Update glanceapi to use service override #309
Conversation
|
/hold |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: stuggi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
stuggi
force-pushed
the
handle_ingress_v3
branch
3 times, most recently
from
809d292 to
b1835ec
Compare
| }) | ||
|
|
||
| // add Annotation to whether creating an ingress is required or not | ||
| if endpointType == service.EndpointPublic && svc.GetServiceType() == corev1.ServiceTypeClusterIP { |
There was a problem hiding this comment.
@stuggi I think I understand the main change here: we create the service at the service operator level, we annotate the service with AnnotationIngressCreateKey = "core.openstack.org/ingress_create" in case we need to build an ingress.
E.g. :
apiVersion: v1
kind: Service
metadata:
annotations:
core.openstack.org/ingress_create: "true"
core.openstack.org/ingress_name: glance
Does the openstack-operator watches for the Service resources and create the Routes for the services that are created with those annotations ?
In the Glance use case this would end up having a Route only for the GlanceAPIExternal, while the internal endpoint is still tied to metalLB ipaddresspool, right?
There was a problem hiding this comment.
@stuggi I think I understand the main change here: we create the service at the service operator level, we annotate the service with
AnnotationIngressCreateKey = "core.openstack.org/ingress_create"in case we need to build an ingress. E.g. :apiVersion: v1 kind: Service metadata: annotations: core.openstack.org/ingress_create: "true" core.openstack.org/ingress_name: glanceDoes the
openstack-operatorwatches for theServiceresources and create theRoutesfor the services that are created with those annotations ?
It does not watch the services, it watches the service CR it creates, e.g. glance. When glance updates its status because of condition update, or so, the openstack-operator reconciles and checks the services of glance. For those with the annotation it creates the route and passes in the endpointURL for the service. In a follow up for TLS it then passes the https url to be used for register in keystone. For TLS-E it then will then also create the cert ans passes in the secret name to be used by glance api.
In the
Glanceuse case this would end up having aRouteonly for theGlanceAPIExternal, while the internal endpoint is still tied to metalLB ipaddresspool, right?
yes correct. the internal endpoint can be customized using the service override, but for now we don't expect to create a route for it.
There was a problem hiding this comment.
Ack it works from me, I'm overall +1 with this change, I was trying to properly understand the interaction between the openstack-operator (that is supposed to create the Route) and the <Service>operator, that is supposed to build the service and register endpoints in keystone.
| - "172.17.0.202" | ||
| sharedIP: true | ||
| sharedIPKey: "" | ||
| override: |
There was a problem hiding this comment.
Do we want to provide a sample file in config/samples? It can be a follow up though, so we can have a final working solution w/ tls
There was a problem hiding this comment.
since we don't have a sample for the current one, I planned to only have a network-isolation sample in the openstack-operator as it is today. but we can also add a sample here
There was a problem hiding this comment.
ack, we can provide a sample based on the basic openstackcontrolplane in a follow up, the description in the Readme is enough.
| // APIOverrideSpec to override the generated manifest of several child resources. | ||
| type APIOverrideSpec struct { | ||
| // Override configuration for the Service created to serve traffic to the cluster. | ||
| Service *service.RoutedOverrideSpec `json:"service,omitempty"` |
There was a problem hiding this comment.
So this replace actually the way we used to config services w/ metallb and we're going to provide RouteOverrides under annotations form:
override:
service:
metadata:
annotations:
metallb.universe.tf/address-pool: internalapi
metallb.universe.tf/allow-shared-ip: internalapi
metallb.universe.tf/loadBalancerIPs: 172.17.0.90
spec:
type: LoadBalancer
There was a problem hiding this comment.
yes, via the overrides you pass in the annotation used for the LoadBalancer you use, metallb here (but could be also a different one. The benefit is that its native k8s service style and probably known by users if they already are familiar with k8s
stuggi
force-pushed
the
handle_ingress_v3
branch
4 times, most recently
from
2656dbf to
aa05d80
Compare
Hiccup /test glance-operator-build-deploy-kuttl |
stuggi
force-pushed
the
handle_ingress_v3
branch
from
aa05d80 to
95ff975
Compare
|
/test functional |
|
The issue we right now is that the we are building the new operator with the current version of the openstack-operator which has not the functionality to create the route for the new service operator version. With this the public endpoint will be a ClusterIP service and is not reachable by the tempest job which is running outside the OCP env. I think we have two options:
|
This would only work if the host tempest is running is using our DNS server where the service endpoint gets registered
|
Removes creation of routes.Those get done in the openstack-operator. Via service overrides the service can be customized. The service operator adds annotation to the service which needs to be exposed as a route. Jira: OSP-26690 Depends-On: openstack-k8s-operators/lib-common#332
stuggi
force-pushed
the
handle_ingress_v3
branch
from
95ff975 to
82f0dc7
Compare
|
@stuggi: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
I agree we should force-merge these patches and avoid growing the patch series to get the Routes creation moved at the openstack-operator level. |
Removes creation of routes.Those get done in the openstack-operator. Via service overrides the service can be customized. The service operator adds annotation to the service which needs to be exposed as a route.
Jira: OSP-26690
Depends-On: openstack-k8s-operators/lib-common#332
Depends-On: openstack-k8s-operators/keystone-operator#307