workloads not getting IP from Octavia LB when using provider networking
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Kubernetes Control Plane Charm | Fix Released | High | Samuel Allan | |
| Openstack Integrator Charm | Fix Released | High | Samuel Allan | |
Bug Description
Kubernetes 1.17.5
Openstack Integrator charm at stable on jaas.ai
Openstack Train (Stein for Octavia)
When configuring openstack-
The k8s-master integrates just fine, octavia is used as a load-balancer in place of kube-api-lb.
However, workloads are not getting the IP addresses from the octavia LoadBalancer.
---
$ openstack loadbalancer amphora list
+------
| 9f43a456-
| a852569f-
| 8c1c5353-
| 390a8a5b-
| b13c22aa-
| 142cfba0-
| 3a279cba-
| 9e3fd179-
+------
$ openstack loadbalancer list
+------
| id | name | project_id | vip_address | provisioning_status | provider |
+------
| 9b4a5796-
| dbfacebd-
+------
---
In the above output, 172.16.7.180 is the VIP for the k8s-master cluster. 172.16.7.201 is the VIP for the workload.
---
$ kubectl get all
NAME READY STATUS RESTARTS AGE
pod/cdk-
pod/cdk-
pod/cdk-
pod/cdk-
pod/cdk-
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/cdk-cats LoadBalancer 10.152.183.38 <pending> 80:30836/TCP 9m8s
service/kubernetes ClusterIP 10.152.183.1 <none> 443/TCP 127m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.
NAME DESIRED CURRENT READY AGE
replicaset.
---
The cdk-cats service is waiting on the 172.16.7.201 IP address. A describe of that service shows the following:
---
$ kubectl describe service/cdk-cats
Name: cdk-cats
Namespace: default
Labels: <none>
Annotations: Selector: app=cdk-cats
Type: LoadBalancer
IP: 10.152.183.38
Port: cdk-cats 80/TCP
TargetPort: 80/TCP
NodePort: cdk-cats 30836/TCP
Endpoints: 10.1.78.
Session Affinity: None
External Traffic Policy: Cluster
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal EnsuringLoadBal
Warning SyncLoadBalance
---
As can be seen from the above output, it is assigning a FloatingNetworkID and attempting to assign a FloatingIP. There are no floating IPs in this scenario. There is only 1 network and it is directly on a VLAN and configured as a flat provider going to physnet1. There are no internal networks or Floating IP ranges.
Bundle config for openstack-
---
openstack-
charm: cs:~containers/
num_units: 1
trust: true
options:
manage-
subnet-id: 78114d37-
---
The subnet-id above is the subnet for the provider network.
---
$ openstack subnet list
+------
| ID | Name | Network | Subnet |
+------
| 713a43d7-
| 78114d37-
+------
---
full openstack-
---
$ juju config openstack-
application: openstack-
application-config:
  trust:
    default: false
    description: Does this application have access to trusted credentials
    source: user
    type: bool
    value: true
charm: openstack-
settings:
  auth-url:
    default: ""
    description: |
      The URL of the keystone API used to authenticate. On OpenStack control panels,
      this can be found at Access and Security > API Access > Credentials.
    source: default
    type: string
    value: ""
  bs-version:
    description: |
      Used to override automatic version detection for block storage usage.
      Valid values are v1, v2, v3 and auto. When auto is specified automatic
      detection will select the highest supported version exposed by the
      underlying OpenStack cloud. If not set, will use the upstream default.
    source: unset
    type: string
  credentials:
    default: ""
    description: |
      The base64-encoded contents of a JSON file containing OpenStack credentials.
      The credentials must contain the following keys: auth-url, username, password,
      project-name, user-domain-name, and project-
      It could also contain a base64-encoded CA certificate in endpoint-tls-ca key value.
      This can be used from bundles with 'include-base64://' (see
      https:/
      or from the command-line with 'juju config openstack credentials=
      It is strongly recommended that you use 'juju trust' instead, if available.
    source: default
    type: string
    value: ""
  endpoint-tls-ca:
    default: ""
    description: |
      A CA certificate that can be used to verify the target cloud API endpoints.
      Use 'include-base64://' in a bundle to include a certificate. Otherwise,
      pass a base64-encoded certificate (base64 of "-----BEGIN" to "-----END")
      as a config option in a Juju CLI invocation.
    source: default
    type: string
    value: ""
  floating-
    default: ""
    description: |
      If set, it will be passed to integrated workloads to indicate that
      floating IPs should be created in the given network for load balancers
      that those workloads manage. For example, this will determine whether and
      where FIPs will be created by Kubernetes for LoadBalancer type services
      in the cluster.
    source: default
    type: string
    value: ""
  ignore-volume-az:
    description: |
      Used to influence availability zone use when attaching Cinder volumes.
      When Nova and Cinder have different availability zones, this should be
      set to true. This is most commonly the case where there are many Nova
      availability zones but only one Cinder availability zone. If not set,
      will use the upstream default.
    source: unset
    type: boolean
  lb-floating-
    default: ""
    description: |
      If set, this charm will assign a floating IP in this network (name or ID)
      for load balancers created for other charms related on the loadbalancer
      endpoint.
    source: default
    type: string
    value: ""
  lb-method:
    default: ROUND_ROBIN
    description: |
      Algorithm that will be used by load balancers, which must be one of:
      ROUND_ROBIN, LEAST_CONNECTIONS, SOURCE_IP. This applies both to load
      balancers managed by this charm for applications related via the
      loadbalancer endpoint, as well as to load balancers managed by integrated
      workloads, such as Kubernetes.
    source: default
    type: string
    value: ROUND_ROBIN
  lb-port:
    default: 443
    description: |
      Port to use for load balancers created by this charm for other charms
      related on the loadbalancer endpoint.
    source: default
    type: int
    value: 443
  lb-subnet:
    default: ""
    description: |
      Override the subnet (name or ID) in which this charm will create load
      balancers for other charms related on the loadbalancer endpoint. If not
      set, the subnet over which the requesting application is related will be
      used.
    source: default
    type: string
    value: ""
  manage-
    default: false
    description: |
      Whether or not each load balancer should have its own security group, or
      if all load balancers should use the default security group for the
      project. This applies both to load balancers managed by this charm for
      applications related via the loadbalancer endpoint, as well as to load
      balancers managed by integrated workloads, such as Kubernetes.
    source: user
    type: boolean
    value: true
  password:
    default: ""
    description: Password of a valid user set in keystone.
    source: default
    type: string
    value: ""
  project-
    default: ""
    description: Name of the project domain where you want to create your resources.
    source: default
    type: string
    value: ""
  project-name:
    default: ""
    description: Name of project where you want to create your resources.
    source: default
    type: string
    value: ""
  region:
    default: ""
    description: Name of the region where you want to create your resources.
    source: default
    type: string
    value: ""
  snap_proxy:
    default: ""
    description: |
      DEPRECATED. Use snap-http-proxy and snap-https-proxy model configuration settings. HTTP/HTTPS web proxy for Snappy to use when accessing the snap store.
    source: default
    type: string
    value: ""
  snap_proxy_url:
    default: ""
    description: |
      DEPRECATED. Use snap-store-proxy model configuration setting. The address of a Snap Store Proxy to use for snaps e.g. http://
    source: default
    type: string
    value: ""
  snapd_refresh:
    default: ""
    description: |
      How often snapd handles updates for installed snaps. The default (an empty string) is 4x per day. Set to "max" to check once per month based on the charm deployment date. You may also set a custom string as described in the 'refresh.timer' section here:
      https:/
    source: default
    type: string
    value: ""
  subnet-id:
    default: ""
    description: |
      If set, it will be passed to integrated workloads to indicate in what
      subnet load balancers should be created. For example, this will determine
      what subnet Kubernetes uses for LoadBalancer type services in the
      cluster.
    source: user
    type: string
    value: 78114d37-
  trust-
    description: |
      In most scenarios the block device names provided by Cinder (e.g.
      /dev/vda) can not be trusted. This boolean toggles this behavior. Setting
      it to true results in trusting the block device names provided by Cinder.
      The value of false results in the discovery of the device path
      based on its serial number and /dev/disk/by-id mapping and is the
      recommended approach. If not set, will use the upstream default.
    source: unset
    type: boolean
  user-domain-name:
    default: ""
    description: Name of the user domain where you want to create your resources.
    source: default
    type: string
    value: ""
  username:
    default: ""
    description: Username of a valid user set in keystone.
    source: default
    type: string
    value: ""
---
| Changed in | Field | Change |
|---|---|---|
| | description | updated |
| charm-openstack-integrator | status | New → Triaged |
| charm-openstack-integrator | importance | Undecided → Critical |
| charm-kubernetes-master | status | New → Triaged |
| charm-kubernetes-master | importance | Undecided → Critical |
| charm-kubernetes-master | importance | Critical → High |
| charm-openstack-integrator | importance | Critical → High |
| charm-kubernetes-master | milestone | none → 1.24 |
| charm-openstack-integrator | milestone | none → 1.24 |
| charm-kubernetes-master | status | Fix Committed → Fix Released |
| charm-openstack-integrator | status | Fix Committed → Fix Released |
I wonder if cloud-provider-openstack supports this use case.
Jeff, can you try cloud-provider-openstack service annotations[1] on the cdk-cats service and see if any of them help you? In particular, it looks like this config will make the cloud provider skip the Floating IP step:
service.beta.kubernetes.io/openstack-internal-load-balancer: 'true'
[1]: https://github.com/kubernetes/cloud-provider-openstack/blob/v1.17.0/docs/expose-applications-using-loadbalancer-type-service.md#service-annotations
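As an added illustration (not part of the comment above, and not code from either charm), this is what the cdk-cats Service would look like with the annotation the comment suggests. The name, namespace, selector, port and type are taken from the describe output in the bug description; the annotation key is the one quoted in the comment. Nothing else about the workload is known from the page.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: cdk-cats
  namespace: default
  annotations:
    # Ask cloud-provider-openstack to treat this as an internal load balancer,
    # i.e. skip the floating-IP step and hand the service the Octavia VIP on
    # the provider subnet directly. Quoted so YAML keeps it a string, not a bool.
    service.beta.kubernetes.io/openstack-internal-load-balancer: "true"
spec:
  type: LoadBalancer
  selector:
    app: cdk-cats
  ports:
    - name: cdk-cats
      port: 80
      targetPort: 80
      protocol: TCP
```

The same annotation can be added to the already-deployed service without re-applying the manifest: `kubectl annotate service cdk-cats service.beta.kubernetes.io/openstack-internal-load-balancer='true'`. After the cloud controller reconciles, `kubectl get service cdk-cats` should show the Octavia VIP (172.16.7.201 in this report) under EXTERNAL-IP instead of `<pending>`, and `kubectl describe service cdk-cats` should no longer log the SyncLoadBalancer warning about a FloatingNetworkID.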