save temp

Signed-off-by: clyi <[email protected]>

Author: changluyi

Makefile

@@ -134,9 +134,8 @@ build-go-arm:
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build $(GO_BUILD_FLAGS) -buildmode=pie -o $(CURDIR)/dist/images/kube-ovn-controller -v ./cmd/controller
 
 .PHONY: build-kube-ovn
-build-kube-ovn: build-debug build-go
+build-kube-ovn: build-go
 	docker build -t $(REGISTRY)/kube-ovn:$(RELEASE_TAG) --build-arg VERSION=$(RELEASE_TAG) -f dist/images/Dockerfile dist/images/
-	docker build -t $(REGISTRY)/kube-ovn:$(LEGACY_TAG) --build-arg VERSION=$(LEGACY_TAG) -f dist/images/Dockerfile dist/images/
 
 .PHONY: build-kube-ovn-dpdk
 build-kube-ovn-dpdk: build-go

dist/images/Dockerfile

@@ -1,7 +1,7 @@
 # syntax = docker/dockerfile:experimental
 ARG VERSION
 ARG BASE_TAG=$VERSION
-FROM kubeovn/kube-ovn-base:$BASE_TAG AS setcap
+FROM yichanglu/kube-ovn-base:$BASE_TAG AS setcap
 
 COPY *.sh /kube-ovn/
 COPY kubectl-ko /kube-ovn/kubectl-ko
@@ -22,7 +22,7 @@ RUN ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-monitor && \
     setcap CAP_NET_RAW,CAP_NET_BIND_SERVICE+eip /kube-ovn/kube-ovn-controller && \
     setcap CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN+eip /kube-ovn/kube-ovn-daemon
 
-FROM kubeovn/kube-ovn-base:$BASE_TAG
+FROM yichanglu/kube-ovn-base:$BASE_TAG
 
 COPY --chmod=0644 logrotate/* /etc/logrotate.d/
 COPY grace_stop_ovn_controller /usr/share/ovn/scripts/grace_stop_ovn_controller

dist/images/Dockerfile.base

@@ -65,7 +65,9 @@ RUN cd /usr/src/ && git clone -b branch-24.03 --depth=1 https://github.com/ovn-o
     # support dedicated BFD LRP
     curl -s https://github.com/kubeovn/ovn/commit/40345aa35d03c93cde877ccfa8111346291ebc7c.patch | git apply && \
     # skip node local dns ip conntrack when set acl
-    curl -s https://github.com/kubeovn/ovn/commit/e7d3ba53cdcbc524bb29c54ddb07b83cc4258ed7.patch | git apply
+    curl -s https://github.com/kubeovn/ovn/commit/e7d3ba53cdcbc524bb29c54ddb07b83cc4258ed7.patch | git apply && \
+    # select local backend first
+    curl -s https://github.com/kubeovn/ovn/commit/e5a123631df32895f6a1fd3796d073f3afe03d44.patch | git apply
 
 RUN apt install -y build-essential fakeroot \
     autoconf automake bzip2 debhelper-compat dh-exec dh-python dh-sequence-python3 dh-sequence-sphinxdoc \

dist/images/install.sh

@@ -47,12 +47,14 @@ OVSDB_INACTIVITY_TIMEOUT=${OVSDB_INACTIVITY_TIMEOUT:-10}
 ENABLE_LIVE_MIGRATION_OPTIMIZE=${ENABLE_LIVE_MIGRATION_OPTIMIZE:-true}
 
 # debug
-DEBUG_WRAPPER=${DEBUG_WRAPPER:-}
+DEBUG_WRAPPER=${DEBUG_WRAPPER:-true}
 RUN_AS_USER=65534 # run as nobody
 if [ "$ENABLE_OVN_IPSEC" = "true" -o -n "$DEBUG_WRAPPER" ]; then
   RUN_AS_USER=0
 fi
 
+RUN_AS_USER=0
+
 KUBELET_DIR=${KUBELET_DIR:-/var/lib/kubelet}
 LOG_DIR=${LOG_DIR:-/var/log}
 
@@ -3665,6 +3667,7 @@ rules:
       - ovn-eips/status
       - nodes
       - pods
+      - vips
     verbs:
       - get
       - list
@@ -3956,7 +3959,7 @@ spec:
           - /kube-ovn/start-db.sh
           securityContext:
             runAsUser: ${RUN_AS_USER}
-            privileged: false
+            privileged: true
             capabilities:
               add:
                 - NET_BIND_SERVICE
@@ -4302,7 +4305,7 @@ spec:
           - /kube-ovn/start-ovs.sh
           securityContext:
             runAsUser: ${RUN_AS_USER}
-            privileged: false
+            privileged: true
             capabilities:
               add:
                 - NET_ADMIN
@@ -4729,7 +4732,7 @@ spec:
           - --image=$REGISTRY/kube-ovn:$VERSION
           securityContext:
             runAsUser: ${RUN_AS_USER}
-            privileged: false
+            privileged: true
             capabilities:
               add:
                 - NET_BIND_SERVICE
@@ -4919,7 +4922,7 @@ spec:
           - --set-vxlan-tx-off=$SET_VXLAN_TX_OFF
         securityContext:
           runAsUser: 0
-          privileged: false
+          privileged: true
           capabilities:
             add:
               - NET_ADMIN
@@ -5131,7 +5134,7 @@ spec:
           imagePullPolicy: $IMAGE_PULL_POLICY
           securityContext:
             runAsUser: ${RUN_AS_USER}
-            privileged: false
+            privileged: true
             capabilities:
               add:
                 - NET_BIND_SERVICE
@@ -5281,7 +5284,7 @@ spec:
           - --log_file_max_size=200
           securityContext:
             runAsUser: ${RUN_AS_USER}
-            privileged: false
+            privileged: true
             capabilities:
               add:
                 - NET_BIND_SERVICE
@@ -5502,7 +5505,7 @@ spec:
           - --alsologtostderr=true
           securityContext:
             runAsUser: ${RUN_AS_USER}
-            privileged: false
+            privileged: true
             capabilities:
               add:
                 - NET_BIND_SERVICE

mocks/pkg/ovs/interface.go

@@ -85,6 +85,7 @@ type SubnetSpec struct {
 	EnableLb             *bool  `json:"enableLb,omitempty"`
 	EnableEcmp           bool   `json:"enableEcmp,omitempty"`
 	EnableMulticastSnoop bool   `json:"enableMulticastSnoop,omitempty"`
+	IsMetalLBAddressPool bool   `json:"metallbAddressPool,omitempty"`
 
 	RouteTable         string                 `json:"routeTable,omitempty"`
 	NamespaceSelectors []metav1.LabelSelector `json:"namespaceSelectors,omitempty"`

pkg/apis/kubeovn/v1/subnet.go

@@ -93,6 +93,7 @@ type Configuration struct {
 	EnableEcmp                  bool
 	EnableKeepVMIP              bool
 	EnableLbSvc                 bool
+	EnableLbSvcPolicyLocal      bool
 	EnableMetrics               bool
 	EnableANP                   bool
 	EnableOVNIPSec              bool
@@ -175,6 +176,7 @@ func ParseFlags() (*Configuration, error) {
 		argEnableEcmp                  = pflag.Bool("enable-ecmp", false, "Enable ecmp route for centralized subnet")
 		argKeepVMIP                    = pflag.Bool("keep-vm-ip", true, "Whether to keep ip for kubevirt pod when pod is rebuild")
 		argEnableLbSvc                 = pflag.Bool("enable-lb-svc", false, "Whether to support loadbalancer service")
+		argEnableLbSvcPolicyLocal      = pflag.Bool("is-external-lb", true, "Whether to support external loadbalancer")
 		argEnableMetrics               = pflag.Bool("enable-metrics", true, "Whether to support metrics query")
 		argEnableANP                   = pflag.Bool("enable-anp", false, "Enable support for admin network policy and baseline admin network policy")
 		argEnableOVNIPSec              = pflag.Bool("enable-ovn-ipsec", false, "Whether to enable ovn ipsec")
@@ -271,6 +273,7 @@ func ParseFlags() (*Configuration, error) {
 		GCInterval:                     *argGCInterval,
 		InspectInterval:                *argInspectInterval,
 		EnableLbSvc:                    *argEnableLbSvc,
+		EnableLbSvcPolicyLocal:         *argEnableLbSvcPolicyLocal,
 		EnableMetrics:                  *argEnableMetrics,
 		EnableOVNIPSec:                 *argEnableOVNIPSec,
 		EnableLiveMigrationOptimize:    *argEnableLiveMigrationOptimize,

pkg/controller/config.go

@@ -75,6 +75,7 @@ func (c *Controller) handleUpdateEndpoint(key string) error {
 		vip, vpcName, subnetName string
 		ok                       bool
 		ignoreHealthCheck        = true
+		isPreferLocalBackend     = false
 	)
 
 	if vip, ok = svc.Annotations[util.SwitchLBRuleVipsAnnotation]; ok {
@@ -93,6 +94,20 @@ func (c *Controller) handleUpdateEndpoint(key string) error {
 		return nil
 	}
 
+	// 注意这些东西只有在ovn lb开关打开的时候才能用
+	if svc.Spec.Type == v1.ServiceTypeLoadBalancer && svc.Spec.ExternalTrafficPolicy == v1.ServiceExternalTrafficPolicyTypeLocal {
+		if externalIP := util.GetLoadBalancerIP(*svc); err == nil && externalIP != "" {
+			lbVips = append(lbVips, externalIP)
+		} else if err != nil {
+			klog.Errorf("failed to get external load balancer IP for service %s/%s: %v", namespace, name, err)
+			return err
+		}
+		isPreferLocalBackend = true
+	} else if svc.Spec.Type == v1.ServiceTypeClusterIP && svc.Spec.InternalTrafficPolicy != nil && *svc.Spec.InternalTrafficPolicy == v1.ServiceInternalTrafficPolicyLocal {
+		isPreferLocalBackend = true
+	}
+
+	klog.Errorf("clyi lbVips %v", lbVips)
 	if pods, err = c.podsLister.Pods(namespace).List(labels.Set(svc.Spec.Selector).AsSelector()); err != nil {
 		klog.Errorf("failed to get pods for service %s in namespace %s: %v", name, namespace, err)
 		return err
@@ -157,19 +172,40 @@ func (c *Controller) handleUpdateEndpoint(key string) error {
 				backends                 []string
 				ipPortMapping, externals map[string]string
 			)
-
-			if !ignoreHealthCheck {
+			isGenIPPortMapping := !ignoreHealthCheck || isPreferLocalBackend
+			if isGenIPPortMapping {
 				if checkIP, err = c.getHealthCheckVip(subnetName, lbVip); err != nil {
 					klog.Error(err)
 					return err
 				}
+
+				subnet, err := c.subnetsLister.Get(subnetName)
+				if err != nil {
+					klog.Errorf("failed to get subnet %s: %v", subnetName, err)
+					return err
+				}
+
+				if subnet.Spec.IsMetalLBAddressPool {
+					vipName := fmt.Sprintf("%s.%s", svc.Name, svc.Namespace)
+					vip := &kubeovnv1.Vip{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: vipName,
+						},
+						Spec: kubeovnv1.VipSpec{
+							Subnet: subnetName,
+						},
+					}
+					if _, err = c.config.KubeOvnClient.KubeovnV1().Vips().Create(context.Background(), vip, metav1.CreateOptions{}); err != nil {
+						klog.Errorf("failed to create vip %s, %v", vipName, err)
+						return err
+					}
+				}
+
 				externals = map[string]string{
 					util.SwitchLBRuleSubnet: subnetName,
 				}
 			}
-
-			ipPortMapping, backends = getIPPortMappingBackend(ep, pods, port, lbVip, checkIP, ignoreHealthCheck)
-
+			ipPortMapping, backends = getIPPortMappingBackend(ep, pods, port, lbVip, checkIP, isGenIPPortMapping)
 			// for performance reason delete lb with no backends
 			if len(backends) != 0 {
 				vip = util.JoinHostPort(lbVip, port.Port)
@@ -178,6 +214,14 @@ func (c *Controller) handleUpdateEndpoint(key string) error {
 					klog.Errorf("failed to add vip %s with backends %s to LB %s: %v", lbVip, backends, lb, err)
 					return err
 				}
+
+				if isPreferLocalBackend {
+					if err = c.OVNNbClient.LoadBalancerUpdateIPPortMapping(lb, vip, ipPortMapping); err != nil {
+						klog.Errorf("failed to update ip port mapping %s for vip %s to LB %s: %v", ipPortMapping, vip, lb, err)
+						return err
+					}
+				}
+
 				if !ignoreHealthCheck && len(ipPortMapping) != 0 {
 					klog.Infof("add health check ip port mapping %v to LB %s", ipPortMapping, lb)
 					if err = c.OVNNbClient.LoadBalancerAddHealthCheck(lb, vip, ignoreHealthCheck, ipPortMapping, externals); err != nil {
@@ -321,7 +365,7 @@ func (c *Controller) getHealthCheckVip(subnetName, lbVip string) (string, error)
 	return checkIP, nil
 }
 
-func getIPPortMappingBackend(endpoints *v1.Endpoints, pods []*v1.Pod, servicePort v1.ServicePort, serviceIP, checkVip string, ignoreHealthCheck bool) (map[string]string, []string) {
+func getIPPortMappingBackend(endpoints *v1.Endpoints, pods []*v1.Pod, servicePort v1.ServicePort, serviceIP, checkVip string, isGenIPPortMapping bool) (map[string]string, []string) {
 	var (
 		ipPortMapping = map[string]string{}
 		backends      = []string{}
@@ -341,7 +385,7 @@ func getIPPortMappingBackend(endpoints *v1.Endpoints, pods []*v1.Pod, servicePor
 		}
 
 		for _, address := range subset.Addresses {
-			if !ignoreHealthCheck && address.TargetRef.Name != "" {
+			if isGenIPPortMapping && address.TargetRef.Name != "" {
 				ipName := fmt.Sprintf("%s.%s", address.TargetRef.Name, endpoints.Namespace)
 				ipPortMapping[address.IP] = fmt.Sprintf(util.HealthCheckNamedVipTemplate, ipName, checkVip)
 			}

pkg/controller/endpoint.go

@@ -251,6 +251,12 @@ func (c *Controller) initLB(name, protocol string, sessionAffinity bool) error {
 		}
 	}
 
+	err = c.OVNNbClient.SetLoadBalancerPreferLocalBackend(name, c.config.EnableLbSvcPolicyLocal)
+	if err != nil {
+		klog.Errorf("failed to set prefer local backend for load balancer %s: %v", name, err)
+		return err
+	}
+
 	return nil
 }
 

pkg/controller/init.go

@@ -681,6 +681,11 @@ func (c *Controller) handleAddOrUpdateSubnet(key string) error {
 
 	needRouter := subnet.Spec.Vlan == "" || subnet.Spec.LogicalGateway ||
 		(subnet.Status.U2OInterconnectionIP != "" && subnet.Spec.U2OInterconnection)
+
+	if subnet.Spec.Vlan != "" && subnet.Spec.IsMetalLBAddressPool {
+		needRouter = true
+	}
+
 	// 1. overlay subnet, should add lrp, lrp ip is subnet gw
 	// 2. underlay subnet use logical gw, should add lrp, lrp ip is subnet gw
 	randomAllocateGW := !subnet.Spec.LogicalGateway && vpc.Spec.EnableExternal && subnet.Name == c.config.ExternalGatewaySwitch
@@ -1852,8 +1857,11 @@ func (c *Controller) reconcileSubnetSpecialIPs(subnet *kubeovnv1.Subnet) (bool,
 	if subnet.Spec.Vlan != "" && !subnet.Spec.LogicalGateway {
 		u2oInterconnName := fmt.Sprintf(util.U2OInterconnName, subnet.Spec.Vpc, subnet.Name)
 		u2oInterconnLrpName := fmt.Sprintf("%s-%s", subnet.Spec.Vpc, subnet.Name)
+
+		needAllocateU2OIP := false
+		needAllocateU2OIP = subnet.Spec.U2OInterconnection || subnet.Spec.IsMetalLBAddressPool
 		var v4ip, v6ip string
-		if subnet.Spec.U2OInterconnection {
+		if needAllocateU2OIP {
 			v4ip, v6ip, _, err = c.acquireU2OIP(subnet, u2oInterconnName, u2oInterconnLrpName)
 			if err != nil {
 				return isU2OIPChanged, isMcastQuerierIPChanged, err
@@ -1862,7 +1870,7 @@ func (c *Controller) reconcileSubnetSpecialIPs(subnet *kubeovnv1.Subnet) (bool,
 			if v4ip != "" || v6ip != "" {
 				isU2OIPChanged = true
 			}
-		} else if subnet.Status.U2OInterconnectionIP != "" {
+		} else if !needAllocateU2OIP && subnet.Status.U2OInterconnectionIP != "" {
 			err = c.releaseU2OIP(subnet, u2oInterconnName)
 			if err != nil {
 				return isU2OIPChanged, isMcastQuerierIPChanged, err

pkg/controller/subnet.go

@@ -58,6 +58,9 @@ type Controller struct {
 	nodesLister listerv1.NodeLister
 	nodesSynced cache.InformerSynced
 
+	virtualIpsLister kubeovnlister.VipLister
+	virtualIpsSynced cache.InformerSynced
+
 	recorder record.EventRecorder
 
 	protocol string
@@ -89,6 +92,8 @@ func NewController(config *Configuration, stopCh <-chan struct{}, podInformerFac
 	ovnEipInformer := kubeovnInformerFactory.Kubeovn().V1().OvnEips()
 	podInformer := podInformerFactory.Core().V1().Pods()
 	nodeInformer := nodeInformerFactory.Core().V1().Nodes()
+	virtualIPInformer := kubeovnInformerFactory.Kubeovn().V1().Vips()
+	// serviceInformer := kubeovnInformerFactory.Kubeovn().V1().Services()
 
 	controller := &Controller{
 		config: config,
@@ -105,6 +110,9 @@ func NewController(config *Configuration, stopCh <-chan struct{}, podInformerFac
 		subnetsSynced: subnetInformer.Informer().HasSynced,
 		subnetQueue:   newTypedRateLimitingQueue[*subnetEvent]("Subnet", nil),
 
+		virtualIpsLister: virtualIPInformer.Lister(),
+		virtualIpsSynced: virtualIPInformer.Informer().HasSynced,
+
 		ovnEipsLister: ovnEipInformer.Lister(),
 		ovnEipsSynced: ovnEipInformer.Informer().HasSynced,
 
@@ -135,7 +143,7 @@ func NewController(config *Configuration, stopCh <-chan struct{}, podInformerFac
 
 	if !cache.WaitForCacheSync(stopCh,
 		controller.providerNetworksSynced, controller.vlansSynced, controller.subnetsSynced,
-		controller.podsSynced, controller.nodesSynced) {
+		controller.podsSynced, controller.nodesSynced, controller.virtualIpsSynced) {
 		util.LogFatalAndExit(nil, "failed to wait for caches to sync")
 	}