[occm] Improve route controller reconciling to ensure the cluster's nodes can access each other

[jeffyjf]

What this PR does / why we need it:

In order to the nodes of one cluster can access each other, route controller need to check and set three things:

1. The openstack router's route rules, so that the packets can be forwarded to correct nodes.
2. The node port's AllowAddressPair, to ensure the node permit the packets that access the node's pods/services pass through.
3. The openstack security group's rules, so that the nodes that bind the security group permit the packets from other nodes enter into.

The current codes just check router's route rule when controller call ListRoutes and just set Route and AllowAddressPair when controller call CreateRoute. This PR complements all of the other works.

Which issue this PR fixes(if applicable):
fixes #2482

Special notes for reviewers:

This PR lack of unit tests, because of I found occm lack of a mechanism to mock openstack client. Further more the whole occm lack of lots of unit tests due to the reason. I plan to dive deeper into gophercloud in the next several days try to study whether it is possible to mock it. If it is possible I'll commit anohter PR to add the unit tests.

Release note:

NONE

[k8s-ci-robot]

Hi @jeffyjf. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[dulek]

Why did this ended up in Routes controller? The issue description feels like this is a general issue in cases CAPO is missing SG rules to allow interconnectivity of Node.

[jeffyjf]

Why did this ended up in Routes controller? The issue description feels like this is a general issue in cases CAPO is missing SG rules to allow interconnectivity of Node.

According to the offical document:

The route controller is responsible for configuring routes in the cloud appropriately so that containers on different nodes in your Kubernetes cluster can communicate with each other.

I think that this is route controller's duty. I user don't activate route controller, the interconnectivity of pods should be ensured by other mechanisms.

[jichenjc]

/ok-to-test

[jeffyjf]

@dulek @jichenjc @kayrus @zetaab asking for review

[kayrus]

The PR needs a rebase. However the #2499 is on the way, and I adopted your getSecurityGroupRules change there as well.

[jeffyjf]

/hold

[jeffyjf]

/remove hold

[jeffyjf]

/retest pull-cloud-provider-openstack-test

[k8s-ci-robot]

@jeffyjf: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

• /test openstack-cloud-controller-manager-e2e-test
• /test openstack-cloud-controller-manager-ovn-e2e-test
• /test openstack-cloud-csi-cinder-e2e-test
• /test openstack-cloud-csi-cinder-sanity-test
• /test openstack-cloud-csi-manila-e2e-test
• /test openstack-cloud-csi-manila-sanity-test
• /test openstack-cloud-keystone-authentication-authorization-test
• /test pull-cloud-provider-openstack-check
• /test pull-cloud-provider-openstack-test

Use /test all to run the following jobs that were automatically triggered:

• openstack-cloud-controller-manager-e2e-test
• openstack-cloud-controller-manager-ovn-e2e-test
• pull-cloud-provider-openstack-check
• pull-cloud-provider-openstack-test

In response to this:

/retest pull-cloud-provider-openstack-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jeffyjf]

/test pull-cloud-provider-openstack-test

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle rotten
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[dulek]

/remove-lifecycle rotten
/lgtm

[kayrus]

thanks for the PR. Could you take a look at comments I just left?

[kayrus]

the os is already passed to the NewRoutes func. There is no need to pass the os.routeOpts.AutoConfigSecurityGroup.

[kayrus]

Suggested change

	if err != nil {
	if errors.IsNotFound(err) {
	mc := metrics.NewMetricContext("security_group", "create")
	klog.V(2).InfoS("Create node security group", "name", sgName)
	group, err := groups.Create(r.network, groups.CreateOpts{Name: sgName}).Extract()
	if mc.ObserveRequest(err) != nil {
	return err
	}
	sgId = group.ID
	} else {
	return err
	}
	}
	if err != nil {
	if !errors.IsNotFound(err) {
	return err
	}
	mc := metrics.NewMetricContext("security_group", "create")
	klog.V(2).InfoS("Create node security group", "name", sgName)
	group, err := groups.Create(r.network, groups.CreateOpts{Name: sgName}).Extract()
	if mc.ObserveRequest(err) != nil {
	return err
	}
	r.nodeSecurityGroupId = group.ID
	return nil
	}

[k8s-ci-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle rotten
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[kayrus]

@jeffyjf could you please rebase + see code review comments?

[kayrus]

Suggested change

	if r.autoConfigSecurityGroup {
	// check if the node security group bind to the port
	nodePortBindSecurityGroup := false
	for _, sg := range port.SecurityGroups {
	if sg == r.nodeSecurityGroupId {
	nodePortBindSecurityGroup = true
	break
	}
	}
	if !nodePortBindSecurityGroup {
	return false
	}
	}
	// check if the node security group bind to the port
	if if r.autoConfigSecurityGroup && !slices.Contains(port.SecurityGroups, r.nodeSecurityGroupId)
	return false
	}

[kayrus]

Suggested change

	if r.allowedAddressPairs {
	// check whether the related AllowAddressPair is existing
	for _, addrPair := range port.AllowedAddressPairs {
	if addrPair.IPAddress == route.DestinationCIDR {
	return true
	}
	}
	return false
	}
	return true
	// check whether the related AllowAddressPair is existing
	if r.allowedAddressPairs && !slices.Contains(port.AllowedAddressPairs, route.DestinationCIDR) {
	return false
	}
	return true

[kayrus]

Suggested change

	`auto-config-node-security-group`
	* `auto-config-node-security-group`

[kayrus]

Suggested change

	if port.PortSecurityEnabled {
	if !r.checkPortSecurityRules(port, item) {
	continue
	}
	}
	if port.PortSecurityEnabled && !r.checkPortSecurityRules(port, item) {
	continue
	}

[kayrus]

you're adding a complexity here. before, the router API was called only once when atomic API was not available. Now this API is called even atomic method is available.