Merge pull request #1026 from shiftstack/devstack-on-openstack

✨Devstack on openstack and multi-AZ support

Author: k8s-ci-robot

Makefile

@@ -125,7 +125,7 @@ test: ## Run tests
 E2E_GINKGO_ARGS ?= -stream
 .PHONY: test-e2e ## Run e2e tests using clusterctl
 test-e2e: $(GINKGO) $(KIND) $(KUSTOMIZE) e2e-image test-e2e-image-prerequisites ## Run e2e tests
-	time $(GINKGO) -trace -progress -v -tags=e2e --nodes=$(E2E_GINKGO_PARALLEL) $(E2E_GINKGO_ARGS) ./test/e2e/suites/e2e/... -- -config-path="$(E2E_CONF_PATH)" -artifacts-folder="$(ARTIFACTS)" --data-folder="$(E2E_DATA_DIR)" $(E2E_ARGS)
+	time $(GINKGO) --failFast -trace -progress -v -tags=e2e --nodes=$(E2E_GINKGO_PARALLEL) $(E2E_GINKGO_ARGS) ./test/e2e/suites/e2e/... -- -config-path="$(E2E_CONF_PATH)" -artifacts-folder="$(ARTIFACTS)" --data-folder="$(E2E_DATA_DIR)" $(E2E_ARGS)
 
 .PHONY: e2e-image
 e2e-image: CONTROLLER_IMG_TAG = "gcr.io/k8s-staging-capi-openstack/capi-openstack-controller:e2e"

docs/book/src/SUMMARY.md

@@ -7,3 +7,5 @@
     - [external cloud provider](./topics/external-cloud-provider.md)
     - [move from bootstrap](./topics/mover.md)
     - [trouble shooting](./topics/troubleshooting.md)
+- [Development](./development/development.md)
+- [Hacking CI](./development/ci.md)

docs/book/src/development/ci.md

@@ -0,0 +1,80 @@
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+**Table of Contents**  *generated with [DocToc](https://github.com/thlorenz/doctoc)*
+
+- [Hacking CI for the E2E tests](#hacking-ci-for-the-e2e-tests)
+  - [Prow](#prow)
+  - [DevStack](#devstack)
+    - [Configuration](#configuration)
+    - [Build order](#build-order)
+    - [Networking](#networking)
+    - [Availability zones](#availability-zones)
+  - [Connecting to DevStack](#connecting-to-devstack)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
+# Hacking CI for the E2E tests
+
+## Prow
+
+CAPO tests are executed by Prow. They are defined in the [Kubernetes test-infra repository](https://github.com/kubernetes/test-infra/tree/master/config/jobs/kubernetes-sigs/cluster-api-provider-openstack). The E2E tests run as a presubmit. They run in a docker container in Prow infrastructure which contains a checkout of the CAPO tree under test. The entry point for tests is `scripts/ci-e2e.sh`, which is defined in the job in Prow.
+
+## DevStack
+
+The E2E tests require an OpenStack cloud to run against, which we provision during the test with DevStack. The project has access to capacity on GCP, so we provision DevStack on 2 GCP instances.
+
+The entry point for the creation of the test DevStack is `hack/ci/create_devstack.sh`, which is executed by `scripts/ci-e2e.sh`. We create 2 instances: `controller` and `worker`. Each will provision itself via cloud-init using config defined in `hack/ci/cloud-init`.
+
+### Configuration
+
+We configure a 2 node DevStack. `controller` is running:
+
+* All control plane services
+* Nova: all services, including compute
+* Glance: all services
+* Octavia: all services
+* Neutron: all services with ML2/OVS, including L3 agent
+* Cinder: all services, including volume with default LVM/iSCSI backend
+
+`worker` is running:
+
+* Nova: compute only
+* Neutron: agent only (not L3 agent)
+* Cinder: volume only with default LVM/iSCSI backend
+
+`controller` is using the `n2-standard-16` machine type with 16 vCPUs and 64 GB RAM. `worker` is using the `n2-standard-8` machine type with 8 vCPUs and 32 GB RAM. Each job has a quota limit of 24 vCPUs.
+
+### Build order
+
+We build `controller` first, and then `worker`. We let `worker` build asynchronously because tests which don't require a second AZ can run without it while it builds. A systemd job defined in the cloud-init of `controller` polls for `worker` coming up and automatically configures it.
+
+### Networking
+
+Both instances share a common network which uses the CIDR defined in `PRIVATE_NETORK_CIDR` in `hack/ci/create_devstack.sh`. Each instance has a single IP on this network:
+
+* `controller`: `10.0.2.15`
+* `worker`: `10.0.2.16`
+
+In addition, DevStack will create a floating IP network using CIDR defined in `FLOATING_RANGE` in `hack/ci/create_devstack.sh`. As the neutron L3 agent is only running on the controller, all of this traffic is handled on the controller, even if the source is an instance running on the worker. The controller creates `iptables` rules to NAT this traffic.
+
+The effect of this is that instances created on either `controller` or `worker` can get a floating ip from the `public` network. Traffic using this floating IP will be routed via `controller` and externally via NAT.
+
+### Availability zones
+
+We are running `nova compute` and `cinder volume` on each of `controller` and `worker`. Each `nova compute` and `cinder volume` are configured to be in their own availability zone. The names of the availability zones are defined in `OPENSTACK_FAILURE_DOMAIN` and `OPENSTACK_FAILURE_DOMAIN_ALT` in `test/e2e/data/e2e_conf.yaml`, with the services running on `controller` being in `OPENSTACK_FAILURE_DOMAIN` and the services running on `worker` being in `OPENSTACK_FAILURE_DOMAIN_ALT`.
+
+This configuration is intended only to allow the testing of functionality related to availability zones, and does not imply any robustness to failure.
+
+Nova is configured (via `[DEFAULT]/default_schedule_zone`) to place all workloads on the controller unless they have an explicit availability zone. The intention is that `controller` should have the capacity to run all tests which are agnostic to availability zones. This means that the explicitly multi-az tests do not risk failure due to capacity issues.
+
+However, this is not sufficient because by default [CAPI explicitly schedules the control plane across all discovered availability zones](https://github.com/kubernetes-sigs/cluster-api/blob/e7769d7a6b3a4eb32292938eed8c470b7018a8b3/controlplane/kubeadm/controllers/scale.go#L77-L82). Consequently we explicitly confine all clusters to `OPENSTACK_FAILURE_DOMAIN` (`controller`) in the test cluster definitions in `test/e2e/data/infrastructure-openstack`.
+
+## Connecting to DevStack
+
+The E2E tests running in Prow create a kind cluster. This also running in Prow using Docker in Docker. The E2E tests configure this cluster with clusterctl, which is where CAPO executes.
+
+`create_devstack.sh` wrote a `clouds.yaml` to the working directory, which is passed to CAPO via the cluster definitions in `test/e2e/data/infrastructure-openstack`. This `clouds.yaml` references the public, routable IP of `controller`. However, DevStack created all the service endpoints using `controller`'s private IP, which is not publicly routable. In addition, the tests need to be able to SSH to the floating IP of the Bastion. This floating IP is also allocated from a range which is not publicly routable.
+
+To allow this access we run `sshuttle` from `create_devstack.sh`. This creates an SSH tunnel and routes traffic for `PRIVATE_NETWORK_CIDR` and `FLOATING_RANGE` over it.
+
+Note that the semantics of a `sshuttle` tunnel are problematic. While they happen to work currently for DinD, Podman runs the kind cluster in a separate network namespace. This means that kind running in podman cannot route over `sshuttle` running outside the kind cluster. This may also break in future versions of Docker.

docs/book/src/development/development.md

@@ -7,6 +7,13 @@
     - [Building and upload your own capi-openstack controller image](#building-and-upload-your-own-capi-openstack-controller-image)
     - [Using your own capi-openstack controller image](#using-your-own-capi-openstack-controller-image)
   - [Developing with Tilt](#developing-with-tilt)
+  - [Running E2E tests locally](#running-e2e-tests-locally)
+    - [Support for clouds using SSL](#support-for-clouds-using-ssl)
+    - [Support for clouds with multiple external networks](#support-for-clouds-with-multiple-external-networks)
+    - [OpenStack prerequisites](#openstack-prerequisites)
+  - [Running E2E tests using rootless podman](#running-e2e-tests-using-rootless-podman)
+    - [Host configuration](#host-configuration)
+    - [Running podman system service to emulate docker daemon](#running-podman-system-service-to-emulate-docker-daemon)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 

docs/book/src/getting-started.md

@@ -1,3 +1,11 @@
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+**Table of Contents**  *generated with [DocToc](https://github.com/thlorenz/doctoc)*
+
+- [Getting Started](#getting-started)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
 # Getting Started
 
 {{#embed-github repo:"kubernetes-sigs/cluster-api" path:"docs/book/src/user/quick-start.md"}}

docs/book/src/topics/external-cloud-provider.md

@@ -1,3 +1,12 @@
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+**Table of Contents**  *generated with [DocToc](https://github.com/thlorenz/doctoc)*
+
+- [External Cloud Provider](#external-cloud-provider)
+  - [Steps](#steps)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
 # External Cloud Provider
 
 To deploy a cluster using [external cloud provider](https://github.com/kubernetes/cloud-provider-openstack), create a cluster configuration with the [external cloud provider template](https://github.com/kubernetes-sigs/cluster-api-provider-openstack/blob/master/templates/cluster-template-external-cloud-provider.yaml).

docs/book/src/topics/mover.md

@@ -3,9 +3,8 @@
 **Table of Contents**  *generated with [DocToc](https://github.com/thlorenz/doctoc)*
 
 - [Pre-condition](#pre-condition)
-- [Install openstack providers into target cluster](#install-openstack-providers-into-target-cluster)
-- [Move objects in `bootstrap` cluster into `target` cluster.](#move-objects-in-bootstrap-cluster-into-target-cluster)
-- [Create secret in `target` cluster](#create-secret-in-target-cluster)
+- [Install OpenStack Cluster API provider into target cluster](#install-openstack-cluster-api-provider-into-target-cluster)
+- [Move objects from `bootstrap` cluster into `target` cluster.](#move-objects-from-bootstrap-cluster-into-target-cluster)
 - [Check cluster status](#check-cluster-status)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->

hack/ci/.gitignore

@@ -0,0 +1,126 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# hack script for preparing AWS to run cluster-api-provider-openstack e2e
+
+set -x -o errexit -o nounset -o pipefail
+
+function cloud_init {
+  AWS_REGION=${AWS_REGION:-"eu-central-1"}
+  AWS_ZONE=${AWS_ZONE:-"eu-central-1a"}
+  # AMIs:
+  # * capa-ami-ubuntu-20.04-1.20.4-00-1613898574 id: ami-0120656d38c206057
+  # * ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210223 id: ami-0767046d1677be5a0
+  AWS_AMI=${AWS_AMI:-"ami-0767046d1677be5a0"}
+  # Choose via: https://eu-central-1.console.aws.amazon.com/ec2/v2/home?region=eu-central-1#InstanceTypes:
+  AWS_MACHINE_TYPE=${AWS_MACHINE_TYPE:-"c5.metal"}
+  AWS_NETWORK_NAME=${AWS_NETWORK_NAME:-"${CLUSTER_NAME}-mynetwork"}
+  # prepare with:
+  # * create key pair:
+  # aws ec2 create-key-pair --key-name capo-e2e --query 'KeyMaterial' --region "${AWS_REGION}" --output text > ~/.ssh/aws-capo-e2e
+  # * add to local agent and generate public key:
+  # ssh-add ~/.ssh/aws-capo-e2e
+  # ssh-keygen -y -f ~/.ssh/aws-capo-e2e > ~/.ssh/aws-capo-e2e.pub
+  AWS_KEY_PAIR=${AWS_KEY_PAIR:-"capo-e2e"}
+  # disable pagination of AWS cli
+  export AWS_PAGER=""
+
+  echo "Using: AWS_REGION: ${AWS_REGION} AWS_NETWORK_NAME: ${AWS_NETWORK_NAME}"
+}
+
+function init_infrastructure() {
+  if [[ ${AWS_NETWORK_NAME} != "default" ]]; then
+    if [[ $(aws ec2 describe-vpcs --filters Name=tag:Name,Values=capo-e2e-mynetwork --region="${AWS_REGION}" --query 'length(*[0])') = "0" ]];
+    then
+      aws ec2 create-vpc --cidr-block "$PRIVATE_NETWORK_CIDR" --tag-specifications "ResourceType=vpc,Tags=[{Key=Name,Value=${AWS_NETWORK_NAME}}]" --region="${AWS_REGION}"
+      AWS_VPC_ID=$(aws ec2 describe-vpcs --filters Name=tag:Name,Values=capo-e2e-mynetwork --region "${AWS_REGION}" --query '*[0].VpcId' --output text)
+
+      aws ec2 create-subnet --cidr-block "$PRIVATE_NETWORK_CIDR" --vpc-id "${AWS_VPC_ID}" --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=${AWS_NETWORK_NAME}}]" --region "${AWS_REGION}" --availability-zone "${AWS_ZONE}"
+      AWS_SUBNET_ID=$(aws ec2 describe-subnets --filters Name=tag:Name,Values=capo-e2e-mynetwork --region "${AWS_REGION}" --query '*[0].SubnetId' --output text)
+      # It's also the route table of the VPC
+      AWS_SUBNET_ROUTE_TABLE_ID=$(aws ec2 describe-route-tables --filters "Name=vpc-id,Values=${AWS_VPC_ID}" --region "${AWS_REGION}" --query '*[0].RouteTableId' --output text)
+
+      aws ec2 create-security-group --group-name "${AWS_NETWORK_NAME}" --description "${AWS_NETWORK_NAME}" --vpc-id "${AWS_VPC_ID}" --tag-specifications "ResourceType=security-group,Tags=[{Key=Name,Value=${AWS_NETWORK_NAME}}]" --region="${AWS_REGION}"
+      AWS_SECURITY_GROUP_ID=$(aws ec2 describe-security-groups --filters Name=tag:Name,Values=capo-e2e-mynetwork --region "${AWS_REGION}" --query '*[0].GroupId' --output text)
+
+      aws ec2 authorize-security-group-ingress --group-id "${AWS_SECURITY_GROUP_ID}" --protocol tcp --port 22 --cidr 0.0.0.0/0 --region="${AWS_REGION}"
+
+      # Documentation to enable internet access for subnet:
+      # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#TroubleshootingInstancesConnectionTimeout
+      aws ec2 create-internet-gateway --tag-specifications "ResourceType=internet-gateway,Tags=[{Key=Name,Value=${AWS_NETWORK_NAME}}]" --region="${AWS_REGION}"
+      aws ec2 attach-internet-gateway --internet-gateway-id "${AWS_INTERNET_GATEWAY_ID}" --vpc-id "${AWS_VPC_ID}" --region="${AWS_REGION}"
+      AWS_INTERNET_GATEWAY_ID=$(aws ec2 describe-internet-gateways --filters Name=tag:Name,Values=capo-e2e-mynetwork --region "${AWS_REGION}" --query '*[0].InternetGatewayId' --output text)
+
+      aws ec2 create-route --route-table-id "${AWS_SUBNET_ROUTE_TABLE_ID}" --destination-cidr-block 0.0.0.0/0 --gateway-id "${AWS_INTERNET_GATEWAY_ID}" --region "${AWS_REGION}"
+      aws ec2 create-route --route-table-id "${AWS_SUBNET_ROUTE_TABLE_ID}" --destination-ipv6-cidr-block ::/0 --gateway-id "${AWS_INTERNET_GATEWAY_ID}" --region "${AWS_REGION}"
+    fi
+  fi
+}
+
+function create_vm {
+  local name=$1 && shift
+  local ip=$1 && shift
+  local userdata=$1 && shift
+  local public=$1 && shift # Unused by AWS
+
+  if [[ $(aws ec2 describe-instances --filters Name=tag:Name,Values="${name}" --region="${AWS_REGION}" --query 'length(*[0])') = "0" ]];
+  then
+    AWS_SUBNET_ID=$(aws ec2 describe-subnets --filters Name=tag:Name,Values=capo-e2e-mynetwork --region "${AWS_REGION}" --query '*[0].SubnetId' --output text)
+    AWS_SECURITY_GROUP_ID=$(aws ec2 describe-security-groups --filters Name=tag:Name,Values=capo-e2e-mynetwork --region "${AWS_REGION}" --query '*[0].GroupId' --output text)
+
+    # /dev/sda1 is renamed to /dev/nvme0n1 by AWS
+    aws ec2 run-instances --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=${name}}]" \
+      --region "${AWS_REGION}" \
+      --placement "AvailabilityZone=${AWS_ZONE}" \
+      --image-id "${AWS_AMI}" \
+      --instance-type "${AWS_MACHINE_TYPE}" \
+      --block-device-mappings 'DeviceName=/dev/sda1,Ebs={VolumeSize=300}' \
+      --subnet-id "${AWS_SUBNET_ID}"  \
+      --private-ip-address "${ip}" \
+      --count 1 \
+      --associate-public-ip-address \
+      --security-group-ids "${AWS_SECURITY_GROUP_ID}"  \
+      --key-name "${AWS_KEY_PAIR}" \
+      --user-data "file://${userdata}" \
+      --no-paginate
+  fi
+
+  # wait a bit so the server has time to get a public ip
+  sleep 30
+}
+
+function get_public_ip {
+  aws ec2 describe-instances --filters "Name=tag:Name,Values=${CLUSTER_NAME}-controller" --region "${AWS_REGION}" \
+      --query 'Reservations[*].Instances[*].PublicIpAddress' --output text
+}
+
+function get_mtu {
+    # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html
+    echo 1300
+}
+
+function get_ssh_public_key {
+  cat "${SSH_PUBLIC_KEY_FILE}"
+}
+
+function get_ssh_private_key_file {
+  echo "${SSH_PRIVATE_KEY_FILE}"
+}
+
+function cloud_cleanup {
+  echo Not implemented
+  exit 1
+}

hack/ci/aws-project.sh

@@ -0,0 +1,51 @@
+#cloud-config
+runcmd:
+- sysctl -p /etc/sysctl.d/devstack.conf
+- /root/devstack.sh
+final_message: "The system is finally up, after $UPTIME seconds"
+users:
+- name: cloud
+  lock_passwd: true
+  sudo: ALL=(ALL) NOPASSWD:ALL
+  ssh_authorized_keys:
+  - ${SSH_PUBLIC_KEY}
+# Infrastructure packages required:
+#   python3 - required by sshuttle
+#   git - required to obtain devstack
+#   jq - required by devstack-common.sh
+packages:
+- python3
+- git
+- jq
+package_upgrade: true
+write_files:
+- path: /etc/sysctl.d/devstack.conf
+  permissions: 0644
+  content: |
+    net.ipv4.ip_forward=1
+    net.ipv4.conf.default.rp_filter=0
+    net.ipv4.conf.all.rp_filter=0
+- path: /tmp/devstack-common.sh
+  permissions: 0644
+  content: |
+    # ensure nested virtualization
+    function ensure_kvm {
+      sudo modprobe kvm-intel
+      if [ ! -c /dev/kvm ]; then
+          echo /dev/kvm is not present
+          exit 1
+      fi
+    }
+
+    function run_devstack {
+      su - stack -c "TERM=vt100 /opt/stack/devstack/stack.sh"
+    }
+
+    function upload_images {
+      # Add environment variables for auth/endpoints
+      echo 'source /opt/stack/devstack/openrc admin admin' >> /opt/stack/.bashrc
+
+      # Upload the images so we don't have to upload them from Prow
+      su - stack -c "source /opt/stack/devstack/openrc admin admin && /opt/stack/devstack/tools/upload_image.sh https://storage.googleapis.com/artifacts.k8s-staging-capi-openstack.appspot.com/test/ubuntu/2021-03-27/ubuntu-2004-kube-v1.18.15.qcow2"
+      su - stack -c "source /opt/stack/devstack/openrc admin admin && /opt/stack/devstack/tools/upload_image.sh https://storage.googleapis.com/artifacts.k8s-staging-capi-openstack.appspot.com/test/cirros/2021-03-27/cirros-0.5.1-x86_64-disk.img"
+    }