OSASINFRA-3066: Added migration procedure for Kuryr SDN. (#54822)

Co-authored-by: Max Bridges <[email protected]>

Author: gryf

_topic_maps/_topic_map.yml

@@ -1292,6 +1292,8 @@ Topics:
     File: migrate-from-openshift-sdn
   - Name: Rolling back to the OpenShift SDN network plugin
     File: rollback-to-openshift-sdn
+  - Name: Migrating from Kuryr
+    File: migrate-from-kuryr-sdn
   - Name: Converting to IPv4/IPv6 dual stack networking
     File: converting-to-dual-stack
   - Name: Logging for egress firewall and network policy rules

modules/nw-kuryr-cleanup.adoc

@@ -0,0 +1,289 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/migrate-from-kuryr-sdn.adoc
+
+:_content-type: PROCEDURE
+[id="nw-kuryr-cleanup_{context}"]
+= Cleaning up resources after migration
+
+After migration from the Kuryr network plugin to the OVN-Kubernetes network
+plugin, you must clean up the resources that Kuryr created previously.
+
+[NOTE]
+====
+The clean up process relies on a Python virtual environment to ensure that the package versions that you use support tags for Octavia objects. You do not need a virtual environment if you are certain that your environment uses at minimum:
+* `openstacksdk` version 0.54.0
+* `python-openstackclient` version 5.5.0
+* `python-octaviaclient` version 2.3.0 
+====
+
+.Prerequisites
+
+* You installed the {product-title} CLI (`oc`).
+* You installed a Python interpreter.
+* You installed the `openstacksdk` Python package.
+* You installed the `openstack` CLI.
+* You have access to the underlying {rh-openstack} cloud.
+* You can access the cluster as a user with the `cluster-admin` role.
+
+.Procedure
+. Create a clean-up Python virtual environment:
+.. Create a temporary directory for your environment. For example:
++
+[source,terminal]
+----
+$ python3 -m venv /tmp/venv
+----
++
+The virtual environment located in `/tmp/venv` directory is used in all clean up examples.
+.. Enter the virtual environment. For example:
++
+[source,terminal]
+----
+$ source /tmp/venv/bin/activate
+----
+.. Upgrade the `pip` command in the virtual environment by running the following command:
++
+[source,terminal]
+----
+(venv) $ pip install pip --upgrade
+----
+.. Install the required Python packages by running the following command:
++
+[source,terminal]
+----
+(venv) $ pip install openstacksdk==0.54.0 python-openstackclient==5.5.0 python-octaviaclient==2.3.0
+----
+
+. In your terminal, set variables to cluster and Kuryr identifiers by running the following commands:
+
+.. Set the cluster ID:
++
+[source,terminal]
+----
+(venv) $ CLUSTERID=$(oc get infrastructure.config.openshift.io cluster -o=jsonpath='{.status.infrastructureName}')
+----
+
+.. Set the cluster tag:
++
+[source,terminal]
+----
+(venv) $ CLUSTERTAG="openshiftClusterID=${CLUSTERID}"
+----
+.. Set the router ID:
++
+[source,terminal]
+----
+(venv) $ ROUTERID=$(oc get kuryrnetwork -A --no-headers -o custom-columns=":status.routerId"|head -n 1)
+----
+
+. Create a Bash function that removes finalizers from specified resources by running the following command:
++
+[source,terminal]
+----
+(venv) $ function REMFIN {
+    local resource=$1
+    local finalizer=$2
+    for res in $(oc get $resource -A --template='{{range $i,$p := .items}}{{ $p.metadata.name }}|{{ $p.metadata.namespace }}{{"\n"}}{{end}}'); do
+        name=${res%%|*}
+        ns=${res##*|}
+        yaml=$(oc get -n $ns $resource $name -o yaml)
+        if echo "${yaml}" | grep -q "${finalizer}"; then
+            echo "${yaml}" | grep -v  "${finalizer}" | oc replace -n $ns $resource $name -f -
+        fi
+    done
+}
+----
++
+The function takes two parameters: the first parameter is name of the resource, and the second parameter is the finalizer to remove.
+The named resource is removed from the cluster and its definition is replaced with copied data, excluding the specified finalizer.
+
+. To remove Kuryr finalizers from services, enter the following command:
++
+[source,terminal]
+----
+(venv) $ REMFIN services kuryr.openstack.org/service-finalizer
+----
+
+. To remove the Kuryr `service-subnet-gateway-ip` service, enter the following command:
++
+[source,terminal]
+----
+(venv) $ if $(oc get -n openshift-kuryr service service-subnet-gateway-ip &>/dev/null); then
+    oc -n openshift-kuryr delete service service-subnet-gateway-ip
+fi
+----
+
+. To remove all tagged {rh-openstack} load balancers from Octavia, enter the following command:
++
+[source,terminal]
+----
+(venv) $ for lb in $(openstack loadbalancer list --tags $CLUSTERTAG -f value -c id); do
+    openstack loadbalancer delete --cascade $lb
+done
+----
+
+. To remove Kuryr finalizers from all `KuryrLoadBalancer` CRs, enter the following command:
++
+[source,terminal]
+----
+(venv) $ REMFIN kuryrloadbalancers.openstack.org kuryr.openstack.org/kuryrloadbalancer-finalizers
+----
+
+. To remove the `openshift-kuryr` namespace, enter the following command:
++
+[source,terminal]
+----
+(venv) $ oc delete namespace openshift-kuryr
+----
+
+. To remove the Kuryr service subnet from the router, enter the following command:
++
+[source,terminal]
+----
+(venv) $ openstack router remove subnet $ROUTERID ${CLUSTERID}-kuryr-service-subnet
+----
+
+. To remove the Kuryr service network, enter the following command:
++
+[source,terminal]
+----
+(venv) $ openstack network delete ${CLUSTERID}-kuryr-service-network
+----
+
+. To remove Kuryr finalizers from all pods, enter the following command:
++
+[source,terminal]
+----
+(venv) $ REMFIN pods kuryr.openstack.org/pod-finalizer
+----
+
+. To remove Kuryr finalizers from all `KuryrPort` CRs, enter the following command:
++
+[source,terminal]
+----
+(venv) $ REMFIN kuryrports.openstack.org kuryr.openstack.org/kuryrport-finalizer
+----
+This command deletes the `KuryrPort` CRs.
+
+. To remove Kuryr finalizers from network policies, enter the following command:
++
+[source,terminal]
+----
+(venv) $ REMFIN networkpolicy kuryr.openstack.org/networkpolicy-finalizer
+----
+
+. To remove Kuryr finalizers from remaining network policies, enter the following command:
++
+[source,terminal]
+----
+(venv) $ REMFIN kuryrnetworkpolicies.openstack.org kuryr.openstack.org/networkpolicy-finalizer
+----
+
+. To remove subports that Kuryr created from trunks, enter the following command:
++
+[source,terminal]
+----
+(venv) $ read -ra trunks <<< $(python -c "import openstack; n = openstack.connect().network; print(' '.join([x.id for x in n.trunks(any_tags='$CLUSTERTAG')]))") && \
+i=0 && \
+for trunk in "${trunks[@]}"; do
+    i=$((i+1))
+    echo "Processing trunk $trunk, ${i}/${#trunks[@]}."
+    subports=()
+    for subport in $(python -c "import openstack; n = openstack.connect().network; print(' '.join([x['port_id'] for x in n.get_trunk('$trunk').sub_ports if '$CLUSTERTAG' in n.get_port(x['port_id']).tags]))"); do
+        subports+=("$subport");
+    done
+    args=()
+    for sub in "${subports[@]}" ; do
+        args+=("--subport $sub")
+    done
+    if [ ${#args[@]} -gt 0 ]; then
+        openstack network trunk unset ${args[*]} $trunk
+    fi
+done
+----
+
+. To retrieve all networks and subnets from `KuryrNetwork` CRs and remove ports, router interfaces and the network itself, enter the following command:
++
+[source,terminal]
+----
+(venv) $ mapfile -t kuryrnetworks < <(oc get kuryrnetwork -A --template='{{range $i,$p := .items}}{{ $p.status.netId }}|{{ $p.status.subnetId }}{{"\n"}}{{end}}') && \
+i=0 && \
+for kn in "${kuryrnetworks[@]}"; do
+    i=$((i+1))
+    netID=${kn%%|*}
+    subnetID=${kn##*|}
+    echo "Processing network $netID, ${i}/${#kuryrnetworks[@]}"
+    # Remove all ports from the network.
+    for port in $(python -c "import openstack; n = openstack.connect().network; print(' '.join([x.id for x in n.ports(network_id='$netID') if x.device_owner != 'network:router_interface']))"); do
+        ( openstack port delete $port ) &
+
+        # Only allow 20 jobs in parallel.
+        if [[ $(jobs -r -p | wc -l) -ge 20 ]]; then
+            wait -n
+        fi
+    done
+    wait
+
+    # Remove the subnet from the router.
+    openstack router remove subnet $ROUTERID $subnetID
+
+    # Remove the network.
+    openstack network delete $netID
+done
+----
+
+. To remove the Kuryr security group, enter the following command:
++
+[source,terminal]
+----
+(venv) $ openstack security group delete ${CLUSTERID}-kuryr-pods-security-group
+----
+
+. To remove all tagged subnet pools, enter the following command:
++
+[source,terminal]
+----
+(venv) $ for subnetpool in $(openstack subnet pool list --tags $CLUSTERTAG -f value -c ID); do
+    openstack subnet pool delete $subnetpool
+done
+----
+
+. To check that all of the networks based on `KuryrNetwork` CRs were removed, enter the following command:
++
+[source,terminal]
+----
+(venv) $ networks=$(oc get kuryrnetwork -A --no-headers -o custom-columns=":status.netId") && \
+for existingNet in $(openstack network list --tags $CLUSTERTAG -f value -c ID); do
+    if [[ $networks =~ $existingNet ]]; then
+        echo "Network still exists: $existingNet"
+    fi
+done
+----
++
+If the command returns any existing networks, intestigate and remove them before you continue.
+
+. To remove security groups that are related to network policy, enter the following command:
++
+[source,terminal]
+----
+(venv) $ for sgid in $(openstack security group list -f value -c ID -c Description | grep 'Kuryr-Kubernetes Network Policy' | cut -f 1 -d ' '); do
+    openstack security group delete $sgid
+done
+----
+
+. To remove finalizers from `KuryrNetwork` CRs, enter the following command:
++
+[source,terminal]
+----
+(venv) $ REMFIN kuryrnetworks.openstack.org kuryrnetwork.finalizers.kuryr.openstack.org
+----
+
+. To remove the Kuryr router, enter the following command:
++
+[source,terminal]
+----
+(venv) $ if $(python3 -c "import sys; import openstack; n = openstack.connect().network; r = n.get_router('$ROUTERID'); sys.exit(0) if r.description != 'Created By OpenShift Installer' else sys.exit(1)"); then
+    openstack router delete $ROUTERID
+fi
+----

modules/nw-kuryr-migration-about.adoc

@@ -0,0 +1,58 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc
+
+:_content-type: CONCEPT
+[id="nw-kuryr-ovn-kubernetes-migration-about_{context}"]
+= Migration to the OVN-Kubernetes network provider
+
+You can manually migrate a cluster that runs on {rh-openstack-first} to the OVN-Kubernetes network provider.
+
+[IMPORTANT]
+====
+Migration to OVN-Kubernetes is a one-way process.
+During migration, your cluster will be unreachable for a brief time.
+====
+
+[id="considerations-kuryr-migrating-network-provider_{context}"]
+== Considerations when migrating to the OVN-Kubernetes network provider
+
+Kubernetes namespaces are kept by Kuryr in separate {rh-openstack} networking service (Neutron) subnets. Those subnets and the IP addresses that are assigned to individual pods are not preserved during the migration.
+
+[id="how-the-kuryr-migration-process-works_{context}"]
+== How the migration process works
+
+The following table summarizes the migration process by relating the steps that you perform with the actions that your cluster and Operators take.
+
+.The Kuryr to OVN-Kubernetes migration process
+[cols="1,1a",options="header"]
+|===
+
+|User-initiated steps|Migration activity
+
+|
+Set the `migration` field of the `Network.operator.openshift.io` custom resource (CR) named `cluster` to `OVNKubernetes`. Verify that the value of the `migration` field prints the `null` value before setting it to another value.
+|
+Cluster Network Operator (CNO):: Updates the status of the `Network.config.openshift.io` CR named `cluster` accordingly.
+Machine Config Operator (MCO):: Deploys an update to the systemd configuration that is required by OVN-Kubernetes. By default, the MCO updates a single machine per pool at a time. As a result, large clusters have longer migration times.
+
+|Update the `networkType` field of the `Network.config.openshift.io` CR.
+|
+CNO:: Performs the following actions:
++
+--
+* Destroys the Kuryr control plane pods: Kuryr CNIs and the Kuryr controller.
+* Deploys the OVN-Kubernetes control plane pods.
+* Updates the Multus objects to reflect the new network plugin.
+--
+
+|
+Reboot each node in the cluster.
+|
+Cluster:: As nodes reboot, the cluster assigns IP addresses to pods on the OVN-Kubernetes cluster network.
+
+|
+Clean up remaining resources Kuryr controlled.
+|
+Cluster:: Holds {rh-openstack} resources that need to be freed, as well as {product-title} resources to configure.
+|===