openshift
diff --git a/‎_topic_maps/_topic_map.yml
Lines changed: 4 additions & 0 deletions b/‎_topic_maps/_topic_map.yml
Lines changed: 4 additions & 0 deletions
diff --git a/‎images/357_OpenShift_MetalLB_VRF_0823.png
51.7 KB b/‎images/357_OpenShift_MetalLB_VRF_0823.png
51.7 KB
diff --git a/‎modules/nw-egress-service-cr.adoc
Lines changed: 45 additions & 0 deletions b/‎modules/nw-egress-service-cr.adoc
Lines changed: 45 additions & 0 deletions
diff --git a/‎modules/nw-egress-service-ovn.adoc
Lines changed: 125 additions & 0 deletions b/‎modules/nw-egress-service-ovn.adoc
Lines changed: 125 additions & 0 deletions
diff --git a/‎modules/nw-metallb-configure-return-traffic-proc.adoc
Lines changed: 203 additions & 0 deletions b/‎modules/nw-metallb-configure-return-traffic-proc.adoc
Lines changed: 203 additions & 0 deletions
@@ -1323,6 +1323,8 @@ Topics:
     File: configuring-egress-ips-ovn
   - Name: Assigning an egress IP address
     File: assigning-egress-ips-ovn
+  - Name: Configuring an egress service
+    File: configuring-egress-traffic-for-vrf-loadbalancer-services
   - Name: Considerations for the use of an egress router pod
     File: using-an-egress-router-ovn
   - Name: Deploying an egress router pod in redirect mode
@@ -1451,6 +1453,8 @@ Topics:
     File: metallb-configure-bfd-profiles
   - Name: Configuring services to use MetalLB
     File: metallb-configure-services
+  - Name: Managing symmetric routing with MetalLB
+    File: metallb-configure-return-traffic
   - Name: MetalLB logging, troubleshooting, and support
     File: metallb-troubleshoot-support
 - Name: Associating secondary interfaces metrics to network attachments
 
@@ -0,0 +1,45 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/configuring-egress-traffic-for-vrf-loadbalancer-services.adoc
+
+:_content-type: REFERENCE
+[id="nw-egress-service-ovn-cr_{context}"]
+= Egress service custom resource
+
+Define the configuration for an egress service in an `EgressService` custom resource. The following YAML describes the fields for the configuration of an egress service:
+
+[source,yaml]
+----
+apiVersion: k8s.ovn.org/v1
+kind: EgressService
+metadata:
+  name: <egress_service_name> <1>
+  namespace: <namespace> <2>
+spec:
+  sourceIPBy: <egress_traffic_ip> <3>
+  nodeSelector: <4>
+    matchLabels:
+      node-role.kubernetes.io/<role>: "" 
+  network: <egress_traffic_network> <5>
+----
+<1> Specify the name for the egress service. The name of the `EgressService` resource must match the name of the load-balancer service that you want to modify.
+<2> Specify the namespace for the egress service. The namespace for the `EgressService` must match the namespace of the load-balancer service that you want to modify. The egress service is namespace-scoped.
+<3> Specify the source IP address of egress traffic for pods behind a service. Valid values are `LoadBalancerIP` or `Network`. Use the `LoadBalancerIP` value to assign the `LoadBalancer` service ingress IP address as the source IP address for egress traffic. Specify `Network` to assign the network interface IP address as the source IP address for egress traffic.
+<4> Optional: If you use the `LoadBalancerIP` value for the `sourceIPBy` specification, a single node handles the `LoadBalancer` service traffic. Use the `nodeSelector` field to limit which node can be assigned this task. When a node is selected to handle the service traffic, OVN-Kubernetes labels the node in the following format: `egress-service.k8s.ovn.org/<svc-namespace>-<svc-name>: ""`. When the `nodeSelector` field is not specified, any node can manage the `LoadBalancer` service traffic. 
+<5> Optional: Specify the routing table for egress traffic. If you do not include the `network` specification, the egress service uses the default host network.
+
+.Example egress service specification
+[source,yaml]
+----
+apiVersion: k8s.ovn.org/v1
+kind: EgressService
+metadata:
+  name: test-egress-service
+  namespace: test-namespace
+spec:
+  sourceIPBy: "LoadBalancerIP"
+  nodeSelector:
+    matchLabels:
+      vrf: "true"
+  network: "2"
+----
@@ -0,0 +1,125 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/configuring-egress-traffic-for-vrf-loadbalancer-services.adoc
+
+:_content-type: PROCEDURE
+[id="nw-egress-service-ovn_{context}"]
+= Deploying an egress service
+
+You can deploy an egress service to manage egress traffic for pods behind a `LoadBalancer` service.
+
+The following example configures the egress traffic to have the same source IP address as the ingress IP address of the `LoadBalancer` service.
+
+.Prerequisites
+
+* Install the OpenShift CLI (`oc`).
+* Log in as a user with `cluster-admin` privileges.
+* You configured MetalLB `BGPPeer` resources.
+
+.Procedure
+
+. Create an `IPAddressPool` CR with the desired IP for the service: 
+
+.. Create a file, such as `ip-addr-pool.yaml`, with content like the following example:
++
+[source,yaml]
+----
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: example-pool
+  namespace: metallb-system
+spec:
+  addresses:
+  - 172.19.0.100/32
+----
+
+.. Apply the configuration for the IP address pool by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f ip-addr-pool.yaml
+----
+
+. Create `Service` and `EgressService` CRs. 
+
+.. Create a file, such as `service-egress-service.yaml`, with content like the following example:
++
+[source,yaml,subs="+quotes,+macros"]
+----
+apiVersion: v1
+kind: Service
+metadata:
+  name: example-service
+  namespace: example-namespace
+  annotations:
+    metallb.universe.tf/address-pool: example-pool <1>
+spec:
+  selector:
+    app: example
+  ports:
+    - name: http
+      protocol: TCP
+      port: 8080
+      targetPort: 8080
+  type: LoadBalancer
+---
+apiVersion: k8s.ovn.org/v1
+kind: EgressService
+metadata:
+  name: example-service
+  namespace: example-namespace
+spec:
+  sourceIPBy: "LoadBalancerIP" <2>
+  nodeSelector: <3>
+    matchLabels:
+      node-role.kubernetes.io/worker: "" 
+----
+<1> The `LoadBalancer` service uses the IP address assigned by MetalLB from the `example-pool` IP address pool. 
+<2> This example uses the `LoadBalancerIP` value to assign the ingress IP address of the `LoadBalancer` service as the source IP address of egress traffic.
+<3> When you specify the `LoadBalancerIP` value, a single node handles the `LoadBalancer` service's traffic. In this example, only nodes with the `worker` label can be selected to handle the traffic. When a node is selected, OVN-Kubernetes labels the node in the following format `egress-service.k8s.ovn.org/<svc-namespace>-<svc-name>: ""`.
++
+[NOTE]
+====
+If you use the `sourceIPBy: "LoadBalancerIP"` setting, you must specify the load-balancer node in the `BGPAdvertisement` custom resource (CR).
+====
+
+.. Apply the configuration for the service and egress service by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f service-egress-service.yaml
+----
+
+. Create a `BGPAdvertisement` CR to advertise the service:
+
+.. Create a file, such as `service-bgp-advertisement.yaml`, with content like the following example:
++
+[source,yaml]
+----
+apiVersion: metallb.io/v1beta1
+kind: BGPAdvertisement
+metadata:
+  name: example-bgp-adv
+  namespace: metallb-system
+spec:
+  ipAddressPools:
+  - example-pool
+  nodeSelector:
+  - matchLabels:
+      egress-service.k8s.ovn.org/example-namespace-example-service: "" <1>
+----
+
+<1> In this example, the `EgressService` CR configures the source IP address for egress traffic to use the load-balancer service IP address. Therefore, you must specify the load-balancer node for return traffic to use the same return path for the traffic originating from the pod.
+
+.Verification
+
+ . Verify that you can access the application endpoint of the pods running behind the MetalLB service by running the following command:
++
+[source,terminal]
+----
+$ curl <external_ip_address>:<port_number> <1>
+----
+<1> Update the external IP address and port number to suit your application endpoint.
+
+. If you assigned the `LoadBalancer` service's ingress IP address as the source IP address for egress traffic, verify this configuration by using tools such as `tcpdump` to analyze packets received at the external client. 
@@ -0,0 +1,203 @@
+// Module included in the following assemblies:
+//
+// * networking/ovn_kubernetes_network_provider/configuring-egress-traffic-for-vrf-loadbalancer-services.adoc
+
+:_content-type: PROCEDURE
+[id="nw-metallb-configure-return-traffic-proc_{context}"]
+= Configuring symmetric routing by using VRFs with MetalLB
+
+You can configure symmetric network routing for applications behind a MetalLB service that require the same ingress and egress network paths. 
+
+This example associates a VRF routing table with MetalLB and an egress service to enable symmetric routing for ingress and egress traffic for pods behind a `LoadBalancer` service.
+
+[NOTE]
+====
+* If you use the `sourceIPBy: "LoadBalancerIP"` setting in the `EgressService` CR, you must specify the load-balancer node in the `BGPAdvertisement` custom resource (CR).
+
+* You can use the `sourceIPBy: "Network"` setting on clusters that use OVN-Kubernetes configured with the `gatewayConfig.routingViaHost` specification set to `true` only. Additionally, if you use the `sourceIPBy: "Network"` setting, you must schedule the application workload on nodes configured with the network VRF instance. 
+====
+
+.Prerequisites
+
+* Install the OpenShift CLI (`oc`).
+* Log in as a user with `cluster-admin` privileges.
+
+.Procedure
+
+. Create a `NodeNetworkConfigurationPolicy` CR to define the VRF instance:
+
+.. Create a file, such as `node-network-vrf.yaml`, with content like the following example:
++
+[source,yaml]
+----
+apiVersion: nmstate.io/v1
+kind: NodeNetworkConfigurationPolicy
+metadata:
+  name: vrfpolicy <1>
+spec:
+  nodeSelector: 
+    vrf: "true" <2>
+  maxUnavailable: 3 
+  desiredState:
+    interfaces:
+      - name: ens4vrf <3>
+        type: vrf <4>
+        state: up
+        vrf:
+          port:
+            - ens4 <5>
+          route-table-id: 2 <6>
+    routes: <7>
+      config:
+        - destination: 0.0.0.0/0 
+          metric: 150
+          next-hop-address: 192.168.130.1
+          next-hop-interface: ens4
+          table-id: 2
+    route-rules: <8>
+      config:
+        - ip-to: 172.30.0.0/16
+          priority: 998
+          route-table: 254
+        - ip-to: 10.132.0.0/14
+          priority: 998
+          route-table: 254
+----
+<1> The name of the policy.
+<2> This example applies the policy to all nodes with the label `vrf:true`.
+<3> The name of the interface.
+<4> The type of interface. This example creates a VRF instance.
+<5> The node interface that the VRF attaches to.
+<6> The name of the route table ID for the VRF.
+<7> Defines the configuration for network routes. The `next-hop-address` field defines the IP address of the next hop for the route. The `next-hop-interface` field defines the outgoing interface for the route. In this example, the VRF routing table is `2`, which references the ID that you define in the `EgressService` CR.
+<8> Defines additional route rules. The `ip-to` fields must match the `Cluster Network` CIDR and `Service Network` CIDR. You can view the values for these CIDR address specifications by running the following command: `oc describe network.config/cluster`.
+
+.. Apply the policy by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f node-network-vrf.yaml
+----
+
+. Create a `BGPPeer` custom resource (CR):
+
+.. Create a file, such as `frr-via-vrf.yaml`, with content like the following example:
++
+[source,yaml]
+----
+apiVersion: metallb.io/v1beta2
+kind: BGPPeer
+metadata:
+  name: frrviavrf
+  namespace: metallb-system
+spec:
+  myASN: 100
+  peerASN: 200
+  peerAddress: 192.168.130.1
+  vrf: ens4vrf <1>
+----
+<1> Specifies the VRF instance to associate with the BGP peer. MetalLB can advertise services and make routing decisions based on the routing information in the VRF. 
+
+.. Apply the configuration for the BGP peer by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f frr-via-vrf.yaml
+----
+
+. Create an `IPAddressPool` CR:
+
+.. Create a file, such as `first-pool.yaml`, with content like the following example:
++
+[source,yaml]
+----
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: first-pool
+  namespace: metallb-system
+spec:
+  addresses:
+  - 192.169.10.0/32
+----
+
+.. Apply the configuration for the IP address pool by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f first-pool.yaml
+----
+
+. Create a `BGPAdvertisement` CR:
+
+.. Create a file, such as `first-adv.yaml`, with content like the following example:
++
+[source,yaml]
+----
+apiVersion: metallb.io/v1beta1
+kind: BGPAdvertisement
+metadata:
+  name: first-adv
+  namespace: metallb-system
+spec:
+  ipAddressPools:
+    - first-pool
+  peers:
+    - frrviavrf <1>
+  nodeSelectors: 
+    - matchLabels:
+        egress-service.k8s.ovn.org/test-server1: "" <2>
+----
+<1> In this example, MetalLB advertises a range of IP addresses from the `first-pool` IP address pool to the `frrviavrf` BGP peer.
+<2> In this example, the `EgressService` CR configures the source IP address for egress traffic to use the load-balancer service IP address. Therefore, you must specify the load-balancer node for return traffic to use the same return path for the traffic originating from the pod. 
+
+.. Apply the configuration for the BGP advertisement by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f first-adv.yaml
+----
+
+. Create an `EgressService` CR: 
+
+.. Create a file, such as `egress-service.yaml`, with content like the following example:
++
+[source,yaml,options="nowrap",role="white-space-pre"]
+----
+apiVersion: k8s.ovn.org/v1
+kind: EgressService
+metadata:
+  name: server1 <1>
+  namespace: test <2>
+spec:
+  sourceIPBy: "LoadBalancerIP" <3>
+  nodeSelector:
+    matchLabels:
+      vrf: "true" <4>
+  network: "2" <5>
+----
+<1> Specify the name for the egress service. The name of the `EgressService` resource must match the name of the load-balancer service that you want to modify. 
+<2> Specify the namespace for the egress service. The namespace for the `EgressService` must match the namespace of the load-balancer service that you want to modify. The egress service is namespace-scoped.
+<3> This example assigns the `LoadBalancer` service ingress IP address as the source IP address for egress traffic.
+<4> If you specify `LoadBalancer` for the `sourceIPBy` specification, a single node handles the `LoadBalancer` service traffic. In this example, only a node with the label `vrf: "true"` can handle the service traffic. If you do not specify a node, OVN-Kubernetes selects a worker node to handle the service traffic. When a node is selected, OVN-Kubernetes labels the node in the following format: `egress-service.k8s.ovn.org/<svc_namespace>-<svc_name>: ""`. 
+<5> Specify the routing table for egress traffic.
+
+.. Apply the configuration for the egress service by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f egress-service.yaml
+----
+
+.Verification
+
+. Verify that you can access the application endpoint of the pods running behind the MetalLB service by running the following command:
++
+[source,terminal]
+----
+$ curl <external_ip_address>:<port_number> <1>
+----
+<1> Update the external IP address and port number to suit your application endpoint.
+
+. Optional: If you assigned the `LoadBalancer` service ingress IP address as the source IP address for egress traffic, verify this configuration by using tools such as `tcpdump` to analyze packets received at the external client. 
+