Convert to DaemonSet and fix update strategy of ovnkube-identity pods

crnithya · crnithya · commit ad2d26353735 · 2025-04-14T21:55:50.000-07:00
Ovnkube-identity pods should run on all control-plane nodes and
require that a newly created pod is fully functional before the old
one can be terminated and hence require additional pods during upgrades

Signed-off-by: nithyar &lt;nithyar@nvidia.com&gt;
diff --git a/dist/templates/ovnkube-identity.yaml.j2 b/dist/templates/ovnkube-identity.yaml.j2
@@ -1,26 +1,24 @@
 # ovnkube-identity
 # starts ovnkube-identity
 # it is run on the master(s).
-kind: Deployment
+kind: DaemonSet
 apiVersion: apps/v1
 metadata:
   name: ovnkube-identity
   # namespace set up by install
   namespace: ovn-kubernetes
   annotations:
     kubernetes.io/description: |
-      This Deployment launches the ovnkube-identity networking component.
+      This DaemonSet launches the ovnkube-identity networking component on control-plane nodes.
 spec:
-  progressDeadlineSeconds: 600
-  replicas: {{ ovn_master_count | default(1|int) }}
   revisionHistoryLimit: 10
   selector:
     matchLabels:
       name: ovnkube-identity
-  strategy:
+  updateStrategy:
     rollingUpdate:
-      maxSurge: 0
-      maxUnavailable: 1
+      maxSurge: 100%
+      maxUnavailable: 0
     type: RollingUpdate
   template:
     metadata:
@@ -35,20 +33,9 @@ spec:
       serviceAccountName: ovnkube-identity
       hostNetwork: true
       dnsPolicy: Default
-
-      # required to be scheduled on a linux node with node-role.kubernetes.io/control-plane label and
-      # only one instance of ovnkube-control-plane pod per node
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-              - matchExpressions:
-                  - key: node-role.kubernetes.io/control-plane
-                    operator: Exists
-                  - key: kubernetes.io/os
-                    operator: In
-                    values:
-                      - "linux"
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+        kubernetes.io/os: "linux"
       containers:
       - name: ovnkube-identity
         image: "{{ ovn_image | default('docker.io/ovnkube/ovn-daemonset:latest') }}"
diff --git a/helm/ovn-kubernetes/charts/ovnkube-identity/templates/ovnkube-identity.yaml b/helm/ovn-kubernetes/charts/ovnkube-identity/templates/ovnkube-identity.yaml
@@ -2,26 +2,24 @@
 # ovnkube-identity
 # starts ovnkube-identity
 # it is run on the master(s).
-kind: Deployment
+kind: DaemonSet
 apiVersion: apps/v1
 metadata:
   name: ovnkube-identity
   # namespace set up by install
   namespace: ovn-kubernetes
   annotations:
     kubernetes.io/description: |
-      This Deployment launches the ovnkube-identity networking component.
+      This DaemonSet launches the ovnkube-identity networking component on control-plane nodes.
 spec:
-  progressDeadlineSeconds: 600
-  replicas: {{ default 1 .Values.replicas }}
   revisionHistoryLimit: 10
   selector:
     matchLabels:
       name: ovnkube-identity
-  strategy:
+  updateStrategy:
     rollingUpdate:
-      maxSurge: 0
-      maxUnavailable: 1
+      maxSurge: 100%
+      maxUnavailable: 0
     type: RollingUpdate
   template:
     metadata:
@@ -40,9 +38,9 @@ spec:
       serviceAccountName: ovnkube-identity
       hostNetwork: true
       dnsPolicy: Default
-      {{- if .Values.affinity }}
-      affinity: {{ toYaml .Values.affinity | nindent 8 }}
-      {{- end }}
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+        kubernetes.io/os: "linux"
       containers:
       - name: ovnkube-identity
         image: {{ include "getImage" . }}
@@ -78,4 +76,4 @@ spec:
             secretName: ovnkube-webhook-cert
       tolerations:
       - operator: "Exists"
-{{- end }}
+{{- end }}
diff --git a/helm/ovn-kubernetes/charts/ovnkube-identity/values.yaml b/helm/ovn-kubernetes/charts/ovnkube-identity/values.yaml
@@ -1,29 +1,4 @@
-replicas: 1
 logLevel: 4
 logFileMaxSize: 100
 logFileMaxBackups: 5
 logFileMaxAge: 5
-
-## Affinity for pod assignment
-## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-## Required to be scheduled on a linux node and only one instance of ovnkube-identity pod per node
-affinity:
-  nodeAffinity:
-    requiredDuringSchedulingIgnoredDuringExecution:
-      nodeSelectorTerms:
-        - matchExpressions:
-            - key: node-role.kubernetes.io/control-plane
-              operator: Exists
-            - key: kubernetes.io/os
-              operator: In
-              values:
-                - "linux"
-  podAntiAffinity:
-    requiredDuringSchedulingIgnoredDuringExecution:
-      - labelSelector:
-          matchExpressions:
-            - key: name
-              operator: In
-              values:
-                - ovnkube-identity
-        topologyKey: kubernetes.io/hostname
