Update ovs-pipeline.md

[hongliangl]

Signed-off-by: Hongliang Liu [email protected]

[jianjuns]

How about: "a load balancer feature that always selects the same backend server for connections from a particular clients. For a K8s Service, session affinity can be enabled by setting..."?

[hongliangl]

I changed a little.

* *session affinity*: a load balancer feature that always selects the same backend
  Endpoint for connections from a particular client. For a K8s Service, session
  affinity can be enabled by setting `service.spec.sessionAffinity` to "ClientIP"
  (default is "None"). See [K8s Service](https://kubernetes.io/docs/concepts/services-networking/service/)
  for more information about session affinity.

[jianjuns]

Sure. Maybe change Endpoint to endpoint (I feel no reason to capitalize endpoint).

[hongliangl]

I changed Endpoint to Pod. I thought that Pod is more accurate.

[codecov-commenter]

Codecov Report

Merging #2725 (5c6668a) into main (e32664e) will decrease coverage by 20.34%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##             main    #2725       +/-   ##
===========================================
- Coverage   61.26%   40.92%   -20.35%     
===========================================
  Files         284      158      -126     
  Lines       23562    19539     -4023     
===========================================
- Hits        14436     7996     -6440     
- Misses       7564    10796     +3232     
+ Partials     1562      747      -815     

Flag	Coverage Δ
kind-e2e-tests	?
unit-tests	40.92% <ø> (+0.05%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/ovs/openflow/default.go	0.00% <0.00%> (-100.00%)	⬇️
pkg/util/runtime/runtime.go	0.00% <0.00%> (-100.00%)	⬇️
pkg/agent/cniserver/pod_configuration_linux.go	0.00% <0.00%> (-100.00%)	⬇️
pkg/ovs/openflow/logs.go	9.52% <0.00%> (-90.48%)	⬇️
pkg/apis/controlplane/register.go	0.00% <0.00%> (-90.00%)	⬇️
pkg/agent/nodeportlocal/k8s/annotations.go	0.00% <0.00%> (-83.88%)	⬇️
pkg/agent/agent_linux.go	0.00% <0.00%> (-80.00%)	⬇️
pkg/agent/client.go	0.00% <0.00%> (-77.42%)	⬇️
pkg/ovs/ovsconfig/ovs_client_linux.go	0.00% <0.00%> (-76.93%)	⬇️
pkg/flowaggregator/certificate.go	0.00% <0.00%> (-76.58%)	⬇️
... and 231 more

[jianjuns]

A few more comments.

[jianjuns]

done by -> done in

[hongliangl]

Thanks，updated.

[jianjuns]

Read it again, and feel "done in the target OVS group" is hard to understand. Should we say "done by the group action"?

[hongliangl]

done by the group action is better.

[jianjuns]

How about: "selection "is performed""

[hongliangl]

IMO, it is a little wierde to use perform only for this sentence as other related sentences use done.

[jianjuns]

I want to use "performed" is just because it is not really "done", and for the same reason I would use "is" rather than "has been", and also quote "is performed".

[hongliangl]

Got what you meant, thanks for explaining.

[hongliangl]

Updated.

[jianjuns]

I suggest to remove the "so..." sentence. It is even confusing with it.

[hongliangl]

Agreed.

[jianjuns]

workaround way -> workaround

[jianjuns]

Still I cannot understand what you want to express here. Probably you should add more information to explain why the workaround can help hold more endpoints, or say: "However, we set the bits here, for the purpose of supporting more Endpoints in an OVS group. Check PR #2101 to learn more information."

[hongliangl]

I prefer to say "However, we set the bits here, for the purpose of supporting more Endpoints in an OVS group. Check PR #2101 to learn more information". It's a little complicated to explain the reason, and I think it is unnecessary to explain in the doc.

[jianjuns]

Ok

[jianjuns]

should be -> need to be

[hongliangl]

Thanks, updated.

[jianjuns]

should be -> need to be

[hongliangl]

Thanks, updated.

[jianjuns]

Comments on the SVG diagram:

1. Service ClusterIP/LoadBalancer traffic -> ClusterIP/LoadBalancer Service traffic. The same for NodePort.
2. Could we keep the version when AntreaProxy is disabled? Do not have a good idea how to do that. Could we put the fragment of "ContrackStateTable, DNATTable, AntreaPolicyEgressRuleTable, output:gw, kube-proxy", after the main diagram?

We probably need @antoninbas to check the SVG format.

[hongliangl]

Service ClusterIP/LoadBalancer traffic -> ClusterIP/LoadBalancer Service traffic. The same for NodePort.

Updated

Could we keep the version when AntreaProxy is disabled? Do not have a good idea how to do that. Could we put the fragment of "ContrackStateTable, DNATTable, AntreaPolicyEgressRuleTable, output:gw, kube-proxy", after the main diagram?

If keeping the version when AntreaProxy is disabled, I think we need another document. I have made some assumptions for this document as we can see the following:

This document currently makes the following assumptions:

Antrea is used in encap mode (an overlay network is created between all Nodes)
AntreaProxy is enabled
All the Nodes are Linux Nodes
IPv6 is disabled

I think we may maintain a document for each of the following cases if possible:

• AntreaProxy is disabled.
• AntreaProxy is enabled and ProxyAll is disabled.
• AntreaProxy is enabled and ProxyAll is enabled.

But I don't have a good idea how to deal with the common parts(e.g, table 0, table 110, register introduction) of above three cases.

[jianjuns]

Probably not worthwhile to maintain two docs. How about just keep the pipeline SVG or a corner of it for the kube-proxy case?

[hongliangl]

Probably not worthwhile to maintain two docs. How about just keep the pipeline SVG or a corner of it for the kube-proxy case?

If we keep the pipeline SVG with AntreaProxy disabled, I think we need also to explain table DnatTable and add more explanation for table ServiceHairpinTable, HairpinSNATTable(They should not exist when AntreaProxy is disabled).
For table SpoofGuardTable, when AntreaProxy is disabled, the IP packet goes to ConntrackTable, otherwise the IP packet should go to ServiceHairpinTable. I think we should explain this, but this may confuse readers. Since AntreaProxy is enabled by default, I think we may not keep the pipeline SVG with AntreaProxy disabled.

a corner of it for the kube-proxy case?

Do you mean that we add a extra chapter to explain the case with AntreaProxy disabled?

[jianjuns]

Do you mean that we add a extra chapter to explain the case with AntreaProxy disabled?
Yeah, maybe we can add a section to talk about AntreaProxy disabled. It just needs to talk about the differences, like DNATTable.

[jianjuns]

It is ok to me too, if you like to merge the current PR. I can create another PR to add the contents with kube-proxy back.

[hongliangl]

It is ok to me too, if you like to merge the current PR. I can create another PR to add the contents with kube-proxy back.

Updated, I have add contents with kube-proxy back.

[jianjuns]

How about adding a separate section under Tables that talks about the case when kube-proxy is used, and put the diagram and DNATTable there?
@antoninbas : thoughts?

[antoninbas]

yes, that sounds good to me. We should just emphasize the default case, which is AntreaProxy enabled.

[antoninbas]

took a quick look at the SVG file and the formatting looks good to me; I didn't review the rest of this PR

[antoninbas]

yes, that sounds good to me. We should just emphasize the default case, which is AntreaProxy enabled.

[antoninbas]

s/as the following/as follows

[hongliangl]

took a quick look at the SVG file and the formatting looks good to me; I didn't review the rest of this PR

Thanks.

[jianjuns]

is created only when AntreaProxy is disabled

[hongliangl]

Updated.

[jianjuns]

gateway -> gateway interface, to be clearer.

[hongliangl]

Thanks, updated.

[jianjuns]

EgressRuleTable -> AntreaPolicyEgressRuleTable

[hongliangl]

Thanks, updated.

[jianjuns]

Could you rename DnatTable to DNATTable in the SVG?

[hongliangl]

Sure, updated, @antoninbas could you please review the updated SVG file? Thanks!

[hongliangl]

/skip-all

[hongliangl]

/skip-test-ipv6-conformance
/skip-test-ipv6-e2e
/skip-test-ipv6-networkpolicy
/skip-test-ipv6-only-conformance
/skip-test-ipv6-only-networkpolicy
/skip-test-windows-conformance
/skip-test-windows-e2e
/skip-test-windows-networkpolicy

[jianjuns]

@hongliangl : I am going to merge this PR. Do you have any further revision to make?

[jianjuns]

/skip-all

[hongliangl]

@hongliangl : I am going to merge this PR. Do you have any further revision to make?

@jianjuns , thanks for merging this. No more further revision.