Add baremetal provisioning configuration in a new CR #540
Conversation
openshift-ci-robot
added
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: sadasu The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
sadasu
force-pushed
the
metal3-new-CR
branch
2 times, most recently
from
448c442 to
aa9604c
Compare
operator/v1/types_baremetal.go
Outdated
|
|
||
| // dhcpRange is the IP address range on the provisioning subnet from which baremetal hosts | ||
| // can be assigned an IP address. | ||
| DHCPRange string `json:"dhcpRange,omitempty"` |
There was a problem hiding this comment.
This needs an update to match the ProvisioningDHCP interface we finally settled on in openshift/enhancements#119
There was a problem hiding this comment.
I'd expect this type to also have OperatorSpec since it has several crucial elements that every operator's spec should have.
|
@sadasu can this get an update to unblock the related MAO and installer work? |
Yes, I have been working on it since the enahncement merged. I working through some issues in my code. Will update with latest code shortly. |
operator/v1/types_baremetal.go
Outdated
|
|
||
| // dhcpRange is the IP address range on the provisioning subnet from which baremetal hosts | ||
| // can be assigned an IP address. | ||
| DHCPRange string `json:"dhcpRange,omitempty"` |
There was a problem hiding this comment.
I'd expect this type to also have OperatorSpec since it has several crucial elements that every operator's spec should have.
sadasu
force-pushed
the
metal3-new-CR
branch
from
aa9604c to
4ba76a3
Compare
|
@abhinavdahiya @enxebre @soltysh here is my WIP implementation for https://github.com/openshift/enhancements/blob/master/enhancements/baremetal/baremetal-provisioning-config.md. I still have some TODOs which I am hoping to get some help with:
Thanks! |
sadasu
force-pushed
the
metal3-new-CR
branch
from
4ba76a3 to
d4c2393
Compare
sadasu
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
Have a look at one of the pre-existing CRDs definitions if in doubt where to put stuff, https://github.com/openshift/api/blob/master/operator/v1/types_scheduler.go, for example.
List struct is to enable passing the resource and retrieving it through regular GET operation when you don't specify name. It should be there, look at others again, most if not all our operators' CRs exists as a single instance.
No, you need to provide the initial YAML for the CRD, the generation will update its contents with the validation parts, only. |
operator/v1/types_baremetal.go
Outdated
| type ProvisioningDHCP struct { | ||
| // managementState indicates whether the DHCP service would be started within | ||
| // the metal3 cluster or would use an external DHCP service | ||
| ManagementState ManagementState `json:"managementState"` |
There was a problem hiding this comment.
I think instead of adding the ManagementState fields, we could embed the OperatorSpec struct instead
| ManagementState ManagementState `json:"managementState"` | |
| OperatorSpec `json:",inline"` |
There was a problem hiding this comment.
if you need an operatorspec, that sounds good, but please place it directly in spec.
There was a problem hiding this comment.
I am trying to follow what was agreed upon in https://github.com/openshift/enhancements/blob/master/enhancements/baremetal/baremetal-provisioning-config.md.
I'll add OperatorSpec instead of just adding ManagementState since we could use the additional fields in OperatorSpec.
I am not clear about adding OperatorSpec directly into the Spec struct for the new CR. According to the proposal that just merged, we were going to add another struct just for the DHCP fields : ManagementState (which is now OperatorSpec) and DHCP Range. If we move the OperatorSpec directly to the Spec, then we do not need a separate ProvisioningDHCP struct and add the DHCP range also directly to the Spec.
There was a problem hiding this comment.
if you need an operatorspec, that sounds good, but please place it directly in spec.
What do you mean by "directly in the spec"? Why not embed it in ProvisioningDHCP? This is an OperatorSpec for the DHCP service and originates from the discussion we had in the enhancements PR, as it fits that model.
This was also suggested by @soltysh #540 (comment)
There was a problem hiding this comment.
@deads2k I can see why OperatorSpec could be added directly in the spec. In our case, we are using the ManagementState within the OperatorSpec to mean something specific about the state of the DHCP service. This value combined with the DHCPRange represents the complete DHCP configuration. So, for that reason we really cannot embed it in the Spec and have to leave it within the ProvisioningDHCP struct.
operator/v1/register.go
Outdated
| &ServiceCatalogControllerManagerList{}, | ||
| &IngressController{}, | ||
| &IngressControllerList{}, | ||
| &Metal3ProvisioningController{}, |
There was a problem hiding this comment.
Why is this called controller?
IngressController is the per object config which instantiates a new specific ingress controller pod which is not the case here.
I think this should be called just Metal3Provisioning, Metal3ProvisioningConfig or similar.
There was a problem hiding this comment.
It's config for the Metal3 provisioning controller, and related containers - Metal3ProvisioningConfig sounds fine to me, but we already went over some of this in the enhancement PR - @sadasu were there specific reasons for the current naming?
operator/v1/types_baremetal.go
Outdated
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
| ) | ||
|
|
||
| // +genclient |
There was a problem hiding this comment.
The enhancment talks about creating these only in one namespace. Why have a namespaced object that can only be created in a single namespace by a privileged user?
There was a problem hiding this comment.
Agreed. This can be made Non-namespaced.
There was a problem hiding this comment.
Yes. At the time of writing the enhancement proposal, it appeared that having the CR Namespaced was not required but harmless.
There was a problem hiding this comment.
update to make non-namespaced
operator/v1/types_baremetal.go
Outdated
| type Metal3ProvisioningControllerSpec struct { | ||
| // provisioningInterface is the name of the network interface on a Baremetal server connected | ||
| // to the provisioning network. | ||
| ProvisioningInterface string `json:"provisioningInterface"` |
There was a problem hiding this comment.
@damemi we need to explicitly say required in our repo, right?
There was a problem hiding this comment.
@deads2k yup, because we set operator/v1 to default optional at the package level https://github.com/openshift/api/blob/master/operator/v1/doc.go#L5
operator/v1/types_baremetal.go
Outdated
| ProvisioningInterface string `json:"provisioningInterface"` | ||
|
|
||
| // provisioningIP is the IP address assigned to the provisioningInterface for provisioning | ||
| // the baremetal node. This IP address should be within the provisioning subnet, and |
There was a problem hiding this comment.
where is this subnet defined, is there validation to ensure this?
There was a problem hiding this comment.
It will be defined in the installer, and there is WIP (which depends on this PR) to ensure validation of the IP specified:
Also related is openshift/installer#2091 and openshift/installer#2320
operator/v1/types_baremetal.go
Outdated
|
|
||
| // provisioningNetworkCIDR is the network on which the baremetal nodes are provisioned. | ||
| // The provisioningIP and the IPs in the dhcpRange all come from within this network. | ||
| ProvisioningNetworkCIDR string `json:"provisioningNetworkCIDR"` |
There was a problem hiding this comment.
Is this informative? What happens if not all my baremetal servers agree?
This may go back to what is the scoping of this resource: is it one per machine or one per type of machine or something else? The IP defined above suggests its one per machine,.
There was a problem hiding this comment.
Currently it is one per cluster, we start only one metal3 deployment via the MAO, and this config data is used as input to that deployment.
That deployment is used to deploy all machines on a common provisioning subnet.
The ProvisioningIP is the IP on this subnet where the provisioning services run (those hosted by the metal3 deployment configured by this resource). It's not one per machine, that is a cluster-wide IP.
There was a problem hiding this comment.
Can this IP change? Is this used as input to force that IP? It doesn't sound like it. It sounds like this is an IP that is used to tell something else where to connect to an already existent system. In which case this is status, not spec.
There was a problem hiding this comment.
Yes, the provisioning network already exists. But, the IP address to use during the provisioning process is not known ahead of time. So, it should be provided by the admin.
My understanding is that fields in the Metal3ProvisioningStatus should be updated by someone/something other than the user/admin based on current state of the metal3 cluster. There is no way for metal3 to "discover" the provisioning network details. So, how can it update the Status?
There was a problem hiding this comment.
This is data provided at install time via openshift-install, which is then used by the metal3 provisioning components to configure networking appropriately.
This will always be environment specific (so we need input from the human admin at install time), and at this time we've not considered changing any of the values as a day-2 operation, but in theory we could have that requirement in future (particularly for the DHCP Range which you might need to e.g expand after initial install).
This is not an IP used to tell something where to connect, it's configuration data we use to start the cluster hosted provisioning services, e.g we're starting the service using this data, which is later connected to (the baremetal controller and the provisioning services run in the same pod, started by the MAO).
| // provisioningIP is the IP address assigned to the provisioningInterface of | ||
| // the baremetal server. This IP address should be within the provisioning | ||
| // subnet, and outside of the DHCP range. | ||
| ProvisioningIP string `json:"provisioningIP"` |
There was a problem hiding this comment.
provisioningTemporaryBootstrapIP please
There was a problem hiding this comment.
That will make it more confusing - there is already a provisioning bootstrap IP (that is temporary) configured on the bootstrap VM, that isn't what this is - it's the permanent provisioning IP of the cluster-hosted provisioning services.
|
|
||
| // provisioningIP is the IP address assigned to the provisioningInterface of | ||
| // the baremetal server. This IP address should be within the provisioning | ||
| // subnet, and outside of the DHCP range. |
There was a problem hiding this comment.
explain why it's temporary, and reused.
There was a problem hiding this comment.
My understanding is that the godoc needs to have enough guidance so that the user can provide correct values for these fields. Why do we need to explain the underlying design here within the godoc?
| // provisioningNetworkCIDR is the network on which the baremetal nodes are | ||
| // provisioned. The provisioningIP and the IPs in the dhcpRange all come from | ||
| // within this network. | ||
| ProvisioningNetworkCIDR string `json:"provisioningNetworkCIDR"` |
There was a problem hiding this comment.
This isn't required for a first cut. Let's drop this for now.
There was a problem hiding this comment.
Sorry what do you mean? This is absolutely critical to have
There was a problem hiding this comment.
Agreed, we've already pared this down to the absolute minimum in the $many review iterations of openshift/enhancements#119 - at this point we need to implement what was agreed, and IMHO it's not reasonable to start redefining the interface arbitrarily at this point.
| // server is internal or external to the metal3 cluster. If it is internal, | ||
| // the second parameter represents the DHCP address range to be provided | ||
| // to the baremetal hosts. | ||
| ProvisioningDHCP ProvisioningDHCP `json:"provisioningDHCP"` |
There was a problem hiding this comment.
This isn't required for a first cut. Let's drop this for now.
There was a problem hiding this comment.
Likewise - we really must have configurable network and configurable DHCP in 4.4.
There was a problem hiding this comment.
Agreed, lets stop trying to randomly remove things we already discussed and agreed in the enhancement please @deads2k
|
|
||
| // Metal3ProvisioningStatus defines the observed status of Metal3Provisioning. | ||
| type Metal3ProvisioningStatus struct { | ||
| OperatorStatus `json:",inline"` |
There was a problem hiding this comment.
this isn't needed because this is config.
There was a problem hiding this comment.
@deads2k if this is config then it should reside under config.openshift.io not next to other operators.
|
I'd like to see the DHCP aspects deferred so we can get this unstuck. After that, this is entirely config related (fields indicate infrastructure managed out of band), so this belongs in config.openshift.io. The only other "obvious" home for this is in the machine.openshift.io. As I understand it, this is only consumed by the the machine-api-operator. @enxebre why doesn't this live in machine.openshift.io? Before it is reintroduced, the DHCP configuration needs to consider:
|
| // consumed by the machine-api-operator to bring up and update containers | ||
| // in a metal3 cluster. | ||
| // | ||
| type Metal3Provisioning struct { |
There was a problem hiding this comment.
I don't think this is an appropriate name for this object. Metal3 is not a human facing thing - it's a project name. This either belongs in an object named Provisioning in the metal3.io group, or should be human focused here BareMetalProvisioning
There was a problem hiding this comment.
When we run "oc get pods" we do see the metal3 -xxx-xx pod running. So, I assumed it would be OK to use/re-use metal3 here.
|
This feels either like a cluster infrastructure spec / status field, or something in a separate API group like |
Speaking to the developer, it doesn't fit there because there is a thought that there could be multiple of these in the future and our infrastructure is very much "one of". This is tightly associated to machines. |
| apiVersion: apiextensions.k8s.io/v1beta1 | ||
| kind: CustomResourceDefinition | ||
| metadata: | ||
| creationTimestamp: null |
| names: | ||
| kind: Metal3Provisioning | ||
| listKind: Metal3ProvisioningList | ||
| singular: metal3provisioning |
| kind: Metal3Provisioning | ||
| listKind: Metal3ProvisioningList | ||
| singular: metal3provisioning | ||
| scope: "" |
There was a problem hiding this comment.
Cluster, especially that you're setting nonNamespaced in the go code.
| // managed within the metal3 cluster. | ||
| // The other fields of OperatorSpec retain their existing | ||
| // semantics. | ||
| OperatorSpec `json:",inline"` |
There was a problem hiding this comment.
Based on a later comment from @deads2k this should not be needed, my bad from an earlier review, where I understood this is an operator. On the other hand if this is config, then it should land under config.openshift.io not here.
| type Metal3ProvisioningSpec struct { | ||
| // provisioningInterface is the name of the network interface on a Baremetal | ||
| // server to the provisioning network. It can have values like "eth1" or "ens3". | ||
| ProvisioningInterface string `json:"provisioningInterface"` |
There was a problem hiding this comment.
Why not just networkInterface if this is already part of Metal3ProvisioningSpec.
|
|
||
| // Metal3ProvisioningStatus defines the observed status of Metal3Provisioning. | ||
| type Metal3ProvisioningStatus struct { | ||
| OperatorStatus `json:",inline"` |
There was a problem hiding this comment.
@deads2k if this is config then it should reside under config.openshift.io not next to other operators.
I don't think it should be removed, in order to create a fully functioning Metal3 deployment, we need to wire in values from the installer into the first Metal3 pod, and that must include the DHCP configuration (whether it's turned on or not, and what network ranges to use). Landing part of this change doesn't make a lot of sense, TBH, as we can't make use of the CR until it's complete. This PR is already the minimum set of changes we required to implement https://github.com/openshift/enhancements/blob/master/enhancements/baremetal/baremetal-provisioning-config.md
There's only envisioned to be one
To this point, I think there's a misunderstanding here - there are two networks used for baremetal IPI. It's described in https://github.com/openshift/installer/blob/master/docs/user/metal/install_ipi.md. The provisioning network is only provisioning, it's how new hosts PXE boot and become nodes. The control plane isn't reliant on that DHCP server being available after it itself is provisioned during bootstrapping. |
Context invariants (please any bare metal team folk prove me wrong here):
Based on this I initially suggested for this to live under Based on all the above, if we think |
hardys
left a comment
hardys
left a comment
There was a problem hiding this comment.
@deads2k /cc @smarterclayton @russellb
I'd like to see the DHCP aspects deferred so we can get this unstuck.
This absolutely cannot happen - we need to configure this network e.g for ipv6 provisioning, or to configure a provisioning subnet that is always going to be customer environment specific please can we stop trying to arbitrarily redefine this interface without any understanding of the functional impact.
We've spent the time to get openshift/enhancements#119 approved, so it seems unreasonable to start redefining that here - we already stripped back these configuration items to the bare minimum so can we just resolve the naming nits and move this forward?
How can we work together to reach a better shared understanding of this work, including the priority as this is a critical blocker for baremetal IPI end users?
|
|
||
| // spec is the specification of the desired behavior of the | ||
| // Metal3Provisioning. | ||
| Spec Metal3ProvisioningSpec `json:"spec,omitempty"` |
|
@enxebre Regarding your comment #540 (comment), we have no issue adding this CR to (metal3 or baremetal)/v1 in the openshift/api repo. We have never discussed adding this new CRD to MAO just like https://github.com/openshift/machine-api-operator/blob/master/install/0000_30_machine-api-operator_08_baremetalhost.crd.yaml. Do you forsee any issues? |
I've spoken with the install team and I think this is tractable. I'd like to confirm that you (@sadasu and team) own the metal3.io apigroup and I would suggest making a subgroup like
This path
I reserve the right to edit this comment with more detail because I want to be sure I get something out before the EOD, but my rough sketch leading to this was.... the metal3 provisioning api belongs in its own group because:
discounted arguments for moving it openshift/api
Before anyone gets really bent of shape, find me on slack. I think I'm in channels with most of you. |
|
Thanks for the detailed response @deads2k - it's unfortunate that we didn't identify this approach in any of the previous PRs (openshift/installer#2149 #480 openshift/enhancements#90 and openshift/enhancements#119 - several of which you, @enxebre @wking @abhinavdahiya and others participated in) - this is the fourth(!) redirection on approach we've encountered so it's been an inefficient process to say the least. Perhaps when this is all done we can have some kind of retrospective to figure out how to avoid such wasted effort and miscommunication in future. Anyway some replies/questions below:
Co-locating the CRD and the component that consumes it makes sense to me, provided that is acceptable to the MAO team - it can publish an interface which is basically a more strongly defined alternative to the current ConfigMap approach.
I'm still not clear why we need the dynamic client - can't the regular openshift client in the MAO just look for a resource with the expected type while reconciling? Then the installer can instantiate CRs of this type, the same way it already does for the BareMetalHost resources mentioned above?
To be clear the intention is absolutely for this to be embedded in code in the installer, we want the user of the installer to provide these details via the install-config, we'll then use them to configure the metal3 components on the masters (e.g by writing this new CR), so we can deploy workers without additional user interaction (mirroring the installer experience on all other platforms). openshift/installer#2449 is the latest attempt to do this, but it's been blocked for $months now on agreement around this interface. |
|
This patch openshift/installer#2849 is using this API change to create a CRD/CR, or refer to the link hardys posted for the previous version that used the baremetal platform status. |
imain
left a comment
imain
left a comment
There was a problem hiding this comment.
Looks good IMO Sandhya :) Just a few nits/questions.
| validation: | ||
| openAPIV3Schema: | ||
| description: "Metal3Provisioning contains configuration used by the Provisioning | ||
| service (Ironic) to provision baremetal hosts. \n Metal3Provisioning is created |
There was a problem hiding this comment.
Just curious, do we actually need the \n's here? None of the other longer texts have them..
| range is taken to be the default range which goes from .10 to | ||
| .100 of the ProvisioningNetworkCIDR. This is the only value in | ||
| all of the provisioning configuration that can be changed after | ||
| the installer has created the CR. |
There was a problem hiding this comment.
I would mention that the dhcp range is two IPs separated by a comma.
| // goes from .10 to .100 of the ProvisioningNetworkCIDR. This is the only | ||
| // value in all of the provisioning configuration that can be changed | ||
| // after the installer has created the CR. | ||
| DHCPRange string `json:"DHCPRange,omitempty"` |
There was a problem hiding this comment.
We can get this updated after deployment? :) Do we actually have the machinery there to do this? Again I'd mention that it's 2 comma separated IPs
|
Could we get a short summary here of the agreement to move this to MAO and close this PR so it's clear what the path forward on this is? |
|
Based on comment #540 (comment) , we have decided to add a CRD to the MAO. The PR for this work is here : openshift/machine-api-operator#460. Work listed in 3 & 4 in the path forward, will be in future PRs to MAO and installer respectively. |
This is so baremetal can fetch the provisioning.metal3.io object and parametarise their deployment. Related openshift/api#540 and openshift#460
This is so baremetal can fetch the provisioning.metal3.io object and parametarise their deployment. Related openshift/api#540 and openshift#460
Implementation of the Baremetal provisioning CR changed based on comment openshift/api#540 (comment) after this original enhancement proposal merged. Updating the proposal to reflect the current implementation.
Implementation of the Baremetal provisioning CR changed based on comment openshift/api#540 (comment) after this original enhancement proposal merged. Updating the proposal to reflect the current implementation.
12 participants
Add a new CR within operator scope or all the provisioning config items
needed by metal3 to provision baremetal servers.
Implements : https://github.com/openshift/enhancements/blob/master/enhancements/baremetal/baremetal-provisioning-config.md