SDN-5477: blocked-edges/4.14.40-OVNlibreswan: "is IPsec enabled?" PromQL

[wking]

Checking 4.13 OVN CI in PromeCIeus:

group by (__name__) ({__name__=~".*ipsec.*"})

only turns up ovnkube_master_ipsec_enabled, which we'd used previously, e.g. in 2797989 (#5334). But checking 4.14 OVN CI, that same __name__ search turns up:

• openshift:openshift_network_operator_ipsec_state:info,
• openshift_network_operator_ipsec_state, and
• ovnkube_controller_ipsec_enabled,

but not 4.13's ovnkube_master_ipsec_enabled. The PromQL I'm adding here looks for the 4.14 ovnkube_controller_ipsec_enabled, if it can't find that it falls back to the 4.13 ovnkube_master_ipsec_enabled, and if it can't find that it falls back to the Kube-API standard apiserver_storage_objects we'd been using before for "am I OVN or not?".

[openshift-ci-robot]

@wking: This pull request references SDN-5477 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.18.0" version, but no target version was set.

Details

In response to this:

Checking 4.13 OVN CI in PromeCIeus:

group by (__name__) ({__name__=~".*ipsec.*"})

only turns up ovnkube_master_ipsec_enabled, which we'd used previously, e.g. in 2797989 (#5334). But checking 4.14 OVN CI, that same __name__ search turns up:

• openshift:openshift_network_operator_ipsec_state:info,
• openshift_network_operator_ipsec_state, and
• ovnkube_controller_ipsec_enabled,

but not 4.13's ovnkube_master_ipsec_enabled. The PromQL I'm adding here looks for the 4.14 ovnkube_controller_ipsec_enabled, if it can't find that it falls back to the 4.13 ovnkube_master_ipsec_enabled, and if it can't find that it falls back to the Kube-API standard apiserver_storage_objects we'd been using before for "am I OVN or not?".

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[wking]

I'm not aware of IPsec-enabled 4.13 or 4.14 CI for testing this PromQL against, but here are:

4.13.0-0.nightly-2024-11-11-123738 's aws-sdn-serial, which knows it isn't exposed:

4.14.0-0.nightly-2024-11-11-222143's aws-sdn, which knows it isn't exposed:

4.13.53's azure-ovn-upgrade-4.13-micro, which knows it's OVN and not exposed:

4.14.40's aws-ovn-serial, which knows it's OVN and not exposed:

[openshift-ci]

@wking: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[zshi-redhat]

LGTM @pperiyasamy @huiran0826 PTAL

[huiran0826]

lgtm

[pperiyasamy]

the ovnkube_controller_ipsec_enabled gauge metric is at zone/node level in 4.14, so this is set from every node. are we ok with this ?

[wking]

group by (ipsec) (...) will collapse matching ovnkube_controller_ipsec_enabled per ipsec label, and the label_replace ensures only a single enabled (4.14) value for that label. So that means that a single node reporting a value of 1 for that metric will get the cluster treated as IPsec-enabled as far as this risk is concerned. Which sounds like the semantics we want.

[pperiyasamy]

ok @wking , that's great.

[pperiyasamy]

LGTM

[PratikMahajan]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: PratikMahajan, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [PratikMahajan,wking]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment