USHIFT-6790: MicroShift Cluster 2 Cluster Communication

[pmtk]

No description provided.

[openshift-ci-robot]

@pmtk: This pull request references USHIFT-6790 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sdodson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[agullon]

Pod-to-Pod, Pod-to-Service (ClusterIP), and Pod-to-Service (DNS) must be always bidirectional? I mean, is it possible to have communication in only 1 direction: for example, from Pod(cluster1)->Pod(cluster2) but NOT from Pod(cluster2)->Pod(cluster1).

[pmtk]

It's certainly doable, but is it what we want? Maybe as an accidental by-product, but I would not support it. WDYT?

[agullon]

I was asking to learn if this was already discussed. I'd say keep it simple, I'm happy if we advertised in the docs /enhacement something like: "By default it's always biderectional. One direction only is not tested neither supported." WDYT?

[agullon]

Which microshift? If I understand correctly MicroShift must be restarted every time the config under c2cc changes, right?.

[pmtk]

Yeah, as with any configuration changes - we don't have hot reloading.

[agullon]

What will happen if c2cc is only set in only 1 cluster, but not the other? Is this something we will support? Is it mandatory to configure it always in both clusters?

[pmtk]

I guess it's related to #1970 (comment)

What would happen? Provided that firewall ports are open on both hosts, I would assume that the C1 -> C2 would succeed, but I have not tested it.

[agullon]

As I said before, I prefer to keep it simple and add a note: we only support when c2cc is set in both cluster. I think it's a limitation @DanielFroehlich will agree about. I just want to keep the scope as small as possible.

@DanielFroehlich what do you think?

[agullon]

Should this be removed from both clusters at the same time, right?

[pmtk]

Yeah... I haven't considered partial configuration of "Cluster TO Cluster communication" :D

[pmtk]

So far, there's nothing in the enhancement about MicroShifts communicating with each other to ensure proper cross-config. Maybe it's a GA feature?

[agullon]

Is it easy to add a check and if not report an error in the log? Do you think is a good idea?

[pmtk]

What kind of check? Do you mean like ask other clusters what their c2cc configuration is?

[agullon]

If Daniel agree only bidirectional is supported I was thinking on different checks, from easy to more complex:

• Every MicroShift check if c2cc is defined in the remote cluster, if not report an error.
• Every MicroShift check if the subnets defined in the c2cc match the network subnet of the remote cluster.
  • I guess this is more complicated when more than 2 clusters, it's mostly about user experience and probably not worth it.

[agullon]

because RemoteClusters []RemoteCluster is an array, does it means we can configure more than 1 remote cluster? How would the routing work then?

[pmtk]

For TP, I think we'll want to support only 1 remote, but it's an array to keep the API open for the future (if we need it).

Each cluster would have different Cluster and Service CIDRs:

# Cluster B
   network:
     clusterNetwork:
       - 10.45.0.0/16
     serviceNetwork:
       - 10.46.0.0/16

# Cluster C
   network:
     clusterNetwork:
       - 10.48.0.0/16
     serviceNetwork:
       - 10.49.0.0/16
       - 
# Cluster D
   network:
     clusterNetwork:
       - 10.51.0.0/16
     serviceNetwork:
       - 10.52.0.0/16

   # Cluster A config
   c2cc:
     remoteClusters:
       - nextHop: "192.168.122.101"
         clusterNetwork: 
            - "10.45.0.0/16"
         serviceNetwork: 
            - "10.46.0.0/16"
         domain: "cluster-b.remote"

       - nextHop: "192.168.122.102"
         clusterNetwork: 
            - "10.48.0.0/16"
         serviceNetwork: 
            - "10.49.0.0/16"
         domain: "cluster-c.remote"

       - nextHop: "192.168.122.103"
         clusterNetwork: 
            - "10.51.0.0/16"
         serviceNetwork: 
            - "10.52.0.0/16"
         domain: "cluster-d.remote"

[agullon]

It's great we can configure more than 1 cluster to comunicate multiple cluster between them. I really like it. I think to think about this in deep mostly about how can this be tested and all the unexpected and conflicts in configurations.

[vthapar]

I think would be good to capture it explicitly in Goal section that this is for 1 remote cluster and that multiple remotes is a non goal. Can have a separate EP later for multiple remotes.

[vthapar]

remote-cluster here refers to remote cluster name or a generic replacement for cluster?

[pmtk]

That would come from the config

   c2cc:
     remoteClusters:
       - nextHop: "192.168.122.101"
         clusterNetwork: 
            - "10.45.0.0/16"
         serviceNetwork: 
            - "10.46.0.0/16"
         domain: "cluster-b.remote" <-----

I haven't decided on specific names yet (if we'll put remote-cluster.local or cluster-b.remote as an example config)

[vthapar]

Does this include validating peer configuration to make sure using correct CIDRs for a given remote or onus on user to make sure it is correct?

[pmtk]

Right now it's on user to make sure the configs are correct.
Mutual configuration check between MicroShift instances could be a goal for GA.

[vthapar]

I think would be good to capture it explicitly in Goal section that this is for 1 remote cluster and that multiple remotes is a non goal. Can have a separate EP later for multiple remotes.

[vthapar]

Would be good to provide sample CoreDNS config for a server block.

[pmtk]

Added to the enhancement

other-cluster.local:5353 {
    bufsize 1232
    errors
    rewrite name suffix .other-cluster.local .cluster.local answer auto
    forward . 10.46.0.10:53
}

[vthapar]

Can you clarify "user will be able to override CoreDNS configuration completely"?

One option can be to deploy probe pods as headless service with single pod and use same name for probe pod service on all clusters.

[pmtk]

We have another feature (OCPSTRAT-2998) for complete override of the config.
Let me clarify the enhancement

[pmtk]

And this is what the customer is planning to do, so the other-cluster.local:5353 { on our side is more for completeness at this time.

[openshift-ci]

@pmtk: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.