[deploy-env] Setup vxlan overlay before k8s deployment

Sometimes multinode nodesets consist of nodes
with private IPs from different L2 segments. So they can
not communicate with each other using their IPs
assigned to their gateway interfaces.

This PR sets up VXLAN overlay using nodes inventory public
IPs (those IPs used by zuul to get access to nodes).
So nodes are convinced they are in the same L2 segment.

We can use this overlay for internal K8s communication.
For this we have to disable overlay setup in a CNI implementation
(Calico, Cilium, etc.) and use the overlay interface for internal
Openstack communication.

Also:
- Upgrade Kubeadm config API version to kubeadm.k8s.io/v1beta4
- Ignore single cpu kubeadm errors. By default Kubeadm requires
  at least 2 cpus on nodes.

Change-Id: I34663de277951135c44607f093f8f1f93eafab86
Signed-off-by: Vladimir Kozhukalov <kozhukalov@gmail.com>

roles/deploy-env/defaults/main.yaml

@@ -74,4 +74,16 @@ tunnel_cluster_cidr: "172.24.5.1/24"
 
 dnsmasq_image: "quay.io/airshipit/neutron:2024.2-ubuntu_jammy"
 nginx_image: "quay.io/airshipit/nginx:alpine3.18"
+
+overlay_network_setup: true
+overlay_network_prefix: "10.248.0."
+overlay_network_vxlan_iface: vxlan42
+overlay_network_vxlan_id: 42
+# NOTE: This is to avoid conflicts with the vxlan overlay managed by Openstack
+# which uses 4789 by default. Some alternative implementations used to
+# leverage 8472, so let's use it.
+overlay_network_vxlan_port: 8472
+overlay_network_bridge_name: brvxlan
+overlay_network_bridge_ip: "{{ overlay_network_prefix }}{{ (groups['all'] | sort).index(inventory_hostname) + 1 }}"
+overlay_network_underlay_dev: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['interface'] }}"
 ...

roles/deploy-env/files/calico_patch.yaml

@@ -1,20 +1,10 @@
 ---
 spec:
   template:
-    metadata:
-      annotations:
-        prometheus.io/scrape: "true"
-        prometheus.io/port: "9091"
     spec:
       containers:
         - name: calico-node
           env:
-            - name: FELIX_PROMETHEUSMETRICSENABLED
-              value: "true"
-            - name: FELIX_PROMETHEUSMETRICSPORT
-              value: "9091"
-            - name: FELIX_IGNORELOOSERPF
-              value: "true"
             # we need Calico to skip this interface while discovering the
             # network changes on the host to prevent announcing unnecessary networks.
             - name: IP_AUTODETECTION_METHOD

roles/deploy-env/files/kubeadm_config.yaml

@@ -1,27 +0,0 @@
----
-apiVersion: kubeproxy.config.k8s.io/v1alpha1
-kind: KubeProxyConfiguration
-mode: ipvs
-ipvs:
-  strictARP: true
-...
----
-apiVersion: kubeadm.k8s.io/v1beta3
-kind: ClusterConfiguration
-networking:
-  serviceSubnet: "{{ kubeadm.service_cidr }}"  # --service-cidr
-  podSubnet: "{{ kubeadm.pod_network_cidr }}"  # --pod-network-cidr
-  dnsDomain: "cluster.local"
-...
----
-apiVersion: kubeadm.k8s.io/v1beta3
-kind: InitConfiguration
-nodeRegistration:
-  taints: []
-...
----
-apiVersion: kubeadm.k8s.io/v1beta3
-kind: JoinConfiguration
-nodeRegistration:
-  taints: []
-...

roles/deploy-env/files/kubeadm_config.yaml.j2

@@ -0,0 +1,38 @@
+---
+apiVersion: kubeproxy.config.k8s.io/v1alpha1
+kind: KubeProxyConfiguration
+mode: ipvs
+ipvs:
+  strictARP: true
+...
+---
+apiVersion: kubeadm.k8s.io/v1beta4
+kind: ClusterConfiguration
+networking:
+  serviceSubnet: "{{ kubeadm.service_cidr }}"  # --service-cidr
+  podSubnet: "{{ kubeadm.pod_network_cidr }}"  # --pod-network-cidr
+  dnsDomain: "cluster.local"
+...
+---
+apiVersion: kubeadm.k8s.io/v1beta4
+kind: InitConfiguration
+nodeRegistration:
+  criSocket: unix:///run/containerd/containerd.sock
+  taints: []
+  ignorePreflightErrors:
+    - NumCPU
+localAPIEndpoint:
+{% if overlay_network_setup %}
+  advertiseAddress: "{{ overlay_network_prefix }}{{ (groups['all'] | sort).index(groups['k8s_control_plane'][0]) + 1 }}"
+{% endif %}
+  bindPort: 6443
+...
+---
+apiVersion: kubeadm.k8s.io/v1beta4
+kind: JoinConfiguration
+nodeRegistration:
+  criSocket: unix:///run/containerd/containerd.sock
+  taints: []
+  ignorePreflightErrors:
+    - NumCPU
+...

roles/deploy-env/tasks/calico.yaml

@@ -7,6 +7,7 @@
   shell: |
     curl -LSs {{ calico_manifest_url }} -o /tmp/calico.yaml
     sed -i -e 's#docker.io/calico/#quay.io/calico/#g' /tmp/calico.yaml
+    sed -i '/CALICO_IPV4POOL_IPIP/{n;s/Always/Never/}' /tmp/calico.yaml
     export CONTAINER_RUNTIME_ENDPOINT=unix:///run/containerd/containerd.sock
     export IMAGE_SERVICE_ENDPOINT=unix:///run/containerd/containerd.sock
     awk '/image:/ { print $2 }' /tmp/calico.yaml | xargs -I{} crictl pull {}
@@ -22,6 +23,7 @@
         if [[ ! -f /tmp/calico.yaml ]]; then
           curl -LSs {{ calico_manifest_url }} -o /tmp/calico.yaml
           sed -i -e 's#docker.io/calico/#quay.io/calico/#g' /tmp/calico.yaml
+          sed -i '/CALICO_IPV4POOL_IPIP/{n;s/Always/Never/}' /tmp/calico.yaml
         fi
       args:
         executable: /bin/bash
@@ -47,6 +49,9 @@
     - name: Patch Calico
       command: kubectl -n kube-system patch daemonset calico-node --patch-file /tmp/calico_patch.yaml
 
+    - name: Delete Calico pods (for hard restart)
+      command: kubectl -n kube-system delete pods -l k8s-app=calico-node
+
     - name: Wait for Calico pods ready (after patch)
       command: kubectl -n kube-system wait --timeout=20s --for=condition=Ready pods -l k8s-app=calico-node
       register: calico_pods_wait

roles/deploy-env/tasks/k8s_control_plane.yaml

@@ -21,7 +21,7 @@
 
 - name: Prepare kubeadm config
   template:
-    src: files/kubeadm_config.yaml
+    src: files/kubeadm_config.yaml.j2
     dest: /tmp/kubeadm_config.yaml
 
 - name: Initialize the Kubernetes cluster using kubeadm

roles/deploy-env/tasks/main.yaml

@@ -15,6 +15,11 @@
   include_tasks:
     file: prerequisites.yaml
 
+- name: Overlay network
+  include_tasks:
+    file: overlay.yaml
+  when: overlay_network_setup
+
 - name: Configure /etc/hosts
   template:
     src: files/hosts

roles/deploy-env/tasks/overlay.yaml

@@ -0,0 +1,42 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: Create vxlan bridge
+  shell: |
+    ip link add name {{ overlay_network_bridge_name }} type bridge
+    ip link set dev {{ overlay_network_bridge_name }} up
+    ip addr add {{ overlay_network_bridge_ip }}/24 dev {{ overlay_network_bridge_name }}
+  args:
+    creates: "/sys/class/net/{{ overlay_network_bridge_name }}"
+
+- name: Create vxlan interface
+  shell: |
+    ip link add {{ overlay_network_vxlan_iface }} \
+      type vxlan \
+      id {{ overlay_network_vxlan_id }} \
+      dev {{ overlay_network_underlay_dev }} \
+      dstport {{ overlay_network_vxlan_port }} \
+      local {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}
+    ip link set {{ overlay_network_vxlan_iface }} up
+    ip link set {{ overlay_network_vxlan_iface }} master {{ overlay_network_bridge_name }}
+  args:
+    creates: "/sys/class/net/{{ overlay_network_vxlan_iface }}"
+
+- name: Populate FDB
+  shell: |
+    bridge fdb append 00:00:00:00:00:00 \
+      dev {{ overlay_network_vxlan_iface }} \
+      dst {{ hostvars[item]['ansible_host'] }}
+  loop: "{{ groups['all'] | sort }}"
+  when: item != inventory_hostname
+...

tools/deployment/component/compute-kit/compute-kit.sh

@@ -57,7 +57,9 @@ helm upgrade --install nova ${OSH_HELM_REPO}/nova \
 tee /tmp/neutron.yaml << EOF
 network:
   interface:
-    tunnel: null
+    # the CI env overlay interface is used by default
+    # for internal cluster communication
+    tunnel: brvxlan
 conf:
   neutron:
     DEFAULT:

zuul.d/base.yaml

@@ -73,6 +73,7 @@
       - playbooks/deploy-env.yaml
       - playbooks/run-scripts.yaml
     vars:
+      overlay_network_setup: true
       extra_volume:
         size: 80G
         type: Linux

zuul.d/infra_jobs.yaml

@@ -82,10 +82,7 @@
 - job:
     name: openstack-helm-mariadb-operator-2024-1-ubuntu_jammy
     parent: openstack-helm-deploy
-    nodeset: openstack-helm-3nodes-ubuntu_jammy
-    pre-run:
-      - playbooks/prepare-hosts.yaml
-      - playbooks/mount-volumes.yaml
+    nodeset: openstack-helm-5nodes-ubuntu_jammy
     vars:
       osh_params:
         openstack_release: "2024.1"
@@ -95,10 +92,10 @@
       gate_scripts:
         - ./tools/deployment/common/prepare-k8s.sh
         - ./tools/deployment/common/prepare-charts.sh
-        - ./tools/deployment/common/namespace-config.sh
-        - ./tools/deployment/ceph/ceph.sh
-        - ./tools/deployment/ceph/ceph-ns-activate.sh
         - ./tools/deployment/common/setup-client.sh
+        - ./tools/deployment/common/namespace-config.sh
+        - ./tools/deployment/ceph/ceph-rook.sh
+        - ./tools/deployment/ceph/ceph-adapter-rook.sh
         - ./tools/deployment/component/common/rabbitmq.sh
         - ./tools/deployment/component/common/memcached.sh
         - ./tools/deployment/db/mariadb-operator-cluster.sh

zuul.d/project.yaml

@@ -25,7 +25,9 @@
         - openstack-helm-tls-2024-1-ubuntu_jammy  # 3 nodes rook
         - openstack-helm-cinder-2024-1-ubuntu_jammy  # 5 nodes rook
         - openstack-helm-compute-kit-2024-1-ubuntu_jammy  # 3 nodes
-        - openstack-helm-compute-kit-cilium-2024-1-ubuntu_jammy  # 1 node + 3 nodes
+        # TODO: Configure Cilium not to setup it's own overlay and
+        # use existing VXLAN overlay interface for internal K8s communication
+        # - openstack-helm-compute-kit-cilium-2024-1-ubuntu_jammy  # 1 node + 3 nodes
         - openstack-helm-horizon-2024-1-ubuntu_jammy  # 1 node
         - openstack-helm-tacker-2024-1-ubuntu_jammy
         - openstack-helm-compute-kit-dpdk-2024-1-ubuntu_jammy  # 32GB node