Bug 2060542

Summary: externalTrafficPolicy=local does not work for ovn-kubernetes
Product: OpenShift Container Platform
Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: Documentation
Assignee: Neal Alhadeff <nalhadef>
Status: CLOSED CURRENTRELEASE
QA Contact: zhaozhanqi <zzhao>
Severity: medium
Docs Contact: Latha S <lmurthy>
Priority: high
Version: 4.9
CC: achernet, anbhat, aos-bugs, bbennett, dcbw, djuran, eglottma, fbaudin, hyupark, mapandey, mateusz.bacal, mmasters, moddi, nalhadef, palonsor, rupatel, suc, surya, tradej, zzhao
Target Milestone: ---
Target Release: 4.9.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 2079517
Environment:
Last Closed: 2022-11-14 07:32:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1903408
Bug Blocks: 2060543

Comment 5 Miciah Dashiel Butler Masters 2022-04-27 16:37:18 UTC
The ingress operator changes will be tracked in bug 2079517.  I'm deleting the doc text that I wrote from this BZ and copying it to bug 2079517.

Comment 6 Surya Seetharaman 2022-04-28 20:35:53 UTC
Verified on 4.9.0-0.nightly-2022-04-27-100704

ETP=local works on 4.9 if
1) it's SGW mode and
2) the service in question has backends that are OVN pods.

So the feature is partially supported under the above conditions ^

Testing:

$ oc get pods -owide -n surya
NAME                             READY   STATUS    RESTARTS   AGE   IP            NODE                                         NOMINATED NODE   READINESS GATES
hello-world-2-5ff4c549d9-bq4r8   1/1     Running   0          13m   10.131.0.30   ip-10-0-148-77.us-east-2.compute.internal    <none>           <none>
hello-world-2-5ff4c549d9-mbrg4   1/1     Running   0          13m   10.129.2.14   ip-10-0-206-103.us-east-2.compute.internal   <none>           <none>

$ oc get svc -n surya
NAME            TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
hello-world-2   NodePort   172.30.39.87   <none>        80:30672/TCP   24m

$ oc get ep -n surya
NAME            ENDPOINTS                           AGE
hello-world-2   10.129.2.14:8080,10.131.0.30:8080   24m

curl from external client towards the nodePort service :

sh-4.4# curl 10.0.148.77:30672
Hello Kubernetes!

sh-4.4# curl 10.0.206.103:30672
Hello Kubernetes!
sh-4.4#

sh-4.4# curl 10.0.130.199:30672
curl: (7) Failed to connect to 10.0.130.199 port 30672: Connection refused
sh-4.4# 

LBs are created in OVNK correctly:

_uuid               : f4b2b08c-7016-4e61-8697-6c2bccb42213
external_ids        : {"k8s.ovn.org/kind"=Service, "k8s.ovn.org/owner"="surya/hello-world-2"}
health_check        : []
ip_port_mappings    : {}
name                : "Service_surya/hello-world-2_TCP_node_local_router_ip-10-0-206-103.us-east-2.compute.internal"
options             : {event="false", reject="true", skip_snat="true"}
protocol            : tcp
selection_fields    : []
vips                : {"10.0.206.103:30672"="10.129.2.14:8080"}

_uuid               : 02d572c6-162a-4ef2-b0e1-eee9ab79a92e
external_ids        : {"k8s.ovn.org/kind"=Service, "k8s.ovn.org/owner"="surya/hello-world-2"}
health_check        : []
ip_port_mappings    : {}
name                : "Service_surya/hello-world-2_TCP_node_local_router_ip-10-0-148-77.us-east-2.compute.internal"
options             : {event="false", reject="true", skip_snat="true"}
protocol            : tcp
selection_fields    : []
vips                : {"10.0.148.77:30672"="10.131.0.30:8080"}


_uuid               : e44f3964-f8e0-4060-992b-efbb66706ba1
external_ids        : {"k8s.ovn.org/kind"=Service, "k8s.ovn.org/owner"="surya/hello-world-2"}
health_check        : []
ip_port_mappings    : {}
name                : "Service_surya/hello-world-2_TCP_node_router_ip-10-0-143-110.us-east-2.compute.internal"
options             : {event="false", reject="true", skip_snat="false"}
protocol            : tcp
selection_fields    : []
vips                : {"10.0.143.110:30672"=""}

_uuid               : 8ecc4d38-97dc-4a0c-9439-1fed6a827de2
external_ids        : {"k8s.ovn.org/kind"=Service, "k8s.ovn.org/owner"="surya/hello-world-2"}
health_check        : []
ip_port_mappings    : {}
name                : "Service_surya/hello-world-2_TCP_node_router_ip-10-0-243-144.us-east-2.compute.internal"
options             : {event="false", reject="true", skip_snat="false"}
protocol            : tcp
selection_fields    : []
vips                : {"10.0.243.144:30672"=""}

_uuid               : a4fb5ab9-a266-4660-abd1-9bdea8e9aa16
external_ids        : {"k8s.ovn.org/kind"=Service, "k8s.ovn.org/owner"="surya/hello-world-2"}
health_check        : []
ip_port_mappings    : {}
name                : "Service_surya/hello-world-2_TCP_node_router_ip-10-0-136-225.us-east-2.compute.internal"
options             : {event="false", reject="true", skip_snat="false"}
protocol            : tcp
selection_fields    : []
vips                : {"10.0.136.225:30672"=""}

_uuid               : 58f5c13c-f0a4-4068-b704-dbf60e1adbfb
external_ids        : {"k8s.ovn.org/kind"=Service, "k8s.ovn.org/owner"="surya/hello-world-2"}
health_check        : []
ip_port_mappings    : {}
name                : "Service_surya/hello-world-2_TCP_node_router_ip-10-0-130-199.us-east-2.compute.internal"
options             : {event="false", reject="true", skip_snat="false"}
protocol            : tcp
selection_fields    : []
vips                : {"10.0.130.199:30672"=""}
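
As an added example, not part of the bug report or of the ovn-kubernetes code, here is a small Python checker that reads load_balancer records like the ones above and predicts the per-node result an external client should see: a node_local_router LB with a backend accepts, and because skip_snat="true" the pod sees the real client address (what any source-IP allowlist or audit log in the pod depends on); a node_router LB with an empty VIP and reject="true" answers with a reset, which is the "Connection refused" the curl to 10.0.130.199 reports. The SAMPLE records are constructed from the listing in the comment (abridged to the relevant columns), and all function and variable names are the example's own.

```python
"""Added example (not from the bug report or from ovn-kubernetes): read the
records printed by `ovn-nbctl list load_balancer` and predict, per node, how an
externalTrafficPolicy=Local NodePort answers an external client.
SAMPLE is constructed to mirror comment 6 of the bug (abridged); it is not a
live dump. Names below are this example's own."""
import re

SAMPLE = """\
_uuid               : f4b2b08c-7016-4e61-8697-6c2bccb42213
external_ids        : {"k8s.ovn.org/kind"=Service, "k8s.ovn.org/owner"="surya/hello-world-2"}
name                : "Service_surya/hello-world-2_TCP_node_local_router_ip-10-0-206-103.us-east-2.compute.internal"
options             : {event="false", reject="true", skip_snat="true"}
protocol            : tcp
vips                : {"10.0.206.103:30672"="10.129.2.14:8080"}

_uuid               : 02d572c6-162a-4ef2-b0e1-eee9ab79a92e
external_ids        : {"k8s.ovn.org/kind"=Service, "k8s.ovn.org/owner"="surya/hello-world-2"}
name                : "Service_surya/hello-world-2_TCP_node_local_router_ip-10-0-148-77.us-east-2.compute.internal"
options             : {event="false", reject="true", skip_snat="true"}
protocol            : tcp
vips                : {"10.0.148.77:30672"="10.131.0.30:8080"}

_uuid               : 58f5c13c-f0a4-4068-b704-dbf60e1adbfb
external_ids        : {"k8s.ovn.org/kind"=Service, "k8s.ovn.org/owner"="surya/hello-world-2"}
name                : "Service_surya/hello-world-2_TCP_node_router_ip-10-0-130-199.us-east-2.compute.internal"
options             : {event="false", reject="true", skip_snat="false"}
protocol            : tcp
vips                : {"10.0.130.199:30672"=""}
"""

# LB name layout used by ovn-kubernetes for per-node service LBs (as seen above).
NAME_RE = re.compile(
    r'^"?Service_(?P<svc>[^_]+)_(?P<proto>[A-Z]+)_'
    r'(?P<kind>node_local_router|node_router)_(?P<node>[^"]+)"?$'
)
VIP_RE = re.compile(r'"(?P<vip>[^"]+)"="(?P<backends>[^"]*)"')
OPT_RE = re.compile(r'(?P<k>\w+)="(?P<v>[^"]*)"')


def parse_load_balancers(text):
    """Split `ovn-nbctl list` output into one {column: raw value} dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # column names never contain ':'
            fields[key.strip()] = value.strip()
        records.append(fields)
    return records


def node_port_verdicts(text, service):
    """Map node name -> expected behaviour for the per-node LBs of `service`
    (given as "namespace/name")."""
    verdicts = {}
    for lb in parse_load_balancers(text):
        m = NAME_RE.match(lb.get("name", ""))
        if not m or m["svc"] != service:
            continue
        options = dict(OPT_RE.findall(lb.get("options", "")))
        for vip, backends in VIP_RE.findall(lb.get("vips", "")):
            backend_list = [b for b in backends.split(",") if b]
            if backend_list:
                verdict = "accept"
            elif options.get("reject") == "true":
                verdict = "refused"      # OVN sends a TCP RST: curl says "Connection refused"
            else:
                verdict = "unanswered"   # no backend and no reject: nothing answers the VIP
            verdicts[m["node"]] = {
                "vip": vip,
                "backends": backend_list,
                "verdict": verdict,
                "kind": m["kind"],
                # skip_snat="true": the pod sees the external client's own address.
                "source_ip_preserved": options.get("skip_snat") == "true",
            }
    return verdicts


if __name__ == "__main__":
    for node, v in sorted(node_port_verdicts(SAMPLE, "surya/hello-world-2").items()):
        print(f"{node}: {v['vip']} -> {v['backends'] or '(none)'}: {v['verdict']}, "
              f"client IP preserved={v['source_ip_preserved']}")
```

To use it against a cluster, pipe the real listing in (for example `ovn-nbctl list load_balancer` run inside an ovnkube-master pod) and compare the verdicts with what curl from an external client reports; a node that the checker marks "accept" but that refuses, or the reverse, points at stale LB state rather than at the service definition.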

Comment 7 Surya Seetharaman 2022-04-28 22:01:30 UTC
We accidentally added support in 4.9 for this when we merged https://github.com/openshift/ovn-kubernetes/pull/942. This was merged in 4.9.24: https://bugzilla.redhat.com/show_bug.cgi?id=2056883#c6. Moving this to docs team to add/edit the docs for partial support.


Testing notes for host-net pod backends:

sh-4.4# tcpdump -i any -neep port 36363
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
21:53:49.159698  In 02:00:7c:97:6b:66 ethertype IPv4 (0x0800), length 76: 10.0.130.199.36363 > 10.0.148.77.30098: Flags [S], seq 4117051636, win 26883, options [mss 8961,sackOK,TS val 4053999068 ecr 0,nop,wscale 7], length 0
21:53:49.160537 Out 02:d1:23:a2:00:72 ethertype IPv4 (0x0800), length 76: 10.0.130.199.36363 > 169.254.169.2.webcache: Flags [S], seq 4117051636, win 26883, options [mss 8961,sackOK,TS val 4053999068 ecr 0,nop,wscale 7], length 0
21:53:50.175593  In 02:00:7c:97:6b:66 ethertype IPv4 (0x0800), length 76: 10.0.130.199.36363 > 10.0.148.77.30098: Flags [S], seq 4117051636, win 26883, options [mss 8961,sackOK,TS val 4054000085 ecr 0,nop,wscale 7], length 0
21:53:50.175838 Out 02:d1:23:a2:00:72 ethertype IPv4 (0x0800), length 76: 10.0.130.199.36363 > 169.254.169.2.webcache: Flags [S], seq 4117051636, win 26883, options [mss 8961,sackOK,TS val 4054000085 ecr 0,nop,wscale 7], length 0
21:53:52.222580  In 02:00:7c:97:6b:66 ethertype IPv4 (0x0800), length 76: 10.0.130.199.36363 > 10.0.148.77.30098: Flags [S], seq 4117051636, win 26883, options [mss 8961,sackOK,TS val 4054002132 ecr 0,nop,wscale 7], length 0
21:53:52.222638 Out 02:d1:23:a2:00:72 ethertype IPv4 (0x0800), length 76: 10.0.130.199.36363 > 169.254.169.2.webcache: Flags [S], seq 4117051636, win 26883, options [mss 8961,sackOK,TS val 4054002132 ecr 0,nop,wscale 7], length 0
21:53:56.254582  In 02:00:7c:97:6b:66 ethertype IPv4 (0x0800), length 76: 10.0.130.199.36363 > 10.0.148.77.30098: Flags [S], seq 4117051636, win 26883, options [mss 8961,sackOK,TS val 4054006164 ecr 0,nop,wscale 7], length 0
21:53:56.254661 Out 02:d1:23:a2:00:72 ethertype IPv4 (0x0800), length 76: 10.0.130.199.36363 > 169.254.169.2.webcache: Flags [S], seq 4117051636, win 26883, options [mss 8961,sackOK,TS val 4054006164 ecr 0,nop,wscale 7], length 0
21:54:04.766580  In 02:00:7c:97:6b:66 ethertype IPv4 (0x0800), length 76: 10.0.130.199.36363 > 10.0.148.77.30098: Flags [S], seq 4117051636, win 26883, options [mss 8961,sackOK,TS val 4054014676 ecr 0,nop,wscale 7], length 0
21:54:04.766677 Out 02:d1:23:a2:00:72 ethertype IPv4 (0x0800), length 76: 10.0.130.199.36363 > 169.254.169.2.webcache: Flags [S], seq 4117051636, win 26883, options [mss 8961,sackOK,TS val 4054014676 ecr 0,nop,wscale 7], length 0



We do the LB DNAT and preserve the srcIP; there are some flows to send this back to the host and for the response to come back to the GR before going out, and that is where we go wrong, so the reply doesn't reach the client.
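
Added example, not from the bug report: a Python script that reads a tcpdump text capture in the format above and reports (a) flows with repeated SYNs and no SYN-ACK, which is the trace the host-networked-backend case leaves behind, and (b) SYNs whose sequence number reappears with a second destination, which is the in-host DNAT from the NodePort to the backend with the client source left intact. The SAMPLE lines are constructed to mirror the capture format (two retransmitted SYN pairs plus one healthy handshake added for contrast); tcpdump printed the service name "webcache" rather than a port number for the backend, and the parser keeps whatever it finds there. Function names are the example's own.

```python
"""Added example (not from the bug report): detect, in a tcpdump text capture,
TCP flows whose SYNs are retransmitted without ever seeing a SYN-ACK, and SYNs
that reappear with a rewritten destination (the in-host DNAT). SAMPLE is
constructed to mirror the format of the capture in comment 7; names are the
example's own."""
import re
from collections import defaultdict

# One tcpdump -i any -nee line: timestamp, direction, MAC, ethertype, IPv4/TCP summary.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>In|Out)\s+\S+\s+ethertype IPv4 \(0x0800\),"
    r" length \d+: (?P<src>\S+) > (?P<dst>[^:\s]+): Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)"
)

SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
21:53:49.159698  In 02:00:7c:97:6b:66 ethertype IPv4 (0x0800), length 76: 10.0.130.199.36363 > 10.0.148.77.30098: Flags [S], seq 4117051636, win 26883, options [mss 8961,sackOK,TS val 4053999068 ecr 0,nop,wscale 7], length 0
21:53:49.160537 Out 02:d1:23:a2:00:72 ethertype IPv4 (0x0800), length 76: 10.0.130.199.36363 > 169.254.169.2.webcache: Flags [S], seq 4117051636, win 26883, options [mss 8961,sackOK,TS val 4053999068 ecr 0,nop,wscale 7], length 0
21:53:50.175593  In 02:00:7c:97:6b:66 ethertype IPv4 (0x0800), length 76: 10.0.130.199.36363 > 10.0.148.77.30098: Flags [S], seq 4117051636, win 26883, options [mss 8961,sackOK,TS val 4054000085 ecr 0,nop,wscale 7], length 0
21:53:50.175838 Out 02:d1:23:a2:00:72 ethertype IPv4 (0x0800), length 76: 10.0.130.199.36363 > 169.254.169.2.webcache: Flags [S], seq 4117051636, win 26883, options [mss 8961,sackOK,TS val 4054000085 ecr 0,nop,wscale 7], length 0
21:53:51.000000  In 02:00:7c:97:6b:66 ethertype IPv4 (0x0800), length 76: 10.0.130.199.40000 > 10.0.148.77.30672: Flags [S], seq 100, win 26883, options [mss 8961,sackOK,TS val 4054000900 ecr 0,nop,wscale 7], length 0
21:53:51.000400 Out 02:00:7c:97:6b:66 ethertype IPv4 (0x0800), length 76: 10.0.148.77.30672 > 10.0.130.199.40000: Flags [S.], seq 555, ack 101, win 26847, options [mss 8961,sackOK,TS val 1 ecr 4054000900,nop,wscale 7], length 0
"""


def parse_capture(text):
    """Return one dict per IPv4/TCP line; tcpdump banner lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src_host, src_port = m["src"].rsplit(".", 1)   # "10.0.130.199.36363"
        dst_host, dst_port = m["dst"].rsplit(".", 1)   # port may be a service name
        pkts.append({"ts": m["ts"], "dir": m["dir"], "flags": m["flags"],
                     "seq": int(m["seq"]),
                     "src": (src_host, src_port), "dst": (dst_host, dst_port)})
    return pkts


def half_open_flows(pkts, min_syns=2):
    """Flows with at least `min_syns` SYNs and no SYN-ACK in the reverse direction."""
    syns = defaultdict(list)
    answered = set()
    for p in pkts:
        if p["flags"] == "S":
            syns[(p["src"], p["dst"])].append(p["ts"])
        elif p["flags"] == "S.":
            answered.add((p["dst"], p["src"]))   # SYN-ACK travels server -> client
    return [{"client": c, "server": s, "syns": len(ts), "first": ts[0], "last": ts[-1]}
            for (c, s), ts in sorted(syns.items())
            if len(ts) >= min_syns and (c, s) not in answered]


def dnat_rewrites(pkts):
    """Group SYNs by (source endpoint, sequence number). The same SYN seen with
    two destinations was DNATed in the host with its source left intact."""
    seen = defaultdict(list)
    for p in pkts:
        if p["flags"] == "S":
            key = (p["src"], p["seq"])
            if p["dst"] not in seen[key]:
                seen[key].append(p["dst"])
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    for f in half_open_flows(pkts):
        print(f"half-open: {f['client']} -> {f['server']}: {f['syns']} SYNs, no SYN-ACK "
              f"({f['first']} .. {f['last']})")
    for (src, seq), dsts in dnat_rewrites(pkts).items():
        print(f"DNAT: {src} seq {seq}: {' -> '.join(f'{h}:{p}' for h, p in dsts)}")
```

Run it on the output of `tcpdump -i any -nee port <client-port>` saved to a file; a NodePort flow that shows up in both reports, DNATed but never answered, is the reply-path failure described above, while a flow that only shows up as half-open with no rewrite never reached the load balancer at all.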

Comment 9 Surya Seetharaman 2022-04-29 09:10:36 UTC
Hi Docs Team,

This is a 4.9.z only bug, moving Versions to reflect that.

Comment 13 Franck Baudin 2022-05-12 07:09:04 UTC
So this bug is still WIP for OVN local GW mode, and will be fixed? Thanks!

Comment 17 Aniket Bhat 2022-11-14 07:32:25 UTC
Since this is merged in 4.9.24, I am marking this as closed. If we need to add missing documentation, please create a docs specific bug for it.