From 0df0404b61548b9890275f9349ac6337615c9724 Mon Sep 17 00:00:00 2001
From: Francesco Cheinasso
Date: Thu, 9 Jan 2025 15:34:58 +0100
Subject: [PATCH] feat: fabric ports setup
---
 deployments/liqo/README.md | 2 ++
 .../liqo/templates/liqo-fabric-daemonset.yaml | 10 +++++++
 ...iqo-wireguard-gateway-client-template.yaml | 18 +++++++++++
 ...wireguard-gateway-server-template-eks.yaml | 21 +++++++++++++
 ...iqo-wireguard-gateway-server-template.yaml | 30 +++++++++++++++----
 deployments/liqo/values.yaml | 6 ++++
 6 files changed, 81 insertions(+), 6 deletions(-)
diff --git a/deployments/liqo/README.md b/deployments/liqo/README.md
index 6673be1ab1..f2861e2f7b 100644
--- a/deployments/liqo/README.md
+++ b/deployments/liqo/README.md
@@ -86,6 +86,8 @@ | networking.enabled | bool | `true` | Use the default Liqo networking module. | | networking.fabric.config.fullMasquerade | bool | `false` | Enabe/Disable the full masquerade mode for the fabric pod. It means that all traffic will be masquerade using the first external cidr IP, instead of using the pod IP. Full masquerade is useful when the cluster nodeports uses a PodCIDR IP to masqerade the incoming traffic. IMPORTANT: Please consider that enabling this feature will masquerade the source IP of traffic towards a remote cluster, making impossible for a pod that receives the traffic to know the original source IP. | | networking.fabric.config.gatewayMasqueradeBypass | bool | `false` | Enable/Disable the masquerade bypass for the gateway pods. It means that the packets from gateway pods will not be masqueraded from the host where the pod is scheduled. This is useful in scenarios where CNIs masquerade the traffic from pod to nodes. For example this is required when using the Azure CNI or Kindnet. | +| networking.fabric.config.healthProbeBindAddress | string | `":8081"` | Set the address where the fabric pod will expose the health probe. To disable the health probe, set the address to ":0". | +| networking.fabric.config.metricsAddress | string | `":8082"` | Set the address where the fabric pod will expose the metrics. To disable the metrics, set the address to ":0". | | networking.fabric.config.nftablesMonitor | bool | `true` | Enable/Disable the nftables monitor for the fabric pod. It means that the fabric pod will monitor the nftables rules and will restore them in case of changes. In some cases (like K3S), this monitor can cause a huge amount of CPU usage. If you are experiencing high CPU usage, you can disable this feature. | | networking.fabric.image.name | string | `"ghcr.io/liqotech/fabric"` | Image repository for the fabric pod. | | networking.fabric.image.version | string | `""` | Custom version for the fabric image. 
If not specified, the global tag is used. | diff --git a/deployments/liqo/templates/liqo-fabric-daemonset.yaml b/deployments/liqo/templates/liqo-fabric-daemonset.yaml index a5da07bc8d..120618270a 100644 --- a/deployments/liqo/templates/liqo-fabric-daemonset.yaml +++ b/deployments/liqo/templates/liqo-fabric-daemonset.yaml @@ -45,6 +45,8 @@ spec: - --podname=$(POD_NAME) - --nodename=$(NODE_NAME) - --geneve-port={{ .Values.networking.genevePort }} + - --health-probe-bind-address=:{{ .Values.networking.fabric.config.healthProbeBindAddressPort}} + - --metrics-address=:{{ .Values.networking.fabric.config.metricsAddressPort}} {{- if not .Values.requirements.kernel.enabled }} - --disable-kernel-version-check {{- end }} @@ -79,6 +81,14 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + ports: + - name: healthz + containerPort: {{ .Values.networking.fabric.config.healthProbeBindAddressPort }} + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: healthz hostNetwork: true {{- if .Values.networking.fabric.pod.priorityClassName }} priorityClassName: {{ .Values.networking.fabric.pod.priorityClassName }} diff --git a/deployments/liqo/templates/liqo-wireguard-gateway-client-template.yaml b/deployments/liqo/templates/liqo-wireguard-gateway-client-template.yaml index f5206b1ce2..4b654d6892 100644 --- a/deployments/liqo/templates/liqo-wireguard-gateway-client-template.yaml +++ b/deployments/liqo/templates/liqo-wireguard-gateway-client-template.yaml @@ -78,6 +78,8 @@ spec: ports: - containerPort: 8082 name: gw-metrics + - containerPort: 8083 + name: healthz {{- end }} env: - name: NODE_NAME @@ -94,6 +96,10 @@ spec: add: - NET_ADMIN - NET_RAW + readinessProbe: + httpGet: + path: /readyz + port: healthz - name: wireguard image: {{ .Values.networking.gatewayTemplates.container.wireguard.image.name }}{{ include "liqo.suffix" $wireguardConfig }}:{{ include "liqo.version" $wireguardConfig }} imagePullPolicy: {{ .Values.pullPolicy }} 
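Review bot: The two flag lines added to liqo-fabric-daemonset.yaml close the template action without a space, `...healthProbeBindAddressPort}}` and `...metricsAddressPort}}`, unlike every other `{{ .Values... }}` reference in the hunk; write them as `- --health-probe-bind-address=:{{ .Values.networking.fabric.config.healthProbeBindAddressPort }}` and `- --metrics-address=:{{ .Values.networking.fabric.config.metricsAddressPort }}`. Because this pod runs with `hostNetwork: true` (visible in the next hunk of the same file), both listeners bind on every node's host interfaces rather than on a pod-private address, so a values comment stating that these ports must not collide with other host-network listeners on the node would help operators diagnose bind failures or probes hitting the wrong process.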
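Review bot: The added `ports:` / `readinessProbe:` block in liqo-fabric-daemonset.yaml renders `containerPort: 0` and a probe against it when `healthProbeBindAddressPort` is set to the `0` that values.yaml documents as "disable the health probe", and API validation rejects a containerPort outside 1–65535, so the documented disable option breaks the DaemonSet. Wrap the eight added lines in `{{- if ne (toString .Values.networking.fabric.config.healthProbeBindAddressPort) "0" }}` … `{{- end }}`, or drop the disable sentence from the values comment. Note also that only the health port is declared here; `metricsAddressPort` gets no `ports` entry, which with hostNetwork changes nothing about reachability but leaves the metrics listener undocumented on the pod spec.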
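Review bot: The `healthz` port added to the gateway container in liqo-wireguard-gateway-client-template.yaml sits inside the conditional that the following `{{- end }}` closes (the `if` starts before the hunk; presumably `.Values.metrics.enabled`, as the same block reads in the server template), while the `readinessProbe` added in the next hunk references `port: healthz` unconditionally, so with metrics disabled the probe names a port that does not exist and the container never becomes ready. The same shape repeats for the wireguard and geneve containers later in this file and for all three containers in liqo-wireguard-gateway-server-template.yaml. Keep only the metrics port under the conditional and declare the health port unconditionally; the enclosing container definition starts before the hunk.
```yaml
ports:
  {{- if .Values.metrics.enabled }}
  - containerPort: 8082
    name: gw-metrics
  {{- end }}
  - containerPort: 8083
    name: healthz
# … unchanged: env, securityContext, readinessProbe …
```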
@@ -116,6 +122,8 @@ spec: ports: - containerPort: 8084 name: wg-metrics + - containerPort: 8085 + name: healthz {{- end }} securityContext: capabilities: @@ -130,6 +138,10 @@ spec: mountPath: /ipc - name: wireguard-config mountPath: /etc/wireguard/keys + readinessProbe: + httpGet: + path: /readyz + port: healthz - name: geneve image: {{ .Values.networking.gatewayTemplates.container.geneve.image.name }}{{ include "liqo.suffix" $geneveConfig }}:{{ include "liqo.version" $geneveConfig }} imagePullPolicy: {{ .Values.pullPolicy }} @@ -154,6 +166,8 @@ spec: ports: - containerPort: 8086 name: gv-metrics + - containerPort: 8087 + name: healthz {{- end }} env: - name: NODE_NAME @@ -169,6 +183,10 @@ spec: add: - NET_ADMIN - NET_RAW + readinessProbe: + httpGet: + path: /readyz + port: healthz # Uncomment to set a priorityClassName # priorityClassName: "" volumes: diff --git a/deployments/liqo/templates/liqo-wireguard-gateway-server-template-eks.yaml b/deployments/liqo/templates/liqo-wireguard-gateway-server-template-eks.yaml index 5b99706ed6..5cbb62ac42 100644 --- a/deployments/liqo/templates/liqo-wireguard-gateway-server-template-eks.yaml +++ b/deployments/liqo/templates/liqo-wireguard-gateway-server-template-eks.yaml @@ -106,6 +106,13 @@ spec: - containerPort: 8082 name: gw-metrics {{- end }} + ports: + - containerPort: 8083 + name: healthz + readinessProbe: + httpGet: + path: /readyz + port: healthz env: - name: NODE_NAME valueFrom: @@ -143,6 +150,13 @@ spec: - containerPort: 8084 name: wg-metrics {{- end }} + ports: + - containerPort: 8085 + name: healthz + readinessProbe: + httpGet: + path: /readyz + port: healthz securityContext: capabilities: add: @@ -181,6 +195,13 @@ spec: - containerPort: 8086 name: gv-metrics {{- end }} + ports: + - containerPort: 8087 + name: healthz + readinessProbe: + httpGet: + path: /readyz + port: healthz env: - name: NODE_NAME valueFrom: 
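Review bot: In liqo-wireguard-gateway-server-template-eks.yaml the added `ports:` key becomes a second `ports:` in the same container whenever `.Values.metrics.enabled` is true, because the first one (inside the conditional closed by the `{{- end }}` just above) is still emitted; a duplicate mapping key is either rejected by the YAML parser or resolved last-wins, in which case the `gw-metrics` port declaration silently disappears. The wireguard (`8085`) and geneve (`8087`) containers in this file's next two hunks have the same shape. Merge both entries under one `ports:` with only the metrics port guarded; the container definitions start before the hunks.
```yaml
ports:
  {{- if .Values.metrics.enabled }}
  - containerPort: 8082
    name: gw-metrics
  {{- end }}
  - containerPort: 8083
    name: healthz
# … unchanged: readinessProbe, env …
```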
diff --git a/deployments/liqo/templates/liqo-wireguard-gateway-server-template.yaml b/deployments/liqo/templates/liqo-wireguard-gateway-server-template.yaml index d35301d13f..4808a33196 100644 --- a/deployments/liqo/templates/liqo-wireguard-gateway-server-template.yaml +++ b/deployments/liqo/templates/liqo-wireguard-gateway-server-template.yaml @@ -80,9 +80,9 @@ spec: {{- include "liqo.concatenateMap" $d | nindent 16 }} {{- end }} {{- if .Values.metrics.enabled }} - - --metrics-address=:8084 + - --metrics-address=:8082 {{- end }} - - --health-probe-bind-address=:8085 + - --health-probe-bind-address=:8083 - --ping-enabled=true - --ping-loss-threshold={{ .Values.networking.gatewayTemplates.ping.lossThreshold }} - --ping-interval={{ .Values.networking.gatewayTemplates.ping.interval }} @@ -96,9 +96,15 @@ spec: mountPath: /ipc {{- if .Values.metrics.enabled }} ports: - - containerPort: 8084 + - containerPort: 8082 name: gw-metrics + - containerPort: 8083 + name: healthz {{- end }} + readinessProbe: + httpGet: + path: /readyz + port: healthz env: - name: NODE_NAME valueFrom: @@ -127,15 +133,21 @@ spec: - --mtu={{"{{ .Spec.MTU }}"}} - --listen-port={{"{{ .Spec.Endpoint.Port }}"}} {{- if .Values.metrics.enabled }} - - --metrics-address=:8082 + - --metrics-address=:8084 {{- end }} - - --health-probe-bind-address=:8083 + - --health-probe-bind-address=:8085 - --implementation={{ .Values.networking.gatewayTemplates.wireguard.implementation }} {{- if .Values.metrics.enabled }} ports: - - containerPort: 8082 + - containerPort: 8084 name: wg-metrics + - containerPort: 8085 + name: healthz {{- end }} + readinessProbe: + httpGet: + path: /readyz + port: healthz securityContext: capabilities: add: @@ -173,7 +185,13 @@ spec: ports: - containerPort: 8086 name: gv-metrics + - containerPort: 8087 + name: healthz {{- end }} + readinessProbe: + httpGet: + path: /readyz + port: healthz env: - name: NODE_NAME valueFrom: 
diff --git a/deployments/liqo/values.yaml b/deployments/liqo/values.yaml index 36da845086..cbf2b32935 100644 --- a/deployments/liqo/values.yaml +++ b/deployments/liqo/values.yaml @@ -124,6 +124,12 @@ networking: # In some cases (like K3S), this monitor can cause a huge amount of CPU usage. # If you are experiencing high CPU usage, you can disable this feature. nftablesMonitor: true + # -- Set the port where the fabric pod will expose the health probe. + # To disable the health probe, set the port to 0. + healthProbeBindAddressPort: "8081" + # -- Set the port where the fabric pod will expose the metrics. + # To disable the metrics, set the port to 0. + metricsAddressPort: "8082" authentication: # -- Enable/Disable the authentication module.
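Review bot: The keys added here, `healthProbeBindAddressPort` and `metricsAddressPort` with defaults `"8081"`/`"8082"`, do not match the rows this same commit adds to deployments/liqo/README.md, which document `healthProbeBindAddress`/`metricsAddress` with defaults `":8081"`/`":8082"` and a `":0"` disable syntax; the README reads like helm-docs output from an earlier naming and should be regenerated from these comments so the two stay in sync. The "set the port to 0" sentence also promises something the daemonset template does not support as written (it renders `containerPort: 0` and a readiness probe on it), so either guard those blocks in the template or reword both comments to say the value must be a valid TCP port, e.g. `# -- TCP port on which the fabric pod exposes the health probe (bound on the host network).`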