Support EgressIP assigning and failover in antrea-agent

[wenqiq]

Support EgressIP assigning and failover in antrea-agent

A cluster will be created in the background when the Egress feature is turned on.
And the local Node will join all the other K8s Nodes in a memberlist cluster.

Each Node in the cluster holds the same consistent hash ring for each ExternalIPPool,
in order to distribute egress IPs equally among the selected Nodes (which are part of the
memberlist cluster). When a Node leaves the cluster, its IPs are redistributed.
When a Node joins the cluster, it's added to the hash ring and a small fraction of IPs are re-assigned to that Node.

For #2128

[codecov-commenter]

Codecov Report

Merging #2186 (c1b970c) into main (a8c7970) will increase coverage by 2.46%.
The diff coverage is 54.44%.

@@            Coverage Diff             @@
##             main    #2186      +/-   ##
==========================================
+ Coverage   61.91%   64.38%   +2.46%     
==========================================
  Files         281      283       +2     
  Lines       21771    22121     +350     
==========================================
+ Hits        13480    14243     +763     
+ Misses       6871     6409     -462     
- Partials     1420     1469      +49     

Flag	Coverage Δ
e2e-tests	54.02% <32.95%> (?)
kind-e2e-tests	51.55% <0.00%> (-0.70%)	⬇️
unit-tests	41.89% <58.23%> (+0.23%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/controller/metrics/prometheus.go	4.34% <ø> (ø)
.../controller/egress/ipassigner/ip_assigner_linux.go	25.00% <25.00%> (ø)
pkg/agent/controller/egress/egress_controller.go	63.85% <25.45%> (+23.05%)	⬆️
pkg/agent/memberlist/cluster.go	74.75% <74.75%> (ø)
pkg/ovs/openflow/ofctrl_bridge.go	50.00% <0.00%> (+0.34%)	⬆️
pkg/agent/openflow/network_policy.go	76.41% <0.00%> (+0.59%)	⬆️
pkg/controller/networkpolicy/status_controller.go	87.09% <0.00%> (+0.64%)	⬆️
pkg/agent/cniserver/pod_configuration.go	54.68% <0.00%> (+0.78%)	⬆️
... and 34 more

[tnqn]

The test itself is O(n^2), I understand it needs to construct a fakeCluster for each Node to check whether a Node can select the Egress in current implementation. Why don't just change ShouldSelectNode return the desired Node to make the test much easier. The client just needs to check whether the desired Node is itself.

[wenqiq]

done

[tnqn]

You missed the comment: "Currently it's used only when the Egress feature is enabled."

[tnqn]

I think yes

[tnqn]

Please update the commit message which has out-of-date description about when the node will join and leave the cluster.

[tnqn]

nit: don't mix the usage and the default value in same line.

ClusterMembershipPort is the server port used by the antrea-agent to run a gossip-based cluster membership protocol. Currently it's used only when the Egress feature is enabled.
Defaults to 10351.

[tnqn]

I'm a bit confused by the test:

1. what does expectEgressSeqSum mean?
2. Does the 1st subtest have any difference from the 4th one given they have exactly same input?
3. What is it verifying given there is no expected value and it doesn't call any function/method in source file?

I feel it's likely just testing consistentHash directly which should be already covered by TestCluster_ShouldSelectEgress. If so, maybe just remove this one.

[wenqiq]

expectEgressSeqSum is the sum of all selected Egress sequence numbers. It ensures each Egress has been selected once. That is, Egresses distributed in different Nodes, no duplicate or missing items. Maybe I should rephrase nodeSelectedForEgress and use ShouldSelectEgress in this test case.

[tnqn]

If verifying duplicate or missing items is the purpose, maybe you can just make a little change toTestCluster_ShouldSelectEgress;

genNodes := func(n int) []string {
	nodes := make([]string, n)
	for i := 0; i < n; i++ {
		nodes[i] = fmt.Sprintf("node-%d", i)
	}
	return nodes
}

fakeEIPName := "fakeExternalIPPool"
fakeEgress := &crdv1a2.Egress{
	ObjectMeta: metav1.ObjectMeta{Name: "fakeEgress"},
	Spec:       crdv1a2.EgressSpec{ExternalIPPool: fakeEIPName, EgressIP: tCase.egressIP},
}
consistentHashMap := newNodeConsistentHashMap()
consistentHashMap.Add(genNodes(tCase.nodeNum)...)

fakeCluster := &Cluster{
	consistentHashMap: map[string]*consistenthash.Map{fakeEIPName: consistentHashMap},
}

for i := 0; i < n; i++ {
	node := fmt.Sprintf("node-%d", i)
	fakeCluster.nodeName = node
	selected, err := fakeCluster.ShouldSelectEgress(fakeEgress)
	assert.NoError(t, err)
	assert.Equal(t, node == tCase.expectedNode, selected, "Selected Node for Egress not match")
}

[wenqiq]

done

[tnqn]

The benchmark doesn't really measure a method in source code, it calls one step in ShouldSelectEgress but also counts the time spent on creating a consistenthashMap. Can it focus one method i.e. ShouldSelectEgress? I don't think we need many input matrix either (as long as it's efficient in 1000 nodes, no one will worry about 10 nodes).

[wenqiq]

done

[tnqn]

Maybe name the patch and PR "Support EgressIP assigning and failover in antrea-agent"

[tnqn]

@jianjuns @antoninbas do you have more comments after the existing ones are resolved? If no, I will merge it after all comments are resolved so I can rebase #2345 and #2342 on it.

[tnqn]

LGTM overall

[tnqn]

Integration test failed.
/test-all

[antoninbas]

@tnqn no further comments from me

[wenqiq]

Integration test failed.
/test-all

Fix integration test case.

-       if err := ipAssigner.UnassignEgressIP(eg.Spec.EgressIP); err != nil {
+       if err := ipAssigner.UnassignEgressIP(eg.Name); err != nil {
                t.Fatalf("Unassigning egress IP error: %v", err)
        }

go test -coverpkg=antrea.io/antrea/pkg/... -coverprofile=.coverage/coverage-integration.txt -covermode=atomic -cover antrea.io/antrea/test/integration/...
?       antrea.io/antrea/test/integration       [no test files]
ok      antrea.io/antrea/test/integration/agent 30.456s coverage: 11.8% of statements in antrea.io/antrea/pkg/...
ok      antrea.io/antrea/test/integration/ovs   36.092s coverage: 4.6% of statements in antrea.io/antrea/pkg/...

@tnqn

[jianjuns]

LGTM.
Some nits on comments.

[jianjuns]

Probably you missed a verb after ShouldSelectEgress

[wenqiq]

-// ShouldSelectEgress the local Node in the cluster holds the same consistent hash ring for each ExternalIPPool,
-// when selecting an owner Node for an Egress, the local Node labels must match an ExternalIPPool nodeSelectors.
+// ShouldSelectEgress returns true if the local Node selected as the owner Node of the Egress,
+// the local Node in the cluster holds the same consistent hash ring for each ExternalIPPool,

[jianjuns]

Need to rephrase this line too.

[wenqiq]

ditto

[jianjuns]

When a Node leaves
may have failed or have been deleted

[wenqiq]

-               // When a Node joins cluster, all matched ExternalIPPools consistentHash should be updated.
-               // when a Node leave cluster, the Node may failed or deleted,
-               // if Node has been deleted, affected ExternalIPPool should enqueue, deleteNode handler has processed
-               // if the Node failed, ExternalIPPools consistentHash maybe changed, affected ExternalIPPool should enqueue.
+               // When a Node joins cluster, all matched ExternalIPPools consistentHash should be updated;
+               // when a Node leaves cluster, the Node may have failed or have been deleted,
+               // if the Node has been deleted, affected ExternalIPPool should be enqueued, and deleteNode handler has been executed,
+               // if the Node has failed, ExternalIPPools consistentHash maybe changed, and affected ExternalIPPool should be enqueued.

[jianjuns]

If you do not like to capitalize "when" in the next sentence, probably change "." to ";"

[wenqiq]

ditto

[jianjuns]

should be enqueued
and deleteNode handler has been executed (?)

[wenqiq]

ditto

[jianjuns]

and affected...
should be enqueued.

[wenqiq]

ditto

[jianjuns]

and deleteNode handler has been executed

[wenqiq]

-                               // Node has been deleted, deleteNode handler has processed.
+                               // Node has been deleted, and deleteNode handler has been executed.

[jianjuns]

refreshes

[wenqiq]

-       // updateConsistentHash refresh the consistentHashMap.
+       // updateConsistentHash refreshes the consistentHashMap.

[jianjuns]

matches with -> match

[wenqiq]

-               // Node alive and Node labels matches with ExternalIPPool nodeSelector.
+               // Node alive and Node labels match ExternalIPPool nodeSelector.

[jianjuns]

so agent..
Or change "," to "." in the previous line.

[wenqiq]

-       // The Egress has been deleted but assigned IP has not been deleted,
-       // agent should delete those IPs when it starts.
+       // The Egress has been deleted but assigned IP has not been deleted, so agent should delete those IPs when it starts.

[tnqn]

LGTM

[tnqn]

/test-all

[tnqn]

It seems all comments have been addressed. I will merge this to unblock other PRs. If there are new comments, @wenqiq or I can address them in new PRs.

[wenqiq]

It seems all comments have been addressed. I will merge this to unblock other PRs. If there are new comments, @wenqiq or I can address them in new PRs.

Thanks for your professional and careful reviews, very helpful and inspiring for me, also thank @antoninbas and @jianjuns, no further comments from me at the moment.