Sometimes traffic can't be sent over created links, potential upstream bug

Replace the LB program with nfqueue-loadbalancer

Verify that the overall system still functions and the affected pod eventually recovers in case of pod failure (for FEs, proxies,, targets)

Replace the -ttl 72000 spire setting with renewals to prevent timeouts (after 72000 seconds)

Add an LB integrated FrontEnd that includes bird with BGP support

Add build parameter for OS base image in operator

Adding support for multiple trenches/vLANs

Here is the new api specifications

• Configuration Manager
• Target Registry
• Ambassador

nfqlb is integrated into Meridio but end-to-end verification has not yet done.
The scope of this ticket is to verify fragmentation handling in Meridio
To do once FE alpha is finalized.

Basic documentation for the deployment FW
Limited alpha scope, basic info needed for use and deployment

What happened:

On a target removal (scale-in or disconnection of a target from a trench), the traffic is not received by all remaining targets. For instance, if there are 4 targets connected to a trench and receiving the traffic correctly, if one is removed, the traffic might reach only 2 targets instead of 3.

This bug is happening rarely and randomly.

This could also happen when the e2e tests are running which makes some test cases failing.

STEP: Disconnecting the target from a trench
• Failure [10.618 seconds]
Target
/Meridio/test/e2e/target_test.go:30
  With one trench (trench-a) deployed in namespace red containing 2 VIP addresses (20.0.0.1:5000, [2000::1]:5000) and 4 target pods running ctraffic
  /Meridio/test/e2e/target_test.go:52
    should be possible for a target to disconnect from a trench and connect to it again [It]
    /Meridio/test/e2e/target_test.go:71

    Expected
        <int>: 2
    to equal
        <int>: 3

    /Meridio/test/e2e/target_test.go:78

What you expected to happen:

The traffic should reach and be load-balancer among all remaining targets.

How to reproduce it (as minimally and precisely as possible):

Deploy Meridio with 2 trenches, and 4 targets in each trench.

To reproduce it, we can or run the e2e tests:

make e2e

Or disconnect a target manually:
On a target:

./target-client disconnect -ns load-balancer -t trench-a

On the traffic generator host:

ctraffic -address 20.0.0.1:5000 -nconn 400 -rate 100 -monitor -stats all > v4traffic.json
ctraffic -analyze hosts -stat_file v4traffic.json

Environment:

• Kind (1 Master and 2 Workers)
• Kubernetes 1.20.1
• NSM 1.0
• Meridio - e570a21

Add version handling for the NSP API

Generic NSM 1.0 install script for testing

Add a helm chart for the meridio operator

In order to minimize the number of hops needed for connections the nTargets should connect to a proxy hosted on the same node as itself.

If an FE detects that the link towards the external gateway is broken: BGP down, BFD down or the interface is down (operational or administratively) Meridio should stop using this link for outgoing traffic. The traffic should be diverted to other still active links.
In the case where the LB/FE is combined in one pod (composite setup) the LB might also need to be withdrawn from the egress traffic path.

In order to minimize the requirements for running Meridio and strengthen security, evaluate and minimize the need for elevated privileges in Meridio

Mitigate or manage target identifier hashing collisions

Convert the meridio ambassador to use unix sockets for communication

Basic documentation for the FrontEnd
Limited alpha scope, basic info needed for use and deployment

One CR per trench, tested with 3 trenches in the system.

All mandatory trench specific settings handled
by the operator. Such as VIPs, gateway, FW addresses, vlan-id, vlan interface

Add support for setting VIP ranges with the operator

The functionality to ping meridio VIPs should already be in place in the latest LBs.

Verify cluster external pinging of the VIPs

Add liveness/readiness probes for Meridio images

Add an API based on the ambassador pattern to facilitate integration between targets and Meridio

ASN and hold-time should be runtime configurable
This needs an update in gateway CRD and controller

Upgrade support

Operator to take repo info from the external yaml files instead of the go code

Investigate and add high availability for the ipam/nsp pods

Add functionality in order to set on what worker nodes FEs will run (since not all nodes might have external interfaces available)

Note:
Likely not critical for the PRA as cloud based nodes generally are identical / can all provide external access

Add configuration support for traffic streams to the operator

Add/verify support for static routing + BFD in the Meridio FE

"Plumbing" config FW Implementation in Meridio

Deployment function based on Operator/CRDs

Phase 1:
Basic deployment with the "old"/pre-existing helmcharts, but now deployed through the operator

Add dualstack support for the Meridio elements

Add/verify support for BGP + BFD in the Meridio FE

A full NSM connection mesh is needed between the elements in the FE function block and all elements in all LB function block(s).
Remember that a trench can include several conduits, where each conduit can/will include a LB function block. But for the first implementation it will be enough to consider one conduit as the support for several conduits are to come at a later stage.

The full mesh solution should be generic supporting:

1. One FE being collocated with one LB in the same pod, where the FE must prioritize the forwarding of traffic to this local LB.
   Notice that although the FE and LB is collocated some traffic still may need to be forwarded to another LB. For example
   fragmentation handling will need all fragments from the same IP-message to be handled by the same LB instance although
   arriving though different FEs.
2. The FE and LB being separated in two pods.

Operator should watch for one namespace. This makes it possible to deploy different versions of the operator in one cluster

The NSM community recently provided new functionality to provide support for multiple IPs on the interfaces (both IPv4 and IPv6). Verify the functionality and evaluate if it provides what we need for dualstack support.

Adding the framework for runtime configuration

nfqlb 1.0 code review

Currently it is possible 2 targets open a stream (the streams have to be different for this to happen) with the same identifier which will create a conflict on the LB side since the IP rules/routes will collide.

3 solutions are possible:

1. Have common identifier range with a unique identifier for each target

• The number of identifier in use in equal to the number of target in the trench
• Stream and target needs to be detached in the LB. The conduit configures the target rules/routes.

2. Have common identifier range with a unique identifier for each stream opened

• The number of identifier in use in equal to the number of stream opened in the trench

3. Separated identifier ranges

• Each stream should have a max size + offset
• Needs extra parameters in the configmap and some work on the Operator to find available offset

related issue: #32

Alpha scope: Basic/fundamental config settings

"Plumbing" config FW Implementation in Meridio

Deployment function based on Operator/CRDs

Phase 2:
Set container specific options with the Operator/CRDs

Add support for scaling in/out the LBs and verify traffic

Split config into multiple CRDs per trench

7 crds per trench, remaining ones conduit, stream, flow