Currently, for every KeepalivedGroup, the name of the interface keepalived should use needs to be provided. However, this name could be unknown, or different per node in a cluster.

In the MetalK8s project we were running keepalived before to provide control-plane address failover, and ran into the same 'issue': from our configuration we knew the network/CIDR that should be used for VRRP traffic and such. keepalived requires the interface name, though, and I wanted to use a static configuration shared across nodes (not in a ConfigMap because we were using a static Pod to run keepalived, not a DaemonSet).

To 'fix' this, I used the following work-around:

• Built a container including keepalived, but an entrypoint which would check for /etc/keepalived/keepalived.conf.sh to exist, in which case this script would be executed (with a path in which it should write the generated config, looking back I could've done this using a simple redirect...), see scality/metalk8s@4979e75#diff-25e0a6c0ca4a5a8d93ae420bbd660b7c for the Dockerfile and scality/metalk8s@4979e75#diff-4eba8219d8fe53819f471ce29ccf4ac5 for the entrypoint.sh.
• Create such script (in the case of keepalived-operator, this could go in the ConfigMap) using ip route get ... | awk ... to find the interface name (on the node): scality/metalk8s@75cdefd#diff-624c2fd69a5217a756abfae035d2a77cR33
• The script uses a network address to figure out the right interface, which is passed in as an environment variable (but could be spliced into the ConfigMap template in keepalived-operator from the KeepalivedGroup configuration): scality/metalk8s@75cdefd#diff-624c2fd69a5217a756abfae035d2a77cR154

Just leaving this here in case you'd be looking for a way to get rid of static interface names being provided and allowing a more flexible by-network/CIDR configuration.

It would be great to allow the operator to serve the internal and external Kubernetes/OpenShift API.

After a Cluster Update there are always some keepalivedgroup Pods in CrashLoopBackOff:
The log of the keepalived container shows:

Starting Keepalived v1.3.5 (03/19,2017), git commit v1.3.5-6-g6fa32f2
Opening file '/etc/keepalived.d/keepalived.conf'.
daemon is already running

The reason seems to be a stale PID file:

sh-4.4# ls -la /proc/*/exe
ls: cannot read symbolic link '/proc/35/exe': Permission denied
lrwxrwxrwx. 1 root root 0 Aug  1 07:40 /proc/1/exe -> /usr/bin/pod
lrwxrwxrwx. 1 root root 0 Aug  1 17:21 /proc/22/exe -> /usr/bin/bash
lrwxrwxrwx. 1 root root 0 Aug  1 17:18 /proc/28391/exe -> /usr/bin/bash
lrwxrwxrwx. 1 root root 0 Aug  1 17:27 /proc/28854/exe -> /usr/bin/coreutils
lrwxrwxrwx. 1 1001 root 0 Aug  1 07:40 /proc/35/exe
lrwxrwxrwx. 1 root root 0 Aug  1 17:27 /proc/self/exe -> /usr/bin/coreutils
lrwxrwxrwx. 1 root root 0 Aug  1 17:27 /proc/thread-self/exe -> /usr/bin/coreutils
sh-4.4# cat /etc/keepalived.pid/keepalived.pid 
12

I think keepalived needs to remove the pid file instead of using it to detect a running instance (which will never exist in this container scenario?!)

When we create a Service with type LoadBalancer, it looks like this:

apiVersion: v1
kind: Service
metadata:
  annotations:
    keepalived-operator.redhat-cop.io/keepalivedgroup: keepalived-operator/shz
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{"keepalived-operator.redhat-cop.io/keepalivedgroup":"keepalived-operator/shz"},"name":"lb-test","namespace":"kucera"},"spec":{"externalTrafficPolicy":"Cluster","loadBalancerIP":"10.139.125.70","ports":[{"name":"http","port":80,"protocol":"TCP","targetPort":8080}],"selector":{"app":"abc"},"sessionAffinity":"None","type":"LoadBalancer"}}
  creationTimestamp: "2020-10-02T18:03:44Z"
  name: lb-test
  namespace: kucera
  resourceVersion: "94186695"
  selfLink: /api/v1/namespaces/kucera/services/lb-test
  uid: 5b2de9fb-e83f-4aea-9630-9398fad55880
spec:
  clusterIP: 172.30.98.102
  externalTrafficPolicy: Cluster
  loadBalancerIP: 10.139.125.70
  ports:
  - name: http
    nodePort: 30679
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: abc
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer: {}

although I have set loadBalancerIP in spec, it is not generated into status so keepalived gets configured like this:

vrrp_instance kucera/lb-test {
    interface ens192

    virtual_router_id 7

    virtual_ipaddress {

    }

}

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Pin dependencies (golang, quay.io/raffaelespazzoli/keepalived-operator, registry.access.redhat.com/ubi8/ubi)
• Update module github.com/redhat-cop/operator-utils to v1.3.8
• Update golang Docker tag to v1.22
• Update kubernetes packages to v0.29.3 (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go)
• Update module github.com/go-logr/logr to v1.4.1
• Update module github.com/onsi/gomega to v1.32.0
• Update module sigs.k8s.io/controller-runtime to v0.17.2
• Update module github.com/onsi/ginkgo to v2
• Update module github.com/redhat-cop/operator-utils to v2
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Working in an openshift environment. Only 1 out of 3 clusters exhibit this problem.

[root@mtaylor-rh81 iperftest]# oc new-project iperftest
Already on project "iperftest" on server "https://api.ocp4dev01.meteorcomm.lan:6443".

You can add applications to this project with the 'new-app' command. For example, try:

oc new-app django-psql-example

to build a new example application in Python. Or use kubectl to deploy a simple Kubernetes application:

kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node

[root@mtaylor-rh81 iperftest]# oc apply -f iperf1-svc.yaml
service/iperf1 created
[root@mtaylor-rh81 iperftest]# oc get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
iperf1 LoadBalancer 172.30.151.208 10.22.4.109,10.22.4.104,10.22.4.109 25000:31415/TCP 2s

[root@mtaylor-rh81 iperftest]# cat iperf1-svc.yaml
apiVersion: v1
kind: Service
metadata:
annotations:
keepalived-operator.redhat-cop.io/keepalivedgroup: keepalived-operator/keepalivedgroup-workers
labels:
app: iperf
name: iperf1
namespace: iperftest
spec:
externalIPs:
- 10.22.4.104
ports:

• port: 25000
  protocol: TCP
  targetPort: 25000
  selector:
  app: iperf1
  sessionAffinity: ClientIP
  type: LoadBalancer

I would like to have that. Maybe it is already available, I didn't test it. But I couldn't find any hint on the README.

Hello,

I can't find keepalived on operatorhub.io, but it is there on dev.operatorhub.io.
Something happened?

The pods behind the service seem to see an internal Kubernetes IP address as client instead of the clients real IP.

Is this behavior wanted or changeable?

Thanks!

I found an issue regarding helmchart keepalived-operator-v1.0.0.tgz. There is a wrong arg inside the Chart-Template :

keepalived-operator/templates/manager.yaml

Does not work:

 containers:
      - command:
        - /manager
        args:
        - --enable-leader-election

Fix to working arg:

containers:
      - command:
        - /manager
        args:
        - --leader-elect

Currently, for every KeepalivedGroup, the name of the interface keepalived should use needs to be provided. However, this name could be unknown, or different per node in a cluster.

In the MetalK8s project we were running keepalived before to provide control-plane address failover, and ran into the same 'issue': from our configuration we knew the network/CIDR that should be used for VRRP traffic and such. keepalived requires the interface name, though, and I wanted to use a static configuration shared across nodes (not in a ConfigMap because we were using a static Pod to run keepalived, not a DaemonSet).

To 'fix' this, I used the following work-around:

• Built a container including keepalived, but an entrypoint which would check for /etc/keepalived/keepalived.conf.sh to exist, in which case this script would be executed (with a path in which it should write the generated config, looking back I could've done this using a simple redirect...), see scality/metalk8s@4979e75#diff-25e0a6c0ca4a5a8d93ae420bbd660b7c for the Dockerfile and scality/metalk8s@4979e75#diff-4eba8219d8fe53819f471ce29ccf4ac5 for the entrypoint.sh.
• Create such script (in the case of keepalived-operator, this could go in the ConfigMap) using ip route get ... | awk ... to find the interface name (on the node): scality/metalk8s@75cdefd#diff-624c2fd69a5217a756abfae035d2a77cR33
• The script uses a network address to figure out the right interface, which is passed in as an environment variable (but could be spliced into the ConfigMap template in keepalived-operator from the KeepalivedGroup configuration): scality/metalk8s@75cdefd#diff-624c2fd69a5217a756abfae035d2a77cR154

Just leaving this here in case you'd be looking for a way to get rid of static interface names being provided and allowing a more flexible by-network/CIDR configuration.

New version is trying to replace v1.3.1 and is failing across all of my openshift clusters.

Install strategy failed: Deployment.apps "keepalived-operator-controller-manager" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"operator":"keepalived-operator"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable

To align the CoP operators, update the provider field in the CSV to the following:

  provider:
    name: Red Hat Community of Practice

We have encountered a problem while trying to set up Keepalived operator in a disconnected environment. The operator receives a subnet of available IP addresses for load balancing from the OpenShift API in order to provide VIP addresses to services of type LoadBalancer. While we are able to set the available subnet CIDR, we can not exclude addresses from the given list at API level as it does not have an appropriate field for exclusion ( gateway for example).

Hi,
Sorry for using github for questions, but wondering whether i can use different vlan for loadbalancer service VIP.Using OpenShift 4 on Vmware ESXi. Implemented & reached LB VIPs when worker nodes' IP and LB VIPs are on the same vlan, but couldn't find a way to move LB VIPs to different vlan. Can it be via a verbatim config? Will you please guide me?
Thanks

All examples given in the doc show a KeepalivedGroup CR being created in the same Namespace as the Service referencing and needing it yet the KeepalivedGroup CR seems to have a central role that is more on cluster and admin level.
What's the actual limitation?

• KeepalivedGroup CR must be in the same Namespace as the Service needing it?
• If KeepalivedGroup must be in the same Namespace, how is router id conflict avoided between multiple KeepalivedGroup?
• One KeepalivedGroup CR can be used from multiple Namespaces?
• If a KeepalivedGroup can be shared from different Namespaces, is a NetworkPolicy needed when running multi-tenant SDN?

We've successfully deployed this operator on Openshift, but now I've installed the keepalive operator on a cluster running OKD 4.7 and there are issues pulling images. The worker nodes show ImagePullBackoff when trying to access this image:

Back-off pulling image "registry.redhat.io/openshift4/ose-keepalived-ipfailover"

Can this be made to work with OKD and is there a registry which OKD users can use to get an equivalent image? The operator was installed from the marketplace, so I presume it's compatible. Manually pulling the image shows the underlying error is this:

# docker pull registry.redhat.io/openshift4/ose-keepalived-ipfailover
Using default tag: latest
Error response from daemon: Head https://registry.redhat.io/v2/openshift4/ose-keepalived-ipfailover/manifests/latest: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/RegistryAuthentication

Any suggestions / advice?

If the cluster keepalived-operator is deployed on shares an environment with other instances of keepalived, it is possible for conflicts to happen. Operators should be able to override router_virtual_id to prevent this from happening

By default router_virtual_id always starts with "1" as VIPs are assigned, and this cannot be configured. If router_virtual_id is set by adding annotation `keepalived-operator.redhat-cop.io/verbatimconfig: '{ "router_virtual_id": "11" }' It does not overwrite the original entry, instead producing the config:

vrrp_instance helloworld/helloworld {
  interface ens192
  virtual_router_id 1
  virtual_ipaddress {
    13.37.13.37
  }

  virtual_router_id 10
}

Which leads to more issues.

Using OCP4.10.47. We've created a service and defined an IP address in spec.ExternalIPs.

Keepalived operator sucessfully brings up the ExternalIP as a VIP, but doesn't write back the service status updating the service.status.loadBalancer.ingress[0].ip.
If dynamic ExternalIP is used, the service.status.loadBalancer.ingress[0].ip does get updated (from what I can tell, not by the keepalived operator).

Is this a missing feature of keepalived operator or is the update of the service.spec when using a static ExternalIP supposed to be done by a different process within openshift? According to redhat support, the updating of the service.status should be done by the external loadbalancer.

When specifying an interface for the keepalived group, are there anything we should take into consideration for bridge interfaces?

My current setup is:

• 3 node bare metal OCP cluster
• 4 integrated 1GBE NICs
  • first NIC is being used as the service network
  • other three NICs are bonded (using network configuration policy)
• The bond has several VLANs
• Each VLAN has its own bridge
  This is primarily so I can deploy VMs using OpenShift virtualization into different networks

For external IPS I have set the interface to bridge0.200, being the bridge that is associated with VLAN 200
The externalIP cluster config is as follows (this subnet matches what is on VLAN 200):

  externalIP:
    autoAssignCIDRs:
      - 172.16.0.0/16

keepalived-operator - keepalived-workers seems to find the external IP address associated with a Redis Enterprise Cluster instance and creates a VIP for it, but I can't seem to hit that IP address. It should be routable, and I can see three MAC addresses associated with that VLAN

vrrp_instance rec/rec-ui {
    interface bridge0.200
    
    virtual_router_id 3  
    
    virtual_ipaddress {
      
      172.16.224.156
      
    }

Any ideas welcome

A service annotation of the form:

keepalived-operator.redhat-cop.io/keepalivedgroup: group1

Panics the controller as it tries to log the error at https://github.com/redhat-cop/keepalived-operator/blob/master/controllers/keepalivedgroup_controller.go#L406

E0310 17:53:27.189342       1 runtime.go:78] Observed a panic: "invalid memory address or nil pointer dereference" (runtime error: invalid memory address or nil pointer dereference)
goroutine 817 [running]:
k8s.io/apimachinery/pkg/util/runtime.logPanic(0x16ed4a0, 0x247e2e0)
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/runtime/runtime.go:74 +0x95
k8s.io/apimachinery/pkg/util/runtime.HandleCrash(0x0, 0x0, 0x0)
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/runtime/runtime.go:48 +0x89
panic(0x16ed4a0, 0x247e2e0)
	/usr/local/go/src/runtime/panic.go:969 +0x1b9
github.com/redhat-cop/keepalived-operator/controllers.(*enqueueRequestForReferredKeepAlivedGroup).Create(0xc00000c880, 0x1add8e0, 0xc00153b5c0, 0x1accce0, 0xc000be8500)
	/workspace/controllers/keepalivedgroup_controller.go:406 +0x177
sigs.k8s.io/controller-runtime/pkg/source/internal.EventHandler.OnAdd(0x1ab83c0, 0xc00000c880, 0x1accce0, 0xc000be8500, 0xc00070c730, 0x1, 0x1, 0x188fee0, 0xc00153b5c0)
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/source/internal/eventsource.go:63 +0x132
k8s.io/client-go/tools/cache.(*processorListener).run.func1()
	/go/pkg/mod/k8s.io/[email protected]/tools/cache/shared_informer.go:777 +0xc2
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1(0xc00072ff60)
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155 +0x5f
k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0xc000734f60, 0x1a7f1e0, 0xc000a3db00, 0x16ba801, 0xc0006586c0)
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156 +0xad
k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc00072ff60, 0x3b9aca00, 0x0, 0x1, 0xc0006586c0)
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133 +0x98
k8s.io/apimachinery/pkg/util/wait.Until(...)
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:90
k8s.io/client-go/tools/cache.(*processorListener).run(0xc000ca6180)
	/go/pkg/mod/k8s.io/[email protected]/tools/cache/shared_informer.go:771 +0x95
k8s.io/apimachinery/pkg/util/wait.(*Group).Start.func1(0xc0006387d0, 0xc000272410)
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:73 +0x51
created by k8s.io/apimachinery/pkg/util/wait.(*Group).Start
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:71 +0x65
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
	panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x15afdb7]

goroutine 817 [running]:
k8s.io/apimachinery/pkg/util/runtime.HandleCrash(0x0, 0x0, 0x0)
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/runtime/runtime.go:55 +0x10c
panic(0x16ed4a0, 0x247e2e0)
	/usr/local/go/src/runtime/panic.go:969 +0x1b9
github.com/redhat-cop/keepalived-operator/controllers.(*enqueueRequestForReferredKeepAlivedGroup).Create(0xc00000c880, 0x1add8e0, 0xc00153b5c0, 0x1accce0, 0xc000be8500)
	/workspace/controllers/keepalivedgroup_controller.go:406 +0x177
sigs.k8s.io/controller-runtime/pkg/source/internal.EventHandler.OnAdd(0x1ab83c0, 0xc00000c880, 0x1accce0, 0xc000be8500, 0xc00070c730, 0x1, 0x1, 0x188fee0, 0xc00153b5c0)
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/source/internal/eventsource.go:63 +0x132
k8s.io/client-go/tools/cache.(*processorListener).run.func1()
	/go/pkg/mod/k8s.io/[email protected]/tools/cache/shared_informer.go:777 +0xc2
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1(0xc00072ff60)
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155 +0x5f
k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0xc0001aff60, 0x1a7f1e0, 0xc000a3db00, 0x16ba801, 0xc0006586c0)
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156 +0xad
k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc00072ff60, 0x3b9aca00, 0x0, 0x1, 0xc0006586c0)
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133 +0x98
k8s.io/apimachinery/pkg/util/wait.Until(...)
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:90
k8s.io/client-go/tools/cache.(*processorListener).run(0xc000ca6180)
	/go/pkg/mod/k8s.io/[email protected]/tools/cache/shared_informer.go:771 +0x95
k8s.io/apimachinery/pkg/util/wait.(*Group).Start.func1(0xc0006387d0, 0xc000272410)
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:73 +0x51
created by k8s.io/apimachinery/pkg/util/wait.(*Group).Start
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:71 +0x65

To better support integrating new features/enhancements, some sort of unit testing should be implemented in this project.

Hi,

I installed keepalived-operator on an on-prem Kubernetes cluster. So far all is installed, but when I add a keepalivedgroup and the pods try to start, they fail, because the default image "registry.redhat.io/openshift4/ose-keepalived-ipfailover" is not free to pull. So do you have another suggestion for such an image that is freely available? And maybe this would be a nice information in the readme as well :-)

Thanks in advance

Christian

Currently, the operator is bundled with 0.2.0

Some users are landing in this repository after reading some recommendations about using this operator for their ExternalIPs and are concerned about the support about it.

It would be very helpful if you can add a disclaimer at the top of the README to say that this repository and the code is considered a 3rd party software and therefore it's not supported by Red Hat and that any issue with it should be reported in this Issues page.

Upgraded openshift to 4.7 and now get issues where kube-proxy is not properly routing messages from the external IP to the internal service.

For example:
curl 10.22.4.97:10010
404: Page Not Found

kube-proxy claims that the IP is already in use:

Warning listen tcp4 10.22.4.97:10010: bind: address already in use 36s (x39 over 84m) kube-proxy can't open "externalIP for deepa-eetest/zrr-backoffice-rbx-0" (10.22.4.97:10010/tcp), skipping this externalIP: listen tcp4 10.22.4.97:10010: bind: address already in use.

Seems that keepalived keeps changing VRID and the numbers keep incrementing. I need to force keepalived to use a specific VRID.

ip address associated with VRID 20 not present in MASTER advert

Can you give me an example of how to do that? I am not able to understand the documented example.

I tried to pull the keepalived image as used by the operator (docker pull registry.redhat.io/openshift4/ose-keepalived-ipfailover). However, it appears one needs Red Hat Registry credentials to do so (which I don't have, AFAIK). Would it be possible to either use a public image, or (even better?) include a/the Dockerfile to build such image?

vSphere IPI is avalable since 4.5 and includes a keepalived component for HA IP for api and ingress.
This is the config:

sh-4.2# cat /etc/keepalived/keepalived.conf 
vrrp_script chk_ocp {
    script "/usr/bin/curl -o /dev/null -kLfs https://localhost:6443/readyz && /usr/bin/curl -o /dev/null -kLfs http://localhost:50936/readyz"
    interval 1
    weight 50
}

# TODO: Improve this check. The port is assumed to be alive.
# Need to assess what is the ramification if the port is not there.
vrrp_script chk_ingress {
    script "/usr/bin/curl -o /dev/null -kLfs http://localhost:1936/healthz"
    interval 1
    weight 50
}

vrrp_instance oc2-yw674_API {
    state BACKUP
    interface ens192
    virtual_router_id 1
    priority 40
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass oc2-yw674_api_vip
    }
    virtual_ipaddress {
        192.168.100.10/24
    }
    track_script {
        chk_ocp
    }
}

vrrp_instance oc2-yw674_INGRESS {
    state BACKUP
    interface ens192
    virtual_router_id 223
    priority 40
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass oc2-yw674_ingress_vip
    }
    virtual_ipaddress {
        192.168.100.11/24
    }
    track_script {
        chk_ingress
    }
}

It is now even more important to allow configuration of router id to avoid collision.
See also #26

If one would like to configure Keepalived authentication in a configuration file using block in vrrp_instance section:

   authentication {
       auth_type PASS
       auth_pass passw123
   }

it doesn't work because verbatim configs are not really designed for multi-line configurations.
Maybe this is worth making authentication a first-class parameter of the CR, maybe referencing a secret.

some config on the OCP network operator is needed for this operator to work properly. Currently this config is not well explained in the docs.

I have a daemon that keeps trying to setup a VIP on a node when that VIP already exists on another node.

Fri Sep 17 16:07:21 2021: (deepa-zrr/backoffice-ip-elm) Receive advertisement timeout
Fri Sep 17 16:07:21 2021: (deepa-zrr/backoffice-ip-elm) Entering MASTER STATE
Fri Sep 17 16:07:21 2021: (deepa-zrr/backoffice-ip-elm) setting VIPs.
Fri Sep 17 16:07:21 2021: (deepa-zrr/backoffice-ip-elm) Sending/queueing gratuitous ARPs on ens192 for 10.22.4.117

This results in kube-proxy failures such as this:
can't open "externalIP for deepa-zrr/backoffice-ip-elm" (10.22.4.117:8010/tcp), skipping this externalIP: listen tcp4 10.22.4.117:8010: bind: cannot assign requested address

I am having this issue across the entire cluster where daemons keep trying to take over a VIP when it is functional and active.

Currently the KeepalivedGroup CRD is a namespaced resource, but it makes more sense for it to be a cluster-level resource.

Hi,

I tried setting up the keepalived operator together with the default IngressController. Unfortunately I noticed that since the IPs are set as an externalIp on a service source IP received by the default IngressController (HAProxy in OKD 4.7) will only receive the loadbalancer IP instead of a potential external source, which breaks the ip whitelist annotation.

For now I had to completely drop the keepalived Operator and I use a NodePort configuration to bypass the issue.

Is there something I missed with my configuration? Otherwise I think we could add a disclaimer in the how-to-ingress.md to state this point.

Hi all,

There seams to be an issue in the latest keepalived release (keepalived-operator.v1.2.2). The container "config-reloader" crashloops with the following error:

/usr/local/bin/notify.sh: line 20: create_config_only: unbound variable

and yes, the var "create_config_only" is not set in the deamonset. Do i miss something?

Thanks,
Michael

PR #53 already addresses this concern, but only partially. Its impact is, unfortunately, quite limited. It's quite rare that a service would have multiple VIPs such that they would be balanced.
The current shortcoming is that if one deploys keepalived-operator on OKD/Openshift 4.x, most VIPs would be colocated on a single node. This is especially problematic for services that require quorum, like kafka or mongodb with multiple instances. It's also affecting traffic scalability, as all traffic is mostly handled by a single node.
Ideally, by default, keepalived-operator would try to randomize the VIP distribution across the members. Further, it would be great if based on an annotation, some VIPs are kept on different members (for example, create an "anti-affinity" for kafka broker services, such that they are not placed on the same node).

Is it possible to configure an K8s operator with CIDR block to be uses as Load Balancer IPs. In many cases specifying ExternalIPs on Service is not possible (3rd party Helm Chart you do not have control of, or even services that gets created dynamically by other operators). Would be very helpful to have a MetalLB style of configuration, something like:
data: config: | address-pools: - name: default addresses: - 192.168.1.240-192.168.1.250

In our disconnected environment we have a need to separate one Class C segment per KeepalivedGroup. Although we can create an interface per node per segment and specify the appropriate network interface within KeepalivedGroup, all groups take IP addresses from a single pool ('autoAssignedCIDRs' field within the network.config.openshift.io object). Therefore there is no guarantee one KeepalivedGroup won't use an address from a segment designated to another KeepalivedGroup's interface.

We need to run keepalived on nodes with taints.

This means we either need the operator to create keepalived daemon set with absolute tolerations:

tolerations:
 - operator: Exists

or to be able to specify tolerations in the CRD.

Could you implement this?

When the Service is updated and annotation changed (or removed), the Keepalived group is not updated automatically, one has to restart the controller.

The main image has been made configurable, but the config-reloader and prometheus-exporter containers are hardcoded with quay.io/redhat-cop/keepalived-operator:latest.
In the case of helm deployments, these could be configured with the same image (registry/repo/tag) as the operator itself was run with.
This would immediately make everything work in an airgapped (to the internet) environment.

Hi Guys,

I am encountering the following problem. I have installed in the namespace openshift-operators the operator namespace-configuration-operator, now I try to install the keepalived operator however it starts arguing because the ServiceAccount default is already managed by another operator. The status of keepalived operator is as follows:

requirementStatus:
    - group: apiextensions.k8s.io
      child: CustomResourceDefinition
      message: CRD is present and Established condition is true
      name: keepalivedgroups.redhatcop.redhat.io
      status: Present
      uuid: 1bbc50ee-1419-4f15-8022-6cc4004c4c59
      version: v1
    - group: ''
      child: ServiceAccount
      message: Service account is not owned by this ClusterServiceVersion
      name: default
      status: PresentNotSatisfied
      version: v1

And here is the yaml of the ServiceAccount:

kind: ServiceAccount
apiVersion: v1
metadata:
  name: default
  namespace: openshift-operators
  selfLink: /api/v1/namespaces/openshift-operators/serviceaccounts/default
  uid: 4dafa9ae-6eae-4e93-a36b-0b1f4ce160b5
  resourceVersion: '8624328671'
  creationTimestamp: '2021-02-15T14:50:53Z'
  tags:
    operators.coreos.com/namespace-configuration-operator.openshift-operators: ''
  ownerReferences:
    - apiVersion: operators.coreos.com/v1alpha1
      child: ClusterServiceVersion
      name: namespace-configuration-operator.v1.0.1
      uid: bd32838a-0647-4bf5-9190-1e6199025be8
      controller: false
      blockOwnerDeletion: false
secrets:
  - name: default-token-bfxqm
  - name: default-dockercfg-n2zvz
imagePullSecrets:
  - name: default-dockercfg-n2zvz

The operators now continue to fight whether the ownership

Observed behavior

All Keepalived containers created by the operator are in InitCrashLoopBackoff with the following error message in the log of the config-setup init container:

bash: /usr/local/bin/notify.sh: No such file or directory

As a result, all managed IPs (and hence all applications on the cluster) are unreachable.

Cause

The latest version of quay.io/redhat-cop/keepalived-operator:latest is missing the notify scripts used in the init container as well as the config-reloader container of the generated keepalived Daemonsets.

This is a problem because

• The operator hardcodes the image of those containers to quay.io/redhat-cop/keepalived-operator:latest
• The operator hardcodes the imagePullPolicy to Always
• the containers can't come up without said scripts.

Workaround

1. Scale the keepalived-operator-controller-manager deployment to zero
2. Manually patch all generated keepalived DaemonSets to use quay.io/redhat-cop/keepalived-operator:v1.4.2 instead

This is very brittle as the deployment may be scaled up again at any time by the OLM or whatever.

currently each KeepalivedGroup supports up to 255 services.
This limit is due to the way keepalived works and how the operator was designed: each services maps to a keepalived vrrp instance. With a different design where each vrrp instance can carry more than one VIP, it's possible to go beyond that limit.
Here is a possible design:

1. a function maps services/VIPs to vrrp instance in a way that can be calculated at any point in time, so no state has to be held anywhere. For example sha256(namespace/service/VIP) mod 255. The pseudo randomness of the hash function ensures that VIPs are rather evenly distributed across vrrp groups.
2. during the reconcile cycle VIPs are assigned via the above function and the keepalived map is computed.

This will allow supporting an unlimited number of VIPs/services. The only downside is that VIPs from different services share the same fail-over dynamic. This is not usually an issue.

each image that is used should always be pinned to the correct version.

Version: 1.2.2

After configuring a second KeepalivedGroup both of the instances keep flapping. Both KeepalivedGroups are constrained to different nodes, but they are still in the same physical network.

The goal is to have different sets of ip adresses assigned to different groups of nodes.

logoutput from one pod:

Thu Apr 29 12:59:52 2021: (namespace/website-test) Receive advertisement timeout
Thu Apr 29 12:59:52 2021: (namespace/website-test) Entering MASTER STATE
Thu Apr 29 12:59:52 2021: (namespace/website-test) setting VIPs.
Thu Apr 29 12:59:52 2021: Sending gratuitous ARP on eth0 for 10.1.1.11
Thu Apr 29 12:59:52 2021: (namespace/website-test) Sending/queueing gratuitous ARPs on eth0 for 10.1.1.11
Thu Apr 29 12:59:52 2021: Sending gratuitous ARP on eth0 for 10.1.1.11
Thu Apr 29 12:59:52 2021: Sending gratuitous ARP on eth0 for 10.1.1.11
Thu Apr 29 12:59:52 2021: Sending gratuitous ARP on eth0 for 10.1.1.11
Thu Apr 29 12:59:52 2021: Sending gratuitous ARP on eth0 for 10.1.1.11
Thu Apr 29 12:59:52 2021: (namespace/website-test) Master received advert from 10.1.2.92 with same priority 100 but higher IP address than ours
Thu Apr 29 12:59:52 2021: (namespace/website-test) Entering BACKUP STATE
Thu Apr 29 12:59:52 2021: (namespace/website-test) removing VIPs.
Thu Apr 29 12:59:53 2021: (namespace/website-test) ip address associated with VRID 1 not present in MASTER advert : 10.1.1.11
Thu Apr 29 12:59:54 2021: (namespace/website-test) ip address associated with VRID 1 not present in MASTER advert : 10.1.1.11
Thu Apr 29 12:59:55 2021: (namespace/website-test) ip address associated with VRID 1 not present in MASTER advert : 10.1.1.11
Thu Apr 29 12:59:56 2021: (namespace/website-test) Receive advertisement timeout
Thu Apr 29 12:59:56 2021: (namespace/website-test) Entering MASTER STATE
Thu Apr 29 12:59:56 2021: (namespace/website-test) setting VIPs.
Thu Apr 29 12:59:56 2021: Sending gratuitous ARP on eth0 for 10.1.1.11
Thu Apr 29 12:59:56 2021: (namespace/website-test) Sending/queueing gratuitous ARPs on eth0 for 10.1.1.11
Thu Apr 29 12:59:56 2021: Sending gratuitous ARP on eth0 for 10.1.1.11
Thu Apr 29 12:59:56 2021: Sending gratuitous ARP on eth0 for 10.1.1.11
Thu Apr 29 12:59:56 2021: Sending gratuitous ARP on eth0 for 10.1.1.11
Thu Apr 29 12:59:56 2021: Sending gratuitous ARP on eth0 for 10.1.1.11
Thu Apr 29 12:59:56 2021: (namespace/website-test) Master received advert from 10.1.2.92 with same priority 100 but higher IP address than ours
Thu Apr 29 12:59:56 2021: (namespace/website-test) Entering BACKUP STATE
Thu Apr 29 12:59:56 2021: (namespace/website-test) removing VIPs.
Thu Apr 29 12:59:57 2021: (namespace/website-test) ip address associated with VRID 1 not present in MASTER advert : 10.1.1.11
Thu Apr 29 12:59:58 2021: (namespace/website-test) ip address associated with VRID 1 not present in MASTER advert : 10.1.1.11

I'm not seeing the latest changes from the following merge in the newly released keepalived-operator container v1.5.1.

docker run -it --rm --entrypoint cat quay.io/redhat-cop/keepalived-operator:v1.5.1 /templates/keepalived-template.yaml | grep -i daemonset
  kind: DaemonSet

Running this command does not show the new daemonsetPodsAnnotations field that were included in v1.5.1 release.

Hi,
we have now run into the issue, that a client ip, which accesses the keepalived ip, is in the same CIDR IP range, like the internal OpenShift CIDR and can't access the services exposed by Keepalived. Requests from other Client IP ranges, whch are not in the CIDR of the OpenShift cluster work without any problem.
Our assumption is, that the packets are dropped by the OpenShift firewall, since the rules think, the packets come from the internal CIDR as SRC.

Current situation:
Client IP (10.131.3.x)->Keepalived IP(10.25.178.x) -> OpenShift internal CIDR (10.128.0.0/14)

IPTables:
Chain OPENSHIFT-FIREWALL-FORWARD (1 references)
target prot opt source destination
DROP all -- 10.128.0.0/14 anywhere /* attempted resend after connection close / ctstate INVALID
ACCEPT all -- anywhere 10.128.0.0/14 / forward traffic from SDN

Question:
Is the keepalived operator working in NAT mode for its ip, so the 10.25.178.x should be the src ip of the packets in the cluster or is it really the problem, that the src ip 10.131.3.x is beeing routed directly ?

Since i din't find any infos about the mode (NAT/DR) in this documentation and only found an annotation in another documentation
https://github.com/munnerz/keepalived-cloud-provider

The kube-keepalived-vip service supports both the NAT and DR methods of IPVS forwarding for the service traffic. The default forwarding method is NAT. Depending on your network topology, you may need to change that to DR (direct routing). To change this globally, you can set the environment variable KEEPALIVED_DEFAULT_FORWARD_METHOD to NAT or DR. To change it on a per service basis, then specify the method via the k8s.co/keepalived-forward-method annotation on the service as shown below:

Can you please give me the info, how the routing works and if it can be changed by a annotation ?

Thanks
Miro

If I understand correctly, currently the LoadBalancer and externalIPs of a Service will be handled in a vrrp_instance that can be running on any Node that's part of the KeepalivedGroup matcher.

However, I believe this poses an issue when this Service is configured to use the Local externalTrafficPolicy, in which case traffic sent to the service on Nodes which have 0 backing Pods running will be dropped (i.e., clients need to time-out), at least for the LoadBalancer IPs (not sure about the externalIPs traffic...).

This seems like an issue.

Luckily, there's the service.spec.healthCheckNodePort for such Services which can be HTTP-queried on /healthz (it's a NodePort). This will return HTTP 200 if there's a backing Pod available on the node (i.e., traffic sent there will be handled, not dropped), and HTTP 503 otherwise (i.e., traffic sent would be dropped).

More background at https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-type-loadbalancer.

As such, for externalTrafficPolicy Local Services, it could make sense to use a Keepalived vrrp_script which queries this healthCheckNodePort on localhost and exits successfully only when this query yields a HTTP 200 result (taking script timeouts etc. into account). If no local Pods are present, the VIP should be migrated to another node which is willing to host the VIP (i.e., has local Endpoints for the Service).