Metrics: Add server for Egress IP/firewall

[martinkennelly]

Add an insecure HTTP metrics server that serves
metrics on loopback port 29100.

Add metrics to count egress firewalls,
egress firewall rules and egress IPs count.

In order to validate the metrics:

Metric num_egress_ips:

1. Configure EgressIP: https://docs.openshift.com/container-platform/4.9/networking/openshift_sdn/assigning-egress-ips.html
2. Exec into SDN pod that is the current LE leader. You can see whos the leader in a config map in the SDN namespace.
3. curl localhost:29100/metrics | grep num_egress_ips
4. You should see an integer from step 3 which represents the total number of egress IPs. This should be the same as the amount you created in step 1.

Metric num_egress_firewall_rules:

1. Configure EgressFirewall: https://docs.openshift.com/container-platform/4.9/networking/openshift_sdn/configuring-egress-firewall.html
2. Exec into SDN pod that is the current LE leader. You can see whos the leader in a config map in the SDN namespace.
3. curl localhost:29100/metrics | grep num_egress_firewall_rules
4. You should see an integer from step 3 which represents the total number of EgressFirewall egress rules. This should be the same as the amount you created in step 1.

Metric num_egress_firewalls:

1. 1. Configure X number EgressFirewall: https://docs.openshift.com/container-platform/4.9/networking/openshift_sdn/configuring-egress-firewall.html
2. Exec into SDN pod that is the current LE leader. You can see whos the leader in a config map in the SDN namespace.
3. curl localhost:29100/metrics | grep num_egress_firewalls
4. You should see an integer from step 3 which represents the total number of EgressFirewalls. This should be the same as the amount you created in step 1.

Signed-off-by: Martin Kennelly mkennell@redhat.com

[martinkennelly]

Forced pushed to group cache + mutex together in the same struct.

[martinkennelly]

I was weighing up whether to bind to loopback or not. I went with loopback because it's an insecure HTTP server and I want to protect this server against exposure by mistake. This server will be exposed via RBAC proxy.

[danwinship]

Yes, loopback+rbac proxy is correct.
When this merges you also need to update dev-guide/host-port-registry.md in openshift/enhancements to reflect the fact that this port is now used by openshift-sdn-controller.

[martinkennelly]

/assign @danwinship
Feel free to reassign/unassign. I notice you are the most active on here..
No rush on review.

[danwinship]

Yes, loopback+rbac proxy is correct.
When this merges you also need to update dev-guide/host-port-registry.md in openshift/enhancements to reflect the fact that this port is now used by openshift-sdn-controller.

[martinkennelly]

@danwinship The first iteration was poor. It wasn't a good idea to have a metric for egress firewall per namespace. I got rid of that and just keep a total count for egress firewall rules.

If this merges, I will update the port number reservation in dev-guide/host-port-registry.md in repo openshift/enhancements.
Thank you for the informer education.

[martinkennelly]

Forced pushed to change default port from 29102 -> 29100 so as not to possibly conflict with ovn-k port.

[martinkennelly]

/retest

[martinkennelly]

/retest

[martinkennelly]

/retest
CI flaking. Submitted BZ for flake: https://bugzilla.redhat.com/show_bug.cgi?id=2019001

[danwinship]

/approve
general idea is good, needs a few tweaks, but then anyone can /lgtm it after that

[martinkennelly]

@danwinship I made the changes you requested - ENP metric, renamed file, and unit tests.
During my testing, I decided to change the definition of num_egress_ips to count egress IPs assigned to nodes [1]. This is better than counting all because it lets us know how many egress IPs are currently active on a cluster. I updated the HELP field to inform consumers of this distinction.

I also noticed an error I made in the original code you reviewed. I made the mistake of checking if interface{} was nil for func parameter old in handleAddUpdate. I now check the event type to find out if its an add or update operation [2].

[1] https://github.com/openshift/sdn/pull/358/files#diff-cb8e1be9489f2925e33943b9051dded85e22f36cb5b9905ebeb807f820cb9627R700

[2] https://github.com/openshift/sdn/pull/358/files#diff-2153a20dc3cd4885ce75eac5c9e4a51f6343d6be8b0d154be9973c1e66bad0a0R30

[martinkennelly]

/retest
CI flakes. Added BZ for one of them.

[alexanderConstantinescu]

This is really an lgtm, I just had a small nit that I wanted to give you time to decide what to do about (and if I put a real lgtm, the bot will merge the PR). Let me know

[alexanderConstantinescu]

Very small nit (you can discard it and slightest hesitation): call it num_assigned_egress_ips as to not confuse it with the number of egress IP objects

[martinkennelly]

Id love to change it to what you suggested but I want to keep this name consistent with OVN-K and that PR is merged. Its not worth it for me to rename it now.

[alexanderConstantinescu]

Understood then :)

[alexanderConstantinescu]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexanderConstantinescu, danwinship, martinkennelly

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [danwinship]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment