openshift-docs/modules/nw-egress-service-ovn.adoc

// Module included in the following assemblies:
//
// * networking/ovn_kubernetes_network_provider/configuring-egress-traffic-for-vrf-loadbalancer-services.adoc

:_mod-docs-content-type: PROCEDURE
[id="nw-egress-service-ovn_{context}"]
= Deploying an egress service

You can deploy an egress service to manage egress traffic for pods behind a `LoadBalancer` service.

The following example configures the egress traffic to have the same source IP address as the ingress IP address of the `LoadBalancer` service.

.Prerequisites

* Install the OpenShift CLI (`oc`).
* Log in as a user with `cluster-admin` privileges.
* You configured MetalLB `BGPPeer` resources.

.Procedure

. Create an `IPAddressPool` CR with the desired IP for the service:

.. Create a file, such as `ip-addr-pool.yaml`, with content like the following example:
+
[source,yaml]
----
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: example-pool
  namespace: metallb-system
spec:
  addresses:
  - 172.19.0.100/32
----

.. Apply the configuration for the IP address pool by running the following command:
+
[source,terminal]
----
$ oc apply -f ip-addr-pool.yaml
----

. Create `Service` and `EgressService` CRs:

.. Create a file, such as `service-egress-service.yaml`, with content like the following example:
+
[source,yaml,subs="+quotes,+macros"]
----
apiVersion: v1
kind: Service
metadata:
  name: example-service
  namespace: example-namespace
  annotations:
    metallb.io/address-pool: example-pool <1>
spec:
  selector:
    app: example
  ports:
    - name: http
      protocol: TCP
      port: 8080
      targetPort: 8080
  type: LoadBalancer
---
apiVersion: k8s.ovn.org/v1
kind: EgressService
metadata:
  name: example-service
  namespace: example-namespace
spec:
  sourceIPBy: "LoadBalancerIP" <2>
  nodeSelector: <3>
    matchLabels:
      node-role.kubernetes.io/worker: ""
----
<1> The `LoadBalancer` service uses the IP address assigned by MetalLB from the `example-pool` IP address pool.
<2> This example uses the `LoadBalancerIP` value to assign the ingress IP address of the `LoadBalancer` service as the source IP address of egress traffic.
<3> When you specify the `LoadBalancerIP` value, a single node handles the `LoadBalancer` service's traffic. In this example, only nodes with the `worker` label can be selected to handle the traffic. When a node is selected, OVN-Kubernetes labels the node in the following format `egress-service.k8s.ovn.org/<svc-namespace>-<svc-name>: ""`.
+
[NOTE]
====
If you use the `sourceIPBy: "LoadBalancerIP"` setting, you must specify the load-balancer node in the `BGPAdvertisement` custom resource (CR).
====

.. Apply the configuration for the service and egress service by running the following command:
+
[source,terminal]
----
$ oc apply -f service-egress-service.yaml
----

. Create a `BGPAdvertisement` CR to advertise the service:

.. Create a file, such as `service-bgp-advertisement.yaml`, with content like the following example:
+
[source,yaml]
----
apiVersion: metallb.io/v1beta1
kind: BGPAdvertisement
metadata:
  name: example-bgp-adv
  namespace: metallb-system
spec:
  ipAddressPools:
  - example-pool
  nodeSelectors:
  - matchLabels:
      egress-service.k8s.ovn.org/example-namespace-example-service: "" <1>
----
<1> In this example, the `EgressService` CR configures the source IP address for egress traffic to use the load-balancer service IP address. Therefore, you must specify the load-balancer node for return traffic to use the same return path for the traffic originating from the pod.

.Verification

 . Verify that you can access the application endpoint of the pods running behind the MetalLB service by running the following command:
+
[source,terminal]
----
$ curl <external_ip_address>:<port_number> <1>
----
<1> Update the external IP address and port number to suit your application endpoint.

. If you assigned the `LoadBalancer` service's ingress IP address as the source IP address for egress traffic, verify this configuration by using tools such as `tcpdump` to analyze packets received at the external client.