From c9d43f1c2a3716e705f2ca17c468cdec889e56dc Mon Sep 17 00:00:00 2001
From: Periyasamy Palanisamy
Date: Wed, 21 May 2025 18:46:54 +0200
Subject: [PATCH] Provide config map to force loose isolation for UDN networks

This commit provides support for configuring loose isolation mode for the BGP advertised UDN networks. The config map with name openshift-network-operator/udn-config-overrides must be created with "force-loose-isolation" key set to "true" which rolls out the loose mode by recreating ovnkube-node daemonset pods.

Signed-off-by: Periyasamy Palanisamy
---
 .../ovn-kubernetes/managed/ovnkube-node.yaml | 4 ++++
 .../self-hosted/ovnkube-node.yaml | 4 ++++
 pkg/bootstrap/types.go | 5 +++++
 pkg/network/ovn_kubernetes.go | 1 +
 pkg/platform/platform.go | 22 +++++++++++++++++++
 5 files changed, 36 insertions(+)

diff --git a/bindata/network/ovn-kubernetes/managed/ovnkube-node.yaml b/bindata/network/ovn-kubernetes/managed/ovnkube-node.yaml
index b40a2bf114..5e66ff4183 100644
--- a/bindata/network/ovn-kubernetes/managed/ovnkube-node.yaml
+++ b/bindata/network/ovn-kubernetes/managed/ovnkube-node.yaml
@@ -430,6 +430,10 @@ spec:
         - name: "NO_PROXY"
           value: "{{ .NO_PROXY}}"
         {{ end }}
+        {{ if .IsLooseUDNIsolationEnabled }}
+        - name: UDN_ISOLATION_MODE
+          value: "loose"
+        {{ end }}
         - name: K8S_NODE
           valueFrom:
             fieldRef:
diff --git a/bindata/network/ovn-kubernetes/self-hosted/ovnkube-node.yaml b/bindata/network/ovn-kubernetes/self-hosted/ovnkube-node.yaml
index aae45f8d5a..9e465452c4 100644
--- a/bindata/network/ovn-kubernetes/self-hosted/ovnkube-node.yaml
+++ b/bindata/network/ovn-kubernetes/self-hosted/ovnkube-node.yaml
@@ -562,6 +562,10 @@ spec:
         - name: OVNKUBE_NODE_MGMT_PORT_DP_RESOURCE_NAME
           value: {{ .MgmtPortResourceName }}
         {{ end }}
+        {{ if .IsLooseUDNIsolationEnabled }}
+        - name: UDN_ISOLATION_MODE
+          value: "loose"
+        {{ end }}
         - name: K8S_NODE
           valueFrom:
             fieldRef:
diff --git a/pkg/bootstrap/types.go b/pkg/bootstrap/types.go
index 7b6c6cc72f..0c506047bd 100644
--- a/pkg/bootstrap/types.go
+++ b/pkg/bootstrap/types.go
@@ -126,6 +126,11 @@ type InfraStatus struct {
 
 	// ConsolePluginCRDExists set to true when the consoleplugins.console.openshift.io has been deployed.
 	ConsolePluginCRDExists bool
+
+	// LooseUDNIsolationModeEnabled set to true when loose isolation mode is enabled between two BGP advertised
+	// UDN networks. In loose isolation mode, those network pods can communicate with each other accoding to
+	// provider network configuration.
+	LooseUDNIsolationModeEnabled bool
 }
 
 // APIServer is the hostname & port of a given APIServer. (This is the
diff --git a/pkg/network/ovn_kubernetes.go b/pkg/network/ovn_kubernetes.go
index f1da1d850f..261f5347c6 100644
--- a/pkg/network/ovn_kubernetes.go
+++ b/pkg/network/ovn_kubernetes.go
@@ -180,6 +180,7 @@ func renderOVNKubernetes(conf *operv1.NetworkSpec, bootstrapResult *bootstrap.Bo
 	data.Data["NETWORK_NODE_IDENTITY_ENABLE"] = bootstrapResult.Infra.NetworkNodeIdentityEnabled
 	data.Data["NodeIdentityCertDuration"] = OVN_NODE_IDENTITY_CERT_DURATION
 	data.Data["IsNetworkTypeLiveMigration"] = false
+	data.Data["IsLooseUDNIsolationEnabled"] = bootstrapResult.Infra.LooseUDNIsolationModeEnabled
 
 	if conf.Migration != nil {
 		if conf.Migration.MTU != nil && conf.Migration.Mode != operv1.LiveNetworkMigrationMode {
diff --git a/pkg/platform/platform.go b/pkg/platform/platform.go
index b49a97dcb3..3ee824562a 100644
--- a/pkg/platform/platform.go
+++ b/pkg/platform/platform.go
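Review bot: The doc comment on the new `LooseUDNIsolationModeEnabled` field has a typo (`accoding`) and does not say where the value comes from or that it relaxes a security boundary, which is what a maintainer reading InfraStatus most needs to know. Since the only writer visible in this patch is the `force-loose-isolation` key of the openshift-network-operator/udn-config-overrides ConfigMap, I would name that source and the default. Suggested comment: `// LooseUDNIsolationModeEnabled is true when the openshift-network-operator/udn-config-overrides ConfigMap sets force-loose-isolation="true".` / `// In loose mode, pods in different BGP advertised UDN networks may reach each other according to the provider network configuration;` / `// the default (false) keeps UDN isolation strict.` The InfraStatus struct itself begins outside this hunk.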
@@ -62,6 +62,22 @@ func isNetworkNodeIdentityEnabled(client cnoclient.Client, infra *bootstrap.Infr
 	return true, nil
 }
 
+// isLooseUDNIsolationEnabled determines if loose udn isolation mode should be enabled.
+// It checks the `force-loose-isolation` key in the openshift-network-operator/udn-config-overrides configmap.
+// If the configmap doesn't exist, it returns false (the UDN isolation is protected by default).
+func isLooseUDNIsolationEnabled(client cnoclient.Client) (bool, error) {
+	configMap := &corev1.ConfigMap{}
+	if err := client.ClientFor("").CRClient().Get(context.TODO(),
+		types.NamespacedName{Name: "udn-config-overrides", Namespace: names.APPLIED_NAMESPACE}, configMap); err != nil {
+		if apierrors.IsNotFound(err) {
+			return false, nil
+		}
+		return false, fmt.Errorf("unable to bootstrap OVN, unable to retrieve udn-config-overrides config: %s", err)
+	}
+	isLooseIsolationEnabled := configMap.Data["force-loose-isolation"]
+	return isLooseIsolationEnabled == "true", nil
+}
+
 func InfraStatus(client cnoclient.Client) (*bootstrap.InfraStatus, error) {
 	infraConfig := &configv1.Infrastructure{}
 	if err := client.Default().CRClient().Get(context.TODO(), types.NamespacedName{Name: "cluster"}, infraConfig); err != nil {
@@ -148,6 +164,12 @@ func InfraStatus(client cnoclient.Client) (*bootstrap.InfraStatus, error) {
 	}
 	res.NetworkNodeIdentityEnabled = netIDEnabled
 
+	isLooseUDNIsolationEnabled, err := isLooseUDNIsolationEnabled(client)
+	if err != nil {
+		return nil, fmt.Errorf("failed to determine if loose udn isolation should be enabled: %w", err)
+	}
+	res.LooseUDNIsolationModeEnabled = isLooseUDNIsolationEnabled
+
 	res.ConsolePluginCRDExists, err = consolePluginCRDExists(client)
 	if err != nil {
 		return nil, err
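Review bot: `isLooseUDNIsolationEnabled` silently weakens a cluster-wide network boundary on the strength of a single ConfigMap key, and nothing in the function records that this happened; anyone with write access to ConfigMaps in `names.APPLIED_NAMESPACE` (presumably the operator namespace, per the doc comment) can switch every BGP advertised UDN network to loose isolation with no trace in the operator's own output. I would log at warning level whenever the override is active so the decision is auditable from operator logs, and keep the strict `== "true"` comparison so that any other value fails closed, as it does today. Separately, the error on the non-NotFound path is built with `%s`, which drops the API error from the chain, while the caller in InfraStatus wraps with `%w`; use `%w` here too so `apierrors` and `errors.Is` checks further up still work. The log call below assumes a `klog` import is already available in platform.go; if not, use whatever logger this file already has.
```go
// … unchanged: ConfigMap Get and IsNotFound handling …
		return false, fmt.Errorf("unable to bootstrap OVN, unable to retrieve udn-config-overrides config: %w", err)
	}
	// Fail closed: anything other than the literal "true" keeps the default strict isolation.
	isLooseIsolationEnabled := configMap.Data["force-loose-isolation"] == "true"
	if isLooseIsolationEnabled {
		klog.Warningf("udn-config-overrides/force-loose-isolation is set: BGP advertised UDN networks will run in loose isolation mode")
	}
	return isLooseIsolationEnabled, nil
}
```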
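Review bot: In the second hunk the new local `isLooseUDNIsolationEnabled, err := isLooseUDNIsolationEnabled(client)` shadows the helper of the same name for the rest of InfraStatus; it compiles because the short declaration's scope starts after the call, but it reads as a bug and will trip up the next edit in this function. The line immediately below it already shows the house style, so I would assign straight into the result instead: `res.LooseUDNIsolationModeEnabled, err = isLooseUDNIsolationEnabled(client)` followed by the existing `if err != nil { return nil, fmt.Errorf(...) }`, and drop the separate `res.LooseUDNIsolationModeEnabled = isLooseUDNIsolationEnabled` line. InfraStatus begins outside this hunk, so I am assuming `err` is already declared there, as the `:=` only compiles if at least one name on the left is new.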