diff --git a/bindata/network/frr-k8s/001-crd.yaml b/bindata/network/frr-k8s/001-crd.yaml
index 264d43a5d6..676d22e4ae 100644
--- a/bindata/network/frr-k8s/001-crd.yaml
+++ b/bindata/network/frr-k8s/001-crd.yaml
@@ -184,9 +184,15 @@ spec: 0 disableMP: default: false - description: To set if we want to disable MP BGP that - will separate IPv4 and IPv6 route exchanges into - distinct BGP sessions. + description: |- + To set if we want to disable MP BGP that will separate IPv4 and IPv6 route exchanges into distinct BGP sessions. + Deprecated: DisableMP is deprecated in favor of dualStackAddressFamily. + type: boolean + dualStackAddressFamily: + default: false + description: |- + To set if we want to enable the neighbor not only for the ipfamily related to its session, + but also the other one. This allows to advertise/receive IPv4 prefixes over IPv6 sessions and vice versa. type: boolean dynamicASN: description: |-
@@ -222,6 +228,8 @@ spec: represents an interface name on the host and if user provides an invalid value, only the actual BGP session will not be established. Address and Interface are mutually exclusive and one of them must be specified. + Note: when enabling unnumbered, the neighbor will be enabled for both + IPv4 and IPv6 address families. type: string keepaliveTime: description: |-
diff --git a/bindata/network/frr-k8s/config.yaml b/bindata/network/frr-k8s/config.yaml
index 5f39c32ef3..1b559f70de 100644
--- a/bindata/network/frr-k8s/config.yaml
+++ b/bindata/network/frr-k8s/config.yaml
@@ -46,7 +46,7 @@ data: # vtysh_enable=yes zebra_options=" -A 127.0.0.1 -s 90000000 --limit-fds 100000" - bgpd_options=" -A 127.0.0.1 --limit-fds 100000" + bgpd_options=" -A 127.0.0.1 -p 0 --limit-fds 100000" ospfd_options=" -A 127.0.0.1" ospf6d_options=" -A ::1" ripd_options=" -A 127.0.0.1"
diff --git a/bindata/network/frr-k8s/webhook.yaml b/bindata/network/frr-k8s/webhook.yaml
index cb0414ff15..e1b08c722c 100644
--- a/bindata/network/frr-k8s/webhook.yaml
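Review bot: The new `dualStackAddressFamily` description does not say how the field interacts with the still-accepted `disableMP`, so a user who sets both to true gets undocumented behaviour — both default to false and no `x-kubernetes-validations` rule rejects the combination. This CRD looks generated from the upstream API types, so the wording belongs on the Go field: add a sentence along the lines of `When both are set, dualStackAddressFamily takes precedence and disableMP is ignored.` (or whichever precedence is actually implemented), and a kubebuilder XValidation marker if the two are meant to be mutually exclusive. The `disableMP` property starts inside the hunk but the surrounding `properties` mapping continues outside it.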
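Review bot: The `-p 0` added to `bgpd_options` changes bgpd's listener behaviour — with port 0 bgpd opens no BGP listening socket, so only sessions initiated by this daemon can come up and inbound connection attempts from peers are not accepted — yet nothing in the daemons file records that this is intentional. That is a sensible exposure reduction for a speaker that only initiates peering, and it should be protected from being "fixed" back by a later reader; add a comment above the line, e.g. `# -p 0: do not open the BGP listening port; peers cannot initiate sessions towards this node`. Please confirm no frr-k8s neighbor configuration relies on passive (inbound) peering, since those sessions would silently stop establishing.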
+++ b/bindata/network/frr-k8s/webhook.yaml
@@ -9,7 +9,7 @@ metadata: spec: ports: - port: 443 - targetPort: 9443 + targetPort: webhook selector: component: frr-k8s-webhook-server ---
@@ -61,7 +61,7 @@ spec: component: frr-k8s-webhook-server annotations: target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' - openshift.io/required-scc: restricted-v2 + openshift.io/required-scc: privileged spec: containers: - command:
@@ -71,7 +71,8 @@ spec: - --webhook-mode=onlywebhook - --disable-cert-rotation=true - --namespace=$(NAMESPACE) - - --metrics-bind-address=:7572 + - --metrics-bind-address=0 + - --webhook-port=9123 env: - name: NAMESPACE valueFrom:
@@ -80,10 +81,8 @@ spec: image: {{.FRRK8sImage}} name: frr-k8s-webhook-server ports: - - containerPort: 7572 - name: monitoring - securityContext: - runAsNonRoot: true + - containerPort: 9123 + name: webhook resources: requests: cpu: 10m
@@ -91,15 +90,17 @@ spec: terminationMessagePolicy: FallbackToLogsOnError livenessProbe: httpGet: - path: /metrics - port: monitoring + path: /healthz + port: webhook + scheme: HTTPS initialDelaySeconds: 10 periodSeconds: 10 failureThreshold: 3 readinessProbe: httpGet: - path: /metrics - port: monitoring + path: /healthz + port: webhook + scheme: HTTPS initialDelaySeconds: 10 periodSeconds: 10 failureThreshold: 3
@@ -122,3 +123,4 @@ spec: serviceAccountName: frr-k8s-daemon priorityClassName: system-cluster-critical terminationGracePeriodSeconds: 10 + hostNetwork: true
diff --git a/bindata/network/multus-admission-controller/003-webhook.yaml b/bindata/network/multus-admission-controller/003-webhook.yaml
index aca1cf39e5..533001a069 100644
--- a/bindata/network/multus-admission-controller/003-webhook.yaml
+++ b/bindata/network/multus-admission-controller/003-webhook.yaml
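Review bot: `openshift.io/required-scc: privileged` is broader than the visible change requires: the only new host-level need is `hostNetwork: true` (hunk at -122), which the `hostnetwork-v2` SCC grants without the full privileged capability set, and the hunk at -80 additionally drops `runAsNonRoot: true` even though the container's new port 9123 is unprivileged. Unless the webhook binary needs something beyond host networking that is not shown here, I'd use `openshift.io/required-scc: hostnetwork-v2` and keep the `securityContext: runAsNonRoot: true` block. If privileged really is required, a comment on the annotation naming the reason would stop the next reviewer from raising the same point.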
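Review bot: With `hostNetwork: true` (hunk at -122) the new `--webhook-port=9123` listener is bound on the node itself, so it is reachable by anything that can reach the node IP rather than only through the Service, and it can collide with any other host-network component that picks the same port. The hunk gives no rationale for choosing 9123 or for disabling metrics via `--metrics-bind-address=0`; add a comment on the args, e.g. `# 9123: host-network webhook port, keep in sync with containerPort/probes below; metrics disabled because <reason>`, or point at wherever the project records its reserved host ports. The probe hunk at -91 now depends on this port name as well.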
@@ -27,6 +27,10 @@ webhooks: apiGroups: ["k8s.cni.cncf.io"] apiVersions: ["v1"] resources: ["network-attachment-definitions"] + matchConditions: + # On updates, only validate if the Spec changes + - name: CreateDeleteOrUpdatedSpec + expression: oldObject == null || object == null || object.spec != oldObject.spec sideEffects: NoneOnDryRun admissionReviewVersions: - v1
diff --git a/bindata/network/ovn-kubernetes/common/008-script-lib.yaml b/bindata/network/ovn-kubernetes/common/008-script-lib.yaml
index 2cf4530b6c..a804ac4510 100644
--- a/bindata/network/ovn-kubernetes/common/008-script-lib.yaml
+++ b/bindata/network/ovn-kubernetes/common/008-script-lib.yaml
@@ -322,6 +322,11 @@ data: # let northd sleep so it takes less CPU NORTHD_SLEEP_OPTION="options:northd-backoff-interval-ms={{.OVN_NORTHD_BACKOFF_MS}}" + NORTHD_CT_INV_OPTION="" + +{{ if and (.OVN_ROUTE_ADVERTISEMENTS_ENABLE) (eq .OVN_GATEWAY_MODE "local") }} + NORTHD_CT_INV_OPTION="options:use_ct_inv_match=false" +{{ end }} local ipsec=false local ipsec_encapsulation=false {{ if .OVNIPsecEnable }}
@@ -342,7 +347,7 @@ data: IPSEC_OPTION="ipsec=${ipsec} options:ipsec_encapsulation=${ipsec_encapsulation}" # set all the NB_GLOBAL options - if ! retry 20 "nb-global options" "ovn-nbctl -t 5 set nb_global . ${IC_OPTION} ${NORTHD_PROBE_OPTION} ${NORTHD_SLEEP_OPTION} ${IPSEC_OPTION}"; then + if ! retry 20 "nb-global options" "ovn-nbctl -t 5 set nb_global . ${IC_OPTION} ${NORTHD_PROBE_OPTION} ${NORTHD_SLEEP_OPTION} ${IPSEC_OPTION} ${NORTHD_CT_INV_OPTION}"; then exit 1 fi }
diff --git a/bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml b/bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml
index 75a2ddff25..fbdf37107e 100644
--- a/bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml
+++ b/bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml
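Review bot: The new match condition exempts every UPDATE whose `spec` is unchanged, so NetworkAttachmentDefinition edits that only touch metadata no longer reach the validator; that is only safe if the handler validates nothing outside `spec` — if it also inspects annotations or labels, those edits now bypass it. Confirm against the handler and make the comment carry the assumption: `# On updates, only validate if the Spec changes (the validator inspects spec only)`. Note also that an evaluation error in a matchCondition is resolved by the webhook's `failurePolicy`, which is outside this hunk, so check it is set the way you want for that case.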
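Review bot: `NORTHD_CT_INV_OPTION` is introduced without a comment explaining why `use_ct_inv_match` is turned off only when route advertisements are enabled in local gateway mode, while the neighbouring `NORTHD_SLEEP_OPTION` line documents its reason; the condition is specific enough that a later maintainer cannot reconstruct it from the code. Add a one-line comment above the `{{ if ... }}`, e.g. `# <reason>: disable northd's ct.inv match when advertising routes in local gateway mode`, naming the actual limitation it works around. The shell function that builds these options starts before the hunk; the second hunk (-342) only appends the variable to the `nb_global` set command and needs no change.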
@@ -148,6 +148,15 @@ spec: route_advertisements_enable_flag="--enable-route-advertisements" fi + if [ "{{.OVN_GATEWAY_MODE}}" == "shared" ]; then + gateway_mode_flags="--gateway-mode shared" + elif [ "{{.OVN_GATEWAY_MODE}}" == "local" ]; then + gateway_mode_flags="--gateway-mode local" + else + echo "Invalid OVN_GATEWAY_MODE: \"{{.OVN_GATEWAY_MODE}}\". Must be \"local\" or \"shared\"." + exit 1 + fi + echo "I$(date "+%m%d %H:%M:%S.%N") - ovnkube-control-plane - start ovnkube --init-cluster-manager ${K8S_NODE}" exec /usr/bin/ovnkube \ --enable-interconnect \
@@ -165,6 +174,7 @@ spec: ${persistent_ips_enabled_flag} \ ${multi_network_enabled_flag} \ ${network_segmentation_enabled_flag} \ + ${gateway_mode_flags} \ ${route_advertisements_enable_flag} volumeMounts: - mountPath: /run/ovnkube-config/
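Review bot: The new gateway-mode check uses `==` inside single-bracket `[ ]`, which is a bash extension rather than POSIX `test`; the script's interpreter (the container `command:`) is outside the hunk, so if it runs under `/bin/sh` the comparison does not behave as written. `=` works in both: `if [ "{{.OVN_GATEWAY_MODE}}" = "shared" ]; then` and `elif [ "{{.OVN_GATEWAY_MODE}}" = "local" ]; then`. Rejecting anything other than the two known values and exiting is the right shape; consider sending the failure `echo` to stderr with `>&2` so it is not mistaken for the normal startup line that follows.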