OCPBUGS-8080,OCPBUGS-8280,OCPBUGS-8278,OCPBUGS-7988,OCPBUGS-7932,OCPBUGS-9990: Downstream Merge [10-mar-2023]

contrib/kind-dual-stack-conversion.sh

@@ -130,7 +130,7 @@ spec:
     spec:
       containers:
       - name: agnhost
-        image: k8s.gcr.io/e2e-test-images/agnhost:2.21
+        image: registry.k8s.io/e2e-test-images/agnhost:2.21
         args:
           - netexec
           - --http-port=80

contrib/kind.sh

@@ -329,6 +329,8 @@ print_params() {
      echo "RUN_IN_CONTAINER = $RUN_IN_CONTAINER"
      echo "KIND_CLUSTER_NAME = $KIND_CLUSTER_NAME"
      echo "KIND_LOCAL_REGISTRY = $KIND_LOCAL_REGISTRY"
+     echo "KIND_LOCAL_REGISTRY_NAME = $KIND_LOCAL_REGISTRY_NAME"
+     echo "KIND_LOCAL_REGISTRY_PORT = $KIND_LOCAL_REGISTRY_PORT"
      echo "KIND_DNS_DOMAIN = $KIND_DNS_DOMAIN"
      echo "KIND_CONFIG_FILE = $KIND_CONFIG"
      echo "KIND_REMOVE_TAINT = $KIND_REMOVE_TAINT"
@@ -459,12 +461,14 @@ set_default_params() {
   fi
   RUN_IN_CONTAINER=${RUN_IN_CONTAINER:-false}
   KIND_IMAGE=${KIND_IMAGE:-kindest/node}
-  K8S_VERSION=${K8S_VERSION:-v1.24.0}
+  K8S_VERSION=${K8S_VERSION:-v1.26.0}
   OVN_GATEWAY_MODE=${OVN_GATEWAY_MODE:-shared}
   KIND_INSTALL_INGRESS=${KIND_INSTALL_INGRESS:-false}
   KIND_INSTALL_METALLB=${KIND_INSTALL_METALLB:-false}
   OVN_HA=${OVN_HA:-false}
   KIND_LOCAL_REGISTRY=${KIND_LOCAL_REGISTRY:-false}
+  KIND_LOCAL_REGISTRY_NAME=${KIND_LOCAL_REGISTRY_NAME:-kind-registry}
+  KIND_LOCAL_REGISTRY_PORT=${KIND_LOCAL_REGISTRY_PORT:-5000}
   KIND_DNS_DOMAIN=${KIND_DNS_DOMAIN:-"cluster.local"}
   KIND_CONFIG=${KIND_CONFIG:-${DIR}/kind.yaml.j2}
   KIND_REMOVE_TAINT=${KIND_REMOVE_TAINT:-true}
@@ -593,29 +597,75 @@ set_cluster_cidr_ip_families() {
   fi
 }
 
+create_local_registry() {
+    # create registry container unless it already exists
+    if [ "$($OCI_BIN inspect -f '{{.State.Running}}' "${KIND_LOCAL_REGISTRY_NAME}" 2>/dev/null || true)" != 'true' ]; then
+      $OCI_BIN run \
+        -d --restart=always -p "127.0.0.1:${KIND_LOCAL_REGISTRY_PORT}:5000" --name "${$KIND_LOCAL_REGISTRY_NAME}" \
+        registry:2
+    fi
+}
+
+connect_local_registry() {
+    # connect the registry to the cluster network if not already connected
+    if [ "$($OCI_BIN inspect -f='{{json .NetworkSettings.Networks.kind}}' "${KIND_LOCAL_REGISTRY_NAME}")" = 'null' ]; then
+      $OCI_BIN network connect "kind" "${KIND_LOCAL_REGISTRY_NAME}"
+    fi
+
+    # Reference docs for local registry:
+    # - https://kind.sigs.k8s.io/docs/user/local-registry/
+    # - https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
+    cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: local-registry-hosting
+  namespace: kube-public
+data:
+  localRegistryHosting.v1: |
+    host: "localhost:${KIND_LOCAL_REGISTRY_PORT}"
+    help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
+EOF
+
+}
+
 create_kind_cluster() {
   # Output of the j2 command
   KIND_CONFIG_LCL=${DIR}/kind-${KIND_CLUSTER_NAME}.yaml
 
-    ovn_ip_family=${IP_FAMILY} \
-    ovn_ha=${OVN_HA} \
-    net_cidr=${NET_CIDR} \
-    svc_cidr=${SVC_CIDR} \
-    use_local_registy=${KIND_LOCAL_REGISTRY} \
-    dns_domain=${KIND_DNS_DOMAIN} \
-    ovn_num_master=${KIND_NUM_MASTER} \
-    ovn_num_worker=${KIND_NUM_WORKER} \
-    cluster_log_level=${KIND_CLUSTER_LOGLEVEL:-4} \
-    j2 "${KIND_CONFIG}" -o "${KIND_CONFIG_LCL}"
+  ovn_ip_family=${IP_FAMILY} \
+  ovn_ha=${OVN_HA} \
+  net_cidr=${NET_CIDR} \
+  svc_cidr=${SVC_CIDR} \
+  use_local_registy=${KIND_LOCAL_REGISTRY} \
+  dns_domain=${KIND_DNS_DOMAIN} \
+  ovn_num_master=${KIND_NUM_MASTER} \
+  ovn_num_worker=${KIND_NUM_WORKER} \
+  cluster_log_level=${KIND_CLUSTER_LOGLEVEL:-4} \
+  kind_local_registry_port=${KIND_LOCAL_REGISTRY_PORT} \
+  kind_local_registry_name=${KIND_LOCAL_REGISTRY_NAME} \
+  j2 "${KIND_CONFIG}" -o "${KIND_CONFIG_LCL}"
 
   # Create KIND cluster. For additional debug, add '--verbosity <int>': 0 None .. 3 Debug
   if kind get clusters | grep ovn; then
     delete
   fi
+
+  if [[ "${KIND_LOCAL_REGISTRY}" == true ]]; then
+    create_local_registry
+  fi
+
   kind create cluster --name "${KIND_CLUSTER_NAME}" --kubeconfig "${KUBECONFIG}" --image "${KIND_IMAGE}":"${K8S_VERSION}" --config=${KIND_CONFIG_LCL} --retain
+
+  if [[ "${KIND_LOCAL_REGISTRY}" == true ]]; then
+    connect_local_registry
+  fi
+
   cat "${KUBECONFIG}"
 }
 
+
+
 docker_disable_ipv6() {
   # Docker disables IPv6 globally inside containers except in the eth0 interface.
   # Kind enables IPv6 globally the containers ONLY for dual-stack and IPv6 deployments.
@@ -672,7 +722,7 @@ build_ovn_image() {
       OVN_IMAGE="localhost/ovn-daemonset-f:dev"
     fi
 
-    # Build ovn docker image
+    # Build ovn image
     pushd ${DIR}/../go-controller
     make
     popd
@@ -686,18 +736,24 @@ build_ovn_image() {
 
     # store in local registry
     if [ "$KIND_LOCAL_REGISTRY" == true ];then
-      echo "Pushing built image to local docker registry"
-      docker push "${OVN_IMAGE}"
+      echo "Pushing built image to local $OCI_BIN registry"
+      $OCI_BIN push "${OVN_IMAGE}"
     fi
     popd
   fi
 }
 
 create_ovn_kube_manifests() {
+    local ovnkube_image=${OVN_IMAGE}
+    if [ "$KIND_LOCAL_REGISTRY" == true ];then
+      # When updating with local registry we have to reference the sha
+      ovnkube_image=$($OCI_BIN inspect --format='{{index .RepoDigests 0}}' $OVN_IMAGE)
+    fi
     pushd ${DIR}/../dist/images
   ./daemonset.sh \
     --output-directory="${MANIFEST_OUTPUT_DIR}"\
     --image="${OVN_IMAGE}" \
+    --ovnkube-image="${ovnkube_image}" \
     --net-cidr="${NET_CIDR}" \
     --svc-cidr="${SVC_CIDR}" \
     --gateway-mode="${OVN_GATEWAY_MODE}" \
@@ -783,8 +839,9 @@ install_ovn() {
 
   popd
 
-  # Force pod reload just the ones with golang containers
-  if [ "${KIND_CREATE}" == false ]; then
+  # When using internal registry force pod reload just the ones with 
+  # non OVS containers, restarting OVS pods breaks the cluster.
+  if [ "${KIND_CREATE}" == false ] && [ "${KIND_LOCAL_REGISTRY}" == false ] ; then
     for pod in ${OVN_DEPLOY_PODS}; do
         run_kubectl delete pod -n ovn-kubernetes -l name=$pod
     done

contrib/kind.yaml.j2

@@ -17,8 +17,8 @@ networking:
 {%- if use_local_registy == "true"%}
 containerdConfigPatches:
   - |-
-    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"]
-      endpoint = ["http://kind-registry:5000"]
+    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:{{ kind_local_registry_port }}"]
+      endpoint = ["http://{{ kind_local_registry_name }}:5000"]
 {%- endif %}
 kubeadmConfigPatches:
 - |

dist/images/Dockerfile.fedora

@@ -15,7 +15,7 @@ USER root
 
 ENV PYTHONDONTWRITEBYTECODE yes
 
-ARG ovnver=ovn-22.12.0-25.fc37
+ARG ovnver=ovn-23.03.0-4.fc37
 # Automatically populated when using docker buildx
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM

dist/images/daemonset.sh

@@ -14,14 +14,14 @@ install_j2_renderer() {
 # The script renders j2 templates into yaml files in ../yaml/
 
 # ensure j2 renderer installed
-if ! command -v j2 >/dev/null 2>&1 ; then 
-  if ! command -v pip >/dev/null 2>&1 ; then 
+if ! command -v j2 >/dev/null 2>&1 ; then
+  if ! command -v pip >/dev/null 2>&1 ; then
     echo "Dependency not met: 'j2' not installed and cannot install with 'pip'"
     exit 1
   fi
   echo "'j2' not found, installing with 'pip'"
   install_j2_renderer
-fi 
+fi
 
 OVN_OUTPUT_DIR=""
 OVN_IMAGE=""
@@ -87,12 +87,15 @@ while [ "$1" != "" ]; do
   PARAM=$(echo $1 | awk -F= '{print $1}')
   VALUE=$(echo $1 | cut -d= -f2-)
   case $PARAM in
-  --output-directory) 
+  --output-directory)
     OVN_OUTPUT_DIR=$VALUE
     ;;
   --image)
     OVN_IMAGE=$VALUE
     ;;
+  --ovnkube-image)
+    OVNKUBE_IMAGE=$VALUE
+    ;;
   --image-pull-policy)
     OVN_IMAGE_PULL_POLICY=$VALUE
     ;;
@@ -261,6 +264,9 @@ while [ "$1" != "" ]; do
   --ovnkube-node-mgmt-port-netdev)
     OVNKUBE_NODE_MGMT_PORT_NETDEV=$VALUE
     ;;
+  --ovnkube-node-mgmt-port-dp-resource-name)
+    OVNKUBE_NODE_MGMT_PORT_DP_RESOURCE_NAME=$VALUE
+    ;;
   --ovnkube-config-duration-enable)
     OVNKUBE_CONFIG_DURATION_ENABLE=$VALUE
     ;;
@@ -282,19 +288,22 @@ done
 # Create the daemonsets with the desired image
 # They are expanded into daemonsets in the specified
 # output directory.
-if [ -z ${OVN_OUTPUT_DIR} ] ; then 
+if [ -z ${OVN_OUTPUT_DIR} ] ; then
   output_dir="../yaml"
-else 
+else
   output_dir=${OVN_OUTPUT_DIR}
   if [ ! -d ${OVN_OUTPUT_DIR} ]; then
     mkdir $output_dir
-  fi 
-fi 
+  fi
+fi
 echo "output_dir: $output_dir"
 
 image=${OVN_IMAGE:-"docker.io/ovnkube/ovn-daemonset:latest"}
 echo "image: ${image}"
 
+ovnkube_image=${OVNKUBE_IMAGE:-${image}}
+echo "ovnkube_image: ${ovnkube_image}"
+
 image_pull_policy=${OVN_IMAGE_PULL_POLICY:-"IfNotPresent"}
 echo "imagePullPolicy: ${image_pull_policy}"
 
@@ -412,7 +421,7 @@ echo "ovnkube_config_duration_enable: ${ovnkube_config_duration_enable}"
 ovnkube_metrics_scale_enable=${OVNKUBE_METRICS_SCALE_ENABLE}
 echo "ovnkube_metrics_scale_enable: ${ovnkube_metrics_scale_enable}"
 
-ovn_image=${image} \
+ovn_image=${ovnkube_image} \
   ovn_image_pull_policy=${image_pull_policy} \
   ovn_unprivileged_mode=${ovn_unprivileged_mode} \
   ovn_gateway_mode=${ovn_gateway_mode} \
@@ -484,7 +493,7 @@ ovn_image=${image} \
   ovnkube_app_name=ovnkube-node-dpu-host \
   j2 ../templates/ovnkube-node.yaml.j2 -o ${output_dir}/ovnkube-node-dpu-host.yaml
 
-ovn_image=${image} \
+ovn_image=${ovnkube_image} \
   ovn_image_pull_policy=${image_pull_policy} \
   ovnkube_master_loglevel=${master_loglevel} \
   ovn_loglevel_northd=${ovn_loglevel_northd} \

dist/images/ovnkube.sh

@@ -79,6 +79,7 @@ fi
 # OVN_UNPRIVILEGED_MODE - execute CNI ovs/netns commands from host (default no)
 # OVNKUBE_NODE_MODE - ovnkube node mode of operation, one of: full, dpu, dpu-host (default: full)
 # OVNKUBE_NODE_MGMT_PORT_NETDEV - ovnkube node management port netdev.
+# OVNKUBE_NODE_MGMT_PORT_DP_RESOURCE_NAME - ovnkube node management port device plugin resource
 # OVN_ENCAP_IP - encap IP to be used for OVN traffic on the node. mandatory in case ovnkube-node-mode=="dpu"
 # OVN_HOST_NETWORK_NAMESPACE - namespace to classify host network traffic for applying network policies
 
@@ -234,6 +235,9 @@ ovn_ipfix_cache_active_timeout=${OVN_IPFIX_CACHE_ACTIVE_TIMEOUT:-} \
 ovnkube_node_mode=${OVNKUBE_NODE_MODE:-"full"}
 # OVNKUBE_NODE_MGMT_PORT_NETDEV - is the net device to be used for management port
 ovnkube_node_mgmt_port_netdev=${OVNKUBE_NODE_MGMT_PORT_NETDEV:-}
+# OVNKUBE_NODE_MGMT_PORT_DP_RESOURCE_NAME - is the device plugin resource name that has
+# allocated interfaces to be used for the management port
+ovnkube_node_mgmt_port_dp_resource_name=${OVNKUBE_NODE_MGMT_PORT_DP_RESOURCE_NAME:-}
 ovnkube_config_duration_enable=${OVNKUBE_CONFIG_DURATION_ENABLE:-false}
 ovnkube_metrics_scale_enable=${OVNKUBE_METRICS_SCALE_ENABLE:-false}
 # OVN_ENCAP_IP - encap IP to be used for OVN traffic on the node
@@ -792,7 +796,7 @@ ovn-dbchecker() {
   trap 'kill $(jobs -p); exit 0' TERM
   check_ovn_daemonset_version "3"
   rm -f ${OVN_RUNDIR}/ovn-dbchecker.pid
-  
+
   # wait for ready_to_start_node
   echo "=============== ovn-dbchecker - (wait for ready_to_start_node)"
   wait_for_event ready_to_start_node
@@ -818,18 +822,18 @@ ovn-dbchecker() {
         --sb-cert-common-name ${ovn_controller_cname}
       "
   }
-  
+
   echo "=============== ovn-dbchecker ========== OVNKUBE_DB"
   /usr/bin/ovndbchecker \
     --nb-address=${ovn_nbdb} --sb-address=${ovn_sbdb} \
-    ${ovn_db_ssl_opts} \  
+    ${ovn_db_ssl_opts} \
     --loglevel=${ovnkube_loglevel} \
     --logfile-maxsize=${ovnkube_logfile_maxsize} \
     --logfile-maxbackups=${ovnkube_logfile_maxbackups} \
     --logfile-maxage=${ovnkube_logfile_maxage} \
     --pidfile ${OVN_RUNDIR}/ovn-dbchecker.pid \
     --logfile /var/log/ovn-kubernetes/ovn-dbchecker.log &
-  
+
   echo "=============== ovn-dbchecker ========== running"
   wait_for_event attempts=3 process_ready ovn-dbchecker
 
@@ -924,7 +928,7 @@ ovn-master() {
   if [[ -n ${ovn_v4_join_subnet} ]]; then
       ovn_v4_join_subnet_opt="--gateway-v4-join-subnet=${ovn_v4_join_subnet}"
   fi
-  
+
   ovn_v6_join_subnet_opt=
   if [[ -n ${ovn_v6_join_subnet} ]]; then
       ovn_v6_join_subnet_opt="--gateway-v6-join-subnet=${ovn_v6_join_subnet}"
@@ -1481,6 +1485,9 @@ ovn-node() {
   if [[ ${ovnkube_node_mgmt_port_netdev} != "" ]]; then
     ovnkube_node_mgmt_port_netdev_flag="--ovnkube-node-mgmt-port-netdev=${ovnkube_node_mgmt_port_netdev}"
   fi
+  if [[ -n "${ovnkube_node_mgmt_port_dp_resource_name}" ]] ; then
+    node_mgmt_port_netdev_flags="$node_mgmt_port_netdev_flags --ovnkube-node-mgmt-port-dp-resource-name ${ovnkube_node_mgmt_port_dp_resource_name}"
+  fi
 
   local ovn_node_ssl_opts=""
   if [[ ${ovnkube_node_mode} != "dpu-host" ]]; then

dist/templates/k8s.ovn.org_egressfirewalls.yaml.j2

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.7.0
+    controller-gen.kubebuilder.io/version: v0.11.3
   creationTimestamp: null
   name: egressfirewalls.k8s.ovn.org
 spec:
@@ -79,6 +79,8 @@ spec:
                     to:
                       description: to is the target that traffic is allowed/denied
                         to
+                      maxProperties: 1
+                      minProperties: 1
                       properties:
                         cidrSelector:
                           description: cidrSelector is the CIDR range to allow/deny
@@ -93,7 +95,7 @@ spec:
                           type: string
                         nodeSelector:
                           description: nodeSelector will allow/deny traffic to the
-                            Kubernetes node IP of selected nodes. If this is, set
+                            Kubernetes node IP of selected nodes. If this is set,
                             cidrSelector and DNSName must be unset.
                           properties:
                             matchExpressions:
@@ -138,6 +140,7 @@ spec:
                                 contains only "value". The requirements are ANDed.
                               type: object
                           type: object
+                          x-kubernetes-map-type: atomic
                       type: object
                     type:
                       description: type marks this as an "Allow" or "Deny" rule

dist/templates/ovnkube-node.yaml.j2

@@ -214,6 +214,11 @@ spec:
             configMapKeyRef:
               name: ovn-config
               key: host_network_namespace
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
 
         readinessProbe:
           exec: