Merged
79 commits
901989c  (C)UDN CRD: update CEL validations.  (npinaeva, Dec 18, 2024)
d940cab  UDN EIP IP: change scope from link to global  (martinkennelly, Jan 12, 2025)
6c5f5d9  Update OVS bridge flows for supporting gateway VLANs  (crnithya, Sep 30, 2024)
d31b047  Require namespace label for primary UDN  (trozet, Dec 13, 2024)
7bb83ce  Disable adding/removing the UDN namespace label  (kyrtapz, Dec 12, 2024)
0b71fe6  Update E2Es to for required UDN label  (trozet, Dec 17, 2024)
41dfd98  Fix multicast net seg tests ip family  (trozet, Dec 19, 2024)
253025a  Fix egress IP tests  (trozet, Dec 20, 2024)
0dd81cf  Fix egress IP delete path  (trozet, Jan 8, 2025)
a9b3e44  Update kubevirt e2es  (trozet, Jan 8, 2025)
ef21acb  Remove per network load balancer groups on cleanup  (trozet, Jan 13, 2025)
a084679  Adds e2e test to for wiring pod with missing UDN label  (trozet, Jan 13, 2025)
b8c3d78  Adds E2E to verify UDN label cannot be added/removed later  (trozet, Jan 13, 2025)
10a2af0  Add GetInterfaceUDNs to convert interface name to (C)UDN ns+name.  (npinaeva, Oct 22, 2024)
da702b8  Fix multicast tests for ipv6 with UDN  (trozet, Jan 14, 2025)
592de25  Merge pull request #4780 from crnithya/gw_vlans  (girishmg, Jan 16, 2025)
299db52  (C)UDN CRD: add IPAM section and IPAM.Mode field.  (npinaeva, Dec 19, 2024)
f31b70f  e2e,udn crd: Use the right IP family according to env  (ormergi, Jan 16, 2025)
5df01a4  Merge pull request #4970 from ormergi/cudn-e2e-fix-ip-family  (tssurya, Jan 16, 2025)
20e7a0e  Merge pull request #4940 from npinaeva/observ-udn-enrichment  (trozet, Jan 16, 2025)
8bbeac7  Fix pods cleanup in ClusterUserDefinedNetwork test  (kyrtapz, Jan 17, 2025)
605d8b9  Merge pull request #4975 from kyrtapz/cudn_cleanup_fix  (tssurya, Jan 17, 2025)
b52daaa  Merge pull request #4912 from trozet/enforce_udn_ns_annotation  (tssurya, Jan 17, 2025)
b30c515  Merge pull request #4933 from npinaeva/udn-ipam  (trozet, Jan 17, 2025)
a3c44c2  Add missing host-cidrs annotation for DPU Host  (crnithya, Jan 17, 2025)
a8b9c3c  Merge pull request #4974 from crnithya/dpu_host_cidr  (girishmg, Jan 18, 2025)
4be55de  EIP: reduce log spam from errors that arent really errors due to race…  (martinkennelly, Jan 18, 2025)
87de9f8  Suppress layer 2 missing pod anno errors  (trozet, Jan 18, 2025)
e8a0e68  Fix missing error wrap on IC remote node add  (trozet, Jan 18, 2025)
0058b32  e2e/external_gateways: Update test to avoid accidental matching of co…  (dceara, Dec 11, 2024)
73492d9  Dockerfile.fedora: Bump OVN to ovn24.09-24.09.1-10.fc41  (dceara, Dec 11, 2024)
94b6fb9  Merge pull request #4978 from trozet/fix_pod_errors  (tssurya, Jan 20, 2025)
acc803c  Merge pull request #4979 from trozet/suppress_remote_node_ic  (tssurya, Jan 20, 2025)
9743feb  Refactor and fix UDN/CUDN readiness checks  (kyrtapz, Jan 20, 2025)
b18eeac  Merge pull request #4956 from martinkennelly/fix-udn-eip-ip-scope  (trozet, Jan 20, 2025)
344d4dc  Remove per-pod-SNAT for UDNs  (tssurya, Jan 15, 2025)
df55ae6  Merge pull request #4977 from martinkennelly/suppress-eip-noise  (trozet, Jan 20, 2025)
089009c  Skip session affinity conformance test  (trozet, Jan 20, 2025)
bc9c081  Merge pull request #4887 from dceara/bump-ovn24.09.1-10  (trozet, Jan 20, 2025)
5389c0b  Merge pull request #4984 from kyrtapz/fix_udn_e2es  (tssurya, Jan 21, 2025)
561af6e  Use annotations in mirrored EndpointSlices for potentially long values  (kyrtapz, Jan 13, 2025)
8240348  Merge pull request #4985 from trozet/skip_session_affinity  (tssurya, Jan 21, 2025)
46c34a2  e2e, pudn: Use port to check overlapping isolation  (qinqon, Jan 21, 2025)
0a06cfe  docs: update (C)UDN CRD reference.  (npinaeva, Jan 21, 2025)
16ef5d8  Ignore removed namespaces in clustermanager  (kyrtapz, Jan 21, 2025)
fa59c2f  Merge pull request #4986 from qinqon/e2e-udn-overlap-simplify  (tssurya, Jan 21, 2025)
674a9d4  Merge pull request #4989 from kyrtapz/ignore_removed_namespaces  (trozet, Jan 21, 2025)
beafdea  Merge pull request #4976 from tssurya/remove-per-pod-SNAT-for-UDNs  (trozet, Jan 22, 2025)
b5cc056  Merge pull request #4957 from kyrtapz/fix_mirrored_eps  (tssurya, Jan 22, 2025)
0306d4c  Do not rely on the active network while removing the EndpointSlice  (kyrtapz, Jan 22, 2025)
c5b834d  EIP node: skip OVN managed interfaces that don't serve as secondary  (jcaamano, Jan 21, 2025)
e65cc4e  Unit tests: set klog level explicitly  (trozet, Jan 22, 2025)
af08442  Merge pull request #4988 from npinaeva/udn-ipam-docs  (tssurya, Jan 22, 2025)
f0723b3  Set network ID on netInfo even when already annotated  (jcaamano, Jan 22, 2025)
f21f8fb  Fixes SNAT removal with egress IP  (trozet, Jan 22, 2025)
9ee4c0e  Merge pull request #4995 from trozet/fix_loglevel_unit_tests  (trozet, Jan 22, 2025)
e07ba60  Merge pull request #4993 from kyrtapz/epsgw_fix  (trozet, Jan 22, 2025)
bbc5677  Fix race between NAD and NetPol deletions  (pperiyasamy, Jan 22, 2025)
24e1d96  Merge pull request #4996 from pperiyasamy/nad-delete-before-netpol  (tssurya, Jan 23, 2025)
14ffa61  Merge pull request #4998 from trozet/fix_egress_ip_snat_deletion  (trozet, Jan 23, 2025)
ab83afb  UDN isolation: trigger update on open-default-ports annotation change.  (npinaeva, Jan 23, 2025)
5530ab8  Always use queued informer  (trozet, Dec 6, 2024)
2b8be27  factory: Use 15 event queues per informer for pod, node and namespace.  (kyrtapz, Jan 15, 2025)
fe17136  factory: Reduce contention on informer locks.  (dceara, Dec 2, 2024)
6dda0b5  factory: Bump the event queue size to 1K.  (dceara, Dec 23, 2024)
f952cee  factory: Reduce event queue size for unit tests.  (dceara, Jan 23, 2025)
ad85acc  ovn_test: Properly shutdown the watch factory.  (dceara, Jan 7, 2025)
199d61d  gateway_localnet_linux_test: Serialize access to openflow manager flo…  (dceara, Jan 7, 2025)
3bf5109  node_ip_handler_linux_test: Avoid DATA race due to concurrent config …  (dceara, Jan 9, 2025)
29ec106  subnet_allocator: Take lock when reading subnetAllocatorRanges.  (dceara, Jan 15, 2025)
a1427dc  gateway_localnet_linux_test.go: Fix various test issues.  (dceara, Jan 22, 2025)
715687e  Merge pull request #4999 from npinaeva/udn-open-ports-fix  (trozet, Jan 24, 2025)
ecd6ee6  Merge pull request #4939 from dceara/multiplex-informer  (trozet, Jan 24, 2025)
d3bd070  Merge pull request #4997 from jcaamano/fix-network-id  (trozet, Jan 24, 2025)
988cb71  Get active network from annotations on pod deletion  (kyrtapz, Jan 23, 2025)
e82f43d  Cleanup networkpolicy when a namespace was already removed  (kyrtapz, Jan 24, 2025)
25ee891  Merge pull request #5001 from kyrtapz/ipallocator_activenet_fix  (trozet, Jan 24, 2025)
0e277d5  Merge remote-tracking branch 'upstream/master' into ds_merge_01222025  (kyrtapz, Jan 24, 2025)
d108b05  Revert "hard code disable-udn-host-isolation to "true""  (kyrtapz, Jan 24, 2025)
2 changes: 1 addition & 1 deletion dist/images/Dockerfile.fedora
Expand Up @@ -15,7 +15,7 @@ USER root

ENV PYTHONDONTWRITEBYTECODE yes

ARG ovnver=ovn-24.09.0-33.fc41
ARG ovnver=ovn-24.09.1-10.fc41
# Automatically populated when using docker buildx
ARG TARGETPLATFORM
ARG BUILDPLATFORM
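Review bot: the pinned build string in `ARG ovnver=ovn-24.09.1-10.fc41` is not the one quoted in the commit title (`ovn24.09-24.09.1-10.fc41`); the ARG value is what the image actually installs, so the commit message should carry the same spelling to keep the bump searchable against the Fedora package name. Pinning to an exact build rather than a floating `24.09` is the right choice for reproducible images; a one-line comment above the ARG stating why this particular build is required would save the next person from guessing whether it is safe to move again.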
16 changes: 16 additions & 0 deletions dist/images/ovnkube.sh
Expand Up @@ -1906,6 +1906,14 @@ ovnkube-controller-with-node() {
fi
fi

if [[ ${ovnkube_node_mode} != "dpu-host" && ! ${ovn_gateway_opts} =~ "gateway-vlanid" ]]; then
# get the gateway vlanid
gw_vlanid=$(ovs-vsctl --if-exists get Open_vSwitch . external_ids:ovn-gw-vlanid | tr -d \")
if [[ -n ${gw_vlanid} ]]; then
ovn_gateway_opts+="--gateway-vlanid=${gw_vlanid}"
fi
fi

ovnkube_node_mgmt_port_netdev_flag=
if [[ ${ovnkube_node_mgmt_port_netdev} != "" ]]; then
ovnkube_node_mgmt_port_netdev_flag="--ovnkube-node-mgmt-port-netdev=${ovnkube_node_mgmt_port_netdev}"
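Review bot: the append `ovn_gateway_opts+="--gateway-vlanid=${gw_vlanid}"` adds no separator on either side, so whether the flag lands as its own argument depends entirely on the existing value of `ovn_gateway_opts` being empty or already ending in whitespace; appending with a leading space, `ovn_gateway_opts+=" --gateway-vlanid=${gw_vlanid}"`, removes that dependency on how the earlier options were assembled. The `--if-exists` read and the `=~ "gateway-vlanid"` guard against a user-supplied duplicate are fine, but `gw_vlanid` is taken straight from `external_ids:ovn-gw-vlanid` and passed through as a flag value, so an integer check before the append (for example `[[ ${gw_vlanid} =~ ^[0-9]+$ ]]`) would make a mistyped value fail loudly at startup instead of being handed to the binary.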
Expand Down Expand Up @@ -2570,6 +2578,14 @@ ovn-node() {

fi

if [[ ${ovnkube_node_mode} != "dpu-host" && ! ${ovn_gateway_opts} =~ "gateway-vlanid" ]]; then
# get the gateway vlanid
gw_vlanid=$(ovs-vsctl --if-exists get Open_vSwitch . external_ids:ovn-gw-vlanid | tr -d \")
if [[ -n ${gw_vlanid} ]]; then
ovn_gateway_opts+="--gateway-vlanid=${gw_vlanid}"
fi
fi

local ovn_node_ssl_opts=""
if [[ ${ovnkube_node_mode} != "dpu-host" ]]; then
[[ "yes" == ${OVN_SSL_ENABLE} ]] && {
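Review bot: this block is a verbatim copy of the one added to `ovnkube-controller-with-node()`; factoring it into a small helper called from both functions would keep the two from drifting, and any fix to the separator or value validation would then land in one place. The same missing-separator concern applies here: `ovn_gateway_opts+="--gateway-vlanid=${gw_vlanid}"` should carry a leading space.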
118 changes: 99 additions & 19 deletions dist/templates/k8s.ovn.org_clusteruserdefinednetworks.yaml.j2
Expand Up @@ -94,16 +94,42 @@ spec:
layer2:
description: Layer2 is the Layer2 topology configuration.
properties:
ipamLifecycle:
description: |-
IPAMLifecycle controls IP addresses management lifecycle.
ipam:
description: IPAM section contains IPAM-related configuration
for the network.
minProperties: 1
properties:
lifecycle:
description: |-
Lifecycle controls IP addresses management lifecycle.

The only allowed value is Persistent. When set, OVN Kubernetes assigned IP addresses will be persisted in an
`ipamclaims.k8s.cni.cncf.io` object. These IP addresses will be reused by other pods if requested.
Only supported when "subnets" are set.
enum:
- Persistent
type: string
The only allowed value is Persistent. When set, OVN Kubernetes assigned IP addresses will be persisted in an
`ipamclaims.k8s.cni.cncf.io` object. These IP addresses will be reused by other pods if requested.
Only supported when mode is `Enabled`.
enum:
- Persistent
type: string
mode:
description: |-
Mode controls how much of the IP configuration will be managed by OVN.
`Enabled` means OVN-Kubernetes will apply IP configuration to the SDN infrastructure and it will also assign IPs
from the selected subnet to the individual pods.
`Disabled` means OVN-Kubernetes will only assign MAC addresses and provide layer 2 communication, letting users
configure IP addresses for the pods.
`Disabled` is only available for Secondary networks.
By disabling IPAM, any Kubernetes features that rely on selecting pods by IP will no longer function
(such as network policy, services, etc). Additionally, IP port security will also be disabled for interfaces attached to this network.
Defaults to `Enabled`.
enum:
- Enabled
- Disabled
type: string
type: object
x-kubernetes-validations:
- message: lifecycle Persistent is only supported when ipam.mode
is Enabled
rule: '!has(self.lifecycle) || self.lifecycle != ''Persistent''
|| !has(self.mode) || self.mode == ''Enabled'''
joinSubnets:
description: |-
JoinSubnets are used inside the OVN network topology.
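Review bot: the `mode` description ends with "Defaults to `Enabled`", but the property declares no `default:`; the CEL rule on `lifecycle` (`!has(self.mode) || self.mode == 'Enabled'`) does treat an unset mode as Enabled, so either add `default: Enabled` so the stored object shows the value, or reword the description to say an unset mode is treated as Enabled so the API doc matches what `kubectl get -o yaml` returns. `minProperties: 1` on `ipam` also rejects an empty `ipam: {}`, which deserves a sentence in the section description since a reader of "Defaults to Enabled" may expect `{}` to be accepted.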
Expand All @@ -113,10 +139,19 @@ spec:
It is not recommended to set this field without explicit need and understanding of the OVN network topology.
When omitted, the platform will choose a reasonable default which is subject to change over time.
items:
maxLength: 43
type: string
x-kubernetes-validations:
- message: CIDR is invalid
rule: isCIDR(self)
maxItems: 2
minItems: 1
type: array
x-kubernetes-validations:
- message: When 2 CIDRs are set, they must be from different
IP families
rule: size(self) != 2 || !isCIDR(self[0]) || !isCIDR(self[1])
|| cidr(self[0]).ip().family() != cidr(self[1]).ip().family()
mtu:
description: |-
MTU is the maximum transmission unit for a network.
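Review bot: `maxLength: 43` on the joinSubnets items is there so the CEL cost estimator can bound `isCIDR`/`cidr()` (43 is the length of a fully expanded IPv6 prefix such as `ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128`), but nothing in the schema says so; a comment or a description line would stop a later contributor from "relaxing" it, and would also document that the rarely used mixed form with an embedded dotted quad (`ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255/128`, 49 characters) is rejected by length before the CIDR check runs, if that form matters to anyone. The family rule `size(self) != 2 || !isCIDR(self[0]) || !isCIDR(self[1]) || ...` correctly defers to the per-item `isCIDR` rule, so a malformed entry is reported once rather than twice.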
Expand All @@ -141,26 +176,42 @@ spec:
Dual-stack clusters may set 2 subnets (one for each IP family), otherwise only 1 subnet is allowed.

The format should match standard CIDR notation (for example, "10.128.0.0/16").
This field may be omitted. In that case the logical switch implementing the network only provides layer 2 communication,
and users must configure IP addresses for the pods. As a consequence, Port security only prevents MAC spoofing.
This field must be omitted if `ipam.mode` is `Disabled`.
items:
maxLength: 43
type: string
x-kubernetes-validations:
- message: CIDR is invalid
rule: isCIDR(self)
maxItems: 2
minItems: 1
type: array
x-kubernetes-validations:
- message: When 2 CIDRs are set, they must be from different
IP families
rule: size(self) != 2 || !isCIDR(self[0]) || !isCIDR(self[1])
|| cidr(self[0]).ip().family() != cidr(self[1]).ip().family()
required:
- role
type: object
x-kubernetes-validations:
- message: Subnets is required for Primary Layer2 topology
rule: self.role != 'Primary' || has(self.subnets) && size(self.subnets)
> 0
- message: Subnets is required with ipam.mode is Enabled or unset
rule: has(self.ipam) && has(self.ipam.mode) && self.ipam.mode
!= 'Enabled' || has(self.subnets)
- message: Subnets must be unset when ipam.mode is Disabled
rule: '!has(self.ipam) || !has(self.ipam.mode) || self.ipam.mode
!= ''Disabled'' || !has(self.subnets)'
- message: Disabled ipam.mode is only supported for Secondary
network
rule: '!has(self.ipam) || !has(self.ipam.mode) || self.ipam.mode
!= ''Disabled'' || self.role == ''Secondary'''
- message: JoinSubnets is only supported for Primary network
rule: '!has(self.joinSubnets) || has(self.role) && self.role
== ''Primary'''
- message: IPAMLifecycle is only supported when subnets are set
rule: '!has(self.ipamLifecycle) || has(self.subnets) && size(self.subnets)
> 0'
- message: MTU should be greater than or equal to 1280 when IPv6
subent is used
rule: '!has(self.subnets) || !has(self.mtu) || !self.subnets.exists_one(i,
isCIDR(i) && cidr(i).ip().family() == 6) || self.mtu >= 1280'
layer3:
description: Layer3 is the Layer3 topology configuration.
properties:
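Review bot: the IPv6 MTU rule uses `exists_one`, which is true only when exactly one element matches; it holds today only because the family rule caps the list at one IPv6 entry, and it would silently stop enforcing the 1280 floor if that rule ever changed, so `self.subnets.exists(i, isCIDR(i) && cidr(i).ip().family() == 6)` states the intent directly. Two message strings need an edit: "Subnets is required with ipam.mode is Enabled or unset" should read "when ipam.mode is Enabled or unset", and "IPv6 subent" should be "IPv6 subnet" (both are user-facing admission errors). The "Subnets is required for Primary Layer2 topology" rule is implied by "Disabled ipam.mode is only supported for Secondary network" together with "Subnets is required when ipam.mode is Enabled or unset"; keeping it for the more specific message is fine, but a comment noting the overlap would save someone from removing the wrong one later.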
Expand All @@ -173,10 +224,19 @@ spec:
It is not recommended to set this field without explicit need and understanding of the OVN network topology.
When omitted, the platform will choose a reasonable default which is subject to change over time.
items:
maxLength: 43
type: string
x-kubernetes-validations:
- message: CIDR is invalid
rule: isCIDR(self)
maxItems: 2
minItems: 1
type: array
x-kubernetes-validations:
- message: When 2 CIDRs are set, they must be from different
IP families
rule: size(self) != 2 || !isCIDR(self[0]) || !isCIDR(self[1])
|| cidr(self[0]).ip().family() != cidr(self[1]).ip().family()
mtu:
description: |-
MTU is the maximum transmission unit for a network.
Expand Down Expand Up @@ -208,7 +268,11 @@ spec:
cidr:
description: CIDR specifies L3Subnet, which is split
into smaller subnets for every node.
maxLength: 43
type: string
x-kubernetes-validations:
- message: CIDR is invalid
rule: isCIDR(self)
hostSubnet:
description: |-
HostSubnet specifies the subnet size for every node.
Expand All @@ -221,19 +285,35 @@ spec:
required:
- cidr
type: object
x-kubernetes-validations:
- message: HostSubnet must be smaller than CIDR subnet
rule: '!has(self.hostSubnet) || !isCIDR(self.cidr) ||
self.hostSubnet > cidr(self.cidr).prefixLength()'
- message: HostSubnet must < 32 for ipv4 CIDR
rule: '!has(self.hostSubnet) || !isCIDR(self.cidr) ||
(cidr(self.cidr).ip().family() == 4 && self.hostSubnet
< 32)'
maxItems: 2
minItems: 1
type: array
x-kubernetes-validations:
- message: When 2 CIDRs are set, they must be from different
IP families
rule: size(self) != 2 || !isCIDR(self[0].cidr) || !isCIDR(self[1].cidr)
|| cidr(self[0].cidr).ip().family() != cidr(self[1].cidr).ip().family()
required:
- role
- subnets
type: object
x-kubernetes-validations:
- message: Subnets is required for Layer3 topology
rule: has(self.subnets) && size(self.subnets) > 0
- message: JoinSubnets is only supported for Primary network
rule: '!has(self.joinSubnets) || has(self.role) && self.role
== ''Primary'''
- message: MTU should be greater than or equal to 1280 when IPv6
subent is used
rule: '!has(self.subnets) || !has(self.mtu) || !self.subnets.exists_one(i,
isCIDR(i.cidr) && cidr(i.cidr).ip().family() == 6) || self.mtu
>= 1280'
topology:
description: |-
Topology describes network configuration.
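Review bot: the rule behind "HostSubnet must < 32 for ipv4 CIDR", `!has(self.hostSubnet) || !isCIDR(self.cidr) || (cidr(self.cidr).ip().family() == 4 && self.hostSubnet < 32)`, evaluates to false for every IPv6 `cidr` that sets `hostSubnet`, because the parenthesised term requires family 4 and there is no other branch to satisfy; the intended guard is `cidr(self.cidr).ip().family() != 4 || self.hostSubnet < 32`, and a matching IPv6 rule (`... != 6 || self.hostSubnet < 128`) would close the symmetric gap. The "HostSubnet must be smaller than CIDR subnet" message reads backwards against its rule `self.hostSubnet > cidr(self.cidr).prefixLength()`, since a larger prefix length is the smaller subnet; "HostSubnet prefix length must be larger than the CIDR prefix length" says what is actually checked. "Subnets is required for Layer3 topology" duplicates `required: [subnets]` plus `minItems: 1`, which is harmless but worth a comment, and the `exists_one` and "subent" remarks made on the layer2 MTU rule apply to the copy here as well.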