OCPBUGS-65688, OCPBUGS-66235: DownStream Merge [12-19-2025]

.github/workflows/docker.yml

@@ -14,7 +14,7 @@ env:
   REPOSITORY: ovn-kubernetes
   FEDORA_IMAGE_NAME: ovn-kube-fedora
   UBUNTU_IMAGE_NAME: ovn-kube-ubuntu
-
+  BUILDER_IMAGE: quay.io/lib/golang:1.24
 jobs:
   build:
     name: Build Images
@@ -84,9 +84,11 @@ jobs:
       uses: docker/build-push-action@v5
       with:
         builder: ${{ steps.buildx.outputs.name }}
-        context: ./dist/images
+        context: .
         file: ./dist/images/Dockerfile.fedora
         push: true
+        build-args: |
+          BUILDER_IMAGE=${{ env.BUILDER_IMAGE }}
         platforms: linux/amd64,linux/arm64
         tags: ${{ steps.meta-fedora.outputs.tags }}
         labels: ${{ steps.meta-fedora.outputs.labels }}

.github/workflows/test.yml

@@ -24,8 +24,9 @@ env:
   KIND_CLUSTER_NAME: ovn
   KIND_INSTALL_INGRESS: true
   KIND_ALLOW_SYSTEM_WRITES: true
-  # This skips tests tagged as Serial
-  # Current Serial tests are not relevant for OVN
+  ENABLE_COREDUMPS: true
+  # This skips tests tagged as Serial for most lanes
+  # Serial tests are run in a dedicated lane
   PARALLEL: true
 
   # This must be a directory
@@ -436,7 +437,7 @@ jobs:
       fail-fast: false
       matrix:
         # Valid options are:
-        # target: ["shard-conformance", "control-plane", "multi-homing", "multi-node-zones", "node-ip-mac-migration", "compact-mode"]
+        # target: ["shard-conformance", "control-plane", "multi-homing", "multi-node-zones", "node-ip-mac-migration", "compact-mode", "serial"]
         #         shard-conformance: hybrid-overlay = multicast-enable = emptylb-enable = false
         #         control-plane: hybrid-overlay = multicast-enable = emptylb-enable = true
         # ha: ["HA", "noHA"]
@@ -490,6 +491,7 @@ jobs:
           - {"target": "bgp-loose-isolation", "ha": "noHA", "gateway-mode": "shared", "ipfamily": "dualstack", "disable-snat-multiple-gws": "snatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "routeadvertisements": "advertise-default", "network-segmentation": "enable-network-segmentation", "advertised-udn-isolation-mode": "loose"}
           - {"target": "traffic-flow-test-only","ha": "noHA", "gateway-mode": "shared", "ipfamily": "ipv4", "disable-snat-multiple-gws": "noSnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "traffic-flow-tests": "1-24", "network-segmentation": "enable-network-segmentation"}
           - {"target": "tools", "ha": "noHA", "gateway-mode": "local", "ipfamily": "dualstack", "disable-snat-multiple-gws": "SnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "network-segmentation": "enable-network-segmentation"}
+          - {"target": "serial", "ha": "noHA", "gateway-mode": "shared", "ipfamily": "ipv4", "disable-snat-multiple-gws": "snatGW", "second-bridge": "1br", "ic": "ic-single-node-zones"}
     needs: [ build-pr ]
     env:
       JOB_NAME: "${{ matrix.target }}-${{ matrix.ha }}-${{ matrix.gateway-mode }}-${{ matrix.ipfamily }}-${{ matrix.disable-snat-multiple-gws }}-${{ matrix.second-bridge }}-${{ matrix.ic }}"
@@ -519,7 +521,10 @@ jobs:
       ENABLE_ROUTE_ADVERTISEMENTS: "${{ matrix.routeadvertisements != '' }}"
       ADVERTISE_DEFAULT_NETWORK:  "${{ matrix.routeadvertisements == 'advertise-default' }}"
       ENABLE_PRE_CONF_UDN_ADDR: "${{ matrix.ic == 'ic-single-node-zones' && (matrix.target == 'network-segmentation' || matrix.network-segmentation == 'enable-network-segmentation') }}"
+      ENABLE_NETWORK_CONNECT: "${{ matrix.target == 'network-segmentation' }}"
       ADVERTISED_UDN_ISOLATION_MODE: "${{ matrix.advertised-udn-isolation-mode }}"
+      # Override PARALLEL=true for Serial tests target to run Serial tests
+      PARALLEL: "${{ matrix.target != 'serial' }}"
       OVN_UNPRIVILEGED_MODE: "${{ matrix.cni-mode == 'unprivileged' }}"
       MULTI_POD_SUBNET: true
     steps:
@@ -676,6 +681,9 @@ jobs:
           make -C test control-plane WHAT="ClusterNetworkConnect"
         elif [ "${{ matrix.target }}" == "bgp" ] || [ "${{ matrix.target }}" == "bgp-loose-isolation" ]; then
           make -C test control-plane
+        elif [ "${{ matrix.target }}" == "serial" ]; then
+          # Run only Serial tests with ginkgo focus
+          make -C test control-plane WHAT=Serial
         elif [ "${{ matrix.target }}" == "tools" ]; then
           make -C go-controller build
           make -C test tools

GOVERNANCE.md

@@ -1,38 +1,41 @@
 # ovn-kubernetes Project Governance
 
-The ovn-kubernetes  project is dedicated to creating a robust Kubernetes Networking platform built from the ground up by leveraging Open vSwitch (OVS) as the data plane, and Open Virtual Network (OVN) as the SDN Controller. The project focuses strictly on enhancing networking for the Kubernetes platform and includes a wide variety of features that are critical to enterprise and telco users.
+The ovn-kubernetes project is dedicated to creating a robust Kubernetes Networking platform built from the ground up by leveraging Open vSwitch (OVS) as the data plane, and Open Virtual Network (OVN) as the SDN Controller. The project focuses strictly on enhancing networking for the Kubernetes platform and includes a wide variety of features that are critical to enterprise and telco users.
 
 This governance explains how the project is run.
 
 - [Values](#values)
 - [Maintainers](#maintainers)
-- [Becoming a Maintainer](#becoming-a-maintainer)
+  - [Becoming a Maintainer](#becoming-a-maintainer)
+  - [Removing a Maintainer](#removing-a-maintainer)
+- [Members](#members)
+  - [Becoming a Member](#becoming-a-member)
+  - [Removing a Member](#removing-a-member)
 - [Meetings](#meetings)
-- [CNCF Resources](#cncf-resources)
-- [Code of Conduct Enforcement](#code-of-conduct)
+- [Code of Conduct](#code-of-conduct)
 - [Security Response Team](#security-response-team)
 - [Voting](#voting)
-- [Modifications](#modifying-this-charter)
+- [Modifying this Charter](#modifying-this-charter)
 
 ## Values
 
 The ovn-kubernetes and its leadership embrace the following values:
 
-* Openness: Communication and decision-making happens in the open and is discoverable for future
+- Openness: Communication and decision-making happens in the open and is discoverable for future
   reference. As much as possible, all discussions and work take place in public
   forums and open repositories.
 
-* Fairness: All stakeholders have the opportunity to provide feedback and submit
+- Fairness: All stakeholders have the opportunity to provide feedback and submit
   contributions, which will be considered on their merits.
 
-* Community over Product or Company: Sustaining and growing our community takes
+- Community over Product or Company: Sustaining and growing our community takes
   priority over shipping code or sponsors' organizational goals.  Each
   contributor participates in the project as an individual.
 
-* Inclusivity: We innovate through different perspectives and skill sets, which
+- Inclusivity: We innovate through different perspectives and skill sets, which
   can only be accomplished in a welcoming and respectful environment.
 
-* Participation: Responsibilities within the project are earned through
+- Participation: Responsibilities within the project are earned through
   participation, and there is a clear path up the contributor ladder into leadership
   positions.
 
@@ -60,15 +63,15 @@ is the governing body for the project.
 
 To become a Maintainer you need to demonstrate the following:
 
-  * commitment to the project:
-    * participate in discussions, contributions, code and documentation reviews
-      for 10 months or more,
-    * perform reviews for 10 non-trivial pull requests,
-    * contribute 15 non-trivial pull requests and have them merged,
-  * ability to write quality code and/or documentation,
-  * ability to collaborate with the team,
-  * understanding of how the team works (policies, processes for testing and code review, etc),
-  * understanding of the project's code base and coding and documentation style.
+- commitment to the project:
+  - participate in discussions, contributions, code and documentation reviews
+    for 10 months or more,
+  - perform reviews for 10 non-trivial pull requests,
+  -  contribute 15 non-trivial pull requests and have them merged,
+- ability to write quality code and/or documentation,
+- ability to collaborate with the team,
+- understanding of how the team works (policies, processes for testing and code review, etc),
+- understanding of the project's code base and coding and documentation style.
 
 A new Maintainer must be proposed by an existing maintainer by sending a message to the
 [developer mailing list](https://groups.google.com/g/ovn-kubernetes). A simple majority vote of existing Maintainers
@@ -94,6 +97,46 @@ Depending on the reason for removal, a Maintainer may be converted to Emeritus
 status.  Emeritus Maintainers will still be consulted on some project matters,
 and can be rapidly returned to Maintainer status if their availability changes.
 
+## Members
+
+Members are active contributors who have shown a commitment to the project. They
+have privileges to review pull requests and are part of the
+`ovn-kubernetes/ovn-kubernetes-members` GitHub team, which makes them eligible
+for automatic PR review assignments. Members are not Maintainers, but they are
+expected to contribute to the project and collaborate with the team.
+
+### Becoming a Member
+
+To become a Member, you need to demonstrate the following:
+- commitment to the project:
+  - participate in discussions, contributions, code and documentation reviews
+    for 3 months or more,
+  - perform reviews for 5 non-trivial pull requests,
+  - contribute 10 non-trivial pull requests and have them merged,
+- ability to write quality code and/or documentation,
+- ability to collaborate with the team (e.g., participate in project meetings,
+  join discussion in the CNCF slack channel, etc.),
+- understanding of how the team works (policies, processes for testing and
+  code review, etc),
+- understanding of the project's code base and coding and documentation style.
+
+A new Member must be proposed by an existing maintainer by sending a message to
+the developer mailing list. The application is approved with two affirmative
+votes from current maintainers.
+
+### Removing a Member
+
+Members may resign at any time.
+
+Members may also be removed after being inactive for a period of 6 months or
+more, for failure to fulfill their responsibilities, or for violating the Code
+of Conduct. A Member may be removed at any time by a simple majority vote of the
+maintainers.
+
+Members who are consistently unresponsive to assigned PR reviews may be
+contacted by Maintainers to discuss their availability and commitment. If the
+pattern of non-responsiveness continues, the Member may be removed.
+
 ## Meetings
 
 Time zones permitting, Maintainers are expected to participate in the public

contrib/kind-common

@@ -857,7 +857,10 @@ install_ffr_k8s() {
 echo "Attempting to reach frr-k8s webhook"
 kind export kubeconfig --name ovn
 while true; do
-$OCI_BIN exec ovn-control-plane curl -ksS --connect-timeout 0.1 https://$(kubectl get svc -n frr-k8s-system frr-k8s-webhook-service -o jsonpath='{.spec.clusterIP}')
+CLUSTER_IP=\$(kubectl get svc -n frr-k8s-system frr-k8s-webhook-service -o jsonpath='{.spec.clusterIP}')
+# Wrap IPv6 addresses in brackets for URL syntax
+[[ \${CLUSTER_IP} =~ : ]] && CLUSTER_IP="[\${CLUSTER_IP}]"
+$OCI_BIN exec ovn-control-plane curl -ksS --connect-timeout 0.1 https://\${CLUSTER_IP}
 [ \$? -eq 0 ] && exit 0
 echo "Couldn't reach frr-k8s webhook, trying in 1s..."
 sleep 1s
@@ -916,3 +919,29 @@ interconnect_arg_check() {
     echo "INFO: Interconnect mode is now the default mode, you do not need to use pass -ic or --enable-interconnect anymore"
   fi
 }
+
+setup_coredumps() {
+  # Setup core dump collection
+  #
+  # Core dumps will be saved on the HOST at /tmp/kind/logs/coredumps (not inside containers)
+  # because kernel.core_pattern is a kernel-level setting shared across all containers.
+  #
+  # - Using a pipe instead of a file path avoids needing to mount
+  #   /tmp/kind/logs/coredumps into every container that might crash
+  # - The pipe executes in the host's namespace, so /tmp/kind/logs/coredumps
+  #   automatically refers to the host path
+  #
+  # Location: /tmp/kind/logs is used to ensure coredumps are exported in CI
+  # Use container exec to avoid asking for root permissions
+
+  mkdir -p "/tmp/kind/logs/coredumps"
+  ulimit -c unlimited
+  for node in $(kind get nodes --name "${KIND_CLUSTER_NAME}"); do
+    # Core dump filename pattern variables:
+    #   %P - global PID
+    #   %e - executable filename
+    #   %h - hostname (container hostname)
+    #   %s - signal number that caused dump
+    ${OCI_BIN} exec "$node" sysctl -w kernel.core_pattern="|/bin/dd of=/tmp/kind/logs/coredumps/core.%P.%e.%h.%s bs=1M status=none"
+  done
+}

contrib/kind-helm.sh

@@ -27,6 +27,7 @@ set_default_params() {
   export KIND_REMOVE_TAINT=${KIND_REMOVE_TAINT:-true}
   export ENABLE_MULTI_NET=${ENABLE_MULTI_NET:-false}
   export ENABLE_NETWORK_SEGMENTATION=${ENABLE_NETWORK_SEGMENTATION:-false}
+  export ENABLE_NETWORK_CONNECT=${ENABLE_NETWORK_CONNECT:-false}
   export ENABLE_PRE_CONF_UDN_ADDR=${ENABLE_PRE_CONF_UDN_ADDR:-false}
   export OVN_NETWORK_QOS_ENABLE=${OVN_NETWORK_QOS_ENABLE:-false}
   export KIND_NUM_WORKER=${KIND_NUM_WORKER:-2}
@@ -88,6 +89,7 @@ set_default_params() {
 
   export OVN_ENABLE_DNSNAMERESOLVER=${OVN_ENABLE_DNSNAMERESOLVER:-false}
   export MULTI_POD_SUBNET=${MULTI_POD_SUBNET:-false}
+  export ENABLE_COREDUMPS=${ENABLE_COREDUMPS:-false}
 }
 
 usage() {
@@ -104,12 +106,14 @@ usage() {
     echo "       [ -ikv | --install-kubevirt ]"
     echo "       [ -mne | --multi-network-enable ]"
     echo "       [ -nse | --network-segmentation-enable ]"
+    echo "       [ -nce | --network-connect-enable ]"
     echo "       [ -uae | --preconfigured-udn-addresses-enable ]"
     echo "       [ -nqe | --network-qos-enable ]"
     echo "       [ -wk  | --num-workers <num> ]"
     echo "       [ -ic  | --enable-interconnect]"
     echo "       [ -npz | --node-per-zone ]"
     echo "       [ -cn  | --cluster-name ]"
+    echo "       [ --enable-coredumps ]"
     echo "       [ -h ]"
     echo ""
     echo "--delete                                      Delete current cluster"
@@ -127,11 +131,13 @@ usage() {
     echo "-ikv | --install-kubevirt                     Install kubevirt"
     echo "-mne | --multi-network-enable                 Enable multi networks. DEFAULT: Disabled"
     echo "-nse | --network-segmentation-enable          Enable network segmentation. DEFAULT: Disabled"
+    echo "-nce | --network-connect-enable               Enable network connect (requires network segmentation). DEFAULT: Disabled"
     echo "-uae | --preconfigured-udn-addresses-enable   Enable connecting workloads with preconfigured network to user-defined networks. DEFAULT: Disabled"
     echo "-nqe | --network-qos-enable                   Enable network QoS. DEFAULT: Disabled"
     echo "-ha  | --ha-enabled                           Enable high availability. DEFAULT: HA Disabled"
     echo "-wk  | --num-workers                          Number of worker nodes. DEFAULT: 2 workers"
     echo "-cn  | --cluster-name                         Configure the kind cluster's name"
+    echo "--enable-coredumps                            Enable coredump collection on kind nodes. DEFAULT: Disabled"
     echo "-dns | --enable-dnsnameresolver               Enable DNSNameResolver for resolving the DNS names used in the DNS rules of EgressFirewall."
     echo "-ce  | --enable-central                       Deploy with OVN Central (Legacy Architecture)"
     echo "-npz | --nodes-per-zone                       Specify number of nodes per zone (Default 0, which means global zone; >0 means interconnect zone, where 1 for single-node zone, >1 for multi-node zone). If this value > 1, then (total k8s nodes (workers + 1) / num of nodes per zone) should be zero."
@@ -176,6 +182,8 @@ parse_args() {
                                                   ;;
             -nse | --network-segmentation-enable) ENABLE_NETWORK_SEGMENTATION=true
                                                   ;;
+            -nce | --network-connect-enable )     ENABLE_NETWORK_CONNECT=true
+                                                  ;;
             -uae | --preconfigured-udn-addresses-enable)    ENABLE_PRE_CONF_UDN_ADDR=true
                                                   ;;
             -nqe | --network-qos-enable )         OVN_NETWORK_QOS_ENABLE=true
@@ -214,6 +222,8 @@ parse_args() {
                                                   ;;
             -mps| --multi-pod-subnet )            MULTI_POD_SUBNET=true
                                                   ;;
+            --enable-coredumps )                  ENABLE_COREDUMPS=true
+                                                  ;;
             * )                                   usage
                                                   exit 1
         esac
@@ -244,6 +254,7 @@ print_params() {
      echo "KIND_REMOVE_TAINT = $KIND_REMOVE_TAINT"
      echo "ENABLE_MULTI_NET = $ENABLE_MULTI_NET"
      echo "ENABLE_NETWORK_SEGMENTATION = $ENABLE_NETWORK_SEGMENTATION"
+     echo "ENABLE_NETWORK_CONNECT = $ENABLE_NETWORK_CONNECT"
      echo "ENABLE_PRE_CONF_UDN_ADDR = $ENABLE_PRE_CONF_UDN_ADDR"
      echo "OVN_NETWORK_QOS_ENABLE = $OVN_NETWORK_QOS_ENABLE"
      echo "OVN_IMAGE = $OVN_IMAGE"
@@ -295,22 +306,9 @@ build_ovn_image() {
       return
     fi
 
-    # Build ovn image
-    pushd ${DIR}/../go-controller
-    make
-    popd
-
     # Build ovn kube image
     pushd ${DIR}/../dist/images
-    # Find all built executables, but ignore the 'windows' directory if it exists
-    find ../../go-controller/_output/go/bin/ -maxdepth 1 -type f -exec cp -f {} . \;
-    echo "ref: $(git rev-parse  --symbolic-full-name HEAD)  commit: $(git rev-parse  HEAD)" > git_info
-    $OCI_BIN build \
-      --build-arg http_proxy="$http_proxy" \
-      --build-arg https_proxy="$https_proxy" \
-      --network=host \
-      -t "${OVN_IMAGE}" \
-      -f Dockerfile.fedora .
+    make fedora-image
     popd
 }
 
@@ -461,12 +459,14 @@ helm install ovn-kubernetes . -f "${value_file}" \
           --set global.enableMulticast=$(if [ "${OVN_MULTICAST_ENABLE}" == "true" ]; then echo "true"; else echo "false"; fi) \
           --set global.enableMultiNetwork=$(if [ "${ENABLE_MULTI_NET}" == "true" ]; then echo "true"; else echo "false"; fi) \
           --set global.enableNetworkSegmentation=$(if [ "${ENABLE_NETWORK_SEGMENTATION}" == "true" ]; then echo "true"; else echo "false"; fi) \
+          --set global.enableNetworkConnect=$(if [ "${ENABLE_NETWORK_CONNECT}" == "true" ]; then echo "true"; else echo "false"; fi) \
           --set global.enablePreconfiguredUDNAddresses=$(if [ "${ENABLE_PRE_CONF_UDN_ADDR}" == "true" ]; then echo "true"; else echo "false"; fi) \
           --set global.enableHybridOverlay=$(if [ "${OVN_HYBRID_OVERLAY_ENABLE}" == "true" ]; then echo "true"; else echo "false"; fi) \
           --set global.enableObservability=$(if [ "${OVN_OBSERV_ENABLE}" == "true" ]; then echo "true"; else echo "false"; fi) \
           --set global.emptyLbEvents=$(if [ "${OVN_EMPTY_LB_EVENTS}" == "true" ]; then echo "true"; else echo "false"; fi) \
           --set global.enableDNSNameResolver=$(if [ "${OVN_ENABLE_DNSNAMERESOLVER}" == "true" ]; then echo "true"; else echo "false"; fi) \
           --set global.enableNetworkQos=$(if [ "${OVN_NETWORK_QOS_ENABLE}" == "true" ]; then echo "true"; else echo "false"; fi) \
+          --set global.enableCoredumps=$(if [ "${ENABLE_COREDUMPS}" == "true" ]; then echo "true"; else echo "false"; fi) \
           ${ovnkube_db_options}
 EOF
        )
@@ -495,6 +495,9 @@ print_params
 helm_prereqs
 build_ovn_image
 create_kind_cluster
+if [ "$ENABLE_COREDUMPS" == true ]; then
+  setup_coredumps
+fi
 detect_apiserver_url
 docker_disable_ipv6
 coredns_patch