Skip to content

OCPBUGS-77257, OCPBUGS-78094: Branch Sync release-4.22 to release-4.21 [03-23-2026]#3080

Merged
openshift-merge-bot[bot] merged 283 commits intoopenshift:release-4.21from
jluhrsen:sync-release-4.22-to-release-4.21-03-23-2026
Mar 25, 2026
Merged

OCPBUGS-77257, OCPBUGS-78094: Branch Sync release-4.22 to release-4.21 [03-23-2026]#3080
openshift-merge-bot[bot] merged 283 commits intoopenshift:release-4.21from
jluhrsen:sync-release-4.22-to-release-4.21-03-23-2026

Conversation

@jluhrsen
Copy link
Copy Markdown
Contributor

@jluhrsen jluhrsen commented Mar 23, 2026
edited
Loading

Manual sync of release-4.22 → release-4.21, excluding recent commits from PR #3011.

Details

This PR syncs commits from release-4.22 up to commit eedfcd073 (Merge pull request #2978) into release-4.21, intentionally excluding the 91 commits from PR #3011 which merged on March 22, 2026.

Excluded Commits

Sync Process

  1. Merged release-4.22 up to eedfcd073 into release-4.21
  2. Resolved merge conflicts in go-controller/pkg/ovn/base_network_controller_pods.go:
    • Simple variable rename from nadName to nadKey
    • Removed duplicate isNonHostSubnetSwitch method declaration
  3. Ran go mod tidy in openshift/ (no changes)
  4. Ran go mod vendor and ./openshift/hack/update-tests-annotation.sh
    • Updated test annotations (committed separately)
  5. Verified make lint passes

Merge Conflict Resolution

Two conflicts were resolved in base_network_controller_pods.go:

  1. Variable renamed from nadName to nadKey (matching the function parameter)
  2. Duplicate method declaration removed (both copies were identical - merge artifact)

Note: This PR includes an automated sync of test annotations with upstream test changes (go mod vendor + update-tests-annotation.sh).

/ok-to-test

ormergi and others added 30 commits December 28, 2025 12:18
@ormergi
dist: Use the project golang container image
54bc895 
Recently the golang container image we use was changed due to issues
with the image on quay.io.

Use the same image for creating the project container images.

Signed-off-by: Or Mergi <ormergi@redhat.com>
@ormergi
dist, fedora: Use the right package manager
47cecd9 
Recently fedora Dockerfile was mistakenly changed to use the wrong
package manager.

Use dnf package manager in fedora Dockerfile.

Signed-off-by: Or Mergi <ormergi@redhat.com>
@qinqon @jcaamano
fix(localnet, ipamless): Prevent LSP deletion on sync
d1c55f1 
When ovnkube-node restarts, it runs syncPodsForUserDefinedNetwork which calls
allocatePodIPs. For IPAM-less localnet networks (switches with no subnets),
IsNonHostSubnetSwitch returns true, causing allocatePodIPs to return empty string.
This prevents the pod from being added to expectedLogicalPorts map, causing
deleteStaleLogicalSwitchPorts to delete the LSP.

This change add an explicit flag at the subnet allocator to denote that
that allocator was created as part of a no host subnet switch, this way
code explicitly diferenciates between localnet ipamless and no host
subnet since both do no have a subnet but no host subnet do not even
have LSPs

Signed-off-by: Enrique Llorente <ellorent@redhat.com>
@pliurh @jcaamano
egressip: Skip bridge configuration for secondary network IPs
2d4a479 
Skip configuring EgressIPs on the bridge when they don't belong to the
OVN (primary) network. This prevents conflicts when EgressIPs are
assigned to secondary host networks. SyncEgressIP() will clean up
existing mistaken configurations during bootup while uprading OVN-K.

Uses util.IsOVNNetwork() to check network membership and adds a helper
function parseAndValidateEIP() to consolidate validation logic and fix
missing packet mark validation.

Tests have been added to verify that secondary network IPs are ignored
and that existing mistaken configurations are cleaned up.

Signed-off-by: Peng Liu <pliu@redhat.com>
@zhaozhanqi
add nodePort etp=local e2e test for UDN and default network when adve…
61cc216 
…rtised BGP routes

For testing nodePort service etp=local for UDN network and default network including scenarios:
ETP=Local:UDN pod to the same node nodeport service in same UDN network should work
ETP=Local:UDN pod to a different node nodeport service in same UDN network should work
ETP=Local:UDN pod to the same node nodeport service in different UDN network should not work
ETP=Local:UDN pod to a different node nodeport service in different UDN network should work
ETP=Local:UDN pod to the same node nodeport service in default network should not work
ETP=Local:UDN pod to a different node nodeport service in default network should work
ETP=Local:Default network pod to same node nodeport service in UDN network should not work
ETP=Local:Default network pod to different node nodeport service in UDN network should work

Signed-off-by: zhaozhanqi <zzhao@redhat.com>
@tssurya
Merge pull request #5826 from ormergi/fix-fedora-build
d88fb5a 
dist: Fix fedora build
@openshift-merge-bot
Merge pull request openshift#2910 from openshift/d/s-merge-12-19-2025
b65f94d 
OCPBUGS-66235: DownStream Merge [12-19-2025]
Merge remote-tracking branch 'upstream/master' into d/s-merge-01-03-2026
0a9976c
@pliurh
node: fix DeleteEndpointSlice namespace deletion race condition
2ea53bd 
When processing an EndpointSlice delete event, if the namespace is
deleted before the event is processed, the old code would fail early
with a "namespace not found" error from GetActiveNetworkForNamespace
before executing delServiceRules. This left stale iptables/nftables
rules and OpenFlow rules in place, causing a resource leak.

Move the GetActiveNetworkForNamespace call to after delServiceRules
and before addServiceRules in DeleteEndpointSlice. This ensures old
service rules are always cleaned up, even if the namespace or UDN is
deleted during event processing.

Add graceful error handling for:
- Namespace NotFound: Skip adding new rules (namespace deleted)
- InvalidPrimaryNetworkError: Skip adding new rules (UDN deleted)
- Other errors: Propagate as before

Unit tests added to verify:
- delServiceRules executes before network lookup
- Graceful handling of namespace/UDN deletion scenarios
- Proper error propagation for non-graceful errors

Assisted-by: Cline
Signed-off-by: Peng Liu <pliu@redhat.com>
@openshift-merge-bot
Merge pull request openshift#2912 from openshift-bot/art-consistency-…
904d66a 
…openshift-4.22-ose-ovn-kubernetes

OCPBUGS-70058: Updating ose-ovn-kubernetes-container image to be consistent with ART for 4.22
@tssurya
Merge pull request #5669 from pliurh/endpoint_slice_deletion
3604a7f 
node: fix DeleteEndpointSlice namespace deletion race condition
Updating ose-ovn-kubernetes-base-container image to be consistent wit…
3c0e3d2 
…h ART for 4.22

Reconciling with https://github.com/openshift/ocp-build-data/tree/532305ad2d84f57355ac03b308650bcc5a8d7740/images/ovn-kubernetes-base.yml
@cathy-zhou
support pod with multiple same secondary UDN
66cf063 
Signed-off-by: Yun Zhou <yunz@nvidia.com>
@cathy-zhou
add additional pod-if-name external-id for Pod OVS interface
1597b78 
Add pod-if-name external-ids for pod OVS interface to identify OVS
interfaces plumbed by CNI with the same UDN for the same pod.

Signed-off-by: Yun Zhou <yunz@nvidia.com>
@cathy-zhou
support ipamClaim for multiple same UDN on the pod
d012030 
Signed-off-by: Yun Zhou <yunz@nvidia.com>
@cathy-zhou
add ECMP pod route for multiple same secondary UDN interfaces
76d27a2 
Signed-off-by: Yun Zhou <yunz@nvidia.com>
@cathy-zhou
e2e: add e2e test case for Pod with multiple same secondary UDN
36ddd00 
Signed-off-by: Yun Zhou <yunz@nvidia.com>
@trozet
Merge pull request #5796 from npinaeva/inf-retry
3b44daf 
[retry] Make an exception for pods and retry them infinitely.
@trozet
Merge pull request #5714 from cathy-zhou/upstream-VMAAS-654
05527d3 
support pod with multiple same secondary UDN
@cathy-zhou
docs/multi-homing: support of multiple interfaces in the same network
e200f2d 
Signed-off-by: Yun Zhou <yunz@nvidia.com>
@cathy-zhou
always set arp sysctl configuration for multiple same network interfaces
4e343bc 
Signed-off-by: Yun Zhou <yunz@nvidia.com>
@kyrtapz
Use interface index for IPv6 zone when sending unsolicited neighbor a…
0c3604e 
…dvertisements

The ndp.Listen() function uses the interface name for the IPv6 zone
identifier. Golang net pkg caches zone name to index mappings, which
means the zone can become stale if the interface is recreated in under a minute.
This caused unsolicited neighbor advertisements to be sent on the wrong zone which
caused them to be dropped by the kernel.

Fix by using icmp.ListenPacket directly with the interface index as the zone identifier.

Signed-off-by: Patryk Diak <pdiak@redhat.com>
@jechen0648
bump up frr-k8s and frr image versions
67f9fbf 
* bump up frr-k8s and frr image versions
* change to check frr-k8s-statuscleaner status
* update dependencies

Signed-off-by: Jean Chen <jechen@redhat.com>
@huiran0826
add eip e2e case on namespace/pod labels update
3c1c396 
Add one e2e EgressIP cases covering below scenarios:
should handle EIP reassignment correctly on namespace label update
should handle EIP reassignment correctly on pod label update
should handle EIP reassignment correctly on EgressIP object update

Signed-off-by: Huiran Wang <huirwang@redhat.com>
@trozet
Merge pull request #5834 from cathy-zhou/VMAAS-654-doc
c6a4fc0 
docs/multi-homing: support of multiple interfaces in the same network
@trozet
Merge pull request #5833 from kyrtapz/fix_una_zone
3cafd56 
Use interface index for IPv6 zone when sending unsolicited neighbor advertisements
@trozet
Merge pull request #5835 from cathy-zhou/VMAAS-654-more
9d31999 
always set arp sysctl configuration for multiple same network interfaces
@jtaleric
Adding kubelet-density-cni performance workload
ac29faf 
To run performance tests we needed to modify the kind cluster setup.
Creating infra nodes and installing prometheus is required so we can get
metrics about the SUT.

Installing and running kube-burner is also required for this new
workload.

In a follow on PR we will collect pprofs from the test

Signed-off-by: jtalerico <joe.talerico@gmail.com>
@jtaleric
Attempt to capture and store pprof data
560aee2 
Needed to change the endpoint we listen on for pprof. It was listening
on the pod ip -- instead we should listen on localhost.

Signed-off-by: jtalerico <joe.talerico@gmail.com>
@tssurya
Merge pull request #5721 from huiran0826/e2e-eip-ns-update
35dfdea 
add eip e2e cases on ns/pod labels update
@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Mar 24, 2026

@arkadeepsen: This pull request references Jira Issue OCPBUGS-77257, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.z) matches configured target version for branch (4.21.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-61524 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-61524 targets the "4.22.0" version, which is one of the valid target versions: 4.22.0
  • bug has dependents

Requesting review from QA contact:
/cc @huiran0826

This pull request references Jira Issue OCPBUGS-78094, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.z) matches configured target version for branch (4.21.z)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-74164 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-74164 targets the "4.22.0" version, which is one of the valid target versions: 4.22.0
  • bug has dependents

Requesting review from QA contact:
/cc @huiran0826

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Mar 24, 2026
edited
Loading

@jluhrsen: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-openstack-ovn 4e1a7ac link false /test e2e-openstack-ovn
ci/prow/security 4e1a7ac link false /test security
ci/prow/e2e-vsphere-ovn 4e1a7ac link false /test e2e-vsphere-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@arkadeepsen
Copy link
Copy Markdown
Member

arkadeepsen commented Mar 24, 2026

@kyrtapz PTAL

@arkadeepsen
Copy link
Copy Markdown
Member

arkadeepsen commented Mar 24, 2026

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Mar 24, 2026
@huiran0826
Copy link
Copy Markdown
Contributor

huiran0826 commented Mar 25, 2026

/verified by @huiran0826 with pre-merge testing of the two bugs

@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Mar 25, 2026

@huiran0826: Jira verification commands are restricted to collaborators for this repo.

Details

In response to this:

/verified by @huiran0826 with pre-merge testing of the two bugs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@huiran0826
Copy link
Copy Markdown
Contributor

huiran0826 commented Mar 25, 2026

/verified by @huiran0826

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Mar 25, 2026
@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Mar 25, 2026

@huiran0826: This PR has been marked as verified by @huiran0826.

Details

In response to this:

/verified by @huiran0826

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@kyrtapz
Copy link
Copy Markdown
Contributor

kyrtapz commented Mar 25, 2026

/approve

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Mar 25, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: arkadeepsen, jluhrsen, kyrtapz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 25, 2026
@kyrtapz
Copy link
Copy Markdown
Contributor

kyrtapz commented Mar 25, 2026

/override ci/prow/qe-perfscale-payload-control-plane-6nodes

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Mar 25, 2026

@kyrtapz: Overrode contexts on behalf of kyrtapz: ci/prow/qe-perfscale-payload-control-plane-6nodes

Details

In response to this:

/override ci/prow/qe-perfscale-payload-control-plane-6nodes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kyrtapz
Copy link
Copy Markdown
Contributor

kyrtapz commented Mar 25, 2026

/label backport-risk-assessed

@openshift-ci openshift-ci Bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Mar 25, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit 0fd9d30 into openshift:release-4.21 Mar 25, 2026
57 of 60 checks passed
@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Mar 25, 2026

@jluhrsen: Jira Issue Verification Checks: Jira Issue OCPBUGS-77257
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-77257 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Jira Issue Verification Checks: Jira Issue OCPBUGS-78094
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-78094 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Manual sync of release-4.22 → release-4.21, excluding recent commits from PR #3011.

Details

This PR syncs commits from release-4.22 up to commit eedfcd073 (Merge pull request #2978) into release-4.21, intentionally excluding the 91 commits from PR #3011 which merged on March 22, 2026.

Excluded Commits

Sync Process

  1. Merged release-4.22 up to eedfcd073 into release-4.21
  2. Resolved merge conflicts in go-controller/pkg/ovn/base_network_controller_pods.go:
  • Simple variable rename from nadName to nadKey
  • Removed duplicate isNonHostSubnetSwitch method declaration
  1. Ran go mod tidy in openshift/ (no changes)
  2. Ran go mod vendor and ./openshift/hack/update-tests-annotation.sh
  • Updated test annotations (committed separately)
  1. Verified make lint passes

Merge Conflict Resolution

Two conflicts were resolved in base_network_controller_pods.go:

  1. Variable renamed from nadName to nadKey (matching the function parameter)
  2. Duplicate method declaration removed (both copies were identical - merge artifact)

Note: This PR includes an automated sync of test annotations with upstream test changes (go mod vendor + update-tests-annotation.sh).

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@arkadeepsen arkadeepsen mentioned this pull request Mar 25, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kyrtapz kyrtapz Awaiting requested review from kyrtapz

@tssurya tssurya Awaiting requested review from tssurya

@huiran0826 huiran0826 Awaiting requested review from huiran0826

Assignees

@mffiedler mffiedler

@rbbratta rbbratta

@arkadeepsen arkadeepsen

@anuragthehatter anuragthehatter

@huiran0826 huiran0826

@asood-rh asood-rh

@jechen0648 jechen0648

@qiowang721 qiowang721

@meinali566 meinali566

@barbora137 barbora137

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.