Allow overriding OVN-Kubernetes configuration

pliurh · pliurh · commit 428f44ac152e · 2025-07-28T03:58:12.000-04:00
This change introduces a mechanism to provide hidden or experimental
configuration to OVN-Kubernetes through a ConfigMap. This provides a
flexible way to enable advanced or experimental OVN-Kubernetes
features without modifying the CNO API.

A new ConfigMap 'ovn-kubernetes-config-overrides', is now read by
the operator during the bootstrap process. The key-value data from
this ConfigMap is passed down to the OVN-K components.

As an initial implementation, this is used to support the
flag 'udn-isolation-mode' which is to enable user to select the UDN
isolation mode between 'loose' and 'strict'. If unset, the default
mode is 'strict'.

Signed-off-by: Peng Liu &lt;pliu@redhat.com&gt;
diff --git a/bindata/network/ovn-kubernetes/common/008-script-lib.yaml b/bindata/network/ovn-kubernetes/common/008-script-lib.yaml
@@ -490,6 +490,9 @@ data:
       local metrics_port=$2
       local ovn_metrics_port=$3
 
+      # Ensure ovn_udn_isolation_mode_flag is always defined
+      ovn_udn_isolation_mode_flag=
+
       if [[ $# -ne 3 ]]; then
         echo "Expected three arguments but got $#"
         exit 1
@@ -605,6 +608,10 @@ data:
         sysctl -w net.ipv6.conf.all.forwarding=0
       fi
 
+      if [[ "{{.UDNIsolationMode}}" != "" ]]; then
+        ovn_udn_isolation_mode_flag="--udn-isolation-mode={{.UDNIsolationMode}}"
+      fi
+
       NETWORK_NODE_IDENTITY_ENABLE=
       if [[ "{{.NETWORK_NODE_IDENTITY_ENABLE}}" == "true" ]]; then
         NETWORK_NODE_IDENTITY_ENABLE="
@@ -673,6 +680,7 @@ data:
         --acl-logging-rate-limit "{{.OVNPolicyAuditRateLimit}}" \
         ${gw_interface_flag} \
         ${ip_forwarding_flag} \
+        ${ovn_udn_isolation_mode_flag} \
         ${NETWORK_NODE_IDENTITY_ENABLE} \
         ${ovn_v4_join_subnet_opt} \
         ${ovn_v6_join_subnet_opt} \
diff --git a/pkg/bootstrap/types.go b/pkg/bootstrap/types.go
@@ -32,6 +32,11 @@ type OVNConfigBoostrapResult struct {
 	SmartNicModeLabel     string
 	SmartNicModeNodes     []string
 	MgmtPortResourceName  string
+	// ConfigOverrides contains the overrides for the OVN Kubernetes configuration
+	// This is used to set the hidden OVN Kubernetes configuration in the cluster
+	// It is a map of key-value pairs where the key is the configuration option and the
+	// value is the configuration value.
+	ConfigOverrides map[string]string
 }
 
 // OVNUpdateStatus contains the status of existing daemonset
diff --git a/pkg/network/ovn_kubernetes.go b/pkg/network/ovn_kubernetes.go
@@ -68,7 +68,9 @@ const OVN_NODE_IDENTITY_CERT_DURATION = "24h"
 const OVN_EGRESSIP_HEALTHCHECK_PORT = "9107"
 
 const (
-	OVSFlowsConfigMapName        = "ovs-flows-config"
+	OVSFlowsConfigMapName              = "ovs-flows-config"
+	OVNKubernetesConfigOverridesCMName = "ovn-kubernetes-config-overrides"
+
 	OVSFlowsConfigNamespace      = names.APPLIED_NAMESPACE
 	defaultV4InternalSubnet      = "100.64.0.0/16"
 	defaultV6InternalSubnet      = "fd98::/64"
@@ -180,6 +182,10 @@ func renderOVNKubernetes(conf *operv1.NetworkSpec, bootstrapResult *bootstrap.Bo
 	data.Data["NETWORK_NODE_IDENTITY_ENABLE"] = bootstrapResult.Infra.NetworkNodeIdentityEnabled
 	data.Data["NodeIdentityCertDuration"] = OVN_NODE_IDENTITY_CERT_DURATION
 	data.Data["IsNetworkTypeLiveMigration"] = false
+	data.Data["UDNIsolationMode"] = ""
+	if mode, ok := bootstrapResult.OVN.OVNKubernetesConfig.ConfigOverrides["udn-isolation-mode"]; ok {
+		data.Data["UDNIsolationMode"] = mode
+	}
 
 	if conf.Migration != nil {
 		if conf.Migration.MTU != nil && conf.Migration.Mode != operv1.LiveNetworkMigrationMode {
@@ -866,6 +872,11 @@ func bootstrapOVNConfig(conf *operv1.Network, kubeClient cnoclient.Client, hc *h
 		return nil, fmt.Errorf("Node %s has multiple hardware offload labels.", nodeName)
 	}
 
+	ovnConfigResult.ConfigOverrides, err = getOVNKubernetesConfigOverrides(kubeClient)
+	if err != nil {
+		return nil, fmt.Errorf("Could not get OVN Kubernetes config overrides: %w", err)
+	}
+
 	klog.Infof("OVN configuration is now %+v", ovnConfigResult)
 
 	ovnConfigResult.DisableUDPAggregation = getDisableUDPAggregation(kubeClient.ClientFor("").CRClient())
@@ -1972,3 +1983,21 @@ func GetMasqueradeSubnet(conf *operv1.OVNKubernetesConfig) (v4Subnet, v6Subnet s
 	}
 	return
 }
+
+// getOVNKubernetesConfigOverrides retrieves OVN Kubernetes configuration overrides from the
+// openshift-network-operator/ovn-kubernetes-config-overrides configmap.
+// If the configmap exists, it returns the data as a map.
+// If the configmap does not exist, it returns nil, indicating that no overrides are set
+// and no error.
+// If there is an error retrieving the configmap, it returns an error.
+func getOVNKubernetesConfigOverrides(client cnoclient.Client) (map[string]string, error) {
+	configMap := &corev1.ConfigMap{}
+	if err := client.Default().CRClient().Get(context.TODO(),
+		types.NamespacedName{Name: OVNKubernetesConfigOverridesCMName, Namespace: names.APPLIED_NAMESPACE}, configMap); err != nil {
+		if apierrors.IsNotFound(err) {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("unable to retrieve config from configmap %v: %s", OVNKubernetesConfigOverridesCMName, err)
+	}
+	return configMap.Data, nil
+}
