Avoid multus-admission webhook race with ovn-kubernetes

Add CEL expression to ignore default/openshift-ovn-kubernetes NAD to prevent
circular dependency where ovn-k fails to start because multus webhook blocks
NAD creation, while webhook uses cluster-networked pdos which require ovn-k to be running.

Signed-off-by: Patryk Diak <[email protected]>

Author: kyrtapz

bindata/network/multus-admission-controller/003-webhook.yaml

@@ -31,6 +31,11 @@ webhooks:
       # On updates, only validate if the Spec changes
       - name: CreateDeleteOrUpdatedSpec
         expression: oldObject == null || object == null || has(object.spec) != has(oldObject.spec) || (has(object.spec) && object.spec != oldObject.spec)
+{{if .OVN_PRE_CONF_UDN_ADDR_ENABLE}}
+      # Ignore default/openshift-ovn-kubernetes NAD to avoid a race between ovn-kubernetes and the multus webhook on install
+      - name: IgnoreDefaultOVNKubernetesNAD
+        expression: object == null || object.metadata.namespace != "openshift-ovn-kubernetes" || object.metadata.name != "default"
+  {{- end }}
     sideEffects: NoneOnDryRun
     admissionReviewVersions:
     - v1

pkg/network/multus_admission_controller.go

@@ -24,6 +24,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	uns "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/klog/v2"
+	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
+	apifeatures "github.com/openshift/api/features"
 )
 
 const bytesInMiB = 1024 * 1024
@@ -54,7 +56,7 @@ func getOpenshiftNamespaces(client cnoclient.Client) (string, error) {
 }
 
 // renderMultusAdmissonControllerConfig returns the manifests of Multus Admisson Controller
-func renderMultusAdmissonControllerConfig(manifestDir string, externalControlPlane bool, bootstrapResult *bootstrap.BootstrapResult, client cnoclient.Client, hsc *hypershift.HyperShiftConfig, clientName string) ([]*uns.Unstructured, error) {
+func renderMultusAdmissonControllerConfig(manifestDir string, externalControlPlane bool, bootstrapResult *bootstrap.BootstrapResult, client cnoclient.Client, hsc *hypershift.HyperShiftConfig, clientName string, featureGates featuregates.FeatureGate) ([]*uns.Unstructured, error) {
 	objs := []*uns.Unstructured{}
 	var err error
 
@@ -83,6 +85,8 @@ func renderMultusAdmissonControllerConfig(manifestDir string, externalControlPla
 	data.Data["ResourceRequestCPU"] = nil
 	data.Data["ResourceRequestMemory"] = nil
 	data.Data["PriorityClass"] = nil
+	data.Data["OVN_PRE_CONF_UDN_ADDR_ENABLE"] = featureGates.Enabled(apifeatures.FeatureGatePreconfiguredUDNAddresses)
+
 	if hsc.Enabled {
 		data.Data["AdmissionControllerNamespace"] = hsc.Namespace
 		data.Data["KubernetesServiceHost"] = bootstrapResult.Infra.APIServers[bootstrap.APIServerDefaultLocal].Host

pkg/network/multus_admission_controller_test.go

@@ -62,14 +62,14 @@ func TestRenderMultusAdmissionController(t *testing.T) {
 	bootstrap := fakeBootstrapResult()
 
 	// disable MultusAdmissionController
-	objs, err := renderMultusAdmissionController(config, manifestDir, false, bootstrap, fakeClient)
+	objs, err := renderMultusAdmissionController(config, manifestDir, false, bootstrap, fakeClient, nil)
 	g.Expect(err).NotTo(HaveOccurred())
 	g.Expect(objs).NotTo(ContainElement(HaveKubernetesID("Deployment", "openshift-multus", "multus-admission-controller")))
 
 	// enable MultusAdmissionController
 	enabled := false
 	config.DisableMultiNetwork = &enabled
-	objs, err = renderMultusAdmissionController(config, manifestDir, false, bootstrap, fakeClient)
+	objs, err = renderMultusAdmissionController(config, manifestDir, false, bootstrap, fakeClient, nil)
 	g.Expect(err).NotTo(HaveOccurred())
 	g.Expect(objs).To(ContainElement(HaveKubernetesID("Deployment", "openshift-multus", "multus-admission-controller")))
 
@@ -143,7 +143,7 @@ func TestRenderMultusAdmissonControllerConfigForHyperShift(t *testing.T) {
 	hsc.ReleaseImage = "MyImage"
 	hsc.ControlPlaneImage = "MyCPOImage"
 
-	objs, err := renderMultusAdmissonControllerConfig(manifestDir, false, bootstrap, fakeClient, hsc, "")
+	objs, err := renderMultusAdmissonControllerConfig(manifestDir, false, bootstrap, fakeClient, hsc, "", nil)
 	g.Expect(err).NotTo(HaveOccurred())
 
 	// Check rendered object

pkg/network/render.go

@@ -65,7 +65,7 @@ func Render(operConf *operv1.NetworkSpec, clusterConf *configv1.NetworkSpec, man
 
 	// render MultusAdmissionController
 	o, err = renderMultusAdmissionController(operConf, manifestDir,
-		bootstrapResult.Infra.ControlPlaneTopology == configv1.ExternalTopologyMode, bootstrapResult, client)
+		bootstrapResult.Infra.ControlPlaneTopology == configv1.ExternalTopologyMode, bootstrapResult, client, featureGates)
 	if err != nil {
 		return nil, progressing, err
 	}
@@ -805,7 +805,7 @@ func getMultusAdmissionControllerReplicas(bootstrapResult *bootstrap.BootstrapRe
 }
 
 // renderMultusAdmissionController generates the manifests of Multus Admission Controller
-func renderMultusAdmissionController(conf *operv1.NetworkSpec, manifestDir string, externalControlPlane bool, bootstrapResult *bootstrap.BootstrapResult, client cnoclient.Client) ([]*uns.Unstructured, error) {
+func renderMultusAdmissionController(conf *operv1.NetworkSpec, manifestDir string, externalControlPlane bool, bootstrapResult *bootstrap.BootstrapResult, client cnoclient.Client, featureGates featuregates.FeatureGate) ([]*uns.Unstructured, error) {
 	if *conf.DisableMultiNetwork {
 		return nil, nil
 	}
@@ -815,7 +815,7 @@ func renderMultusAdmissionController(conf *operv1.NetworkSpec, manifestDir strin
 
 	hsc := hypershift.NewHyperShiftConfig()
 	objs, err := renderMultusAdmissonControllerConfig(manifestDir, externalControlPlane,
-		bootstrapResult, client, hsc, names.ManagementClusterName)
+		bootstrapResult, client, hsc, names.ManagementClusterName, featureGates)
 	if err != nil {
 		return nil, err
 	}