Skip to content

OCPBUGS-55962: DownStream Merge [08-20-2025] #2729

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Aug 21, 2025
Merged

OCPBUGS-55962: DownStream Merge [08-20-2025] #2729

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
b05875b
SDN-3674 Copy annotations from UDN to NAD
Jun 9, 2025
d0e0e28
Add VF device support for primary UDN Pod interface
cathy-zhou Jun 16, 2025
bf174d6
support unprivileged mode CNI for plumbing the UDN primary interface
cathy-zhou Aug 13, 2025
3c08235
Revert "Skip session affinity conformance test"
npinaeva Aug 18, 2025
e1ac399
Provide global routed udn isolation option
pperiyasamy May 30, 2025
636eaeb
Skip adding drop ACLs when Routed UDN Isolation is disabled
pperiyasamy May 22, 2025
b1c9b28
Add CI lane and E2E to test loosly isolated advertised UDNs
pperiyasamy Jun 3, 2025
01fccb7
Set nodes default gateway to the external FRR router for isolation lo…
pliurh Jul 17, 2025
28c67ea
node: refactor MEG/Advertised UDN ingress and egress flows
pliurh Jul 21, 2025
742041b
Refactor: Rename config flag routed-udn-isolation to advertised-udn-i…
pliurh Jul 22, 2025
9f9571e
Merge pull request #5475 from cathy-zhou/upstream-unpriv
trozet Aug 19, 2025
72d1776
Merge pull request #5498 from npinaeva/reenable-test
trozet Aug 19, 2025
e0dd341
Merge remote-tracking branch 'upstream/master' into d/s-merge-08-20-2025
Aug 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 6 additions & 4 deletions .github/workflows/test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -483,14 +483,15 @@ jobs:
- {"target": "network-segmentation", "ha": "noHA", "gateway-mode": "shared", "ipfamily": "ipv6", "disable-snat-multiple-gws": "noSnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones"}
- {"target": "bgp", "ha": "noHA", "gateway-mode": "local", "ipfamily": "dualstack", "disable-snat-multiple-gws": "snatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "routeadvertisements": "advertise-default", "network-segmentation": "enable-network-segmentation", "dns-name-resolver": "enable-dns-name-resolver"}
- {"target": "bgp", "ha": "noHA", "gateway-mode": "shared", "ipfamily": "dualstack", "disable-snat-multiple-gws": "noSnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "routeadvertisements": "advertise-default", "network-segmentation": "enable-network-segmentation", "dns-name-resolver": "enable-dns-name-resolver"}
- {"target": "bgp-loose-isolation", "ha": "noHA", "gateway-mode": "shared", "ipfamily": "dualstack", "disable-snat-multiple-gws": "snatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "routeadvertisements": "advertise-default", "network-segmentation": "enable-network-segmentation", "advertised-udn-isolation-mode": "loose"}
- {"target": "traffic-flow-test-only","ha": "noHA", "gateway-mode": "shared", "ipfamily": "ipv4", "disable-snat-multiple-gws": "noSnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "traffic-flow-tests": "1-24", "network-segmentation": "enable-network-segmentation"}
- {"target": "tools", "ha": "noHA", "gateway-mode": "local", "ipfamily": "dualstack", "disable-snat-multiple-gws": "SnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "network-segmentation": "enable-network-segmentation"}
needs: [ build-pr ]
env:
JOB_NAME: "${{ matrix.target }}-${{ matrix.ha }}-${{ matrix.gateway-mode }}-${{ matrix.ipfamily }}-${{ matrix.disable-snat-multiple-gws }}-${{ matrix.second-bridge }}-${{ matrix.ic }}"
OVN_HYBRID_OVERLAY_ENABLE: ${{ (matrix.target == 'control-plane' || matrix.target == 'control-plane-helm') && (matrix.ipfamily == 'ipv4' || matrix.ipfamily == 'dualstack' ) }}
OVN_MULTICAST_ENABLE: "${{ matrix.target == 'control-plane' || matrix.target == 'control-plane-helm' || matrix.target == 'network-segmentation' || matrix.target == 'bgp' }}"
OVN_EMPTY_LB_EVENTS: "${{ matrix.target == 'control-plane' || matrix.target == 'control-plane-helm' || matrix.target == 'bgp' }}"
OVN_MULTICAST_ENABLE: "${{ matrix.target == 'control-plane' || matrix.target == 'control-plane-helm' || matrix.target == 'network-segmentation' || matrix.target == 'bgp' || matrix.target == 'bgp-loose-isolation' }}"
OVN_EMPTY_LB_EVENTS: "${{ matrix.target == 'control-plane' || matrix.target == 'control-plane-helm' || matrix.target == 'bgp' || matrix.target == 'bgp-loose-isolation' }}"
OVN_HA: "${{ matrix.ha == 'HA' }}"
OVN_DISABLE_SNAT_MULTIPLE_GWS: "${{ matrix.disable-snat-multiple-gws == 'noSnatGW' }}"
KIND_INSTALL_METALLB: "${{ matrix.target == 'control-plane' || matrix.target == 'control-plane-helm' || matrix.target == 'network-segmentation' }}"
Expand All @@ -514,6 +515,7 @@ jobs:
ENABLE_ROUTE_ADVERTISEMENTS: "${{ matrix.routeadvertisements != '' }}"
ADVERTISE_DEFAULT_NETWORK: "${{ matrix.routeadvertisements == 'advertise-default' }}"
ENABLE_PRE_CONF_UDN_ADDR: "${{ matrix.ic == 'ic-single-node-zones' && (matrix.target == 'network-segmentation' || matrix.network-segmentation == 'enable-network-segmentation') }}"
ADVERTISED_UDN_ISOLATION_MODE: "${{ matrix.advertised-udn-isolation-mode }}"
steps:

- name: Install VRF kernel module
Expand Down Expand Up @@ -647,7 +649,7 @@ jobs:
# set 3 hours for control-plane tests as these might take a while
# give 10m extra to give ginkgo chance to timeout before github so that we
# get its output
timeout-minutes: ${{ matrix.target == 'bgp' && 190 || matrix.target == 'control-plane' && 190 || matrix.target == 'control-plane-helm' && 190 || matrix.target == 'external-gateway' && 190 || 130 }}
timeout-minutes: ${{ matrix.target == 'bgp-loose-isolation' && 190 || matrix.target == 'bgp' && 190 || matrix.target == 'control-plane' && 190 || matrix.target == 'control-plane-helm' && 190 || matrix.target == 'external-gateway' && 190 || 130 }}
run: |
# used by e2e diagnostics package
export OVN_IMAGE="ovn-daemonset-fedora:pr"
Expand All @@ -671,7 +673,7 @@ jobs:
fi
elif [ "${{ matrix.target }}" == "network-segmentation" ]; then
make -C test control-plane WHAT="Network Segmentation"
elif [ "${{ matrix.target }}" == "bgp" ]; then
elif [ "${{ matrix.target }}" == "bgp" ] || [ "${{ matrix.target }}" == "bgp-loose-isolation" ]; then
make -C test control-plane
elif [ "${{ matrix.target }}" == "tools" ]; then
make -C go-controller build
Expand Down
50 changes: 40 additions & 10 deletions contrib/kind-common
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -758,22 +758,52 @@ deploy_bgp_external_server() {
$OCI_BIN run --cap-add NET_ADMIN --user 0 -d --network bgpnet --rm --name bgpserver -p 8080:8080 registry.k8s.io/e2e-test-images/agnhost:2.45 netexec
# let's make the bgp external server have its default route towards FRR router so that we don't need to add routes during tests back to the pods in the
# cluster for return traffic
local bgp_network_frr_v4 bgp_network_frr_v6
local bgp_network_frr_v4 bgp_network_frr_v6 kind_network_frr_v4 kind_network_frr_v6
bgp_network_frr_v4=$($OCI_BIN inspect -f '{{.NetworkSettings.Networks.bgpnet.IPAddress}}' frr)
echo "FRR kind network IPv4: ${bgp_network_frr_v4}"
echo "FRR bgp network IPv4: ${bgp_network_frr_v4}"
$OCI_BIN exec bgpserver ip route replace default via "$bgp_network_frr_v4"
if [ "$PLATFORM_IPV6_SUPPORT" == true ] ; then
bgp_network_frr_v6=$($OCI_BIN inspect -f '{{.NetworkSettings.Networks.bgpnet.GlobalIPv6Address}}' frr)
echo "FRR kind network IPv6: ${bgp_network_frr_v6}"
echo "FRR bgp network IPv6: ${bgp_network_frr_v6}"
$OCI_BIN exec bgpserver ip -6 route replace default via "$bgp_network_frr_v6"
fi
# disable the default route to make sure the container only routes accross
# directly connected or learnt networks (doing this at the very end since
# docker changes the routing table when a new network is connected)
$OCI_BIN exec frr ip route delete default
$OCI_BIN exec frr ip route
$OCI_BIN exec frr ip -6 route delete default
$OCI_BIN exec frr ip -6 route
if [ "$ADVERTISED_UDN_ISOLATION_MODE" == "loose" ]; then
kind_network_frr_v4=$($OCI_BIN inspect -f '{{.NetworkSettings.Networks.kind.IPAddress}}' frr)
echo "FRR kind network IPv4: ${kind_network_frr_v4}"
# If UDN isolation is in loose disabled, we need to set the default gateway for the nodes in the cluster
# to the FRR router so that cross-UDN traffic can be routed back to the pods in the cluster in the loose mode.
echo "Setting default gateway for nodes in the cluster to FRR router IPv4: ${kind_network_frr_v4}"
set_nodes_default_gw "$kind_network_frr_v4"
if [ "$PLATFORM_IPV6_SUPPORT" == true ] ; then
kind_network_frr_v6=$($OCI_BIN inspect -f '{{.NetworkSettings.Networks.kind.GlobalIPv6Address}}' frr)
echo "FRR kind network IPv6: ${kind_network_frr_v6}"
set_nodes_default_gw "$kind_network_frr_v6"
fi
else
# disable the default route to make sure the container only routes accross
# directly connected or learnt networks (doing this at the very end since
# docker changes the routing table when a new network is connected)
$OCI_BIN exec frr ip route delete default
$OCI_BIN exec frr ip route
$OCI_BIN exec frr ip -6 route delete default
$OCI_BIN exec frr ip -6 route
fi
}

set_nodes_default_gw() {
local gw="$1"
local ip_cmd="ip"
local route_cmd="route replace default via"

# Check if $gw is IPv6 (contains ':')
if [[ "$gw" == *:* ]]; then
ip_cmd="ip -6"
fi

KIND_NODES=$(kind_get_nodes)
for node in $KIND_NODES; do
$OCI_BIN exec "$node" $ip_cmd $route_cmd "$gw"
done
}

destroy_bgp() {
Expand Down
7 changes: 7 additions & 0 deletions contrib/kind.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@ usage() {
echo " [-ic | --enable-interconnect]"
echo " [-uae | --preconfigured-udn-addresses-enable]"
echo " [-rae | --enable-route-advertisements]"
echo " [-rud | --routed-udn-isolation-disable]"
echo " [-adv | --advertise-default-network]"
echo " [-nqe | --network-qos-enable]"
echo " [--isolated]"
Expand Down Expand Up @@ -127,6 +128,7 @@ echo "-obs | --observability Enable OVN Observability fea
echo "-uae | --preconfigured-udn-addresses-enable Enable connecting workloads with preconfigured network to user-defined networks"
echo "-rae | --enable-route-advertisements Enable route advertisements"
echo "-adv | --advertise-default-network Applies a RouteAdvertisements configuration to advertise the default network on all nodes"
echo "-rud | --routed-udn-isolation-disable Disable isolation across BGP-advertised UDNs (sets advertised-udn-isolation-mode=loose). DEFAULT: strict."
echo ""
}

Expand Down Expand Up @@ -316,6 +318,8 @@ parse_args() {
;;
-adv | --advertise-default-network) ADVERTISE_DEFAULT_NETWORK=true
;;
-rud | --routed-udn-isolation-disable) ADVERTISED_UDN_ISOLATION_MODE=loose
;;
-ce | --enable-central ) OVN_ENABLE_INTERCONNECT=false
CENTRAL_ARG_PROVIDED=true
;;
Expand Down Expand Up @@ -417,6 +421,7 @@ print_params() {
echo "ENABLE_MULTI_NET = $ENABLE_MULTI_NET"
echo "ENABLE_NETWORK_SEGMENTATION= $ENABLE_NETWORK_SEGMENTATION"
echo "ENABLE_ROUTE_ADVERTISEMENTS= $ENABLE_ROUTE_ADVERTISEMENTS"
echo "ADVERTISED_UDN_ISOLATION_MODE= $ADVERTISED_UDN_ISOLATION_MODE"
echo "ADVERTISE_DEFAULT_NETWORK = $ADVERTISE_DEFAULT_NETWORK"
echo "ENABLE_PRE_CONF_UDN_ADDR = $ENABLE_PRE_CONF_UDN_ADDR"
echo "OVN_ENABLE_INTERCONNECT = $OVN_ENABLE_INTERCONNECT"
Expand Down Expand Up @@ -663,6 +668,7 @@ set_default_params() {
echo "Preconfigured UDN addresses requires interconnect to be enabled (-ic)"
exit 1
fi
ADVERTISED_UDN_ISOLATION_MODE=${ADVERTISED_UDN_ISOLATION_MODE:-strict}
ADVERTISE_DEFAULT_NETWORK=${ADVERTISE_DEFAULT_NETWORK:-false}
OVN_COMPACT_MODE=${OVN_COMPACT_MODE:-false}
if [ "$OVN_COMPACT_MODE" == true ]; then
Expand Down Expand Up @@ -916,6 +922,7 @@ create_ovn_kube_manifests() {
--preconfigured-udn-addresses-enable="${ENABLE_PRE_CONF_UDN_ADDR}" \
--route-advertisements-enable="${ENABLE_ROUTE_ADVERTISEMENTS}" \
--advertise-default-network="${ADVERTISE_DEFAULT_NETWORK}" \
--advertised-udn-isolation-mode="${ADVERTISED_UDN_ISOLATION_MODE}" \
--ovnkube-metrics-scale-enable="${OVN_METRICS_SCALE_ENABLE}" \
--compact-mode="${OVN_COMPACT_MODE}" \
--enable-interconnect="${OVN_ENABLE_INTERCONNECT}" \
Expand Down
14 changes: 14 additions & 0 deletions dist/images/daemonset.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@ OVN_NETWORK_SEGMENTATION_ENABLE=
OVN_PRE_CONF_UDN_ADDR_ENABLE=
OVN_ROUTE_ADVERTISEMENTS_ENABLE=
OVN_ADVERTISE_DEFAULT_NETWORK=
OVN_ADVERTISED_UDN_ISOLATION_MODE=
OVN_V4_JOIN_SUBNET=""
OVN_V6_JOIN_SUBNET=""
OVN_V4_MASQUERADE_SUBNET=""
Expand Down Expand Up @@ -283,6 +284,9 @@ while [ "$1" != "" ]; do
--advertise-default-network)
OVN_ADVERTISE_DEFAULT_NETWORK=$VALUE
;;
--advertised-udn-isolation-mode)
OVN_ADVERTISED_UDN_ISOLATION_MODE=$VALUE
;;
--egress-service-enable)
OVN_EGRESSSERVICE_ENABLE=$VALUE
;;
Expand Down Expand Up @@ -478,6 +482,8 @@ ovn_route_advertisements_enable=${OVN_ROUTE_ADVERTISEMENTS_ENABLE}
echo "ovn_route_advertisements_enable: ${ovn_route_advertisements_enable}"
ovn_advertise_default_network=${OVN_ADVERTISE_DEFAULT_NETWORK}
echo "ovn_advertise_default_network: ${ovn_advertise_default_network}"
ovn_advertised_udn_isolation_mode=${OVN_ADVERTISED_UDN_ISOLATION_MODE}
echo "ovn_advertised_udn_isolation_mode: ${ovn_advertised_udn_isolation_mode}"
ovn_hybrid_overlay_net_cidr=${OVN_HYBRID_OVERLAY_NET_CIDR}
echo "ovn_hybrid_overlay_net_cidr: ${ovn_hybrid_overlay_net_cidr}"
ovn_disable_snat_multiple_gws=${OVN_DISABLE_SNAT_MULTIPLE_GWS}
Expand Down Expand Up @@ -620,6 +626,7 @@ ovn_image=${ovnkube_image} \
ovn_network_segmentation_enable=${ovn_network_segmentation_enable} \
ovn_pre_conf_udn_addr_enable=${ovn_pre_conf_udn_addr_enable} \
ovn_route_advertisements_enable=${ovn_route_advertisements_enable} \
ovn_advertised_udn_isolation_mode=${ovn_advertised_udn_isolation_mode} \
ovn_egress_service_enable=${ovn_egress_service_enable} \
ovn_ssl_en=${ovn_ssl_en} \
ovn_remote_probe_interval=${ovn_remote_probe_interval} \
Expand Down Expand Up @@ -674,6 +681,7 @@ ovn_image=${ovnkube_image} \
ovn_multi_network_enable=${ovn_multi_network_enable} \
ovn_network_segmentation_enable=${ovn_network_segmentation_enable} \
ovn_route_advertisements_enable=${ovn_route_advertisements_enable} \
ovn_advertised_udn_isolation_mode=${ovn_advertised_udn_isolation_mode} \
ovn_egress_service_enable=${ovn_egress_service_enable} \
ovn_ssl_en=${ovn_ssl_en} \
ovn_remote_probe_interval=${ovn_remote_probe_interval} \
Expand Down Expand Up @@ -773,6 +781,7 @@ ovn_image=${ovnkube_image} \
ovn_multi_network_enable=${ovn_multi_network_enable} \
ovn_network_segmentation_enable=${ovn_network_segmentation_enable} \
ovn_route_advertisements_enable=${ovn_route_advertisements_enable} \
ovn_advertised_udn_isolation_mode=${ovn_advertised_udn_isolation_mode} \
ovn_egress_service_enable=${ovn_egress_service_enable} \
ovn_ssl_en=${ovn_ssl_en} \
ovn_master_count=${ovn_master_count} \
Expand Down Expand Up @@ -823,6 +832,7 @@ ovn_image=${ovnkube_image} \
ovn_network_segmentation_enable=${ovn_network_segmentation_enable} \
ovn_pre_conf_udn_addr_enable=${ovn_pre_conf_udn_addr_enable} \
ovn_route_advertisements_enable=${ovn_route_advertisements_enable} \
ovn_advertised_udn_isolation_mode=${ovn_advertised_udn_isolation_mode} \
ovn_egress_service_enable=${ovn_egress_service_enable} \
ovn_ssl_en=${ovn_ssl_en} \
ovn_master_count=${ovn_master_count} \
Expand Down Expand Up @@ -904,6 +914,7 @@ ovn_image=${ovnkube_image} \
ovn_network_segmentation_enable=${ovn_network_segmentation_enable} \
ovn_pre_conf_udn_addr_enable=${ovn_pre_conf_udn_addr_enable} \
ovn_route_advertisements_enable=${ovn_route_advertisements_enable} \
ovn_advertised_udn_isolation_mode=${ovn_advertised_udn_isolation_mode} \
ovn_egress_service_enable=${ovn_egress_service_enable} \
ovn_ssl_en=${ovn_ssl_en} \
ovn_remote_probe_interval=${ovn_remote_probe_interval} \
Expand Down Expand Up @@ -972,6 +983,7 @@ ovn_image=${ovnkube_image} \
ovn_network_segmentation_enable=${ovn_network_segmentation_enable} \
ovn_pre_conf_udn_addr_enable=${ovn_pre_conf_udn_addr_enable} \
ovn_route_advertisements_enable=${ovn_route_advertisements_enable} \
ovn_advertised_udn_isolation_mode=${ovn_advertised_udn_isolation_mode} \
ovn_ssl_en=${ovn_ssl_en} \
ovn_remote_probe_interval=${ovn_remote_probe_interval} \
ovn_monitor_all=${ovn_monitor_all} \
Expand Down Expand Up @@ -1070,12 +1082,14 @@ ovn_network_segmentation_enable=${ovn_network_segmentation_enable} \
ovn_pre_conf_udn_addr_enable=${ovn_pre_conf_udn_addr_enable} \
ovn_enable_dnsnameresolver=${ovn_enable_dnsnameresolver} \
ovn_route_advertisements_enable=${ovn_route_advertisements_enable} \
ovn_advertised_udn_isolation_mode=${ovn_advertised_udn_isolation_mode} \
jinjanate ../templates/rbac-ovnkube-cluster-manager.yaml.j2 -o ${output_dir}/rbac-ovnkube-cluster-manager.yaml

ovn_network_segmentation_enable=${ovn_network_segmentation_enable} \
ovn_enable_dnsnameresolver=${ovn_enable_dnsnameresolver} \
ovn_route_advertisements_enable=${ovn_route_advertisements_enable} \
ovn_pre_conf_udn_addr_enable=${ovn_pre_conf_udn_addr_enable} \
ovn_advertised_udn_isolation_mode=${ovn_advertised_udn_isolation_mode} \
jinjanate ../templates/rbac-ovnkube-master.yaml.j2 -o ${output_dir}/rbac-ovnkube-master.yaml

cp ../templates/rbac-ovnkube-identity.yaml.j2 ${output_dir}/rbac-ovnkube-identity.yaml
Expand Down
Loading