Merge pull request #2501 from jcaamano/dmerge-20250321

OCPBUGS-54245, SDN-5772: Downstream merge 2025-03-21

Author: openshift-merge-bot[bot]

.github/workflows/test.yml

@@ -414,6 +414,8 @@ jobs:
         include:
           - {"target": "shard-conformance", "ha": "HA",   "gateway-mode": "shared", "ipfamily": "ipv4",      "disable-snat-multiple-gws": "snatGW",   "second-bridge": "1br", "ic": "ic-disabled"}
           - {"target": "shard-conformance", "ha": "noHA", "gateway-mode": "local",  "ipfamily": "dualstack", "disable-snat-multiple-gws": "snatGW",   "second-bridge": "1br", "ic": "ic-single-node-zones"}
+          - {"target": "shard-conformance", "ha": "HA",   "gateway-mode": "shared", "ipfamily": "ipv4",      "disable-snat-multiple-gws": "noSnatGW",   "second-bridge": "1br", "ic": "ic-single-node-zones", "routeadvertisements": "advertise-default"}
+          - {"target": "shard-conformance", "ha": "HA", "gateway-mode": "local",  "ipfamily": "dualstack", "disable-snat-multiple-gws": "noSnatGW",   "second-bridge": "1br", "ic": "ic-single-node-zones", "routeadvertisements": "advertise-default"}
           - {"target": "shard-conformance", "ha": "noHA", "gateway-mode": "shared", "ipfamily": "ipv6",      "disable-snat-multiple-gws": "snatGW",   "second-bridge": "1br", "ic": "ic-single-node-zones"}
           - {"target": "shard-conformance", "ha": "noHA", "gateway-mode": "shared", "ipfamily": "ipv4",      "disable-snat-multiple-gws": "snatGW",   "second-bridge": "1br", "ic": "ic-single-node-zones"}
           - {"target": "control-plane",     "ha": "HA",   "gateway-mode": "shared", "ipfamily": "ipv6",      "disable-snat-multiple-gws": "noSnatGW", "second-bridge": "1br", "ic": "ic-disabled",          "dns-name-resolver": "enable-dns-name-resolver"}
@@ -443,6 +445,8 @@ jobs:
           - {"target": "network-segmentation", "ha": "noHA", "gateway-mode": "shared", "ipfamily": "dualstack", "disable-snat-multiple-gws": "SnatGW", "second-bridge": "1br", "ic": "ic-disabled"}
           - {"target": "network-segmentation", "ha": "noHA", "gateway-mode": "shared", "ipfamily": "ipv4", "disable-snat-multiple-gws": "noSnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones"}
           - {"target": "network-segmentation", "ha": "noHA", "gateway-mode": "shared", "ipfamily": "ipv6", "disable-snat-multiple-gws": "noSnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones"}
+          - {"target": "bgp", "ha": "noHA", "gateway-mode": "local",  "ipfamily": "dualstack", "disable-snat-multiple-gws": "snatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "routeadvertisements": "advertise-default"}
+          - {"target": "bgp", "ha": "noHA", "gateway-mode": "shared",  "ipfamily": "ipv4", "disable-snat-multiple-gws": "snatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "routeadvertisements": "advertise-default"}
           - {"target": "traffic-flow-test-only","ha": "noHA", "gateway-mode": "shared", "ipfamily": "ipv4", "disable-snat-multiple-gws": "noSnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "traffic-flow-tests": "1-24"}
           - {"target": "tools", "ha": "noHA", "gateway-mode": "local", "ipfamily": "dualstack", "disable-snat-multiple-gws": "SnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones"}
     needs: [ build-pr ]
@@ -458,8 +462,8 @@ jobs:
       OVN_SECOND_BRIDGE: "${{ matrix.second-bridge == '2br' }}"
       KIND_IPV4_SUPPORT: "${{ matrix.ipfamily == 'IPv4' || matrix.ipfamily == 'dualstack' }}"
       KIND_IPV6_SUPPORT: "${{ matrix.ipfamily == 'IPv6' || matrix.ipfamily == 'dualstack' }}"
-      ENABLE_MULTI_NET: "${{ matrix.target == 'multi-homing' || matrix.target == 'kv-live-migration' || matrix.target == 'network-segmentation' || matrix.target == 'tools' || matrix.target == 'multi-homing-helm' || matrix.target == 'traffic-flow-test-only' }}"
-      ENABLE_NETWORK_SEGMENTATION: "${{ matrix.target == 'network-segmentation' || matrix.target == 'tools' || matrix.target == 'kv-live-migration' || matrix.target == 'traffic-flow-test-only' }}"
+      ENABLE_MULTI_NET: "${{ matrix.target == 'multi-homing' || matrix.target == 'kv-live-migration' || matrix.target == 'network-segmentation' || matrix.target == 'tools' || matrix.target == 'multi-homing-helm' || matrix.target == 'traffic-flow-test-only' || matrix.routeadvertisements != '' }}"
+      ENABLE_NETWORK_SEGMENTATION: "${{ matrix.target == 'network-segmentation' || matrix.target == 'tools' || matrix.target == 'kv-live-migration' || matrix.target == 'traffic-flow-test-only' || matrix.target == 'bgp' }}"
       DISABLE_UDN_HOST_ISOLATION: "true"
       KIND_INSTALL_KUBEVIRT: "${{ matrix.target == 'kv-live-migration' }}"
       OVN_COMPACT_MODE: "${{ matrix.target == 'compact-mode' }}"
@@ -471,6 +475,8 @@ jobs:
       USE_HELM: "${{ matrix.target == 'control-plane-helm' || matrix.target == 'multi-homing-helm' }}"
       OVN_ENABLE_DNSNAMERESOLVER: "${{ matrix.dns-name-resolver == 'enable-dns-name-resolver' }}"
       TRAFFIC_FLOW_TESTS: "${{ matrix.traffic-flow-tests }}"
+      ENABLE_ROUTE_ADVERTISEMENTS: "${{ matrix.routeadvertisements != '' }}"
+      ADVERTISE_DEFAULT_NETWORK:  "${{ matrix.routeadvertisements == 'advertise-default' }}"
     steps:
 
     - name: Install VRF kernel module
@@ -514,6 +520,30 @@ jobs:
           echo OVN_TEST_EX_GW_NETWORK=kindexgw >> $GITHUB_ENV
           echo OVN_ENABLE_EX_GW_NETWORK_BRIDGE=true >> $GITHUB_ENV
         fi
+        if [[ "$JOB_NAME" == *"shard-conformance"* ]] && [ "$ADVERTISE_DEFAULT_NETWORK" == "true" ]; then
+          echo "ADVERTISE_DEFAULT_NETWORK=true" >> $GITHUB_ENV
+
+          # Use proper variable declaration with default values
+          NET_CIDR_IPV4=${NET_CIDR_IPV4:-10.244.0.0/16}
+          NET_CIDR_IPV6=${NET_CIDR_IPV6:-fd00:10:244::/48}
+
+          sudo ip a
+          sudo ip r
+
+          # Add masquerade rules for both IPv4 and IPv6 networks
+          echo "Adding masquerade rule for $NET_CIDR_IPV4"
+          sudo iptables -t nat -A POSTROUTING -s $NET_CIDR_IPV4 -o eth0 -j MASQUERADE
+
+          echo "Adding masquerade rule for $NET_CIDR_IPV6"
+          sudo ip6tables -t nat -A POSTROUTING -s $NET_CIDR_IPV6 -o eth0 -j MASQUERADE
+
+          # Verify the rules were added
+          echo "IPv4 POSTROUTING rules:"
+          sudo iptables -t nat -L POSTROUTING -v
+
+          echo "IPv6 POSTROUTING rules:"
+          sudo ip6tables -t nat -L POSTROUTING -v
+        fi
 
     - name: Disable ufw
       # For IPv6 and Dualstack, ufw (Uncomplicated Firewall) should be disabled.
@@ -569,6 +599,8 @@ jobs:
           make -C test conformance
         elif [ "${{ matrix.target }}" == "network-segmentation" ]; then
           make -C test control-plane WHAT="Network Segmentation"
+        elif [ "${{ matrix.target }}" == "bgp" ]; then
+          make -C test control-plane WHAT="BGP"
         elif [ "${{ matrix.target }}" == "tools" ]; then
           make -C go-controller build
           make -C test tools

MEETINGS.md

@@ -6,15 +6,17 @@ All are welcome to join our meetings! If you want to discuss something with the
 
 ## Meeting time
 
-We meet alternate Monday's at 10:00 AM US Pacific Time.
+We meet alternate Monday's at 6:00 PM CET/CEST.
 In order to figure out when our next meeting is, please check our agenda for previous meeting history.
 The meetings last up to 1 hour.
 
 ## Meeting location
 
-* Video call link: <https://meet.google.com/tgr-pqke-cen>
-* Or dial: (DE) +49 30 300195060 PIN: 846 145 117 7213#
-* More phone numbers: <https://tel.meet/tgr-pqke-cen?pin=8461451177213>
+* Platform: CNCF Zoom
+* [Meeting Link](https://zoom-lfx.platform.linuxfoundation.org/meeting/98741709730?password=ec6c1c1d-8f40-4a3a-a13d-5e284db7ff43)
+* MeetingID: 98741709730
+* Meeting Passcode: Please check the Meeting Notes Top section where passcode is represented
+* [Project Community Calendar ics Link for importing](https://webcal.prod.itx.linuxfoundation.org/lfx/lfUT0YkGZgOXRcnNGf)
 
 ## Meeting agenda and minutes
 

contrib/kind-common

@@ -324,7 +324,11 @@ install_kubevirt() {
     # vX.Y.Z - install specific stable (i.e v1.3.1)
     # nightly - install newest nightly
     # nightly tag - install specific nightly (i.e 20240910)
-    KUBEVIRT_VERSION=${KUBEVIRT_VERSION:-"stable"}
+    # KUBEVIRT_VERSION=${KUBEVIRT_VERSION:-"stable"}
+
+    # FIXME: kubevirt v1.5.0 is breaking live migration tcp connections at
+    #        at e2e tests, this pin to v1.4.0 wich is known to work
+    KUBEVIRT_VERSION=${KUBEVIRT_VERSION:-"v1.4.0"}
 
     for node in $(kubectl get node --no-headers  -o custom-columns=":metadata.name"); do
         $OCI_BIN exec -t $node bash -c "echo 'fs.inotify.max_user_watches=1048576' >> /etc/sysctl.conf"
@@ -409,7 +413,7 @@ install_multus() {
 
 install_mpolicy_crd() {
   echo "Installing multi-network-policy CRD ..."
-  mpolicy_manifest="https://raw.githubusercontent.com/k8snetworkplumbingwg/multi-networkpolicy/master/scheme.yml"
+  mpolicy_manifest="https://raw.githubusercontent.com/k8snetworkplumbingwg/multi-networkpolicy/refs/tags/v1.0.1/scheme.yml"
   run_kubectl apply -f "$mpolicy_manifest"
 }
 
@@ -648,14 +652,23 @@ get_kubevirt_release_url() {
     echo "$kubevirt_release_url"
 }
 
-readonly FRR_K8S_VERSION=v0.0.14
+readonly FRR_K8S_VERSION=v0.0.17
 readonly FRR_TMP_DIR=$(mktemp -d -u)
 
 clone_frr() {
   [ -d "$FRR_TMP_DIR" ] || {
     mkdir -p "$FRR_TMP_DIR" && trap 'rm -rf $FRR_TMP_DIR' EXIT
     pushd "$FRR_TMP_DIR" || exit 1
     git clone --depth 1 --branch $FRR_K8S_VERSION https://github.com/metallb/frr-k8s
+
+    # Download the patches
+    curl -Ls https://github.com/jcaamano/frr-k8s/archive/refs/heads/ovnk-bgp.tar.gz | tar xzvf - frr-k8s-ovnk-bgp/patches --strip-components 1
+
+    # Change into the cloned repo directory before applying patches
+    pushd frr-k8s
+    git apply ../patches/*
+    popd
+
     popd || exit 1
   }
 }
@@ -672,19 +685,86 @@ deploy_frr_external_container() {
   # can peer with acting as BGP (reflector) external gateway
   pushd "${FRR_TMP_DIR}"/frr-k8s/hack/demo || exit 1
   # modify config template to configure neighbors as route reflector clients
+  # First check if IPv4 network already exists
+  grep -q 'network '"${BGP_SERVER_NET_SUBNET_IPV4}" frr/frr.conf.tmpl || \
+    sed -i '/address-family ipv4 unicast/a \ \ network '"${BGP_SERVER_NET_SUBNET_IPV4}"'' frr/frr.conf.tmpl
+
+  # Add route reflector client config
   sed -i '/remote-as 64512/a \ neighbor {{ . }} route-reflector-client' frr/frr.conf.tmpl
+
+  if [ "$KIND_IPV6_SUPPORT" == true ]; then
+    # Check if IPv6 address-family section exists
+    if ! grep -q 'address-family ipv6 unicast' frr/frr.conf.tmpl; then
+      # Add IPv6 address-family section if it doesn't exist
+      sed -i '/exit-address-family/a \ \
+  address-family ipv6 unicast\
+    network '"${BGP_SERVER_NET_SUBNET_IPV6}"'\
+  exit-address-family' frr/frr.conf.tmpl
+    else
+      # Add network to existing IPv6 section
+      sed -i '/address-family ipv6 unicast/a \ \ network '"${BGP_SERVER_NET_SUBNET_IPV6}"'' frr/frr.conf.tmpl
+    fi
+
+    # Add route-reflector-client for IPv6 neighbors
+    sed -i '/neighbor fc00.*remote-as 64512/a \ neighbor {{ . }} route-reflector-client' frr/frr.conf.tmpl
+  fi
   ./demo.sh
   popd || exit 1
+  if  [ "$KIND_IPV6_SUPPORT" == true ]; then
+    # Enable IPv6 forwarding in FRR
+    docker exec frr sysctl -w net.ipv6.conf.all.forwarding=1
+  fi
+}
 
-  # this container will act as the gateway for the cluster and will masquerade
-  # towards the external world
-  $OCI_BIN exec frr iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-  # set default route
-  FRR_IP=$($OCI_BIN inspect -f "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}" frr)
-  KIND_NODES=$(kind_get_nodes)
-  for n in $KIND_NODES; do
-    $OCI_BIN exec "$n" ip route replace default via "$FRR_IP"
-  done
+deploy_bgp_external_server() {
+  # We create an external docker container that acts as the server (or client) outside the cluster
+  # in the e2e tests that levergae router advertisements.
+  # This container will be connected to the frr container deployed above to simulate a realistic
+  # network topology
+  # -----------------               ------------------                         ---------------------
+  # |               | 172.26.0.0/16 |                |       172.18.0.0/16     | ovn-control-plane |
+  # |   external    |<------------- |   FRR router   |<------ KIND cluster --  ---------------------
+  # |    server     |               |                |                         |    ovn-worker     |   (client pod advertised
+  # -----------------               ------------------                         ---------------------    using RouteAdvertisements
+  #                                                                            |    ovn-worker2    |    from default pod network)
+  #                                                                            ---------------------
+  local ip_family ipv6_network
+  if [ "$KIND_IPV4_SUPPORT" == true ] && [ "$KIND_IPV6_SUPPORT" == true ]; then
+    ip_family="dual"
+    ipv6_network="--ipv6 --subnet=${BGP_SERVER_NET_SUBNET_IPV6}"
+  elif  [ "$KIND_IPV6_SUPPORT" == true ]; then
+    ip_family="ipv6"
+    ipv6_network="--ipv6 --subnet=${BGP_SERVER_NET_SUBNET_IPV6}"
+  else
+    ip_family="ipv4"
+    ipv6_network=""
+  fi
+  docker network create --subnet="${BGP_SERVER_NET_SUBNET_IPV4}" ${ipv6_network} --driver bridge bgpnet
+  docker network connect bgpnet frr
+  docker run  --cap-add NET_ADMIN --user 0  -d --network bgpnet  --rm  --name bgpserver -p 8080:8080  registry.k8s.io/e2e-test-images/agnhost:2.45 netexec
+  # let's make the bgp external server have its default route towards FRR router so that we don't need to add routes during tests back to the pods in the
+  # cluster for return traffic
+  local bgp_network_frr_v4 bgp_network_frr_v6
+  bgp_network_frr_v4=$($OCI_BIN inspect -f '{{index .NetworkSettings.Networks "bgpnet" "IPAddress"}}' frr)
+  echo "FRR kind network IPv4: ${bgp_network_frr_v4}"
+  $OCI_BIN exec bgpserver ip route replace default via "$bgp_network_frr_v4"
+  if  [ "$KIND_IPV6_SUPPORT" == true ] ; then
+    bgp_network_frr_v6=$($OCI_BIN inspect -f '{{index .NetworkSettings.Networks "bgpnet" "GlobalIPv6Address"}}' frr)
+    echo "FRR kind network IPv6: ${bgp_network_frr_v6}"
+    $OCI_BIN exec bgpserver ip -6 route replace default via "$bgp_network_frr_v6"
+  fi
+}
+
+destroy_bgp() {
+  if docker ps --format '{{.Names}}' | grep -Eq '^bgpserver$'; then
+      docker stop bgpserver
+  fi
+  if docker ps --format '{{.Names}}' | grep -Eq '^frr$'; then
+      docker stop frr
+  fi
+  if docker network ls --format '{{.Name}}' | grep -q '^bgpnet$'; then
+      docker network rm bgpnet
+  fi
 }
 
 install_ffr_k8s() {
@@ -699,9 +779,57 @@ install_ffr_k8s() {
   # apply a BGP peer configration with the external gateway that does not
   # exchange routes
   pushd "${FRR_TMP_DIR}"/frr-k8s/hack/demo/configs || exit 1
-  sed 's/all$/filtered/g' receive_all.yaml > receive_filtered.yaml
-  kubectl apply -f receive_filtered.yaml
+  sed 's/mode: all/mode: filtered/g' receive_all.yaml > receive_filtered.yaml
+  # Allow receiving the bgp external server's prefix
+  sed -i '/mode: filtered/a\            prefixes:\n            - prefix: '"${BGP_SERVER_NET_SUBNET_IPV4}"'' receive_filtered.yaml
+  # If IPv6 is enabled, add the IPv6 prefix as well
+  if [ "$KIND_IPV6_SUPPORT" == true ]; then
+    # Find all line numbers where the IPv4 prefix is defined
+    IPv6_LINE="            - prefix: ${BGP_SERVER_NET_SUBNET_IPV6}"
+    # Process each occurrence of the IPv4 prefix
+    for LINE_NUM in $(grep -n "prefix: ${BGP_SERVER_NET_SUBNET_IPV4}" receive_filtered.yaml | cut -d ':' -f 1); do
+      # Insert the IPv6 prefix after each IPv4 prefix line
+      sed -i "${LINE_NUM}a\\${IPv6_LINE}" receive_filtered.yaml
+    done
+  fi
+  kubectl apply -n frr-k8s-system -f receive_filtered.yaml
   popd || exit 1
 
   rm -rf "${FRR_TMP_DIR}"
+  # Add routes for pod networks dynamically into the github runner for return traffic to pass back
+  if [ -n "${JOB_NAME:-}" ] && [[ "$JOB_NAME" == *"shard-conformance"* ]] && [ "$ADVERTISE_DEFAULT_NETWORK" == "true" ]; then
+    echo "Adding routes for Kubernetes pod networks..."
+    NODES=$(kubectl get nodes -o jsonpath='{.items[*].metadata.name}')
+    echo "Found nodes: $NODES"
+    for node in $NODES; do
+      # Get the addresses
+      node_ips=$(kubectl get node $node -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')
+      # Get subnet information
+      subnet_json=$(kubectl get node $node -o jsonpath='{.metadata.annotations.k8s\.ovn\.org/node-subnets}')
+      
+      if [ "$KIND_IPV4_SUPPORT" == true ]; then
+        # Extract IPv4 address (first address)
+        node_ipv4=$(echo "$node_ips" | awk '{print $1}')
+        ipv4_subnet=$(echo "$subnet_json" | jq -r '.default[0]')
+        
+        # Add IPv4 route
+        if [ -n "$ipv4_subnet" ] && [ -n "$node_ipv4" ]; then
+          echo "Adding IPv4 route for $node ($node_ipv4): $ipv4_subnet"
+          sudo ip route add $ipv4_subnet via $node_ipv4
+        fi
+      fi
+
+      # Add IPv6 route if enabled
+      if [ "$KIND_IPV6_SUPPORT" == true ]; then
+        # Extract IPv6 address (second address, if present)
+        node_ipv6=$(echo "$node_ips" | awk '{print $2}')
+        ipv6_subnet=$(echo "$subnet_json" | jq -r '.default[1] // empty')
+        
+        if [ -n "$ipv6_subnet" ] && [ -n "$node_ipv6" ]; then
+          echo "Adding IPv6 route for $node ($node_ipv6): $ipv6_subnet"
+          sudo ip -6 route add $ipv6_subnet via $node_ipv6
+        fi
+      fi
+    done
+  fi
 }