Merge pull request #2627 from trozet/merge-6-10-25

OCPBUGS-44481: DownStream Merge [06-10-2025]

Author: openshift-merge-bot[bot]

.github/workflows/test.yml

@@ -200,6 +200,7 @@ jobs:
       if: steps.is_pr_image_build_needed.outputs.PR_IMAGE_RESTORED != 'true' && success()
       run: |
         set -x
+        sudo apt update
         sudo apt-get install linux-modules-extra-$(uname -r) -y
         sudo modprobe vrf
 
@@ -463,15 +464,15 @@ jobs:
           - {"target": "network-segmentation", "ha": "noHA", "gateway-mode": "shared", "ipfamily": "ipv4", "disable-snat-multiple-gws": "noSnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones"}
           - {"target": "network-segmentation", "ha": "noHA", "gateway-mode": "shared", "ipfamily": "ipv6", "disable-snat-multiple-gws": "noSnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones"}
           - {"target": "bgp", "ha": "noHA", "gateway-mode": "local",  "ipfamily": "dualstack", "disable-snat-multiple-gws": "snatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "routeadvertisements": "advertise-default", "network-segmentation": "enable-network-segmentation"}
-          - {"target": "bgp", "ha": "noHA", "gateway-mode": "shared",  "ipfamily": "ipv4", "disable-snat-multiple-gws": "snatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "routeadvertisements": "advertise-default", "network-segmentation": "enable-network-segmentation"}
+          - {"target": "bgp", "ha": "noHA", "gateway-mode": "shared",  "ipfamily": "dualstack", "disable-snat-multiple-gws": "noSnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "routeadvertisements": "advertise-default", "network-segmentation": "enable-network-segmentation"}
           - {"target": "traffic-flow-test-only","ha": "noHA", "gateway-mode": "shared", "ipfamily": "ipv4", "disable-snat-multiple-gws": "noSnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "traffic-flow-tests": "1-24", "network-segmentation": "enable-network-segmentation"}
           - {"target": "tools", "ha": "noHA", "gateway-mode": "local", "ipfamily": "dualstack", "disable-snat-multiple-gws": "SnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "network-segmentation": "enable-network-segmentation"}
     needs: [ build-pr ]
     env:
       JOB_NAME: "${{ matrix.target }}-${{ matrix.ha }}-${{ matrix.gateway-mode }}-${{ matrix.ipfamily }}-${{ matrix.disable-snat-multiple-gws }}-${{ matrix.second-bridge }}-${{ matrix.ic }}"
       OVN_HYBRID_OVERLAY_ENABLE: ${{ (matrix.target == 'control-plane' || matrix.target == 'control-plane-helm') && (matrix.ipfamily == 'ipv4' || matrix.ipfamily == 'dualstack' ) }}
-      OVN_MULTICAST_ENABLE:  "${{ matrix.target == 'control-plane' || matrix.target == 'control-plane-helm' || matrix.target == 'network-segmentation' }}"
-      OVN_EMPTY_LB_EVENTS: "${{ matrix.target == 'control-plane' || matrix.target == 'control-plane-helm' }}"
+      OVN_MULTICAST_ENABLE:  "${{ matrix.target == 'control-plane' || matrix.target == 'control-plane-helm' || matrix.target == 'network-segmentation' || matrix.target == 'bgp' }}"
+      OVN_EMPTY_LB_EVENTS: "${{ matrix.target == 'control-plane' || matrix.target == 'control-plane-helm' || matrix.target == 'bgp' }}"
       OVN_HA: "${{ matrix.ha == 'HA' }}"
       OVN_DISABLE_SNAT_MULTIPLE_GWS: "${{ matrix.disable-snat-multiple-gws == 'noSnatGW' }}"
       KIND_INSTALL_METALLB: "${{ matrix.target == 'control-plane' || matrix.target == 'control-plane-helm' || matrix.target == 'network-segmentation' }}"
@@ -500,6 +501,7 @@ jobs:
     - name: Install VRF kernel module
       run: |
         set -x
+        sudo apt update
         sudo apt-get install linux-modules-extra-$(uname -r) -y
         sudo modprobe vrf
 
@@ -557,7 +559,7 @@ jobs:
           echo OVN_TEST_EX_GW_NETWORK=xgw >> $GITHUB_ENV
           echo OVN_ENABLE_EX_GW_NETWORK_BRIDGE=true >> $GITHUB_ENV
         fi
-        if [[ "$JOB_NAME" == *"shard-conformance"* ]] && [ "$ADVERTISE_DEFAULT_NETWORK" == "true" ]; then
+        if [ "$ADVERTISE_DEFAULT_NETWORK" == "true" ]; then
           echo "ADVERTISE_DEFAULT_NETWORK=true" >> $GITHUB_ENV
 
           # Use proper variable declaration with default values
@@ -614,7 +616,9 @@ jobs:
     - name: Run Tests
       # e2e tests take ~60 minutes normally, 120 should be more than enough
       # set 3 hours for control-plane tests as these might take a while
-      timeout-minutes: ${{ matrix.target == 'control-plane' && 180 || matrix.target == 'control-plane-helm' && 180 || matrix.target == 'external-gateway' && 180 || 120 }}
+      # give 10m extra to give ginkgo chance to timeout before github so that we
+      # get its output
+      timeout-minutes: ${{ matrix.target == 'bgp' && 190 || matrix.target == 'control-plane' && 190 || matrix.target == 'control-plane-helm' && 190 || matrix.target == 'external-gateway' && 190 || 130 }}
       run: |
         # used by e2e diagnostics package
         export OVN_IMAGE="ovn-daemonset-fedora:pr"
@@ -639,7 +643,7 @@ jobs:
         elif [ "${{ matrix.target }}" == "network-segmentation" ]; then
           make -C test control-plane WHAT="Network Segmentation"
         elif [ "${{ matrix.target }}" == "bgp" ]; then
-          make -C test control-plane WHAT="BGP"
+          make -C test control-plane
         elif [ "${{ matrix.target }}" == "tools" ]; then
           make -C go-controller build
           make -C test tools

contrib/kind-common

@@ -751,6 +751,13 @@ deploy_bgp_external_server() {
     echo "FRR kind network IPv6: ${bgp_network_frr_v6}"
     $OCI_BIN exec bgpserver ip -6 route replace default via "$bgp_network_frr_v6"
   fi
+  # disable the default route to make sure the container only routes accross
+  # directly connected or learnt networks (doing this at the very end since
+  # docker changes the routing table when a new network is connected)
+  docker exec frr ip route delete default
+  docker exec frr ip route
+  docker exec frr ip -6 route delete default
+  docker exec frr ip -6 route
 }
 
 destroy_bgp() {
@@ -817,7 +824,7 @@ EOF
 
   rm -rf "${FRR_TMP_DIR}"
   # Add routes for pod networks dynamically into the github runner for return traffic to pass back
-  if [ -n "${JOB_NAME:-}" ] && [[ "$JOB_NAME" == *"shard-conformance"* ]] && [ "$ADVERTISE_DEFAULT_NETWORK" == "true" ]; then
+  if [ "$ADVERTISE_DEFAULT_NETWORK" = "true" ]; then
     echo "Adding routes for Kubernetes pod networks..."
     NODES=$(kubectl get nodes -o jsonpath='{.items[*].metadata.name}')
     echo "Found nodes: $NODES"
@@ -835,7 +842,7 @@ EOF
         # Add IPv4 route
         if [ -n "$ipv4_subnet" ] && [ -n "$node_ipv4" ]; then
           echo "Adding IPv4 route for $node ($node_ipv4): $ipv4_subnet"
-          sudo ip route add $ipv4_subnet via $node_ipv4
+          sudo ip route replace $ipv4_subnet via $node_ipv4
         fi
       fi
 
@@ -847,7 +854,7 @@ EOF
 
         if [ -n "$ipv6_subnet" ] && [ -n "$node_ipv6" ]; then
           echo "Adding IPv6 route for $node ($node_ipv6): $ipv6_subnet"
-          sudo ip -6 route add $ipv6_subnet via $node_ipv6
+          sudo ip -6 route replace $ipv6_subnet via $node_ipv6
         fi
       fi
     done

go-controller/pkg/clustermanager/userdefinednetwork/template/net-attach-def-template.go

@@ -192,7 +192,7 @@ func renderCNINetworkConfig(networkName, nadName string, spec SpecGetter) (map[s
 		cniNetConf["mtu"] = mtu
 	}
 	if len(netConfSpec.JoinSubnet) > 0 {
-		cniNetConf["joinSubnets"] = netConfSpec.JoinSubnet
+		cniNetConf["joinSubnet"] = netConfSpec.JoinSubnet
 	}
 	if len(netConfSpec.Subnets) > 0 {
 		cniNetConf["subnets"] = netConfSpec.Subnets

go-controller/pkg/clustermanager/userdefinednetwork/template/net-attach-def-template_test.go

@@ -326,7 +326,7 @@ var _ = Describe("NetAttachDefTemplate", func() {
 				"netAttachDefName": "mynamespace/test-net",
 				"role": "primary",
 				"topology": "layer3",
-				"joinSubnets": "100.65.0.0/16,fd99::/64",
+				"joinSubnet": "100.65.0.0/16,fd99::/64",
 				"subnets": "192.168.100.0/16,2001:dbb::/60",
 				"mtu": 1500
 			}`,
@@ -350,7 +350,7 @@ var _ = Describe("NetAttachDefTemplate", func() {
 			  "netAttachDefName": "mynamespace/test-net",
 			  "role": "primary",
 			  "topology": "layer2",
-			  "joinSubnets": "100.65.0.0/16,fd99::/64",
+			  "joinSubnet": "100.65.0.0/16,fd99::/64",
 			  "subnets": "192.168.100.0/24,2001:dbb::/64",
 			  "mtu": 1500,
 			  "allowPersistentIPs": true
@@ -376,7 +376,7 @@ var _ = Describe("NetAttachDefTemplate", func() {
 			  "netAttachDefName": "mynamespace/test-net",
 			  "role": "primary",
 			  "topology": "layer2",
-			  "joinSubnets": "100.62.0.0/24,fd92::/64",
+			  "joinSubnet": "100.62.0.0/24,fd92::/64",
 			  "subnets": "192.168.100.0/24,2001:dbb::/64",
 			  "mtu": 1500,
 			  "allowPersistentIPs": true
@@ -461,7 +461,7 @@ var _ = Describe("NetAttachDefTemplate", func() {
 				"netAttachDefName": "mynamespace/test-net",
 				"role": "primary",
 				"topology": "layer3",
-				"joinSubnets": "100.65.0.0/16,fd99::/64",
+				"joinSubnet": "100.65.0.0/16,fd99::/64",
 				"subnets": "192.168.100.0/16,2001:dbb::/60",
 				"mtu": 1500
 			}`,
@@ -485,7 +485,7 @@ var _ = Describe("NetAttachDefTemplate", func() {
 			  "netAttachDefName": "mynamespace/test-net",
 			  "role": "primary",
 			  "topology": "layer2",
-			  "joinSubnets": "100.65.0.0/16,fd99::/64",
+			  "joinSubnet": "100.65.0.0/16,fd99::/64",
 			  "subnets": "192.168.100.0/24,2001:dbb::/64",
 			  "mtu": 1500,
 			  "allowPersistentIPs": true
@@ -511,7 +511,7 @@ var _ = Describe("NetAttachDefTemplate", func() {
 			  "netAttachDefName": "mynamespace/test-net",
 			  "role": "primary",
 			  "topology": "layer2",
-			  "joinSubnets": "100.62.0.0/24,fd92::/64",
+			  "joinSubnet": "100.62.0.0/24,fd92::/64",
 			  "subnets": "192.168.100.0/24,2001:dbb::/64",
 			  "mtu": 1500,
 			  "allowPersistentIPs": true

go-controller/pkg/kubevirt/router.go

@@ -95,7 +95,16 @@ func EnsureLocalZonePodAddressesToNodeRoute(watchFactory *factory.WatchFactory,
 	if config.OVNKubernetesFeature.EnableInterconnect {
 		// NOTE: EIP & ESVC use same route and if this is already present thanks to those features,
 		// this will be a no-op
-		if err := libovsdbutil.CreateDefaultRouteToExternal(nbClient, types.OVNClusterRouter, types.GWRouterPrefix+pod.Spec.NodeName, clusterSubnets); err != nil {
+		node, err := watchFactory.GetNode(pod.Spec.NodeName)
+		if err != nil {
+			return fmt.Errorf("failed getting to list node %q for pod %s/%s: %w", pod.Spec.NodeName, pod.Namespace, pod.Name, err)
+		}
+		gatewayIPs, err := util.ParseNodeGatewayRouterJoinAddrs(node, types.DefaultNetworkName)
+		if err != nil {
+			return fmt.Errorf("failed to get default network gateway router join IPs for node %q: %w", node.Name, err)
+		}
+		if err := libovsdbutil.CreateDefaultRouteToExternal(nbClient, types.OVNClusterRouter,
+			types.GWRouterPrefix+pod.Spec.NodeName, clusterSubnets, gatewayIPs); err != nil {
 			return err
 		}
 	}

go-controller/pkg/libovsdb/util/router.go

@@ -13,7 +13,6 @@ import (
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/config"
 	libovsdbops "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/libovsdb/ops"
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/nbdb"
-	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/types"
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/util"
 )
 
@@ -34,11 +33,7 @@ import (
 // (TODO: FIXME): With this route, we are officially breaking support for IC with zones that have multiple-nodes
 // NOTE: This route is exactly the same as what is added by pod-live-migration feature and we keep the route exactly
 // same across the 3 features so that if the route already exists on the node, this is just a no-op
-func CreateDefaultRouteToExternal(nbClient libovsdbclient.Client, clusterRouter, gwRouterName string, clusterSubnets []config.CIDRNetworkEntry) error {
-	gatewayIPs, err := GetLRPAddrs(nbClient, types.GWRouterToJoinSwitchPrefix+gwRouterName)
-	if err != nil {
-		return fmt.Errorf("attempt at finding node gateway router %s network information failed, err: %w", gwRouterName, err)
-	}
+func CreateDefaultRouteToExternal(nbClient libovsdbclient.Client, clusterRouter, gwRouterName string, clusterSubnets []config.CIDRNetworkEntry, gatewayIPs []*net.IPNet) error {
 	for _, clusterSubnet := range clusterSubnets {
 		isClusterSubnetIPV6 := utilnet.IsIPv6String(clusterSubnet.CIDR.IP.String())
 		gatewayIP, err := util.MatchFirstIPNetFamily(isClusterSubnetIPV6, gatewayIPs)

go-controller/pkg/libovsdb/util/router_test.go

@@ -31,6 +31,9 @@ func TestCreateDefaultRouteToExternal(t *testing.T) {
 	gwRouterPortName := types.GWRouterToJoinSwitchPrefix + gwRouterName
 	gwRouterIPAddressV4 := "100.64.0.3"
 	gwRouterIPAddressV6 := "fd98::3"
+	gwRouterIPAddressV4CIDR := fmt.Sprintf("%s/32", gwRouterIPAddressV4)
+	gwRouterIPAddressV6CIDR := fmt.Sprintf("%s/128", gwRouterIPAddressV6)
+	gatewayIPs := []*net.IPNet{ovntest.MustParseIPNet(gwRouterIPAddressV4CIDR), ovntest.MustParseIPNet(gwRouterIPAddressV6CIDR)}
 	gwRouterPort := &nbdb.LogicalRouterPort{
 		UUID:     gwRouterPortName + "-uuid",
 		Name:     gwRouterPortName,
@@ -228,7 +231,7 @@ func TestCreateDefaultRouteToExternal(t *testing.T) {
 				tc.preTestAction()
 			}
 
-			if err = CreateDefaultRouteToExternal(nbClient, ovnClusterRouterName, gwRouterName, config.Default.ClusterSubnets); err != nil {
+			if err = CreateDefaultRouteToExternal(nbClient, ovnClusterRouterName, gwRouterName, config.Default.ClusterSubnets, gatewayIPs); err != nil {
 				t.Fatal(fmt.Errorf("failed to run CreateDefaultRouteToExternal: %v", err))
 			}