Add a new CP lane for BGP tests

This commit adds two new lanes to run
lgw, sgw BGP e2e tests.

Signed-off-by: Surya Seetharaman <[email protected]>

Author: tssurya

.github/workflows/test.yml

@@ -445,6 +445,8 @@ jobs:
           - {"target": "network-segmentation", "ha": "noHA", "gateway-mode": "shared", "ipfamily": "dualstack", "disable-snat-multiple-gws": "SnatGW", "second-bridge": "1br", "ic": "ic-disabled"}
           - {"target": "network-segmentation", "ha": "noHA", "gateway-mode": "shared", "ipfamily": "ipv4", "disable-snat-multiple-gws": "noSnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones"}
           - {"target": "network-segmentation", "ha": "noHA", "gateway-mode": "shared", "ipfamily": "ipv6", "disable-snat-multiple-gws": "noSnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones"}
+          - {"target": "bgp", "ha": "noHA", "gateway-mode": "local",  "ipfamily": "dualstack", "disable-snat-multiple-gws": "snatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "routeadvertisements": "advertise-default"}
+          - {"target": "bgp", "ha": "noHA", "gateway-mode": "shared",  "ipfamily": "ipv4", "disable-snat-multiple-gws": "snatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "routeadvertisements": "advertise-default"}
           - {"target": "traffic-flow-test-only","ha": "noHA", "gateway-mode": "shared", "ipfamily": "ipv4", "disable-snat-multiple-gws": "noSnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones", "traffic-flow-tests": "1-24"}
           - {"target": "tools", "ha": "noHA", "gateway-mode": "local", "ipfamily": "dualstack", "disable-snat-multiple-gws": "SnatGW", "second-bridge": "1br", "ic": "ic-single-node-zones"}
     needs: [ build-pr ]
@@ -461,7 +463,7 @@ jobs:
       KIND_IPV4_SUPPORT: "${{ matrix.ipfamily == 'IPv4' || matrix.ipfamily == 'dualstack' }}"
       KIND_IPV6_SUPPORT: "${{ matrix.ipfamily == 'IPv6' || matrix.ipfamily == 'dualstack' }}"
       ENABLE_MULTI_NET: "${{ matrix.target == 'multi-homing' || matrix.target == 'kv-live-migration' || matrix.target == 'network-segmentation' || matrix.target == 'tools' || matrix.target == 'multi-homing-helm' || matrix.target == 'traffic-flow-test-only' || matrix.routeadvertisements != '' }}"
-      ENABLE_NETWORK_SEGMENTATION: "${{ matrix.target == 'network-segmentation' || matrix.target == 'tools' || matrix.target == 'kv-live-migration' || matrix.target == 'traffic-flow-test-only' }}"
+      ENABLE_NETWORK_SEGMENTATION: "${{ matrix.target == 'network-segmentation' || matrix.target == 'tools' || matrix.target == 'kv-live-migration' || matrix.target == 'traffic-flow-test-only' || matrix.target == 'bgp' }}"
       DISABLE_UDN_HOST_ISOLATION: "true"
       KIND_INSTALL_KUBEVIRT: "${{ matrix.target == 'kv-live-migration' }}"
       OVN_COMPACT_MODE: "${{ matrix.target == 'compact-mode' }}"
@@ -597,6 +599,8 @@ jobs:
           make -C test conformance
         elif [ "${{ matrix.target }}" == "network-segmentation" ]; then
           make -C test control-plane WHAT="Network Segmentation"
+        elif [ "${{ matrix.target }}" == "bgp" ]; then
+          make -C test control-plane WHAT="BGP"
         elif [ "${{ matrix.target }}" == "tools" ]; then
           make -C go-controller build
           make -C test tools

contrib/kind-common

@@ -652,14 +652,23 @@ get_kubevirt_release_url() {
     echo "$kubevirt_release_url"
 }
 
-readonly FRR_K8S_VERSION=v0.0.14
+readonly FRR_K8S_VERSION=v0.0.17
 readonly FRR_TMP_DIR=$(mktemp -d -u)
 
 clone_frr() {
   [ -d "$FRR_TMP_DIR" ] || {
     mkdir -p "$FRR_TMP_DIR" && trap 'rm -rf $FRR_TMP_DIR' EXIT
     pushd "$FRR_TMP_DIR" || exit 1
     git clone --depth 1 --branch $FRR_K8S_VERSION https://github.com/metallb/frr-k8s
+
+    # Download the patches
+    curl -Ls https://github.com/jcaamano/frr-k8s/archive/refs/heads/ovnk-bgp.tar.gz | tar xzvf - frr-k8s-ovnk-bgp/patches --strip-components 1
+
+    # Change into the cloned repo directory before applying patches
+    pushd frr-k8s
+    git apply ../patches/*
+    popd
+
     popd || exit 1
   }
 }
@@ -676,9 +685,86 @@ deploy_frr_external_container() {
   # can peer with acting as BGP (reflector) external gateway
   pushd "${FRR_TMP_DIR}"/frr-k8s/hack/demo || exit 1
   # modify config template to configure neighbors as route reflector clients
+  # First check if IPv4 network already exists
+  grep -q 'network '"${BGP_SERVER_NET_SUBNET_IPV4}" frr/frr.conf.tmpl || \
+    sed -i '/address-family ipv4 unicast/a \ \ network '"${BGP_SERVER_NET_SUBNET_IPV4}"'' frr/frr.conf.tmpl
+
+  # Add route reflector client config
   sed -i '/remote-as 64512/a \ neighbor {{ . }} route-reflector-client' frr/frr.conf.tmpl
+
+  if [ "$KIND_IPV6_SUPPORT" == true ]; then
+    # Check if IPv6 address-family section exists
+    if ! grep -q 'address-family ipv6 unicast' frr/frr.conf.tmpl; then
+      # Add IPv6 address-family section if it doesn't exist
+      sed -i '/exit-address-family/a \ \
+  address-family ipv6 unicast\
+    network '"${BGP_SERVER_NET_SUBNET_IPV6}"'\
+  exit-address-family' frr/frr.conf.tmpl
+    else
+      # Add network to existing IPv6 section
+      sed -i '/address-family ipv6 unicast/a \ \ network '"${BGP_SERVER_NET_SUBNET_IPV6}"'' frr/frr.conf.tmpl
+    fi
+
+    # Add route-reflector-client for IPv6 neighbors
+    sed -i '/neighbor fc00.*remote-as 64512/a \ neighbor {{ . }} route-reflector-client' frr/frr.conf.tmpl
+  fi
   ./demo.sh
   popd || exit 1
+  if  [ "$KIND_IPV6_SUPPORT" == true ]; then
+    # Enable IPv6 forwarding in FRR
+    docker exec frr sysctl -w net.ipv6.conf.all.forwarding=1
+  fi
+}
+
+deploy_bgp_external_server() {
+  # We create an external docker container that acts as the server (or client) outside the cluster
+  # in the e2e tests that levergae router advertisements.
+  # This container will be connected to the frr container deployed above to simulate a realistic
+  # network topology
+  # -----------------               ------------------                         ---------------------
+  # |               | 172.26.0.0/16 |                |       172.18.0.0/16     | ovn-control-plane |
+  # |   external    |<------------- |   FRR router   |<------ KIND cluster --  ---------------------
+  # |    server     |               |                |                         |    ovn-worker     |   (client pod advertised
+  # -----------------               ------------------                         ---------------------    using RouteAdvertisements
+  #                                                                            |    ovn-worker2    |    from default pod network)
+  #                                                                            ---------------------
+  local ip_family ipv6_network
+  if [ "$KIND_IPV4_SUPPORT" == true ] && [ "$KIND_IPV6_SUPPORT" == true ]; then
+    ip_family="dual"
+    ipv6_network="--ipv6 --subnet=${BGP_SERVER_NET_SUBNET_IPV6}"
+  elif  [ "$KIND_IPV6_SUPPORT" == true ]; then
+    ip_family="ipv6"
+    ipv6_network="--ipv6 --subnet=${BGP_SERVER_NET_SUBNET_IPV6}"
+  else
+    ip_family="ipv4"
+    ipv6_network=""
+  fi
+  docker network create --subnet="${BGP_SERVER_NET_SUBNET_IPV4}" ${ipv6_network} --driver bridge bgpnet
+  docker network connect bgpnet frr
+  docker run  --cap-add NET_ADMIN --user 0  -d --network bgpnet  --rm  --name bgpserver -p 8080:8080  registry.k8s.io/e2e-test-images/agnhost:2.45 netexec
+  # let's make the bgp external server have its default route towards FRR router so that we don't need to add routes during tests back to the pods in the
+  # cluster for return traffic
+  local bgp_network_frr_v4 bgp_network_frr_v6
+  bgp_network_frr_v4=$($OCI_BIN inspect -f '{{index .NetworkSettings.Networks "bgpnet" "IPAddress"}}' frr)
+  echo "FRR kind network IPv4: ${bgp_network_frr_v4}"
+  $OCI_BIN exec bgpserver ip route replace default via "$bgp_network_frr_v4"
+  if  [ "$KIND_IPV6_SUPPORT" == true ] ; then
+    bgp_network_frr_v6=$($OCI_BIN inspect -f '{{index .NetworkSettings.Networks "bgpnet" "GlobalIPv6Address"}}' frr)
+    echo "FRR kind network IPv6: ${bgp_network_frr_v6}"
+    $OCI_BIN exec bgpserver ip -6 route replace default via "$bgp_network_frr_v6"
+  fi
+}
+
+destroy_bgp() {
+  if docker ps --format '{{.Names}}' | grep -Eq '^bgpserver$'; then
+      docker stop bgpserver
+  fi
+  if docker ps --format '{{.Names}}' | grep -Eq '^frr$'; then
+      docker stop frr
+  fi
+  if docker network ls --format '{{.Name}}' | grep -q '^bgpnet$'; then
+      docker network rm bgpnet
+  fi
 }
 
 install_ffr_k8s() {
@@ -693,7 +779,19 @@ install_ffr_k8s() {
   # apply a BGP peer configration with the external gateway that does not
   # exchange routes
   pushd "${FRR_TMP_DIR}"/frr-k8s/hack/demo/configs || exit 1
-  sed 's/all$/filtered/g' receive_all.yaml > receive_filtered.yaml
+  sed 's/mode: all/mode: filtered/g' receive_all.yaml > receive_filtered.yaml
+  # Allow receiving the bgp external server's prefix
+  sed -i '/mode: filtered/a\            prefixes:\n            - prefix: '"${BGP_SERVER_NET_SUBNET_IPV4}"'' receive_filtered.yaml
+  # If IPv6 is enabled, add the IPv6 prefix as well
+  if [ "$KIND_IPV6_SUPPORT" == true ]; then
+    # Find all line numbers where the IPv4 prefix is defined
+    IPv6_LINE="            - prefix: ${BGP_SERVER_NET_SUBNET_IPV6}"
+    # Process each occurrence of the IPv4 prefix
+    for LINE_NUM in $(grep -n "prefix: ${BGP_SERVER_NET_SUBNET_IPV4}" receive_filtered.yaml | cut -d ':' -f 1); do
+      # Insert the IPv6 prefix after each IPv4 prefix line
+      sed -i "${LINE_NUM}a\\${IPv6_LINE}" receive_filtered.yaml
+    done
+  fi
   kubectl apply -f receive_filtered.yaml
   popd || exit 1
 

contrib/kind.sh

@@ -45,6 +45,9 @@ delete() {
   if [ "$KIND_INSTALL_METALLB" == true ]; then
     destroy_metallb
   fi
+  if [ "$ENABLE_ROUTE_ADVERTISEMENTS" == true ]; then
+    destroy_bgp
+  fi
   timeout 5 kubectl --kubeconfig "${KUBECONFIG}" delete namespace ovn-kubernetes || true
   sleep 5
   kind delete cluster --name "${KIND_CLUSTER_NAME:-ovn}"
@@ -586,6 +589,8 @@ set_default_params() {
   TRANSIT_SWITCH_SUBNET_IPV6=${TRANSIT_SWITCH_SUBNET_IPV6:-fd97::/64}
   METALLB_CLIENT_NET_SUBNET_IPV4=${METALLB_CLIENT_NET_SUBNET_IPV4:-172.22.0.0/16}
   METALLB_CLIENT_NET_SUBNET_IPV6=${METALLB_CLIENT_NET_SUBNET_IPV6:-fc00:f853:ccd:e792::/64}
+  BGP_SERVER_NET_SUBNET_IPV4=${BGP_SERVER_NET_SUBNET_IPV4:-172.26.0.0/16}
+  BGP_SERVER_NET_SUBNET_IPV6=${BGP_SERVER_NET_SUBNET_IPV6:-fc00:f853:ccd:e796::/64}
 
   KIND_NUM_MASTER=1
   OVN_ENABLE_INTERCONNECT=${OVN_ENABLE_INTERCONNECT:-false}
@@ -1183,6 +1188,7 @@ if [ "$OVN_ENABLE_DNSNAMERESOLVER" == true ]; then
 fi
 if [ "$ENABLE_ROUTE_ADVERTISEMENTS" == true ]; then
   deploy_frr_external_container
+  deploy_bgp_external_server
 fi
 build_ovn_image
 detect_apiserver_url

test/scripts/e2e-cp.sh

@@ -160,6 +160,15 @@ if [[ "${WHAT}" != "${NETWORK_SEGMENTATION_TESTS}"* ]]; then
   SKIPPED_TESTS+=$NETWORK_SEGMENTATION_TESTS
 fi
 
+# Only run bgp tests if they are explicitly requested
+BGP_TESTS="BGP"
+if [[ "${WHAT}" != "${BGP_TESTS}"* ]]; then
+  if [ "$SKIPPED_TESTS" != "" ]; then
+	SKIPPED_TESTS+="|"
+  fi
+  SKIPPED_TESTS+=$BGP_TESTS
+fi
+
 # setting these is required to make RuntimeClass tests work ... :/
 export KUBE_CONTAINER_RUNTIME=remote
 export KUBE_CONTAINER_RUNTIME_ENDPOINT=unix:///run/containerd/containerd.sock