Merge pull request #593 from abays/OSPRH-18411-2

Refactor HCI VA to use single NIC instead of bridged control plane

Implements OSPRH-18411 by refactoring the HCI VA from a bridged control plane network to a dual NIC architecture with dedicated interfaces.
Major Changes:


Created lib/nncp-single-nic/ for single NIC node network configuration

Assigns control plane IP directly to physical interface
Eliminates linux-bridge creation over physical interface



Refactored lib/control-plane/ into modular components:

base/: Core OpenStackControlPlane resources and secrets
service-endpoints/: Network endpoint annotations and service types
dns/: DNS resolver configuration
storage/: Storage class configuration
ovn-bridge/: Traditional bridge-based OVN (backward compatibility)
ovn-nic/: Single NIC OVN configuration (new approach)
job-settings/: Service preservation job configuration



Refactored lib/networking/metallb/ into modular components:

base/: Core IPAddressPool and L2Advertisement resources
ip-addresses/: IP address pool configurations
l2-bridge/: Bridge-based L2Advertisement interfaces (backward compatibility)
l2-single-nic/: Single NIC L2Advertisement interfaces (new approach)



Updated HCI VA to use single NIC components:

va/hci/: Uses ovn-nic and l2-single-nic components
va/hci/networking/: Uses modular metallb components
va/hci/edpm-post-ceph/: Uses modular control-plane components



Updated network configuration for dual NIC architecture:

enp6s0: Control plane, internal API, storage, tenant networks
enp8s0: Datacentre/external network for OVN connectivity
Removed bridgeName references from HCI VA configuration
Updated dataplane node comments for interface connectivity



Updated examples/va/hci/ configuration:

Network attachment definitions use physical interfaces
Documentation reflects dual NIC requirements
Values.yaml includes interface specifications



Architecture Benefits:

Maintains full backward compatibility for all existing VAs and DTs
Provides clean separation between control plane and external networks
Eliminates bridge-related complexity for HCI deployments
Enables modular component reuse across different VA architectures
Supports both traditional bridge and modern single NIC approaches

Co-authored-by: Claude (AI Assistant) [email protected]
Depends-On: openstack-k8s-operators/ci-framework#3170

Reviewed-by: John Fulton <[email protected]>

Author: softwarefactory-project-zuul[bot]

examples/va/hci/control-plane/networking/nncp/kustomization.yaml

@@ -18,7 +18,7 @@ transformers:
         create: true
 
 components:
-  - ../../../../../../lib/nncp
+  - ../../../../../../lib/nncp-single-nic
 
 resources:
   - values.yaml

examples/va/hci/control-plane/networking/nncp/values.yaml

@@ -53,7 +53,7 @@ data:
         "cniVersion": "0.3.1",
         "name": "ctlplane",
         "type": "macvlan",
-        "master": "ospbr",
+        "master": "enp6s0",
         "ipam": {
           "type": "whereabouts",
           "range": "192.168.122.0/24",
@@ -173,12 +173,13 @@ data:
         name: subnet1
     mtu: 1500
   datacentre:
+    iface: enp8s0
     net-attach-def: |
       {
         "cniVersion": "0.3.1",
         "name": "datacentre",
-        "type": "bridge",
-        "bridge": "ospbr",
+        "type": "host-device",
+        "device": "enp8s0",
         "ipam": {}
       }
 
@@ -206,4 +207,3 @@ data:
 
   lbServiceType: LoadBalancer
   storageClass: local-storage
-  bridgeName: ospbr

examples/va/hci/edpm-pre-ceph/nodeset/values.yaml

@@ -30,11 +30,11 @@ data:
         edpm_network_config_hide_sensitive_logs: false
         edpm_network_config_os_net_config_mappings:
           edpm-compute-0:
-            nic2: 6a:fe:54:3f:8a:02  # CHANGEME
+            nic2: 6a:fe:54:3f:8a:02  # CHANGEME - should connect to same network as control plane enp6s0
           edpm-compute-1:
-            nic2: 6b:fe:54:3f:8a:02  # CHANGEME
+            nic2: 6b:fe:54:3f:8a:02  # CHANGEME - should connect to same network as control plane enp6s0
           edpm-compute-2:
-            nic2: 6c:fe:54:3f:8a:02  # CHANGEME
+            nic2: 6c:fe:54:3f:8a:02  # CHANGEME - should connect to same network as control plane enp6s0
         edpm_network_config_template: |
           ---
           {% set mtu_list = [ctlplane_mtu] %}

lib/control-plane/base/kustomization.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+secretGenerator:
+  - name: osp-secret
+    behavior: create
+    envs:
+      - osp-secrets.env
+    options:
+      disableNameSuffixHash: true
+
+resources:
+  - openstackcontrolplane.yaml

lib/control-plane/base/openstackcontrolplane.yaml

@@ -0,0 +1,294 @@
+---
+apiVersion: core.openstack.org/v1beta1
+kind: OpenStackControlPlane
+metadata:
+  name: controlplane
+spec:
+  barbican:
+    apiOverride:
+      route: {}
+    template:
+      databaseInstance: openstack
+      secret: osp-secret
+      barbicanAPI:
+        replicas: 3
+      barbicanWorker:
+        replicas: 3
+      barbicanKeystoneListener:
+        replicas: 1
+  ceilometer:
+    template:
+      passwordSelector:
+        service: CeilometerPassword
+      secret: osp-secret
+      serviceUser: ceilometer
+  cinder:
+    uniquePodNames: true
+    apiOverride:
+      route: {"haproxy.router.openshift.io/timeout": "60s"}
+    template:
+      cinderAPI:
+        replicas: 3
+      customServiceConfig: |
+        # Debug logs by default, jobs can override as needed.
+        [DEFAULT]
+        debug = true
+      cinderBackup:
+        networkAttachments:
+          - storage
+        replicas: 0
+      cinderScheduler:
+        replicas: 1
+      cinderVolumes: {}
+      databaseInstance: openstack
+      secret: osp-secret
+  designate:
+    enabled: false
+    template:
+      customServiceConfig: |
+        [DEFAULT]
+        debug = true
+      designateAPI:
+        replicas: 3
+      designateBackendbind9:
+        networkAttachments:
+          - designate
+        replicas: 3
+        storageClass: _replaced_
+        storageRequest: 10G
+      designateCentral:
+        replicas: 1
+      designateMdns:
+        replicas: 3
+        networkAttachments:
+          - designate
+      designateProducer:
+        replicas: 2
+        networkAttachments:
+          - designate
+      designateWorker:
+        replicas: 3
+        networkAttachments:
+          - designate
+      designateUnbound:
+        replicas: 1
+        networkAttachments:
+          - designate
+      nsRecords:
+        - hostname: ns1.example.org.
+          priority: 1
+        - hostname: ns2.example.org.
+          priority: 2
+  dns:
+    template:
+      options: []
+      replicas: 2
+  galera:
+    enabled: true
+    templates:
+      openstack:
+        replicas: 3
+        secret: osp-secret
+        storageRequest: 5G
+      openstack-cell1:
+        replicas: 3
+        secret: osp-secret
+        storageRequest: 5G
+  glance:
+    uniquePodNames: true
+    apiOverrides:
+      default:
+        route: {"haproxy.router.openshift.io/timeout": "60s"}
+    template:
+      databaseInstance: openstack
+      glanceAPIs:
+        default:
+          replicas: 0
+          networkAttachments:
+            - storage
+      storage:
+        storageClass: _replaced_
+        storageRequest: 10G
+  heat:
+    apiOverride:
+      route: {}
+    cnfAPIOverride:
+      route: {}
+    enabled: false
+    template:
+      databaseInstance: openstack
+      heatAPI:
+        replicas: 1
+      heatEngine:
+        replicas: 1
+      secret: osp-secret
+  horizon:
+    apiOverride:
+      route: {}
+    template:
+      replicas: 1
+      secret: osp-secret
+    enabled: true
+  ironic:
+    enabled: false
+    template:
+      databaseInstance: openstack
+      ironicAPI:
+        replicas: 1
+      ironicConductors:
+        - replicas: 1
+          storageRequest: 10G
+      ironicInspector:
+        replicas: 1
+      ironicNeutronAgent:
+        replicas: 1
+      secret: osp-secret
+  keystone:
+    apiOverride:
+      route: {}
+    template:
+      databaseInstance: openstack
+      secret: osp-secret
+      replicas: 3
+  manila:
+    apiOverride:
+      route: {"haproxy.router.openshift.io/timeout": "60s"}
+    enabled: false
+    template:
+      manilaAPI:
+        networkAttachments:
+          - internalapi
+        replicas: 1
+      manilaScheduler:
+        replicas: 1
+      manilaShares:
+        share1:
+          networkAttachments:
+            - storage
+          replicas: 1
+  memcached:
+    templates:
+      memcached:
+        replicas: 3
+  neutron:
+    apiOverride:
+      route: {}
+    template:
+      databaseInstance: openstack
+      networkAttachments:
+        - internalapi
+      secret: osp-secret
+      replicas: 3
+  nova:
+    apiOverride:
+      route: {}
+    template:
+      secret: osp-secret
+      apiServiceTemplate:
+        replicas: 3
+      metadataServiceTemplate:
+        replicas: 3
+      schedulerServiceTemplate:
+        replicas: 3
+      cellTemplates:
+        cell0:
+          cellDatabaseAccount: nova-cell0
+          cellDatabaseInstance: openstack
+          cellMessageBusInstance: rabbitmq
+          conductorServiceTemplate:
+            replicas: 1
+          hasAPIAccess: true
+        cell1:
+          cellDatabaseAccount: nova-cell1
+          cellDatabaseInstance: openstack-cell1
+          cellMessageBusInstance: rabbitmq-cell1
+          conductorServiceTemplate:
+            replicas: 1
+          hasAPIAccess: true
+  octavia:
+    enabled: false
+    template:
+      databaseInstance: openstack
+      octaviaAPI:
+        replicas: 1
+      octaviaHousekeeping: {}
+      octaviaWorker: {}
+      octaviaHealthManager: {}
+      secret: osp-secret
+  ovn:
+    template:
+      ovnController:
+        networkAttachment: tenant
+        nicMappings:
+          datacentre: _replaced_
+      ovnDBCluster:
+        ovndbcluster-nb:
+          dbType: NB
+          networkAttachment: internalapi
+          storageRequest: 10G
+          replicas: 3
+        ovndbcluster-sb:
+          dbType: SB
+          networkAttachment: internalapi
+          storageRequest: 10G
+          replicas: 3
+      ovnNorthd:
+        logLevel: info
+        nThreads: 1
+        replicas: 1
+        resources: {}
+        tls: {}
+  placement:
+    apiOverride:
+      route: {}
+    template:
+      databaseInstance: openstack
+      secret: osp-secret
+      replicas: 3
+  rabbitmq:
+    templates:
+      rabbitmq:
+        replicas: 3
+      rabbitmq-cell1:
+        replicas: 3
+  secret: osp-secret
+  storageClass: _replaced_
+  swift:
+    enabled: false
+    proxyOverride:
+      route: {}
+    template:
+      swiftProxy:
+        replicas: 1
+      swiftRing:
+        ringReplicas: 1
+      swiftStorage:
+        replicas: 1
+  telemetry:
+    enabled: false
+    template:
+      metricStorage:
+        enabled: false
+        monitoringStack:
+          alertingEnabled: true
+          scrapeInterval: 30s
+          storage:
+            strategy: persistent
+            retention: 24h
+            persistent:
+              pvcStorageRequest: 10Gi
+              pvcStorageClass: _replaced_
+      autoscaling:
+        enabled: false
+        aodh:
+          passwordSelectors:
+          databaseInstance: openstack
+          memcachedInstance: memcached
+          secret: osp-secret
+        heatInstance: heat
+      ceilometer:
+        enabled: false
+        secret: osp-secret
+      logging:
+        enabled: false
+        port: 10514