Merge remote-tracking branch 'upstream_martin/eip-net-seg' into merge…

…-ds-net-seg2
openshift · Dec 9, 2024 · ea86d0a · ea86d0a
2 parents 97a2e6b + 1e550f4
commit ea86d0a
Show file tree

Hide file tree

Showing 292 changed files with 38,408 additions and 4,520 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -442,7 +442,7 @@ jobs:
     env:
       JOB_NAME: "${{ matrix.target }}-${{ matrix.ha }}-${{ matrix.gateway-mode }}-${{ matrix.ipfamily }}-${{ matrix.disable-snat-multiple-gws }}-${{ matrix.second-bridge }}-${{ matrix.ic }}"
       OVN_HYBRID_OVERLAY_ENABLE: ${{ (matrix.target == 'control-plane' || matrix.target == 'control-plane-helm') && (matrix.ipfamily == 'ipv4' || matrix.ipfamily == 'dualstack' ) }}
-      OVN_MULTICAST_ENABLE:  "${{ matrix.target == 'control-plane' || matrix.target == 'control-plane-helm' }}"
+      OVN_MULTICAST_ENABLE:  "${{ matrix.target == 'control-plane' || matrix.target == 'control-plane-helm' || matrix.target == 'network-segmentation' }}"
       OVN_EMPTY_LB_EVENTS: "${{ matrix.target == 'control-plane' || matrix.target == 'control-plane-helm' }}"
       OVN_HA: "${{ matrix.ha == 'HA' }}"
       OVN_DISABLE_SNAT_MULTIPLE_GWS: "${{ matrix.disable-snat-multiple-gws == 'noSnatGW' }}"
@@ -453,6 +453,7 @@ jobs:
       KIND_IPV6_SUPPORT: "${{ matrix.ipfamily == 'IPv6' || matrix.ipfamily == 'dualstack' }}"
       ENABLE_MULTI_NET: "${{ matrix.target == 'multi-homing' || matrix.target == 'kv-live-migration' || matrix.target == 'network-segmentation' || matrix.target == 'tools' || matrix.target == 'multi-homing-helm' }}"
       ENABLE_NETWORK_SEGMENTATION: "${{ matrix.target == 'network-segmentation' || matrix.target == 'tools' || matrix.target == 'kv-live-migration'}}"
+      DISABLE_UDN_HOST_ISOLATION: "true"
       KIND_INSTALL_KUBEVIRT: "${{ matrix.target == 'kv-live-migration' }}"
       OVN_COMPACT_MODE: "${{ matrix.target == 'compact-mode' }}"
       OVN_DUMMY_GATEWAY_BRIDGE: "${{ matrix.target == 'compact-mode' }}"

diff --git a/README.md b/README.md
@@ -8,6 +8,7 @@
 [![Go Report Card][go-report-card-badge]][go-report-url]
 [![Go Doc][go-doc-badge]][go-doc-url]
 [![Static Badge][slack-badge]][slack-url]
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fovn-kubernetes%2Fovn-kubernetes.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fovn-kubernetes%2Fovn-kubernetes?ref=badge_shield)
 
 
 [apache2-badge]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
@@ -45,7 +46,10 @@ Here are some links to help in your ovn-kubernetes journey:
 
 Everything is distributed under the terms of the [Apache License] (version 2.0).
 
+
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fovn-kubernetes%2Fovn-kubernetes.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fovn-kubernetes%2Fovn-kubernetes?ref=badge_large)
+
 ## Who uses OVN-Kubernetes?
 
 See our [Adopters](ADOPTERS.md). If your organization or project uses OVN-Kubernetes,
-please file a PR and update this list. Say hi on Slack too!
+please file a PR and update this list. Say hi on Slack too!
diff --git a/contrib/kind-common b/contrib/kind-common
@@ -356,11 +356,11 @@ install_kubevirt() {
         done
     fi
 
-    kubectl -n kubevirt patch kubevirt kubevirt --type=json --patch '[{"op":"add","path":"/spec/configuration/developerConfiguration","value":{"featureGates":[]}},{"op":"add","path":"/spec/configuration/developerConfiguration/featureGates/-","value":"NetworkBindingPlugins"}]'
-    
+    kubectl -n kubevirt patch kubevirt kubevirt --type=json --patch '[{"op":"add","path":"/spec/configuration/developerConfiguration","value":{"featureGates":[]}},{"op":"add","path":"/spec/configuration/developerConfiguration/featureGates/-","value":"NetworkBindingPlugins"},{"op":"add","path":"/spec/configuration/developerConfiguration/featureGates/-","value":"DynamicPodInterfaceNaming"}]'
+
     local kubevirt_stable_release_url=$(get_kubevirt_release_url "stable")
     local passt_binding_image="quay.io/kubevirt/network-passt-binding:${kubevirt_stable_release_url##*/}"
-    kubectl -n kubevirt patch kubevirt kubevirt --type=json --patch '[{"op":"add","path":"/spec/configuration/network","value":{}},{"op":"add","path":"/spec/configuration/network/binding","value":{"passt":{"computeResourceOverhead":{"requests":{"memory":"500Mi"}},"migration":{"method":"link-refresh"},"networkAttachmentDefinition":"default/primary-udn-kubevirt-binding","sidecarImage":"'"${passt_binding_image}"'"}}}]'
+    kubectl -n kubevirt patch kubevirt kubevirt --type=json --patch '[{"op":"add","path":"/spec/configuration/network","value":{}},{"op":"add","path":"/spec/configuration/network/binding","value":{"passt":{"computeResourceOverhead":{"requests":{"memory":"500Mi"}},"migration":{"method":"link-refresh"},"networkAttachmentDefinition":"default/primary-udn-kubevirt-binding","sidecarImage":"'"${passt_binding_image}"'"},"managedTap":{"domainAttachmentType":"managedTap","migration":{}}}}]'
 
     if [ ! -d "./bin" ]
     then

diff --git a/contrib/kind.sh b/contrib/kind.sh
@@ -748,7 +748,7 @@ create_kind_cluster() {
   jinjanate "${KIND_CONFIG}" -o "${KIND_CONFIG_LCL}"
 
   # Create KIND cluster. For additional debug, add '--verbosity <int>': 0 None .. 3 Debug
-  if kind get clusters | grep ovn; then
+  if kind get clusters | grep "${KIND_CLUSTER_NAME}"; then
     delete
   fi
 
@@ -901,6 +901,7 @@ install_ovn_single_node_zones() {
   fi
   run_kubectl apply -f ovnkube-control-plane.yaml
   run_kubectl apply -f ovnkube-single-node-zone.yaml
+  kubectl patch ds -n ovn-kubernetes ovnkube-node --type='json' -p='[{"op": "add", "path": "/spec/updateStrategy/rollingUpdate", "value": {"maxUnavailable": "100%"}}]'
 }
 
 label_ovn_multiple_nodes_zones() {

diff --git a/dist/images/Dockerfile.fedora b/dist/images/Dockerfile.fedora
@@ -27,7 +27,7 @@ RUN INSTALL_PKGS=" \
     python3-pip python3-pyyaml bind-utils procps-ng openssl numactl-libs firewalld-filesystem \
     libpcap hostname kubernetes-client util-linux \
     ovn ovn-central ovn-host python3-openvswitch tcpdump openvswitch-test python3-pyOpenSSL \
-    iptables iproute iputils strace socat koji \
+    iptables nftables iproute iputils strace socat koji \
     libreswan openvswitch-ipsec \
     " && \
     dnf install --best --refresh -y --setopt=tsflags=nodocs $INSTALL_PKGS && \

diff --git a/dist/images/Dockerfile.fedora.dev b/dist/images/Dockerfile.fedora.dev
@@ -64,7 +64,7 @@ FROM fedora:39
 
 # Install needed dependencies.
 RUN INSTALL_PKGS=" \
-    iptables iproute iputils hostname unbound-libs kubernetes-client kmod" && \
+    iptables nftables iproute iputils hostname unbound-libs kubernetes-client kmod" && \
     dnf install --best --refresh -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
     dnf clean all && rm -rf /var/cache/dnf/*
 

diff --git a/dist/images/Dockerfile.ubuntu b/dist/images/Dockerfile.ubuntu
@@ -8,11 +8,11 @@
 #
 # So this file will change over time.
 
-FROM ubuntu:24.04
+FROM ubuntu:24.10
 
 USER root
 
-RUN apt-get update && apt-get install -y iproute2 curl software-properties-common util-linux
+RUN apt-get update && apt-get install -y iproute2 curl software-properties-common util-linux nftables
 
 RUN curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
 

diff --git a/dist/images/ovnkube.sh b/dist/images/ovnkube.sh
@@ -2068,6 +2068,7 @@ ovnkube-controller-with-node() {
     --nodeport \
     --ovn-metrics-bind-address ${ovn_metrics_bind_address} \
     --pidfile ${OVN_RUNDIR}/ovnkube-controller-with-node.pid \
+    --disable-udn-host-isolation \
     --zone ${ovn_zone} &
 
   wait_for_event attempts=3 process_ready ovnkube-controller-with-node
@@ -2669,6 +2670,7 @@ ovn-node() {
         --nodeport \
         --ovn-metrics-bind-address ${ovn_metrics_bind_address} \
         --pidfile ${OVN_RUNDIR}/ovnkube.pid \
+        --disable-udn-host-isolation \
         --zone ${ovn_zone} &
 
   wait_for_event attempts=3 process_ready ovnkube

diff --git a/dist/templates/k8s.ovn.org_clusteruserdefinednetworks.yaml.j2 b/dist/templates/k8s.ovn.org_clusteruserdefinednetworks.yaml.j2
@@ -123,7 +123,7 @@ spec:
                           MTU is optional, if not provided, the globally configured value in OVN-Kubernetes (defaults to 1400) is used for the network.
                         format: int32
                         maximum: 65536
-                        minimum: 0
+                        minimum: 576
                         type: integer
                       role:
                         description: |-
@@ -184,7 +184,7 @@ spec:
                           MTU is optional, if not provided, the globally configured value in OVN-Kubernetes (defaults to 1400) is used for the network.
                         format: int32
                         maximum: 65536
-                        minimum: 0
+                        minimum: 576
                         type: integer
                       role:
                         description: |-

diff --git a/dist/templates/k8s.ovn.org_userdefinednetworks.yaml.j2 b/dist/templates/k8s.ovn.org_userdefinednetworks.yaml.j2
@@ -71,7 +71,7 @@ spec:
                       MTU is optional, if not provided, the globally configured value in OVN-Kubernetes (defaults to 1400) is used for the network.
                     format: int32
                     maximum: 65536
-                    minimum: 0
+                    minimum: 576
                     type: integer
                   role:
                     description: |-
@@ -132,7 +132,7 @@ spec:
                       MTU is optional, if not provided, the globally configured value in OVN-Kubernetes (defaults to 1400) is used for the network.
                     format: int32
                     maximum: 65536
-                    minimum: 0
+                    minimum: 576
                     type: integer
                   role:
                     description: |-

diff --git a/dist/templates/ovnkube-node.yaml.j2 b/dist/templates/ovnkube-node.yaml.j2
@@ -87,6 +87,10 @@ spec:
         - mountPath: /var/run/netns
           name: host-netns
           mountPropagation: Bidirectional
+        - mountPath: /run/systemd/private
+          name: run-systemd
+          subPath: private
+          readOnly: true
        {%- if ovnkube_app_name!="ovnkube-node-dpu-host" %}
         # ovnkube-node only mounts (non dpu related)
         - mountPath: /var/run/openvswitch/
@@ -426,6 +430,9 @@ spec:
       - name: host-netns
         hostPath:
           path: /var/run/netns
+      - name: run-systemd
+        hostPath:
+          path: /run/systemd
       {%- if ovnkube_app_name!="ovnkube-node-dpu-host" %}
       # non DPU related volumes
       - name: host-var-log-ovs

diff --git a/dist/templates/ovnkube-single-node-zone.yaml.j2 b/dist/templates/ovnkube-single-node-zone.yaml.j2
@@ -295,6 +295,10 @@ spec:
         - mountPath: /etc/ovn/
           name: host-var-lib-ovs
           readOnly: true
+        - mountPath: /run/systemd/private
+          name: run-systemd
+          subPath: private
+          readOnly: true
 
         resources:
           requests:
@@ -622,6 +626,9 @@ spec:
       - name: host-var-lib-ovs
         hostPath:
           path: /var/lib/openvswitch
+      - name: run-systemd
+        hostPath:
+          path: /run/systemd
 
       tolerations:
       - operator: "Exists"