OCPBUGS-37955,SDN-4930,OCPBUGS-42616,SDN-5031,OCPBUGS-38753: [DownstreamMerge] 10-8-24

.github/workflows/test.yml

@@ -17,7 +17,7 @@ concurrency:
 
 env:
   GO_VERSION: 1.22.0
-  K8S_VERSION: v1.30.2
+  K8S_VERSION: v1.31.0
   KIND_CLUSTER_NAME: ovn
   KIND_INSTALL_INGRESS: true
   KIND_ALLOW_SYSTEM_WRITES: true

.gitignore

@@ -5,3 +5,5 @@
 contrib/bin
 
 ovn-kubernetes-anp-test-report.yaml
+
+**/ginkgo.report

contrib/kind-common

@@ -321,7 +321,13 @@ is_nested_virt_enabled() {
 }
 
 install_kubevirt() {
-    local kubevirt_version="$(curl -L https://storage.googleapis.com/kubevirt-prow/release/kubevirt/kubevirt/stable.txt)"
+    # possible values:
+    # stable - install newest stable (default)
+    # vX.Y.Z - install specific stable (i.e v1.3.1)
+    # nightly - install newest nightly
+    # nightly tag - install specific nightly (i.e 20240910)
+    KUBEVIRT_VERSION=${KUBEVIRT_VERSION:-"stable"}
+
     for node in $(kubectl get node --no-headers  -o custom-columns=":metadata.name"); do
         $OCI_BIN exec -t $node bash -c "echo 'fs.inotify.max_user_watches=1048576' >> /etc/sysctl.conf"
         $OCI_BIN exec -t $node bash -c "echo 'fs.inotify.max_user_instances=512' >> /etc/sysctl.conf"
@@ -330,10 +336,10 @@ install_kubevirt() {
             kubectl label nodes $node node-role.kubernetes.io/worker="" --overwrite=true
         fi
     done
-    local kubevirt_release_url="https://github.com/kubevirt/kubevirt/releases/download/${kubevirt_version}"
 
-    echo "Deploy latest nighly build Kubevirt"
     if [ "$(kubectl get kubevirts -n kubevirt kubevirt -ojsonpath='{.status.phase}')" != "Deployed" ]; then
+      local kubevirt_release_url=$(get_kubevirt_release_url "$KUBEVIRT_VERSION")
+      echo "Deploying Kubevirt from $kubevirt_release_url"
       kubectl apply -f "${kubevirt_release_url}/kubevirt-operator.yaml"
       kubectl apply -f "${kubevirt_release_url}/kubevirt-cr.yaml"
       if ! is_nested_virt_enabled; then
@@ -352,7 +358,8 @@ install_kubevirt() {
 
     kubectl -n kubevirt patch kubevirt kubevirt --type=json --patch '[{"op":"add","path":"/spec/configuration/developerConfiguration","value":{"featureGates":[]}},{"op":"add","path":"/spec/configuration/developerConfiguration/featureGates/-","value":"NetworkBindingPlugins"}]'
 
-    local passt_binding_image="quay.io/kubevirt/network-passt-binding:${kubevirt_version}"
+    local kubevirt_stable_release_url=$(get_kubevirt_release_url "stable")
+    local passt_binding_image="quay.io/kubevirt/network-passt-binding:${kubevirt_stable_release_url##*/}"
     kubectl -n kubevirt patch kubevirt kubevirt --type=json --patch '[{"op":"add","path":"/spec/configuration/network","value":{}},{"op":"add","path":"/spec/configuration/network/binding","value":{"passt":{"computeResourceOverhead":{"requests":{"memory":"500Mi"}},"migration":{"method":"link-refresh"},"networkAttachmentDefinition":"default/primary-udn-kubevirt-binding","sidecarImage":"'"${passt_binding_image}"'"}}}]'
 
     if [ ! -d "./bin" ]
@@ -369,8 +376,9 @@ install_kubevirt() {
 
     pushd ./bin
        if [ ! -f ./virtctl ]; then
-           cli_name="virtctl-${kubevirt_version}-${OS_TYPE}-${ARCH}"
-           curl -LO "${kubevirt_release_url}/${cli_name}"
+           kubevirt_stable_release_url=$(get_kubevirt_release_url "stable")
+           cli_name="virtctl-${kubevirt_stable_release_url##*/}-${OS_TYPE}-${ARCH}"
+           curl -LO "${kubevirt_stable_release_url}/${cli_name}"
            mv ${cli_name} virtctl
            if_error_exit "Failed to download virtctl!"
        fi
@@ -394,7 +402,7 @@ install_kubevirt_ipam_controller() {
 }
 
 install_multus() {
-  local version="v4.1.0"
+  local version="v4.1.3"
   echo "Installing multus-cni $version daemonset ..."
   wget -qO- "https://raw.githubusercontent.com/k8snetworkplumbingwg/multus-cni/${version}/deployments/multus-daemonset.yml" |\
     sed -e "s|multus-cni:snapshot|multus-cni:${version}|g" |\
@@ -615,3 +623,29 @@ deploy_passt_binary() {
 
   run_kubectl rollout status -n kube-system daemonset/passt-binding-cni --timeout 2m
 }
+
+get_kubevirt_release_url() {
+    local VERSION="$1"
+
+    local kubevirt_version
+    local kubevirt_release_url
+
+    if [[ "$VERSION" == "stable" ]]; then
+        kubevirt_version=$(curl -sL https://storage.googleapis.com/kubevirt-prow/release/kubevirt/kubevirt/stable.txt)
+        kubevirt_release_url="https://github.com/kubevirt/kubevirt/releases/download/${kubevirt_version}"
+    elif [[ "$VERSION" == v* ]]; then
+        kubevirt_version="$VERSION"
+        kubevirt_release_url="https://github.com/kubevirt/kubevirt/releases/download/${kubevirt_version}"
+    elif [[ "$VERSION" == "nightly" ]]; then
+        kubevirt_version=$(curl -sL https://storage.googleapis.com/kubevirt-prow/devel/nightly/release/kubevirt/kubevirt/latest)
+        kubevirt_release_url="https://storage.googleapis.com/kubevirt-prow/devel/nightly/release/kubevirt/kubevirt/${kubevirt_version}"
+    elif [[ "$VERSION" =~ ^[0-9]{8}$ ]]; then
+        kubevirt_version="$VERSION"
+        kubevirt_release_url="https://storage.googleapis.com/kubevirt-prow/devel/nightly/release/kubevirt/kubevirt/${kubevirt_version}"
+    else
+        echo "Unsupported KUBEVIRT_VERSION value $VERSION (use either stable, vX.Y.Z, nightly or nightly tag)"
+        exit 1
+    fi
+
+    echo "$kubevirt_release_url"
+}

contrib/kind.sh

@@ -506,7 +506,7 @@ set_default_params() {
   fi
   RUN_IN_CONTAINER=${RUN_IN_CONTAINER:-false}
   KIND_IMAGE=${KIND_IMAGE:-kindest/node}
-  K8S_VERSION=${K8S_VERSION:-v1.30.2}
+  K8S_VERSION=${K8S_VERSION:-v1.31.1}
   OVN_GATEWAY_MODE=${OVN_GATEWAY_MODE:-shared}
   KIND_INSTALL_INGRESS=${KIND_INSTALL_INGRESS:-false}
   KIND_INSTALL_METALLB=${KIND_INSTALL_METALLB:-false}

contrib/kind.yaml.j2

@@ -31,6 +31,12 @@ kubeadmConfigPatches:
   controllerManager:
     extraArgs:
       "v": "{{ cluster_log_level }}"
+      # Disable service-lb-controller for now
+      # https://github.com/kubernetes/kubernetes/issues/128121
+      # Once the upstream issue is fixed we can remove this controller
+      # customization fully. Tracked with
+      # https://github.com/ovn-org/ovn-kubernetes/issues/4785
+      "controllers": "*,bootstrap-signer-controller,token-cleaner-controller,-service-lb-controller"
   scheduler:
     extraArgs:
       "v": "{{ cluster_log_level }}"

dist/images/.gitignore

@@ -3,6 +3,7 @@ ovn-kube-util
 ovnkube
 ovnkube-trace
 ovnkube-identity
+ovnkube-observ
 ovndbchecker
 hybrid-overlay-node
 git_info

dist/images/Dockerfile.fedora

@@ -15,7 +15,7 @@ USER root
 
 ENV PYTHONDONTWRITEBYTECODE yes
 
-ARG ovnver=ovn-24.03.90-7.fc41
+ARG ovnver=ovn-24.09.0-33.fc41
 # Automatically populated when using docker buildx
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM

dist/images/Dockerfile.ubuntu.arm64

@@ -0,0 +1,55 @@
+#
+# The standard name for this image is ovn-kube-ubuntu
+
+# Notes:
+# This is for a development build where the ovn-kubernetes utilities
+# are built in this Dockerfile and included in the image (instead of the deb package)
+#
+#
+# So this file will change over time.
+
+FROM ubuntu:24.10
+
+USER root
+
+RUN apt-get update && apt-get install -y iproute2 curl software-properties-common util-linux
+
+RUN curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
+
+# Install OVS and OVN packages.
+RUN apt-get update && apt-get install -y openvswitch-switch openvswitch-common ovn-central ovn-common ovn-host
+
+RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/arm64/kubectl" \
+    && install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+
+RUN mkdir -p /var/run/openvswitch
+
+# Built in ../../go_controller, then the binaries are copied here.
+# put things where they are in the pkg
+RUN mkdir -p /usr/libexec/cni/
+COPY ovnkube ovn-kube-util ovndbchecker hybrid-overlay-node ovnkube-identity ovnkube-observ /usr/bin/
+COPY ovn-k8s-cni-overlay /usr/libexec/cni/ovn-k8s-cni-overlay
+
+# ovnkube.sh is the entry point. This script examines environment
+# variables to direct operation and configure ovn
+COPY ovnkube.sh /root/
+COPY ovndb-raft-functions.sh /root/
+# override the pkg's ovn_k8s.conf with this local copy
+COPY ovn_k8s.conf /etc/openvswitch/ovn_k8s.conf
+
+# copy git commit number into image
+COPY git_info /root
+
+# iptables wrappers
+COPY ./iptables-scripts/iptables /usr/sbin/
+COPY ./iptables-scripts/iptables-save /usr/sbin/
+COPY ./iptables-scripts/iptables-restore /usr/sbin/
+COPY ./iptables-scripts/ip6tables /usr/sbin/
+COPY ./iptables-scripts/ip6tables-save /usr/sbin/
+COPY ./iptables-scripts/ip6tables-restore /usr/sbin/
+
+LABEL io.k8s.display-name="ovn-kubernetes" \
+      io.k8s.description="ovnkube ubuntu image" 
+
+WORKDIR /root
+ENTRYPOINT /root/ovnkube.sh

dist/images/daemonset.sh

@@ -94,6 +94,8 @@ OVN_ENABLE_OVNKUBE_IDENTITY="true"
 OVN_ENABLE_PERSISTENT_IPS=
 OVN_ENABLE_SVC_TEMPLATE_SUPPORT="true"
 OVN_ENABLE_DNSNAMERESOLVER="false"
+OVN_NOHOSTSUBNET_LABEL=""
+OVN_DISABLE_REQUESTEDCHASSIS="false"
 # IN_UPGRADE is true only if called by upgrade-ovn.sh during the upgrade test,
 # it will render only the parts in ovn-setup.yaml related to RBAC permissions.
 IN_UPGRADE=
@@ -358,6 +360,12 @@ while [ "$1" != "" ]; do
   --enable-observ)
     OVN_OBSERV_ENABLE=$VALUE
     ;;
+  --no-hostsubnet-label)
+    OVN_NOHOSTSUBNET_LABEL=$VALUE
+    ;;
+  --ovn_disable_requestedchassis)
+    OVN_DISABLE_REQUESTEDCHASSIS=$value
+    ;;
   *)
     echo "WARNING: unknown parameter \"$PARAM\""
     exit 1
@@ -551,6 +559,12 @@ echo "ovn_enable_dnsnameresolver: ${ovn_enable_dnsnameresolver}"
 ovn_observ_enable=${OVN_OBSERV_ENABLE}
 echo "ovn_observ_enable: ${ovn_observ_enable}"
 
+ovn_nohostsubnet_label=${OVN_NOHOSTSUBNET_LABEL}
+echo "ovn_nohostsubnet_label: ${ovn_nohostsubnet_label}"
+
+ovn_disable_requestedchassis=${OVN_DISABLE_REQUESTEDCHASSIS}
+echo "ovn_disable_requestedchassis: ${ovn_disable_requestedchassis}"
+
 ovn_image=${ovnkube_image} \
   ovnkube_compact_mode_enable=${ovnkube_compact_mode_enable} \
   ovn_image_pull_policy=${image_pull_policy} \
@@ -743,6 +757,8 @@ ovn_image=${ovnkube_image} \
   ovn_enable_svc_template_support=${ovn_enable_svc_template_support} \
   ovn_enable_dnsnameresolver=${ovn_enable_dnsnameresolver} \
   ovn_observ_enable=${ovn_observ_enable} \
+  ovn_nohostsubnet_label=${ovn_nohostsubnet_label} \
+  ovn_disable_requestedchassis=${ovn_disable_requestedchassis} \
   jinjanate ../templates/ovnkube-master.yaml.j2 -o ${output_dir}/ovnkube-master.yaml
 
 ovn_image=${ovnkube_image} \

dist/images/ovnkube.sh

@@ -313,6 +313,11 @@ ovn_enable_svc_template_support=${OVN_ENABLE_SVC_TEMPLATE_SUPPORT:-true}
 ovn_enable_dnsnameresolver=${OVN_ENABLE_DNSNAMERESOLVER:-false}
 # OVN_OBSERV_ENABLE - enable observability for ovnkube
 ovn_observ_enable=${OVN_OBSERV_ENABLE:-false}
+# OVN_NOHOSTSUBNET_LABEL - node label indicating nodes managing their own network
+ovn_nohostsubnet_label=${OVN_NOHOSTSUBNET_LABEL:-""}
+# OVN_DISABLE_REQUESTEDCHASSIS - disable requested-chassis option during pod creation
+# should be set to true when dpu nodes are in the cluster
+ovn_disable_requestedchassis=${OVN_DISABLE_REQUESTEDCHASSIS:-false}
 
 # Determine the ovn rundir.
 if [[ -f /usr/bin/ovn-appctl ]]; then
@@ -1267,6 +1272,17 @@ ovn-master() {
     ovn_observ_enable_flag="--enable-observability"
   fi
   echo "ovn_observ_enable_flag=${ovn_observ_enable_flag}"
+
+  nohostsubnet_label_option=
+  if [[ ${ovn_nohostsubnet_label} != "" ]]; then
+	  nohostsubnet_label_option="--no-hostsubnet-nodes=${ovn_nohostsubnet_label}"
+  fi
+
+  ovn_disable_requestedchassis_flag=
+  if [[ ${ovn_disable_requestedchassis} == "true" ]]; then
+	  ovn_disable_requestedchassis_flag="--disable-requestedchassis"
+  fi
+  echo "ovn_disable_requestedchassis_flag=${ovn_disable_requestedchassis_flag}"
 
   init_node_flags=
   if [[ ${ovnkube_compact_mode_enable} == "true" ]]; then
@@ -1320,6 +1336,8 @@ ovn-master() {
     ${ovn_v6_masquerade_subnet_opt} \
     ${persistent_ips_enabled_flag} \
     ${ovn_enable_dnsnameresolver_flag} \
+    ${nohostsubnet_label_option} \
+    ${ovn_disable_requestedchassis_flag} \
     --cluster-subnets ${net_cidr} --k8s-service-cidr=${svc_cidr} \
     --gateway-mode=${ovn_gateway_mode} ${ovn_gateway_opts} \
     --host-network-namespace ${ovn_host_network_namespace} \
@@ -2483,6 +2501,39 @@ ovn-node() {
     node_mgmt_port_netdev_flags="$node_mgmt_port_netdev_flags --ovnkube-node-mgmt-port-dp-resource-name ${ovnkube_node_mgmt_port_dp_resource_name}"
   fi
 
+  if [[ ${ovnkube_node_mode} == "dpu" ]]; then
+    # in the case of dpu mode we want the host K8s Node Name and not the DPU K8s Node Name
+    K8S_NODE=$(ovs-vsctl --if-exists get Open_vSwitch . external_ids:host-k8s-nodename | tr -d '\"')
+    if [[ ${K8S_NODE} == "" ]]; then
+      echo "Couldn't get the required Host K8s Nodename. Exiting..."
+      exit 1
+    fi
+    if [[ ${ovn_gateway_opts} == "" ]]; then
+      # get the gateway interface
+      gw_iface=$(ovs-vsctl --if-exists get Open_vSwitch . external_ids:ovn-gw-interface | tr -d \")
+      if [[ ${gw_iface} == "" ]]; then
+        echo "Couldn't get the required OVN Gateway Interface. Exiting..."
+        exit 1
+      fi
+      ovn_gateway_opts="--gateway-interface=${gw_iface} "
+
+      # get the gateway nexthop
+      gw_nexthop=$(ovs-vsctl --if-exists get Open_vSwitch . external_ids:ovn-gw-nexthop | tr -d \")
+      if [[ ${gw_nexthop} == "" ]]; then
+        echo "Couldn't get the required OVN Gateway NextHop. Exiting..."
+        exit 1
+      fi
+      ovn_gateway_opts+="--gateway-nexthop=${gw_nexthop} "
+    fi
+
+    # this is required if the DPU and DPU Host are in different subnets
+    if [[ ${ovn_gateway_router_subnet} == "" ]]; then
+      # get the gateway router subnet
+      ovn_gateway_router_subnet=$(ovs-vsctl --if-exists get Open_vSwitch . external_ids:ovn-gw-router-subnet | tr -d \")
+    fi
+
+  fi
+
   local ovn_node_ssl_opts=""
   if [[ ${ovnkube_node_mode} != "dpu-host" ]]; then
       [[ "yes" == ${OVN_SSL_ENABLE} ]] && {

dist/templates/k8s.ovn.org_adminpolicybasedexternalroutes.yaml.j2

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.4
   name: adminpolicybasedexternalroutes.k8s.ovn.org
 spec:
   group: k8s.ovn.org
@@ -85,11 +85,13 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           required:
                           - key
                           - operator
                           type: object
                         type: array
+                        x-kubernetes-list-type: atomic
                       matchLabels:
                         additionalProperties:
                           type: string
@@ -154,11 +156,13 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 required:
                                 - key
                                 - operator
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             matchLabels:
                               additionalProperties:
                                 type: string
@@ -205,11 +209,13 @@ spec:
                                     items:
                                       type: string
                                     type: array
+                                    x-kubernetes-list-type: atomic
                                 required:
                                 - key
                                 - operator
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             matchLabels:
                               additionalProperties:
                                 type: string