@kyrtapz kyrtapz commented Jan 16, 2026

No description provided.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 16, 2026

openshift-ci-robot commented Jan 16, 2026

@kyrtapz: This pull request references CORENET-6610 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai bot commented Jan 16, 2026

Walkthrough

Adds EVPN support gated by OVN_EVPN_ENABLE: new cluster-scoped VTEP CRD, EVPN fields and cross-field validations in ClusterUserDefinedNetwork (ipVRF/macVRF/vni/routeTarget/vtep), a topology.transport field, conditional RBAC for vteps, feature-gate wiring, and dependency bumps.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CRD Schema & API: bindata/network/ovn-kubernetes/common/001-crd.yaml | Adds cluster-scoped VTEP CRD (group k8s.ovn.org, v1) with spec.cidrs, spec.mode, status conditions. Extends ClusterUserDefinedNetwork with spec.network.evpn (adds ipVRF, macVRF, vni, routeTarget, vtep) and topology.transport (NoOverlay/Geneve/EVPN). Adds extensive x-kubernetes-validations (cross-field, conditional based on OVN_EVPN_ENABLE, and topology/transport compatibility). |
| RBAC: bindata/network/ovn-kubernetes/common/002-rbac-node.yaml, bindata/network/ovn-kubernetes/common/004-rbac-control-plane.yaml | Introduces template-guarded RBAC rules when OVN_EVPN_ENABLE is true: Node ClusterRole gains list/get/watch on vteps.k8s.ovn.org; control-plane gains list/get/watch on vteps and patch/update on vteps/status. |
| Render Data & Tests: pkg/network/ovn_kubernetes.go, pkg/network/ovn_kubernetes_test.go | Adds OVN_EVPN_ENABLE boolean to render data (driven by featureGates.Enabled(apifeatures.FeatureGateEVPN)). Updates tests to enable the EVPN feature gate in relevant test configurations. |
| Dependencies: go.mod | Bumps github.com/openshift/api and github.com/openshift/client-go pseudo-versions to newer revisions. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes


🧹 Recent nitpick comments
pkg/network/ovn_kubernetes_test.go (1)

4194-4202: Minor formatting inconsistency in struct field alignment.

The indentation for manifestDir, client, and featureGates fields differs from other test case definitions in this file. While this doesn't affect functionality, it may cause linter warnings.

♻️ Suggested fix for consistent formatting
 				conf: func() *operv1.NetworkSpec {
 					config := fakeNetworkConf()
 					config.DefaultNetwork.OVNKubernetesConfig.RouteAdvertisements = operv1.RouteAdvertisementsEnabled
 					return config
-				}, bootstrapResult: fakeBootstrapResultOVN,
-				manifestDir:        manifestDirOvn,
-				client:             cnofake.NewFakeClient(),
-				featureGates:       preDefUDNFeatureGates,
+				},
+				bootstrapResult: fakeBootstrapResultOVN,
+				manifestDir:     manifestDirOvn,
+				client:          cnofake.NewFakeClient(),
+				featureGates:    preDefUDNFeatureGates,
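
Review bot: on the removed `}, bootstrapResult: fakeBootstrapResultOVN,` line the closing brace of the conf func and the next field share one line, which leaves the three fields after it padded to a different column. The split shown in the added lines is whitespace-only, so let gofmt produce the alignment instead of hand-editing it, and confirm that the values (manifestDirOvn, cnofake.NewFakeClient(), preDefUDNFeatureGates) are unchanged once the test case is reformatted.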

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between e9e1e43 and 27d1b8e.

📒 Files selected for processing (5)
  • bindata/network/ovn-kubernetes/common/001-crd.yaml
  • bindata/network/ovn-kubernetes/common/002-rbac-node.yaml
  • bindata/network/ovn-kubernetes/common/004-rbac-control-plane.yaml
  • pkg/network/ovn_kubernetes.go
  • pkg/network/ovn_kubernetes_test.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • pkg/network/ovn_kubernetes.go
  • bindata/network/ovn-kubernetes/common/004-rbac-control-plane.yaml
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • pkg/network/ovn_kubernetes_test.go
  • bindata/network/ovn-kubernetes/common/001-crd.yaml
  • bindata/network/ovn-kubernetes/common/002-rbac-node.yaml
🔇 Additional comments (10)
pkg/network/ovn_kubernetes_test.go (6)

76-84: LGTM - EVPN feature gate correctly integrated into test defaults.

The FeatureGateEVPN is appropriately added to the disabled feature gates list in getDefaultFeatureGates(), consistent with the pattern used for other feature gates. This ensures EVPN features are opt-in during testing.


929-936: LGTM - EVPN added to known feature gates for test configuration.

The addition of FeatureGateEVPN to knownFeatureGates ensures the test framework properly handles this new feature gate when building enabled/disabled lists from test case inputs.


3830-3836: LGTM - Consistent EVPN feature gate placement in persistent IPs test.

The feature gate configuration maintains the expected pattern with EVPN in the disabled list.


4104-4108: LGTM - EVPN consistently disabled in noFeatureGates helper.


4118-4124: LGTM - EVPN consistently disabled in udnFeatureGate helper.


4132-4138: LGTM - EVPN consistently disabled in preDefUDNFeatureGates helper.

bindata/network/ovn-kubernetes/common/002-rbac-node.yaml (1)

212-221: LGTM - EVPN RBAC rule correctly implements conditional vteps access.

The new conditional RBAC block follows the established pattern (matching OVN_ROUTE_ADVERTISEMENTS_ENABLE above) and grants appropriate read-only permissions (list, get, watch) for the vteps resource. This aligns with the EVPN feature gate implementation described in the PR objectives.

bindata/network/ovn-kubernetes/common/001-crd.yaml (3)

4504-4518: Transport field enum and documentation look good.


4536-4558: EVPN gating validations are consistent with topology/role constraints.


5272-5424: VTEP CRD schema is clear and well‑validated.

✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci bot requested review from arkadeepsen and miheer January 16, 2026 15:01

openshift-ci bot commented Jan 16, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kyrtapz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 16, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@bindata/network/ovn-kubernetes/common/001-crd.yaml`:
- Around line 3851-3864: The RT validation for 4-byte ASN global administrator
in both the ipVRF and macVRF EVPN routeTarget rule blocks erroneously only
checks that uint(self.split(':')[0]) <= 65535u; update the boolean expression in
the first rule to also enforce the documented upper bound by requiring
uint(self.split(':')[0]) <= 4294967295u (i.e., add this upper-bound check
alongside the existing checks or replace the 65535 limit with 4294967295 where
appropriate) so the rule rejects values greater than 4294967295; apply the same
change to both the ipVRF and macVRF routeTarget validation blocks.
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between a4a0c72 and b608e2e.

⛔ Files ignored due to path filters (71)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/api/.ci-operator.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/.coderabbit.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/.golangci.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/AGENTS.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/Dockerfile.ocp is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/apiextensions/install.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/Makefile is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/register.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_cluster_version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_feature.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_image_policy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_node.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_scheduling.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/console/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/features.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/features/features.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/features/util.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/install.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machine/v1beta1/types_machine.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1alpha1/register.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types_internalreleaseimage.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types_osimagestream.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types_pinnedimageset.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/types_console.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/types_ingress.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-OKD.crd.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/modules.txt is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (5)
  • bindata/network/ovn-kubernetes/common/001-crd.yaml
  • bindata/network/ovn-kubernetes/common/002-rbac-node.yaml
  • bindata/network/ovn-kubernetes/common/004-rbac-control-plane.yaml
  • go.mod
  • pkg/network/ovn_kubernetes.go
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • pkg/network/ovn_kubernetes.go
  • go.mod
  • bindata/network/ovn-kubernetes/common/004-rbac-control-plane.yaml
  • bindata/network/ovn-kubernetes/common/002-rbac-node.yaml
  • bindata/network/ovn-kubernetes/common/001-crd.yaml
🔇 Additional comments (7)
go.mod (1)

105-105: LGTM!

The dependency update to github.com/openshift/api is required to bring in the new EVPN-related API types (VTEP CRD and EVPN configuration fields) used by this PR.

bindata/network/ovn-kubernetes/common/002-rbac-node.yaml (1)

212-221: LGTM!

The conditional RBAC rule follows the established pattern for feature-gated permissions. Granting read-only access (list/get/watch) to vteps for nodes is appropriate and follows the principle of least privilege.

bindata/network/ovn-kubernetes/common/004-rbac-control-plane.yaml (1)

255-271: LGTM!

The RBAC rules for the control plane appropriately include:

  • Read access (list/get/watch) to vteps
  • Write access (patch/update) to vteps/status for status reconciliation

This follows the same pattern as other feature-gated CRDs like routeadvertisements.

pkg/network/ovn_kubernetes.go (1)

344-344: LGTM!

The feature gate integration follows the established pattern used by other OVN feature gates in this file. The OVN_EVPN_ENABLE data key will control conditional rendering of EVPN-related CRDs and RBAC rules in the templates. FeatureGateEVPN is properly defined in the vendored github.com/openshift/api/features dependency.

bindata/network/ovn-kubernetes/common/001-crd.yaml (3)

4504-4518: Transport enum addition looks good.

Clear values and description fit the EVPN feature gate behavior.


4536-4558: EVPN topology/transport guardrails are well covered.

The validation rules align EVPN fields with Layer2/Layer3 primary semantics.


5272-5424: VTEP CRD schema and validations look solid.

The CIDR masking checks and mode defaulting are clear.

✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.
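
The bound check requested in the actionable comment above (a 4-byte ASN global administrator must not exceed 4294967295), as an added Go example that is not code from this PR or from ovn-kubernetes. `ValidateRouteTarget` and `field` are hypothetical names, and the three accepted forms (2-byte ASN with a 4-byte value, 4-byte ASN with a 2-byte value, IPv4 address with a 2-byte value) are assumed from the RFC 4360 / RFC 5668 route-target encodings rather than read from the CRD's CEL rules.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

const (
	max16 = 1<<16 - 1 // 65535
	max32 = 1<<32 - 1 // 4294967295
)

// field parses one decimal component and enforces its upper bound explicitly,
// so an out-of-range value is rejected instead of being silently truncated.
func field(name, s string, limit uint64) (uint64, error) {
	v, err := strconv.ParseUint(s, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("%s %q is not an unsigned decimal", name, s)
	}
	if v > limit {
		return 0, fmt.Errorf("%s %d exceeds %d", name, v, limit)
	}
	return v, nil
}

// ValidateRouteTarget (hypothetical helper) accepts "<global>:<local>" where
// the pair is 2-byte ASN:4-byte, 4-byte ASN:2-byte, or IPv4:2-byte.
func ValidateRouteTarget(rt string) error {
	global, local, ok := strings.Cut(rt, ":")
	if !ok || strings.Contains(local, ":") {
		return fmt.Errorf("%q: want exactly one ':'", rt)
	}
	localMax := uint64(max16)
	if strings.Contains(global, ".") {
		if addr, err := netip.ParseAddr(global); err != nil || !addr.Is4() {
			return fmt.Errorf("%q: global administrator is not an IPv4 address", rt)
		}
	} else {
		asn, err := field("ASN", global, max32) // upper bound of the 4-byte form
		if err != nil {
			return fmt.Errorf("%q: %w", rt, err)
		}
		if asn <= max16 {
			localMax = max32 // a 2-byte ASN leaves four bytes for the local part
		}
	}
	if _, err := field("local administrator", local, localMax); err != nil {
		return fmt.Errorf("%q: %w", rt, err)
	}
	return nil
}

func main() {
	// Constructed sample values, not taken from the PR.
	for _, rt := range []string{"65000:4294967295", "4200000000:65535",
		"4294967296:1", "4200000000:65536", "192.0.2.1:100"} {
		fmt.Printf("%-18s -> %v\n", rt, ValidateRouteTarget(rt))
	}
}
```
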

go get github.com/openshift/api@latest
go get github.com/openshift/client-go@latest
go mod tidy
go mod vendor

Signed-off-by: Patryk Diak <pdiak@redhat.com>

Use the EVPN featuregate.

Signed-off-by: Patryk Diak <pdiak@redhat.com>

openshift-ci bot commented Jan 16, 2026

@kyrtapz: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec | 27d1b8e | link | true | /test e2e-metal-ipi-ovn-ipv6-ipsec |
| ci/prow/e2e-aws-ovn-serial-1of2 | 27d1b8e | link | true | /test e2e-aws-ovn-serial-1of2 |
| ci/prow/security | 27d1b8e | link | false | /test security |
| ci/prow/verify | 27d1b8e | link | true | /test verify |
| ci/prow/4.22-upgrade-from-stable-4.21-e2e-aws-ovn-upgrade | 27d1b8e | link | false | /test 4.22-upgrade-from-stable-4.21-e2e-aws-ovn-upgrade |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
