This is to change POD and join subnet used with couple of net-attach-def
in unit tests to satisfy newly introduced subnet overlap check with
ClusterNetwork, ServiceNetwork, join switch and masquerade CIDR.

Signed-off-by: Arnab Ghosh <[email protected]>

UDN API referance generated using the following command:
  crd-ref-docs --source-path ./go-controller/pkg/crd/userdefinednetwork --config=crd-docs-config.yaml --renderer=markdown --output-path=./docs/api-reference/userdefinednetwork-api-spec.md

Signed-off-by: Or Mergi <[email protected]>

The new OVS version is used by the OVN observability.

Signed-off-by: Nadia Pinaeva <[email protected]>

Signed-off-by: Nadia Pinaeva <[email protected]>

Signed-off-by: Surya Seetharaman <[email protected]>

UDN: Add `MASQUERADE` IPTable Rules

status.

Signed-off-by: Nadia Pinaeva <[email protected]>

Signed-off-by: Surya Seetharaman <[email protected]>

OCPBUGS-38270: Dockerfile: Bump OVS to 3.4.0-1

UDN: allow multiple conditions from different fieldManagers to co-exist in the status.

…nagement-port

UDN: Add RPFilter Loose Mode for management port

Signed-off-by: Riccardo Ravaioli <[email protected]>

Everytime a UDN was created, we were adding the all remote nodes for
every network all over again, including the default network. This makes
the checks on the annotations network aware.

Signed-off-by: Tim Rozet <[email protected]>

Services controller:
- move it to base network controller
- start one services controller per primary network
- set up filter in the informer so that only endpointslices for the given network are considered
- pass switch and router names according to the network for a given node.

Move getActiveNetworkForNamespace to CommonNetworkControllerInfo, because the services controller only has access to CommonNetworkControllerInfo at initialization and needs to run getActiveNetworkForNamespace.

Make LBs and LB groups network scoped

Add network name & role to OVN external IDs. In a few places in the code we retrieve all logical switches, routers and load balancers to initialize the services controller or to delete stale entries. With one services controller per network, the OVN lookup must only return OVN elements in the network we're interested in. This is achieved by adding the network name and network role (default, primary, secondary) to the ExternalIDs field of logical switches, routers and load balancers.

Signed-off-by: Riccardo Ravaioli <[email protected]>

Signed-off-by: Riccardo Ravaioli <[email protected]>

Signed-off-by: Riccardo Ravaioli <[email protected]>

The existing unit tests for services in services_controller_test are now run for UDN as well.

At the same time, a cleanup of unit tests was needed, especially since there was a lot of repetition in the surrounding code, also with respect to global and test-specific variables between services_controller_test.go and lb_config_test.go

Finally, Test_ETPCluster_NodePort_Service_WithMultipleIPAddresses follows the exact same logic found in TestSyncServices, so let's move it there

Signed-off-by: Riccardo Ravaioli <[email protected]>

Allows the execution of the network segmentation tests that are in network_segmentation_*.go (e.g. services, endpoint slice mirrorring). For instance:

make control-plane WHAT="Network Segmentation: services"

Signed-off-by: Riccardo Ravaioli <[email protected]>

The test creates a client and nodeport service in a UDN backed by one pod and similarly
a nodeport service and a client in the default network.
We verify that:
- UDN client --> UDN service, with backend pod and client running on the same node, is possible through:
  + clusterIP
  + nodeIP:nodePort, where we only target the node where the client runs (*)

- UDN client --> UDN service, with backend pod and client running on different nodes, is possible through:
  + clusterIP
  + nodeIP:nodePort, where we only target the node where the client runs (*)

- default-network client --> UDN service is NOT possible through:
  + clusterIP
  + nodeIP:nodePort, where we only target the node where the client runs (*)

-  UDN service --> default-network client is NOT possible through:
  + clusterIP
  + nodeIP:nodePort, where we only target the node where the client runs (*)

(*) TODO connect to other nodes too once ovnkube-node fully supports UDN

TODO: use the same logic as in network_segmentation.go

Signed-off-by: Riccardo Ravaioli <[email protected]>

Signed-off-by: Jaime Caamaño Ruiz <[email protected]>

Remove tabs.

Signed-off-by: Nadia Pinaeva <[email protected]>

UDN L3 support for services

Use faked iptables in UDN gateway tests

Update Dockerfile.fedora to use pre-released 24.09 ovn rpm.

Fixes remote node checks to be network aware

Signed-off-by: Dumitru Ceara <[email protected]>

UDN layer 3 networks also have a join switch and gateway router.

Signed-off-by: Dumitru Ceara <[email protected]>

In the "delete" case we don't need the cookie, move the code that builds
the cookie after the section that checks and takes care of deletes.

Signed-off-by: Dumitru Ceara <[email protected]>

Signed-off-by: Dumitru Ceara <[email protected]>

… namespace active network

Signed-off-by: Dumitru Ceara <[email protected]>

Signed-off-by: Surya Seetharaman <[email protected]>

Signed-off-by: Surya Seetharaman <[email protected]>

Signed-off-by: Dumitru Ceara <[email protected]>

Signed-off-by: Surya Seetharaman <[email protected]>

Signed-off-by: Surya Seetharaman <[email protected]>

For each service change node port related flows to redirect traffic to
the OVN patch port that connects br-ex to the UDN's logical topology.

Signed-off-by: Dumitru Ceara <[email protected]>

Signed-off-by: Dumitru Ceara <[email protected]>

UDN: SGW: L2/L3 Add support for external -> service traffic.

docs, api-reference: Add doc for UDN API

UDN: Fix per pod SNATing

This is to validate whether POD and join subnet mentioned in a
net-attach-def with topology "layer2" and "layer3" does not overlap
with ClusterSubnets, ServiceCIDRs, join subnet and masquerade subnet.
It also considers excluded subnets mentioned in a net-attach-def.

Signed-off-by: Arnab Ghosh <[email protected]>

Signed-off-by: Martin Kennelly <[email protected]>

…ility

Signed-off-by: Martin Kennelly <[email protected]>

IPv6 link addresses behave differently than IPv4
addresses when a link is enslaved to a VRF device.
For IPv4, addresses assigned to the link are preserved
but for IPv6, non link local addresses are removed.
Therefore when a link is enslaved, this commit manually
readds the global IPv6 address.

Signed-off-by: Martin Kennelly <[email protected]>

Previous op was invalid.

Signed-off-by: Martin Kennelly <[email protected]>

Add subnet overlap check for POD and join subnets in net-attach-def

SDN-4930,OCPBUGS-38949: Downstream Merge 28th August

Rename load_balancer_ocphack_test.go as lb_config_ocphack_test.go

Signed-off-by: Riccardo Ravaioli <[email protected]>

Signed-off-by: Riccardo Ravaioli <[email protected]>

OCPBUGS-39157,SDN-4930: Downstream Merge Sept 4th