Resolve ovnkube node encap IP in startup script #2998

Open: SchSeba wants to merge 1 commit into openshift:master from SchSeba:encap-ip-from-file-and-env

@SchSeba commented May 7, 2026 (Contributor)

Teach the ovnkube node wrapper to derive --encap-ip from /etc/ovnk/encap_interface, including host-mounted lookups and dual-stack addresses, while allowing OVN_ENCAP_IP to override the resolved value for per-node configuration.

Summary by CodeRabbit

  • New Features
    • Enhanced network configuration by automatically detecting the first global IPv4/IPv6 address from a target interface and resolving --encap-ip using a local configuration file, with support for environment variable overrides.
    • Updated node startup to apply the resolved --encap-ip argument when launching ovnkube, improving correctness and flexibility for encapsulation address selection.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 7, 2026
openshift-ci Bot commented May 7, 2026 (Contributor)

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

coderabbitai Bot commented May 7, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3da11ae6-b84e-4f1d-9a6f-4533b96fb653

📥 Commits

Reviewing files that changed from the base of the PR and between 55250eb and 71961a6.

📒 Files selected for processing (1)
  • bindata/network/ovn-kubernetes/common/008-script-lib.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • bindata/network/ovn-kubernetes/common/008-script-lib.yaml

Walkthrough

Two shell helpers are added to resolve encapsulation IP, and start-ovnkube-node() now computes and passes the resulting --encap-ip flag to ovnkube.

Changes

Encapsulation IP Resolution

| Layer / File(s) | Summary |
| --- | --- |
| Helper functions: bindata/network/ovn-kubernetes/common/008-script-lib.yaml | get-first-interface-address() extracts the first global IPv4 or IPv6 address from an interface, and set-encap-ip-flag() builds the --encap-ip value from encap_interface data or OVN_ENCAP_IP. |
| Startup wiring: bindata/network/ovn-kubernetes/common/008-script-lib.yaml | start-ovnkube-node() calls set-encap-ip-flag and includes ${ovn_encap_ip_flag} in the ovnkube command line. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| No-Sensitive-Data-In-Logs | ❌ Error | The new encap-IP logs print resolved IPs and OVN_ENCAP_IP in cleartext on startup, exposing internal network details in pod logs. | Redact the IP/interface values or move them to debug-only logs; keep startup messages generic and avoid echoing user-supplied config values. |

✅ Passed checks (14 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly matches the main change: resolving the ovnkube node encap IP during startup. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | No Ginkgo It/Describe/Context/When titles exist in source, and the PR only changes a YAML script library, so there are no unstable test names to flag. |
| Test Structure And Quality | ✅ Passed | No Ginkgo tests were added or changed; the PR only updates a shell startup library in YAML. |
| Microshift Test Compatibility | ✅ Passed | PR only changes ovnkube startup shell script logic; no new It/Describe/Context tests or MicroShift-relevant APIs were added. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added; this PR only changes ovnkube startup scripts/manifests, so the SNO test check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | Changed manifests are topology-gated (ExternalControlPlane/HyperShift) and use safe rollout settings; no unsafe hostname anti-affinity or PDB pattern was added. |
| Ote Binary Stdout Contract | ✅ Passed | PR only changes the ovnkube startup shell script; no OTE main/TestMain/suite setup or stdout logger code was added. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added; the change only updates ovnkube startup shell logic in a bindata script. |
| No-Weak-Crypto | ✅ Passed | The patch only adds encap-IP resolution logic; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons appear. |
| Container-Privileges | ✅ Passed | PR only updates ovnkube-lib.sh to resolve encap IP; no container/K8s securityContext or privileged fields were added. |

openshift-ci Bot commented May 7, 2026 (Contributor)

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: SchSeba
Once this PR has been reviewed and has the lgtm label, please assign jcaamano for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@bindata/network/ovn-kubernetes/common/008-script-lib.yaml`:
- Around line 544-547: Normalize and trim whitespace from the OVN_ENCAP_IP
environment variable before constructing ovn_encap_ip_flag: create a trimmed
value (e.g., strip leading/trailing whitespace from OVN_ENCAP_IP), check that
the trimmed value is non-empty, then set
ovn_encap_ip_flag="--encap-ip=${TRIMMED_OVN_ENCAP_IP}" and log the trimmed
value; update uses of OVN_ENCAP_IP to reference the trimmed variable so
accidental surrounding whitespace won't produce an invalid or split --encap-ip
argument.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ed7676fc-f101-424f-bb21-db5380f271b0

📥 Commits

Reviewing files that changed from the base of the PR and between 5928824 and 55250eb.

📒 Files selected for processing (1)
  • bindata/network/ovn-kubernetes/common/008-script-lib.yaml

Comment on lines +544 to +547
```bash
      if [[ -n "${OVN_ENCAP_IP}" ]]; then
        log "encapip" "Using OVN_ENCAP_IP override ${OVN_ENCAP_IP}"
        ovn_encap_ip_flag="--encap-ip=${OVN_ENCAP_IP}"
      fi
```


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Normalize OVN_ENCAP_IP before building the flag.

At Line 544, OVN_ENCAP_IP is used verbatim. Accidental whitespace in env overrides can produce an invalid/split --encap-ip argument at runtime.

Suggested patch
-      if [[ -n "${OVN_ENCAP_IP}" ]]; then
-        log "encapip" "Using OVN_ENCAP_IP override ${OVN_ENCAP_IP}"
-        ovn_encap_ip_flag="--encap-ip=${OVN_ENCAP_IP}"
+      local encap_ip_override="${OVN_ENCAP_IP//[[:space:]]/}"
+      if [[ -n "${encap_ip_override}" ]]; then
+        log "encapip" "Using OVN_ENCAP_IP override ${encap_ip_override}"
+        ovn_encap_ip_flag="--encap-ip=${encap_ip_override}"
       fi
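Review bot: `${OVN_ENCAP_IP//[[:space:]]/}` on the added `local encap_ip_override=` line deletes every whitespace character, not only leading and trailing ones, so an override that holds two space-separated values is silently joined into one malformed address instead of being rejected. Trim only the ends and treat any whitespace that remains as an error before building `--encap-ip=`. The added `log "encapip"` line also still prints the override value, which is what the No-Sensitive-Data-In-Logs check on this PR reports.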
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if [[ -n "${OVN_ENCAP_IP}" ]]; then
log "encapip" "Using OVN_ENCAP_IP override ${OVN_ENCAP_IP}"
ovn_encap_ip_flag="--encap-ip=${OVN_ENCAP_IP}"
fi
local encap_ip_override="${OVN_ENCAP_IP//[[:space:]]/}"
if [[ -n "${encap_ip_override}" ]]; then
log "encapip" "Using OVN_ENCAP_IP override ${encap_ip_override}"
ovn_encap_ip_flag="--encap-ip=${encap_ip_override}"
fi
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindata/network/ovn-kubernetes/common/008-script-lib.yaml` around lines 544 -
547, Normalize and trim whitespace from the OVN_ENCAP_IP environment variable
before constructing ovn_encap_ip_flag: create a trimmed value (e.g., strip
leading/trailing whitespace from OVN_ENCAP_IP), check that the trimmed value is
non-empty, then set ovn_encap_ip_flag="--encap-ip=${TRIMMED_OVN_ENCAP_IP}" and
log the trimmed value; update uses of OVN_ENCAP_IP to reference the trimmed
variable so accidental surrounding whitespace won't produce an invalid or split
--encap-ip argument.
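
The normalization discussed in the comment above, as an added example that is not code from the PR or from CodeRabbit: it trims only the ends of the override, rejects interior whitespace, and shows how an unquoted flag expansion splits. Function names are hypothetical, the 192.0.2.x addresses are constructed, and POSIX sh is used so it runs under sh or bash.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from 008-script-lib.yaml.

# Trim leading and trailing whitespace only; interior whitespace is kept
# so the caller can detect and reject it.
trim_ws() {
  _s=$1
  _s=${_s#"${_s%%[![:space:]]*}"}   # drop leading whitespace
  _s=${_s%"${_s##*[![:space:]]}"}   # drop trailing whitespace
  printf '%s' "$_s"
}

# Equivalent of ${var//[[:space:]]/}: removes ALL whitespace, shown for contrast.
strip_all_ws() {
  printf '%s' "$1" | tr -d '[:space:]'
}

# Print "--encap-ip=<value>" for a usable override, print nothing for an
# empty one, and return 1 if whitespace remains inside the trimmed value.
build_encap_ip_flag() {
  _v=$(trim_ws "$1")
  [ -n "$_v" ] || return 0
  case $_v in
    *[[:space:]]*) return 1 ;;
  esac
  printf '%s' "--encap-ip=$_v"
}

# Number of words the shell passes on when a flag is expanded unquoted,
# as happens when a flag variable is placed bare on a command line.
count_args() { echo $#; }
unquoted_argc() {
  _flag=$1
  # shellcheck disable=SC2086  # unquoted on purpose to show word splitting
  count_args $_flag
}

# Constructed sample overrides (documentation-range addresses).
for sample in '  192.0.2.10 ' '192.0.2.10 192.0.2.11' '   '; do
  if out=$(build_encap_ip_flag "$sample"); then
    printf 'override [%s] -> flag [%s]\n' "$sample" "$out"
  else
    printf 'override [%s] -> rejected\n' "$sample"
  fi
done
```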

Teach the ovnkube node wrapper to derive --encap-ip from /etc/ovnk/encap_interface,
including host-mounted lookups and dual-stack addresses,
while allowing OVN_ENCAP_IP to override the resolved value for per-node configuration.

Signed-off-by: Sebastian Sch <sebassch@gmail.com>
@SchSeba SchSeba force-pushed the encap-ip-from-file-and-env branch from 55250eb to 71961a6 Compare June 24, 2026 13:28
@SchSeba SchSeba marked this pull request as ready for review June 24, 2026 13:30
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 24, 2026
@openshift-ci openshift-ci Bot requested review from arghosh93 and marty-power June 24, 2026 13:31
openshift-ci Bot commented Jun 24, 2026 (Contributor)

@SchSeba: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-metal-ipi-ovn-dualstack-bgp | 71961a6 | link | true | /test e2e-metal-ipi-ovn-dualstack-bgp |
| ci/prow/e2e-gcp-ovn | 71961a6 | link | true | /test e2e-gcp-ovn |
| ci/prow/e2e-aws-ovn-rhcos10-techpreview | 71961a6 | link | false | /test e2e-aws-ovn-rhcos10-techpreview |
| ci/prow/e2e-aws-ovn-upgrade-ipsec | 71961a6 | link | true | /test e2e-aws-ovn-upgrade-ipsec |
| ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw | 71961a6 | link | true | /test e2e-metal-ipi-ovn-dualstack-bgp-local-gw |
| ci/prow/e2e-aws-ovn-fdp-qe | 71961a6 | link | true | /test e2e-aws-ovn-fdp-qe |
| ci/prow/e2e-ovn-ipsec-step-registry | 71961a6 | link | true | /test e2e-ovn-ipsec-step-registry |
| ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec | 71961a6 | link | true | /test e2e-metal-ipi-ovn-ipv6-ipsec |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

tssurya commented Jun 25, 2026 (Contributor)
