OCPBUGS-88733,OCPBUGS-88734: Branch Sync main to release-4.22 [06-16-2026] #3252
openshift-pr-manager[bot] wants to merge 89 commits into
Clean up leftover raft-related code that was missed by PR #6303 (Remove central mode support). The four shell variables (ovn_nb_raft_port, ovn_sb_raft_port, ovn_nb_raft_election_timer, ovn_sb_raft_election_timer) and their documentation comments are defined but never referenced anywhere in the codebase. Signed-off-by: Matteo Dallaglio <mdallagl@redhat.com>
The report was skipping: - indexing results (due to the rm of the perf-data) - capturing the baseline run and reporting the diff to the PR due to how I was capturing the PR #. Both issues are addressed. Signed-off-by: jtalerico <joe.talerico@gmail.com>
Signed-off-by: Lei Huang <leih@nvidia.com>
- Modify UDN/CUDN CRD schemas to allow adding multiple cluster-subnets of the same IP family in Layer3 topology - Reconcile network controllers to add new subnets to NodeAllocator. Fixes #5377 Signed-off-by: Lei Huang <leih@nvidia.com>
This change adds test cases for: - Pods can perform east/west traffic between nodes on different CIDR - add subnet not affecting existing node subnet assignment - add bad subnet should not cause change on existing NAD Signed-off-by: Lei Huang <leih@nvidia.com>
Update ClusterNetworkConnect routing policy generation to create a single logical router policy per destination network and IP family. When a connected network has multiple same-family pod subnets, fold them into one OR match instead of creating multiple policies with the same DB identity. Signed-off-by: Lei Huang <huang.f.lei@gmail.com>
Add unit coverage for the case where a primary UDN gains a new subnet that overlaps an existing EgressFirewall CIDRSelector. The test verifies that the initial ACL does not exclude the new subnet, then updates the primary network subnets and confirms the reconciled ACL adds the pod-subnet exclusion so east/west traffic is not affected by the EgressFirewall rule. Signed-off-by: Lei Huang <huang.f.lei@gmail.com>
Update the OKEP to note that no RouteAdvertisement code change is required for Layer3 topology. FRR pod-subnet advertisements use node subnet annotations, not the NAD cluster subnet list directly, and node subnet annotation updates already trigger RA reconciliation. Signed-off-by: Lei Huang <huang.f.lei@gmail.com>
Add unit coverage for overlay mode route import when a primary UDN has multiple cluster subnets. Verify that a BGP route contained in an additional UDN subnet is ignored and not imported into OVN. This confirms the existing route import logic accounts for all network subnets when filtering pod-network routes in overlay mode. Signed-off-by: Lei Huang <huang.f.lei@gmail.com>
Queue advertised local nodes for reconciliation when a network subnet list changes. This ensures BGP Network Isolation ACLs are rebuilt when a primary Layer3 UDN gains an additional subnet. Add unit coverage for both the reconcile trigger and the advertised network isolation pass ACL update with the added subnet. Signed-off-by: Lei Huang <huang.f.lei@gmail.com>
Trigger local node reconciliation when Egress IP is enabled and a primary Layer3 UDN adds or removes cluster subnets. Add unit coverage for the subnet-change reconcile path and verify Egress IP route/no-reroute policy generation covers every primary Layer3 UDN subnet. Signed-off-by: Lei Huang <huang.f.lei@gmail.com>
Update primary Layer3 UDN/CUDN e2e coverage to use multi-subnet configuration where the test is not specifically validating single-subnet behavior. This broadens runtime coverage for existing network segmentation, service, egress firewall, egress IP, endpoint slice mirroring, and route advertisement flows. Signed-off-by: Lei Huang <huang.f.lei@gmail.com>
OVN-Kubernetes renames the simulated management representor to ovn-k8s-mp0 and preserves the original rep0-X name as the link alias. Fall back to alias lookup so DPU-mode restarts and Helm rollouts can find the representor after it has been renamed. Signed-off-by: Tim Rozet <trozet@nvidia.com>
Remove dead raft variable definitions from ovnkube.sh
Fix performance report
Set OVN_ROUTE_ADVERTISEMENTS_ENABLE in the single-node-zone DPU chart so DPU-mode ovnkube-controller receives the Helm route-advertisements feature setting. Signed-off-by: Tim Rozet <trozet@nvidia.com>
DPU-host mode updates advertised UDN isolation nftables for primary UDNs, but the base sets were only configured from the full-mode NodePort watcher path. That left DPU-host nodes without the advertised UDN subnet sets when NodePort was disabled. Move the setup into default node controller initialization for full and DPU-host mode, and keep the existing route advertisements feature gate. Add a DPU-host test that covers NodePort-disabled startup. Signed-off-by: Tim Rozet <trozet@nvidia.com>
Resolve simulated DPU representors by alias
When a VM's spec.template.spec.hostname is set, KubeVirt copies it into the vm.kubevirt.io/name label on virt-launcher pods instead of the actual VM name. OVN-K used this label to find pods belonging to a VM (e.g. during live migration, or to tag OVN topology elements for cleanup). Since multiple VMs can share the same hostname, the label can no longer uniquely identify a VM's pods -- with 3+ VMs sharing a hostname, the 3rd VM fails with "unexpected live migration state at pods". This change switches to the kubevirt.io/domain annotation, which always reflects the real VM name. Since annotations can't be used in label selectors, we optimize: if the domain name matches the vm.kubevirt.io/name label (the common case), we use the label for lookup; otherwise we fall back to iterating virt-launcher pods in the namespace and matching by annotation. Note: KubeVirt >= 1.7 introduces a vm.kubevirt.io/id label that reliably identifies the VM, but it is not added retroactively to pods created with older versions. If KubeVirt adds a mutating webhook for that in the future, we can use it as a further optimization. Assisted-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Enrique Llorente <ellorent@redhat.com>
Signed-off-by: Enrique Llorente <ellorent@redhat.com>
Replace the fake virt-launcher pod with a proper VMI using fedoraWithTestToolingVMI and l2bridge binding plugin. This is needed because now ovnk requires the same labels as IPAM controller, so now IPAM controller is activated by these tests and fails since there is no vm. This also allows us to remove dependency on nmstate build image quay.io/nmstate/c10s-nmstate-dev:latest Signed-off-by: Enrique Llorente <ellorent@redhat.com>
kubevirt: Support handling vm hostname field
Pass route advertisement flag to DPU nodes
Configure advertised UDN nftables on node init
P-UDN: support multiple cluster-subnets for Layer3 topology
Signed-off-by: Vicente Zepeda Mas <vzepedam@redhat.com>
Route import discovers the table to mirror by looking up the per-network VRF. DPU mode programs the UDN datapath on the DPU, but did not create that VRF, so advertised CUDNs had no table for BGP routes to land in and the existing import logic had nothing to read. Create a DPU-only UDN VRF with no enslaved management interface. Use a DPU-specific table range because there is no host management port index to derive the table from. Wire DPU mode to create and run the VRF manager while keeping the IP rule manager limited to full and DPU-host modes. Leave the DPU-host IP rules and management-port routes unchanged, and delete the VRF with the network. Signed-off-by: Tim Rozet <trozet@nvidia.com>
Instead of tests individually resolving where they get the agnhost image from, have that coordinated from the images e2e package. This also honors the upstream specific override. Other images should follow the same approach in the future. Signed-off-by: Jaime Caamaño Ruiz <jcaamano@redhat.com>
Create UDN VRFs in DPU mode
Some multihoming tests were using fixed sleeps after creating network attachment definitions to give controllers time to catch up before creating pods or applying policies. These waits were added as temporary buffers and now just slow the suite down. This cleanup assumes the original production-side race is already addressed by PR #5705 (ovn-kubernetes/ovn-kubernetes#5705, "Fixes NAD Controller syncAll for networkID upgrade from node->NAD") and/or later by commit 5b01e17 ("Refactor NADController notifying into level driven reconciler"). Signed-off-by: Ihar Hrachyshka <ihrachyshka@nvidia.com> Assisted-by: Codex <noreply@openai.com>
|
@qinqon: This pull request references Jira Issue OCPBUGS-88733, which is valid. The bug has been moved to the POST state. 7 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (core-networking-bot@redhat.com), skipping review request.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retitle OCPBUGS-88733,OCPBUGS-88734: Branch Sync main to release-4.22 [06-16-2026] |
|
@openshift-pr-manager[bot]: This pull request references Jira Issue OCPBUGS-88733, which is valid. The bug has been moved to the POST state. 7 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (core-networking-bot@redhat.com), skipping review request. The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-88734, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. |
|
/jira refresh |
|
@qinqon: This pull request references Jira Issue OCPBUGS-88733, which is valid. The bug has been moved to the POST state. 7 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (core-networking-bot@redhat.com), skipping review request. This pull request references Jira Issue OCPBUGS-88734, which is invalid:
Comment |
|
/jira refresh |
|
@qinqon: This pull request references Jira Issue OCPBUGS-88733, which is valid. 7 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (core-networking-bot@redhat.com), skipping review request. This pull request references Jira Issue OCPBUGS-88734, which is valid. The bug has been moved to the POST state. 7 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (core-networking-bot@redhat.com), skipping review request. |
|
/test e2e-aws-ovn-fdp-qe |
|
/test e2e-aws-ovn-shared-to-local-gateway-mode-migration |
|
/test e2e-aws-ovn-upgrade |
|
/test e2e-metal-ipi-ovn-ipv6 |
|
/payload-job periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-ovn |
|
/payload-job periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aks |
|
@jluhrsen: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/2c57d1c0-69a1-11f1-9cd4-44f9deec8329-0 |
|
@jluhrsen: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/2d589ff0-69a1-11f1-8c5e-f09ff0c98eb8-0 |
|
/payload-job periodic-ci-openshift-release-main-ci-4.22-e2e-azure-ovn-upgrade |
|
@jluhrsen: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/df45a2d0-69a1-11f1-990c-90262d401320-0 |
|
/test e2e-metal-ipi-ovn-ipv6 |
|
/test e2e-metal-ipi-ovn-ipv6 |
|
/test e2e-metal-ipi-ovn-ipv6 |
|
/test e2e-metal-ipi-ovn-ipv6 |
|
@openshift-pr-manager[bot]: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/test e2e-metal-ipi-ovn-ipv6 |
Automated branch sync: main to release-4.22.