net, evpn: add stretched L2 connectivity tests

[servolkov]

What this PR does / why we need it:

Add stretched L2 connectivity tests for EVPN, including live migration verification.

• Rename the misleadingly named "iperf3" container in the external FRR pod to "net-tools" and extract NET_TOOLS_CONTAINER_NAME constant
• Add container and netns parameters to PodTcpClient for running iperf3 in specific containers and network namespaces
• Add EVPN L2 endpoint emulation inside the external FRR pod (bridge, VXLAN, veth, netns) and implement stretched L2 connectivity and live migration tests

Which issue(s) this PR fixes:

Special notes for reviewer:

• Reference VM (vm_evpn_reference) is function-scoped — it is used by a single test, ensuring proper teardown and freeing a node for migration

jira-ticket: https://redhat.atlassian.net/browse/CNV-80611

Assisted-by: Claude Opus 4.6 noreply@anthropic.com

Summary by CodeRabbit

• Tests

  • Added test fixtures for EVPN bridge and L2 endpoint deployment.
  • Enabled stretched L2 connectivity tests with active TCP connection validation across IP families.
  • Added live migration test to verify connection preservation.

• Chores

  • Enhanced network testing infrastructure with improved container and network namespace support for traffic clients.

[coderabbitai]

Warning

Rate limit exceeded

@servolkov has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 20 minutes and 13 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1af7f1b9-e307-4d1f-889c-251b033c1698

📥 Commits

Reviewing files that changed from the base of the PR and between 047d4af and 89eec62.

📒 Files selected for processing (6)

• libs/net/traffic_generator.py
• tests/network/bgp/conftest.py
• tests/network/bgp/evpn/conftest.py
• tests/network/bgp/evpn/libevpn.py
• tests/network/bgp/evpn/test_evpn_connectivity.py
• tests/network/libs/bgp.py

📝 Walkthrough

Walkthrough

The PR extends traffic client support for network namespace execution, renames the external FRR pod's utility container from iperf3 to net-tools, and implements EVPN L2 stretched endpoint testing infrastructure with deployment helpers, test fixtures, and connectivity validation tests.

Changes

EVPN L2 Stretched Connectivity Testing

Layer / File(s)	Summary
Traffic Client Enhancement libs/net/traffic_generator.py	PodTcpClient accepts optional container and netns parameters. When netns is provided, the __enter__ method wraps the iperf3 invocation with ip netns exec {netns} to execute the client in a network namespace.
Container Naming & BGP Infrastructure tests/network/libs/bgp.py, tests/network/bgp/conftest.py	Introduces NET_TOOLS_CONTAINER_NAME constant and updates the external FRR pod's secondary container from hardcoded "iperf3" to NET_TOOLS_CONTAINER_NAME. Updates fixtures to pass the renamed container to TcpClient.
EVPN Endpoint Deployment Helpers tests/network/bgp/evpn/libevpn.py	Adds EvpnEndpoint dataclass and deployment functions: deploy_evpn_bridge() creates a shared bridge in the FRR pod; deploy_evpn_l2_endpoint() provisions a VXLAN device, veth pair, and netns with IP/interface setup; _build_l2_endpoint_commands() generates step-by-step provisioning commands; evpn_workloads_active_connections() and _evpn_workloads_connection() context managers orchestrate TCP client/server pairs. Removes unused cudn_evpn_subnets() helper.
EVPN Test Fixtures tests/network/bgp/evpn/conftest.py	Adds endpoint IP constants (EXTERNAL_L2_ENDPOINT_IPV4, EXTERNAL_L2_ENDPOINT_IPV6). Changes vm_evpn_reference scope from module to default. Adds function-scoped fixtures: evpn_bridge deploys the EVPN bridge; external_l2_endpoint derives worker IPs from OVN annotations and deploys the L2 endpoint with computed VTEP/endpoint IPs; evpn_stretched_l2_active_connections yields active connection pairs.
Test Implementation tests/network/bgp/evpn/test_evpn_connectivity.py	Removes hard-disable behavior from stretched-L2 connectivity tests. Updates test_stretched_l2_connectivity_udn_vm_and_external_provider to actively create/validate TCP connections using evpn_workloads_active_connections. Updates test_stretched_l2_connectivity_is_preserved_over_live_migration to perform live migration and re-validate TCP connectivity across the active connection pairs using per-IP subtests.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~35 minutes

The PR combines straightforward constant renaming with significant new EVPN infrastructure. Review effort is driven by: (1) understanding the new EVPN deployment command sequencing and state management via EvpnEndpoint; (2) validating the context manager cleanup patterns in evpn_workloads_active_connections(); (3) verifying fixture scope changes (particularly vm_evpn_reference moving from module to default scope) won't cause unexpected teardown timing; (4) confirming the netns parameter threading through traffic clients operates correctly. The changes are heterogeneous (deployment logic, fixtures, test assertions) but follow a coherent narrative around enabling L2 stretched endpoint testing.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 38.89% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding stretched L2 connectivity tests for EVPN, which aligns with the comprehensive changes across multiple files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description includes all required template sections with substantive content addressing the changes, motivation, and context.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 20 minutes and 13 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-virtualization-qe-bot-3]

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

• Reviewer Assignment: Reviewers are automatically assigned based on the OWNERS file in the repository root
• Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are automatically applied based on changes
• Issue Creation: A tracking issue is created for this PR and will be closed when the PR is merged or closed
• Branch Labeling: Branch-specific labels are applied to track the target branch
• Auto-verification: Auto-verified users have their PRs automatically marked as verified
• Labels: Enabled categories: branch, can-be-merged, cherry-pick, has-conflicts, hold, needs-rebase, size, verified, wip

📋 Available Commands

PR Status Management

• /wip - Mark PR as work in progress (adds WIP: prefix to title)
• /wip cancel - Remove work in progress status
• /hold - Block PR merging (approvers only)
• /hold cancel - Unblock PR merging
• /verified - Mark PR as verified
• /verified cancel - Remove verification status
• /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)
• /regenerate-welcome - Regenerate this welcome message

Review & Approval

• /lgtm - Approve changes (looks good to me)
• /approve - Approve PR (approvers only)
• /assign-reviewers - Assign reviewers based on OWNERS file
• /assign-reviewer @username - Assign specific reviewer
• /check-can-merge - Check if PR meets merge requirements

Testing & Validation

• /retest tox - Run Python test suite with tox
• /retest build-container - Rebuild and test container image
• /retest verify-bugs-are-open - verify-bugs-are-open
• /retest all - Run all available tests

Container Operations

• /build-and-push-container - Build and push container image (tagged with PR number)
  • Supports additional build arguments: /build-and-push-container --build-arg KEY=value

Cherry-pick Operations

• /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
  • Multiple branches: /cherry-pick branch1 branch2 branch3

Label Management

• /<label-name> - Add a label to the PR
• /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

1. Approval: /approve from at least one approver
2. LGTM Count: Minimum 2 /lgtm from reviewers
3. Status Checks: All required status checks must pass
4. No Blockers: No wip, hold, has-conflicts labels and PR must be mergeable (no conflicts)
5. Verified: PR must be marked as verified

📊 Review Process

Approvers and Reviewers

Approvers:

• EdDev
• dshchedr
• myakove
• rnetser
• vsibirsk

Reviewers:

• Anatw
• EdDev
• RoniKishner
• azhivovk
• dshchedr
• frenzyfriday
• nirdothan
• orelmisan
• rnetser
• servolkov
• vsibirsk
• yossisegev

Available Labels

• hold
• verified
• wip
• lgtm
• approve

AI Features

• Cherry-Pick Conflict Resolution: Enabled (claude/claude-opus-4-6[1m])

💡 Tips

• WIP Status: Use /wip when your PR is not ready for review
• Verification: The verified label is removed on new commits unless the push is detected as a clean rebase
• Cherry-picking: Cherry-pick labels are processed when the PR is merged
• Container Builds: Container images are automatically tagged with the PR number
• Permission Levels: Some commands require approver permissions
• Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@libs/net/traffic_generator.py`:
- Around line 175-183: The constructor PodTcpClient.__init__ in
libs/net/traffic_generator.py is missing the explicit return type annotation
required by mypy strict (ANN204); update the method signature for
PodTcpClient.__init__ to include the return type "-> None" (keeping all existing
parameter types unchanged) so the initializer explicitly declares it returns
None.

In `@tests/network/bgp/evpn/conftest.py`:
- Around line 199-223: The evpn_bridge and external_l2_endpoint fixtures
currently return without cleaning up, leaving br0, vxlan-l2, veth-l2-*, and
l2-ep behind; change both fixtures to use yield-based fixtures and perform
teardown after the yield: in evpn_bridge (which calls deploy_evpn_bridge) yield
control and then call the inverse cleanup to delete the bridge and related
interfaces on frr_external_pod, and in external_l2_endpoint (which calls
deploy_evpn_l2_endpoint) yield the EvpnEndpoint and then remove the deployed L2
endpoint, delete vxlan and veth interfaces and any created l2-ep state on
frr_external_pod and worker nodes; ensure you reference and use the same
identifiers (evpn_bridge, external_l2_endpoint, deploy_evpn_bridge,
deploy_evpn_l2_endpoint, frr_external_pod) so teardown targets the exact
resources created.

In `@tests/network/libs/bgp.py`:
- Around line 309-312: _acquire_dhcp_ipv4 currently calls dhclient in
NET_TOOLS_CONTAINER_NAME but runs the subsequent ip lookup with pod.execute()'s
default container, reintroducing a dependency on the FRR image; update the ip
command invocation in _acquire_dhcp_ipv4 to pass
container=NET_TOOLS_CONTAINER_NAME (same as the dhclient call) so iface_info is
collected from the net-tools container, referencing the pod.execute call,
NET_TOOLS_CONTAINER_NAME and iface_name inside the _acquire_dhcp_ipv4 function.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4519cb2f-c0e2-4e58-a937-4833ca362422

📥 Commits

Reviewing files that changed from the base of the PR and between 9ba4f41 and 047d4af.

📒 Files selected for processing (6)

• libs/net/traffic_generator.py
• tests/network/bgp/conftest.py
• tests/network/bgp/evpn/conftest.py
• tests/network/bgp/evpn/libevpn.py
• tests/network/bgp/evpn/test_evpn_connectivity.py
• tests/network/libs/bgp.py

[servolkov]

Change: address bot comments

[servolkov]

/verified

$ uv run pytest --cluster-sanity-skip-nodes-check --cluster-sanity-skip-storage-check --skip-deprecated-api-test --cluster-sanity-skip-check tests/network/bgp/
...
5 of 5 completed, 5 Pass, 0 Fail, 0 Skip, 0 XPass, 0 XFail, 0 Error, 0 ReRun

[openshift-virtualization-qe-bot-3]

@coderabbitai

Test execution plan request details

CRITICAL: You MUST post an inline review comment on the first changed line of the first file.
The inline comment should contain the Test Execution Plan with the smoke tests recommendation.
Do NOT submit a formal review - just post the inline comment directly.

As an expert software testing engineer, analyze all modified files in this PR and create a targeted test execution plan.
You will post an inline review comment with the test execution plan on the first changed file.
If you fail to run or post a comment, retry.

Analysis Requirements:

1. Examine code changes in each modified file
2. Identify affected code paths, functions, and classes
3. Analyze pytest-specific elements: fixtures (scope, dependencies), parametrization, markers, conftest changes
4. Trace test dependencies through imports, shared utilities, and fixture inheritance
5. Detect new tests introduced in the PR
6. Smoke Test Impact Analysis: Determine if any changes could affect smoke tests by checking:
   • Changes to files/functions used by tests marked with @pytest.mark.smoke
   • Changes to fixtures or utilities imported by smoke tests
   • Changes to conftest.py files that may affect smoke test execution
   • Changes to core infrastructure code (utilities/, libs/) that smoke tests depend on

Your deliverable:
Your change request comment will be based on the following requirements:

Test Execution Plan

• Run smoke tests: True / False (Based on your smoke test impact analysis - True if any changes may affect smoke tests)
• path/to/test_file.py - When the entire test file needs verification
• path/to/test_file.py::TestClass::test_method - When specific test(s) needed
• path/to/test_file.py::test_function - When specific test(s) needed
• -m marker - When specific marker(s) can be used to cover multiple cases.

Guidelines:

• Include only tests directly affected by the changes
• Use a full file path only if ALL tests in that file require verification
• Use file path + test name if only specific tests are needed
• If a test marker can cover multiple files/tests, provide the marker
• Balance coverage vs over-testing - Keep descriptions minimal

Hardware-Related Checks (SR-IOV, GPU, DPDK):

When PR modifies fixtures for hardware-specific resources:

• Collection Safety: Fixtures MUST have existence checks (return None when hardware unavailable)
• Test Plan: MUST verify both WITH and WITHOUT hardware:
  • Run affected tests on cluster WITH hardware
  • Verify collection succeeds on cluster WITHOUT hardware

CRITICAL WORKFLOW COMPLETION RULES:

When responding to this test execution plan request, you MUST follow these rules EXACTLY:

1. YOUR ONLY DELIVERABLE: Post an inline review comment containing the test execution plan on the first changed line
2. THEN STOP IMMEDIATELY - Do NOT generate any additional response
3. FALLBACK ONLY: If submitting the review fails after retrying, post as a regular PR comment
4. SILENCE = SUCCESS: After successfully submitting the review, your task is complete. No confirmation needed.

ABSOLUTE PROHIBITIONS (violating these creates empty/meaningless reviews):

• ❌ Do NOT post acknowledgment messages like "Test execution plan posted", "Review posted successfully", "I've successfully posted"
• ❌ Do NOT mention review IDs, URLs, or confirmation of posting in the PR thread
• ❌ Do NOT add any follow-up comments after submitting the review
• ❌ Do NOT reply to confirm task completion
• ❌ Do NOT explain what you did - just do it and stop

Remember: The pull request review is visible to users. Additional comments are redundant noise.

CRITICAL: Before setting "Run smoke tests: True", you MUST use shell scripts to:
- Trace the actual fixture dependency chain from smoke tests to changed fixtures
- Verify that smoke tests actually import/use changed utilities or functions
- Confirm the dependency path exists; do NOT assume based on scope or semantics
- Be conservative: Session-scoped fixtures or infrastructure-sounding names do NOT
automatically mean smoke test impact. Only flag smoke test impact when you can
demonstrate a concrete dependency path.
WRONG: "This session-scoped storage fixture might affect smoke tests"
RIGHT: "Smoke test X uses fixture Y, which depends on the changed fixture Z"

[coderabbitai]

Test Execution Plan

Run smoke tests: False

No concrete dependency path found from any smoke-marked test to changed files (libs/net/traffic_generator.py, tests/network/libs/bgp.py).

Tests to Run

• tests/network/bgp/evpn/test_evpn_connectivity.py::test_stretched_l2_connectivity_udn_vm_and_external_provider — newly enabled; validates external L2 endpoint TCP connectivity
• tests/network/bgp/evpn/test_evpn_connectivity.py::test_stretched_l2_connectivity_is_preserved_over_live_migration — newly enabled; validates connectivity survives live migration
• tests/network/bgp/test_bgp_connectivity.py — bgp/conftest.py changed (tcp_client_external_network now passes container=NET_TOOLS_CONTAINER_NAME); all BGP connectivity tests should be re-verified

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for smoke tests using PodTcpClient or related utilities
rg -n "smoke" tests/network/bgp/ -l 2>/dev/null || echo "No smoke tests in bgp dir"

# Check for smoke marks in any files that import PodTcpClient
rg -n "PodTcpClient" --type py -l
rg -n "pytest.mark.smoke" --type py -l | head -20

# Check if any smoke tests import from traffic_generator or bgp libs
rg -n "traffic_generator|from.*bgp import|NET_TOOLS_CONTAINER_NAME" --type py -l | head -20

# Get the PR diff to find the first changed file and first changed line
gh pr diff 4709 --repo RedHatQE/openshift-virtualization-tests | head -60

Length of output: 4170

---

🏁 Script executed:

#!/bin/bash
# Get the PR's latest commit SHA for the inline comment
gh pr view 4709 --repo RedHatQE/openshift-virtualization-tests --json headRefOid -q '.headRefOid'

# Get the list of smoke tests that import traffic_generator to confirm no dependency
rg -n "traffic_generator" --type py tests/ | grep -i smoke | head -10 || echo "No smoke test imports traffic_generator"

# Verify smoke test files don't import bgp lib
rg -n "from tests.network.libs.bgp import\|from tests.network.libs import bgp" --type py | grep -E "smoke|virt|storage|infra" | head -10 || echo "No cross-dependency found"

Length of output: 41

---

🏁 Script executed:

#!/bin/bash
gh api \
  --method POST \
  -H "Accept: application/vnd.github+json" \
  /repos/RedHatQE/openshift-virtualization-tests/pulls/4709/reviews \
  --field commit_id="89eec62315dae86986a0c626bb903385ee211b61" \
  --field event="COMMENT" \
  --field "comments[][path]"="libs/net/traffic_generator.py" \
  --field "comments[][position]"=5 \
  --field "comments[][body]"="## Test Execution Plan

**Run smoke tests: False**
> No concrete dependency path found from any smoke-marked test to changed files (\`libs/net/traffic_generator.py\`, \`tests/network/libs/bgp.py\`).

### Tests to Run

- \`tests/network/bgp/evpn/test_evpn_connectivity.py::test_stretched_l2_connectivity_udn_vm_and_external_provider\` — newly enabled; validates external L2 endpoint TCP connectivity
- \`tests/network/bgp/evpn/test_evpn_connectivity.py::test_stretched_l2_connectivity_is_preserved_over_live_migration\` — newly enabled; validates connectivity survives live migration
- \`tests/network/bgp/test_bgp_connectivity.py\` — \`bgp/conftest.py\` changed (\`tcp_client_external_network\` now passes \`container=NET_TOOLS_CONTAINER_NAME\`); all BGP connectivity tests should be re-verified"

Length of output: 1735

---