NO-JIRA: DownStream Merge [04-29-2026] #3168
openshift-pr-manager[bot] wants to merge 33 commits into master from
Assisted-by: gpt-5.4 xhigh Signed-off-by: Ihar Hrachyshka <ihrachyshka@nvidia.com>
Assisted-by: gpt-5.4 xhigh Signed-off-by: Ihar Hrachyshka <ihrachyshka@nvidia.com>
This mode is used to replace namespace address set usage. It will not select hostnetwork pod IPs and will include config.Kubernetes.HostNetworkNamespace address set IPs when that namespace is matched with an empty pod selector. Update gress_policy: now address sets are always created during configuration, the previous exception was for namespace selector that didn't match any namespaces. Add HostNetworkNamespace update calls for addresssetManager. Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
This behaviour was long copied from the old netpol code, on restart we should EnsureAddressSet to preserve existing IPs, and then reconcile instead of setting ips to nil. Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
It won't cause a random addr set creation anymore, unless explicitly used. Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
This is to stay in line with demo version. Signed-off-by: Ihar Hrachyshka <ihrachyshka@nvidia.com>
Fixes #6299 Signed-off-by: Ihar Hrachyshka <ihrachyshka@nvidia.com>
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
This was required to introduce a startup test, because fake address set factory is hard to initialize, and using proper db is better. The initial sync test now also checks updates for requested address sets. Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Also scan udn-layer2-node-gateway-router-lrp-tunnel-ids when discovering stale networks, since L2 primary UDNs with IC don't write node-subnets. Signed-off-by: Yun Zhou <yunz@nvidia.com>
Replace the last namespace address set usage in netpol with addressset manager
Bump frr to 10.6.0 to fix additional coredumps
Limits allocation of subnets and layer 2 tunnel ID for nodes based on if the node is active for a UDN. Removes udnPolicy interface that was a temporary bandaid until cluster manager had dynamic UDN support. Signed-off-by: Tim Rozet <trozet@nvidia.com>
The test was expecting that allocation should fail when the subnet is too small for the number of nodes, we expect the opposite behavior with Dynamic UDN. Signed-off-by: Tim Rozet <trozet@nvidia.com>
There is a race exposed with this test: when namespace without pods is being deleted, should delete NAD in that namespace where CM will create the NAD for a UDN, however the informer for the CM is not updated immediately. If during the window while it created the NAD, but has not updated the informer, a delete event comes for the namespace...then CM will see there is no NAD in the informer cache and skip deleting it. Which leaves it hanging around. As a fallback, this commit uses the k8s client to see if the NAD is truly deleted when it is missing from the informer cache during NAD deletion check. Fixes: #6281 Signed-off-by: Tim Rozet <trozet@nvidia.com>
NADs without CUDN/UDN ownership should be excluded from Dynamic UDN filtering. However, there was controller/node manager specific filtering that did not apply to cluster manager. Therefore cluster manager was not ignoring bare NADs. This commit moves the logic into NodeHasNetwork to make it universal. Includes other fixes to unit tests where the wrong zone name was being used for controllers in tests. Signed-off-by: Tim Rozet <trozet@nvidia.com>
This commit addresses 2 issues: - EF was being applied before a pod was created. When EF is applied it checks for status to see it was applied. However with Dynamic UDN, if no node is active, this status will never be set. Updated the tests to create the source pod before applying the EF. - EF tests were using a primary NAD rather than a CUDN/UDN. Dynamic UDN ignores primary NADs not owned by CUDN/UDN. Change the tests to use a UDN so we can exercise the UDN path as originally intended. Signed-off-by: Tim Rozet <trozet@nvidia.com>
Status manager was waiting for all zones to report before reporting an overall status. This change adds a relevantZoneProvider which resourceManagers may implement to determine dynamically which zones it should care about (active/inactive with dynamic UDN). Signed-off-by: Tim Rozet <trozet@nvidia.com>
Before we were just storing node, and acting as if all networks were active in the tests. Make it more aligned with real network manager and make it per network. Signed-off-by: Tim Rozet <trozet@nvidia.com>
cleanup stale L2 primary UDN tunnel ID annotations on restart
Bumps the go_modules group with 2 updates in the /go-controller directory: [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) and [github.com/moby/spdystream](https://github.com/moby/spdystream). Bumps the go_modules group with 1 update in the /test/conformance directory: [github.com/moby/spdystream](https://github.com/moby/spdystream). Bumps the go_modules group with 1 update in the /test/e2e directory: [github.com/moby/spdystream](https://github.com/moby/spdystream). Updates `github.com/go-jose/go-jose/v4` from 4.1.3 to 4.1.4 - [Commits](go-jose/go-jose@v4.1.3...v4.1.4) Updates `github.com/moby/spdystream` from 0.5.0 to 0.5.1 - [Commits](moby/spdystream@v0.5.0...v0.5.1) --- updated-dependencies: - dependency-name: github.com/go-jose/go-jose/v4 dependency-version: 4.1.4 dependency-type: indirect - dependency-name: github.com/moby/spdystream dependency-version: 0.5.1 dependency-type: indirect - dependency-name: github.com/moby/spdystream dependency-version: 0.5.1 dependency-type: indirect - dependency-name: github.com/moby/spdystream dependency-version: 0.5.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Without this, eBGP peers sharing the same ASN reject each other's routes due to AS-loop detection. Adding "allowas-in origin" per neighbor allows routes originated by same-ASN peers while still preventing actual routing loops. The directive is a no-op for iBGP and is applied unconditionally to support future dynamic ASN scenarios. Signed-off-by: Jaime Caamaño Ruiz <jcaamano@redhat.com>
e2e: fix a few image preload issues
Adds dynamic allocation for cluster manager
…-controller/go_modules-5c9d2901cb Bump the go_modules group across 3 directories with 2 updates
EVPN: add allowas-in origin for BGP neighbors
newClusterManagerNodeController was removed in c1e81f8, use nodecontroller.NewController instead. Signed-off-by: Patryk Diak <pdiak@redhat.com>
fix UDN unit test to use new node controller constructor
Seed the default-network pod annotation on the pod object before passing it to startWithDBSetup, instead of updating it via the API server after informers have already started. This eliminates a race where WatchPods reads the pod from the informer cache before it reflects the post-startup Update, causing the UDN controller to overwrite the 'default' annotation with only the secondary network. Fixes #6280 Signed-off-by: Enrique Llorente <ellorent@redhat.com>
test: fix layer2 UDN controller test flake in kubevirt live-migration
- go mod tidy Automated sync after downstream merge to keep openshift/go.mod in sync with transitive dependencies from go-controller and test/e2e.
/ok-to-test
@openshift-pr-manager[bot]: This pull request explicitly references no jira issue.
@openshift-pr-manager[bot]: trigger 5 job(s) of type blocking for the ci release of OCP 5.0
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/7adc0af0-43c7-11f1-948d-728ee689306a-0
trigger 13 job(s) of type blocking for the nightly release of OCP 5.0
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/7adc0af0-43c7-11f1-948d-728ee689306a-1
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: openshift-pr-manager[bot]
/test e2e-aws-ovn
/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-serial-2of2
@jluhrsen: trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/ce5a1f50-43f4-11f1-89f4-c61ef1ba8429-0
@openshift-pr-manager[bot]: The following tests failed, say
/test e2e-aws-ovn-fdp-qe
/payload-job periodic-ci-openshift-release-main-ci-5.0-upgrade-from-stable-4.22-e2e-azure-ovn-upgrade
@jluhrsen: trigger 4 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/c6b47a90-4438-11f1-8dd3-31f74d7a655f-0
/test e2e-metal-ipi-ovn-dualstack-bgp
@jluhrsen the upstream fix for the address set transaction issue merged: ovn-kubernetes/ovn-kubernetes#6310
/close
@arkadeepsen: Closed this PR.
Automated merge of upstream/master → master.
Note: This PR includes an automated sync of openshift/go.mod with upstream dependencies (go mod tidy).