CORENET-6610: Add EVPN APIs

[kyrtapz]

NOTE: EVPN requires route advertisements to function, enabling or disabling it dynamically changes the CUDN CRD schema (adding/removing EVPN fields), which can invalidate existing CUDN resources that use EVPN transport.

We have decided to make the API static, we only disable EVPN flag in ovn-k based on the route advertisements being enabled.

Needs to wait for openshift/ovn-kubernetes#2953 (introduces the feature flag to ovn-k).

[openshift-ci-robot]

@kyrtapz: This pull request references CORENET-6610 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds EVPN support gated by OVN_EVPN_ENABLE: new cluster-scoped VTEP CRD, EVPN fields and cross-field validations in ClusterUserDefinedNetwork and topology, conditional RBAC for vteps, feature-gate wiring and tests, ovnkube startup flag injection, keepCRDs update, and two dependency bumps.

Changes

Cohort / File(s)	Summary
CRD Schema & API bindata/network/ovn-kubernetes/common/001-crd.yaml	Adds cluster-scoped VTEP CRD (k8s.ovn.org v1) and extends ClusterUserDefinedNetwork public spec with spec.network.evpn (ipVRF, macVRF, vni, routeTarget, vtep) and topology.transport; adds extensive x-kubernetes-validations gated by OVN_EVPN_ENABLE/OVN_EVPN_ENABLE_API.
RBAC bindata/network/ovn-kubernetes/common/002-rbac-node.yaml, bindata/network/ovn-kubernetes/common/004-rbac-control-plane.yaml	Adds Helm/template-guarded RBAC when OVN_EVPN_ENABLE is true: node role gets list,get,watch on vteps; control-plane gets list,get,watch on vteps and patch,update on vteps/status.
Startup flags & manifests bindata/network/ovn-kubernetes/common/008-script-lib.yaml, bindata/network/ovn-kubernetes/managed/ovnkube-control-plane.yaml, bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml	Introduces evpn_enable_flag set when OVN_EVPN_ENABLE == "true" and injects --enable-evpn into ovnkube startup arguments.
Render wiring & feature gates pkg/network/ovn_kubernetes.go, pkg/network/ovn_kubernetes_test.go	Adds OVN_EVPN_ENABLE_API and OVN_EVPN_ENABLE render keys (one API-only from feature gate; one requiring feature gate + route-ads logic) and updates tests to include FeatureGateEVPN in relevant feature-gate sets.
Controller keep list pkg/controller/statusmanager/status_manager.go	Adds vteps.k8s.ovn.org to the keepCRDs set so the VTEP CRD is preserved.
Dependencies go.mod	Bumps github.com/openshift/api and github.com/openshift/client-go pseudo-versions.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@bindata/network/ovn-kubernetes/common/001-crd.yaml`:
- Around line 3851-3864: The RT validation for 4-byte ASN global administrator
in both the ipVRF and macVRF EVPN routeTarget rule blocks erroneously only
checks that uint(self.split(':')[0]) <= 65535u; update the boolean expression in
the first rule to also enforce the documented upper bound by requiring
uint(self.split(':')[0]) <= 4294967295u (i.e., add this upper-bound check
alongside the existing checks or replace the 65535 limit with 4294967295 where
appropriate) so the rule rejects values greater than 4294967295; apply the same
change to both the ipVRF and macVRF routeTarget validation blocks.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between a4a0c72 and b608e2e.

⛔ Files ignored due to path filters (71)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/api/.ci-operator.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/.coderabbit.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/.golangci.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/AGENTS.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/Dockerfile.ocp is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/apiextensions/install.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/apiextensions/v1alpha1/Makefile is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/apiextensions/v1alpha1/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/apiextensions/v1alpha1/register.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_cluster_version.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_feature.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_image_policy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_node.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_scheduling.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/console/v1/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/features.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/features/features.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/features/util.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/install.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machine/v1beta1/types_machine.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1/types_machineconfignode.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1alpha1/register.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types_internalreleaseimage.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types_osimagestream.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1alpha1/types_pinnedimageset.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/types_console.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/types_ingress.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-OKD.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-OKD.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-TechPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (5)

• bindata/network/ovn-kubernetes/common/001-crd.yaml
• bindata/network/ovn-kubernetes/common/002-rbac-node.yaml
• bindata/network/ovn-kubernetes/common/004-rbac-control-plane.yaml
• go.mod
• pkg/network/ovn_kubernetes.go

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• pkg/network/ovn_kubernetes.go
• go.mod
• bindata/network/ovn-kubernetes/common/004-rbac-control-plane.yaml
• bindata/network/ovn-kubernetes/common/002-rbac-node.yaml
• bindata/network/ovn-kubernetes/common/001-crd.yaml

🔇 Additional comments (7)

go.mod (1)

105-105: LGTM!

The dependency update to github.com/openshift/api is required to bring in the new EVPN-related API types (VTEP CRD and EVPN configuration fields) used by this PR.

bindata/network/ovn-kubernetes/common/002-rbac-node.yaml (1)

212-221: LGTM!

The conditional RBAC rule follows the established pattern for feature-gated permissions. Granting read-only access (list/get/watch) to vteps for nodes is appropriate and follows the principle of least privilege.

bindata/network/ovn-kubernetes/common/004-rbac-control-plane.yaml (1)

255-271: LGTM!

The RBAC rules for the control plane appropriately include:

• Read access (list/get/watch) to vteps
• Write access (patch/update) to vteps/status for status reconciliation

This follows the same pattern as other feature-gated CRDs like routeadvertisements.

pkg/network/ovn_kubernetes.go (1)

344-344: LGTM!

The feature gate integration follows the established pattern used by other OVN feature gates in this file. The OVN_EVPN_ENABLE data key will control conditional rendering of EVPN-related CRDs and RBAC rules in the templates. FeatureGateEVPN is properly defined in the vendored github.com/openshift/api/features dependency.

bindata/network/ovn-kubernetes/common/001-crd.yaml (3)

4504-4518: Transport enum addition looks good.

Clear values and description fit the EVPN feature gate behavior.

---

4536-4558: EVPN topology/transport guardrails are well covered.

The validation rules align EVPN fields with Layer2/Layer3 primary semantics.

---

5272-5424: VTEP CRD schema and validations look solid.

The CIDR masking checks and mode defaulting are clear.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[openshift-ci-robot]

@kyrtapz: This pull request references CORENET-6610 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

NOTE: EVPN requires route advertisements to function, enabling or disabling it dynamically changes the CUDN CRD schema (adding/removing EVPN fields), which can invalidate existing CUDN resources that use EVPN transport.

Needs to wait for openshift/ovn-kubernetes#2953 (introduces the feature flag to ovn-k).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[kyrtapz]

@pliurh FYI: This will have to be changed in the future to accommodate no-overlay as well.

[pliurh]

cc @ricky-rav

[kyrtapz]

/retest-required

[kyrtapz]

/test ?

[openshift-ci-robot]

@kyrtapz: This pull request references CORENET-6610 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

We have decided to make the API static, we only disable EVPN flag in ovn-k based on the route advertisements being enabled. 

Needs to wait for https://github.com/openshift/ovn-kubernetes/pull/2953 (introduces the feature flag to ovn-k).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@kyrtapz: This pull request references CORENET-6610 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

NOTE: EVPN requires route advertisements to function, enabling or disabling it dynamically changes the CUDN CRD schema (adding/removing EVPN fields), which can invalidate existing CUDN resources that use EVPN transport.

We have decided to make the API static, we only disable EVPN flag in ovn-k based on the route advertisements being enabled.

Needs to wait for openshift/ovn-kubernetes#2953 (introduces the feature flag to ovn-k).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jcaamano]

Why not handle the logic just once in ovn_kubernetes.go?
Also check for local gateway mode as well?

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@bindata/network/ovn-kubernetes/common/001-crd.yaml`:
- Around line 3792-3793: The YAMLlint error is caused by raw Go template guards
like "{{- if .OVN_EVPN_ENABLE_API }}" and matching "{{- end }}" appearing as
plain YAML; update the template to comment out or neutralize each guard so
YAMLlint can parse the file (e.g., replace raw guards with commented versions)
for every occurrence including the guards around "evpn" (the "{{- if
.OVN_EVPN_ENABLE_API }}" / "{{- end }}" pair) and the other listed guard
locations; ensure you keep the original guard text commented so the template
logic is preserved for tooling that processes the template, or alternatively add
this file to YAMLlint exclusions if commenting is not acceptable.

[kyrtapz]

/test e2e-gcp-ovn-techpreview

[jcaamano]

If you have the chance to make another push, consider something along the lines of OVN_EVPN_ENABLE_CUDN_API

Don't bother if you don't need to make another push or you are happy enough with current name

[jcaamano]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jcaamano, kyrtapz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jcaamano,kyrtapz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kyrtapz]

This PR only affects techpreview
/label acknowledge-critical-fixes-only
/verified by https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cluster-network-operator/2881/pull-ci-openshift-cluster-network-operator-master-e2e-gcp-ovn-techpreview/2023410684238237696

[openshift-ci-robot]

@kyrtapz: This PR has been marked as verified by https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cluster-network-operator/2881/pull-ci-openshift-cluster-network-operator-master-e2e-gcp-ovn-techpreview/2023410684238237696.

Details

In response to this:

This PR only affects techpreview
/label acknowledge-critical-fixes-only
/verified by https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cluster-network-operator/2881/pull-ci-openshift-cluster-network-operator-master-e2e-gcp-ovn-techpreview/2023410684238237696

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jcaamano]

/retest

[kyrtapz]

/retest-required

[kyrtapz]

/retest-required

[kyrtapz]

The failures are almost certainly unrelated to the changes since they only affect TP clusters.
Reached out here: https://redhat-external.slack.com/archives/C01C8502FMM/p1771334598833229

[kyrtapz]

https://redhat-internal.slack.com/archives/C01CQA76KMX/p1771336302007649
https://redhat-internal.slack.com/archives/C01CQA76KMX/p1771335440740109

/override ci/prow/hypershift-e2e-aks
/override ci/prow/e2e-aws-ovn-hypershift-conformance

[openshift-ci]

@kyrtapz: Overrode contexts on behalf of kyrtapz: ci/prow/e2e-aws-ovn-hypershift-conformance, ci/prow/hypershift-e2e-aks

Details

In response to this:

https://redhat-internal.slack.com/archives/C01CQA76KMX/p1771336302007649
https://redhat-internal.slack.com/archives/C01CQA76KMX/p1771335440740109

/override ci/prow/hypershift-e2e-aks
/override ci/prow/e2e-aws-ovn-hypershift-conformance

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@kyrtapz: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/security	93b77b1	link	false	/test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.