CNV-67916: hypershift, kubevirt, add enhancement for IP management

[qinqon]

This enhancement proposes adding static IP address management (IPAM) capabilities to HyperShift when using the KubeVirt provider and the KubeVirt nodepool is not attached to default pod network using a multus layer2 network to replace it.

The implementation enables operators to define IP pools and network configurations that are automatically allocated to virtual machines during cluster provisioning. This functionality addresses the need for predictable, static network configuration in environments where DHCP is not available or desirable, particularly in on-premises and edge deployments.

https://issues.redhat.com/browse/CNV-67916

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign derekwaynecarr for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• enhancements/hypershift/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@qinqon: This pull request references CNV-67916 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.21.0" version, but no target version was set.

In response to this:

This enhancement proposes adding static IP address management (IPAM) capabilities to HyperShift when using the KubeVirt provider and the KubeVirt nodepool is not attached to default pod network using a multus layer2 network to replace it.

The implementation enables operators to define IP pools and network configurations that are automatically allocated to virtual machines during cluster provisioning. This functionality addresses the need for predictable, static network configuration in environments where DHCP is not available or desirable, particularly in on-premises and edge deployments.

https://issues.redhat.com/browse/CNV-67916

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[qinqon]

/cc @maiqueb

[qinqon]

/cc @orenc1

[celebdor]

This should probably use hostedcluster_types things like CIDRBlock or ipNet, or maybe define a new one that can be CEL validated if it is really necessary to have ranges and single IPs

[qinqon]

This should probably use hostedcluster_types things like CIDRBlock or ipNet, or maybe define a new one that can be CEL validated if it is really necessary to have ranges and single IPs

Since this can be a cidr, ip range or single IP I cannot use those types, so this has to be a string slice, I will add a CEL validation.

[celebdor]

Won't it also be necessary to update the ignition generation for the the netconfig?

[qinqon]

Won't it also be necessary to update the ignition generation for the the netconfig?

The fact that we implmenet "IP allocation logic" using virtual machine cloud init network data it's implementation details, so it's part of the Cluster API Provider Kubevirt controller changes

[celebdor]

s/openshift/openstack/ ?

[qinqon]

s/openshift/openstack/ ?

Right, I will also add the it should unerstand either openstack or netplan depending of the kind of networkData we want to use either configdrive or nocloud

[celebdor]

Is this going to be a status condition on the NodePool?

[qinqon]

Is this going to be a status condition on the NodePool?

It should, I will add that

[maiqueb]

Thank you.

[maiqueb]

so the kubevirt VMs which are actually the hosted cluster nodes can be ipv6 nodes ?

do we support single stack ipv6 ? or only dual-stack ?

Just trying to figure out the test matrix we need to have later on.

[qinqon]

so the kubevirt VMs which are actually the hosted cluster nodes can be ipv6 nodes ?

do we support single stack ipv6 ? or only dual-stack ?

Just trying to figure out the test matrix we need to have later on.

For hyperhsift kubevirt we don't use KubeVirt DHCP mechanism we use OVN DHCPOptions instead this allow us to support single stack ipv4/ipv6 and dual stack.

[maiqueb]

but isn't this about localnet secondary interfaces ?

AFAICT we do not have OVN DHCPOpts for localnet secondaries - only on the pod network (masquerade or primary UDN attachments).

[qinqon]

but isn't this about localnet secondary interfaces ?

AFAICT we do not have OVN DHCPOpts for localnet secondaries - only on the pod network (masquerade or primary UDN attachments).

Right, I mixed things up, so since this is static IP assignment and we don't depend on KubeVirt DHCP capabilities we support sintle stack (both ipv4 and ipv6) and dual stack.

[maiqueb]

OK, that's aligned with my expectations.

OK, so the test matrix will be complex. Do we need to have anything in origin ?...

[qinqon]

OK, that's aligned with my expectations.

OK, so the test matrix will be complex. Do we need to have anything in origin ?...

At origin we test dual stack

[maiqueb]

I'm sorry, but I don't follow this.

[qinqon]

I'm sorry, but I don't follow this.

I will reword this

[maiqueb]

I'm forced to say one of the most confusing things to me (I'm not HCP savvy) was to differentiate between these two CRDs.

When I would - as a hosted cluster "owner" - use one of these versus the other ?

Which of these should I use and why ? Or do I need to use both ?

[qinqon]

I'm forced to say one of the most confusing things to me (I'm not HCP savvy) was to differentiate between these two CRDs.

When I would - as a hosted cluster "owner" - use one of these versus the other ?

Which of these should I use and why ? Or do I need to use both ?

At hypershift you use the NodePool CRD, KubevirtMachine is internal to hypershift.

[maiqueb]

why should this matter ? The way I see it, this would become an issue if the node pools are being used at the same time in the same node

[qinqon]

why should this matter ? The way I see it, this would become an issue if the node pools are being used at the same time in the same node

Nodepools cannot be used for the same node, since they are definining those nodes, issue is that one nodepool can contribute to the ip exhaustion of the other if they have overlapping subnets.

[maiqueb]

what I don't follow is how can one network have multiple node pools.

Can you point me towards documentation about the node pool ? What does it reflect, and how it relates to the network ?

[qinqon]

So the nodepool kubevirt specific api hass the additionalNetworks field, to specify the NAD name, this enhancement is adding the IPAM configuration at same API level, and a hosted cluster can have multiple nodepools, this means multiple kubevirt nodepools can have conflicting IPAM configuration, and that's what we want to detect.

[maiqueb]

is it realistic to include incorrect IP allocation in this metric ?

Asking because (in my own limited mental model) we could prevent this, instead of capturing it in a metric.

Couldn't we ?

[qinqon]

is it realistic to include incorrect IP allocation in this metric ?

Asking because (in my own limited mental model) we could prevent this, instead of capturing it in a metric.

Couldn't we ?

Agree since we are already using CEL to ensure propre IPs are configured at the addresses

[qinqon]

is it realistic to include incorrect IP allocation in this metric ?

Asking because (in my own limited mental model) we could prevent this, instead of capturing it in a metric.

Couldn't we ?

Agree since we are already using CEL to ensure propre IPs are configured at the addresses, I will remove it

[maiqueb]

not so fast - I'm not so sure this is this easy / there aren't impacts.

Let's say you're using static IPs, then you stop using it. You remove the NetworkConfig from the template spec.

1. Your existing nodes with static IPs will continue to function.
2. a new node will gets its IP via DHCP
3. what will prevent this new node from getting an IP which is already in use by the static IPs counter part ?

AFAIU, you don't have anything to map the static IPs from the node pool to the DHCP pool availability.

[qinqon]

not so fast - I'm not so sure this is this easy / there aren't impacts.

Let's say you're using static IPs, then you stop using it. You remove the NetworkConfig from the template spec.

1. Your existing nodes with static IPs will continue to function.
2. a new node will gets its IP via DHCP
3. what will prevent this new node from getting an IP which is already in use by the static IPs counter part ?

AFAIU, you don't have anything to map the static IPs from the node pool to the DHCP pool availability.

Even though I think we should not support this, it may work if NodePool is changed so bootstrap network config is removed and virtual machines are restarted.

[openshift-ci]

@qinqon: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/markdownlint	8287292	link	true	/test markdownlint

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.