Tests: Added go unit tests and E2E tests for Kube-OVN Non-Primary CNI mode (#5732)

* Add unit tests for VPC NAT gateway and network attachment functionalities

- Implemented tests for replacing endpoint addresses with secondary IPs in endpoint slices.
- Created new test file for pod-related functionalities, including checks for VPC NAT gateway annotations and network attachments.
- Added tests for retrieving subnet providers, ensuring correct behavior for valid and non-existent subnets.
- Enhanced network attachment utility tests to cover various scenarios, including valid and invalid JSON inputs.

Signed-off-by: Vishal Mohan <[email protected]>

* Add e2e tests and configurations for non-primary CNI functionality

- Implemented e2e tests for non-primary CNI, including VPC and logical network scenarios.
- Created test configurations for VPC simple and NAT gateway setups.
- Added YAML files for logical network and VPC resources to support dynamic KIND bridge network detection.
- Enhanced test framework to handle network interface creation and configuration processing.

Signed-off-by: Vishal Mohan <[email protected]>

* Enhance E2E tests for non-primary CNI with dynamic versioning and resource cleanup

- Introduced functions to dynamically determine Kube-OVN version and registry.
- Added a cleanup function to remove finalizers from Kube-OVN resources.
- Improved pod IP retrieval logic to handle both primary and non-primary CNI cases.
- Refactored the processConfigWithKindBridge function to use dynamic image tags.
- Enhanced test configurations to create a dedicated namespace and network attachment definitions for non-primary CNI testing.
- Updated YAML configurations to reflect new resource definitions and annotations for test pods.
- Improved error handling and resource readiness checks in tests.

Signed-off-by: Vishal Mohan <[email protected]>

* Clean up

Signed-off-by: Vishal Mohan <[email protected]>

* Fixed lint errors

Signed-off-by: Vishal Mohan <[email protected]>

* Add non-primary CNI E2E test workflow to build-x86-image.yaml

Signed-off-by: Vishal Mohan <[email protected]>

* Refactor non-primary CNI setup and enhance E2E tests with updated configurations

Signed-off-by: Vishal Mohan <[email protected]>

* reorder documents

Signed-off-by: Mengxin Liu <[email protected]>

---------

Signed-off-by: Vishal Mohan <[email protected]>
Signed-off-by: Mengxin Liu <[email protected]>
Co-authored-by: Vishal Mohan <[email protected]>
Co-authored-by: Mengxin Liu <[email protected]>

Author: 3 people

.github/workflows/build-x86-image.yaml

@@ -1564,6 +1564,162 @@ jobs:
         if: ${{ success() || (failure() && (steps.install.conclusion == 'failure' || steps.e2e.conclusion == 'failure')) }}
         run: make check-kube-ovn-pod-restarts
 
+  non-primary-cni-e2e:
+    name: Non-Primary CNI E2E
+    needs:
+      - build-kube-ovn
+      - build-e2e-binaries
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        ip-family:
+          - ipv4
+    steps:
+      - uses: jlumbroso/[email protected]
+        with:
+          android: true
+          dotnet: true
+          haskell: true
+          docker-images: false
+          large-packages: false
+          tool-cache: false
+          swap-storage: false
+
+      - uses: actions/checkout@v5
+
+      - name: Create the default branch directory
+        if: (github.base_ref || github.ref_name) != github.event.repository.default_branch
+        run: mkdir -p test/e2e/source
+
+      - name: Check out the default branch
+        if: (github.base_ref || github.ref_name) != github.event.repository.default_branch
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.repository.default_branch }}
+          fetch-depth: 1
+          path: test/e2e/source
+
+      - name: Export E2E directory
+        run: |
+          if [ '${{ github.base_ref || github.ref_name }}' = '${{ github.event.repository.default_branch }}' ]; then
+            echo "E2E_DIR=." >> "$GITHUB_ENV"
+          else
+            echo "E2E_DIR=test/e2e/source" >> "$GITHUB_ENV"
+          fi
+
+      - name: Remove DNS search domain
+        run: |
+          sudo sed -i '/^search/d' /etc/resolv.conf
+          sudo systemctl restart docker
+
+      - uses: actions/setup-go@v6
+        id: setup-go
+        with:
+          go-version-file: ${{ env.E2E_DIR }}/go.mod
+          check-latest: true
+          cache: false
+
+      - name: Export Go full version
+        run: echo "GO_VERSION=${{ steps.setup-go.outputs.go-version }}" >> "$GITHUB_ENV"
+
+      - name: Go cache
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86-${{ hashFiles(format('{0}/**/go.sum', env.E2E_DIR)) }}
+          restore-keys: ${{ runner.os }}-e2e-go-${{ env.GO_VERSION }}-x86-
+
+      - name: Install kind
+        uses: helm/[email protected]
+        with:
+          version: ${{ env.KIND_VERSION }}
+          install_only: true
+
+      - name: Install ginkgo
+        working-directory: ${{ env.E2E_DIR }}
+        run: go install -v -mod=mod github.com/onsi/ginkgo/v2/ginkgo
+
+      - name: Download image
+        uses: actions/download-artifact@v5
+        with:
+          name: kube-ovn
+
+      - name: Download vpc-nat-gateway image
+        uses: actions/download-artifact@v5
+        with:
+          name: vpc-nat-gateway
+
+      - name: Load image
+        run: |
+          docker load --input kube-ovn.tar
+          docker load --input vpc-nat-gateway.tar
+
+      - name: Create kind cluster and install CNIs
+        id: install
+        env:
+          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pipx install jinjanator
+          make kind-ghcr-pull kind-install-multus-cilium-kubeovn-non-primary-${{ matrix.ip-family }}
+
+      - name: Run non-primary CNI e2e
+        id: e2e
+        working-directory: ${{ env.E2E_DIR }}
+        env:
+          E2E_BRANCH: ${{ github.base_ref || github.ref_name }}
+          E2E_IP_FAMILY: ${{ matrix.ip-family }}
+          E2E_NETWORK_MODE: overlay
+          KUBE_OVN_PRIMARY_CNI: "false"
+        run: make kube-ovn-non-primary-cni-e2e
+
+      - name: Collect k8s events
+        if: failure() && steps.e2e.conclusion == 'failure'
+        run: |
+          kubectl get events -A -o yaml > non-primary-cni-e2e-${{ matrix.ip-family }}-events.yaml
+          tar zcf non-primary-cni-e2e-${{ matrix.ip-family }}-events.tar.gz non-primary-cni-e2e-${{ matrix.ip-family }}-events.yaml
+
+      - name: Upload k8s events
+        uses: actions/upload-artifact@v4
+        if: failure() && steps.e2e.conclusion == 'failure'
+        with:
+          name: non-primary-cni-e2e-${{ matrix.ip-family }}-events
+          path: non-primary-cni-e2e-${{ matrix.ip-family }}-events.tar.gz
+
+      - name: Collect apiserver audit logs
+        if: failure() && steps.e2e.conclusion == 'failure'
+        run: |
+          docker cp kube-ovn-control-plane:/var/log/kubernetes/kube-apiserver-audit.log .
+          tar zcf non-primary-cni-e2e-${{ matrix.ip-family }}-audit-log.tar.gz kube-apiserver-audit.log
+
+      - name: Upload apiserver audit logs
+        uses: actions/upload-artifact@v4
+        if: failure() && steps.e2e.conclusion == 'failure'
+        with:
+          name: non-primary-cni-e2e-${{ matrix.ip-family }}-audit-log
+          path: non-primary-cni-e2e-${{ matrix.ip-family }}-audit-log.tar.gz
+
+      - name: kubectl ko log
+        if: failure() && steps.e2e.conclusion == 'failure'
+        working-directory: ${{ env.E2E_DIR }}
+        run: |
+          make kubectl-ko-log
+          mv kubectl-ko-log.tar.gz non-primary-cni-e2e-${{ matrix.ip-family }}-ko-log.tar.gz
+
+      - name: upload kubectl ko log
+        uses: actions/upload-artifact@v4
+        if: failure() && steps.e2e.conclusion == 'failure'
+        with:
+          name: non-primary-cni-e2e-${{ matrix.ip-family }}-ko-log
+          path: non-primary-cni-e2e-${{ matrix.ip-family }}-ko-log.tar.gz
+
+      - name: Check kube ovn pod restarts
+        if: ${{ success() || (failure() && (steps.install.conclusion == 'failure' || steps.e2e.conclusion == 'failure')) }}
+        run: make check-kube-ovn-pod-restarts
+
   chart-test:
     name: Chart Installation/Uninstallation Test
     needs: build-kube-ovn
@@ -3752,6 +3908,7 @@ jobs:
       - kube-ovn-ipsec-cert-mgr-e2e
       - kube-ovn-underlay-metallb-e2e
       - multus-conformance-e2e
+      - non-primary-cni-e2e
       - vpc-egress-gateway-e2e
       - ovn-vpc-nat-gw-conformance-e2e
       - iptables-vpc-nat-gw-conformance-e2e

Makefile

@@ -208,7 +208,9 @@ install-chart:
 		--set func.ENABLE_OVN_IPSEC=$(or $(ENABLE_OVN_IPSEC),false) \
 		--set func.ENABLE_TPROXY=$(or $(ENABLE_TPROXY),false) \
 		--set func.ENABLE_IC=$(shell kubectl get node --show-labels | grep -qw "ovn.kubernetes.io/ic-gw" && echo true || echo false) \
-		--set func.ENABLE_ANP=$(or $(ENABLE_ANP),false)
+		--set func.ENABLE_ANP=$(or $(ENABLE_ANP),false) \
+		--set cni_conf.NON_PRIMARY_CNI=$(or $(ENABLE_NON_PRIMARY_CNI),false) \
+		--set cni_conf.CNI_CONFIG_PRIORITY=$(or $(CNI_CONFIG_PRIORITY),01)
 
 .PHONY: upgrade-chart
 upgrade-chart:
@@ -237,17 +239,25 @@ upgrade-chart:
 		--set func.ENABLE_OVN_IPSEC=$(or $(ENABLE_OVN_IPSEC),false) \
 		--set func.ENABLE_TPROXY=$(or $(ENABLE_TPROXY),false) \
 		--set func.ENABLE_IC=$(shell kubectl get node --show-labels | grep -qw "ovn.kubernetes.io/ic-gw" && echo true || echo false) \
-		--set func.ENABLE_ANP=$(or $(ENABLE_ANP),false)
+		--set func.ENABLE_ANP=$(or $(ENABLE_ANP),false) \
+		--set cni_conf.NON_PRIMARY_CNI=$(or $(ENABLE_NON_PRIMARY_CNI),false) \
+		--set cni_conf.CNI_CONFIG_PRIORITY=$(or $(CNI_CONFIG_PRIORITY),01)
 	kubectl -n kube-system wait pod --for=condition=ready -l app=ovs --timeout=60s
 
 .PHONY: install-chart-v2
 install-chart-v2:
 	kubectl label node --overwrite -l node-role.kubernetes.io/control-plane kube-ovn/role=master
-	helm install kubeovn ./charts/kube-ovn-v2 --wait
+	helm install kubeovn ./charts/kube-ovn-v2 --wait \
+		--set global.images.kubeovn.tag=$(VERSION) \
+		--set cni.nonPrimaryCNI=$(or $(ENABLE_NON_PRIMARY_CNI),false) \
+		--set cni.configPriority=$(or $(CNI_CONFIG_PRIORITY),01)
 
 .PHONY: upgrade-chart-v2
 upgrade-chart-v2:
-	helm upgrade kubeovn ./charts/kube-ovn-v2 --wait
+	helm upgrade kubeovn ./charts/kube-ovn-v2 --wait \
+		--set global.images.kubeovn.tag=$(VERSION) \
+		--set cni.nonPrimaryCNI=$(or $(ENABLE_NON_PRIMARY_CNI),false) \
+		--set cni.configPriority=$(or $(CNI_CONFIG_PRIORITY),01)
 	kubectl -n kube-system wait pod --for=condition=ready -l app=ovs --timeout=60s
 
 .PHONY: uninstall

README.md

@@ -20,6 +20,7 @@ Kube-OVN, a [CNCF Sandbox Project](https://www.cncf.io/sandbox-projects/), integ
 - **Vlan/Underlay Support**: In addition to overlay network, Kube-OVN also supports underlay and vlan mode network for better performance and direct connectivity with physical network.
 - **Static IP Addresses for Workloads**: Allocate random or static IP addresses to workloads.
 - **Seamless VM LiveMigration**: Live migrate KubeVirt vm without network interruption.
+- **Non-Primary CNI Mode**: Kube-OVN can work as a secondary CNI alongside other primary CNIs (Cilium, Calico, etc.), providing additional network interfaces and advanced networking features via Network Attachment Definitions (NADs).
 - **Multi-Cluster Network**: Connect different Kubernetes/Openstack clusters into one L3 network.
 - **TroubleShooting Tools**: Handy tools to diagnose, trace, monitor and dump container network traffic to help troubleshoot complicate network issues.
 - **Prometheus & Grafana Integration**: Exposing network quality metrics like pod/node/service/dns connectivity/latency in Prometheus format.

docs/NON-PRIMARY-CNI-QUICKSTART.md

@@ -0,0 +1,134 @@
+# Quick Start: Kube-OVN Non-Primary CNI
+
+This guide provides a quick example of running Kube-OVN as a secondary CNI alongside Cilium.
+
+## Prerequisites
+
+- Kubernetes cluster with Cilium as primary CNI
+- Multus CNI installed
+- Helm 3.x
+
+## Step 1: Install Kube-OVN in Non-Primary Mode
+
+```bash
+helm install kube-ovn ./charts/kube-ovn-v2 \
+  --namespace kube-system \
+  --set cni.nonPrimaryCNI=true
+```
+
+## Step 2: Create a VPC and Subnet
+
+```yaml
+# vpc-secondary.yaml
+apiVersion: kubeovn.io/v1
+kind: Vpc
+metadata:
+  name: vpc-secondary
+spec:
+  namespaces:
+  - default
+---
+apiVersion: kubeovn.io/v1
+kind: Subnet
+metadata:
+  name: subnet-secondary
+spec:
+  vpc: vpc-secondary
+  cidr: "10.100.0.0/16"
+  gateway: "10.100.0.1"
+  provider: kube-ovn-secondary.default.ovn
+```
+
+Apply the configuration:
+```bash
+kubectl apply -f vpc-secondary.yaml
+```
+
+## Step 3: Create Network Attachment Definition
+
+```yaml
+# nad-secondary.yaml
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  name: kube-ovn-secondary
+  namespace: default
+spec:
+  config: |
+    {
+      "cniVersion": "0.3.1",
+      "type": "kube-ovn",
+      "server_socket": "/run/openvswitch/kube-ovn-daemon.sock",
+      "provider": "kube-ovn-secondary.default.ovn"
+    }
+```
+
+Apply the NAD:
+```bash
+kubectl apply -f nad-secondary.yaml
+```
+
+## Step 4: Deploy a Multi-Network Pod
+
+```yaml
+# multi-network-pod.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: multi-network-pod
+  annotations:
+    k8s.v1.cni.cncf.io/networks: default/kube-ovn-secondary
+spec:
+  containers:
+  - name: app
+    image: nginx
+    ports:
+    - containerPort: 80
+```
+
+Deploy the pod:
+```bash
+kubectl apply -f multi-network-pod.yaml
+```
+
+## Step 5: Verify the Setup
+
+Check the pod has multiple interfaces:
+```bash
+kubectl exec multi-network-pod -- ip addr show
+```
+
+Expected output:
+```
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+    
+2: eth0@if123: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
+    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
+    inet 10.244.0.5/24 brd 10.244.0.255 scope global eth0  # Cilium interface
+    
+3: net1@if124: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
+    link/ether 00:00:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff link-netnsid 0
+    inet 10.100.0.2/16 brd 10.100.255.255 scope global net1  # Kube-OVN interface
+```
+
+Check network status annotation:
+```bash
+kubectl get pod multi-network-pod -o jsonpath='{.metadata.annotations.k8s\.v1\.cni\.cncf\.io/networks-status}' | jq .
+```
+
+## Cleanup
+
+```bash
+kubectl delete pod multi-network-pod
+kubectl delete nad kube-ovn-secondary
+kubectl delete -f vpc-secondary.yaml
+helm uninstall kube-ovn -n kube-system
+```
+
+## Next Steps
+
+- See [NON-PRIMARY-CNI.md](NON-PRIMARY-CNI.md) for detailed documentation
+- Explore VPC NAT Gateway configuration for external connectivity
+- Configure security groups and QoS policies for secondary networks