Fix FRR pods unable to reach Kubernetes API during bootstrap

FRR pods use hostNetwork: true but were trying to reach the Kubernetes
API at the service IP (172.30.0.1), which kubelet auto-injects as
KUBERNETES_SERVICE_HOST. During bootstrap, this service IP is not
routable because the CNI (OVN-K) is not running yet, creating a
deadlock:

  CNO waits for FRR webhook -> FRR pods can't reach API at 172.30.0.1
  -> Service IP needs CNI routing -> CNI waits for FRR -> DEADLOCK

Add KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT environment
variables to FRR pods, overriding the kubelet-injected values with
the actual API server address (the API VIP, e.g., 192.168.111.5).

Since FRR pods use hostNetwork, they can reach the API VIP directly
via L2 without needing CNI routing, breaking the deadlock.

This follows the pattern used by other CNO hostNetwork components
(ovnkube-node, multus, sdn).

Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com>

Author: ricky-rav

bindata/network/frr-k8s/frr-k8s.yaml

@@ -100,6 +100,10 @@ spec:
         - --metrics-bind-address=127.0.0.1:7572
         - $(LOG_LEVEL)
         env:
+        - name: KUBERNETES_SERVICE_HOST
+          value: "{{.KUBERNETES_SERVICE_HOST}}"
+        - name: KUBERNETES_SERVICE_PORT
+          value: "{{.KUBERNETES_SERVICE_PORT}}"
         - name: FRR_CONFIG_FILE
           value: /etc/frr_reloader/frr.conf
         - name: FRR_RELOADER_PID_FILE
@@ -113,7 +117,7 @@ spec:
             configMapKeyRef:
               name: env-overrides
               key: frrk8s-loglevel
-              optional: true              
+              optional: true
         - name: NAMESPACE
           valueFrom:
             fieldRef:
@@ -259,6 +263,10 @@ spec:
         command:
         - /etc/frr_status/frr-status
         env:
+        - name: KUBERNETES_SERVICE_HOST
+          value: "{{.KUBERNETES_SERVICE_HOST}}"
+        - name: KUBERNETES_SERVICE_PORT
+          value: "{{.KUBERNETES_SERVICE_PORT}}"
         - name: NODE_NAME
           valueFrom:
             fieldRef:

bindata/network/frr-k8s/node-status-cleaner.yaml

@@ -30,6 +30,10 @@ spec:
         - --frrk8s-selector=component=frr-k8s
         - $(LOG_LEVEL)
         env:
+        - name: KUBERNETES_SERVICE_HOST
+          value: "{{.KUBERNETES_SERVICE_HOST}}"
+        - name: KUBERNETES_SERVICE_PORT
+          value: "{{.KUBERNETES_SERVICE_PORT}}"
         - name: NAMESPACE
           valueFrom:
             fieldRef:

pkg/network/render.go

@@ -235,7 +235,7 @@ func Render(operConf *operv1.NetworkSpec, clusterConf *configv1.NetworkSpec, man
 	}
 	objs = append(objs, o...)
 
-	o, err = renderAdditionalRoutingCapabilities(operConf, manifestDir, client)
+	o, err = renderAdditionalRoutingCapabilities(operConf, manifestDir, client, bootstrapResult)
 	if err != nil {
 		return nil, progressing, err
 	}
@@ -1074,7 +1074,7 @@ func isSupportedDualStackPlatform(platformType configv1.PlatformType) bool {
 	return dualStackPlatforms.Has(string(platformType))
 }
 
-func renderAdditionalRoutingCapabilities(conf *operv1.NetworkSpec, manifestDir string, client cnoclient.Client) ([]*uns.Unstructured, error) {
+func renderAdditionalRoutingCapabilities(conf *operv1.NetworkSpec, manifestDir string, client cnoclient.Client, bootstrapResult *bootstrap.BootstrapResult) ([]*uns.Unstructured, error) {
 	if conf == nil || conf.AdditionalRoutingCapabilities == nil {
 		return nil, nil
 	}
@@ -1087,6 +1087,16 @@ func renderAdditionalRoutingCapabilities(conf *operv1.NetworkSpec, manifestDir s
 			data.Data["KubeRBACProxyImage"] = os.Getenv("KUBE_RBAC_PROXY_IMAGE")
 			data.Data["ReleaseVersion"] = os.Getenv("RELEASE_VERSION")
 
+			// Add Kubernetes API server host/port for hostNetwork pods.
+			// During bootstrap, the service IP (172.30.0.1) is not routable because
+			// the CNI is not yet running. These env vars allow FRR pods to connect
+			// to the API server directly using the actual API server address.
+			if bootstrapResult != nil {
+				apiServer := bootstrapResult.Infra.APIServers[bootstrap.APIServerDefault]
+				data.Data["KUBERNETES_SERVICE_HOST"] = apiServer.Host
+				data.Data["KUBERNETES_SERVICE_PORT"] = apiServer.Port
+			}
+
 			// Fetch the webhook CA bundle from the ConfigMap created by OperatorPKI
 			caBundle := getFRRK8sWebhookCABundle(client)
 			data.Data["FRRK8sWebhookCABundle"] = caBundle

pkg/network/render_test.go

@@ -638,13 +638,13 @@ func Test_renderAdditionalRoutingCapabilities(t *testing.T) {
 					},
 				},
 			},
-			want:        22, // 19 original + 2 OperatorPKI (webhook + metrics) + 1 document separator
+			want:        21, // 19 original + 2 OperatorPKI (webhook + metrics)
 			expectedErr: nil,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := renderAdditionalRoutingCapabilities(tt.args.operConf, manifestDir, nil)
+			got, err := renderAdditionalRoutingCapabilities(tt.args.operConf, manifestDir, nil, fakeBootstrapResult())
 			if !reflect.DeepEqual(tt.expectedErr, err) {
 				t.Errorf("renderAdditionalRoutingCapabilities() err = %v, want %v", err, tt.expectedErr)
 			}