Fix FRR pods unable to reach Kubernetes API during bootstrap

FRR pods use hostNetwork: true but were trying to reach the Kubernetes
API at the service IP (172.30.0.1). During bootstrap, this service IP
is not routable because the CNI (OVN-K) is not running yet, creating
a deadlock:

  CNO waits for FRR webhook ready -> FRR pods can't reach API at
  172.30.0.1 -> Service IP needs CNI routing -> CNI waits for FRR
  webhook -> DEADLOCK

Add KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT environment
variables to FRR pods, following the pattern used by other CNO
hostNetwork components (OVN-K, multus, SDN). These env vars override
the default service IP with the actual API server address.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com>

Author: ricky-rav

bindata/network/frr-k8s/003-pki.yaml

@@ -7,7 +7,6 @@
 # Both webhook and metrics need OperatorPKI because the FRR DaemonSet
 # requires the metrics TLS secret to start, and service-ca is not
 # available during bootstrap (it depends on CNI being ready).
----
 apiVersion: network.operator.openshift.io/v1
 kind: OperatorPKI
 metadata:

bindata/network/frr-k8s/frr-k8s.yaml

@@ -100,6 +100,10 @@ spec:
         - --metrics-bind-address=127.0.0.1:7572
         - $(LOG_LEVEL)
         env:
+        - name: KUBERNETES_SERVICE_HOST
+          value: "{{.KUBERNETES_SERVICE_HOST}}"
+        - name: KUBERNETES_SERVICE_PORT
+          value: "{{.KUBERNETES_SERVICE_PORT}}"
         - name: FRR_CONFIG_FILE
           value: /etc/frr_reloader/frr.conf
         - name: FRR_RELOADER_PID_FILE
@@ -113,7 +117,7 @@ spec:
             configMapKeyRef:
               name: env-overrides
               key: frrk8s-loglevel
-              optional: true              
+              optional: true
         - name: NAMESPACE
           valueFrom:
             fieldRef:
@@ -259,6 +263,10 @@ spec:
         command:
         - /etc/frr_status/frr-status
         env:
+        - name: KUBERNETES_SERVICE_HOST
+          value: "{{.KUBERNETES_SERVICE_HOST}}"
+        - name: KUBERNETES_SERVICE_PORT
+          value: "{{.KUBERNETES_SERVICE_PORT}}"
         - name: NODE_NAME
           valueFrom:
             fieldRef:

bindata/network/frr-k8s/node-status-cleaner.yaml

@@ -30,6 +30,10 @@ spec:
         - --frrk8s-selector=component=frr-k8s
         - $(LOG_LEVEL)
         env:
+        - name: KUBERNETES_SERVICE_HOST
+          value: "{{.KUBERNETES_SERVICE_HOST}}"
+        - name: KUBERNETES_SERVICE_PORT
+          value: "{{.KUBERNETES_SERVICE_PORT}}"
         - name: NAMESPACE
           valueFrom:
             fieldRef:

bindata/network/frr-k8s/webhook.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: Service
 metadata:
@@ -37,4 +36,3 @@ webhooks:
     resources:
     - frrconfigurations
   sideEffects: None
----

pkg/network/render.go

@@ -235,7 +235,7 @@ func Render(operConf *operv1.NetworkSpec, clusterConf *configv1.NetworkSpec, man
 	}
 	objs = append(objs, o...)
 
-	o, err = renderAdditionalRoutingCapabilities(operConf, manifestDir, client)
+	o, err = renderAdditionalRoutingCapabilities(operConf, manifestDir, client, bootstrapResult)
 	if err != nil {
 		return nil, progressing, err
 	}
@@ -1074,7 +1074,7 @@ func isSupportedDualStackPlatform(platformType configv1.PlatformType) bool {
 	return dualStackPlatforms.Has(string(platformType))
 }
 
-func renderAdditionalRoutingCapabilities(conf *operv1.NetworkSpec, manifestDir string, client cnoclient.Client) ([]*uns.Unstructured, error) {
+func renderAdditionalRoutingCapabilities(conf *operv1.NetworkSpec, manifestDir string, client cnoclient.Client, bootstrapResult *bootstrap.BootstrapResult) ([]*uns.Unstructured, error) {
 	if conf == nil || conf.AdditionalRoutingCapabilities == nil {
 		return nil, nil
 	}
@@ -1087,6 +1087,16 @@ func renderAdditionalRoutingCapabilities(conf *operv1.NetworkSpec, manifestDir s
 			data.Data["KubeRBACProxyImage"] = os.Getenv("KUBE_RBAC_PROXY_IMAGE")
 			data.Data["ReleaseVersion"] = os.Getenv("RELEASE_VERSION")
 
+			// Add Kubernetes API server host/port for hostNetwork pods.
+			// During bootstrap, the service IP (172.30.0.1) is not routable because
+			// the CNI is not yet running. These env vars allow FRR pods to connect
+			// to the API server directly using the actual API server address.
+			if bootstrapResult != nil {
+				apiServer := bootstrapResult.Infra.APIServers[bootstrap.APIServerDefault]
+				data.Data["KUBERNETES_SERVICE_HOST"] = apiServer.Host
+				data.Data["KUBERNETES_SERVICE_PORT"] = apiServer.Port
+			}
+
 			// Fetch the webhook CA bundle from the ConfigMap created by OperatorPKI
 			caBundle := getFRRK8sWebhookCABundle(client)
 			data.Data["FRRK8sWebhookCABundle"] = caBundle

pkg/network/render_test.go

@@ -638,13 +638,13 @@ func Test_renderAdditionalRoutingCapabilities(t *testing.T) {
 					},
 				},
 			},
-			want:        22, // 19 original + 2 OperatorPKI (webhook + metrics) + 1 document separator
+			want:        21, // 19 original + 2 OperatorPKI (webhook + metrics)
 			expectedErr: nil,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := renderAdditionalRoutingCapabilities(tt.args.operConf, manifestDir, nil)
+			got, err := renderAdditionalRoutingCapabilities(tt.args.operConf, manifestDir, nil, fakeBootstrapResult())
 			if !reflect.DeepEqual(tt.expectedErr, err) {
 				t.Errorf("renderAdditionalRoutingCapabilities() err = %v, want %v", err, tt.expectedErr)
 			}