CORENET-6100: [WIP] Add support for no-overlay mode

bindata/network/frr-k8s/003-pki.yaml

@@ -0,0 +1,26 @@
+# Request that the cluster network operator PKI controller
+# creates certificates for the FRR-k8s webhook and metrics.
+# This avoids dependency on service-ca operator during bootstrap,
+# which is critical because the webhook must be ready before OVN-Kubernetes
+# starts when RouteAdvertisements are enabled.
+#
+# Both webhook and metrics need OperatorPKI because the FRR DaemonSet
+# requires the metrics TLS secret to start, and service-ca is not
+# available during bootstrap (it depends on CNI being ready).
+apiVersion: network.operator.openshift.io/v1
+kind: OperatorPKI
+metadata:
+  name: frr-k8s-webhook
+  namespace: openshift-frr-k8s
+spec:
+  targetCert:
+    commonName: frr-k8s-webhook-service.openshift-frr-k8s.svc
+---
+apiVersion: network.operator.openshift.io/v1
+kind: OperatorPKI
+metadata:
+  name: frr-k8s-metrics
+  namespace: openshift-frr-k8s
+spec:
+  targetCert:
+    commonName: frr-k8s-monitor-service.openshift-frr-k8s.svc

bindata/network/frr-k8s/frr-k8s.yaml

@@ -51,7 +51,7 @@ spec:
         emptyDir: {}
       - name: metrics-certs
         secret:
-          secretName: frr-k8s-certs-secret
+          secretName: frr-k8s-metrics-cert
       initContainers:
       # Copies the initial config files with the right permissions to the shared volume.
       - name: cp-frr-files
@@ -100,6 +100,10 @@ spec:
         - --metrics-bind-address=127.0.0.1:7572
         - $(LOG_LEVEL)
         env:
+        - name: KUBERNETES_SERVICE_HOST
+          value: "{{.KUBERNETES_SERVICE_HOST}}"
+        - name: KUBERNETES_SERVICE_PORT
+          value: "{{.KUBERNETES_SERVICE_PORT}}"
         - name: FRR_CONFIG_FILE
           value: /etc/frr_reloader/frr.conf
         - name: FRR_RELOADER_PID_FILE
@@ -113,7 +117,7 @@ spec:
             configMapKeyRef:
               name: env-overrides
               key: frrk8s-loglevel
-              optional: true              
+              optional: true
         - name: NAMESPACE
           valueFrom:
             fieldRef:
@@ -259,6 +263,10 @@ spec:
         command:
         - /etc/frr_status/frr-status
         env:
+        - name: KUBERNETES_SERVICE_HOST
+          value: "{{.KUBERNETES_SERVICE_HOST}}"
+        - name: KUBERNETES_SERVICE_PORT
+          value: "{{.KUBERNETES_SERVICE_PORT}}"
         - name: NODE_NAME
           valueFrom:
             fieldRef:

bindata/network/frr-k8s/monitor.yaml

@@ -8,7 +8,6 @@ metadata:
     name: frr-k8s-monitor-service
   annotations:
     prometheus.io/scrape: "true"
-    service.beta.openshift.io/serving-cert-secret-name: frr-k8s-certs-secret
 spec:
   selector:
     app: frr-k8s
@@ -41,15 +40,13 @@ spec:
     port: metricshttps
     scheme: https
     tlsConfig:
-      caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
-      serverName: frr-k8s-monitor-service.openshift-frr-k8s.svc
+      insecureSkipVerify: true
   - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
     honorLabels: true
     port: frrmetricshttps
     scheme: https
     tlsConfig:
-      caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
-      serverName: frr-k8s-monitor-service.openshift-frr-k8s.svc
+      insecureSkipVerify: true
   jobLabel: app
   namespaceSelector:
     matchNames:

bindata/network/frr-k8s/node-status-cleaner.yaml

@@ -30,6 +30,10 @@ spec:
         - --frrk8s-selector=component=frr-k8s
         - $(LOG_LEVEL)
         env:
+        - name: KUBERNETES_SERVICE_HOST
+          value: "{{.KUBERNETES_SERVICE_HOST}}"
+        - name: KUBERNETES_SERVICE_PORT
+          value: "{{.KUBERNETES_SERVICE_PORT}}"
         - name: NAMESPACE
           valueFrom:
             fieldRef:
@@ -77,11 +81,14 @@ spec:
       - key: node-role.kubernetes.io/control-plane
         effect: NoSchedule
         operator: Exists
+      - key: node.kubernetes.io/not-ready
+        effect: NoSchedule
+        operator: Exists
       volumes:
       - name: cert
         secret:
           defaultMode: 420
-          secretName: frr-k8s-webhook-server-cert
+          secretName: frr-k8s-webhook-cert
       serviceAccountName: frr-k8s-daemon
       priorityClassName: system-cluster-critical
       terminationGracePeriodSeconds: 10

bindata/network/frr-k8s/webhook.yaml

@@ -1,28 +1,25 @@
----
 apiVersion: v1
 kind: Service
 metadata:
   name: frr-k8s-webhook-service
   namespace: openshift-frr-k8s
-  annotations:
-    service.beta.openshift.io/serving-cert-secret-name: frr-k8s-webhook-server-cert
 spec:
   ports:
   - port: 443
     targetPort: webhook
   selector:
     component: frr-k8s-statuscleaner
+{{- if .FRRK8sWebhookCABundle }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: frr-k8s-validating-webhook-configuration-ocp
-  annotations:
-    service.beta.openshift.io/inject-cabundle: "true"
 webhooks:
 - admissionReviewVersions:
   - v1
   clientConfig:
+    caBundle: "{{.FRRK8sWebhookCABundle}}"
     service:
       name: frr-k8s-webhook-service
       namespace: openshift-frr-k8s
@@ -40,4 +37,4 @@ webhooks:
     resources:
     - frrconfigurations
   sideEffects: None
----
+{{- end }}

bindata/network/ovn-kubernetes/managed/004-config.yaml

@@ -13,6 +13,9 @@ data:
     routable-mtu="{{.RoutableMTU}}"
     {{- end }}
     cluster-subnets="{{.OVN_cidr}}"
+    {{- if .DefaultNetworkTransport }}
+    transport="{{.DefaultNetworkTransport}}"
+    {{- end }}
     encap-port="{{.GenevePort}}"
     enable-lflow-cache=true
     lflow-cache-limit-kb=1048576
@@ -52,6 +55,26 @@ data:
     [gateway]
     mode={{.OVN_GATEWAY_MODE}}
     nodeport=true
+{{- if .NoOverlayEnabled }}
+
+    [no-overlay]
+    {{- if .NoOverlayOutboundSNAT }}
+    outbound-snat={{.NoOverlayOutboundSNAT}}
+    {{- end }}
+    {{- if .NoOverlayRouting }}
+    routing={{.NoOverlayRouting}}
+    {{- end }}
+{{- end }}
+{{- if .NoOverlayManagedEnabled }}
+
+    [bgp.managed]
+    {{- if .NoOverlayManagedASNumber }}
+    as-number={{.NoOverlayManagedASNumber}}
+    {{- end }}
+    {{- if .NoOverlayManagedTopology }}
+    topology={{.NoOverlayManagedTopology}}
+    {{- end }}
+{{- end }}
 {{- if .OVNHybridOverlayEnable }}
 
     [hybridoverlay]
@@ -95,6 +118,9 @@ data:
     routable-mtu="{{.RoutableMTU}}"
     {{- end }}
     cluster-subnets="{{.OVN_cidr}}"
+    {{- if .DefaultNetworkTransport }}
+    transport="{{.DefaultNetworkTransport}}"
+    {{- end }}
     encap-port="{{.GenevePort}}"
     enable-lflow-cache=true
     lflow-cache-limit-kb=1048576
@@ -140,6 +166,26 @@ data:
     [gateway]
     mode={{.OVN_GATEWAY_MODE}}
     nodeport=true
+{{- if .NoOverlayEnabled }}
+
+    [no-overlay]
+    {{- if .NoOverlayOutboundSNAT }}
+    outbound-snat={{.NoOverlayOutboundSNAT}}
+    {{- end }}
+    {{- if .NoOverlayRouting }}
+    routing={{.NoOverlayRouting}}
+    {{- end }}
+{{- end }}
+{{- if .NoOverlayManagedEnabled }}
+
+    [bgp.managed]
+    {{- if .NoOverlayManagedASNumber }}
+    as-number={{.NoOverlayManagedASNumber}}
+    {{- end }}
+    {{- if .NoOverlayManagedTopology }}
+    topology={{.NoOverlayManagedTopology}}
+    {{- end }}
+{{- end }}
 
 
 {{- if .OVNHybridOverlayEnable }}

bindata/network/ovn-kubernetes/self-hosted/004-config.yaml

@@ -13,6 +13,9 @@ data:
     routable-mtu="{{.RoutableMTU}}"
     {{- end }}
     cluster-subnets="{{.OVN_cidr}}"
+    {{- if .DefaultNetworkTransport }}
+    transport="{{.DefaultNetworkTransport}}"
+    {{- end }}
     encap-port="{{.GenevePort}}"
     enable-lflow-cache=true
     lflow-cache-limit-kb=1048576
@@ -62,6 +65,26 @@ data:
     [gateway]
     mode={{.OVN_GATEWAY_MODE}}
     nodeport=true
+{{- if .NoOverlayEnabled }}
+
+    [no-overlay]
+    {{- if .NoOverlayOutboundSNAT }}
+    outbound-snat={{.NoOverlayOutboundSNAT}}
+    {{- end }}
+    {{- if .NoOverlayRouting }}
+    routing={{.NoOverlayRouting}}
+    {{- end }}
+{{- end }}
+{{- if .NoOverlayManagedEnabled }}
+
+    [bgp.managed]
+    {{- if .NoOverlayManagedASNumber }}
+    as-number={{.NoOverlayManagedASNumber}}
+    {{- end }}
+    {{- if .NoOverlayManagedTopology }}
+    topology={{.NoOverlayManagedTopology}}
+    {{- end }}
+{{- end }}
 
     [logging]
     libovsdblogfile=/var/log/ovnkube/libovsdb.log

go.mod

@@ -102,7 +102,7 @@ require (
 )
 
 require (
-	github.com/openshift/api v0.0.0-20251106190826-ebe535b08719
+	github.com/openshift/api v0.0.0-20251204164930-cd2e40c5883a
 	github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235
 	github.com/openshift/library-go v0.0.0-20251107090138-0de9712313a5
 	github.com/openshift/machine-config-operator v0.0.1-0.20250724162154-ab14c8e2843b
@@ -174,3 +174,7 @@ require (
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
+
+replace github.com/openshift/api => github.com/ricky-rav/api v0.0.0-20251215092810-0a87dc54a866
+
+replace github.com/openshift/client-go => github.com/ricky-rav/client-go v0.0.0-20251215095632-b5f208914736

go.sum

@@ -300,12 +300,8 @@ github.com/onsi/gomega v1.38.1 h1:FaLA8GlcpXDwsb7m0h2A9ew2aTk3vnZMlzFgg5tz/pk=
 github.com/onsi/gomega v1.38.1/go.mod h1:LfcV8wZLvwcYRwPiJysphKAEsmcFnLMK/9c+PjvlX8g=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/openshift/api v0.0.0-20251106190826-ebe535b08719 h1:KEwYyKaJniwhoyLB75tAMmJn9pMlk0PUlRfrsXYOhwM=
-github.com/openshift/api v0.0.0-20251106190826-ebe535b08719/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
 github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af h1:UiYYMi/CCV+kwWrXuXfuUSOY2yNXOpWpNVgHc6aLQlE=
 github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
-github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235 h1:9JBeIXmnHlpXTQPi7LPmu1jdxznBhAE7bb1K+3D8gxY=
-github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235/go.mod h1:L49W6pfrZkfOE5iC1PqEkuLkXG4W0BX4w8b+L2Bv7fM=
 github.com/openshift/library-go v0.0.0-20251107090138-0de9712313a5 h1:Gq8jCFgSrilZ2ZHjQleFZWlblikc1aaRZ0hqs+yvrP4=
 github.com/openshift/library-go v0.0.0-20251107090138-0de9712313a5/go.mod h1:OlFFws1AO51uzfc48MsStGE4SFMWlMZD0+f5a/zCtKI=
 github.com/openshift/machine-config-operator v0.0.1-0.20250724162154-ab14c8e2843b h1:LvoFr/2IEj0BWy7mKBdR7ueAHpMJGju1EkEIZrXa+DM=
@@ -335,6 +331,10 @@ github.com/prometheus/common v0.67.2/go.mod h1:63W3KZb1JOKgcjlIr64WW/LvFGAqKPj0a
 github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
 github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
+github.com/ricky-rav/api v0.0.0-20251215092810-0a87dc54a866 h1:/Czn5nnlZaR9XroaoyGrQCyEUV85CgriqAzj+NSR8yE=
+github.com/ricky-rav/api v0.0.0-20251215092810-0a87dc54a866/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+github.com/ricky-rav/client-go v0.0.0-20251215095632-b5f208914736 h1:mf7IkH4wNGDi7/UmR2qJglol8p2VJYJBVfOEwH8eo4I=
+github.com/ricky-rav/client-go v0.0.0-20251215095632-b5f208914736/go.mod h1:3/X0BFj3dJqulKlLyo5RoWLQzQ4ccpJPklDB4331r2s=
 github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
 github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=