feat: detect and warn when OVN routingViaHost is not enabled#386
Bobbins228 wants to merge 1 commit into
7fba2b7 to 4db79bb
ChristianZaccaria left a comment:
Thanks for tackling this, we may need to reconsider the approach, please see comments below for more info.
    }

    // 4.2. Check OVN network configuration (OpenShift only).
    r.checkNetworkConfig(ctx, rt)
We should reconsider the approach here. For context, the network check is a cluster-level fact and not a per-workload concern. It doesn't vary per agent or runtime, hence the agentruntime_controller shouldn't be responsible for performing this check.
Moreover, with the changes in agentruntime_controller, this would mean per N agents, you get N API calls on every reconcile which can be a lot.
Simpler approach: Do the check once at startup + log warning if necessary in main.go:
Startup check + log warning. Run CheckOVNNetworkConfig once in main.go right after NetworkOperatorCRDExists. Log a clear warning. Expected around <50 lines of code total, zero per-reconcile overhead, no per-CR conditions to maintain. Operators see it in the pod logs.
    }

    // NetworkCheckResult represents the outcome of checking OVN network configuration.
    type NetworkCheckResult struct {
We can remove the whole struct:
Since we probably won't propagate the conditions or messages to the AgentRuntime CR, we can remove them entirely, and just return a simple string to be logged by the operator.
Add a reconcile-time check to the AgentRuntime controller that reads network.operator.openshift.io/cluster on OpenShift clusters and surfaces a NetworkReady status condition when OVN-Kubernetes is present but routingViaHost is not configured. Without this setting, Istio ambient mode's ztunnel cannot intercept pod-to-pod traffic, silently bypassing mTLS and authorization policies.

The check is automatically enabled via CRD discovery at startup (same pattern as TektonConfig) and only requires read-only RBAC on operator.openshift.io/networks. No cluster infrastructure is mutated.

Closes: RHAIENG-5326
Spike: RHAIENG-4900
Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Bobbins228 <mcampbel@redhat.com>
4db79bb to 8d864c9
Addressed both review comments:
RBAC narrowed to just
Summary
Adds a startup-time network configuration check that detects when OVN-Kubernetes routingViaHost is not enabled on OpenShift clusters. Without this setting, Istio ambient mode's ztunnel cannot intercept pod-to-pod traffic and mTLS/authorization policies are silently bypassed. The operator logs a warning at startup — no per-CR conditions, no per-reconcile overhead.

Changes
- network_check.go — NetworkOperatorCRDExists (CRD discovery at startup) and CheckOVNNetworkConfig (reads network.operator.openshift.io/cluster, returns a warning string if misconfigured)
- cmd/main.go — runs the check once at startup after CRD discovery, logs warning if misconfigured
- get on operator.openshift.io/networks in config/rbac/role.yaml and Helm chart
- network_check_test.go — 5 unit tests covering misconfigured OVN, correct config, non-OVN clusters, and missing resource
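The startup check described above, as an added example that is not the PR's own code: it decodes the network.operator.openshift.io/cluster object (a constructed sample; the field path spec.defaultNetwork.ovnKubernetesConfig.gatewayConfig.routingViaHost is assumed) into a minimal struct and returns the warning string that main.go would log once. The function name CheckOVNNetworkConfig is borrowed from the PR description; the Kubernetes API read itself is left out so the example runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// networkCR is a constructed sample of network.operator.openshift.io/cluster as an
// unstructured GET returns it (assumed field layout, not taken from the PR).
const networkCR = `{"kind": "Network", "spec": {"defaultNetwork": {"type": "OVNKubernetes",
  "ovnKubernetesConfig": {"gatewayConfig": {"routingViaHost": false}}}}}`

type networkCRD struct {
	Spec struct {
		DefaultNetwork struct {
			Type                string `json:"type"`
			OVNKubernetesConfig struct {
				GatewayConfig struct {
					RoutingViaHost *bool `json:"routingViaHost"` // pointer: absent vs explicit false
				} `json:"gatewayConfig"`
			} `json:"ovnKubernetesConfig"`
		} `json:"defaultNetwork"`
	} `json:"spec"`
}

// CheckOVNNetworkConfig returns a warning string when the default network is
// OVN-Kubernetes and gatewayConfig.routingViaHost is absent or false; "" means OK.
func CheckOVNNetworkConfig(raw []byte) (string, error) {
	var cr networkCRD
	if err := json.Unmarshal(raw, &cr); err != nil {
		return "", err
	}
	if cr.Spec.DefaultNetwork.Type != "OVNKubernetes" {
		return "", nil // non-OVN cluster (e.g. OpenShiftSDN): the ambient-mode requirement does not apply
	}
	if rvh := cr.Spec.DefaultNetwork.OVNKubernetesConfig.GatewayConfig.RoutingViaHost; rvh != nil && *rvh {
		return "", nil
	}
	return "OVN-Kubernetes routingViaHost is not enabled: Istio ambient ztunnel cannot intercept pod-to-pod traffic, " +
		"so mTLS/authorization policies are silently bypassed; set spec.defaultNetwork.ovnKubernetesConfig.gatewayConfig.routingViaHost=true", nil
}

func main() {
	warn, err := CheckOVNNetworkConfig([]byte(networkCR)) // what main.go would do once at startup
	if err != nil {
		panic(err)
	}
	fmt.Println("warning:", warn) // empty string when the configuration is fine
}
```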