redhat-cop · albertoflorez · Jun 8, 2026 · Jun 8, 2026 · Jun 9, 2026 · Jun 9, 2026
@@ -4,6 +4,50 @@ This will not be overwritten by Docsible -->
 # 📃 Role overview
 
 This role performs network management in two modes: Manual and Automatic. It performs tasks that include gathering network information in the vCenter environment, migrate the Port Groups by creating NetworkAttachementDefinitions (NAD), and migrate distributed switches by creating NodeNetworkConfigurationPolicy (NNCP).
+
+## Network Bridge Modes
+
+This role supports three network bridge modes:
+
+### 1. linux-bridge
+
+Uses CNV bridge (cnv-bridge) for network attachment. This mode requires NNCP (NodeNetworkConfigurationPolicy) to configure the bridge on worker nodes.
+
+### 2. ovs-bridge
+
+Uses OVN-Kubernetes CNI overlay with `localnet` topology. This mode requires NNCP to configure the OVS bridge and localnet mapping on worker nodes.
+
+### 3. ovn-layer2
+
+Uses OVN-Kubernetes CNI overlay with `layer2` topology. This mode creates isolated layer2 networks without requiring NNCP or physical node network configuration.
+
+Example NAD for ovn-layer2 mode:
+
+```yaml
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  annotations:
+    infra.openshift-virtualization-migration/source-portgroup: example-portgroup-name
+  name: example-network
+  namespace: example-namespace
+spec:
+  config: |-
+    {
+        "cniVersion": "0.3.1",
+        "name": "example-network",
+        "type": "ovn-k8s-cni-overlay",
+        "netAttachDefName": "example-namespace/example-network",
+        "topology": "layer2"
+    }
+```
+
+To use ovn-layer2 mode, set:
+
+```yaml
+network_mgmt_openshift_network_bridge_mode: ovn-layer2
+network_mgmt_ovn_topology: layer2
+```
 <!-- STATIC CONTENT END -->
 <!-- Everything below will be overwritten by Docsible -->
 <!-- DOCSIBLE START -->

@@ -23,13 +23,18 @@ network_mgmt_vcenter_datacenter: ''
 # title: OpenShift Network Bridge Mode
 # required: True
 # description: OpenShift Network Bridge Mode
-network_mgmt_openshift_network_bridge_mode: linux-bridge ## This can be 'linux-bridge' or 'ovs-bridge'
+network_mgmt_openshift_network_bridge_mode: linux-bridge ## This can be 'linux-bridge', 'ovs-bridge', or 'ovn-layer2'
 
 # title: OVN Bridge
 # required: True
 # description: Boolean value defines usage of OVN bridge
 network_mgmt_use_default_ovn_bridge: false
 
+# title: OVN Topology Type
+# required: False
+# description: OVN topology type for ovn-k8s-cni-overlay (only used with ovn-layer2 mode)
+network_mgmt_ovn_topology: layer2 ## layer2 or localnet
+
 # https://docs.openshift.com/container-platform/4.16/networking/k8s_nmstate/\
 # k8s-nmstate-updating-node-network-config.html
 # virt-example-bond-nncp_k8s_nmstate-updating-node-network-config

@@ -31,6 +31,7 @@
     - network_mgmt_openshift_node_network_ports | default([]) | length > 0
     - network_mgmt_vcenter_dvswitch | default('', true) | trim | length > 0
     - network_mgmt_vcenter_datacenter | default('', true) | trim | length > 0
+    - network_mgmt_openshift_network_bridge_mode != 'ovn-layer2'
 
 - name: automatic | Include tasks from automatic_nad.yml
   ansible.builtin.include_tasks:
@@ -44,4 +45,6 @@
       or
       (network_mgmt_nad_auto_bridge_name is defined and
       network_mgmt_nad_auto_bridge_name |length > 0)
+      or
+      network_mgmt_openshift_network_bridge_mode == 'ovn-layer2'
 ...
@@ -31,6 +31,21 @@
     that:
       - network_mgmt_manual_bridge_name is string
       - (network_mgmt_manual_bridge_name | default('') | length) > 0
+  when:
+    - network_mgmt_openshift_network_bridge_mode == 'linux-bridge'
+
+- name: manual | Validate ovn-layer2 NAD entries
+  ansible.builtin.assert:
+    that:
+      - "'name' in nad"
+      - nad.name is string
+      - nad.name | length > 0
+    fail_msg: "Each NAD entry must have a 'name' field for ovn-layer2 mode"
+  loop: "{{ network_mgmt_manual_nad_list }}"
+  when:
+    - network_mgmt_openshift_network_bridge_mode == 'ovn-layer2'
+  loop_control:
+    loop_var: nad
 
 ## Only create the NNCP if the bridge and the bond is defined, the template looks for the ports to put in the bond.
 - name: manual | Apply NodeNetworkConfigurationPolicy
@@ -51,6 +66,7 @@
       - nad.vlan.vlan_id is string or nad.vlan.vlan_id is integer
   loop: "{{ network_mgmt_manual_nad_list }}"
   when:
+    - network_mgmt_openshift_network_bridge_mode != 'ovn-layer2'
     - ('trunk' not in nad) or (not nad.trunk)
   loop_control:
     loop_var: nad
@@ -64,9 +80,10 @@
       - nad.vlan.vlan_id is iterable
       - nad.vlan.vlan_id is not string
       - "network_mgmt_openshift_network_bridge_mode == 'linux-bridge'"
-      ## Only allow trunks with linux-bridge not supported with ovs-bridge
+      ## Only allow trunks with linux-bridge not supported with ovs-bridge or ovn-layer2
   loop: "{{ network_mgmt_manual_nad_list }}"
   when:
+    - network_mgmt_openshift_network_bridge_mode != 'ovn-layer2'
     - "'trunk' in nad"
     - nad.trunk
   loop_control:

@@ -33,7 +33,7 @@ spec:
      "vlan": {{ nad.vlan.vlan_id | int }}
 {% endif %}
      }
-{% else %}
+{% elif network_mgmt_openshift_network_bridge_mode == 'ovs-bridge' %}
 spec:
   config: |
     {"cniVersion": "0.4.0",
@@ -46,4 +46,14 @@ spec:
      "physicalNetworkName": "{{ network_mgmt_manual_localnet_name }}",
      "netAttachDefName": "{{ nad.namespace | default(network_mgmt_nad_namespace) }}/{{ nad.name }}"
     }
+{% else %}
+spec:
+  config: |-
+    {
+        "cniVersion": "0.3.1",
+        "name": "{{ nad.name }}",
+        "type": "ovn-k8s-cni-overlay",
+        "netAttachDefName": "{{ nad.namespace | default(network_mgmt_nad_namespace) }}/{{ nad.name }}",
+        "topology": "{{ network_mgmt_ovn_topology }}"
+    }
 {% endif %}
@@ -0,0 +1,19 @@
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  name: {{ portgroup.name | infra.openshift_virtualization_migration.rfc1123(network_mgmt_nad_name_prefix, "^[\d]+") }}
+  namespace: {{ network_mgmt_nad_namespace }}
+  annotations:
+    infra.openshift-virtualization-migration/source-portgroup: {{ portgroup.name }}
+    infra.openshift-virtualization-migration/source-switch: {{ portgroup.switch }}
+    infra.openshift-virtualization-migration/provider-hostname: {{ network_mgmt_vcenter_hostname }}
+    infra.openshift-virtualization-migration/provider-type: vmware
+spec:
+  config: |-
+    {
+        "cniVersion": "0.3.1",
+        "name": "{{ portgroup.name | infra.openshift_virtualization_migration.rfc1123(network_mgmt_nad_name_prefix, "^[\d]+") }}",
+        "type": "ovn-k8s-cni-overlay",
+        "netAttachDefName": "{{ network_mgmt_nad_namespace }}/{{ portgroup.name | infra.openshift_virtualization_migration.rfc1123(network_mgmt_nad_name_prefix, "^[\d]+") }}",
+        "topology": "{{ network_mgmt_ovn_topology }}"
+    }