CORENET-6609: Add EVPN featuregate

[kyrtapz]

Enhancement: https://github.com/openshift/enhancements/blob/85cfa504e4882a3e1c744d97697aae27b91c47bd/enhancements/network/ovn-kubernetes-evpn.md

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Hello @kyrtapz! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[openshift-ci-robot]

@kyrtapz: This pull request references CORENET-6609 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Enhancement: https://github.com/openshift/enhancements/blob/85cfa504e4882a3e1c744d97697aae27b91c47bd/enhancements/network/ovn-kubernetes-evpn.md

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request introduces the EVPN (Ethernet VPN) feature gate to the OpenShift API configuration. The changes include: defining the new FeatureGateEVPN in the features package with Networking/ovn-kubernetes as the Jira component, enabled in DevPreviewNoUpgrade and TechPreviewNoUpgrade states; updating the features documentation table; and adding EVPN entries to feature gate manifest files for both Hypershift and SelfManagedHA deployment configurations across Default, DevPreviewNoUpgrade, OKD, and TechPreviewNoUpgrade scenarios. Additional updates to the OpenAPI schema include new AcceptRisk definitions, conditionalUpdateRisks and riskNames fields, TLS profile descriptions, and expanded capability descriptions.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding an EVPN feature gate, which is the primary objective across all modified files.
Description check	✅ Passed	The description references the enhancement document that provides context for the EVPN feature gate addition, which is related to the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 6ab113c and fa33dbe.

📒 Files selected for processing (11)

• features.md
• features/features.go
• openapi/openapi.json
• payload-manifests/featuregates/featureGate-Hypershift-Default.yaml
• payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml
• payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml
• payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml

🧰 Additional context used

🧬 Code graph analysis (1)

features/features.go (1)

config/v1/types_feature.go (2)

• DevPreviewNoUpgrade (49-49)
• TechPreviewNoUpgrade (45-45)

🔇 Additional comments (25)

payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml (1)

169-171: LGTM!

The EVPN feature gate is correctly added to the enabled list for TechPreviewNoUpgrade, maintaining alphabetical ordering between "DyanmicServiceEndpointIBMCloud" and "EtcdBackendQuota".

payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml (1)

154-156: LGTM!

The EVPN feature gate is correctly added to the enabled list for SelfManagedHA TechPreviewNoUpgrade, consistent with the Hypershift counterpart.

payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml (1)

154-156: LGTM!

The EVPN feature gate is correctly added to the enabled list for Hypershift DevPreviewNoUpgrade, maintaining alphabetical ordering.

payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml (1)

96-98: LGTM!

The EVPN feature gate is correctly added to the disabled list for SelfManagedHA Default, which is expected since EVPN is only enabled for DevPreviewNoUpgrade and TechPreviewNoUpgrade feature sets.

payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml (1)

139-141: LGTM!

The EVPN feature gate is correctly added to the enabled list for SelfManagedHA DevPreviewNoUpgrade, consistent with the Hypershift counterpart and the feature gate definition.

payload-manifests/featuregates/featureGate-Hypershift-Default.yaml (1)

96-98: LGTM!

The EVPN feature gate is correctly added to the disabled list for the Hypershift-Default configuration. The alphabetical ordering is maintained (after DyanmicServiceEndpointIBMCloud, before EtcdBackendQuota), and this is consistent with the feature gate definition in features/features.go where EVPN is only enabled in DevPreviewNoUpgrade and TechPreviewNoUpgrade.

payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml (1)

98-100: LGTM!

The EVPN feature gate is correctly added to the disabled list for SelfManagedHA-OKD, maintaining alphabetical order and consistency with the feature gate definition.

features.md (1)

43-43: LGTM!

The EVPN row is correctly added to the features table with the proper enabled/disabled states matching the enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade) configuration in features/features.go. Alphabetical ordering is maintained.

payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml (1)

98-100: LGTM!

The EVPN feature gate is correctly added to the disabled list for Hypershift-OKD, maintaining alphabetical order and consistency with the feature gate definition.

features/features.go (1)

214-220: LGTM!

The EVPN feature gate definition follows the established pattern consistently. The configuration properly enables the feature only in DevPreviewNoUpgrade and TechPreviewNoUpgrade feature sets, which aligns with all the manifest file updates and documentation changes in this PR. The enhancement PR (openshift/enhancements#1862) is merged and authored by the same person listed as the contact (jcaamano).

openapi/openapi.json (15)

5875-5886: LGTM - Well-structured list definition.

The conditionalUpdateRisks field is correctly configured as a map-type list with name as the key, which enables proper strategic merge patch behavior in Kubernetes. The 500-entry limit is documented in the description.

---

6094-6102: LGTM - Set type correctly enforces uniqueness.

The riskNames field appropriately uses x-kubernetes-list-type: "set" to ensure entries are unique, which aligns with the description requirement.

---

6129-6140: LGTM - Standard Kubernetes conditions pattern.

The conditions field correctly uses the standard io.k8s.apimachinery.pkg.apis.meta.v1.Condition type with map list type keyed by type, following Kubernetes conventions.

---

6351-6351: LGTM - Documentation improvement for minTLSVersion.

The description clarifies the purpose and usage with a helpful YAML example.

---

8537-8537: LGTM - Clear reference to Mozilla TLS guidelines.

---

8815-8815: LGTM - Consistent with other TLS profile descriptions.

---

9745-9745: LGTM - Consistent with other TLS profile descriptions.

---

11323-11323: LGTM - Duplicate of minTLSVersion description update.

---

11334-11351: LGTM - Comprehensive TLS profile documentation.

The descriptions clearly explain each profile's purpose, equivalent cipher configurations, and reference Mozilla Server Side TLS guidelines v5.0. The warning about custom profiles potentially being "catastrophic" is appropriately strong.

---

11639-11650: LGTM - Properly integrates with conditionalUpdateRisks.

The acceptRisks field is correctly configured as a map-type list. The 1000-entry limit being higher than conditionalUpdateRisks (500) is sensible since it "may contain entries that apply to current, previous or future updates."

---

11685-11685: LGTM - Clearer documentation of recorded risks.

---

28959-28959: LGTM - GuidedTour capability added to documentation.

---

29608-29608: LGTM - Consistent with the Capability.name description update.

---

4575-4587: Validation constraints defined in source but not reflected in OpenAPI schema.

The Go type AcceptRisk in config/v1/types_cluster_version.go includes kubebuilder validation markers (+kubebuilder:validation:MinLength=1 and +kubebuilder:validation:MaxLength=256) that enforce the 256 character limit and non-empty string requirement. However, these constraints are not present in the generated OpenAPI schema, which only specifies type: "string" without minLength or maxLength properties. The validation is enforced at the Go type level, but API clients consuming this schema will not have visibility into these constraints. Consider whether the OpenAPI generation should include these schema constraints for completeness.

---

4575-4587: The changes to openapi/openapi.json appear unrelated to the EVPN feature gate.

The PR title references "Add EVPN featuregate," but the changes in this file concern AcceptRisk/conditionalUpdateRisks (cluster update management), GuidedTour (console UI), and TLS documentation. The EVPN feature is only registered in features/features.go. Since openapi/openapi.json is auto-generated (see hack/update-openapi.sh), this file likely includes other pending schema changes regenerated alongside the EVPN feature gate addition.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[JoelSpeed]

/lgtm

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoelSpeed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kyrtapz]

/verified by e2e
https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_api/2649/pull-ci-openshift-api-master-e2e-aws-ovn-techpreview/2011781520234123264/artifacts/e2e-aws-ovn-techpreview/gather-extra/artifacts/featuregate.json

[openshift-ci-robot]

@kyrtapz: This PR has been marked as verified by e2e.

Details

In response to this:

/verified by e2e
https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_api/2649/pull-ci-openshift-api-master-e2e-aws-ovn-techpreview/2011781520234123264/artifacts/e2e-aws-ovn-techpreview/gather-extra/artifacts/featuregate.json

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 6ab113c and 2 for PR HEAD fa33dbe in total

[openshift-ci]

@kyrtapz: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.