OCPBUGS-82973: Frrk8s tls manifests

[fedepaol]

Aligning the frr-k8s manifests with openshift/frr#128, the 2 major changes are:

• frr-k8s no longer uses kube-rbac-proxy but rather exposes the https endpoints directly, aligning the bits with upstream
  new crd introduced
• the 2 other commits are for e2e passing downstream, as upstream has these assumptions already baked in

Summary by CodeRabbit

• New Features

  • Added FRRK8sConfiguration resource to configure FRR logging levels.

• Infrastructure Updates

  • Migrated metrics endpoints to HTTPS with certificate support.
  • Made log level and polling interval configurable via environment variables.
  • Removed intermediate proxy containers, with TLS now handled directly by service endpoints.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: b4584b0d-5f92-4a0b-b9a0-5591db8d9e8a

📥 Commits

Reviewing files that changed from the base of the PR and between 2043f29 and 86b9bb0.

📒 Files selected for processing (5)

• bindata/network/frr-k8s/001-crd.yaml
• bindata/network/frr-k8s/002-rbac.yaml
• bindata/network/frr-k8s/frr-k8s.yaml
• pkg/network/render.go
• pkg/network/render_test.go

💤 Files with no reviewable changes (1)

• pkg/network/render.go

---

Walkthrough

This pull request introduces a new FRRK8sConfiguration custom resource definition for managing FRR deployment settings, updates the metrics infrastructure from HTTP localhost endpoints to HTTPS on 0.0.0.0, removes the kube-rbac-proxy sidecar containers, and makes deployment configuration more flexible through environment variables sourced from a ConfigMap.

Changes

Cohort / File(s)	Summary
CRD & RBAC Configuration bindata/network/frr-k8s/001-crd.yaml, bindata/network/frr-k8s/002-rbac.yaml	Added new FRRK8sConfiguration v1beta1 CRD (namespaced) with logLevel enum spec and status subresource. Updated controller-gen annotation version to v0.17.3 across multiple CRDs. Modified disableMP field description to reference dualStackAddressFamily. Added ClusterRole permissions for read-only access to frrk8sconfigurations resource.
Deployment Manifest Changes bindata/network/frr-k8s/frr-k8s.yaml	Restructured metrics endpoints from localhost HTTP to 0.0.0.0 HTTPS: controller metrics moved from port 7572 to 9140 with TLS, frr-metrics from 7573 to 9141. Updated health probes (controller: /healthz//readyz on 7572; frr: HTTPS on 9141). Removed both kube-rbac-proxy sidecar containers. Added metrics-certs read-only volume mounts. Made frr-status container configurable via LOG_LEVEL and POLL_INTERVAL environment variables from optional env-overrides ConfigMap.
Render Logic Updates pkg/network/render.go, pkg/network/render_test.go	Removed KubeRBACProxyImage environment variable population from render data. Updated test expectation from 20 to 21 rendered objects.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 9 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Topology-Aware Scheduling Compatibility	⚠️ Warning	DaemonSet wildcard tolerations will schedule pods to arbiter nodes on TNA topology; Deployment control-plane tolerations cause pending pods on HyperShift; renderAdditionalRoutingCapabilities lacks topology information.	Modify DaemonSet tolerations for master/control-plane taints only, add worker tolerations to Deployment, pass bootstrapResult to renderAdditionalRoutingCapabilities for topology awareness.

✅ Passed checks (9 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'Frrk8s tls manifests' accurately describes the main change—converting frr-k8s to use TLS-exposed endpoints instead of kube-rbac-proxy, introducing a new CRD, and updating related manifests.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	The PR modifies only Go source files and YAML manifests; the test file render_test.go uses standard Go testing, not Ginkgo declarations.
Test Structure And Quality	✅ Passed	PR modifies standard Go tests with Gomega assertions, not Ginkgo tests. Custom check targets Ginkgo-specific patterns (It blocks, Describe, Context, BeforeEach/AfterEach). No Ginkgo tests were modified.
Microshift Test Compatibility	✅ Passed	This PR introduces only manifest file changes and modifications to existing unit tests, not new Ginkgo e2e tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This pull request does not add any new Ginkgo e2e tests. The changes consist of YAML manifest updates for frr-k8s, a code change in pkg/network/render.go removing a field reference, and a unit test expectation update in pkg/network/render_test.go. The test file uses standard Go testing with Gomega assertions, not Ginkgo test patterns.
Ote Binary Stdout Contract	✅ Passed	PR does not violate OTE Binary Stdout Contract: cluster-network-operator is not an OTE test binary, no new stdout-writing code added to process-level functions, only removed environment variable reference, existing logging properly initialized.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests; changes are limited to Kubernetes manifests, environment variable removal, and unit test adjustments.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: inconsistent vendoring in :\n\tgithub.com/Masterminds/semver@v1.5.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/Masterminds/sprig/v3@v3.2.3: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/containernetworking/cni@v0.8.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/ghodss/yaml@v1.0.1-0.20190212211648-25d852aebe32: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/go-bindata/go-bindata@v3.1.2+incompatible: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/onsi/gomega@v1.39.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/ope

... [truncated 17356 characters] ...

ired in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/gengo/v2@v2.0.0-20251215205346-5ee0d033ba5b: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/kms@v0.35.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/kube-aggregator@v0.35.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/randfill@v1.0.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/structured-merge-diff/v6@v6.3.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\n\tTo ignore the vendor directory, use -mod=readonly or -mod=mod.\n\tTo sync the vendor directory, run:\n\t\tgo mod vendor\n"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@fedepaol: This pull request references Jira Issue OCPBUGS-82973, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Aligning the frr-k8s manifests with openshift/frr#128, the 2 major changes are:

• frr-k8s no longer uses kube-rbac-proxy but rather exposes the https endpoints directly, aligning the bits with upstream
  new crd introduced
• the 2 other commits are for e2e passing downstream, as upstream has these assumptions already baked in

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[fedepaol]

cc @jcaamano

[jcaamano]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fedepaol, jcaamano

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jcaamano]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[fedepaol]

/verified by ci

[openshift-ci-robot]

@fedepaol: This PR has been marked as verified by ci.

Details

In response to this:

/verified by ci

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 2043f29 and 2 for PR HEAD 86b9bb0 in total

[jcaamano]

/retest-required

[jcaamano]

/override ci/prow/e2e-aws-ovn-windows

because this is blocking our BGP workloads and I don't see a possible relation

[openshift-ci]

@jcaamano: Overrode contexts on behalf of jcaamano: ci/prow/e2e-aws-ovn-windows

Details

In response to this:

/override ci/prow/e2e-aws-ovn-windows

because this is blocking our BGP workloads and I don't see a possible relation

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@fedepaol: Jira Issue OCPBUGS-82973: Some pull requests linked via external trackers have merged:

• openshift/frr#128

The following pull request, linked via external tracker, has not merged:

• openshift/cluster-network-operator#2945 is open

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-82973 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Details

In response to this:

Aligning the frr-k8s manifests with openshift/frr#128, the 2 major changes are:

• frr-k8s no longer uses kube-rbac-proxy but rather exposes the https endpoints directly, aligning the bits with upstream
  new crd introduced
• the 2 other commits are for e2e passing downstream, as upstream has these assumptions already baked in

Summary by CodeRabbit

• New Features

• Added FRRK8sConfiguration resource to configure FRR logging levels.

• Infrastructure Updates

• Migrated metrics endpoints to HTTPS with certificate support.

• Made log level and polling interval configurable via environment variables.

• Removed intermediate proxy containers, with TLS now handled directly by service endpoints.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@fedepaol: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azure-ovn-upgrade	86b9bb0	link	unknown	/test e2e-azure-ovn-upgrade
ci/prow/e2e-aws-ovn-rhcos10-techpreview	86b9bb0	link	false	/test e2e-aws-ovn-rhcos10-techpreview
ci/prow/e2e-aws-ovn-upgrade-ipsec	86b9bb0	link	unknown	/test e2e-aws-ovn-upgrade-ipsec
ci/prow/security	86b9bb0	link	false	/test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.