vtep: Add CiliumVTEPConfig CRD for dynamic VTEP configuration #44188
parlakisik wants to merge 1 commit into
Commit a5880f3 does not match "(?m)^Signed-off-by:". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
Force-pushed from 2f7acca to c76eb18
Force-pushed from 35c1876 to bf9c9d3
Introduce CiliumVTEPConfig CRD to replace static ConfigMap-based VTEP configuration. VTEP endpoints are assigned to nodes based on label selectors (nodeSelector), enabling per-zone or per-node VTEP targeting without agent restarts.

Signed-off-by: Murat Parlakisik <parlakisik@gmail.com>
/test

/test ci-l7
pchaigno left a comment
Please split this into multiple commits to help with reviews.
I'll note that cilium/design-cfps#92 is open for discussion as a prerequisite before adopting this proposal. This is also related to #41332, which I have now closed due to the feedback in this post. I know @parlakisik was made aware of this feedback on that PR, but I don't know the degree to which the same feedback applies to this proposal.
This pull request has been automatically marked as stale because it

This pull request has not seen any activity since it was marked stale.
Introduce CiliumVTEPConfig CRD for dynamic VTEP management

Replace static CLI flag-based VTEP configuration with a CiliumVTEPConfig custom resource, enabling dynamic updates without Cilium agent restarts.

CiliumVTEPConfig CRD
Cluster-scoped resource (shortName: cvtep) with kubebuilder validation, status subresource, and max 8 endpoints per node (BPF map limit).

Per-node VTEP assignment via nodeSelector
Different nodes can use different VTEP endpoints based on label selectors (e.g., per availability zone). Multiple CiliumVTEPConfig objects can coexist; each Cilium agent evaluates selectors against its own node labels. Configs without nodeSelector apply to all nodes. Conflicting CIDRs on the same node are detected and rejected with error status.

VTEPReconciler
Watches CRD events, evaluates nodeSelector matching, updates BPF LPM trie map entries, manages Linux routing table entries, and reports per-endpoint sync status back to the CRD.

Per-endpoint status tracking
Each endpoint reports synced state, lastSyncTime, and errors via CRD status conditions, visible through kubectl get cvtep.

BPF map changes
Migrated from HashMap to LPM Trie for longest-prefix-match support. Added List() and DeleteByCIDR() methods for reconciliation.

Removed CLI flags
Removed --vtep-endpoint, --vtep-cidr, --vtep-mac, --vtep-mask, --vtep-sync-interval flags in favor of CRD-based configuration.

CI integration
Added conformance test workflow (conformance-vtep.yaml) with Kind cluster, VTEP responder containers, and integration test suite. Registered in Ariane orchestrator with image build dependency.
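The selection rules the description above lays out (selector matching against the agent's own node labels, a config with no nodeSelector applying to every node, conflicting CIDRs on one node rejected, the 8-endpoint-per-node BPF map limit, and longest-prefix-match lookup instead of exact-match hashing), worked through as an added Go example. This is not code from this PR or from Cilium: the Config and Endpoint types, SelectForNode, LookupLPM, the in-memory conflict check and the sample objects are assumptions made for illustration, and the real CRD's field names are not shown on this page.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// maxEndpointsPerNode is the per-node cap the PR description gives (BPF map limit).
const maxEndpointsPerNode = 8

// Endpoint is a hypothetical flattened VTEP entry: the overlay CIDR that is
// reached through one tunnel endpoint (VTEP IP and MAC).
type Endpoint struct {
	CIDR netip.Prefix
	VTEP netip.Addr
	MAC  string
}

// Config is a hypothetical stand-in for one CiliumVTEPConfig object.
// A nil or empty NodeSelector means the config applies to all nodes.
type Config struct {
	Name         string
	NodeSelector map[string]string // label key -> required value (matchLabels style)
	Endpoints    []Endpoint
}

// matches reports whether every selector label is present on the node with the
// required value; an empty selector matches every node.
func matches(sel, nodeLabels map[string]string) bool {
	for k, v := range sel {
		if nodeLabels[k] != v {
			return false
		}
	}
	return true
}

// SelectForNode evaluates all configs against one node's labels, as each agent
// would for its own node, and returns the endpoints that node should program.
// It fails if two selected entries claim the same CIDR on this node, or if the
// node would exceed maxEndpointsPerNode.
func SelectForNode(configs []Config, nodeLabels map[string]string) ([]Endpoint, error) {
	owner := map[netip.Prefix]string{} // normalized CIDR -> config that claimed it
	var out []Endpoint
	for _, c := range configs {
		if !matches(c.NodeSelector, nodeLabels) {
			continue
		}
		for _, ep := range c.Endpoints {
			key := ep.CIDR.Masked() // 10.1.0.1/16 and 10.1.0.0/16 are the same route
			if prev, dup := owner[key]; dup {
				return nil, fmt.Errorf("conflicting CIDR %s on this node: claimed by %q and %q", key, prev, c.Name)
			}
			owner[key] = c.Name
			ep.CIDR = key
			out = append(out, ep)
		}
	}
	if len(out) > maxEndpointsPerNode {
		return nil, fmt.Errorf("%d endpoints selected, BPF map limit is %d", len(out), maxEndpointsPerNode)
	}
	// Deterministic order keeps status output and map diffs stable across reconciles.
	sort.Slice(out, func(i, j int) bool { return out[i].CIDR.String() < out[j].CIDR.String() })
	return out, nil
}

// LookupLPM returns the endpoint whose CIDR is the longest prefix containing dst,
// the semantics the PR adopts by moving the BPF map to an LPM trie. This is a
// linear scan for illustration; the kernel trie performs the same selection.
func LookupLPM(eps []Endpoint, dst netip.Addr) (Endpoint, bool) {
	var best Endpoint
	found := false
	for _, ep := range eps {
		if ep.CIDR.Contains(dst) && (!found || ep.CIDR.Bits() > best.CIDR.Bits()) {
			best, found = ep, true
		}
	}
	return best, found
}

// sampleConfigs returns constructed sample objects: one config per zone, both
// advertising the same overlay /16 through different VTEPs, plus a global config
// (no selector) carving a /24 out of that range.
func sampleConfigs() []Config {
	ep := func(cidr, vtep, mac string) Endpoint {
		return Endpoint{CIDR: netip.MustParsePrefix(cidr), VTEP: netip.MustParseAddr(vtep), MAC: mac}
	}
	zone := func(z string) map[string]string { return map[string]string{"topology.kubernetes.io/zone": z} }
	return []Config{
		{Name: "vtep-zone-a", NodeSelector: zone("zone-a"), Endpoints: []Endpoint{ep("10.1.0.0/16", "192.0.2.10", "02:00:00:00:00:0a")}},
		{Name: "vtep-zone-b", NodeSelector: zone("zone-b"), Endpoints: []Endpoint{ep("10.1.0.0/16", "192.0.2.20", "02:00:00:00:00:14")}},
		{Name: "vtep-global", Endpoints: []Endpoint{ep("10.1.5.0/24", "192.0.2.30", "02:00:00:00:00:1e")}},
	}
}

func main() {
	// A node in zone-a sees the zone-a config and the global one; zone-b is skipped.
	node := map[string]string{"topology.kubernetes.io/zone": "zone-a"}
	eps, err := SelectForNode(sampleConfigs(), node)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	for _, ep := range eps {
		fmt.Printf("program %s via %s (%s)\n", ep.CIDR, ep.VTEP, ep.MAC)
	}
	for _, dst := range []string{"10.1.5.7", "10.1.9.9", "10.2.0.1"} {
		if ep, ok := LookupLPM(eps, netip.MustParseAddr(dst)); ok {
			fmt.Printf("%s -> %s\n", dst, ep.VTEP)
		} else {
			fmt.Printf("%s -> no VTEP route\n", dst)
		}
	}
}
```

The point of the LPM lookup is visible in the sample: on a zone-a node, 10.1.5.7 is sent to the global /24's VTEP even though the zone-a /16 also contains it, which an exact-match hash map could not express. The conflict check is deliberately strict (any repeated CIDR on one node is rejected), which is the safe default when two configs would otherwise race for the same BPF key.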