feat: enable OVN kube identity in DPF Helm charts and fix DPU bootstrap identity flow

- Wire global.enableOvnKubeIdentity across DPF OVN manifests and enable OVN_ENABLE_OVNKUBE_IDENTITY for host and DPU paths.
- Add ovnkube-identity resources in DPF charts (SA/RBAC/webhooks/daemonset) for CSR approval and admission checks.
- Implement DPU bootstrap kubeconfig generation with host-API impersonation and required RBAC for DPU service accounts.
- Ensure DPU OVN containers get K8S_NODE_DPU with normalized node input to avoid empty or mismatched cert-manager node names.

Author: hareeshpc

helm/ovn-kubernetes-dpf/templates/common.yaml

@@ -87,6 +87,16 @@ rules:
   - egressservices
   - adminpolicybasedexternalroutes
   verbs: [ "get", "list", "watch" ]
+{{- if eq (hasKey .Values.global "enableOvnKubeIdentity" | ternary .Values.global.enableOvnKubeIdentity false) true }}
+- apiGroups: ["certificates.k8s.io"]
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+{{- end }}
 - apiGroups: [""]
   resources:
   - events
@@ -129,4 +139,4 @@ rules:
   verbs:
   - get
   - create
-{{- end }}
+{{- end }}

helm/ovn-kubernetes-dpf/templates/dpu-manifests.yaml

@@ -1,3 +1,5 @@
+{{- $identityEnabled := hasKey .Values.global "enableOvnKubeIdentity" | ternary .Values.global.enableOvnKubeIdentity false -}}
+{{- $useSecretBootstrap := and $identityEnabled (ne (default "" .Values.dpuManifests.kubernetesSecretName) "") -}}
 {{- if .Values.dpuManifests.enabled }}
 ---
 apiVersion: v1
@@ -53,9 +55,15 @@ roleRef:
   kind: ClusterRole
   apiGroup: rbac.authorization.k8s.io
 subjects:
+{{- if eq (hasKey .Values.global "enableOvnKubeIdentity" | ternary .Values.global.enableOvnKubeIdentity false) true }}
+- kind: Group
+  name: system:ovn-nodes
+  apiGroup: rbac.authorization.k8s.io
+{{- else }}
 - kind: ServiceAccount
   name: {{ include "ovn-kubernetes.fullname" . }}-node
   namespace: {{ .Release.Namespace }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -80,9 +88,15 @@ roleRef:
   kind: Role
   apiGroup: rbac.authorization.k8s.io
 subjects:
+{{- if eq (hasKey .Values.global "enableOvnKubeIdentity" | ternary .Values.global.enableOvnKubeIdentity false) true }}
+- kind: Group
+  name: system:ovn-nodes
+  apiGroup: rbac.authorization.k8s.io
+{{- else }}
 - kind: ServiceAccount
   name: {{ include "ovn-kubernetes.fullname" . }}-node
   namespace: {{ .Release.Namespace }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -176,6 +190,55 @@ spec:
       automountServiceAccountToken: false
       # DPU CNI provisioner
       initContainers:
+      {{- if $useSecretBootstrap }}
+      - name: ovnkube-bootstrap-kubeconfig
+        image: {{ .Values.dpuManifests.image.repository }}:{{ .Values.dpuManifests.image.tag }}
+        imagePullPolicy: {{ .Values.dpuManifests.image.pullPolicy }}
+        command:
+        - /bin/sh
+        - -ec
+        - |
+          cat <<EOF >/host-kubernetes/kubelet.conf
+          apiVersion: v1
+          kind: Config
+          clusters:
+          - cluster:
+              certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+              server: ${K8S_APISERVER}
+            name: host-cluster
+          contexts:
+          - context:
+              cluster: host-cluster
+              user: ovn-dpu-bootstrap
+            name: ovn-dpu-bootstrap
+          current-context: ovn-dpu-bootstrap
+          users:
+          - name: ovn-dpu-bootstrap
+            user:
+              tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+              as: system:node:${K8S_NODE_DPU%%-mt*}
+              as-groups:
+              - system:nodes
+              - system:authenticated
+          EOF
+          chmod 0600 /host-kubernetes/kubelet.conf
+        env:
+        - name: K8S_NODE_DPU
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: K8S_APISERVER
+          valueFrom:
+            configMapKeyRef:
+              name: {{ include "ovn-kubernetes.fullname" . }}-config
+              key: k8s_apiserver
+        volumeMounts:
+        - mountPath: /host-kubernetes
+          name: host-kubeconfig
+        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          name: tenant-cluster-access-secret
+          readOnly: true
+      {{- end }}
       {{- if not .Values.dpuManifests.externalDHCP }}
       - name: ipallocator
         image: {{ .Values.dpuManifests.imagedpf.repository }}:{{ .Values.dpuManifests.imagedpf.tag }}
@@ -501,7 +564,12 @@ spec:
       - name: doca-ovnkube-controller
         image: {{ .Values.dpuManifests.image.repository }}:{{ .Values.dpuManifests.image.tag }}
         imagePullPolicy: {{ .Values.dpuManifests.image.pullPolicy }}
-        command: ["/root/ovnkube.sh", "ovnkube-controller-with-node"]
+        command:
+        - /bin/sh
+        - -ec
+        - |
+          export K8S_NODE_DPU="${K8S_NODE_DPU%%-mt*}"
+          exec /root/ovnkube.sh ovnkube-controller-with-node
         securityContext:
           runAsUser: 0
           privileged: true
@@ -604,6 +672,10 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        - name: K8S_NODE_DPU
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
         - name: K8S_NODE_IP
           valueFrom:
             fieldRef:
@@ -702,7 +774,7 @@ spec:
         - name: OVN_ENABLE_MULTI_EXTERNAL_GATEWAY
           value: "false"
         - name: OVN_ENABLE_OVNKUBE_IDENTITY
-          value: "false"
+          value: {{ hasKey .Values.global "enableOvnKubeIdentity" | ternary .Values.global.enableOvnKubeIdentity false | quote }}
         - name: OVN_DISABLE_REQUESTEDCHASSIS
           value: {{ default "false" .Values.dpuManifests.ovnDisableRequestedchassis | quote }}
         - name: OVN_ENABLE_SVC_TEMPLATE_SUPPORT
@@ -726,7 +798,12 @@ spec:
       - name: ovn-controller
         image: {{ .Values.dpuManifests.image.repository }}:{{ .Values.dpuManifests.image.tag }}
         imagePullPolicy: {{ .Values.dpuManifests.image.pullPolicy }}
-        command: ["/root/ovnkube.sh", "ovn-controller"]
+        command:
+        - /bin/sh
+        - -ec
+        - |
+          export K8S_NODE_DPU="${K8S_NODE_DPU%%-mt*}"
+          exec /root/ovnkube.sh ovn-controller
         securityContext:
           runAsUser: 0
           capabilities:
@@ -761,6 +838,10 @@ spec:
             configMapKeyRef:
               name: {{ include "ovn-kubernetes.fullname" . }}-config
               key: k8s_apiserver
+        - name: K8S_NODE_DPU
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
         - name: OVN_KUBERNETES_NAMESPACE
           valueFrom:
             fieldRef:
@@ -845,8 +926,12 @@ spec:
         hostPath:
           path: /var/run/dbus
       - name: host-kubeconfig
+      {{- if $useSecretBootstrap }}
+        emptyDir: {}
+      {{- else }}
         hostPath:
           path: /etc/kubernetes/
+      {{- end }}
       - name: host-kubelet
         hostPath:
           path: /var/lib/kubelet

helm/ovn-kubernetes-dpf/templates/host-with-dpu-manifests.yaml

@@ -15,9 +15,15 @@ roleRef:
   kind: ClusterRole
   apiGroup: rbac.authorization.k8s.io
 subjects:
+{{- if eq (hasKey .Values.global "enableOvnKubeIdentity" | ternary .Values.global.enableOvnKubeIdentity false) true }}
+- kind: Group
+  name: system:ovn-nodes
+  apiGroup: rbac.authorization.k8s.io
+{{- else }}
 - kind: ServiceAccount
   name: {{ include "ovn-kubernetes.fullname" . }}-node-dpu-host
   namespace: {{ .Release.Namespace }}
+{{- end }}
 - kind: ServiceAccount
   name: {{ .Values.nodeWithDPUManifests.dpuServiceAccountName }}
   namespace: {{ .Values.nodeWithDPUManifests.dpuServiceAccountNamespace }}
@@ -37,6 +43,45 @@ subjects:
 - kind: ServiceAccount
   name: {{ .Values.nodeWithDPUManifests.dpuServiceAccountName }}
   namespace: {{ .Values.nodeWithDPUManifests.dpuServiceAccountNamespace }}
+{{- if eq (hasKey .Values.global "enableOvnKubeIdentity" | ternary .Values.global.enableOvnKubeIdentity false) true }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "ovn-kubernetes.fullname" . }}-node-dpu-host-impersonator
+rules:
+- apiGroups: [""]
+  resources:
+  - users
+  verbs:
+  - impersonate
+- apiGroups: [""]
+  resources:
+  - groups
+  resourceNames:
+  - system:nodes
+  - system:authenticated
+  verbs:
+  - impersonate
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "ovn-kubernetes.fullname" . }}-node-dpu-host-impersonator
+roleRef:
+  name: {{ include "ovn-kubernetes.fullname" . }}-node-dpu-host-impersonator
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.nodeWithDPUManifests.dpuServiceAccountName }}
+  namespace: {{ .Values.nodeWithDPUManifests.dpuServiceAccountNamespace }}
+{{- if ne (default "" .Values.dpuManifests.kubernetesSecretName) "" }}
+- kind: ServiceAccount
+  name: {{ .Values.dpuManifests.kubernetesSecretName }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -48,9 +93,15 @@ roleRef:
   kind: Role
   apiGroup: rbac.authorization.k8s.io
 subjects:
+{{- if eq (hasKey .Values.global "enableOvnKubeIdentity" | ternary .Values.global.enableOvnKubeIdentity false) true }}
+- kind: Group
+  name: system:ovn-nodes
+  apiGroup: rbac.authorization.k8s.io
+{{- else }}
 - kind: ServiceAccount
   name: {{ include "ovn-kubernetes.fullname" . }}-node-dpu-host
   namespace: {{ .Release.Namespace }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -255,7 +306,7 @@ spec:
         - name: OVN_EX_GW_NETWORK_INTERFACE
           value: ""
         - name: OVN_ENABLE_OVNKUBE_IDENTITY
-          value: "false"
+          value: {{ hasKey .Values.global "enableOvnKubeIdentity" | ternary .Values.global.enableOvnKubeIdentity false | quote }}
         - name: OVN_ENABLE_INTERCONNECT
           value: "true"
         - name: OVNKUBE_NODE_MODE

helm/ovn-kubernetes-dpf/templates/host-without-dpu-manifests.yaml

@@ -15,9 +15,15 @@ roleRef:
   kind: ClusterRole
   apiGroup: rbac.authorization.k8s.io
 subjects:
+{{- if eq (hasKey .Values.global "enableOvnKubeIdentity" | ternary .Values.global.enableOvnKubeIdentity false) true }}
+- kind: Group
+  name: system:ovn-nodes
+  apiGroup: rbac.authorization.k8s.io
+{{- else }}
 - kind: ServiceAccount
   name: {{ include "ovn-kubernetes.fullname" . }}-node
   namespace: {{ .Release.Namespace }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -42,9 +48,15 @@ roleRef:
   kind: Role
   apiGroup: rbac.authorization.k8s.io
 subjects:
+{{- if eq (hasKey .Values.global "enableOvnKubeIdentity" | ternary .Values.global.enableOvnKubeIdentity false) true }}
+- kind: Group
+  name: system:ovn-nodes
+  apiGroup: rbac.authorization.k8s.io
+{{- else }}
 - kind: ServiceAccount
   name: {{ include "ovn-kubernetes.fullname" . }}-node
   namespace: {{ .Release.Namespace }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -491,7 +503,7 @@ spec:
         - name: OVN_ENABLE_MULTI_EXTERNAL_GATEWAY
           value: "false"
         - name: OVN_ENABLE_OVNKUBE_IDENTITY
-          value: "false"
+          value: {{ hasKey .Values.global "enableOvnKubeIdentity" | ternary .Values.global.enableOvnKubeIdentity false | quote }}
         - name: OVN_ENABLE_SVC_TEMPLATE_SUPPORT
           value: "false"
         - name: OVN_ENABLE_DNSNAMERESOLVER