fix: skip NetworkUnavailable condition in non-primary CNI mode

When kube-ovn is configured as a non-primary CNI, the daemon should
not set the NetworkUnavailable node condition - that's the responsibility
of the primary CNI.

This commit:
- Adds --non-primary-cni-mode flag to daemon configuration
- Skips setting NetworkUnavailable condition in configureNodeNic()
  when running in non-primary CNI mode
- Skips loopOvn0Check() entirely in non-primary mode
- Updates Helm charts to pass the flag to the daemon

Fixes: #6194

Signed-off-by: Damir Nugmanov <damir_nug@mail.ru>

Author: dnugmanov

charts/kube-ovn-v2/templates/agent/agent-daemonset.yaml

@@ -143,6 +143,7 @@ spec:
           - --ovs-vsctl-concurrency={{ .Values.performance.ovsVsctlConcurrency }}
           - --secure-serving={{- .Values.features.enableSecureServing }}
           - --enable-ovn-ipsec={{- .Values.features.enableOvnIpsec }}
+          - --non-primary-cni-mode={{- .Values.cni.nonPrimaryCNI }}
         securityContext:
           runAsGroup: 0
           runAsUser: 0

charts/kube-ovn/templates/ovncni-ds.yaml

@@ -125,6 +125,7 @@ spec:
           - --secure-serving={{- .Values.func.SECURE_SERVING }}
           - --enable-ovn-ipsec={{- .Values.func.ENABLE_OVN_IPSEC }}
           - --set-vxlan-tx-off={{- .Values.func.SET_VXLAN_TX_OFF }}
+          - --non-primary-cni-mode={{- .Values.cni_conf.NON_PRIMARY_CNI }}
         securityContext:
           runAsUser: 0
           privileged: false

pkg/daemon/config.go

@@ -83,6 +83,7 @@ type Configuration struct {
 	OVSVsctlConcurrency       int32
 	SetVxlanTxOff             bool
 	LogPerm                   string
+	EnableNonPrimaryCNI       bool
 
 	// TLS configuration for secure serving
 	TLSMinVersion   string
@@ -145,6 +146,7 @@ func ParseFlags() *Configuration {
 		argTLSMinVersion   = pflag.String("tls-min-version", "", "The minimum TLS version to use for secure serving. Supported values: TLS10, TLS11, TLS12, TLS13. If not set, the default is used based on the Go version.")
 		argTLSMaxVersion   = pflag.String("tls-max-version", "", "The maximum TLS version to use for secure serving. Supported values: TLS10, TLS11, TLS12, TLS13. If not set, the default is used based on the Go version.")
 		argTLSCipherSuites = pflag.StringSlice("tls-cipher-suites", nil, "Comma-separated list of TLS cipher suite names to use for secure serving (e.g., 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'). Names must match Go's crypto/tls package. See Go documentation for available suites. If not set, defaults are used. Users are responsible for selecting secure cipher suites.")
+		argNonPrimaryCNI   = pflag.Bool("non-primary-cni-mode", false, "Use Kube-OVN in non primary cni mode. When true, skip setting NetworkUnavailable node condition")
 	)
 
 	// mute info log for ipset lib
@@ -215,6 +217,7 @@ func ParseFlags() *Configuration {
 		CertManagerIPSecCert:      *argCertManagerIPSecCert,
 		CertManagerIssuerName:     *argCertManagerIssuerName,
 		IPSecCertDuration:         *argOVNIPSecCertDuration,
+		EnableNonPrimaryCNI:       *argNonPrimaryCNI,
 	}
 
 	return config

pkg/daemon/init.go

@@ -87,7 +87,7 @@ func InitNodeGateway(config *Configuration) error {
 		klog.Errorf("failed to get ip %s with mask %s, %v", ip, joinCIDR, err)
 		return err
 	}
-	return configureNodeNic(config.KubeClient, config.NodeName, portName, ipAddr, gw, joinCIDR, mac, config.MTU)
+	return configureNodeNic(config.KubeClient, config.NodeName, portName, ipAddr, gw, joinCIDR, mac, config.MTU, config.EnableNonPrimaryCNI)
 }
 
 func InitMirror(config *Configuration) error {

pkg/daemon/ovs_linux.go

@@ -630,7 +630,7 @@ func waitNetworkReady(nic, ipAddr, gateway string, preferARP, verbose bool, maxR
 	return nil
 }
 
-func configureNodeNic(cs kubernetes.Interface, nodeName, portName, ip, gw, joinCIDR string, macAddr net.HardwareAddr, mtu int) error {
+func configureNodeNic(cs kubernetes.Interface, nodeName, portName, ip, gw, joinCIDR string, macAddr net.HardwareAddr, mtu int, enableNonPrimaryCNI bool) error {
 	ipStr := util.GetIPWithoutMask(ip)
 	raw, err := ovs.Exec(ovs.MayExist, "add-port", "br-int", util.NodeNic, "--",
 		"set", "interface", util.NodeNic, "type=internal", "--",
@@ -718,17 +718,25 @@ func configureNodeNic(cs kubernetes.Interface, nodeName, portName, ip, gw, joinC
 
 	// ping ovn0 gw to activate the flow
 	klog.Infof("wait %s gw ready", util.NodeNic)
-	status := corev1.ConditionFalse
-	reason := "JoinSubnetGatewayReachable"
-	message := fmt.Sprintf("ping check to gateway ip %s succeeded", gw)
 	if err = waitNetworkReady(util.NodeNic, ip, gw, false, true, gatewayCheckMaxRetry, nil); err != nil {
 		klog.Errorf("failed to init %s check: %v", util.NodeNic, err)
-		status = corev1.ConditionTrue
-		reason = "JoinSubnetGatewayUnreachable"
-		message = fmt.Sprintf("ping check to gateway ip %s failed", gw)
 	}
-	if err := util.SetNodeNetworkUnavailableCondition(cs, nodeName, status, reason, message); err != nil {
-		klog.Errorf("failed to set node network unavailable condition: %v", err)
+
+	// Only set NetworkUnavailable condition when running as primary CNI
+	if !enableNonPrimaryCNI {
+		status := corev1.ConditionFalse
+		reason := "JoinSubnetGatewayReachable"
+		message := fmt.Sprintf("ping check to gateway ip %s succeeded", gw)
+		if err != nil {
+			status = corev1.ConditionTrue
+			reason = "JoinSubnetGatewayUnreachable"
+			message = fmt.Sprintf("ping check to gateway ip %s failed", gw)
+		}
+		if setErr := util.SetNodeNetworkUnavailableCondition(cs, nodeName, status, reason, message); setErr != nil {
+			klog.Errorf("failed to set node network unavailable condition: %v", setErr)
+		}
+	} else {
+		klog.Infof("running in non-primary CNI mode, skipping NetworkUnavailable condition update")
 	}
 
 	return err
@@ -737,6 +745,11 @@ func configureNodeNic(cs kubernetes.Interface, nodeName, portName, ip, gw, joinC
 // If OVS restart, the ovn0 port will down and prevent host to pod network,
 // Restart the kube-ovn-cni when this happens
 func (c *Controller) loopOvn0Check() {
+	// Skip ovn0 check when running as non-primary CNI
+	if c.config.EnableNonPrimaryCNI {
+		return
+	}
+
 	link, err := netlink.LinkByName(util.NodeNic)
 	if err != nil {
 		util.LogFatalAndExit(err, "failed to get node nic %s", util.NodeNic)