fix(controller): clean orphaned attachment IPs on KubeVirt NAD hotplug (#6519)

* fix(controller): clean orphaned attachment IPs on KubeVirt NAD hotplug

When KubeVirt VEP #140 (LiveUpdateNADRef) changes a VM's secondary
network NAD reference, the old attachment IP CR and OVN LSP were never
released because keepIPCR=true (VMI still alive). This caused IP leaks
and orphaned OVN logical switch ports.

Add getVMOrphanedAttachmentPorts() to detect attachment networks on
a VM pod that are no longer in the VM's spec.template.spec.networks.
In the keepIPCR=true branch of handleDeletePod, selectively delete
orphaned attachment LSPs and release their IPs, while preserving the
shared primary network LSP and other unchanged attachment IPs.

Only vm.Spec.Template.Spec.Networks is used as the authoritative source
(not template annotations) because VEP #140 modifies spec.networks
and template annotations may not be synced.

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>

* fix(controller): also clean stale attachment IPs on new VM pod creation

Address review feedback: the orphaned attachment cleanup in
handleDeletePod only works when the NAD change happens before pod
deletion. In the stop→patch NAD→start workflow, the old pod deletion
is processed before the NAD patch, so stale IPs are missed.

Add cleanStaleVMAttachmentIPs() in reconcileAllocateSubnets to detect
and remove attachment LSPs/IPs that belong to the VM but are not part
of the current pod's networks. This ensures stale resources are cleaned
regardless of operation ordering.

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>

* fix(controller): address review feedback on stale IP cleanup robustness

1. cleanStaleVMAttachmentIPs now calls getPodKubeovnNets internally
   (after pod re-fetch) instead of relying on needAllocatePodNets,
   which only contained nets needing allocation and would incorrectly
   flag already-allocated nets as stale.

2. In keepIPCR=true branch, iterate vmOrphanedPorts directly and get
   subnet name from IP CR spec instead of depending on podNets, which
   could be nil if getPodKubeovnNets fails.

3. Use ipClient.WaitToBeReady for new attachment IP assertion to avoid
   timing-dependent failures.

4. Add ExpectNotEmpty guard before primary IP comparison.

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>

* fix(controller): skip IP cleanup when stale LSP deletion fails

If DeleteLogicalSwitchPort fails in cleanStaleVMAttachmentIPs, skip
the corresponding IP CR deletion and IPAM release to avoid IP conflicts
where an address is reused while its OVN port still exists.

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>

* fix(controller): use map for orphaned ports lookup and add Patch retry

- Change vmOrphanedPorts from []string to map[string]bool for O(1)
  lookup instead of O(n) slices.Contains in the port cleanup loop.
- Add PollUntilContextTimeout retry to VMClient.Patch following the
  same pattern as other framework clients (handleWaitingAPIError).

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>

* ci: install multus before kubevirt e2e tests

The new kubevirt attachment network e2e tests require Multus CRD
(NetworkAttachmentDefinition) to be available. Add kind-install-multus
before kind-install-kubevirt in CI workflows.

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>

* fix(controller): compare OVN ports against VM spec for orphan detection

Refactor getVMOrphanedAttachmentPorts to compare OVN's actual existing
ports against the VM spec's desired ports, instead of reading stale
pod annotations via getPodAttachmentNet. The pod being deleted may not
have accurate NAD info, while OVN DB is the source of truth for what
ports actually exist.

The function now:
- Takes the existing OVN ports list (already fetched in handleDeletePod)
- Builds expected ports from vm.Spec.Template.Spec.Networks (same
  pattern as gc.go getVMLsps)
- Returns ports in OVN but not in the expected set as orphaned

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>

* refactor(controller): simplify orphaned port cleanup code

- Merge two loops in handleDeletePod keepIPCR branch into one: LSP
  deletion and IP cleanup now happen in the same iteration over ports.
- Combine two iterations over VM spec.networks in
  getVMOrphanedAttachmentPorts into a single pass.
- Add early exit in cleanStaleVMAttachmentIPs when OVN has no ports,
  avoiding expensive getPodKubeovnNets call.
- Reorder cleanStaleVMAttachmentIPs to query OVN first (cheap) before
  pod network parsing (expensive).
- Use ipCR.Spec.Subnet consistently instead of port.ExternalIDs["ls"]
  for subnet name in cleanStaleVMAttachmentIPs.

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>

---------

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: oilbeater

.github/workflows/build-x86-image.yaml

@@ -1154,6 +1154,7 @@ jobs:
           E2E_NETWORK_MODE: ${{ matrix.mode }}
         run: |
           make kube-ovn-conformance-e2e
+          make kind-install-multus
           make kind-install-kubevirt
           make kube-ovn-kubevirt-e2e
 

.github/workflows/scheduled-e2e.yaml

@@ -754,6 +754,7 @@ jobs:
           version=$(grep -E '^VERSION="v([0-9]+\.){2}[0-9]+"$' dist/images/install.sh | head -n1 | awk -F= '{print $2}' | tr -d '"')
           docker pull kubeovn/kube-ovn:$version
           VERSION=$version make kind-install
+          VERSION=$version make kind-install-multus
           VERSION=$version make kind-install-kubevirt
 
       - name: Run E2E

pkg/controller/pod.go

@@ -728,6 +728,14 @@ func (c *Controller) reconcileAllocateSubnets(pod *v1.Pod, needAllocatePodNets [
 		return nil, err
 	}
 
+	// Clean stale attachment IPs/LSPs from previous NAD references when a new
+	// VM pod starts. This handles the stop→patch NAD→start workflow where the
+	// old pod deletion was processed before the NAD change.
+	// Called after pod re-fetch so getPodKubeovnNets sees current annotations.
+	if isVMPod && c.config.EnableKeepVMIP {
+		c.cleanStaleVMAttachmentIPs(pod, podName)
+	}
+
 	// Check if pod is a vpc nat gateway. Annotation set will have subnet provider name as prefix
 	isVpcNatGw, vpcGwName := c.checkIsPodVpcNatGw(pod)
 	if isVpcNatGw {
@@ -1049,6 +1057,7 @@ func (c *Controller) handleDeletePod(key string) (err error) {
 
 	var keepIPCR, isOwnerRefToDel, isOwnerRefDeleted bool
 	var ipcrToDelete []string
+	var vmOrphanedPorts map[string]bool
 	isStsPod, stsName, stsUID := isStatefulSetPod(pod)
 	if isStsPod {
 		if !pod.DeletionTimestamp.IsZero() {
@@ -1105,19 +1114,54 @@ func (c *Controller) handleDeletePod(key string) (err error) {
 				keepIPCR = false
 			}
 		}
+		// Detect orphaned attachment ports from NAD hotplug (KubeVirt VEP #140).
+		// Compare OVN's actual ports against VM spec's desired ports.
+		// These are cleaned selectively in the keepIPCR=true branch to avoid
+		// deleting shared primary network LSPs during live migration.
+		if keepIPCR {
+			vmOrphanedPorts = c.getVMOrphanedAttachmentPorts(pod.Namespace, vmName, ports)
+		}
 	}
 
 	podNets, err := c.getPodKubeovnNets(pod)
 	if err != nil {
 		klog.Errorf("failed to get kube-ovn nets of pod %s: %v", podKey, err)
 	}
 	if keepIPCR {
-		// always remove lsp from port groups
 		for _, port := range ports {
-			klog.Infof("remove lsp %s from all port groups", port.Name)
-			if err = c.OVNNbClient.RemovePortFromPortGroups(port.Name); err != nil {
-				klog.Errorf("failed to remove lsp %s from all port groups: %v", port.Name, err)
-				return err
+			if vmOrphanedPorts[port.Name] {
+				// Orphaned attachment LSP from NAD hotplug: delete and release its IP.
+				klog.Infof("delete orphaned vm attachment lsp %s", port.Name)
+				if err := c.OVNNbClient.DeleteLogicalSwitchPort(port.Name); err != nil {
+					klog.Errorf("failed to delete orphaned lsp %s: %v", port.Name, err)
+					return err
+				}
+				ipCR, err := c.ipsLister.Get(port.Name)
+				if err != nil {
+					if !k8serrors.IsNotFound(err) {
+						klog.Errorf("failed to get ip %s: %v", port.Name, err)
+					}
+					continue
+				}
+				if ipCR.Labels[util.IPReservedLabel] != "true" {
+					klog.Infof("delete orphaned vm attachment ip CR %s", ipCR.Name)
+					if err := c.config.KubeOvnClient.KubeovnV1().IPs().Delete(context.Background(), ipCR.Name, metav1.DeleteOptions{}); err != nil {
+						if !k8serrors.IsNotFound(err) {
+							klog.Errorf("failed to delete ip %s: %v", ipCR.Name, err)
+							return err
+						}
+					}
+					if subnetName := ipCR.Spec.Subnet; subnetName != "" {
+						c.ipam.ReleaseAddressByNic(podKey, port.Name, subnetName)
+						c.updateSubnetStatusQueue.Add(subnetName)
+					}
+				}
+			} else {
+				klog.Infof("remove lsp %s from all port groups", port.Name)
+				if err = c.OVNNbClient.RemovePortFromPortGroups(port.Name); err != nil {
+					klog.Errorf("failed to remove lsp %s from all port groups: %v", port.Name, err)
+					return err
+				}
 			}
 		}
 	} else {
@@ -2407,6 +2451,129 @@ func shouldCleanPodNet(c *Controller, pod *v1.Pod, ownerRefName, ownerRefSubnet,
 	return false
 }
 
+// getVMOrphanedAttachmentPorts finds OVN ports that belong to the VM but are
+// no longer desired by the VM's current spec (e.g., KubeVirt NAD hotplug).
+// It compares OVN's actual ports (existingPorts) against the VM spec's desired
+// ports, rather than relying on pod annotations which may be stale or incomplete.
+func (c *Controller) getVMOrphanedAttachmentPorts(namespace, vmName string, existingPorts []ovnnb.LogicalSwitchPort) map[string]bool {
+	vm, err := c.config.KubevirtClient.VirtualMachine(namespace).Get(context.Background(), vmName, metav1.GetOptions{})
+	if err != nil {
+		klog.Errorf("failed to get vm %s/%s for orphaned port detection: %v", namespace, vmName, err)
+		return nil
+	}
+
+	if vm.Spec.Template == nil {
+		return nil
+	}
+
+	// Build expected port names from VM spec in a single pass (pattern from gc.go:1108-1145)
+	expectedPorts := make(map[string]bool)
+	defaultMultus := false
+	hasMultusNetwork := false
+	for _, network := range vm.Spec.Template.Spec.Networks {
+		if network.Multus == nil {
+			continue
+		}
+		if network.Multus.Default {
+			defaultMultus = true
+		}
+		if network.Multus.NetworkName != "" {
+			hasMultusNetwork = true
+			items := strings.Split(network.Multus.NetworkName, "/")
+			if len(items) != 2 {
+				items = []string{namespace, items[0]}
+			}
+			provider := fmt.Sprintf("%s.%s.%s", items[1], items[0], util.OvnProvider)
+			expectedPorts[ovs.PodNameToPortName(vmName, namespace, provider)] = true
+		}
+	}
+	if !defaultMultus {
+		expectedPorts[ovs.PodNameToPortName(vmName, namespace, util.OvnProvider)] = true
+	}
+
+	// If VM spec has no multus networks, skip detection to avoid
+	// false positives for VMs that only use template annotations.
+	if !hasMultusNetwork {
+		return nil
+	}
+
+	// Find orphaned: ports in OVN but not in expected
+	orphanedPorts := make(map[string]bool)
+	for _, port := range existingPorts {
+		if !expectedPorts[port.Name] {
+			klog.Infof("OVN port %s for vm %s/%s is not in VM spec, marking as orphaned",
+				port.Name, namespace, vmName)
+			orphanedPorts[port.Name] = true
+		}
+	}
+
+	if len(orphanedPorts) == 0 {
+		return nil
+	}
+	return orphanedPorts
+}
+
+// cleanStaleVMAttachmentIPs removes IP CRs and OVN LSPs that belong to
+// this VM but are not part of the current pod's networks. This handles
+// the stop→patch NAD→start workflow where the old pod deletion was
+// processed before the NAD change, leaving stale attachment resources.
+func (c *Controller) cleanStaleVMAttachmentIPs(pod *v1.Pod, podName string) {
+	podKey := fmt.Sprintf("%s/%s", pod.Namespace, podName)
+
+	// List existing LSPs first (cheap OVN query) to bail out early if none exist
+	ports, err := c.OVNNbClient.ListNormalLogicalSwitchPorts(true, map[string]string{"pod": podKey})
+	if err != nil {
+		klog.Errorf("failed to list lsps of vm %s for stale cleanup: %v", podKey, err)
+		return
+	}
+	if len(ports) == 0 {
+		return
+	}
+
+	// Build current port names from the pod's full network list
+	podNets, err := c.getPodKubeovnNets(pod)
+	if err != nil {
+		klog.Errorf("failed to get kube-ovn nets of pod %s for stale cleanup: %v", podKey, err)
+		return
+	}
+	currentPorts := make(map[string]bool, len(podNets)+1)
+	for _, podNet := range podNets {
+		currentPorts[ovs.PodNameToPortName(podName, pod.Namespace, podNet.ProviderName)] = true
+	}
+	currentPorts[ovs.PodNameToPortName(podName, pod.Namespace, util.OvnProvider)] = true
+
+	for _, port := range ports {
+		if currentPorts[port.Name] {
+			continue
+		}
+		klog.Infof("cleaning stale vm attachment lsp %s (not in current pod networks)", port.Name)
+		if err := c.OVNNbClient.DeleteLogicalSwitchPort(port.Name); err != nil {
+			klog.Errorf("failed to delete stale lsp %s, skipping IP cleanup to avoid inconsistency: %v", port.Name, err)
+			continue
+		}
+
+		ipCR, err := c.ipsLister.Get(port.Name)
+		if err != nil {
+			if !k8serrors.IsNotFound(err) {
+				klog.Errorf("failed to get ip %s: %v", port.Name, err)
+			}
+			continue
+		}
+		if ipCR.Labels[util.IPReservedLabel] != "true" {
+			klog.Infof("deleting stale vm attachment ip CR %s", ipCR.Name)
+			if err := c.config.KubeOvnClient.KubeovnV1().IPs().Delete(context.Background(), ipCR.Name, metav1.DeleteOptions{}); err != nil {
+				if !k8serrors.IsNotFound(err) {
+					klog.Errorf("failed to delete ip %s: %v", ipCR.Name, err)
+				}
+			}
+			if subnetName := ipCR.Spec.Subnet; subnetName != "" {
+				c.ipam.ReleaseAddressByNic(podKey, port.Name, subnetName)
+				c.updateSubnetStatusQueue.Add(subnetName)
+			}
+		}
+	}
+}
+
 func isVMPod(pod *v1.Pod) (bool, string) {
 	for _, owner := range pod.OwnerReferences {
 		// The name of vmi is consistent with vm's name.

test/e2e/framework/virtual-machine.go

@@ -9,6 +9,8 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
 	k8sframework "k8s.io/kubernetes/test/e2e/framework"
 	v1 "kubevirt.io/api/core/v1"
 	"kubevirt.io/client-go/kubecli"
@@ -176,6 +178,46 @@ func (c *VMClient) WaitToDisappear(name string, _, timeout time.Duration) error
 	return nil
 }
 
+// Patch patches the vm with the given patch data, retrying on transient API errors.
+func (c *VMClient) Patch(name string, patchType types.PatchType, data []byte) *v1.VirtualMachine {
+	ginkgo.GinkgoHelper()
+	var patchedVM *v1.VirtualMachine
+	err := wait.PollUntilContextTimeout(context.Background(), poll, timeout, true, func(ctx context.Context) (bool, error) {
+		vm, err := c.VirtualMachineInterface.Patch(ctx, name, patchType, data, metav1.PatchOptions{})
+		if err != nil {
+			return handleWaitingAPIError(err, false, "patch vm %q", name)
+		}
+		patchedVM = vm
+		return true, nil
+	})
+	ExpectNoError(err, "failed to patch vm %s", name)
+	return patchedVM.DeepCopy()
+}
+
+// MakeVMWithMultusNetwork creates a VM with an additional multus secondary network using bridge binding.
+func MakeVMWithMultusNetwork(name, image, size string, runStrategy *v1.VirtualMachineRunStrategy, multusNetworkName string) *v1.VirtualMachine {
+	vm := MakeVM(name, image, size, runStrategy)
+	vm.Spec.Template.Spec.Domain.Devices.Interfaces = append(
+		vm.Spec.Template.Spec.Domain.Devices.Interfaces,
+		v1.Interface{
+			Name:                   "multus-net",
+			InterfaceBindingMethod: v1.InterfaceBindingMethod{Bridge: &v1.InterfaceBridge{}},
+		},
+	)
+	vm.Spec.Template.Spec.Networks = append(
+		vm.Spec.Template.Spec.Networks,
+		v1.Network{
+			Name: "multus-net",
+			NetworkSource: v1.NetworkSource{
+				Multus: &v1.MultusNetwork{
+					NetworkName: multusNetworkName,
+				},
+			},
+		},
+	)
+	return vm
+}
+
 func MakeVM(name, image, size string, runStrategy *v1.VirtualMachineRunStrategy) *v1.VirtualMachine {
 	vm := &v1.VirtualMachine{
 		ObjectMeta: metav1.ObjectMeta{