Add generic IPvlan support with Alibaba HPN cloud provider

Introduce a configurable IPvlan driver that creates IPvlan slave
interfaces in the pod namespace while keeping the parent netdev on
the host. The implementation supports L2/L3/L3S modes, bridge/private/
vepa flags, and three addressing strategies (none, static,
parentIPv6PrefixPodIPv4).

Key changes:
- Expand IPVlanConfig API with mode, flag, addressing, and route/
  neighbor copy options
- Add IPvlan validation in the config validation pipeline
- Implement idempotent attach: detect existing target interface in
  pod netns on retry, tolerate EEXIST on address assignment
- Use deterministic temp names (parentName_iv) serialized by mutex
- Support user-configured routes with full Scope/Table/Source fields,
  sorted link-scope-first for gateway reachability
- Fail-fast on neighbor resolution errors instead of silently
  degrading connectivity
- Make route/neighbor copy from parent opt-in via config
- Decouple RDMA discovery from IPvlan config
- Add Alibaba Cloud provider that auto-detects HPN instances and
  generates the IPvlan preset for bond devices with global IPv6

Signed-off-by: Hongqi Yu <yuhongqi.yhq@alibaba-inc.com>

Author: Bowser1704

pkg/apis/constants.go

@@ -33,4 +33,9 @@ const (
 	// VRFTableOffset is the offset used for VRF routing tables to avoid ID collisions
 	// with reserved tables (0, 253, 254, 255) and to identify DRANET managed tables.
 	VRFTableOffset = 1000
+
+	// IPvlan addressing strategy constants.
+	IPVlanAddrNone                    = "none"
+	IPVlanAddrStatic                  = "static"
+	IPVlanAddrParentIPv6PrefixPodIPv4 = "parentIPv6PrefixPodIPv4"
 )

pkg/apis/types.go

@@ -86,6 +86,13 @@ type InterfaceConfig struct {
 	// If provided, the interface will be enslaved to a VRF device with this name.
 	// This enables grouping multiple network interfaces into the same VRF.
 	VRF *VRFConfig `json:"vrf,omitempty"`
+
+	// IPVlan, when set, instructs the driver to create an IPvlan slave interface
+	// from the parent netdev instead of moving the host netdev into the Pod's
+	// network namespace. The parent netdev remains in the host namespace.
+	// This is used for HPN (High-Performance Networking) fabrics where the
+	// parent netdev must retain its identity and address on the fabric.
+	IPVlan *IPVlanConfig `json:"ipvlan,omitempty"`
 }
 
 // VRFConfig represents the configuration for a Virtual Routing and Forwarding domain.
@@ -100,6 +107,32 @@ type VRFConfig struct {
 	Table *int `json:"table,omitempty"`
 }
 
+// IPVlanConfig specifies that the driver should create an IPvlan slave interface
+// rather than moving the host netdev into the Pod namespace.
+type IPVlanConfig struct {
+	// Mode is the kernel IPvlan mode: "l2" (default), "l3", or "l3s".
+	Mode string `json:"mode,omitempty"`
+	// Flag is the kernel IPvlan flag, only applicable in L2 mode:
+	// "bridge" (default for L2), "private", or "vepa".
+	Flag string `json:"flag,omitempty"`
+	// Addressing controls how IP addresses are assigned to the slave.
+	// When nil, defaults to IPVlanAddrParentIPv6PrefixPodIPv4 for backward compatibility.
+	Addressing *IPVlanAddressConfig `json:"addressing,omitempty"`
+	// CopyRoutesFromParent, when true, copies IPv6 routes from the parent
+	// interface into the pod namespace.
+	CopyRoutesFromParent *bool `json:"copyRoutesFromParent,omitempty"`
+	// CopyNeighborsFromParent, when true, pre-resolves gateway neighbors
+	// from the parent's NDP table into the pod namespace.
+	CopyNeighborsFromParent *bool `json:"copyNeighborsFromParent,omitempty"`
+}
+
+// IPVlanAddressConfig describes how IP addresses are assigned to an IPvlan slave.
+type IPVlanAddressConfig struct {
+	// Type controls the addressing strategy.
+	// Supported values: IPVlanAddrNone, IPVlanAddrStatic, IPVlanAddrParentIPv6PrefixPodIPv4.
+	Type string `json:"type"`
+}
+
 // RouteConfig represents a network route configuration.
 type RouteConfig struct {
 	// Destination is the target network in CIDR format (e.g., "0.0.0.0/0", "10.0.0.0/8").

pkg/apis/validation.go

@@ -181,6 +181,42 @@ func validateInterfaceConfig(cfg *InterfaceConfig, fieldPath string) (allErrors
 		allErrors = append(allErrors, validateVRFConfig(cfg.VRF, fieldPath+".vrf")...)
 	}
 
+	if cfg.IPVlan != nil {
+		allErrors = append(allErrors, validateIPVlanConfig(cfg.IPVlan, cfg, fieldPath+".ipvlan")...)
+	}
+
+	return allErrors
+}
+
+func validateIPVlanConfig(cfg *IPVlanConfig, iface *InterfaceConfig, fieldPath string) (allErrors []error) {
+	validModes := map[string]bool{"": true, "l2": true, "l3": true, "l3s": true}
+	if !validModes[cfg.Mode] {
+		allErrors = append(allErrors, fmt.Errorf("%s.mode: unsupported value %q, must be one of: l2, l3, l3s", fieldPath, cfg.Mode))
+	}
+
+	effectiveMode := cfg.Mode
+	if effectiveMode == "" {
+		effectiveMode = "l2"
+	}
+
+	validFlags := map[string]bool{"": true, "bridge": true, "private": true, "vepa": true}
+	if !validFlags[cfg.Flag] {
+		allErrors = append(allErrors, fmt.Errorf("%s.flag: unsupported value %q, must be one of: bridge, private, vepa", fieldPath, cfg.Flag))
+	}
+	if cfg.Flag != "" && effectiveMode != "l2" {
+		allErrors = append(allErrors, fmt.Errorf("%s.flag: only valid in l2 mode, got mode=%q", fieldPath, effectiveMode))
+	}
+
+	if cfg.Addressing != nil {
+		validTypes := map[string]bool{IPVlanAddrNone: true, IPVlanAddrStatic: true, IPVlanAddrParentIPv6PrefixPodIPv4: true}
+		if !validTypes[cfg.Addressing.Type] {
+			allErrors = append(allErrors, fmt.Errorf("%s.addressing.type: unsupported value %q, must be one of: %s, %s, %s", fieldPath, cfg.Addressing.Type, IPVlanAddrNone, IPVlanAddrStatic, IPVlanAddrParentIPv6PrefixPodIPv4))
+		}
+		if cfg.Addressing.Type == IPVlanAddrStatic && len(iface.Addresses) == 0 {
+			allErrors = append(allErrors, fmt.Errorf("%s.addressing.type=static requires interface.addresses to be set", fieldPath))
+		}
+	}
+
 	return allErrors
 }
 
@@ -300,7 +336,8 @@ func ValidateRDMAOnlyConfig(raw *runtime.RawExtension) []error {
 		config.Interface.MTU != nil || config.Interface.HardwareAddr != nil ||
 		config.Interface.DHCP != nil || config.Interface.GSOMaxSize != nil ||
 		config.Interface.GROMaxSize != nil || config.Interface.GSOIPv4MaxSize != nil ||
-		config.Interface.GROIPv4MaxSize != nil || config.Interface.DisableEBPFPrograms != nil {
+		config.Interface.GROIPv4MaxSize != nil || config.Interface.DisableEBPFPrograms != nil ||
+		config.Interface.IPVlan != nil {
 		allErrors = append(allErrors, fmt.Errorf("interface configuration is not supported for RDMA-only devices (no network interface present)"))
 	}
 	if len(config.Routes) > 0 {

pkg/apis/validation_test.go

@@ -567,3 +567,110 @@ func TestValidateNeighborConfig(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateIPVlanConfig(t *testing.T) {
+	tests := []struct {
+		name      string
+		cfg       *IPVlanConfig
+		iface     *InterfaceConfig
+		expectErr bool
+		errCount  int
+	}{
+		{
+			name:  "valid l2 bridge with parentIPv6PrefixPodIPv4",
+			cfg:   &IPVlanConfig{Mode: "l2", Flag: "bridge", Addressing: &IPVlanAddressConfig{Type: IPVlanAddrParentIPv6PrefixPodIPv4}},
+			iface: &InterfaceConfig{},
+		},
+		{
+			name:  "valid l3 with none addressing",
+			cfg:   &IPVlanConfig{Mode: "l3", Addressing: &IPVlanAddressConfig{Type: IPVlanAddrNone}},
+			iface: &InterfaceConfig{},
+		},
+		{
+			name:  "valid l3s with none addressing",
+			cfg:   &IPVlanConfig{Mode: "l3s", Addressing: &IPVlanAddressConfig{Type: IPVlanAddrNone}},
+			iface: &InterfaceConfig{},
+		},
+		{
+			name:  "valid empty mode defaults to l2",
+			cfg:   &IPVlanConfig{},
+			iface: &InterfaceConfig{},
+		},
+		{
+			name:  "valid static with addresses",
+			cfg:   &IPVlanConfig{Mode: "l2", Addressing: &IPVlanAddressConfig{Type: IPVlanAddrStatic}},
+			iface: &InterfaceConfig{Addresses: []string{"10.0.0.1/24"}},
+		},
+		{
+			name:      "invalid mode",
+			cfg:       &IPVlanConfig{Mode: "ipv6"},
+			iface:     &InterfaceConfig{},
+			expectErr: true,
+			errCount:  1,
+		},
+		{
+			name:      "invalid flag",
+			cfg:       &IPVlanConfig{Flag: "unknown"},
+			iface:     &InterfaceConfig{},
+			expectErr: true,
+			errCount:  1,
+		},
+		{
+			name:      "flag on l3 mode",
+			cfg:       &IPVlanConfig{Mode: "l3", Flag: "bridge"},
+			iface:     &InterfaceConfig{},
+			expectErr: true,
+			errCount:  1,
+		},
+		{
+			name:      "static without addresses",
+			cfg:       &IPVlanConfig{Addressing: &IPVlanAddressConfig{Type: IPVlanAddrStatic}},
+			iface:     &InterfaceConfig{},
+			expectErr: true,
+			errCount:  1,
+		},
+		{
+			name:      "unknown addressing type",
+			cfg:       &IPVlanConfig{Addressing: &IPVlanAddressConfig{Type: "unknown"}},
+			iface:     &InterfaceConfig{},
+			expectErr: true,
+			errCount:  1,
+		},
+		{
+			name:      "multiple errors: invalid mode + invalid flag + flag on non-l2",
+			cfg:       &IPVlanConfig{Mode: "bad", Flag: "also-bad"},
+			iface:     &InterfaceConfig{},
+			expectErr: true,
+			errCount:  3,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			errs := validateIPVlanConfig(tt.cfg, tt.iface, "interface.ipvlan")
+			if (len(errs) > 0) != tt.expectErr {
+				t.Errorf("validateIPVlanConfig() got errors: %v, want error=%v", errs, tt.expectErr)
+			}
+			if tt.expectErr && len(errs) != tt.errCount {
+				t.Errorf("validateIPVlanConfig() got %d errors (%v), want %d", len(errs), errs, tt.errCount)
+			}
+		})
+	}
+}
+
+func TestValidateRDMAOnlyConfig_RejectsIPVlan(t *testing.T) {
+	raw := newRawExtensionFromString(t, `{"interface":{"ipvlan":{"mode":"l2"}}}`)
+	errs := ValidateRDMAOnlyConfig(raw)
+	if len(errs) == 0 {
+		t.Fatal("expected error for IPvlan on RDMA-only device, got none")
+	}
+	found := false
+	for _, e := range errs {
+		if strings.Contains(e.Error(), "interface configuration is not supported for RDMA-only devices") {
+			found = true
+		}
+	}
+	if !found {
+		t.Errorf("expected 'interface configuration is not supported' error, got: %v", errs)
+	}
+}