MGMT-21694: Request for 3rd Party CNI or NO CNI option for Assisted Installer #8594
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@rivkyrizel: This pull request references MGMT-21694 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Important Review skippedAuto reviews are limited based on label configuration. 🚫 Excluded labels (none allowed) (1)
Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the ✨ Finishing touches🧪 Generate unit tests (beta)
Comment |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
openshift-ci
bot
added
the
size/L
rivkyrizel
force-pushed
the
MGMT-21694
branch
from
c5a8f28 to
364fe03
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: rivkyrizel The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
rivkyrizel
force-pushed
the
MGMT-21694
branch
from
364fe03 to
6f00f68
Compare
|
|
||
| Enterprise customers often require certified third-party CNIs for regulatory compliance, existing infrastructure integration, or advanced networking capabilities. Currently, these customers must install with OVN-K and then manually replace it post-installation—an unsupported, error-prone process that increases deployment time and complexity. | ||
|
|
||
| OpenShift supports multiple certified CNI providers through its certification program. IPI and UPI installation methods already enable these CNIs through documented procedures (see [Installing a cluster on bare metal with network customizations](https://docs.openshift.com/container-platform/latest/installing/installing_bare_metal/installing-bare-metal-network-customizations.html) and individual CNI vendor documentation). Assisted Installer should provide the same flexibility, allowing customers to benefit from simplified deployment workflows while using their required networking solution. |
There was a problem hiding this comment.
The link is not working - I didn't find this section
There was a problem hiding this comment.
I wasn’t able to locate the installation instructions for OCP with UPI/IPI, so I’ve removed the link from the document for now.
|
|
||
| #### API Changes | ||
|
|
||
| Extend the cluster creation API to accept CNI selection through a new `network_type` field in `ClusterCreateParams`. The field will support the following values: |
There was a problem hiding this comment.
network_type is not a new field. We will extend the options
| - Third-party CNIs require `user_managed_networking: true` (cluster-managed networking supports OVN-K and OpenShiftSDN only) | ||
| - API validates CNI against support matrix (platform, OCP version, topology) | ||
| - Returns HTTP 400 with descriptive error for unsupported combinations | ||
| - `network_type: None` requires custom manifests to be uploaded via the manifests API |
There was a problem hiding this comment.
Does only network_type: none require a custom manifest or also Calicoand others?
| Add new validation that blocks installation if a third-party CNI is selected but no custom manifests have been uploaded. The validation will check for the presence of manifests and display an error message directing users to upload CNI manifests before proceeding. | ||
|
|
||
| **Manifest Generation:** | ||
| Modify install-config generation to skip OVN-K-specific configuration when a third-party CNI is selected. The CNI will be configured via custom manifests provided by the user through the existing manifests API. |
There was a problem hiding this comment.
Please add the mapping between the network_type enum and the value in the install-config
| Basic validation will be performed on uploaded manifests to ensure they are valid YAML/JSON and contain Kubernetes resource definitions. However, CNI-specific semantic validation (e.g., verifying Cilium operator configuration) is out of scope. Invalid manifests will cause installation failures during cluster bootstrapping, which is acceptable as users are responsible for providing correct CNI configurations. | ||
|
|
||
| **Feature Support Levels:** | ||
| Update the feature support levels API to expose CNI support per platform and OCP version, enabling the UI to dynamically show or hide CNI options based on cluster configuration. |
There was a problem hiding this comment.
@eliorerz, please review. I'm not sure we need this if we have a new network Provider Abstraction
| ## Drawbacks | ||
|
|
||
| **Increased Complexity** | ||
| Supporting multiple CNIs increases the testing matrix, documentation scope, and potential support burden. |
There was a problem hiding this comment.
Also, we will need to maintain CNI versions and test only the latest certified CNI version
|
|
||
| ## Summary | ||
|
|
||
| Assisted Installer currently enforces OVN-Kubernetes (OVN-K) as the only supported Container Network Interface (CNI) for all cluster installations. This enhancement enables first-class support for Red Hat certified third-party CNI plugins, allowing customers to install OpenShift clusters with Cisco ACI, Isovalent Cilium, or Tigera Calico without post-installation workarounds. |
There was a problem hiding this comment.
If the users are required to create and upload the custom manifests for the CNI themselves, I wouldn't call it first-class support.
This is supported today, via install-config override. The support this enhancement is proposing is that now users can set the networkType field directly from the API.
| - Tigera Calico (Calico Core) | ||
| - Validate CNI compatibility with platform, OCP version, and cluster topology | ||
| - Provide clear guidance and documentation links for CNI-specific configuration | ||
| - Support both REST API and Kube-API modes (InfraEnv/Agent CRs) |
There was a problem hiding this comment.
This configuration belongs in the AgentClusterInstall CR and not in the infraEnv/Agent
|
|
||
| ### Goals | ||
|
|
||
| - Enable installation of OpenShift clusters without OVN-Kubernetes |
There was a problem hiding this comment.
I don't think we can complete the installation without a CNI
| - `CiscoACI` | ||
| - `Cilium` | ||
| - `Calico` | ||
| - `None` (no CNI installed, user must provide manifests) |
There was a problem hiding this comment.
The user will need to provide manifests for all of these
| Assisted Installer will not manage specific CNI versions (e.g., Cilium 1.17 vs 1.18). The CNI version is determined by the manifests provided by the user. Assisted Installer only validates that the selected CNI type is compatible with the OCP version and platform. Users obtain version-specific manifests from CNI vendors and upload them via the custom manifests API. | ||
|
|
||
| Validation requirements: | ||
| - Third-party CNIs require `user_managed_networking: true` (cluster-managed networking supports OVN-K and OpenShiftSDN only) |
There was a problem hiding this comment.
I'm not sure why this is related.
cluster managed networking is relevant for the kube-api and ingress VIPs/DNS.
Why it's related to the CNI?
rivkyrizel
force-pushed
the
MGMT-21694
branch
from
6f00f68 to
36e2ac7
Compare
5 participants
Add enhancement proposal for third-party CNI support in Assisted Installer
List all the issues related to this PR
What environments does this code impact?
How was this code tested?
Checklist
docs, README, etc)Reviewers Checklist