feat: Add MetalLB configuration for LoadBalancer service exposure

Author: linoyaslan

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.24 AS builder
+FROM golang:1.25 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 

api/v1alpha1/dpfhcpprovisioner_types.go

@@ -105,6 +105,7 @@ type DPFHCPProvisionerSpec struct {
 	// Must be a routable IP in the management cluster network
 	// This field is immutable.
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="virtualIP is immutable"
+	// +kubebuilder:validation:XValidation:rule="self == '' || isIP(self)",message="virtualIP must be a valid IP address"
 	// +immutable
 	// +optional
 	VirtualIP string `json:"virtualIP,omitempty"`
@@ -194,6 +195,10 @@ const (
 
 	// DPUClusterInUse indicates whether the DPUCluster is already in use by another DPFHCPProvisioner.
 	DPUClusterInUse string = "DPUClusterInUse"
+
+	// MetalLBConfigured indicates whether MetalLB resources (IPAddressPool and L2Advertisement)
+	// have been successfully created and are in sync with the DPFHCPProvisioner spec.
+	MetalLBConfigured string = "MetalLBConfigured"
 )
 
 // Condition reasons for DPFHCPProvisioner Ready status.

cmd/main.go

@@ -40,13 +40,16 @@ import (
 	dpuprovisioningv1alpha1 "github.com/nvidia/doca-platform/api/provisioning/v1alpha1"
 	hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
 	provisioningv1alpha1 "github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/api/v1alpha1"
+	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/common"
 	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller"
 	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/bluefield"
 	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/dpucluster"
 	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/finalizer"
 	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/hostedcluster"
 	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/kubeconfiginjection"
+	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/metallb"
 	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/secrets"
+	metallbv1beta1 "go.universe.tf/metallb/api/v1beta1"
 	// +kubebuilder:scaffold:imports
 )
 
@@ -61,6 +64,7 @@ func init() {
 	utilruntime.Must(provisioningv1alpha1.AddToScheme(scheme))
 	utilruntime.Must(dpuprovisioningv1alpha1.AddToScheme(scheme))
 	utilruntime.Must(hyperv1.AddToScheme(scheme))
+	utilruntime.Must(metallbv1beta1.AddToScheme(scheme))
 	// +kubebuilder:scaffold:scheme
 }
 
@@ -212,48 +216,60 @@ func main() {
 		os.Exit(1)
 	}
 
+	client := mgr.GetClient()
+	recorder := mgr.GetEventRecorderFor(common.ControllerName)
+	scheme := mgr.GetScheme()
+
 	// Initialize BlueField Image Resolver
-	imageResolver := bluefield.NewImageResolver(mgr.GetClient(), mgr.GetEventRecorderFor("dpfhcpprovisioner-controller"))
+	imageResolver := bluefield.NewImageResolver(client, recorder)
 
 	// Initialize DPUCluster Validator
-	dpuClusterValidator := dpucluster.NewValidator(mgr.GetClient(), mgr.GetEventRecorderFor("dpfhcpprovisioner-controller"))
+	dpuClusterValidator := dpucluster.NewValidator(client, recorder)
 
 	// Initialize Secrets Validator
-	secretsValidator := secrets.NewValidator(mgr.GetClient(), mgr.GetEventRecorderFor("dpfhcpprovisioner-controller"))
+	secretsValidator := secrets.NewValidator(client, recorder)
 
 	// Initialize Secret Manager for HostedCluster lifecycle
-	secretManager := hostedcluster.NewSecretManager(mgr.GetClient(), mgr.GetScheme())
+	secretManager := hostedcluster.NewSecretManager(client, scheme)
 
 	// Initialize HostedCluster Manager
-	hostedClusterManager := hostedcluster.NewHostedClusterManager(mgr.GetClient(), mgr.GetScheme())
+	hostedClusterManager := hostedcluster.NewHostedClusterManager(client, scheme)
 
 	// Initialize NodePool Manager
-	nodePoolManager := hostedcluster.NewNodePoolManager(mgr.GetClient(), mgr.GetScheme())
+	nodePoolManager := hostedcluster.NewNodePoolManager(client, scheme)
 
 	// Initialize Kubeconfig Injector
-	kubeconfigInjector := kubeconfiginjection.NewKubeconfigInjector(mgr.GetClient(), mgr.GetEventRecorderFor("dpfhcpprovisioner-controller"))
+	kubeconfigInjector := kubeconfiginjection.NewKubeconfigInjector(client, recorder)
+
+	// Initialize MetalLB Manager
+	metalLBManager := metallb.NewMetalLBManager(client, recorder)
 
 	// Initialize Finalizer Manager with pluggable cleanup handlers
 	// Handlers are executed in registration order
-	finalizerManager := finalizer.NewManager(mgr.GetClient(), mgr.GetEventRecorderFor("dpfhcpprovisioner-controller"))
+	finalizerManager := finalizer.NewManager(client, recorder)
 
-	// Register cleanup handlers in order (dependent resources first)
+	// Register cleanup handlers in order (dependent resources first, dependencies last)
 	// 1. Kubeconfig injection cleanup (removes kubeconfig from DPUCluster namespace)
-	finalizerManager.RegisterHandler(kubeconfiginjection.NewCleanupHandler(mgr.GetClient(), mgr.GetEventRecorderFor("dpfhcpprovisioner-controller")))
-	// 2. HostedCluster cleanup (removes HostedCluster, NodePool, and secrets)
-	finalizerManager.RegisterHandler(hostedcluster.NewCleanupHandler(mgr.GetClient(), mgr.GetEventRecorderFor("dpfhcpprovisioner-controller")))
+	finalizerManager.RegisterHandler(kubeconfiginjection.NewCleanupHandler(client, recorder))
+	// 2. HostedCluster cleanup (removes HostedCluster, NodePool, services, and secrets)
+	//    Must run before MetalLB cleanup because LoadBalancer services depend on IPAddressPool
+	finalizerManager.RegisterHandler(hostedcluster.NewCleanupHandler(client, recorder))
+	// 3. MetalLB cleanup (removes IPAddressPool and L2Advertisement)
+	//    Must run after HostedCluster cleanup to avoid deleting IPs while services still exist
+	finalizerManager.RegisterHandler(metallb.NewCleanupHandler(client, recorder))
 
 	// Initialize Status Syncer for HostedCluster status mirroring
-	statusSyncer := hostedcluster.NewStatusSyncer(mgr.GetClient())
+	statusSyncer := hostedcluster.NewStatusSyncer(client)
 
 	if err := (&controller.DPFHCPProvisionerReconciler{
-		Client:               mgr.GetClient(),
-		Scheme:               mgr.GetScheme(),
-		Recorder:             mgr.GetEventRecorderFor("dpfhcpprovisioner-controller"),
+		Client:               client,
+		Scheme:               scheme,
+		Recorder:             recorder,
 		ImageResolver:        imageResolver,
 		DPUClusterValidator:  dpuClusterValidator,
 		SecretsValidator:     secretsValidator,
 		SecretManager:        secretManager,
+		MetalLBManager:       metalLBManager,
 		HostedClusterManager: hostedClusterManager,
 		NodePoolManager:      nodePoolManager,
 		FinalizerManager:     finalizerManager,

config/crd/bases/provisioning.dpu.hcp.io_dpfhcpprovisioners.yaml

@@ -178,6 +178,8 @@ spec:
                 x-kubernetes-validations:
                 - message: virtualIP is immutable
                   rule: self == oldSelf
+                - message: virtualIP must be a valid IP address
+                  rule: self == '' || isIP(self)
             required:
             - baseDomain
             - dpuClusterRef

config/rbac/role.yaml

@@ -73,6 +73,19 @@ rules:
   - nodepools/status
   verbs:
   - get
+- apiGroups:
+  - metallb.io
+  resources:
+  - ipaddresspools
+  - l2advertisements
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - provisioning.dpu.hcp.io
   resources:

go.mod

@@ -1,20 +1,19 @@
 module github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator
 
-go 1.24.4
-
-toolchain go1.24.11
+go 1.25
 
 require (
 	github.com/nvidia/doca-platform v0.0.0-20251115082520-81369e955c6c
 	github.com/onsi/ginkgo/v2 v2.27.2
 	github.com/onsi/gomega v1.38.2
 	github.com/openshift/hypershift v0.1.71
 	github.com/openshift/hypershift/api v0.0.0-20251229083354-c1d28e31a05d
+	go.universe.tf/metallb v0.15.3
 	k8s.io/api v0.34.2
 	k8s.io/apimachinery v0.34.2
 	k8s.io/client-go v0.34.2
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
-	sigs.k8s.io/controller-runtime v0.21.0
+	sigs.k8s.io/controller-runtime v0.22.3
 )
 
 require (

go.sum

@@ -189,6 +189,8 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+go.universe.tf/metallb v0.15.3 h1:jmTFharsaP9yBW0p/giOahfuVNTBIvwQqxx2eYxM6fc=
+go.universe.tf/metallb v0.15.3/go.mod h1:bvvGwZSz20f/PH1wn1D8GRHsNXXA6ZaYtxTAzyZsQAA=
 go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
@@ -278,8 +280,8 @@ k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8
 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.32.0 h1:XotDXzqvJ8Nx5eiZZueLpTuafJz8SiodgOemI+w87QU=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.32.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8=
-sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM=
+sigs.k8s.io/controller-runtime v0.22.3 h1:I7mfqz/a/WdmDCEnXmSPm8/b/yRTy6JsKKENTijTq8Y=
+sigs.k8s.io/controller-runtime v0.22.3/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=

helm/dpf-hcp-provisioner-operator/templates/clusterrole.yaml

@@ -134,3 +134,18 @@ rules:
   - nodepools/status
   verbs:
   - get
+
+# MetalLB permissions (for LoadBalancer service exposure)
+- apiGroups:
+  - metallb.io
+  resources:
+  - ipaddresspools
+  - l2advertisements
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch

internal/common/constants.go

@@ -21,4 +21,25 @@ const (
 	// DPFHCPProvisionerName is the resource kind name used in logs, metrics, events, etc.
 	// If the CR is renamed, update this constant once and it propagates everywhere.
 	DPFHCPProvisionerName = "dpfhcpprovisioner"
+
+	// ControllerName is the name used for event recorders
+	ControllerName = "dpfhcpprovisioner-controller"
+)
+
+// Label keys for cross-namespace resource ownership tracking
+const (
+	// LabelDPFHCPProvisionerName is the label key for the DPFHCPProvisioner name
+	// Used to track resources owned by a specific DPFHCPProvisioner across namespaces
+	LabelDPFHCPProvisionerName = "dpfhcpprovisioner.dpu.hcp.io/name"
+
+	// LabelDPFHCPProvisionerNamespace is the label key for the DPFHCPProvisioner namespace
+	// Used to track resources owned by a specific DPFHCPProvisioner across namespaces
+	LabelDPFHCPProvisionerNamespace = "dpfhcpprovisioner.dpu.hcp.io/namespace"
+)
+
+// Namespace constants
+const (
+	// OpenshiftOperatorsNamespace is the namespace for OpenShift operator resources
+	// Used for MetalLB resources and other operator-managed resources
+	OpenshiftOperatorsNamespace = "openshift-operators"
 )

internal/controller/dpfhcpprovisioner_controller.go

@@ -45,6 +45,7 @@ import (
 	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/finalizer"
 	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/hostedcluster"
 	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/kubeconfiginjection"
+	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/metallb"
 	"github.com/rh-ecosystem-edge/dpf-hcp-provisioner-operator/internal/controller/secrets"
 )
 
@@ -57,6 +58,7 @@ type DPFHCPProvisionerReconciler struct {
 	DPUClusterValidator  *dpucluster.Validator
 	SecretsValidator     *secrets.Validator
 	SecretManager        *hostedcluster.SecretManager
+	MetalLBManager       *metallb.MetalLBManager
 	HostedClusterManager *hostedcluster.HostedClusterManager
 	NodePoolManager      *hostedcluster.NodePoolManager
 	FinalizerManager     *finalizer.Manager
@@ -83,6 +85,8 @@ const (
 // +kubebuilder:rbac:groups=hypershift.openshift.io,resources=hostedclusters/status,verbs=get
 // +kubebuilder:rbac:groups=hypershift.openshift.io,resources=nodepools,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=hypershift.openshift.io,resources=nodepools/status,verbs=get
+// +kubebuilder:rbac:groups=metallb.io,resources=ipaddresspools,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=metallb.io,resources=l2advertisements,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -176,6 +180,16 @@ func (r *DPFHCPProvisionerReconciler) Reconcile(ctx context.Context, req ctrl.Re
 	// Recompute phase after validations to ensure HostedCluster creation only proceeds if all validations pass
 	r.updatePhaseFromConditions(&cr)
 
+	// Feature: MetalLB Configuration
+	// Configure MetalLB resources (IPAddressPool and L2Advertisement) when LoadBalancer exposure is needed
+	log.V(1).Info("Configuring MetalLB resources")
+	if result, err := r.MetalLBManager.ConfigureMetalLB(ctx, &cr); err != nil || result.Requeue || result.RequeueAfter > 0 {
+		if err != nil {
+			log.Error(err, "MetalLB configuration failed")
+		}
+		return result, err
+	}
+
 	// Feature: Copy Secrets to clusters namespace
 	// Only run during Pending phase (all validations must pass first)
 	// Note: We only check for Pending (not Failed) to prevent secret operations when validations fail
@@ -603,7 +617,24 @@ func conditionsEqual(oldConds, newConds []metav1.Condition) bool {
 func (r *DPFHCPProvisionerReconciler) computeReadyCondition(ctx context.Context, cr *provisioningv1alpha1.DPFHCPProvisioner) {
 	log := logf.FromContext(ctx)
 
-	// Requirement 1: HostedCluster must be available
+	// Requirement 1: MetalLB must be configured (if required)
+	// This is only required when exposing services through LoadBalancer
+	// Checked first because MetalLB configuration happens before HostedCluster creation
+	if cr.ShouldExposeThroughLoadBalancer() {
+		metalLBConfigured := meta.FindStatusCondition(cr.Status.Conditions, provisioningv1alpha1.MetalLBConfigured)
+		if metalLBConfigured == nil || metalLBConfigured.Status != metav1.ConditionTrue {
+			meta.SetStatusCondition(&cr.Status.Conditions, metav1.Condition{
+				Type:    provisioningv1alpha1.Ready,
+				Status:  metav1.ConditionFalse,
+				Reason:  "MetalLBNotConfigured",
+				Message: "Waiting for MetalLB configuration to complete",
+			})
+			log.V(1).Info("Not ready: MetalLB not configured")
+			return
+		}
+	}
+
+	// Requirement 2: HostedCluster must be available
 	// This is set by the StatusSyncer after mirroring HostedCluster status
 	hcAvailable := meta.FindStatusCondition(cr.Status.Conditions, provisioningv1alpha1.HostedClusterAvailable)
 	if hcAvailable == nil || hcAvailable.Status != metav1.ConditionTrue {
@@ -617,7 +648,7 @@ func (r *DPFHCPProvisionerReconciler) computeReadyCondition(ctx context.Context,
 		return
 	}
 
-	// Requirement 2: Kubeconfig must be injected
+	// Requirement 3: Kubeconfig must be injected
 	// This is set by the KubeconfigInjector after successful injection
 	kubeconfigInjected := meta.FindStatusCondition(cr.Status.Conditions, provisioningv1alpha1.KubeConfigInjected)
 	if kubeconfigInjected == nil || kubeconfigInjected.Status != metav1.ConditionTrue {