[DO NOT MERGE] Test: Revert "Remove dead OVN_MULTI_NETWORK_ENABLE template variable" #3032

Open
weliang1 wants to merge 3 commits into openshift:master from weliang1:revert-pr-2944-test

@weliang1 weliang1 commented Jun 18, 2026

Contributor

This reverts commit 411921c.

Summary by CodeRabbit

  • Bug Fixes
    • Multi-networking is now enabled by default, with support for explicit disabling via configuration.
    • Added multicast enablement to the rendered feature set, with behavior aligned across node modes.
    • In dpu-host mode, node startup now automatically disables incompatible feature flags (including egress-related and policy/segmentation features).
  • Documentation
    • Documented OVN_NODE_MODE and clarified which features are enabled/disabled per node mode.
  • Tests
    • Updated config rendering and bootstrap/test expectations to match the new multi-network, multicast, and dpu-host behavior.

coderabbitai Bot commented Jun 18, 2026

Walkthrough

OVN_MULTI_NETWORK_ENABLE is now set to true by default in the Go rendering logic. Configuration templates conditionally emit enable-multi-network=true based on this variable, and add enable-multicast=true unconditionally. The node startup script introduces per-node feature disabling via the OVN_NODE_MODE environment variable, particularly for DPU host mode, which gates egress features, multicast, and multi-external-gateway support. Control-plane manifests expand their feature-flag arguments to match. Tests are updated to reflect the new multicast default and remove obsolete DPU lease configuration validation.

Changes

OVN Multi-Network Default Enable with Per-Node Feature Gating

| Layer | File(s) | Summary |
| --- | --- | --- |
| Go rendering and multi-network default | pkg/network/ovn_kubernetes.go | OVN_MULTI_NETWORK_ENABLE is initialized to true by default and set to false only when conf.DisableMultiNetwork is true; OVN_MULTI_NETWORK_POLICY_ENABLE enablement is updated to require multi-network to be enabled. |
| Config templates with conditional multi-network and multicast | bindata/network/ovn-kubernetes/managed/004-config.yaml, bindata/network/ovn-kubernetes/self-hosted/004-config.yaml | enable-multi-network=true is conditionally rendered in managed and self-hosted ovnkube.conf templates based on OVN_MULTI_NETWORK_ENABLE; hostedcluster template refactors to explicit if/else but outputs enable-multi-network=true either way. enable-multicast=true is added to the [ovnkubernetesfeature] section across all variants. |
| Node startup script with OVN_NODE_MODE per-node feature gating | bindata/network/ovn-kubernetes/common/008-script-lib.yaml | The start-ovnkube-node script adds initialization of egress, multicast, multi-external-gateway, multi-network, and network-segmentation flags. DPU host mode (when OVN_NODE_MODE=dpu-host) disables egress, multicast, and multi-external-gateway features while clearing init_ovnkube_controller. Multi-network and network-segmentation flags are conditionally set based on OVN_NODE_MODE. The ovnkube command-line argument list is expanded to wire all feature flags including preconfigured UDN addresses, network connect, multi/admin network policy, and DNS name resolver enablement. |
| Control-plane feature flag expansion | bindata/network/ovn-kubernetes/managed/ovnkube-control-plane.yaml, bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml | Both managed and self-hosted ovnkube-control-plane manifests now initialize and conditionally pass additional feature-flag variables (DNS name resolver, multi-network, network segmentation, network connect, preconfigured UDN addresses) to /usr/bin/ovnkube. Multi-network and admin network policy conditionals are added. The exec argument list is expanded to include egress-related flags, multi-external-gateway, and all newly constructed toggles, replacing the prior narrower set. |
| Test fixtures and expected output updates | pkg/network/ovn_kubernetes_test.go | All test bootstrap fixtures remove explicit DpuNodeLeaseRenewInterval and DpuNodeLeaseDuration assignments. TestRenderedOVNKubernetesConfig expectations are updated to add enable-multicast=true to the [ovnkubernetesfeature] section for most scenarios; the DisableMultiNetwork + multi-network policies case omits this line. TestDpuLeaseConfig test and extractDaemonSetEnvVars helper are deleted. |
| Architecture and per-node configuration documentation | README.md, docs/architecture.md, docs/operands.md, docs/ovn_node_mode.md | README documents DPU host mode feature disabling. docs/architecture.md adds Per-Node Configuration section describing how OVN_NODE_MODE enables per-node gating. docs/operands.md explains node modes and startup script behavior. docs/ovn_node_mode.md expands significantly with behavior-by-mode specifications, manifest changes, implementation details (including OVN_NODE_MODE injection and script conditionals), feature-flag mapping tables, testing expectations, and migration notes describing the shift from ConfigMap-based to script-based enforcement. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • pperiyasamy
  • taanyas
  • tssurya

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 30.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (14 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the PR as a test revert of a previous commit about OVN_MULTI_NETWORK_ENABLE template variable removal. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | This repository uses standard Go testing (func Test...) with testing.T, not Ginkgo. No Ginkgo test definitions (It(), Describe(), Context(), etc.) exist in the codebase, so the check is not applica... |
| Test Structure And Quality | ✅ Passed | No Ginkgo tests found in PR. Modified files include YAML configs, standard Go unit tests (testing.T), and docs. Check is not applicable. |
| Microshift Test Compatibility | ✅ Passed | This PR contains no new Ginkgo e2e tests. It's a revert of a previous commit affecting OVN Kubernetes configuration, using only standard Go unit tests (not Ginkgo framework). The custom check is no... |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No new Ginkgo e2e tests are added in this PR. Changes are limited to YAML configurations, Go source code, and documentation. The only test modifications are in unit tests (pkg/network/ovn_kubernete... |
| Topology-Aware Scheduling Compatibility | ✅ Passed | This PR is a revert that does not introduce any NEW scheduling constraints. All existing manifests maintain their original topology configurations: self-hosted control-plane uses `node-role.kuberne... |
| Ote Binary Stdout Contract | ✅ Passed | This PR is for cluster-network-operator, which is not an OTE (OpenShift Tests Extension) binary. The check applies to OTE binaries that communicate with openshift-tests via JSON; this repository co... |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR does not add any Ginkgo e2e tests. It is a revert PR modifying YAML manifests, configuration, production code, unit tests (standard testing.T), and documentation only. |
| No-Weak-Crypto | ✅ Passed | No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or constant-time comparison issues found. Only SHA256 (secure) is used for config hashing. |
| Container-Privileges | ✅ Passed | The PR introduces no new privilege escalation issues. Only one hostNetwork: true setting found in self-hosted control-plane manifest - standard justified usage for network control components. |
| No-Sensitive-Data-In-Logs | ✅ Passed | No passwords, tokens, API keys, PII, session IDs, or sensitive credentials are being exposed in logs. Echo statements output only operational metadata (timestamps, node names). Secret file paths ar... |


@openshift-ci openshift-ci Bot requested review from bpickard22 and jcaamano June 18, 2026 00:16

openshift-ci Bot commented Jun 18, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: weliang1
Once this PR has been reviewed and has the lgtm label, please assign tssurya for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@bindata/network/ovn-kubernetes/common/008-script-lib.yaml`:
- Around line 607-616: The multi_network_enabled_flag variable is being
unconditionally overwritten on line 614 within the second condition block that
checks if OVN_NODE_MODE is not "dpu-host", which erases the conditional logic
from lines 609-611. Fix this by removing the incorrect assignment of
multi_network_enabled_flag on line 614 (it should only assign
network_segmentation_enabled_flag in that block). Additionally, the comment
indicates that neither the multi_network_enabled_flag nor
network_segmentation_enabled_flag variables are being included in the final
ovnkube command arguments, so add both flags to the exec args for the ovnkube
process to ensure the computed values are actually applied.

In `@bindata/network/ovn-kubernetes/managed/004-config.yaml`:
- Around line 43-45: The conditional logic for enable-multi-network is inverted,
causing the feature to be enabled when it should be disabled. In the template
section at lines 43-45 and the similar section at lines 133-138, remove the
`not` operator from the condition `{{- if not .OVN_MULTI_NETWORK_ENABLE }}` so
it becomes `{{- if .OVN_MULTI_NETWORK_ENABLE }}`. This ensures that
`enable-multi-network=true` is only rendered when the feature is actually
intended to be enabled, allowing DisableMultiNetwork to properly override the
setting.

In `@bindata/network/ovn-kubernetes/self-hosted/004-config.yaml`:
- Around line 49-51: The conditional logic is inverted in the template around
the enable-multi-network configuration. The current condition `{{- if not
.OVN_MULTI_NETWORK_ENABLE }}` causes enable-multi-network=true to be set only
when the feature flag is false, which breaks the intended behavior. Remove the
`not` operator from the if statement so that enable-multi-network=true is
applied when .OVN_MULTI_NETWORK_ENABLE is true.

In `@pkg/network/ovn_kubernetes_test.go`:
- Around line 714-753: The test case with desc "disabled multi-network" and
disableMultiNet set to true has a contradictory expected output that still
contains enable-multi-network=true in the ovnkubernetesfeature section. Change
the enable-multi-network value in the expected output from true to false for
this test case to align with the test's intent to validate the disabled
multi-network behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ac9a095e-2109-4eed-94ec-0325ebe1397d

📥 Commits

Reviewing files that changed from the base of the PR and between c376140 and ce08349.

📒 Files selected for processing (5)
  • bindata/network/ovn-kubernetes/common/008-script-lib.yaml
  • bindata/network/ovn-kubernetes/managed/004-config.yaml
  • bindata/network/ovn-kubernetes/self-hosted/004-config.yaml
  • pkg/network/ovn_kubernetes.go
  • pkg/network/ovn_kubernetes_test.go

Comment thread bindata/network/ovn-kubernetes/common/008-script-lib.yaml
Comment on lines +43 to +45
{{- if not .OVN_MULTI_NETWORK_ENABLE }}
enable-multi-network=true
{{- end }}

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

enable-multi-network rendering currently defeats the disable override

These template branches render enable-multi-network=true when .OVN_MULTI_NETWORK_ENABLE is false (and in hostedcluster, effectively in both branches), so DisableMultiNetwork=true does not actually disable the feature.

Suggested fix
-    {{- if not .OVN_MULTI_NETWORK_ENABLE }}
-    enable-multi-network=true
-    {{- end }}
+    enable-multi-network={{.OVN_MULTI_NETWORK_ENABLE}}
...
-{{- if .OVN_MULTI_NETWORK_ENABLE }}
-    enable-multi-network=true
-{{- end }}
-    {{- if not .OVN_MULTI_NETWORK_ENABLE }}
-    enable-multi-network=true
-    {{- end }}
+    enable-multi-network={{.OVN_MULTI_NETWORK_ENABLE}}
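
Review bot: The replacement line `enable-multi-network={{.OVN_MULTI_NETWORK_ENABLE}}` does more than fix the polarity. In both places this hunk touches, the disabled case now writes enable-multi-network=false instead of leaving the key out, and the second part also deletes the `{{- if .OVN_MULTI_NETWORK_ENABLE }}` branch, which already had the right polarity. The prompt text attached to this comment asks only for `not` to be removed, which keeps the key absent when disabled. Pick one form, say which, and make the expected output of the "disabled multi-network" test case match it.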

Also applies to: 133-138

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindata/network/ovn-kubernetes/managed/004-config.yaml` around lines 43 - 45,
The conditional logic for enable-multi-network is inverted, causing the feature
to be enabled when it should be disabled. In the template section at lines 43-45
and the similar section at lines 133-138, remove the `not` operator from the
condition `{{- if not .OVN_MULTI_NETWORK_ENABLE }}` so it becomes `{{- if
.OVN_MULTI_NETWORK_ENABLE }}`. This ensures that `enable-multi-network=true` is
only rendered when the feature is actually intended to be enabled, allowing
DisableMultiNetwork to properly override the setting.

Comment on lines +49 to +51
{{- if not .OVN_MULTI_NETWORK_ENABLE }}
enable-multi-network=true
{{- end }}

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Conditional is inverted for multi-network enablement

enable-multi-network=true is emitted only when .OVN_MULTI_NETWORK_ENABLE is false, which inverts the intended behavior and breaks DisableMultiNetwork.

Suggested fix
-    {{- if not .OVN_MULTI_NETWORK_ENABLE }}
-    enable-multi-network=true
-    {{- end }}
+    enable-multi-network={{.OVN_MULTI_NETWORK_ENABLE}}
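
Review bot: Emitting `{{.OVN_MULTI_NETWORK_ENABLE}}` directly on the added line makes the rendered config depend on the variable always being present and boolean in the template data. If the data is a map and the key is ever missing, text/template prints `<no value>` under its default settings, which would put a non-boolean into ovnkube.conf. The walkthrough says the Go renderer initializes the variable to true, so this holds today; a rendering test for the DisableMultiNetwork case that asserts the exact line would keep it that way.
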
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindata/network/ovn-kubernetes/self-hosted/004-config.yaml` around lines 49 -
51, The conditional logic is inverted in the template around the
enable-multi-network configuration. The current condition `{{- if not
.OVN_MULTI_NETWORK_ENABLE }}` causes enable-multi-network=true to be set only
when the feature flag is false, which breaks the intended behavior. Remove the
`not` operator from the if statement so that enable-multi-network=true is
applied when .OVN_MULTI_NETWORK_ENABLE is true.
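
The two template comments above describe a disable switch that fails open. As an added example (not code from this PR or from the operator), the Go program below renders the three template shapes discussed in the thread with both flag values and reports which ones honour the flag. The section layout, the helper names `render`, `multiNetworkEnabled` and `honoursFlag`, and the rule that an absent key means "off" are assumptions made for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Template shapes from the review thread. The surrounding section layout is
// constructed for this example; only the template expressions come from the PR.
const (
	invertedTmpl = `[ovnkubernetesfeature]
{{- if not .OVN_MULTI_NETWORK_ENABLE }}
enable-multi-network=true
{{- end }}
`
	conditionalTmpl = `[ovnkubernetesfeature]
{{- if .OVN_MULTI_NETWORK_ENABLE }}
enable-multi-network=true
{{- end }}
`
	inlineTmpl = `[ovnkubernetesfeature]
enable-multi-network={{.OVN_MULTI_NETWORK_ENABLE}}
`
)

// render executes tmpl over data. missingkey=error makes an unset variable a
// rendering failure instead of the literal "<no value>" in the output.
func render(tmpl string, data map[string]interface{}) (string, error) {
	t, err := template.New("cfg").Option("missingkey=error").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, data)
	return buf.String(), err
}

// multiNetworkEnabled reads enable-multi-network from rendered config.
// Assumption for this example: an absent key means the feature is off.
func multiNetworkEnabled(cfg string) bool {
	for _, line := range strings.Split(cfg, "\n") {
		kv := strings.SplitN(strings.TrimSpace(line), "=", 2)
		if len(kv) == 2 && strings.TrimSpace(kv[0]) == "enable-multi-network" {
			return strings.TrimSpace(kv[1]) == "true"
		}
	}
	return false
}

// honoursFlag reports whether the rendered setting follows the variable for
// both true and false, i.e. whether DisableMultiNetwork can take effect.
func honoursFlag(tmpl string) (bool, error) {
	for _, want := range []bool{true, false} {
		out, err := render(tmpl, map[string]interface{}{"OVN_MULTI_NETWORK_ENABLE": want})
		if err != nil {
			return false, err
		}
		if multiNetworkEnabled(out) != want {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	names := []string{"inverted", "conditional", "inline"}
	tmpls := []string{invertedTmpl, conditionalTmpl, inlineTmpl}
	for i, tmpl := range tmpls {
		ok, err := honoursFlag(tmpl)
		fmt.Printf("%-12s honours flag: %v (err: %v)\n", names[i], ok, err)
	}
}
```
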

Comment thread pkg/network/ovn_kubernetes_test.go Outdated

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@bindata/network/ovn-kubernetes/common/008-script-lib.yaml`:
- Around line 548-550: The enable_multicast_flag variable is conditionally
cleared for dpu-host mode (lines 563-565), but this control is bypassed because
line 769 unconditionally passes the --enable-multicast argument directly instead
of using the enable_multicast_flag variable. Fix this by replacing the hardcoded
--enable-multicast argument at line 769 with a reference to the
enable_multicast_flag variable, ensuring that the mode-specific disable for
dpu-host actually takes effect.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 14ef1f8a-1392-43c7-8ae2-5216cf1c1cb6

📥 Commits

Reviewing files that changed from the base of the PR and between ce08349 and a086a1e.

📒 Files selected for processing (10)
  • README.md
  • bindata/network/ovn-kubernetes/common/008-script-lib.yaml
  • bindata/network/ovn-kubernetes/managed/004-config.yaml
  • bindata/network/ovn-kubernetes/managed/ovnkube-control-plane.yaml
  • bindata/network/ovn-kubernetes/self-hosted/004-config.yaml
  • bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml
  • docs/architecture.md
  • docs/operands.md
  • docs/ovn_node_mode.md
  • pkg/network/ovn_kubernetes_test.go
✅ Files skipped from review due to trivial changes (4)
  • docs/operands.md
  • docs/architecture.md
  • README.md
  • docs/ovn_node_mode.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • bindata/network/ovn-kubernetes/self-hosted/004-config.yaml
  • bindata/network/ovn-kubernetes/managed/004-config.yaml

Comment on lines +548 to +550
# enable multicast
enable_multicast_flag="--enable-multicast"

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

DPU-host multicast disable is bypassed by an unconditional CLI arg.

enable_multicast_flag is cleared for dpu-host (Lines 563-565), but Line 769 still always passes --enable-multicast, so the mode-specific disable never takes effect.

Suggested fix
       exec /usr/bin/ovnkube \
         ${init_ovnkube_controller} \
         --init-node "${K8S_NODE}" \
@@
         ${dns_name_resolver_enabled_flag} \
         ${network_observability_enabled_flag} \
         ${enable_multicast_flag} \
         --zone ${K8S_NODE} \
         ${enable_interconnect_flag} \
-        --enable-multicast \
         --acl-logging-rate-limit "{{.OVNPolicyAuditRateLimit}}" \
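
Review bot: Dropping the hard-coded `--enable-multicast` line is right, but the walkthrough for this PR says enable-multicast=true is now written to the [ovnkubernetesfeature] section of every config variant, so on dpu-host an empty `${enable_multicast_flag}` may still leave multicast enabled through the config file. Confirm that omitting the CLI flag is enough to turn it off in that mode, and add a check of the rendered dpu-host arguments. Separately, `--zone ${K8S_NODE}` is unquoted while `--init-node "${K8S_NODE}"` is quoted; quote both.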

Also applies to: 563-565, 766-770

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindata/network/ovn-kubernetes/common/008-script-lib.yaml` around lines 548 -
550, The enable_multicast_flag variable is conditionally cleared for dpu-host
mode (lines 563-565), but this control is bypassed because line 769
unconditionally passes the --enable-multicast argument directly instead of using
the enable_multicast_flag variable. Fix this by replacing the hardcoded
--enable-multicast argument at line 769 with a reference to the
enable_multicast_flag variable, ensuring that the mode-specific disable for
dpu-host actually takes effect.

openshift-ci Bot commented Jun 18, 2026

Contributor

@weliang1: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw | a086a1e | link | true | /test e2e-metal-ipi-ovn-dualstack-bgp-local-gw |
| ci/prow/5.0-upgrade-from-stable-4.22-e2e-azure-ovn-upgrade | a086a1e | link | false | /test 5.0-upgrade-from-stable-4.22-e2e-azure-ovn-upgrade |
| ci/prow/e2e-aws-ovn-upgrade | a086a1e | link | true | /test e2e-aws-ovn-upgrade |
| ci/prow/unit | a086a1e | link | true | /test unit |
| ci/prow/5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade | a086a1e | link | false | /test 5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade |
| ci/prow/e2e-metal-ipi-ovn-dualstack-bgp | a086a1e | link | true | /test e2e-metal-ipi-ovn-dualstack-bgp |
| ci/prow/e2e-gcp-ovn | a086a1e | link | true | /test e2e-gcp-ovn |
| ci/prow/e2e-aws-ovn-upgrade-ipsec | a086a1e | link | true | /test e2e-aws-ovn-upgrade-ipsec |
| ci/prow/5.0-upgrade-from-stable-4.22-e2e-aws-ovn-upgrade | a086a1e | link | false | /test 5.0-upgrade-from-stable-4.22-e2e-aws-ovn-upgrade |
| ci/prow/e2e-ovn-ipsec-step-registry | a086a1e | link | true | /test e2e-ovn-ipsec-step-registry |
| ci/prow/e2e-aws-ovn-rhcos10-techpreview | a086a1e | link | false | /test e2e-aws-ovn-rhcos10-techpreview |
| ci/prow/e2e-gcp-ovn-upgrade | a086a1e | link | true | /test e2e-gcp-ovn-upgrade |
| ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec | a086a1e | link | true | /test e2e-metal-ipi-ovn-ipv6-ipsec |
| ci/prow/e2e-azure-ovn-upgrade | a086a1e | link | true | /test e2e-azure-ovn-upgrade |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
