[PMREQ-810]: L2 support phase 1: Add Network CRD and RBAC for L2 VM mobility#4719

Draft
fasaxc wants to merge 5 commits into tigera:master from fasaxc:l2-prod

@fasaxc fasaxc commented Apr 20, 2026

Member

Summary

Unblocks the WIP calico-private branch wt-l2-prod-cni (PMREQ-810 L2 VM mobility) by:

  • Bundling the new projectcalico.org/v3.Network CRD into the enterprise CRD imports tree.
  • Granting each Calico component the minimum RBAC verbs it needs for the new resource.

Verb matrix added:

| Component | Verbs | File |
|---|---|---|
| calico-node (Felix) | get/list/watch | pkg/render/node.go |
| calico-cni-plugin | get | pkg/render/node.go |
| calico-typha | get/list/watch | pkg/render/typha.go |
| calico-apiserver | full CRUD | pkg/render/apiserver.go |
| non-cluster-host Felix | get/list/watch | pkg/render/nonclusterhost/nonclusterhost.go |

calico-kube-controllers is intentionally left out: the finalizer controller is Phase 2 per the design.

Caveat — draft until calico-private lands

config/enterprise_versions.yml is temporarily pointed at the wt-l2-prod-cni branch so make fetch-enterprise-crds finds the new CRD. Reset to master once wt-l2-prod-cni merges into tigera/calico-private:master. Keeping this as a draft PR until then.

Test plan

  • make format-check
  • make static-checks
  • make test-crds (validates the bundled CRD serialises)
  • make ut UT_DIR=./pkg/render focused on Node / Typha / API server / nonclusterhost suites — all pass
  • Reset enterprise_versions.yml back to master once wt-l2-prod-cni merges
  • Smoke test against a kind cluster (operator installs the new CRD and Felix/CNI/typha start cleanly)

Related

  • Design: tigera/designs/2026/PMREQ-810-L2_VM_Mobility/
  • Calico-private branch: wt-l2-prod-cni (already includes the operator-SA update RBAC for the CRD in manifests/ocp/02-role-tigera-operator.yaml)
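
Added illustration, not code from this PR or from the operator's pkg/render package: the verb matrix in the description above expressed as a least-privilege check over rendered RBAC rules, including the `*` wildcard case. The `PolicyRule` struct, the API group string, the `networks` plural and the expansion of "full CRUD" are assumptions, and the sample rule in `main` is constructed.

```go
package main

import "fmt"
import "sort"

// PolicyRule mirrors the rbac/v1 PolicyRule fields this check reads.
type PolicyRule struct{ APIGroups, Resources, Verbs []string }

// Assumed names: the PR text does not show the group or plural used in the rules.
const group, resource = "projectcalico.org", "networks"
var readOnly = []string{"get", "list", "watch"}

// allowed is the PR's verb matrix; the expansion of "full CRUD" is an assumption.
var allowed = map[string][]string{
	"calico-node":            readOnly,
	"calico-cni-plugin":      {"get"},
	"calico-typha":           readOnly,
	"calico-apiserver":       {"create", "get", "list", "watch", "update", "patch", "delete"},
	"non-cluster-host Felix": readOnly,
}

// has reports whether list names want, honouring the RBAC "*" wildcard.
func has(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// ExcessVerbs returns, sorted, the verbs rules grant on Network beyond the matrix.
func ExcessVerbs(component string, rules []PolicyRule) []string {
	seen, out := map[string]bool{}, []string{}
	for _, r := range rules {
		reaches := has(r.APIGroups, group) && has(r.Resources, resource)
		for _, v := range r.Verbs {
			if reaches && !seen[v] && (v == "*" || !has(allowed[component], v)) {
				seen[v] = true
				out = append(out, v)
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	cni := []PolicyRule{{[]string{group}, []string{resource}, []string{"get", "list", "watch"}}}
	fmt.Println(ExcessVerbs("calico-cni-plugin", cni)) // [list watch]
}
```

A component with no row in the matrix, such as calico-kube-controllers in this phase, has every verb on the resource reported as excess.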

@marvin-tigera marvin-tigera added this to the v1.43.0 milestone Apr 20, 2026
@fasaxc fasaxc changed the title PMREQ-810: Add Network CRD and RBAC for L2 VM mobility [PMREQ-810]: L2 support phase 1: Add Network CRD and RBAC for L2 VM mobility Apr 22, 2026
@fasaxc fasaxc force-pushed the l2-prod branch 2 times, most recently from b3a971b to acb2e66 May 1, 2026 10:04

Master already carries the Network resource (added with the VRF
work) and the matching RBAC for calico-node, calico-cni-plugin,
calico-typha, calico-apiserver, and non-cluster-host Felix.  This
commit adds the L2 Bridge spec fields by refreshing the enterprise
CRD bundle from the calico-private wt-l2-prod-cni branch, which
has been rebased onto master so it carries both spec.vrf and
spec.l2Bridge.

config/enterprise_versions.yml is temporarily pointed at the
wt-l2-prod-cni branch.  Reset to "master" once wt-l2-prod-cni
merges into calico-private master.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@radTuti radTuti modified the milestones: v1.43.0, v1.44.0 Jun 12, 2026
fasaxc and others added 4 commits June 22, 2026 12:27

Refreshes pkg/imports/crds/enterprise from the monorepo phase-1e branch.
Adds IPPool L2Workload allowedUse (enum + CEL validation rules), L2 bridge
Network CRD fields, WAF/applicationlayer CRDs, and felix/kube-controllers
config additions. Fixes API-server rejection of IPPools with allowedUses:
[L2Workload].

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Updates the Network CRD (v1 + v3) from the calico-private
wt-l2-prod-cni worktree after its latest sync with master.
ECK bundle and other CRDs are unchanged (worktree's master sync
already matches operator master).

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>