Mellanox · killianmuldoon · Oct 27, 2025 · Oct 27, 2025 · Oct 27, 2025 · Oct 27, 2025
diff --git a/.github/workflows/build-images.yaml b/.github/workflows/build-images.yaml
@@ -15,6 +15,7 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME_UBUNTU: ghcr.io/mellanox/ovn-kubernetes-dpf
   IMAGE_NAME_FEDORA: ghcr.io/mellanox/ovn-kubernetes-dpf-fedora
+  IMAGE_NAME_DPF_UTILS: ghcr.io/mellanox/ovn-kubernetes-dpf-utils
 
 jobs:
   build-ubuntu:
@@ -135,3 +136,61 @@ jobs:
           cache-to: type=gha,mode=max
           provenance: false
 
+  build-dpf-utils:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+          fetch-depth: 0
+
+      - name: Determine tag
+        id: tag
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            TAG=${GITHUB_REF#refs/tags/}
+          else
+            TAG=v25.7.1-${GITHUB_SHA::7}
+          fi
+          echo "tag=${TAG}" >> $GITHUB_OUTPUT
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (labels only)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_NAME_DPF_UTILS }}
+
+      - name: Build and push DPF Utils image
+        uses: docker/build-push-action@v5
+        with:
+          context: ./dpf-utils
+          file: ./dpf-utils/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ env.IMAGE_NAME_DPF_UTILS }}:${{ steps.tag.outputs.tag }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            builder_image=quay.io/projectquay/golang:1.24
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: false
+
diff --git a/.github/workflows/test-and-lint.yaml b/.github/workflows/test-and-lint.yaml
@@ -0,0 +1,45 @@
+name: Test and Lint DPF Utils
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'dpf-utils/**'
+      - '.github/workflows/test-dpf-utils.yaml'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'dpf-utils/**'
+      - '.github/workflows/test-dpf-utils.yaml'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.24'
+
+      - name: Run tests
+        run: make test
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.24'
+
+      - name: Run linter
+        run: make lint
+
diff --git a/Makefile b/Makefile
@@ -36,6 +36,7 @@ help: ## Display this help.
 
 REGISTRY ?= example.com
 OVNKUBERNETES_IMAGE ?= $(REGISTRY)/ovn-kubernetes-dpf
+DPF_UTILS_IMAGE ?= $(REGISTRY)/ovn-kubernetes-dpf-utils
 
 .PHONY: docker-build-ubuntu
 docker-build-ubuntu:
@@ -55,6 +56,15 @@ docker-build-fedora:
 		--load \
 		-f Dockerfile.ovn-kubernetes.fedora .
 
+.PHONY: docker-build-dpf-utils
+docker-build-dpf-utils: ## Build DPF utilities image
+	docker buildx build \
+		--build-arg builder_image=${GO_IMAGE} \
+		-t $(DPF_UTILS_IMAGE):$(TAG) \
+		--load \
+		-f dpf-utils/Dockerfile \
+		dpf-utils/
+
 .PHONY: docker-push-ubuntu
 docker-push-ubuntu: ## Push Ubuntu image to registry
 	docker push $(OVNKUBERNETES_IMAGE):$(TAG)
@@ -63,6 +73,22 @@ docker-push-ubuntu: ## Push Ubuntu image to registry
 docker-push-fedora: ## Push Fedora image to registry
 	docker push $(OVNKUBERNETES_IMAGE):$(TAG)-fedora
 
+.PHONY: docker-push-dpf-utils
+docker-push-dpf-utils: ## Push DPF utilities image to registry
+	docker push $(DPF_UTILS_IMAGE):$(TAG)
+
+##@ DPF Utils Targets
+
+DPF_UTILS_DIR = dpf-utils
+
+.PHONY: lint
+lint: golangci-lint ## Run linter for DPF utilities
+	cd $(DPF_UTILS_DIR) && $(GOLANGCI_LINT) run --timeout=5m ./...
+
+.PHONY: test
+test: ## Run tests for DPF utilities
+	cd $(DPF_UTILS_DIR) && go test -v -coverprofile=coverage.out -covermode=atomic ./...
+
 ##@ Helm Chart Targets
 
 HELM_CHART_DIR ?= helm/ovn-kubernetes-dpf
@@ -72,15 +98,15 @@ HELM_OUTPUT_DIR ?= _output/helm
 helm-build: yq
 	@mkdir -p $(HELM_OUTPUT_DIR)
 	@cp $(HELM_CHART_DIR)/values.yaml.tmpl $(HELM_CHART_DIR)/values.yaml
-	@$(YQ) eval -i '.ovn-kubernetes-resource-injector.controllerManager.webhook.image.repository = "$(OVNKUBERNETES_IMAGE)"' $(HELM_CHART_DIR)/values.yaml
+	@$(YQ) eval -i '.ovn-kubernetes-resource-injector.controllerManager.webhook.image.repository = "$(DPF_UTILS_IMAGE)"' $(HELM_CHART_DIR)/values.yaml
 	@$(YQ) eval -i '.ovn-kubernetes-resource-injector.controllerManager.webhook.image.tag = "$(TAG)"' $(HELM_CHART_DIR)/values.yaml
 	@$(YQ) eval -i '.nodeWithDPUManifests.image.repository = "$(OVNKUBERNETES_IMAGE)"' $(HELM_CHART_DIR)/values.yaml
 	@$(YQ) eval -i '.nodeWithDPUManifests.image.tag = "$(TAG)"' $(HELM_CHART_DIR)/values.yaml
 	@$(YQ) eval -i '.nodeWithoutDPUManifests.image.repository = "$(OVNKUBERNETES_IMAGE)"' $(HELM_CHART_DIR)/values.yaml
 	@$(YQ) eval -i '.nodeWithoutDPUManifests.image.tag = "$(TAG)"' $(HELM_CHART_DIR)/values.yaml
 	@$(YQ) eval -i '.dpuManifests.image.repository = "$(OVNKUBERNETES_IMAGE)"' $(HELM_CHART_DIR)/values.yaml
 	@$(YQ) eval -i '.dpuManifests.image.tag = "$(TAG)"' $(HELM_CHART_DIR)/values.yaml
-	@$(YQ) eval -i '.dpuManifests.imagedpf.repository = "$(OVNKUBERNETES_IMAGE)"' $(HELM_CHART_DIR)/values.yaml
+	@$(YQ) eval -i '.dpuManifests.imagedpf.repository = "$(DPF_UTILS_IMAGE)"' $(HELM_CHART_DIR)/values.yaml
 	@$(YQ) eval -i '.dpuManifests.imagedpf.tag = "$(TAG)"' $(HELM_CHART_DIR)/values.yaml
 	@$(YQ) eval -i '.controlPlaneManifests.image.repository = "$(OVNKUBERNETES_IMAGE)"' $(HELM_CHART_DIR)/values.yaml
 	@$(YQ) eval -i '.controlPlaneManifests.image.tag = "$(TAG)"' $(HELM_CHART_DIR)/values.yaml
@@ -103,6 +129,8 @@ helm-clean:
 TOOLSDIR ?= $(CURDIR)/hack/tools/bin
 YQ_VERSION ?= v4.45.1
 export YQ ?= $(TOOLSDIR)/yq-$(YQ_VERSION)
+GOLANGCI_LINT_VERSION ?= v1.62.2
+export GOLANGCI_LINT ?= $(TOOLSDIR)/golangci-lint-$(GOLANGCI_LINT_VERSION)
 
 define go-install-tool
 @[ -f $(1) ] || { \
@@ -120,4 +148,9 @@ $(TOOLSDIR):
 .PHONY: yq
 yq: $(YQ) ## Download yq locally if necessary
 $(YQ): | $(TOOLSDIR)
-	$(call go-install-tool,$(YQ),github.com/mikefarah/yq/v4,$(YQ_VERSION))
+	$(call go-install-tool,$(YQ),github.com/mikefarah/yq/v4,$(YQ_VERSION))
+
+.PHONY: golangci-lint
+golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary
+$(GOLANGCI_LINT): | $(TOOLSDIR)
+	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint,$(GOLANGCI_LINT_VERSION))
diff --git a/dpf-utils/.gitignore b/dpf-utils/.gitignore
@@ -0,0 +1,3 @@
+/ovnkubernetesresourceinjector
+/ipallocator
+/dpucniprovisioner
diff --git a/dpf-utils/Dockerfile b/dpf-utils/Dockerfile
@@ -0,0 +1,113 @@
+ARG builder_image
+
+FROM --platform=${BUILDPLATFORM} ${builder_image} AS builder
+
+ARG TARGETARCH
+ARG gcflags
+ARG ldflags
+
+WORKDIR /workspace
+
+ARG ipallocator_dir
+COPY ./ ./
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+RUN --mount=type=cache,target=/go/pkg/mod \
+    go mod download
+
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -trimpath \
+    -ldflags="${ldflags}"  \
+    -gcflags="${gcflags}" \
+    -o ipallocator ./cmd/ipallocator
+
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -trimpath \
+    -ldflags="${ldflags}"  \
+    -gcflags="${gcflags}" \
+    -o dpucniprovisioner ./cmd/dpucniprovisioner
+
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -trimpath \
+    -ldflags="${ldflags}"  \
+    -gcflags="${gcflags}" \
+    -o ovnkubernetesresourceinjector ./cmd/ovnkubernetesresourceinjector
+
+# Create source code archive excluding .gocache, and test files.
+# Skipping `.gocache` since it contains pre-compiled versions of packages and other build artifacts for speeding up subsequent builds
+RUN mkdir src && \
+    find . -name '*.go' \
+      -not -path "./hack/*" \
+      -not -path "./.gocache/*" \
+      -not -name "*_test.go" \
+      -exec cp --parents {} src/ \; && \
+    tar -czf source-code.tar.gz src
+
+# Build the final image
+FROM nvcr.io/nvidia/doca/canonical:ubuntu24.04
+
+ARG TARGETARCH
+
+USER root
+
+ARG ubuntu_mirror=http://archive.ubuntu.com/ubuntu/
+
+# Dependencies for installing OVN (Netplan, systemd and udev required by dpucniprovisioner).
+ARG PACKAGES="openvswitch-switch netplan.io udev systemd dnsmasq"
+
+RUN dpkg -l | awk '/^ii/{print $2"="$3}' | sort > /initial-dpkg-list.txt
+
+RUN find /etc/apt/sources.list* -type f -exec sed -i \
+      -e "s|http://archive.ubuntu.com/ubuntu/|${ubuntu_mirror}|g" \
+      -e "s|http://security.ubuntu.com/ubuntu/|${ubuntu_mirror}|g" '{}' \;
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends ${PACKAGES} && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN dpkg -l | awk '/^ii/{print $2"="$3}' | sort > /after-ovn-dpkg-list.txt
+
+RUN mkdir -p /var/run/openvswitch
+
+RUN mkdir -p /usr/libexec/cni/
+COPY --from=builder /workspace/ipallocator /ipallocator
+COPY --from=builder /workspace/dpucniprovisioner /cniprovisioner
+COPY --from=builder /workspace/ovnkubernetesresourceinjector /ovnkubernetesresourceinjector
+
+# Get all the source code
+RUN mkdir -p /src
+WORKDIR /src
+
+# Copy source code from builder stage
+COPY --from=builder /workspace/source-code.tar.gz ovn-kubernetes-source-code.tar.gz
+
+# Download source code for apt packages.
+# Starting from Ubuntu 24.04 shifted to the new deb822 format for source management.
+# Enable `deb-src` to be able to fetch sources using `apt-get source`
+ARG PACKAGE_SOURCES
+RUN test "${PACKAGE_SOURCES}" = "false" || ( \
+      sed -i 's/^# deb-src/deb-src/g' /etc/apt/sources.list /etc/apt/sources.list.d/* && \
+      sed -i 's/^Types: deb$/Types: deb deb-src/g' /etc/apt/sources.list.d/*.sources && \
+      apt-get update && \
+      apt-get source --download-only ${PACKAGES} && \
+      comm -23 /after-ovn-dpkg-list.txt /initial-dpkg-list.txt | xargs -r apt-get source --download-only && \
+      apt-get clean && \
+      rm -f /initial-dpkg-list.txt /after-ovn-dpkg-list.txt && \
+      rm -rf /var/lib/apt/lists/* && \
+      cd / && \
+      tar -cf source-code.tar /src && \
+      rm -rf /src \
+    )
+
+LABEL io.k8s.display-name="ovn-kubernetes dpf utilities" \
+      io.k8s.description="ovn-kubernetes dpf utilities ubuntu image"
+
+WORKDIR /root