feat: Cisco NXOS VPCs

Multi-Chassis Link Aggregation (MC-LAG) is quite vendor and platform
specific. We don't see much intersection in their respective
configuration to justify a common API type. Instead, we move forward
with a platform specific API exclusive to Cisco NXOS devices.

This commit adds new types, controller, and provider to configure
virtual Port Channels (vPCs) via the operator.

Implementation note: Consider the following information about the YANG
model for configuring a vPC:
* each vPC configured in the domain appears in the tree in this
  location: `vpc-items/inst-items/dom-items/if-items/If-list[id=30]`
(where `30` is the vPC ID)
* the peer-link interface is configured here:
  `vpc-items/inst-items/dom-items/keepalive-items/peerlink-items[id=po10]`

The interfaces will be added to the vPC config by the LAG provider and
not by this controller.  Hence, if we apply a gNMI Replace operation on
the xpath returned by VPC.XPath() we would remove any existing vPC
interfaces. A gNMI Update operation will not modify the configuration
introduced by the LAG provider.

Author: nikatza

PROJECT

@@ -176,4 +176,12 @@ resources:
   kind: VLAN
   path: github.com/ironcore-dev/network-operator/api/core/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: cisco.networking.metal.ironcore.dev
+  group: nx
+  kind: VPC
+  path: github.com/ironcore-dev/network-operator/api/cisco/nx/v1alpha1
 version: "3"

Tiltfile

@@ -12,6 +12,11 @@ allow_k8s_contexts(['minikube', 'kind-network'])
 load('ext://cert_manager', 'deploy_cert_manager')
 deploy_cert_manager(version='v1.18.2')
 
+# # Add webhook configuration
+k8s_yaml(kustomize('./config/webhook'))
+k8s_yaml(kustomize('./config/certmanager'))
+
+
 docker_build('controller:latest', '.', ignore=['**/*/zz_generated.deepcopy.go', 'config/crd/bases/*'], only=[
     'api/', 'cmd/', 'hack/', 'internal/', 'go.mod', 'go.sum', 'Makefile',
 ])
@@ -22,7 +27,7 @@ local_resource('controller-gen', 'make generate', ignore=['**/*/zz_generated.dee
 
 docker_build('ghcr.io/ironcore-dev/gnmi-test-server:latest', './test/gnmi')
 
-provider = os.getenv('PROVIDER', 'openconfig')
+provider = os.getenv('PROVIDER', 'cisco-nxos-gnmi')
 
 manager = kustomize('config/develop')
 manager = str(manager).replace('--provider=openconfig', '--provider={}'.format(provider))
@@ -39,65 +44,77 @@ def device_yaml():
     return encode_yaml_stream(decoded)
 
 k8s_yaml(device_yaml())
-k8s_resource(new_name='leaf1', objects=['leaf1:device', 'secret-basic-auth:secret'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_resource(new_name='leaf1', objects=['leaf1:device', 'secret-basic-auth:secret'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=True)
 
 k8s_yaml('./config/samples/v1alpha1_interface.yaml')
-k8s_resource(new_name='lo0', objects=['lo0:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
-k8s_resource(new_name='lo1', objects=['lo1:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
-k8s_resource(new_name='eth1-1', objects=['eth1-1:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
-k8s_resource(new_name='eth1-2', objects=['eth1-2:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# k8s_resource(new_name='lo0', objects=['lo0:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# k8s_resource(new_name='lo1', objects=['lo1:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# k8s_resource(new_name='eth1-1', objects=['eth1-1:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# k8s_resource(new_name='eth1-2', objects=['eth1-2:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 k8s_resource(new_name='eth1-10', objects=['eth1-10:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
-k8s_resource(new_name='po10', objects=['po-10:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_resource(new_name='eth1-30', objects=['eth1-30:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_resource(new_name='eth1-31', objects=['eth1-31:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_resource(new_name='eth1-32', objects=['eth1-32:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 k8s_resource(new_name='svi-10', objects=['svi-10:interface'], resource_deps=['vlan-10'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
-k8s_resource(new_name='eth1-30', objects=['eth1-30:interface'], resource_deps=['vrf-vpc-keepalive'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_resource(new_name='po1', objects=['po1:interface'],  trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_resource(new_name='po2', objects=['po2:interface'],  trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+
+#resource_deps=['eth1-31', 'eth1-32'],
 
-k8s_yaml('./config/samples/v1alpha1_banner.yaml')
-k8s_resource(new_name='banner', objects=['banner:banner'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
-k8s_yaml('./config/samples/v1alpha1_user.yaml')
-k8s_resource(new_name='user', objects=['user:user', 'user-password:secret', 'user-ssh-key:secret'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# k8s_yaml('./config/samples/v1alpha1_banner.yaml')
+# k8s_resource(new_name='banner', objects=['banner:banner'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
-k8s_yaml('./config/samples/v1alpha1_dns.yaml')
-k8s_resource(new_name='dns', objects=['dns:dns'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# k8s_yaml('./config/samples/v1alpha1_user.yaml')
+# k8s_resource(new_name='user', objects=['user:user', 'user-password:secret', 'user-ssh-key:secret'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
-k8s_yaml('./config/samples/v1alpha1_ntp.yaml')
-k8s_resource(new_name='ntp', objects=['ntp:ntp'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# k8s_yaml('./config/samples/v1alpha1_dns.yaml')
+# k8s_resource(new_name='dns', objects=['dns:dns'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
-k8s_yaml('./config/samples/v1alpha1_acl.yaml')
-k8s_resource(new_name='acl', objects=['acl:accesscontrollist'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# k8s_yaml('./config/samples/v1alpha1_ntp.yaml')
+# k8s_resource(new_name='ntp', objects=['ntp:ntp'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
-k8s_yaml('./config/samples/v1alpha1_certificate.yaml')
-k8s_resource(new_name='trustpoint', objects=['network-operator:issuer', 'network-operator-ca:certificate', 'trustpoint:certificate'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# k8s_yaml('./config/samples/v1alpha1_acl.yaml')
+# k8s_resource(new_name='acl', objects=['acl:accesscontrollist'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
-k8s_yaml('./config/samples/v1alpha1_snmp.yaml')
-k8s_resource(new_name='snmp', objects=['snmp:snmp'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# k8s_yaml('./config/samples/v1alpha1_certificate.yaml')
+# k8s_resource(new_name='trustpoint', objects=['network-operator:issuer', 'network-operator-ca:certificate', 'trustpoint:certificate'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
-k8s_yaml('./config/samples/v1alpha1_syslog.yaml')
-k8s_resource(new_name='syslog', objects=['syslog:syslog'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# k8s_yaml('./config/samples/v1alpha1_snmp.yaml')
+# k8s_resource(new_name='snmp', objects=['snmp:snmp'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
-k8s_yaml('./config/samples/v1alpha1_managementaccess.yaml')
-k8s_resource(new_name='managementaccess', objects=['managementaccess:managementaccess'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# k8s_yaml('./config/samples/v1alpha1_syslog.yaml')
+# k8s_resource(new_name='syslog', objects=['syslog:syslog'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
-k8s_yaml('./config/samples/v1alpha1_isis.yaml')
-k8s_resource(new_name='isis-underlay', objects=['underlay:isis'], resource_deps=['lo0', 'lo1', 'eth1-1', 'eth1-2'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# k8s_yaml('./config/samples/v1alpha1_isis.yaml')
+# k8s_resource(new_name='isis-underlay', objects=['underlay:isis'], resource_deps=['lo0', 'lo1', 'eth1-1', 'eth1-2'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# k8s_yaml('./config/samples/v1alpha1_managementaccess.yaml')
+# k8s_resource(new_name='managementaccess', objects=['managementaccess:managementaccess'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+
+# k8s_yaml('./config/samples/v1alpha1_isis.yaml')
+# k8s_resource(new_name='underlay', objects=['underlay:isis'], resource_deps=['lo0', 'lo1', 'eth1-1', 'eth1-2'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
 k8s_yaml('./config/samples/v1alpha1_vrf.yaml')
-k8s_resource(new_name='vrf-admin', objects=['vrf-cc-admin:vrf'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
-k8s_resource(new_name='vrf-001', objects=['vrf-cc-prod-001:vrf'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
-k8s_resource(new_name='vrf-vpc-keepalive', objects=['vpc-keepalive:vrf'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# k8s_resource(new_name='vrf-admin', objects=['vrf-cc-admin:vrf'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_resource(new_name='vrf-vpckeepalive', objects=['vrf-vpckeepalive:vrf'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+
+# k8s_yaml('./config/samples/v1alpha1_pim.yaml')
+# k8s_resource(new_name='pim', objects=['pim:pim'], resource_deps=['lo0', 'lo1', 'eth1-1', 'eth1-2'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
-k8s_yaml('./config/samples/v1alpha1_pim.yaml')
-k8s_resource(new_name='pim', objects=['pim:pim'], resource_deps=['lo0', 'lo1', 'eth1-1', 'eth1-2'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+#k8s_yaml('./config/samples/v1alpha1_bgp.yaml')
+#k8s_resource(new_name='bgp', objects=['bgp:bgp'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
-k8s_yaml('./config/samples/v1alpha1_bgp.yaml')
-k8s_resource(new_name='bgp', objects=['bgp:bgp'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+#k8s_yaml('./config/samples/v1alpha1_bgppeer.yaml')
+# k8s_resource(new_name='peer-spine1', objects=['leaf1-spine1:bgppeer'], resource_deps=['bgp', 'lo0'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+# k8s_resource(new_name='peer-spine2', objects=['leaf1-spine2:bgppeer'], resource_deps=['bgp', 'lo0'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
-k8s_yaml('./config/samples/v1alpha1_bgppeer.yaml')
-k8s_resource(new_name='peer-spine1', objects=['leaf1-spine1:bgppeer'], resource_deps=['bgp', 'lo0'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
-k8s_resource(new_name='peer-spine2', objects=['leaf1-spine2:bgppeer'], resource_deps=['bgp', 'lo0'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_yaml('./config/samples/cisco/nx/v1alpha1_vpc.yaml')
+# we cannot add a resource dependency to the interfaces here, otherwise we create a deadlock as the multichassis ID depends
+# on the vPC being created first, and the vPC requires the interfaces to be present.
+k8s_resource(new_name='vpc', objects=['leaf1-vpc:vpc'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
-k8s_yaml('./config/samples/v1alpha1_ospf.yaml')
-k8s_resource(new_name='ospf-underlay', objects=['underlay:ospf'], resource_deps=['lo0', 'lo1', 'eth1-1', 'eth1-2'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+#k8s_yaml('./config/samples/v1alpha1_ospf.yaml')
+#k8s_resource(new_name='ospf-underlay', objects=['underlay:ospf'], resource_deps=['lo0', 'lo1', 'eth1-1', 'eth1-2'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
 k8s_yaml('./config/samples/v1alpha1_vlan.yaml')
 k8s_resource(new_name='vlan-10', objects=['vlan-10:vlan'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)

api/cisco/nx/v1alpha1/groupversion_info.go

@@ -22,3 +22,14 @@ var (
 	// AddToScheme adds the types in this group-version to the given scheme.
 	AddToScheme = SchemeBuilder.AddToScheme
 )
+
+// WatchLabel is a label that can be applied to any Network API object.
+//
+// Controllers which allow for selective reconciliation may check this label and proceed
+// with reconciliation of the object only if this label and a configured value is present.
+const WatchLabel = "nx.cisco.networking.metal.ironcore.dev/watch-filter"
+
+// FinalizerName is the identifier used by the controllers to perform cleanup before a resource is deleted.
+// It is added when the resource is created and ensures that the controller can handle teardown logic
+// (e.g., deleting external dependencies) before Kubernetes finalizes the deletion.
+const FinalizerName = "nx.cisco.networking.metal.ironcore.dev/finalizer"