vtep: Add CiliumVTEPConfig CRD for dynamic VTEP configuration#44188
parlakisik wants to merge 1 commit into
Commit a5880f3 does not match "(?m)^Signed-off-by:". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
2f7acca to c76eb18
35c1876 to bf9c9d3
Introduce CiliumVTEPConfig CRD to replace static ConfigMap-based VTEP configuration. VTEP endpoints are assigned to nodes based on label selectors (nodeSelector), enabling per-zone or per-node VTEP targeting without agent restarts.

Signed-off-by: Murat Parlakisik <parlakisik@gmail.com>
Contributor / Author:
/test

Contributor / Author:
/test ci-l7
pchaigno (Member) requested changes, Apr 27, 2026:
Please split this into multiple commits to help with reviews.
Member:
I'll note that cilium/design-cfps#92 is open for discussion as a prerequisite before adopting this proposal. This is also related to #41332, which I have now closed due to the feedback in this post. I know @parlakisik was made aware of this feedback on that PR, but I don't know the degree to which the same feedback applies to this proposal.
Introduce CiliumVTEPConfig CRD for dynamic VTEP management

Replace static CLI flag-based VTEP configuration with a CiliumVTEPConfig custom resource, enabling dynamic updates without Cilium agent restarts.

CiliumVTEPConfig CRD
Cluster-scoped resource (shortName: cvtep) with kubebuilder validation, status subresource, and max 8 endpoints per node (BPF map limit).

Per-node VTEP assignment via nodeSelector
Different nodes can use different VTEP endpoints based on label selectors (e.g., per availability zone). Multiple CiliumVTEPConfig objects can coexist; each Cilium agent evaluates selectors against its own node labels. Configs without nodeSelector apply to all nodes. Conflicting CIDRs on the same node are detected and rejected with error status.

VTEPReconciler
Watches CRD events, evaluates nodeSelector matching, updates BPF LPM trie map entries, manages Linux routing table entries, and reports per-endpoint sync status back to the CRD.

Per-endpoint status tracking
Each endpoint reports synced state, lastSyncTime, and errors via CRD status conditions, visible through kubectl get cvtep.

BPF map changes
Migrated from HashMap to LPM Trie for longest-prefix-match support. Added List() and DeleteByCIDR() methods for reconciliation.

Removed CLI flags
Removed --vtep-endpoint, --vtep-cidr, --vtep-mac, --vtep-mask, --vtep-sync-interval flags in favor of CRD-based configuration.

CI integration
Added conformance test workflow (conformance-vtep.yaml) with Kind cluster, VTEP responder containers, and integration test suite. Registered in Ariane orchestrator with image build dependency.
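The per-node selection, CIDR conflict rejection and 8-endpoint cap described in the PR body, as an added worked example. This is not Cilium's code and not the PR's diff: the `VTEPConfig`/`Endpoint` types, the `ResolveNode` function, the exact-prefix conflict rule (two endpoints claiming the identical prefix on one node conflict; nested prefixes are left alone because the LPM trie resolves them by longest match), the name-ordered processing and the sample objects with their zone labels are all assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Hypothetical, simplified model of the objects the PR body describes.
// The real CRD schema is defined in the PR diff, not here.

const maxEndpointsPerNode = 8 // per-node cap stated in the PR body (BPF map limit)

type Endpoint struct {
	Name string
	CIDR string // destination prefix routed via this VTEP, e.g. "10.20.1.0/24"
	VTEP string // VTEP IP
	MAC  string // VTEP MAC
}

type VTEPConfig struct {
	Name         string
	NodeSelector map[string]string // nil or empty => applies to every node
	Endpoints    []Endpoint
}

// matchesNode implements an equality-based selector: every key in the
// selector must be present on the node with the same value.
func matchesNode(sel map[string]string, nodeLabels map[string]string) bool {
	for k, v := range sel {
		if nodeLabels[k] != v {
			return false
		}
	}
	return true
}

// Assigned is what one agent would program for its own node.
type Assigned struct {
	Endpoints []Endpoint
	Errors    []string // what would be surfaced as error status on the CRD
}

// ResolveNode collects endpoints from every config whose selector matches
// the node, rejects endpoints whose prefix is already claimed on this node,
// and truncates at the per-node limit. Configs are processed in name order
// so the outcome is deterministic regardless of watch-event order.
func ResolveNode(configs []VTEPConfig, nodeLabels map[string]string) Assigned {
	var out Assigned
	claimed := map[netip.Prefix]string{} // canonical prefix -> "config/endpoint"
	sorted := append([]VTEPConfig(nil), configs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	for _, c := range sorted {
		if !matchesNode(c.NodeSelector, nodeLabels) {
			continue
		}
		for _, ep := range c.Endpoints {
			p, err := netip.ParsePrefix(ep.CIDR)
			if err != nil {
				out.Errors = append(out.Errors, fmt.Sprintf("%s/%s: invalid CIDR %q: %v", c.Name, ep.Name, ep.CIDR, err))
				continue
			}
			p = p.Masked() // 10.10.0.1/16 and 10.10.0.0/16 are the same trie key
			if owner, dup := claimed[p]; dup {
				out.Errors = append(out.Errors, fmt.Sprintf("%s/%s: CIDR %s conflicts with %s", c.Name, ep.Name, p, owner))
				continue
			}
			claimed[p] = c.Name + "/" + ep.Name
			out.Endpoints = append(out.Endpoints, ep)
		}
	}
	if len(out.Endpoints) > maxEndpointsPerNode {
		out.Errors = append(out.Errors, fmt.Sprintf("%d endpoints exceed the per-node limit of %d", len(out.Endpoints), maxEndpointsPerNode))
		out.Endpoints = out.Endpoints[:maxEndpointsPerNode]
	}
	return out
}

// SampleConfigs is constructed input for this example (documentation
// addresses and locally administered MACs), not data from the PR.
func SampleConfigs() []VTEPConfig {
	zone := "topology.kubernetes.io/zone"
	return []VTEPConfig{
		{Name: "vtep-global", Endpoints: []Endpoint{{Name: "shared", CIDR: "10.10.0.0/16", VTEP: "192.0.2.10", MAC: "02:00:00:00:00:10"}}},
		{Name: "vtep-zone-a", NodeSelector: map[string]string{zone: "zone-a"},
			Endpoints: []Endpoint{{Name: "a1", CIDR: "10.20.1.0/24", VTEP: "192.0.2.21", MAC: "02:00:00:00:00:21"}}},
		{Name: "vtep-zone-b", NodeSelector: map[string]string{zone: "zone-b"},
			Endpoints: []Endpoint{{Name: "b1", CIDR: "10.20.2.0/24", VTEP: "192.0.2.22", MAC: "02:00:00:00:00:22"}}},
		// Re-claims the global prefix, but only on zone-a nodes: a conflict there.
		{Name: "vtep-zone-a-bad", NodeSelector: map[string]string{zone: "zone-a"},
			Endpoints: []Endpoint{{Name: "dup", CIDR: "10.10.0.0/16", VTEP: "192.0.2.99", MAC: "02:00:00:00:00:99"}}},
	}
}

func main() {
	for _, labels := range []map[string]string{
		{"topology.kubernetes.io/zone": "zone-a"},
		{"topology.kubernetes.io/zone": "zone-b"},
		{},
	} {
		a := ResolveNode(SampleConfigs(), labels)
		fmt.Printf("node %v: %d endpoints, errors=%v\n", labels, len(a.Endpoints), a.Errors)
	}
}
```

Running it shows a zone-a node receiving the shared and a1 endpoints with one conflict error for `vtep-zone-a-bad`, a zone-b node receiving shared and b1 with no errors, and an unlabelled node receiving only the global endpoint; the error strings are the kind of per-endpoint detail the PR body says is reported back through the CRD status.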