net, evpn: add routed L3 connectivity tests

[servolkov]

What this PR does / why we need it:

Add L3 endpoint emulation on the external FRR pod: VRF + SVI on the shared bridge, BGP VRF config for Type-5 route advertisement, IP forwarding, and route convergence wait before traffic.

Implement stretched L3 connectivity and live migration tests.

Make BGP ASN constants public in bgp.py (CLUSTER_FRR_ASN, EXTERNAL_FRR_ASN) for reuse by EVPN L3 FRR configuration.

Which issue(s) this PR fixes:

Special notes for reviewer:

jira-ticket: https://redhat.atlassian.net/browse/CNV-84400

Assisted-by: Claude Opus 4.6 noreply@anthropic.com

Summary by CodeRabbit

• Tests

  • Enabled comprehensive testing for routed EVPN connectivity between virtual machines and external BGP network providers.
  • Activated testing to verify routed EVPN connectivity is preserved during virtual machine live migration operations.

• Chores

  • Expanded test infrastructure for EVPN Layer 3 endpoint deployment and lifecycle management.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8c033300-1c51-40e8-a946-e4f73eb1e13b

📥 Commits

Reviewing files that changed from the base of the PR and between 267f965 and 51bd9a8.

📒 Files selected for processing (4)

• tests/network/bgp/evpn/conftest.py
• tests/network/bgp/evpn/libevpn.py
• tests/network/bgp/evpn/test_evpn_connectivity.py
• tests/network/libs/bgp.py

---

📝 Walkthrough

Walkthrough

This PR adds Layer 3 routed EVPN endpoint support to the EVPN connectivity test suite. It introduces L3 infrastructure deployment functions that create Linux VRF/SVI/veth pairs with FRR BGP configuration inside the external FRR pod, defines L3-specific network constants, refactors BGP ASN constants for better visibility, creates test fixtures that wire endpoints to VM workloads, and implements two previously-stubbed routed L3 connectivity tests including live-migration validation.

Changes

L3 EVPN Endpoint Support

Layer / File(s)	Summary
L3 Configuration Constants tests/network/bgp/evpn/conftest.py, tests/network/bgp/evpn/libevpn.py	External L3 endpoint/gateway IPv4/IPv6 CIDRs and L3-specific VRF/VLAN/VNI/netns/veth interface identifiers.
BGP ASN Constants & Configuration tests/network/libs/bgp.py	Extract CLUSTER_FRR_ASN and EXTERNAL_FRR_ASN into public Final constants and update BGP router/EVPN configuration generation to reference new names.
L3 Endpoint Deployment Functions tests/network/bgp/evpn/libevpn.py	Public deploy_evpn_l3_endpoint() and teardown_evpn_l3_endpoint() orchestrate VRF/SVI/veth/netns creation, FRR configuration, and cleanup via helper functions.
L3 Infrastructure Helpers tests/network/bgp/evpn/libevpn.py	_build_l3_endpoint_commands() generates VRF/SVI/veth/route setup shell commands; _configure_external_frr_l3_vrf() applies FRR EVPN L3 config with RD/RT; _wait_for_l3_vrf_routes() waits for BGP routes with retry.
Test Fixtures tests/network/bgp/evpn/conftest.py	external_l3_endpoint fixture deploys/tears down L3 endpoint; evpn_routed_l3_active_connections creates TCP client/server pairs between VM and L3 endpoint.
L3 Connectivity Tests tests/network/bgp/evpn/test_evpn_connectivity.py	test_routed_l3_connectivity_udn_vm_and_external_provider verifies TCP connectivity per IP version; test_routed_l3_connectivity_is_preserved_over_live_migration re-validates connections after VM live migration.

---

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'net, evpn: add routed L3 connectivity tests' accurately and concisely summarizes the main change: implementing L3 connectivity tests for EVPN, which is evident from the file changes and test implementations.
Description check	✅ Passed	The PR description covers the key aspects of the changeset: L3 endpoint emulation setup, test implementations, and public constant changes, with appropriate Jira ticket reference provided.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-virtualization-qe-bot-5]

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

• Reviewer Assignment: Reviewers are automatically assigned based on the OWNERS file in the repository root
• Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are automatically applied based on changes
• Issue Creation: A tracking issue is created for this PR and will be closed when the PR is merged or closed
• Branch Labeling: Branch-specific labels are applied to track the target branch
• Auto-verification: Auto-verified users have their PRs automatically marked as verified
• Labels: Enabled categories: branch, can-be-merged, cherry-pick, has-conflicts, hold, needs-rebase, size, verified, wip

📋 Available Commands

PR Status Management

• /wip - Mark PR as work in progress (adds WIP: prefix to title)
• /wip cancel - Remove work in progress status
• /hold - Block PR merging (approvers only)
• /hold cancel - Unblock PR merging
• /verified - Mark PR as verified
• /verified cancel - Remove verification status
• /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)
• /regenerate-welcome - Regenerate this welcome message

Review & Approval

• /lgtm - Approve changes (looks good to me)
• /approve - Approve PR (approvers only)
• /assign-reviewers - Assign reviewers based on OWNERS file
• /assign-reviewer @username - Assign specific reviewer
• /check-can-merge - Check if PR meets merge requirements

Testing & Validation

• /retest tox - Run Python test suite with tox
• /retest build-container - Rebuild and test container image
• /retest verify-bugs-are-open - verify-bugs-are-open
• /retest all - Run all available tests

Container Operations

• /build-and-push-container - Build and push container image (tagged with PR number)
  • Supports additional build arguments: /build-and-push-container --build-arg KEY=value

Cherry-pick Operations

• /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
  • Multiple branches: /cherry-pick branch1 branch2 branch3

Label Management

• /<label-name> - Add a label to the PR
• /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

1. Approval: /approve from at least one approver
2. LGTM Count: Minimum 2 /lgtm from reviewers
3. Status Checks: All required status checks must pass
4. No Blockers: No wip, hold, has-conflicts labels and PR must be mergeable (no conflicts)
5. Verified: PR must be marked as verified

📊 Review Process

Approvers and Reviewers

Approvers:

• EdDev

Reviewers:

• Anatw
• EdDev
• azhivovk
• frenzyfriday
• nirdothan
• orelmisan
• servolkov
• yossisegev

Available Labels

• hold
• verified
• wip
• lgtm
• approve

AI Features

• Cherry-Pick Conflict Resolution: Enabled (claude/claude-opus-4-6[1m])

💡 Tips

• WIP Status: Use /wip when your PR is not ready for review
• Verification: The verified label is removed on new commits unless the push is detected as a clean rebase
• Cherry-picking: Cherry-pick labels are processed when the PR is merged
• Container Builds: Container images are automatically tagged with the PR number
• Permission Levels: Some commands require approver permissions
• Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

[servolkov]

/verified

$ uv run pytest --cluster-sanity-skip-nodes-check --cluster-sanity-skip-storage-check --skip-deprecated-api-test --cluster-sanity-skip-check tests/network/bgp/ -k routed_l3
...
TEST: test_routed_l3_connectivity_udn_vm_and_external_provider STATUS: PASSED
TEST: test_routed_l3_connectivity_is_preserved_over_live_migration STATUS: PASSED
...
2 of 2 completed, 2 Pass, 0 Fail, 0 Skip, 0 XPass, 0 XFail, 0 Error, 0 ReRun

[openshift-virtualization-qe-bot-3]

@coderabbitai

Test execution plan request details

CRITICAL: You MUST post an inline review comment on the first changed line of the first file.
The inline comment should contain the Test Execution Plan with the smoke tests recommendation.
Do NOT submit a formal review - just post the inline comment directly.

As an expert software testing engineer, analyze all modified files in this PR and create a targeted test execution plan.
You will post an inline review comment with the test execution plan on the first changed file.
If you fail to run or post a comment, retry.

Analysis Requirements:

1. Examine code changes in each modified file
2. Identify affected code paths, functions, and classes
3. Analyze pytest-specific elements: fixtures (scope, dependencies), parametrization, markers, conftest changes
4. Trace test dependencies through imports, shared utilities, and fixture inheritance
5. Detect new tests introduced in the PR
6. Smoke Test Impact Analysis: Determine if any changes could affect smoke tests by checking:
   • Changes to files/functions used by tests marked with @pytest.mark.smoke
   • Changes to fixtures or utilities imported by smoke tests
   • Changes to conftest.py files that may affect smoke test execution
   • Changes to core infrastructure code (utilities/, libs/) that smoke tests depend on

Your deliverable:
Your change request comment will be based on the following requirements:

Test Execution Plan

• Run smoke tests: True / False (Based on your smoke test impact analysis - True if any changes may affect smoke tests)
• path/to/test_file.py - When the entire test file needs verification
• path/to/test_file.py::TestClass::test_method - When specific test(s) needed
• path/to/test_file.py::test_function - When specific test(s) needed
• -m marker - When specific marker(s) can be used to cover multiple cases.

Guidelines:

• Include only tests directly affected by the changes
• Use a full file path only if ALL tests in that file require verification
• Use file path + test name if only specific tests are needed
• If a test marker can cover multiple files/tests, provide the marker
• Balance coverage vs over-testing - Keep descriptions minimal

Hardware-Related Checks (SR-IOV, GPU, DPDK):

When PR modifies fixtures for hardware-specific resources:

• Collection Safety: Fixtures MUST have existence checks (return None when hardware unavailable)
• Test Plan: MUST verify both WITH and WITHOUT hardware:
  • Run affected tests on cluster WITH hardware
  • Verify collection succeeds on cluster WITHOUT hardware

CRITICAL WORKFLOW COMPLETION RULES:

When responding to this test execution plan request, you MUST follow these rules EXACTLY:

1. YOUR ONLY DELIVERABLE: Post an inline review comment containing the test execution plan on the first changed line
2. THEN STOP IMMEDIATELY - Do NOT generate any additional response
3. FALLBACK ONLY: If submitting the review fails after retrying, post as a regular PR comment
4. SILENCE = SUCCESS: After successfully submitting the review, your task is complete. No confirmation needed.

ABSOLUTE PROHIBITIONS (violating these creates empty/meaningless reviews):

• ❌ Do NOT post acknowledgment messages like "Test execution plan posted", "Review posted successfully", "I've successfully posted"
• ❌ Do NOT mention review IDs, URLs, or confirmation of posting in the PR thread
• ❌ Do NOT add any follow-up comments after submitting the review
• ❌ Do NOT reply to confirm task completion
• ❌ Do NOT explain what you did - just do it and stop

Remember: The pull request review is visible to users. Additional comments are redundant noise.

CRITICAL: Before setting "Run smoke tests: True", you MUST use shell scripts to:
- Trace the actual fixture dependency chain from smoke tests to changed fixtures
- Verify that smoke tests actually import/use changed utilities or functions
- Confirm the dependency path exists; do NOT assume based on scope or semantics
- Be conservative: Session-scoped fixtures or infrastructure-sounding names do NOT
automatically mean smoke test impact. Only flag smoke test impact when you can
demonstrate a concrete dependency path.
WRONG: "This session-scoped storage fixture might affect smoke tests"
RIGHT: "Smoke test X uses fixture Y, which depends on the changed fixture Z"

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for smoke test markers in EVPN test files and libs/bgp.py
echo "=== Smoke tests in EVPN directory ==="
rg -rn "pytest.mark.smoke" tests/network/bgp/ --type py

echo "=== Smoke tests using bgp.py functions ==="
rg -rn "pytest.mark.smoke" tests/network/ --type py -l

echo "=== Check if bgp.py is imported by smoke-marked tests ==="
rg -rn "from.*bgp import|import.*bgp" tests/network/ --type py -C1

echo "=== Get first changed file and first changed line from PR diff ==="
gh pr diff 4776 --name-only | head -5

echo "=== Full diff for first changed file ==="
gh pr diff 4776 -- tests/network/bgp/evpn/conftest.py 2>/dev/null | head -60

echo "=== Check CLUSTER_FRR_ASN / EXTERNAL_FRR_ASN usages ==="
rg -rn "CLUSTER_FRR_ASN\|EXTERNAL_FRR_ASN" tests/ --type py

echo "=== Check all tests that use evpn fixtures ==="
rg -rn "external_l3_endpoint\|evpn_routed_l3" tests/ --type py

echo "=== Get PR commit SHA for inline comment ==="
gh pr view 4776 --json headRefOid -q '.headRefOid'

echo "=== Check files changed in PR and line numbers ==="
gh api repos/RedHatQE/openshift-virtualization-tests/pulls/4776/files --jq '.[] | {filename, additions, deletions, patch}' 2>/dev/null | head -100

Length of output: 15542

---

🏁 Script executed:

#!/bin/bash
# Post inline review comment on first changed line of tests/network/bgp/evpn/conftest.py (line 24)
gh api \
  repos/RedHatQE/openshift-virtualization-tests/pulls/4776/comments \
  -X POST \
  -f commit_id="51bd9a81d0f4561ff0cc8e8b39351dcfed8043ee" \
  -f path="tests/network/bgp/evpn/conftest.py" \
  -f line=24 \
  -f side="RIGHT" \
  -f body="## Test Execution Plan

**Run smoke tests: False**
> Verified: no \`@pytest.mark.smoke\` markers exist in \`tests/network/bgp/\`, and no smoke tests import from \`tests/network/libs/bgp.py\` — no concrete dependency path to changed files.

---

### Tests to run

\`\`\`
tests/network/bgp/evpn/test_evpn_connectivity.py::test_routed_l3_connectivity_udn_vm_and_external_provider
tests/network/bgp/evpn/test_evpn_connectivity.py::test_routed_l3_connectivity_is_preserved_over_live_migration
\`\`\`

**Why:** Both tests were previously disabled via \`.__test__ = False\` and are now fully implemented and activated in this PR. All supporting fixtures (\`external_l3_endpoint\`, \`evpn_routed_l3_active_connections\`) and infrastructure (\`deploy_evpn_l3_endpoint\`, \`teardown_evpn_l3_endpoint\`, \`_configure_external_frr_l3_vrf\`) are new and require direct verification.

The \`bgp.py\` ASN constant rename (\`_CLUSTER_FRR_ASN\` → \`CLUSTER_FRR_ASN\`, \`_EXTERNAL_FRR_ASN\` → \`EXTERNAL_FRR_ASN\`) is a refactor only — existing EVPN L2 tests cover the regression surface for that change:

\`\`\`
-m evpn
\`\`\`
_(covers all EVPN tests including stretched L2 which exercises the renamed constants via \`generate_frr_conf\` / \`create_evpn_frr_configuration\`)_"

Length of output: 676

---

🏁 Script executed:

#!/bin/bash
gh api \
  repos/RedHatQE/openshift-virtualization-tests/pulls/4776/comments \
  -X POST \
  -f commit_id="51bd9a81d0f4561ff0cc8e8b39351dcfed8043ee" \
  -f path="tests/network/bgp/evpn/conftest.py" \
  -F line=24 \
  -f side="RIGHT" \
  -f subject_type="line" \
  -f body="## Test Execution Plan

**Run smoke tests: False**
> Verified: no \`@pytest.mark.smoke\` markers exist in \`tests/network/bgp/\`, and no smoke tests import from \`tests/network/libs/bgp.py\` — no concrete dependency path to changed files.

---

### Tests to run

\`\`\`
tests/network/bgp/evpn/test_evpn_connectivity.py::test_routed_l3_connectivity_udn_vm_and_external_provider
tests/network/bgp/evpn/test_evpn_connectivity.py::test_routed_l3_connectivity_is_preserved_over_live_migration
\`\`\`

**Why:** Both tests were previously disabled via \`.__test__ = False\` and are now fully implemented and activated in this PR. All supporting fixtures (\`external_l3_endpoint\`, \`evpn_routed_l3_active_connections\`) and infrastructure (\`deploy_evpn_l3_endpoint\`, \`teardown_evpn_l3_endpoint\`, \`_configure_external_frr_l3_vrf\`) are new and require direct verification.

The \`bgp.py\` ASN constant rename (\`_CLUSTER_FRR_ASN\` → \`CLUSTER_FRR_ASN\`, \`_EXTERNAL_FRR_ASN\` → \`EXTERNAL_FRR_ASN\`) is a refactor only — existing EVPN L2 tests cover the regression surface for that change:

\`\`\`
-m evpn
\`\`\`
_(covers all EVPN tests including stretched L2 which exercises the renamed constants via \`generate_frr_conf\` / \`create_evpn_frr_configuration\`)_"

Length of output: 593

---

🏁 Script executed:

#!/bin/bash
gh api \
  repos/RedHatQE/openshift-virtualization-tests/pulls/4776/comments \
  -X POST \
  -f commit_id="51bd9a81d0f4561ff0cc8e8b39351dcfed8043ee" \
  -f path="tests/network/bgp/evpn/conftest.py" \
  -F position=5 \
  -f body="## Test Execution Plan

**Run smoke tests: False**
> Verified: no \`@pytest.mark.smoke\` markers exist in \`tests/network/bgp/\`, and no smoke tests import from \`tests/network/libs/bgp.py\` — no concrete dependency path to changed files.

---

### Tests to run

\`\`\`
tests/network/bgp/evpn/test_evpn_connectivity.py::test_routed_l3_connectivity_udn_vm_and_external_provider
tests/network/bgp/evpn/test_evpn_connectivity.py::test_routed_l3_connectivity_is_preserved_over_live_migration
\`\`\`

**Why:** Both tests were previously disabled via \`.__test__ = False\` and are now fully implemented and activated in this PR. All supporting fixtures (\`external_l3_endpoint\`, \`evpn_routed_l3_active_connections\`) and infrastructure (\`deploy_evpn_l3_endpoint\`, \`teardown_evpn_l3_endpoint\`, \`_configure_external_frr_l3_vrf\`) are new and require direct verification.

The \`bgp.py\` ASN constant rename (\`_CLUSTER_FRR_ASN\` → \`CLUSTER_FRR_ASN\`, \`_EXTERNAL_FRR_ASN\` → \`EXTERNAL_FRR_ASN\`) is a refactor only — existing EVPN L2 tests cover the regression surface for that change:

\`\`\`
-m evpn
\`\`\`
_(covers all EVPN tests including stretched L2 which exercises the renamed constants via \`generate_frr_conf\` / \`create_evpn_frr_configuration\`)_" \
  --jq '.id'

Length of output: 11

---

[EdDev]

Very nice!

See inline about a potential problem, take it into account, although I think you intend to use this only for BM.
Feel free to resolve if you know about this.

/approve

[EdDev]

This may fail on single stack IPv4 setups (e.g. PSI). But I am not 100% sure,.

[servolkov]

single-stack means CNI configuration, not kernel limitation, right? the current setup is Linux kernel-level, the change is harmless on single-stack clusters per my understanding.

But if we have kernel-level limitations on single-stack clusters, so...

BTW, bgp/evpn tests work only on BM environments.

[servolkov]

I asked Claude to explore our deployment scripts, short recap: "Findings: IPv6 is not disabled at boot time for IPv4 single-stack clusters. IPv6 remains enabled at the kernel level on nodes even in IPv4 single-stack clusters."

Anyway, in a follow-up I will adjust the code to avoid future possible discrepancies.