feat: custom DHCP relay source interface

[edipascale]

No description provided.

[github-actions]

🚀 Temp artifacts published: v0-006df36f1 🚀

[github-actions]

🚀 Temp artifacts published: v0-06251f167 🚀

[github-actions]

🚀 Temp artifacts published: v0-6a101c614 🚀

[github-actions]

🚀 Temp artifacts published: v0-4e15df5d3 🚀

[github-actions]

🚀 Temp artifacts published: v0-60d874cc1 🚀

[github-actions]

🚀 Temp artifacts published: v0-6a98cd9e2 🚀

[edipascale]

@Frostman this appears to work fine now, in that I see the DHCP packets sent to a server in another VPC. However we should probably decide what exactly the user should be able to configure when using DHCP relay, e.g.:

• source interface: @mrbojangles3 was of the opinion that it's best not to expose this, if I understood him right
• link-select: does not work if source interface is not specified (BCM SONiC will not accept that config), so it's linked to the previous item
• vrf-select: right now I am always keeping it on but maybe that is not what customers want

[Copilot]

Pull request overview

Adds support for selecting a DHCP relay “source VRF” (via a referenced VPC) when configuring DHCP relay behavior, plumbing this through the VPC API → agent planning → BCM OpenConfig rendering, and documenting/exposing the new field in CRDs.

Changes:

• Add relayVPC to VPCDHCP (API + CRDs + docs) and validate its usage/existence.
• Extend dozer DHCP relay spec with an optional vrf and render/unmarshal it in BCM OpenConfig DHCP relay config.
• Update BCM planning to omit the relay source interface for non-control-plane relay, and optionally set relay VRF derived from relayVPC.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
pkg/agent/dozer/dozer.go	Extends internal dozer DHCP relay spec with optional VRF.
pkg/agent/dozer/bcm/spec_dhcp.go	Plumbs new VRF field into OpenConfig marshal/unmarshal for DHCP relay.
pkg/agent/dozer/bcm/plan.go	Sets relay source interface conditionally and derives relay VRF from relayVPC.
api/vpc/v1beta1/vpc_types.go	Adds relayVPC to the API and validates correct usage + referenced VPC existence.
config/crd/bases/vpc.githedgehog.com_vpcs.yaml	Exposes relayVPC in the VPC CRD schema.
config/crd/bases/agent.githedgehog.com_agents.yaml	Exposes relayVPC in the Agent CRD schema (embedded VPC DHCP config).
docs/api.md	Documents the new relayVPC field in VPCDHCP.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

New RelayVPC validation branches are added (rejecting relayVPC without relay, and verifying the referenced VPC exists via kube.Get), but there are currently no unit tests covering VPC.Validate. Since this package already uses fake-client validation tests for other resources, consider adding tests to cover the new RelayVPC cases (missing relay, not-found VPC, success path).

[Copilot]

When RelayVPC is set, the plan derives a relay VRF name but doesn't verify that VRF is actually present in spec.VRFs for this agent. If the relay VPC isn't configured on this switch, this can generate a DHCP relay config that references a non-existent VRF and fail during apply. Consider validating spec.VRFs[vpcVrfName(subnet.DHCP.RelayVPC)] exists (similar to the static external WithinVPC check) or ensuring the relay VPC VRF is planned on-demand.

Suggested change

	relayVRF = pointer.To(vpcVrfName(subnet.DHCP.RelayVPC))
	relayVRFName := vpcVrfName(subnet.DHCP.RelayVPC)
	if _, ok := spec.VRFs[relayVRFName]; !ok {
	return errors.Errorf("DHCP relay VPC %s is not configured on this switch (missing VRF %s)", subnet.DHCP.RelayVPC, relayVRFName)
	}
	relayVRF = pointer.To(relayVRFName)

[Copilot]

Same issue as above in the L3Flat planning path: RelayVPC-derived VRF is used without checking that the VRF exists in spec.VRFs for this agent, which can yield invalid relay-agent config if the relay VPC isn't otherwise planned on this switch. Add a presence check (or plan the VRF) before setting relayVRF.

Suggested change

	relayVRF = pointer.To(vpcVrfName(subnet.DHCP.RelayVPC))
	vrfName := vpcVrfName(subnet.DHCP.RelayVPC)
	if _, ok := spec.VRFs[vrfName]; ok {
	relayVRF = pointer.To(vrfName)
	} else {
	slog.Warn("DHCP relay VRF not found in spec.VRFs; skipping relayVRF assignment",
	"vpc", vpcName,
	"subnet", subnetName,
	"relayVPC", subnet.DHCP.RelayVPC,
	"vrf", vrfName,
	)
	}

[Frostman]

@Frostman this appears to work fine now, in that I see the DHCP packets sent to a server in another VPC. However we should probably decide what exactly the user should be able to configure when using DHCP relay, e.g.:

• source interface: @mrbojangles3 was of the opinion that it's best not to expose this, if I understood him right
• link-select: does not work if source interface is not specified (BCM SONiC will not accept that config), so it's linked to the previous item
• vrf-select: right now I am always keeping it on but maybe that is not what customers want

link/vrf-select is just extra metadata on the request, so it should be fine
as for the source interface it's a bit more interesting - the main question would be if server running in other vpc would be able to reply to the request and it'll be relayed back to the client correctly

[edipascale]

@Frostman this appears to work fine now, in that I see the DHCP packets sent to a server in another VPC. However we should probably decide what exactly the user should be able to configure when using DHCP relay, e.g.:

• source interface: @mrbojangles3 was of the opinion that it's best not to expose this, if I understood him right
• link-select: does not work if source interface is not specified (BCM SONiC will not accept that config), so it's linked to the previous item
• vrf-select: right now I am always keeping it on but maybe that is not what customers want

link/vrf-select is just extra metadata on the request, so it should be fine as for the source interface it's a bit more interesting - the main question would be if server running in other vpc would be able to reply to the request and it'll be relayed back to the client correctly

from the broadcom user guide, that shouldn't matter:

If you do not specify the source interface, the source IP address in the relayed packet is automatically determined based on the outgoing interface. The system chooses the first address (IPv4 or IPv6) configured on the interface which falls in the same network as the destination address or next hop router.

So the request will have the SAG address of the VPC, as confirmed by my testing:

core@server-02 ~ $ sudo tcpdump -ni enp2s1.1002 udp port 67 or port 68
dropped privs to pcap
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp2s1.1002, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:24:09.971594 IP 10.0.2.1.67 > 10.0.2.2.67: BOOTP/DHCP, Request from 0c:20:12:fe:03:01, length 348