feat: Virtual Tunnel End-Points (VTEPs)

* Adds generic support for VXLAN Tunnel End Point (VTEP). The core type
  `VTEP` requires at least two loopback interfaces on the same device,
and an optional field for Multicastgroup.
* The type `VTEP` has an admission webhook to validate that the provided
  multicast prefix is indeed a multicast prefix. This check is here
limited to checking if first and last addresses are in a multicast
group.
* Adds a Cisco NXOS specfic type `cisco.nx.v1alpha1.VTEPConfig` that can
  be referenced in `ProviderConfigRef`.
* Multicast prefix checks require extending the `IPPrefix` type with two
  methods that provide the first and the last IP in the prefix.
* The `VTEPConfig` also modifies Cisco wide system settings along with
  NVE settings.

Author: nikatza

.golangci.yaml

@@ -130,8 +130,6 @@ linters:
         - github.com/mdlayher/arp
         # for github.com/sapcc/vpa_butler
         - k8s.io/client-go
-        # for CVE-2025-22868
-        - golang.org/x/oauth2
       toolchain-forbidden: true
       go-version-pattern: 1\.\d+(\.0)?$
     gosec:

PROJECT

@@ -176,4 +176,27 @@ resources:
   kind: VLAN
   path: github.com/ironcore-dev/network-operator/api/core/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: networking.metal.ironcore.dev
+  kind: VTEP
+  path: github.com/ironcore-dev/network-operator/api/core/v1alpha1
+  version: v1alpha1
+  webhooks:
+    validation: true
+    webhookVersion: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: cisco.networking.metal.ironcore.dev
+  group: nx
+  kind: VTEPConfig
+  controller: false
+  path: github.com/ironcore-dev/network-operator/api/cisco/nx/v1alpha1
+  version: v1alpha1
+  webhooks:
+    validation: true
+    webhookVersion: v1
 version: "3"

Tiltfile

@@ -102,6 +102,11 @@ k8s_resource(new_name='ospf-underlay', objects=['underlay:ospf'], resource_deps=
 k8s_yaml('./config/samples/v1alpha1_vlan.yaml')
 k8s_resource(new_name='vlan-10', objects=['vlan-10:vlan'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
+k8s_yaml('./config/samples/v1alpha1_vtep.yaml')
+k8s_yaml('./config/samples/cisco/nx/v1alpha1_vtepconfig.yaml')
+k8s_resource(new_name='vtep1', objects=['vtep1:vtep'], trigger_mode=TRIGGER_MODE_MANUAL, resource_deps=['lo0', 'lo1'], auto_init=False)
+k8s_resource(new_name='vtep1-cfg', objects=['vtep1-cfg:vtepconfig'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+
 print('🚀 network-operator development environment')
 print('👉 Edit the code inside the api/, cmd/, or internal/ directories')
 print('👉 Tilt will automatically rebuild and redeploy when changes are detected')

api/cisco/nx/v1alpha1/groupversion_info.go

@@ -22,3 +22,8 @@ var (
 	// AddToScheme adds the types in this group-version to the given scheme.
 	AddToScheme = SchemeBuilder.AddToScheme
 )
+
+// Reasons that are specific to [VTEPConfig] objects.
+const (
+	VTEPConfigAlreadyExistsReason = "VTEPConfigAlreadyExists"
+)

api/cisco/nx/v1alpha1/vtepconfig_types.go

@@ -0,0 +1,84 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	v1alpha1 "github.com/ironcore-dev/network-operator/api/core/v1alpha1"
+)
+
+// +kubebuilder:rbac:groups=nx.cisco.networking.metal.ironcore.dev,resources=vtepconfigs,verbs=get;list;watch
+
+// VTEPConfig defines the Cisco-specific configuration of a VTEP/NVE
+type VTEPConfigSpec struct {
+	// AdvertiseVirtualMAC controls if the VTEP should advertise a virtual MAC address
+	// +optional
+	// +kubebuilder:default=false
+	AdvertiseVirtualMAC *bool `json:"advertiseVirtualMAC,omitempty"`
+
+	// HoldDownTime defines the duration for which the switch suppresses the advertisement of the NVE loopback address.
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=1500
+	// +kubebuilder:default=180
+	HoldDownTime uint16 `json:"holdDownTime,omitempty"`
+
+	// InfraVLANs specifies VLANs used by all SVI interfaces for uplink and vPC peer-links in VXLAN as infra-VLANs.
+	// The total number of VLANs configured must not exceed 512.
+	// Elements in the list must not overlap with each other.
+	// +optional
+	// +kubebuilder:validation:MaxItems=10
+	InfraVLANs []VLANListItem `json:"infraVLANs,omitempty"`
+}
+
+// VLANListItem represents a single VLAN ID or a range start-end. If ID is set, rangeMin and rangeMax must be absent. If ID is absent, both rangeMin
+// and rangeMax must be set.
+// +kubebuilder:validation:XValidation:rule="!has(self.rangeMax) || self.rangeMax > self.rangeMin",message="rangeMax must be greater than rangeMin"
+// +kubebuilder:validation:XValidation:rule="has(self.id) || (has(self.rangeMin) && has(self.rangeMax))",message="either ID or both rangeMin and rangeMax must be set"
+// +kubebuilder:validation:XValidation:rule="!has(self.id) || (!has(self.rangeMin) && !has(self.rangeMax))",message="rangeMin and rangeMax must be omitted when ID is set"
+type VLANListItem struct {
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=3967
+	ID uint16 `json:"id,omitempty"`
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=3967
+	RangeMin uint16 `json:"rangeMin,omitempty"`
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=3967
+	RangeMax uint16 `json:"rangeMax,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=vtepconfigs
+// +kubebuilder:resource:singular=vtepconfig
+
+// VTEPConfig is the Schema for the VTEP API
+type VTEPConfig struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty,omitzero"`
+
+	// spec defines the desired state of VTEP
+	// +required
+	Spec VTEPConfigSpec `json:"spec"`
+}
+
+// +kubebuilder:object:root=true
+
+// VTEPList contains a list of VTEP
+type VTEPConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []VTEPConfig `json:"items"`
+}
+
+// init registers the VTEPConfig type with the core v1alpha1 scheme and sets
+// itself as a dependency for the VTEP core type.
+func init() {
+	v1alpha1.RegisterVTEPDependency(GroupVersion.WithKind("VTEPConfig"))
+	SchemeBuilder.Register(&VTEPConfig{}, &VTEPConfigList{})
+}

api/cisco/nx/v1alpha1/zz_generated.deepcopy.go

@@ -105,6 +105,9 @@ const (
 
 	// WaitingForDependenciesReason indicates that the resource is waiting for its dependencies to be ready.
 	WaitingForDependenciesReason = "WaitingForDependencies"
+
+	// IncompatibleProviderConfigRef indicates that the referenced provider configuration is not compatible with the target platform.
+	IncompatibleProviderConfigRef = "IncompatibleProviderConfigRef"
 )
 
 // Reasons that are specific to [Interface] objects.

api/core/v1alpha1/groupversion_info.go

@@ -38,7 +38,7 @@ type TypedLocalObjectReference struct {
 	// +required
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:MaxLength=253
-	//+kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/)?([a-z0-9]([-a-z0-9]*[a-z0-9])?)$`
+	// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/)?([a-z0-9]([-a-z0-9]*[a-z0-9])?)$`
 	APIVersion string `json:"apiVersion"`
 }