net, evpn: refactor helpers for independent endpoint deployment

[servolkov]

What this PR does / why we need it:

Separate shared EVPN infrastructure (bridge VLAN/VNI mappings, L3 VRF) from per-endpoint setup so multiple endpoints can coexist independently.

• Move VLAN/VNI mappings into deploy_evpn_bridge (shared, created once)
• Extract deploy_evpn_l3_vrf/teardown_evpn_l3_vrf from L3 endpoint
• Use uuid-suffixed netns/veth names for endpoint isolation
• Teardown functions take EvpnEndpoint instead of raw pod/vni args
• Update test_source_provider_migration to use new signatures

Which issue(s) this PR fixes:

Special notes for reviewer:

jira-ticket:

NONE

Summary by CodeRabbit

Release Notes

• Tests
  • Refactored EVPN test infrastructure to separate L3 VRF provisioning from endpoint provisioning for improved test modularity.
  • Enhanced endpoint isolation using unique namespace naming for each endpoint in test scenarios.
  • Updated test fixture dependencies and simplified function signatures for cleaner test setup and teardown flows.

[coderabbitai]

📝 Walkthrough

Walkthrough

Refactors EVPN endpoint deployment in libevpn.py to use UUID-based per-endpoint netns/veth naming for both L2 and L3 flows. Splits L3 VRF provisioning into a dedicated deploy_evpn_l3_vrf/teardown_evpn_l3_vrf pair with a _build_l3_vrf_commands helper. Removes VNI parameters from endpoint deploy/teardown signatures. Updates conftest.py with a new external_l3_vrf fixture and threads all signature changes through test_evpn_connectivity.py.

Changes

EVPN endpoint lifecycle refactor

Layer / File(s)	Summary
Bridge and VLAN/VNI command wiring for L2+L3 tests/network/bgp/evpn/libevpn.py	deploy_evpn_bridge gains explicit l2_vni/l3_vni parameters; _build_bridge_commands adds per-VLAN VNI mapping and tunnel_info id entries for both _L2_VID and _L3_VID.
UUID netns-per-endpoint L2 deploy/teardown tests/network/bgp/evpn/libevpn.py	deploy_evpn_l2_endpoint drops vni param and generates a unique netns via UUID, returning EvpnEndpoint; teardown_evpn_l2_endpoint accepts EvpnEndpoint and deletes only that endpoint's netns and veth; _build_l2_endpoint_commands now returns (commands, netns).
L3 VRF extraction into _build_l3_vrf_commands + deploy/teardown_evpn_l3_vrf tests/network/bgp/evpn/libevpn.py	_build_l3_vrf_commands(vni) centralizes sysctl/VRF/SVI creation commands; deploy_evpn_l3_vrf uses it and configures external FRR BGP; teardown_evpn_l3_vrf removes shared VRF artifacts independently of endpoint lifecycle.
UUID netns-per-endpoint L3 deploy/teardown tests/network/bgp/evpn/libevpn.py	deploy_evpn_l3_endpoint drops vni param, attaches pod-side veth into shared _L3_VRF_NAME with gateway IPs, assigns endpoint IPs in a UUID-named netns with default routes, and returns EvpnEndpoint; teardown_evpn_l3_endpoint removes only that endpoint's netns/veth.
Fixture wiring: external_l3_vrf + updated bridge/endpoint fixtures tests/network/bgp/evpn/conftest.py	Imports deploy/teardown_evpn_l3_vrf; bridge fixture passes l2_vni/l3_vni; external_l2_endpoint and external_l3_endpoint drop VNI args and teardown via EvpnEndpoint; new module-scoped external_l3_vrf fixture is added and external_l3_endpoint depends on it.
test_source_provider_migration updated tests/network/bgp/evpn/test_evpn_connectivity.py	Replaces cudn_evpn_layer2 with external_l2_endpoint; teardown and redeploy of the L2 endpoint use the new EvpnEndpoint-based signatures without explicit vni.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• net, evpn: refactor helpers for independent endpoint deployment - 5248 #5249: Directly tracks this refactoring — UUID-based per-endpoint netns, separation of L3 VRF from endpoint provisioning, and removal of VNI params from endpoint signatures are exactly what this PR implements.

Possibly related PRs

• RedHatQE/openshift-virtualization-tests#4817: Originally introduced deploy_evpn_l2_endpoint/teardown_evpn_l2_endpoint, external_l2_endpoint fixture, and the test_source_provider_migration test that this PR now updates with the new EvpnEndpoint-based signatures.

Suggested reviewers

• vsibirsk
• RoniKishner
• nirdothan
• EdDev

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and accurately describes the main change: refactoring EVPN helpers to support independent endpoint deployment.
Description check	✅ Passed	The description covers all required sections with clear, specific information about what changed and why, though the 'Special notes for reviewer' section is empty.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stp Link Required	✅ Passed	No new test files or new test functions were added in this PR; only existing functions and fixtures were modified. STP link requirement does not apply.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Linked repositories: Your configuration references 1 linked repositories, but your current plan allows 0. Analyzed ``, skipped RedHatQE/openshift-virtualization-tests-design-docs.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-virtualization-qe-bot-2]

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

• Reviewer Assignment: Reviewers are automatically assigned based on the OWNERS file in the repository root
• Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are automatically applied based on changes
• Issue Creation: A tracking issue is created for this PR and will be closed when the PR is merged or closed
• Branch Labeling: Branch-specific labels are applied to track the target branch
• Auto-verification: Auto-verified users have their PRs automatically marked as verified
• Labels: Enabled categories: branch, can-be-merged, cherry-pick, has-conflicts, hold, needs-rebase, size, verified, wip

📋 Available Commands

PR Status Management

• /wip - Mark PR as work in progress (adds WIP: prefix to title)
• /wip cancel - Remove work in progress status
• /hold - Block PR merging (approvers only)
• /hold cancel - Unblock PR merging
• /verified - Mark PR as verified
• /verified cancel - Remove verification status
• /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)
• /regenerate-welcome - Regenerate this welcome message
• /security-override - Set security check runs to pass (maintainers only)
• /security-override cancel - Re-run security checks

Review & Approval

• /lgtm - Approve changes (looks good to me)
• /approve - Approve PR (approvers only)
• /assign-reviewers - Assign reviewers based on OWNERS file
• /assign-reviewer @username - Assign specific reviewer
• /check-can-merge - Check if PR meets merge requirements

Testing & Validation

• /retest tox - Run Python test suite with tox
• /retest build-container - Rebuild and test container image
• /retest verify-bugs-are-open - verify-bugs-are-open
• /retest all - Run all available tests

Container Operations

• /build-and-push-container - Build and push container image (tagged with PR number)
  • Supports additional build arguments: /build-and-push-container --build-arg KEY=value

Cherry-pick Operations

• /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
  • Multiple branches: /cherry-pick branch1 branch2 branch3
• /cherry-pick-retry <branch> - Retry a failed cherry-pick (merged PRs only)

Branch Management

• /rebase - Rebase this PR branch onto its base branch

Label Management

• /<label-name> - Add a label to the PR
• /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

1. Approval: /approve from at least one approver
2. LGTM Count: Minimum 2 /lgtm from reviewers
3. Status Checks: All required status checks must pass
4. No Blockers: No wip, hold, has-conflicts labels and PR must be mergeable (no conflicts)
5. Verified: PR must be marked as verified

📊 Review Process

Approvers and Reviewers

Approvers:

• EdDev
• rnetser

Reviewers:

• Anatw
• EdDev
• azhivovk
• frenzyfriday
• nirdothan
• orelmisan
• rnetser
• servolkov
• yossisegev

Available Labels

• hold
• verified
• wip
• lgtm
• approve

AI Features

• Cherry-Pick Conflict Resolution: Enabled (claude/claude-opus-4-6[1m])

Security Checks

• Suspicious Path Detection: Monitors paths: .claude/, .vscode/, .cursor/, .devcontainer/, .pi/, .github/workflows/, .github/actions/
• Committer Identity Check: Verifies last committer matches PR author
• Mandatory: Security checks block merge (use /security-override to bypass — maintainers only)

💡 Tips

• WIP Status: Use /wip when your PR is not ready for review
• Verification: The verified label is removed on new commits unless the push is detected as a clean rebase
• Cherry-picking: Cherry-pick labels are processed when the PR is merged
• Container Builds: Container images are automatically tagged with the PR number
• Permission Levels: Some commands require approver permissions
• Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/network/bgp/evpn/test_evpn_connectivity.py (1)

215-231: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

HIGH: new_l2_endpoint is created but never torn down

After switching to endpoint-object teardown, this test removes the old endpoint but does not clean the newly deployed new_l2_endpoint. That leaves endpoint lifecycle asymmetric and risks stale netns/veth artifacts in the FRR pod.

Suggested fix

     new_l2_endpoint = deploy_evpn_l2_endpoint(
         pod=frr_external_pod.pod,
         endpoint_ips=[_L2_ENDPOINT_IPV4, _L2_ENDPOINT_IPV6],
     )
-
-    assert_evpn_workloads_connectivity(
-        target_vm=vm_evpn_target,
-        ref_vm=vm_source_provider,
-        l2_endpoint=new_l2_endpoint,
-        l3_endpoint=external_l3_endpoint,
-        subtests=subtests,
-    )
+    try:
+        assert_evpn_workloads_connectivity(
+            target_vm=vm_evpn_target,
+            ref_vm=vm_source_provider,
+            l2_endpoint=new_l2_endpoint,
+            l3_endpoint=external_l3_endpoint,
+            subtests=subtests,
+        )
+    finally:
+        teardown_evpn_l2_endpoint(endpoint=new_l2_endpoint)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/network/bgp/evpn/test_evpn_connectivity.py` around lines 215 - 231, The
test creates new_l2_endpoint by calling deploy_evpn_l2_endpoint() but never
cleans it up, leaving the endpoint lifecycle asymmetric and risking stale
artifacts in the FRR pod. After the assert_evpn_workloads_connectivity() call
completes, add a teardown_evpn_l2_endpoint(endpoint=new_l2_endpoint) call to
properly clean up the newly deployed endpoint and maintain symmetric resource
management consistent with how external_l2_endpoint is torn down at the
beginning.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/network/bgp/evpn/libevpn.py`:
- Around line 214-218: The UUID suffix generation using uuid.uuid4().hex[:3]
only provides 4096 unique combinations. To improve collision resistance for
potential higher parallelism or longer-lived namespaces in future test
scenarios, extend the hex suffix length from 3 characters to 4 or 5 characters
in the suffix assignment. This change requires modifying only the string slicing
operation where the suffix is generated (uuid.uuid4().hex[:3]) to use a longer
substring, which will then be propagated to all the dependent variables like
netns, veth_pod, and veth_ep that use this suffix.

---

Outside diff comments:
In `@tests/network/bgp/evpn/test_evpn_connectivity.py`:
- Around line 215-231: The test creates new_l2_endpoint by calling
deploy_evpn_l2_endpoint() but never cleans it up, leaving the endpoint lifecycle
asymmetric and risking stale artifacts in the FRR pod. After the
assert_evpn_workloads_connectivity() call completes, add a
teardown_evpn_l2_endpoint(endpoint=new_l2_endpoint) call to properly clean up
the newly deployed endpoint and maintain symmetric resource management
consistent with how external_l2_endpoint is torn down at the beginning.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 817e2f6a-73c7-454e-a8cc-4d135427ab67

📥 Commits

Reviewing files that changed from the base of the PR and between 6730968 and 7d5c838.

📒 Files selected for processing (3)

• tests/network/bgp/evpn/conftest.py
• tests/network/bgp/evpn/libevpn.py
• tests/network/bgp/evpn/test_evpn_connectivity.py