feat: Cisco NXOS VPCs

Multi-Chassis Link Aggregation (MC-LAG) is quite vendor and platform
specific. We don't see much intersection in their respective
configuration to justify a common API type. Instead, we move forward
with a platform specific API exclusive to Cisco NXOS devices.

This commit adds new types, controller, and provider to configure
virtual Port Channels (vPCs) via the operator.

Implementation note: Consider the following information about the YANG
model for configuring a vPC:
* each vPC configured in the domain appears in the tree in this
  location: `vpc-items/inst-items/dom-items/if-items/If-list[id=30]`
(where `30` is the vPC ID)
* the peer-link interface is configured here:
  `vpc-items/inst-items/dom-items/keepalive-items/peerlink-items[id=po10]`

The interfaces will be added to the vPC config by the LAG provider and
not by this controller.  Hence, if we apply a gNMI Replace operation on
the xpath returned by VPC.XPath() we would remove any existing vPC
interfaces. A gNMI Update operation will not modify the configuration
introduced by the LAG provider.

Author: nikatza

PROJECT

@@ -118,4 +118,13 @@ resources:
   kind: ISIS
   path: github.com/ironcore-dev/network-operator/api/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: cloud.sap
+  group: networking
+  kind: NXOSVPC
+  path: github.com/ironcore-dev/network-operator/api/v1alpha1
+  version: v1alpha1
 version: "3"

Tiltfile

@@ -78,6 +78,10 @@ k8s_resource(new_name='managementaccess', objects=['managementaccess:managementa
 k8s_yaml('./config/samples/v1alpha1_isis.yaml')
 k8s_resource(new_name='underlay', objects=['underlay:isis'], resource_deps=['lo0', 'lo1', 'eth1-1', 'eth1-2'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
+# TODO: add resource_deps=['po1', 'po2'] when port-channel resource is implemented
+k8s_yaml('./config/samples/v1alpha1_nxosvpc.yaml')
+k8s_resource(new_name='vpc', objects=['nxosvpc:nxosvpc'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+
 print('🚀 network-operator development environment')
 print('👉 Edit the code inside the api/, cmd/, or internal/ directories')
 print('👉 Tilt will automatically rebuild and redeploy when changes are detected')

api/v1alpha1/nxosvpc_types.go

@@ -0,0 +1,157 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// NXOSVPCSpec defines the desired state of NXOSVPC (Cisco's NXOS Virtual Port Channel)
+type NXOSVPCSpec struct {
+	// DeviceName is the name of the Device this object belongs to. The Device object must exist in the same namespace.
+	// Immutable.
+	// +required
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="DeviceRef is immutable"
+	DeviceRef LocalObjectReference `json:"deviceRef"`
+
+	// DomainID is the vPC domain ID.
+	// +required
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=1000
+	DomainID uint16 `json:"domainId"`
+
+	// AdminState is the administrative state of the vPC domain.
+	// +required
+	// +kubebuilder:default="enabled"
+	// +kubebuilder:validation:Enum=enabled;disabled
+	AdminState string `json:"adminState"`
+
+	// RolePriority is the role priority for this vPC domain.
+	// +required
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=65535
+	RolePriority uint16 `json:"rolePriority"`
+
+	// SystemPriority is the system priority for this vPC domain.
+	// +required
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=65535
+	SystemPriority uint16 `json:"systemPriority"`
+
+	// DelayRestoreSVI is the delay in bringing up bringing-up the interface-vlan
+	// +required
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=3600
+	DelayRestoreSVI uint16 `json:"delayRestoreSVI"`
+
+	// DelayRestoreVPC is the delay in bringing up the vPC links after restoring the peer-link
+	// +required
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=3600
+	DelayRestoreVPC uint16 `json:"delayRestoreVPC"`
+
+	// +required
+	FastConvergence AdminSt `json:"fastConvergence"`
+
+	// +required
+	Peer Peer `json:"peer"`
+}
+
+// AdminSt represents administrative state (enabled/disabled)
+type AdminSt struct {
+	// +required
+	Enabled bool `json:"enabled"`
+}
+
+type Peer struct {
+	// +required
+	KeepAlive KeepAlive `json:"keepalive"`
+
+	// +required
+	AutoRecovery AutoRecovery `json:"autoRecovery"`
+
+	// +required
+	Switch AdminSt `json:"switch"`
+
+	// +required
+	Gateway AdminSt `json:"gateway"`
+
+	// Router defines layer3 peer-router settings
+	// +required
+	Router AdminSt `json:"router"`
+}
+
+type KeepAlive struct {
+	// Destination is the destination IP address
+	// +required
+	Destination string `json:"destination"`
+
+	// Source is the source IP address
+	// +required
+	Source string `json:"source"`
+
+	// +optional
+	VRF string `json:"vrf,omitempty"`
+}
+
+// AutoRecovery holds autorecovery settings.
+// +kubebuilder:validation:XValidation:rule="self.enabled ? has(self.reloadDelay) : !has(self.reloadDelay)",message="reloadDelay must be set when enabled and absent when disabled"
+type AutoRecovery struct {
+	// +required
+	Enabled bool `json:"enabled,omitempty"`
+
+	// +optional
+	// +kubebuilder:validation:Minimum=60
+	// +kubebuilder:validation:Maximum=3600
+	ReloadDelay uint32 `json:"reloadDelay,omitempty"`
+}
+
+// NXOSVPCStatus defines the observed state of NXOSVPC.
+type NXOSVPCStatus struct {
+	// The conditions are a list of status objects that describe the state of the VPC.
+	//+listType=map
+	//+listMapKey=type
+	//+patchStrategy=merge
+	//+patchMergeKey=type
+	//+optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:path=nxosvpcs
+// +kubebuilder:resource:singular=nxosvpc
+// +kubebuilder:resource:shortName=vpc
+// +kubebuilder:printcolumn:name="Domain",type=string,JSONPath=`.spec.domainId`
+// +kubebuilder:printcolumn:name="AdminState",type=string,JSONPath=`.spec.adminState`
+// +kubebuilder:printcolumn:name="Device",type=string,JSONPath=`.spec.deviceRef.name`
+// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status`
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+
+// NXOSVPC is the Schema for the nxosvpcs API
+type NXOSVPC struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec defines the desired state of NXOSVPC
+	// +required
+	Spec NXOSVPCSpec `json:"spec,omitempty"`
+
+	// status defines the observed state of NXOSVPC
+	// +optional
+	Status NXOSVPCStatus `json:"status,omitempty,omitzero"`
+}
+
+// +kubebuilder:object:root=true
+
+// NXOSVPCList contains a list of NXOSVPC
+type NXOSVPCList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []NXOSVPC `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&NXOSVPC{}, &NXOSVPCList{})
+}

api/v1alpha1/zz_generated.deepcopy.go

@@ -337,6 +337,17 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "ISIS")
 		os.Exit(1)
 	}
+
+	if err := (&controller.NXOSVPCReconciler{
+		Client:           mgr.GetClient(),
+		Scheme:           mgr.GetScheme(),
+		Recorder:         mgr.GetEventRecorderFor("nxosvpc-controller"),
+		WatchFilterValue: watchFilterValue,
+		Provider:         prov,
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "NXOSVPC")
+		os.Exit(1)
+	}
 	// +kubebuilder:scaffold:builder
 
 	if metricsCertWatcher != nil {