# =============================================================================
# NetworkAttachmentDefinition — PROD VLAN 57 bridge
# =============================================================================
# Purpose: makes KubeVirt VMs reachable on the PROD VLAN (10.0.57.0/24)
# alongside the existing pod network. Required for ci1 to bridge onto PROD
# (e.g. to provision/scrape edge1, edge2, kiosks, Pis on the same L2 segment).
#
# **DEPLOY GATE — Phase 1.5 host work required first**:
# On every RKE2 node (rke2-server, rke2-agent1, rke2-agent2):
# 1. Switch port (UniFi USL16LP) trunks VLAN 57 to the node — usually
#    already true since BLUEJAY-WS reaches 10.0.57.x services. Note that
#    `ip link show enp86s0.57` only proves the local sub-interface exists
#    once configured; to prove the switch really trunks VLAN 57 to this node,
#    run `tcpdump -ni enp86s0 vlan 57` and ping a known PROD host.
# 2. Linux bridge `br-prod` enslaving `enp86s0.57` (VLAN sub-interface).
#    NetworkManager profile examples in the runbook below.
# 3. Verify Multus DaemonSet `kube-multus-ds` is Ready on all nodes.
#
# Without those, applying this NAD has no effect beyond creating the NAD
# object in the API (the NetworkAttachmentDefinition CRD itself is installed
# with Multus, not by this file). A VM that requests this NAD with no bridge
# present will fail with:
#   `error adding pod kubevirt-vms_ci1 to CNI network "prod-vlan57": failed to
#    plumb VLAN: open /sys/class/net/br-prod/master: no such file or directory`
#
# Configuration notes:
# - cniVersion 0.3.1 to match Multus daemon-config.json
# - mtu 1500 (matches enp86s0 default; bump if jumbo frames configured)
# - bridge name `br-prod` is convention; if Puppet picks a different name
#   (e.g. `br57`, `br-vlan57`), edit BOTH this NAD and the ci1.yaml
#   interface block. Keep them in sync.
# - vlan: 0 because the host bridge already strips the VLAN tag (br-prod sits
#   on top of `enp86s0.57`). If we instead used a VLAN-aware bridge with a
#   trunk port, set vlan: 57 here. Current convention is VLAN-stripped at
#   the sub-interface, so the bridge passes untagged frames.
# Apply:
#   kubectl --kubeconfig $env:USERPROFILE\.kube\rke2.yaml apply -f apps/kubevirt-vms/prod-vlan57-nad.yaml
#
# Then update ci1.yaml networks: stanza to:
#   - name: prod-net
#     multus:
#       networkName: kubevirt-vms/prod-vlan57
# and the interface block from `masquerade` to `bridge`.
# =============================================================================
---
# The kubevirt-vms namespace must already exist (created by ci1.yaml's first
# document); this file only adds a NAD to it.
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: prod-vlan57
  namespace: kubevirt-vms
  # Operator-facing documentation of the PROD segment. Nothing in this file
  # consumes these annotations; the bridge plugin reads spec.config only.
  annotations:
    bluejay.iamworkin.lan/cidr: "10.0.57.0/24"
    bluejay.iamworkin.lan/gateway: "10.0.57.1"
    bluejay.iamworkin.lan/dns: "10.0.56.1 (pfSense Unbound)"
    bluejay.iamworkin.lan/host-bridge: "br-prod (enslaves enp86s0.57)"
spec:
  # Bridge CNI configuration, handed to the plugin verbatim as JSON.
  #
  # SECURITY NOTE(review): a VM attached here gets raw L2 on PROD next to
  # edge1/edge2/kiosks/Pis. Kubernetes NetworkPolicy is enforced by the
  # primary CNI on the pod network only, and nothing in this config filters
  # the secondary attachment; no MAC/IP spoof protection is enabled either
  # (the bridge plugin's "macspoofchk" option is not set). Harden ci1 as you
  # would any PROD host. Confirm plugin-version support before relying on
  # macspoofchk with KubeVirt bridge binding.
  #
  # Field notes:
  # - "ipam": {}            the CNI assigns no address; the guest must DHCP or
  #                         be statically configured for 10.0.57.0/24.
  # - "promiscMode": true   the plugin sets br-prod itself promiscuous; per the
  #                         bridge plugin this cannot be combined with
  #                         hairpinMode.
  # - "vlan": 0             untagged on the bridge; tagging happens on
  #                         enp86s0.57 (see header).
  # - "preserveDefaultVlan" only consulted by the plugin when vlan/vlanTrunk
  #                         is set, so presumably a no-op at vlan 0 — verify
  #                         against the installed plugin version.
  config: |
    {
      "cniVersion": "0.3.1",
      "name": "prod-vlan57",
      "type": "bridge",
      "bridge": "br-prod",
      "mtu": 1500,
      "vlan": 0,
      "preserveDefaultVlan": false,
      "promiscMode": true,
      "ipam": {}
    }