id: T022
name: NovaNET Control-Plane Hooks
goal: Deepen NovaNET with DHCP, gateway/routing, and full ACL rule translation for production-ready overlay networking
status: complete
priority: P1
owner: peerA (strategy) + peerB (implementation)
created: 2025-12-08
depends_on: [T019]
context: |
  T019 established NovaNET with OVN integration (mock/real modes):
  - Logical Switch (VPC) lifecycle
  - Logical Switch Port create/delete
  - Basic ACL create/delete

  Missing for production use:
  - DHCP: VMs need automatic IP assignment within subnets
  - Gateway router: External connectivity (SNAT/DNAT, floating IPs)
  - BGP: Route advertisement for external reachability
  - ACL deepening: Current ACL is basic "allow-related"; need full rule translation

  POR.md Next: "T022 NovaNET spec deepening + control-plane hooks (DHCP/BGP/ACL)"
acceptance:
  - DHCP options configured on OVN logical switches
  - Gateway router for external connectivity (SNAT at minimum)
  - ACL rules properly translate SecurityGroupRule → OVN ACL (protocol, port, CIDR)
  - Integration test validates DHCP + gateway flow
  - cargo test passes
steps:
  - step: S1
    name: DHCP Options Integration
    done: OVN DHCP options configured per subnet, VMs receive IP via DHCP
    status: complete
    owner: peerB
    outputs:
      - path: novanet/crates/novanet-types/src/dhcp.rs
        note: DhcpOptions type with defaults (63L, 2 tests)
      - path: novanet/crates/novanet-server/src/ovn/client.rs
        note: DHCP methods - create/delete/bind (3 methods, 3 tests)
      - path: novanet/crates/novanet-server/src/ovn/mock.rs
        note: Mock DHCP support for testing
      - path: novanet/crates/novanet-types/src/subnet.rs
        note: Added dhcp_options field to Subnet
    notes: |
      OVN native DHCP support:
      - ovn-nbctl dhcp-options-create
      - Set options: router, dns_server, lease_time
      - Associate with logical switch ports

      Implementation:
      1. Add DhcpOptions type to novanet-types
      2. Extend OvnClient with configure_dhcp_options()
      3. Wire subnet creation to auto-configure DHCP
      4. Unit test with mock OVN state
  - step: S2
    name: Gateway Router + SNAT
    done: Logical router connects VPC to external network, SNAT for outbound traffic
    status: complete
    owner: peerB
    outputs:
      - path: novanet/crates/novanet-server/src/ovn/client.rs
        note: Router methods (create/delete/add_port/snat) +410L, 7 tests
      - path: novanet/crates/novanet-server/src/ovn/mock.rs
        note: Mock router state tracking (MockRouter, MockSnatRule)
    notes: |
      Implemented:
      - create_logical_router(name) -> UUID
      - add_router_port(router_id, switch_id, cidr, mac) -> port_id
      - configure_snat(router_id, external_ip, logical_ip_cidr)
      - delete_logical_router(router_id) with cascade cleanup

      OVN command flow:
      1. lr-add
      2. lrp-add
      3. lsp-add (switch side)
      4. lsp-set-type router
      5. lr-nat-add snat

      Tests: 39/39 passing (7 new router tests)

      Traffic flow: VM → gateway (router port) → SNAT → external
  - step: S3
    name: ACL Rule Translation
    done: SecurityGroupRule fully translated to OVN ACL (protocol, port range, CIDR)
    status: complete
    owner: peerB
    outputs:
      - path: novanet/crates/novanet-server/src/ovn/acl.rs
        note: ACL translation module (428L, 10 tests)
    notes: |
      Implemented:
      - build_acl_match(): SecurityGroupRule → OVN match expression
      - build_port_match(): port ranges (single, range, min-only, max-only, any)
      - rule_direction_to_ovn(): ingress→to-lport, egress→from-lport
      - calculate_priority(): specificity-based priority (600-1000)
      - Full docstrings with examples

      OVN ACL format: ovn-nbctl acl-add ""

      Match examples:
      - "tcp && tcp.dst == 80"
      - "ip4.src == 10.0.0.0/8"
      - "icmp4"
  - step: S4
    name: BGP Integration (Optional)
    done: External route advertisement via BGP (or defer with design doc)
    status: deferred
    priority: P2
    owner: peerB
    notes: |
      Deferred to P2 - not required for MVP-Beta.

      Options for future:
      A) OVN + FRRouting integration (ovn-bgp-agent)
      B) Dedicated BGP daemon (gobgp, bird)
      C) Static routing for initial implementation
  - step: S5
    name: Integration Test
    done: E2E test validates DHCP → IP assignment → gateway → external reach
    status: complete
    owner: peerB
    outputs:
      - path: novanet/crates/novanet-server/tests/control_plane_integration.rs
        note: E2E control-plane integration tests (534L, 9 tests)
    notes: |
      Implemented:
      - Full control-plane flow: VPC → Subnet+DHCP → Port → SecurityGroup → ACL → Router → SNAT
      - Multi-tenant isolation validation
      - Mock OVN state verification at each step
      - 9 comprehensive test scenarios covering all acceptance criteria
blockers: []
evidence: []
notes: |
  Priority within T022:
  - P0: S1 (DHCP), S3 (ACL) - Required for VM network bootstrap
  - P1: S2 (Gateway) - Required for external connectivity
  - P2: S4 (BGP) - Design-only acceptable; implementation can defer

  OVN reference:
  - https://docs.ovn.org/en/latest/ref/ovn-nb.5.html
  - DHCP_Options, Logical_Router, NAT tables
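
The S3 notes above describe the four translation pieces (match, port range, direction, priority) without showing how they compose. The following is an added illustration, not the novanet-server acl.rs module: a self-contained Rust translator from a SecurityGroupRule to the direction/priority/match/action tuple that ovn-nbctl acl-add takes. The type and field names, the rejection of inconsistent port ranges, and the priority weights inside the 600-1000 band are this example's own assumptions.

```rust
// Added example (not novanet-server's acl.rs): SecurityGroupRule -> OVN ACL.
// Type/field names and the priority weights are this example's assumptions.

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Direction { Ingress, Egress }

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Protocol { Tcp, Udp, Icmp, Any }

#[derive(Clone, Debug)]
pub struct SecurityGroupRule {
    pub direction: Direction,
    pub protocol: Protocol,
    pub port_min: Option<u16>,
    pub port_max: Option<u16>,
    /// Remote IPv4 prefix in CIDR notation, assumed already validated.
    pub remote_cidr: Option<String>,
}

/// The ACL row handed to ovn-nbctl acl-add: direction, priority, match, action.
#[derive(Debug, PartialEq)]
pub struct OvnAcl {
    pub direction: &'static str,
    pub priority: u16,
    pub r#match: String,
    pub action: &'static str,
}

/// Ingress (traffic delivered to the VM port) -> to-lport, egress -> from-lport.
pub fn rule_direction_to_ovn(d: Direction) -> &'static str {
    match d {
        Direction::Ingress => "to-lport",
        Direction::Egress => "from-lport",
    }
}

/// Port clause for the five cases: single port, range, min-only, max-only, any.
pub fn build_port_match(proto: &str, min: Option<u16>, max: Option<u16>) -> Option<String> {
    match (min, max) {
        (Some(a), Some(b)) if a == b => Some(format!("{proto}.dst == {a}")),
        (Some(a), Some(b)) => Some(format!("{proto}.dst >= {a} && {proto}.dst <= {b}")),
        (Some(a), None) => Some(format!("{proto}.dst >= {a}")),
        (None, Some(b)) => Some(format!("{proto}.dst <= {b}")),
        (None, None) => None,
    }
}

/// Build the OVN match expression. Ingress rules constrain ip4.src, egress ip4.dst.
/// Inverted ranges and ports on non-tcp/udp rules are rejected rather than silently dropped.
pub fn build_acl_match(rule: &SecurityGroupRule) -> Result<String, String> {
    let has_ports = rule.port_min.is_some() || rule.port_max.is_some();
    if let (Some(a), Some(b)) = (rule.port_min, rule.port_max) {
        if a > b {
            return Err(format!("port_min {a} exceeds port_max {b}"));
        }
    }
    let mut clauses: Vec<String> = Vec::new();
    match rule.protocol {
        Protocol::Tcp | Protocol::Udp => {
            let p = if rule.protocol == Protocol::Tcp { "tcp" } else { "udp" };
            clauses.push(p.to_string());
            clauses.extend(build_port_match(p, rule.port_min, rule.port_max));
        }
        Protocol::Icmp | Protocol::Any if has_ports => {
            return Err("ports are only valid for tcp/udp".into());
        }
        Protocol::Icmp => clauses.push("icmp4".to_string()),
        Protocol::Any => {}
    }
    if let Some(cidr) = &rule.remote_cidr {
        let field = match rule.direction {
            Direction::Ingress => "ip4.src",
            Direction::Egress => "ip4.dst",
        };
        clauses.push(format!("{field} == {cidr}"));
    }
    if clauses.is_empty() {
        clauses.push("ip4".to_string()); // protocol any, no CIDR: all IPv4 traffic
    }
    Ok(clauses.join(" && "))
}

/// Specificity-based priority in 600..=1000: 600 base, +100 for a fixed protocol,
/// +100 for a port constraint, up to +200 for the CIDR scaled by prefix length
/// (so /32 beats /8 beats /0). These weights are an assumption of this example.
pub fn calculate_priority(rule: &SecurityGroupRule) -> u16 {
    let mut p: u16 = 600;
    if rule.protocol != Protocol::Any { p += 100; }
    if rule.port_min.is_some() || rule.port_max.is_some() { p += 100; }
    if let Some(cidr) = &rule.remote_cidr {
        // A bare address without "/" is treated as a /32 host route.
        let bits: u16 = cidr.split_once('/').map_or(32, |(_, b)| b.parse().unwrap_or(0));
        p += bits.min(32) * 200 / 32;
    }
    p
}

pub fn to_ovn_acl(rule: &SecurityGroupRule) -> Result<OvnAcl, String> {
    Ok(OvnAcl {
        direction: rule_direction_to_ovn(rule.direction),
        priority: calculate_priority(rule),
        r#match: build_acl_match(rule)?,
        action: "allow-related",
    })
}

fn main() {
    // Constructed sample rule: allow TCP/80 from 10.0.0.0/8 into the port.
    let rule = SecurityGroupRule {
        direction: Direction::Ingress,
        protocol: Protocol::Tcp,
        port_min: Some(80),
        port_max: Some(80),
        remote_cidr: Some("10.0.0.0/8".to_string()),
    };
    match to_ovn_acl(&rule) {
        Ok(acl) => println!("ovn-nbctl acl-add <SWITCH-PLACEHOLDER> {} {} '{}' {}",
                            acl.direction, acl.priority, acl.r#match, acl.action),
        Err(e) => eprintln!("rule rejected: {e}"),
    }
}
```

The validation in build_acl_match matters operationally: a rule with port_min greater than port_max, or ports attached to an ICMP rule, would otherwise become a match that either never fires or is broader than intended, which is the kind of silent ACL gap the S3 unit tests should pin down.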