Add conserve mode for VPC offerings

[nvazquez]

Description

Documentation PR: apache/cloudstack-documentation#631

This PR extends the conserve mode for VPCs tiers added on the previous PRs: #8309, #10744 by allowing:

• If conserve_mode = true for network offering (for VPC tier): the public IPs can be used by multiple services (Lb, PortForwarding) - This behaviour already exists since 4.19 (except for Source NAT IP of the VPC)
• With this PR, the public IP used for Source NAT can be reused for multiple services (it was previously restricted to Source NAT only) when VPC conserve_mode = true and network_offering for VPC tier = true

This PR also introduces the following changes:

• Introduce conserve mode for VPC offerings:
  • When a VPC is created from a VPC offering using conserve mode = true: public IP rules can be created on different VPC tiers (when conserve mode = false, the rules are restricted to a single VPC tier).
• All the existing VPC offerings will keep conserve mode = false
• VPC offerings can be created with conserve mode (default value = false on the VPC offering creation)

Fixes: #8317

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

• Create a VPC Offering with Conserve mode enabled selecting:
  • Conserve mode = True
  • Services: Dns, Dhcp, Vpn, UserData, StaticNat, SourceNat, NetworkACL, Portforwarding, Lb as VpcVirtualRouter
• Create VPC selecting the previous VPC Offering
• Create VPC tiers with the default isolated network offering for VPC and deploy VMs on each tier
• Observe the Source NAT IP address can be used for multiple services, create different rules
• Acquire new Public IP address and create rules across different VPC tiers for the same Public IP address

How did you try to break this feature and the system with this change?

[nvazquez]

@blueorangutan package

[blueorangutan]

@nvazquez a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 3.66%. Comparing base (1b0a036) to head (9cf2747).
⚠️ Report is 191 commits behind head on main.

❗ There is a different number of reports uploaded between BASE (1b0a036) and HEAD (9cf2747). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (1b0a036)	HEAD (9cf2747)
unittests	1	0

Additional details and impacted files

@@              Coverage Diff              @@
##               main   #12487       +/-   ##
=============================================
- Coverage     17.84%    3.66%   -14.19%     
=============================================
  Files          5929      454     -5475     
  Lines        531084    38563   -492521     
  Branches      64914     7132    -57782     
=============================================
- Hits          94783     1414    -93369     
+ Misses       425686    36961   -388725     
+ Partials      10615      188    -10427     

Flag	Coverage Δ
uitests	3.66% <ø> (+0.08%)	⬆️
unittests	?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 16471

[nvazquez]

@blueorangutan package

[blueorangutan]

@nvazquez a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✔️ debian ✖️ suse15. SL-JID 16473

[nvazquez]

@blueorangutan package

[blueorangutan]

@nvazquez a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✖️ debian ✔️ suse15. SL-JID 16475

[nvazquez]

@blueorangutan test keepEnv

[blueorangutan]

@nvazquez a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-15239)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 55566 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12487-t15239-kvm-ol8.zip
Smoke tests completed. 147 look OK, 3 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_03_deploy_and_scale_kubernetes_cluster	Failure	26.70	test_kubernetes_clusters.py
test_02_list_cpvm_vm	Failure	0.03	test_ssvm.py
test_04_cpvm_internals	Failure	0.04	test_ssvm.py
test_01_redundant_vpc_site2site_vpn	Failure	392.36	test_vpc_vpn.py

[nvazquez]

@blueorangutan package

[blueorangutan]

@nvazquez a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[weizhouapache]

@nvazquez
any doc PR linked ?

[blueorangutan]

[SF] Trillian test result (tid-15531)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 54970 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12487-t15531-kvm-ol8.zip
Smoke tests completed. 147 look OK, 4 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_LoginApiDomain	Error	7.77	test_accounts.py
ContextSuite context=TestListIdsParams>:teardown	Error	1.17	test_list_ids_parameter.py
test_01_snapshot_root_disk	Error	6.04	test_snapshots.py
test_02_list_snapshots_with_removed_data_store	Error	49.85	test_snapshots.py
test_02_list_snapshots_with_removed_data_store	Error	49.85	test_snapshots.py
ContextSuite context=TestSnapshotStandaloneBackup>:teardown	Error	28.80	test_snapshots.py
test_01_snapshot_usage	Error	30.00	test_usage.py
test_01_vpn_usage	Error	1.09	test_usage.py

[nvazquez]

Thanks @weizhouapache - I have addressed your comments. Documentation PR is: apache/cloudstack-documentation#631

@blueorangutan package

[blueorangutan]

@nvazquez a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16964

[nvazquez]

@blueorangutan package

[blueorangutan]

@nvazquez a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16965

[nvazquez]

@blueorangutan test

[blueorangutan]

@nvazquez a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian Build Failed (tid-15539)

[nvazquez]

@blueorangutan test

[blueorangutan]

@nvazquez a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[weizhouapache]

@nvazquez
it looks like the test did not run in simulator CI

Currently running test: smoke/test_vpc_conserve_mode


==== Marvin Init Started ====

=== Marvin Parse Config Successful ===

=== Marvin Setting TestData Successful===

==== Log Folder Path: /tmp/MarvinLogs/Feb_26_2026_22_15_49_3S0AQC All logs will be available here ====

=== Marvin Init Logging Successful===

==== Marvin Init Successful ====
=== Final results are now copied to: /tmp/MarvinLogs/test_suite_KATO2X ===

[weizhouapache]

code lgtm

please fix the test failures if any @nvazquez

[blueorangutan]

[SF] Trillian test result (tid-15540)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 54384 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr12487-t15540-kvm-ol8.zip
Smoke tests completed. 147 look OK, 4 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_LoginApiDomain	Error	5.53	test_accounts.py
ContextSuite context=TestListIdsParams>:teardown	Error	1.10	test_list_ids_parameter.py
test_01_snapshot_root_disk	Error	4.79	test_snapshots.py
test_02_list_snapshots_with_removed_data_store	Error	52.58	test_snapshots.py
test_02_list_snapshots_with_removed_data_store	Error	52.58	test_snapshots.py
ContextSuite context=TestSnapshotStandaloneBackup>:teardown	Error	33.28	test_snapshots.py
test_01_snapshot_usage	Error	28.72	test_usage.py
test_01_vpn_usage	Error	1.07	test_usage.py

[RosiKyu]

@blueorangutan package

[RosiKyu]

@blueorangutan test

[blueorangutan]

@RosiKyu a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests