Remove the restriction that an ACNP referred ClusterGroup must be created before the ACNP

[Dyanngg]

This is the second of two PRs that relaxes admission validations for ClusterGroup references. This PR removes the restriction that a ClusterGroup must exist before it can be referred to in Antrea ClusterNetworkPolicies. It also allows a ClusterGroup to be deleted even if it is still referred to by an ACNP.

This PR also refactors the way test resources are created in testSteps of antreapolicy_test.go. Since resource creation/deletion dependencies are no longer enforced, e2e testcases can simply use an ordered list of test resources specification to test different scenarios (i.e. ACNP is created before its referred CG and vice versa).

[codecov-commenter]

Codecov Report

Merging #2478 (9a44855) into main (1d148ad) will decrease coverage by 1.23%.
The diff coverage is 33.33%.

@@            Coverage Diff             @@
##             main    #2478      +/-   ##
==========================================
- Coverage   60.58%   59.34%   -1.24%     
==========================================
  Files         286      287       +1     
  Lines       23096    23107      +11     
==========================================
- Hits        13993    13714     -279     
- Misses       7644     7956     +312     
+ Partials     1459     1437      -22     

Flag	Coverage Δ
e2e-tests	∅ <ø> (?)
kind-e2e-tests	45.37% <0.00%> (-2.26%)	⬇️
unit-tests	41.51% <33.33%> (+0.08%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...g/controller/networkpolicy/clusternetworkpolicy.go	65.11% <ø> (-0.02%)	⬇️
pkg/controller/networkpolicy/validate.go	21.51% <ø> (+0.95%)	⬆️
pkg/controller/networkpolicy/clustergroup.go	67.59% <33.33%> (+1.85%)	⬆️
...g/agent/apiserver/handlers/featuregates/handler.go	0.00% <0.00%> (-82.36%)	⬇️
...kg/apiserver/registry/system/supportbundle/rest.go	19.54% <0.00%> (-55.18%)	⬇️
pkg/support/dump_others.go	0.00% <0.00%> (-51.73%)	⬇️
pkg/support/dump.go	8.13% <0.00%> (-49.60%)	⬇️
...g/agent/apiserver/handlers/addressgroup/handler.go	0.00% <0.00%> (-40.00%)	⬇️
...agent/apiserver/handlers/appliedtogroup/handler.go	0.00% <0.00%> (-40.00%)	⬇️
pkg/apiserver/handlers/loglevel/handler.go	0.00% <0.00%> (-38.47%)	⬇️
... and 48 more

[abhiraut]

we have been triggering CNP updates from workers.. is it possible to do so in syncInternalGroup?

[Dyanngg]

It will be very tricky to do so in syncInternalGroup, in case of deletion. If a group key is processed by syncInternalGroup, the controller would expect the internal group still exist in the internal group store, otherwise it won't do anything. So in this case, if we want to rely on syncInternalGroup for parent group syncs, we would need to delete the internal group from the internal store after syncInternalGroup. However, at the time of parent group sync we also want to ensure that the childGroup is deleted from internal store, so that we don't include outdated members. Since this process is async, it's hard for us to ensure that syncInternalGroup of the parent happens after the internal group deletion.

[abhiraut]

hmm im worried this comes in the path of the synchronous Delete handlers and may cause perf issue. maybe add a TODO comment here to explain why its done here now and perhaps we should look in to moving this to the workers. let me also dig deeper if we can have an alternative here..

[abhiraut]

you plan to add a TODO here? more important than ParentGroup my comment is on the triggerCNPUpdates; as that's the one i presume would be time consuming

[Dyanngg]

Thanks for the reminder. Added TODO.

[Dyanngg]

/test-all

[Dyanngg]

/test-all

[Dyanngg]

rebased /test-all

[Dyanngg]

/test-all

[antoninbas]

Are we still planning to merge this for v1.3? If yes, @abhiraut could you rebase and @tnqn do you want to take a look?

[abhiraut]

yup. i will take care of this PR .. let us first merge the static ipblock PR #2577 and then I will rebase all conflicts together

[abhiraut]

Are we still planning to merge this for v1.3? If yes, @abhiraut could you rebase and @tnqn do you want to take a look?

done

[abhiraut]

/test-all

[tnqn]

The call is unnecessary.

If we want to rely on syncInternalGroup for ACNP syncs, the internal group needs to be deleted from the internal store after syncInternalGroup.

I don't think we need to defer deleting internal group to syncInternalGroup. triggerCNPUpdates actually just requires the group name. The association is stored in CNP store, instead of group store.

However, at the time of ACNP sync, we also want to ensure that the group is deleted from internal store already, so that we don't include outdated members. Since this process is async, there's no guarantee which happens first.

It doesn't matter whether the group is deleted from internal store already when processing ACNP. The only thing we need to ensure is triggering CNP update after syncInternalGroup, so that its data will be correct eventually.

Of course, we need to ensure c.triggerParentGroupSync() and c.triggerCNPUpdates() are called in syncInternalGroup regardless of the existence of the internal group. deferred calls can work. I don't think they really need to return error.

func (c *NetworkPolicyController) syncInternalGroup(key string) error {
	defer c.triggerCNPUpdates(key)
	defer c.triggerParentGroupSync(key)
	
	// Retrieve the internal Group corresponding to this key.
        ...
}

[tnqn]

Same as triggerCNPUpdates. Calling it in syncInternalGroup should be good enough. The method doesn't really require the whole group but just the group name.

[abhiraut]

thanks for the review Quan! let me evaluate and push a change based on that

[tnqn]

LGTM, just one nit

[tnqn]

nit: Not introduced by this PR, but it should return earlier upon error, just like triggerCNPUpdates, though the following processing is safe to run in this particular case.

[abhiraut]

done

[tnqn]

LGTM

[tnqn]

/test-all