Fix triggerCNPUpdates panic

[tnqn]

When a ClusterGroup is created, updated, or deleted, triggerCNPUpdates
will be called to update ClusterNetworkPolicies that reference to it.
However, a ClusterNetworkPolicy may have not been processed by addCNP
when they are found in the informer cache, which means its internal
NetworkPolicy doesn't exist yet. triggerCNPUpdates would panic if it
assumes the internal NetworkPolicy always exist and uses the returned
value directly.

This patch fixes it by checking existence first before using the
returned internal NetworkPolicy.

Signed-off-by: Quan Tian qtian@vmware.com

Fixes #2769

[tnqn]

/test-all

[codecov-commenter]

Codecov Report

Merging #2768 (f656ab2) into main (0867867) will decrease coverage by 6.07%.
The diff coverage is 46.51%.

@@            Coverage Diff             @@
##             main    #2768      +/-   ##
==========================================
- Coverage   59.37%   53.29%   -6.08%     
==========================================
  Files         285      285              
  Lines       23033    23028       -5     
==========================================
- Hits        13675    12273    -1402     
- Misses       7907     9408    +1501     
+ Partials     1451     1347     -104     

Flag	Coverage Δ
kind-e2e-tests	32.39% <0.00%> (-14.14%)	⬇️
unit-tests	41.55% <46.51%> (+0.55%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...g/controller/networkpolicy/clusternetworkpolicy.go	68.84% <40.00%> (+3.72%)	⬆️
...ntroller/networkpolicy/networkpolicy_controller.go	71.60% <45.94%> (-9.31%)	⬇️
pkg/controller/networkpolicy/clustergroup.go	75.62% <100.00%> (+8.02%)	⬆️
pkg/controller/types/networkpolicy.go	0.00% <0.00%> (-100.00%)	⬇️
pkg/agent/controller/networkpolicy/packetin.go	4.50% <0.00%> (-67.50%)	⬇️
pkg/apis/controlplane/v1beta2/helper.go	33.33% <0.00%> (-66.67%)	⬇️
...formers/externalversions/security/v1alpha1/tier.go	0.00% <0.00%> (-64.29%)	⬇️
...ers/externalversions/core/v1alpha2/clustergroup.go	0.00% <0.00%> (-64.29%)	⬇️
...s/externalversions/core/v1alpha2/externalentity.go	0.00% <0.00%> (-64.29%)	⬇️
...xternalversions/security/v1alpha1/networkpolicy.go	0.00% <0.00%> (-64.29%)	⬇️
... and 82 more

[tnqn]

/test-e2e

[GraysonWu]

Would this be possible:
addCNP has already processed the CNP to an internalNP, just hasn't added this internalNP to the internalNetworkPolicyStore. In this case, reprocessCNP will skip processing this CNP and addCNP will just add the "old" internalNP to internalNetworkPolicyStore.

[tnqn]

Good catch! The issue exists regardless of the patch, and not only between triggerCNPUpdate and CNP eventHandlers, but also Namespace eventHandlers and CNP eventHandlers. I tried to fix it in this PR but didn't figure out a simple way: long code would need to be scoped into critical area and code would become quite redundant and hard to maintain. I was wondering if we should move internal NetworkPolicy creation and update to workers and all event handlers should just trigger them, but I know we didn't do that before was because of some reason, perhaps for the reference of AddressGroups and AppliedToGroups.

Maybe we should have a separate issue to discuss the race condition. @abhiraut @GraysonWu

[abhiraut]

opened issue to track this #2794

[tnqn]

thanks @abhiraut