replace port_group function call with ovnClient (#2608)

Co-authored-by: liguo <li.guo@99cloud.net>
kubeovn · Apr 7, 2023 · 1e8e382 · 1e8e382
1 parent 9b57740
commit 1e8e382
Show file tree

Hide file tree

Showing 7 changed files with 105 additions and 344 deletions.
diff --git a/pkg/controller/gc.go b/pkg/controller/gc.go
@@ -546,26 +546,29 @@ func (c *Controller) gcLoadBalancer() error {
 
 func (c *Controller) gcPortGroup() error {
 	klog.Infof("start to gc network policy")
-	var npNames []string
+
+	npNames := make(map[string]struct{})
+
 	if c.config.EnableNP {
 		nps, err := c.npsLister.List(labels.Everything())
 		if err != nil {
 			klog.Errorf("failed to list network policy, %v", err)
 			return err
 		}
 
-		npNames = make([]string, 0, len(nps))
 		for _, np := range nps {
-			npNames = append(npNames, fmt.Sprintf("%s/%s", np.Namespace, np.Name))
+			npNames[fmt.Sprintf("%s/%s", np.Namespace, np.Name)] = struct{}{}
 		}
+
 		// append node port group to npNames to avoid gc node port group
 		nodes, err := c.nodesLister.List(labels.Everything())
 		if err != nil {
 			klog.Errorf("failed to list nodes, %v", err)
 			return err
 		}
+
 		for _, node := range nodes {
-			npNames = append(npNames, fmt.Sprintf("%s/%s", "node", node.Name))
+			npNames[fmt.Sprintf("%s/%s", "node", node.Name)] = struct{}{}
 		}
 
 		// append overlay subnets port group to npNames to avoid gc distributed subnets port group
@@ -578,22 +581,30 @@ func (c *Controller) gcPortGroup() error {
 			if subnet.Spec.Vpc != util.DefaultVpc || (subnet.Spec.Vlan != "" && !subnet.Spec.LogicalGateway) || subnet.Name == c.config.NodeSwitch || subnet.Spec.GatewayType != kubeovnv1.GWDistributedType {
 				continue
 			}
+
 			for _, node := range nodes {
-				npNames = append(npNames, fmt.Sprintf("%s/%s", subnet.Name, node.Name))
+				npNames[fmt.Sprintf("%s/%s", subnet.Name, node.Name)] = struct{}{}
 			}
 		}
 	}
 
-	pgs, err := c.ovnLegacyClient.ListNpPortGroup()
+	// list all np port groups which externalIDs[np]!=""
+	pgs, err := c.ovnClient.ListPortGroups(map[string]string{networkPolicyKey: ""})
 	if err != nil {
-		klog.Errorf("failed to list port-group, %v", err)
+		klog.Errorf("list np port group: %v", err)
 		return err
 	}
+
 	for _, pg := range pgs {
-		if !c.config.EnableNP || !util.IsStringIn(fmt.Sprintf("%s/%s", pg.NpNamespace, pg.NpName), npNames) {
+		np := strings.Split(pg.ExternalIDs[networkPolicyKey], "/")
+		npNamespace := np[0]
+		npName := np[1]
+
+		if _, ok := npNames[fmt.Sprintf("%s/%s", npNamespace, npName)]; !c.config.EnableNP || !ok {
 			klog.Infof("gc port group %s", pg.Name)
-			if err := c.handleDeleteNp(fmt.Sprintf("%s/%s", pg.NpNamespace, pg.NpName)); err != nil {
-				klog.Errorf("failed to gc np %s/%s, %v", pg.NpNamespace, pg.NpName, err)
+
+			if err := c.handleDeleteNp(fmt.Sprintf("%s/%s", npNamespace, npName)); err != nil {
+				klog.Errorf("gc np %s/%s, %v", npNamespace, npName, err)
 				return err
 			}
 		}

diff --git a/pkg/controller/network_policy.go b/pkg/controller/network_policy.go
@@ -185,27 +185,31 @@ func (c *Controller) handleUpdateNp(key string) error {
 	// TODO: ovn acl doesn't support address_set name with '-', now we replace '-' by '.'.
 	// This may cause conflict if two np with name test-np and test.np. Maybe hash is a better solution,
 	// but we do not want to lost the readability now.
-	pgName := strings.Replace(fmt.Sprintf("%s.%s", npName, np.Namespace), "-", ".", -1)
-	ingressAllowAsNamePrefix := strings.Replace(fmt.Sprintf("%s.%s.ingress.allow", npName, np.Namespace), "-", ".", -1)
-	ingressExceptAsNamePrefix := strings.Replace(fmt.Sprintf("%s.%s.ingress.except", npName, np.Namespace), "-", ".", -1)
-	egressAllowAsNamePrefix := strings.Replace(fmt.Sprintf("%s.%s.egress.allow", npName, np.Namespace), "-", ".", -1)
-	egressExceptAsNamePrefix := strings.Replace(fmt.Sprintf("%s.%s.egress.except", npName, np.Namespace), "-", ".", -1)
-
-	if err = c.ovnLegacyClient.CreateNpPortGroup(pgName, np.Namespace, npName); err != nil {
-		klog.Errorf("failed to create port group for np %s, %v", key, err)
+	pgName := strings.Replace(fmt.Sprintf("%s.%s", np.Name, np.Namespace), "-", ".", -1)
+	ingressAllowAsNamePrefix := strings.Replace(fmt.Sprintf("%s.%s.ingress.allow", np.Name, np.Namespace), "-", ".", -1)
+	ingressExceptAsNamePrefix := strings.Replace(fmt.Sprintf("%s.%s.ingress.except", np.Name, np.Namespace), "-", ".", -1)
+	egressAllowAsNamePrefix := strings.Replace(fmt.Sprintf("%s.%s.egress.allow", np.Name, np.Namespace), "-", ".", -1)
+	egressExceptAsNamePrefix := strings.Replace(fmt.Sprintf("%s.%s.egress.except", np.Name, np.Namespace), "-", ".", -1)
+
+	// delete existing pg to update acl
+	if err = c.ovnClient.DeletePortGroup(pgName); err != nil {
+		klog.Errorf("delete port group %s before networkpolicy update process: %v", pgName, err)
+	}
+
+	if err = c.ovnClient.CreatePortGroup(pgName, map[string]string{networkPolicyKey: np.Namespace + "/" + np.Name}); err != nil {
+		klog.Errorf("create port group for np %s: %v", key, err)
 		return err
 	}
 
 	namedPortMap := c.namedPort.GetNamedPortByNs(np.Namespace)
 	ports, err := c.fetchSelectedPorts(np.Namespace, &np.Spec.PodSelector)
 	if err != nil {
-		klog.Errorf("failed to fetch ports, %v", err)
+		klog.Errorf("fetch ports belongs to np %s: %v", key, err)
 		return err
 	}
 
-	err = c.ovnLegacyClient.SetPortsToPortGroup(pgName, ports)
-	if err != nil && !strings.Contains(err.Error(), "not found") {
-		klog.Errorf("failed to set port group, %v", err)
+	if err := c.ovnClient.PortGroupAddPorts(pgName, ports...); err != nil {
+		klog.Errorf("add ports to port group %s: %v", pgName, err)
 		return err
 	}
 
@@ -248,7 +252,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 	}
 
 	var ingressAclCmd []string
-	exist, err := c.ovnLegacyClient.PortGroupExists(pgName)
+	exist, err := c.ovnClient.PortGroupExists(pgName)
 	if err != nil {
 		klog.Errorf("failed to query np %s port group, %v", key, err)
 		return err
@@ -391,7 +395,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 	}
 
 	var egressAclCmd []string
-	exist, err = c.ovnLegacyClient.PortGroupExists(pgName)
+	exist, err = c.ovnClient.PortGroupExists(pgName)
 	if err != nil {
 		klog.Errorf("failed to query np %s port group, %v", key, err)
 		return err
@@ -539,9 +543,9 @@ func (c *Controller) handleDeleteNp(key string) error {
 		npName = "np" + name
 	}
 
-	pgName := strings.Replace(fmt.Sprintf("%s.%s", npName, namespace), "-", ".", -1)
-	if err := c.ovnLegacyClient.DeletePortGroup(pgName); err != nil {
-		klog.Errorf("failed to delete np %s port group, %v", key, err)
+	pgName := strings.Replace(fmt.Sprintf("%s.%s", name, namespace), "-", ".", -1)
+	if err = c.ovnClient.DeletePortGroup(pgName); err != nil {
+		klog.Errorf("delete np %s port group: %v", key, err)
 	}
 
 	svcAsNames, err := c.ovnLegacyClient.ListNpAddressSet(namespace, npName, "service")

diff --git a/pkg/controller/node.go b/pkg/controller/node.go
@@ -336,8 +336,8 @@ func (c *Controller) handleAddNode(key string) error {
 
 	// ovn acl doesn't support address_set name with '-', so replace '-' by '.'
 	pgName := strings.Replace(node.Annotations[util.PortNameAnnotation], "-", ".", -1)
-	if err := c.ovnLegacyClient.CreateNpPortGroup(pgName, "node", key); err != nil {
-		klog.Errorf("failed to create port group %s for node %s: %v", pgName, key, err)
+	if err = c.ovnClient.CreatePortGroup(pgName, map[string]string{networkPolicyKey: "node" + "/" + key}); err != nil {
+		klog.Errorf("create port group %s for node %s: %v", pgName, key, err)
 		return err
 	}
 
@@ -461,10 +461,11 @@ func (c *Controller) handleDeleteNode(key string) error {
 
 	// ovn acl doesn't support address_set name with '-', so replace '-' by '.'
 	pgName := strings.Replace(portName, "-", ".", -1)
-	if err := c.ovnLegacyClient.DeletePortGroup(pgName); err != nil {
-		klog.Errorf("failed to delete port group %s for node, %v", portName, err)
+	if err := c.ovnClient.DeletePortGroup(pgName); err != nil {
+		klog.Errorf("delete port group %s for node: %v", portName, err)
 		return err
 	}
+
 	if err := c.deletePolicyRouteForNode(key); err != nil {
 		klog.Errorf("failed to delete policy route for node %s: %v", key, err)
 		return err
@@ -917,53 +918,26 @@ func (c *Controller) fetchPodsOnNode(nodeName string, pods []*v1.Pod) ([]string,
 	return ports, nil
 }
 
-func (c *Controller) checkPodsChangedOnNode(pgName string, nameIdMap map[string]string, pgPorts, ports []string) (bool, error) {
-	for _, port := range ports {
-		if portId, ok := nameIdMap[port]; ok {
-			if !util.IsStringIn(portId, pgPorts) {
-				klog.Infof("pod on node changed, new added port %v should add to node port group %v", port, pgName)
-				return true, nil
-			}
-		}
-	}
-
-	return false, nil
-}
-
 func (c *Controller) CheckNodePortGroup() {
 	if err := c.checkAndUpdateNodePortGroup(); err != nil {
-		klog.Errorf("failed to check node port-group status, %v", err)
+		klog.Errorf("check node port group status: %v", err)
 	}
 }
 
-var lastNpExists = make(map[string]bool)
-
 func (c *Controller) checkAndUpdateNodePortGroup() error {
 	klog.V(3).Infoln("start to check node port-group status")
 	np, _ := c.npsLister.List(labels.Everything())
 	networkPolicyExists := len(np) != 0
 
 	nodes, err := c.nodesLister.List(labels.Everything())
 	if err != nil {
-		klog.Errorf("failed to list nodes, %v", err)
+		klog.Errorf("list nodes: %v", err)
 		return err
 	}
 
 	pods, err := c.podsLister.List(labels.Everything())
 	if err != nil {
-		klog.Errorf("failed to list pods, %v", err)
-		return err
-	}
-
-	nameIdMap, _, err := c.ovnLegacyClient.ListLspForNodePortgroup()
-	if err != nil {
-		klog.Errorf("failed to list lsp info, %v", err)
-		return err
-	}
-
-	namePortsMap, err := c.ovnLegacyClient.ListPgPortsForNodePortgroup()
-	if err != nil {
-		klog.Errorf("failed to list port-group info, %v", err)
+		klog.Errorf("list pods, %v", err)
 		return err
 	}
 
@@ -983,32 +957,14 @@ func (c *Controller) checkAndUpdateNodePortGroup() error {
 		}
 		nodeIP := strings.Trim(fmt.Sprintf("%s,%s", nodeIPv4, nodeIPv6), ",")
 
-		ports, err := c.fetchPodsOnNode(node.Name, pods)
+		nodePorts, err := c.fetchPodsOnNode(node.Name, pods)
 		if err != nil {
-			klog.Errorf("failed to fetch pods for node %v, %v", node.Name, err)
+			klog.Errorf("fetch pods for node %v: %v", node.Name, err)
 			return err
 		}
 
-		changed, err := c.checkPodsChangedOnNode(pgName, nameIdMap, namePortsMap[pgName], ports)
-		if err != nil {
-			klog.Errorf("failed to check pod status for node %v, %v", node.Name, err)
-			continue
-		}
-
-		if lastNpExists[node.Name] != networkPolicyExists {
-			klog.Infof("networkpolicy num changed when check nodepg %v", pgName)
-			changed = true
-		}
-
-		if !changed {
-			klog.V(3).Infof("pods on node %v do not changed", node.Name)
-			continue
-		}
-		lastNpExists[node.Name] = networkPolicyExists
-
-		err = c.ovnLegacyClient.SetPortsToPortGroup(pgName, ports)
-		if err != nil {
-			klog.Errorf("failed to set port group for node %v, %v", node.Name, err)
+		if err := c.ovnClient.PortGroupAddPorts(pgName, nodePorts...); err != nil {
+			klog.Errorf("add ports to port group %s: %v", pgName, err)
 			return err
 		}
 
@@ -1123,7 +1079,7 @@ func (c *Controller) checkPolicyRouteExistForNode(nodeName, cidr, nexthop string
 func (c *Controller) deletePolicyRouteForNode(nodeName string) error {
 	subnets, err := c.subnetsLister.List(labels.Everything())
 	if err != nil {
-		klog.Errorf("failed to get subnets %v", err)
+		klog.Errorf("get subnets: %v", err)
 		return err
 	}
 
@@ -1134,14 +1090,14 @@ func (c *Controller) deletePolicyRouteForNode(nodeName string) error {
 
 		if subnet.Spec.GatewayType == kubeovnv1.GWDistributedType {
 			pgName := getOverlaySubnetsPortGroupName(subnet.Name, nodeName)
-			if err = c.ovnLegacyClient.DeletePortGroup(pgName); err != nil {
-				klog.Errorf("failed to delete port group for subnet %s and node %s, %v", subnet.Name, nodeName, err)
+			if err = c.ovnClient.DeletePortGroup(pgName); err != nil {
+				klog.Errorf("delete port group for subnet %s and node %s: %v", subnet.Name, nodeName, err)
 				return err
 			}
 
 			klog.Infof("delete policy route for distributed subnet %s, node %s", subnet.Name, nodeName)
 			if err = c.deletePolicyRouteForDistributedSubnet(subnet, nodeName); err != nil {
-				klog.Errorf("failed to delete policy route for subnet %s and node %s, %v", subnet.Name, nodeName, err)
+				klog.Errorf("delete policy route for subnet %s and node %s: %v", subnet.Name, nodeName, err)
 				return err
 			}
 		}

diff --git a/pkg/controller/pod.go b/pkg/controller/pod.go
@@ -990,7 +990,6 @@ func (c *Controller) handleUpdatePodSecurity(key string) error {
 	}
 	return nil
 }
-
 func (c *Controller) syncKubeOvnNet(pod *v1.Pod, podNets []*kubeovnNet) error {
 	podName := c.getNameByPod(pod)
 	key := fmt.Sprintf("%s/%s", pod.Namespace, podName)

diff --git a/pkg/controller/security_group.go b/pkg/controller/security_group.go
@@ -167,12 +167,19 @@ func (c *Controller) processNextDeleteSgWorkItem() bool {
 }
 
 func (c *Controller) initDenyAllSecurityGroup() error {
-	if err := c.ovnLegacyClient.CreateSgPortGroup(util.DenyAllSecurityGroup); err != nil {
+	pgName := ovs.GetSgPortGroupName(util.DenyAllSecurityGroup)
+	if err := c.ovnClient.CreatePortGroup(pgName, map[string]string{
+		"type": "security_group",
+		sgKey:  util.DenyAllSecurityGroup,
+	}); err != nil {
+		klog.Errorf("create port group for sg %s: %v", util.DenyAllSecurityGroup, err)
 		return err
 	}
+
 	if err := c.ovnLegacyClient.CreateSgDenyAllACL(); err != nil {
 		return err
 	}
+
 	c.addOrUpdateSgQueue.Add(util.DenyAllSecurityGroup)
 	return nil
 }
@@ -182,7 +189,7 @@ func (c *Controller) updateDenyAllSgPorts() error {
 	// list all lsp which security_groups is not empty
 	lsps, err := c.ovnClient.ListNormalLogicalSwitchPorts(true, map[string]string{sgsKey: ""})
 	if err != nil {
-		klog.Errorf("failed to find logical port, %v", err)
+		klog.Errorf("list logical switch ports with security_groups is not empty: %v", err)
 		return err
 	}
 
@@ -254,9 +261,15 @@ func (c *Controller) handleAddOrUpdateSg(key string) error {
 		return err
 	}
 
-	if err = c.ovnLegacyClient.CreateSgPortGroup(sg.Name); err != nil {
-		return fmt.Errorf("failed to create sg port_group %s, %v", key, err.Error())
+	pgName := ovs.GetSgPortGroupName(sg.Name)
+	if err := c.ovnClient.CreatePortGroup(pgName, map[string]string{
+		"type": "security_group",
+		sgKey:  sg.Name,
+	}); err != nil {
+		klog.Errorf("create port group for sg %s: %v", sg.Name, err)
+		return err
 	}
+
 	if err = c.ovnLegacyClient.CreateSgAssociatedAddressSet(sg.Name); err != nil {
 		return fmt.Errorf("failed to create sg associated address_set %s, %v", key, err.Error())
 	}
@@ -378,7 +391,13 @@ func (c *Controller) patchSgStatus(sg *kubeovnv1.SecurityGroup) {
 func (c *Controller) handleDeleteSg(key string) error {
 	c.sgKeyMutex.Lock(key)
 	defer c.sgKeyMutex.Unlock(key)
-	return c.ovnLegacyClient.DeleteSgPortGroup(key)
+
+	if err := c.ovnClient.DeleteSecurityGroup(key); err != nil {
+		klog.Errorf("delete sg %s: %v", key, err)
+		return err
+	}
+
+	return nil
 }
 
 func (c *Controller) syncSgLogicalPort(key string) error {
@@ -420,14 +439,16 @@ func (c *Controller) syncSgLogicalPort(key string) error {
 		}
 	}
 
-	if err = c.ovnLegacyClient.SetPortsToPortGroup(sg.Status.PortGroup, ports); err != nil {
-		klog.Errorf("failed to set port to sg, %v", err)
+	if err := c.ovnClient.PortGroupAddPorts(sg.Status.PortGroup, ports...); err != nil {
+		klog.Errorf("add ports to port group %s: %v", sg.Status.PortGroup, err)
 		return err
 	}
+
 	if err = c.ovnLegacyClient.SetAddressesToAddressSet(v4s, ovs.GetSgV4AssociatedName(key)); err != nil {
 		klog.Errorf("failed to set address_set, %v", err)
 		return err
 	}
+
 	if err = c.ovnLegacyClient.SetAddressesToAddressSet(v6s, ovs.GetSgV6AssociatedName(key)); err != nil {
 		klog.Errorf("failed to set address_set, %v", err)
 		return err