OCPBUGS-1750: Trim ACL names according to RFC1123

[tssurya]

Cherry picks #1281 and c204519
First cherry-pick had to be modified to use libovsdbops.BuildACL instead of ovn.BuildACL since we are missing 44ad754 in 4.11
Second cherry-pick had a very minor conflict outlined in the commit message.

[openshift-ci]

@tssurya: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

In response to this:

OCPBUGS 1750: Trim ACL names according to RFC1123

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@tssurya: This pull request references Jira Issue OCPBUGS-1750, which is invalid:

• expected the bug to target the "4.11.z" version, but no target version was set
• expected Jira Issue OCPBUGS-1750 to depend on a bug targeting a version in 4.12.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Cherry picks #1281 and c204519
Second cherry-pick had a very minor conflict outlined in the commit message.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

@tssurya: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

In response to this:

OCPBUGS-1750: Trim ACL names according to RFC1123

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tssurya]

/jira refresh

[openshift-ci-robot]

@tssurya: This pull request references Jira Issue OCPBUGS-1750, which is invalid:

• expected Jira Issue OCPBUGS-1750 to depend on a bug targeting a version in 4.12.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tssurya]

/jira refresh

[openshift-ci-robot]

@tssurya: This pull request references Jira Issue OCPBUGS-1750, which is invalid:

• expected dependent Jira Issue OCPBUGS-1705 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), but it is POST instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tssurya]

/hold

[openshift-ci-robot]

@tssurya: This pull request references Jira Issue OCPBUGS-1750, which is invalid:

• expected dependent Jira Issue OCPBUGS-1705 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), but it is POST instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Cherry picks #1281 and c204519
First cherry-pick had to be modified to use libovsdbops.BuildACL instead of ovn.BuildACL since we are missing 44ad754 in 4.11
Second cherry-pick had a very minor conflict outlined in the commit message.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

@tssurya: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

In response to this:

OCPBUGS-1750: Trim ACL names according to RFC1123

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tssurya]

/retest

[tssurya]

/jira refresh

[openshift-ci-robot]

@tssurya: This pull request references Jira Issue OCPBUGS-1750, which is invalid:

• expected dependent Jira Issue OCPBUGS-1705 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tssurya]

/hold cancel

[tssurya]

/assign @trozet
/assign @jcaamano

[jcaamano]

@tssurya Why do we need https://github.com/openshift/ovn-kubernetes/commit/c20451998bcc62ef5281d1316110ed44219386b9?
It doesn't really do much other than accommodating for the limitation of the libovsdb test server that does not handle referential integrity. So it should only be relevant for unit tests.

[tssurya]

@tssurya Why do we need https://github.com/openshift/ovn-kubernetes/commit/c20451998bcc62ef5281d1316110ed44219386b9? It doesn't really do much other than accommodating for the limitation of the libovsdb test server that does not handle referential integrity. So it should only be relevant for unit tests.

There is a place in the code: https://github.com/openshift/ovn-kubernetes/pull/1282/files#diff-cc83e19af1c257d5a09b711d5977d8f8c20beb34b7b5d3eb37b2f2c53ded1bf7L143 where we were calling DeleteACLs directly which would complain against the referential integrity violation. Nadia's PR will help with that and keep things consistent. SInce 4.11 will be around for some time, I don't want people stepping on the DeleteACLs function and forgetting to individually remove things from PGs and that PR adds that part: https://github.com/openshift/ovn-kubernetes/pull/1282/files#diff-ee54e95b45c5a079454546fed94fcef68b13d9dc6cd14e192585fe2465bcaefcR170 whereby calling DeleteACLs will auto-delete the the acls from PGs and switches.

[tssurya]

So it should only be relevant for unit tests.

Not sure if I follow this part, any place in code like efw or policies that call DeleteACLs - this will be relevant for all that right?

[jcaamano]

@tssurya Why do we need https://github.com/openshift/ovn-kubernetes/commit/c20451998bcc62ef5281d1316110ed44219386b9? It doesn't really do much other than accommodating for the limitation of the libovsdb test server that does not handle referential integrity. So it should only be relevant for unit tests.

There is a place in the code: https://github.com/openshift/ovn-kubernetes/pull/1282/files#diff-cc83e19af1c257d5a09b711d5977d8f8c20beb34b7b5d3eb37b2f2c53ded1bf7L143 where we were calling DeleteACLs directly which would complain against the referential integrity violation. Nadia's PR will help with that and keep things consistent. SInce 4.11 will be around for some time, I don't want people stepping on the DeleteACLs function and forgetting to individually remove things from PGs and that PR adds that part: https://github.com/openshift/ovn-kubernetes/pull/1282/files#diff-ee54e95b45c5a079454546fed94fcef68b13d9dc6cd14e192585fe2465bcaefcR170 whereby calling DeleteACLs will auto-delete the the acls from PGs and switches.

Ok. So comments about this:

• That was because using DeleteACLs there is not the best thing to do. The call to use should be DeleteACLsFromPortGroup directly. The server will garbage-collect the ACLs once they are removed form the port groups. On some places we would call DeleteACLs after DeleteACLsFromPortGroup to counter the fact that the test server does not do the garbage collection; on other places we would account for the leftover ACLs in the tests. Arguably the other best alternative would have been to remove the ACLs inside DeleteACLsFromPortGroup instead of the other way around; and not having a DeleteACLs at all to avoid the confusion. Anyway we will live with it for now.
• This seems like separate fix. Even if we use this PR, should we track it with a different bug so that people that encounters the issue is aware that this is now fixed?

[jcaamano]

How difficult would be to cherry pick ovn.BuildACL as well or how probable it is that is cherry-picked in the future?
The reason I ask is because if ovn.BuildACL is back-ported in the future, most likely the call to libovsdbops.BuildACL that is done here will be missed and not changed to ovn.BuildACL

[anuragthehatter]

QE testing passed on this PR covering all corner cases

/label qe-approved

[anuragthehatter]

/label cherry-pick-approved

[jcaamano]

/retest

[tssurya]

/test e2e-hypershift

[openshift-ci]

@tssurya: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-openstack-ovn	4d5d7d6	link	false	/test e2e-openstack-ovn
ci/prow/e2e-hypershift	4d5d7d6	link	false	/test e2e-hypershift

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[flavio-fernandes]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: flavio-fernandes, jcaamano, tssurya

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [jcaamano]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[flavio-fernandes]

/jira refresh

[openshift-ci-robot]

@flavio-fernandes: This pull request references Jira Issue OCPBUGS-1750, which is invalid:

• expected dependent Jira Issue OCPBUGS-1705 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), but it is POST instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tssurya]

/jira refresh

[openshift-ci-robot]

@tssurya: This pull request references Jira Issue OCPBUGS-1750, which is invalid:

• expected dependent Jira Issue OCPBUGS-1705 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tssurya]

/jira refresh

[openshift-ci-robot]

@tssurya: This pull request references Jira Issue OCPBUGS-1750, which is valid. The bug has been moved to the POST state.

6 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.11.z) matches configured target version for branch (4.11.z)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
• dependent bug Jira Issue OCPBUGS-1705 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE))
• dependent Jira Issue OCPBUGS-1705 targets the "4.12.0" version, which is one of the valid target versions: 4.12.0
• bug has dependents

Requesting review from QA contact:
/cc @anuragthehatter

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tssurya]

/jira refresh

[openshift-ci-robot]

@tssurya: This pull request references Jira Issue OCPBUGS-1750, which is valid.

6 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.11.z) matches configured target version for branch (4.11.z)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
• dependent bug Jira Issue OCPBUGS-1705 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE))
• dependent Jira Issue OCPBUGS-1705 targets the "4.12.0" version, which is one of the valid target versions: 4.12.0
• bug has dependents

Requesting review from QA contact:
/cc @anuragthehatter

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@tssurya: All pull requests linked via external trackers have merged:

• openshift/ovn-kubernetes#1282

Jira Issue OCPBUGS-1750 has been moved to the MODIFIED state.

In response to this:

Cherry picks #1281 and c204519
First cherry-pick had to be modified to use libovsdbops.BuildACL instead of ovn.BuildACL since we are missing 44ad754 in 4.11
Second cherry-pick had a very minor conflict outlined in the commit message.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.