ACL Indexes Merge Downstream: 31st May 2023 #1684

Closed
tssurya wants to merge 18 commits into openshift:master from tssurya:acl-indexes-merge-downstream

@tssurya tssurya commented May 26, 2023

npinaeva and others added 17 commits April 3, 2023 12:54
which mean reset, not ignore.
When acls are updated on initial sync (by handling add events) if
namespace log levels were reset, acls should also be updated with nil
Severity.

Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
intention from implementation.

Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
Add new BuildACLFromDbIDs function, that should be the only one used in
the end of acls indexes update.

Add 2 owner Types for global and namespaced multicast resources.
Generate ACL name based on dbIDs, don't include owner information to
save some symbols. Add (objectIDs *DbObjectIDs) StringNoOwner() for
this purpose.

Add cleanup function for disabled multicast support and namespaced
multicast cleanup.

Move noneMatch to the gress_policy.go, where it is used.

Add tests for multicast acl sync and cleanup.
Rename address_set_syncer package to external_ids_syncer, add acl syncer
sub-package.

Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
1. Use dbIDs with new NetpolNodeOwnerType
2. Add aclSync for allow from node ACL
3. Rework AllowFromNode ACL unit tests to run everything for ipv4 and
ipv6

Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
Move gress-related constants from policy.go to gress_policy.go.
Use old externalIDs for syncs only.

policy test "correctly retries recreating a network policy with the
same name" last expected data was updated, since newly generated ACLs

Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
Add NetpolNamespaceOwnerType for namespace-wide default deny acls.

Add acl_sync PrimaryID check to make sure in case more than 1 ACLs have
the same primaryID, only one of them will be updated.
This also eliminates the need for "deleting a network policy that
failed half-way through creation succeeds" test, which is based on a
"found multiple results for provided predicate" condition.

Replace tests
"stale ACLs should be cleaned up or updated at startup via
syncNetworkPolicies" and
"ACLs with long names and run syncNetworkPolicies"
with the new "reconciles an existing networkPolicy updating stale
ACLs with long names", and a part that deletes stale ARP ACLs is now
updated and tested as a part of acl_sync.

Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
Add EgressFirewallOwnerType for egress firewall ACLs.

Update syncEgressFirewall to use passed egressFirewalls objects for
cleanup, create updateEgressFirewallACLsDbIndex function that updates
old formatted ACLs.
Update egressfirewall_test.go, move a part of setup to BeforeEach.

Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
1. rename BuildACLFromDbIndex to BuildACL, since it is the only method
that should be used now.
2. Rename getACLMatchFromACLDir to getACLMatch, remove stale version.
3. update isEquivalentACL to checkACLPrimaryID, that matches on primaryID
until we get client indexes.
4. Add acls.md doc explaining all acls that are used by ovn-k and their
dependencies with examples
5. Update multicast docs

Add missing links to README.md

Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
Now Egress firewall ACLs are named "EF:<namespace>:<priority>"
default deny netpol ACLs "NP:<namespace>:<direction>"
gress ACLs "NP:<policyNamespace>:<policyName>:<direction>:<gressIdx>"

Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
…once

Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
…t that.

Spotted in upstream ovn-org/ovn CI when running against ovn versions
<=22.09 which don't support component templates:

https://github.com/ovn-org/ovn/actions/runs/4628617882

Reported error:
  failed to sync chassis: error: failed to get template var list: error:
  Wrong parameter type (*nbdb.ChassisTemplateVar): Model not found in
  Database Model

Fixes: 4b3475a ("services: Use OVN template load balancers for NodePort services.")
Signed-off-by: Dumitru Ceara <dceara@redhat.com>
services: Don't try to list/cleanup templates when OVN doesn't suppor…
Use PrimaryID as a client index for ACL.
@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 26, 2023
@openshift-ci openshift-ci bot requested review from abhat and dcbw May 26, 2023 10:23
…cl-indexes-merge-downstream

Conflicts:
	go-controller/pkg/libovsdb/libovsdb.go
because openshift#1652 is merged
already
@tssurya tssurya force-pushed the acl-indexes-merge-downstream branch from 331f2b2 to 2f2bc32 Compare May 30, 2023 19:10

tssurya commented May 30, 2023

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 30, 2023

tssurya commented May 30, 2023

/retest unit


openshift-ci bot commented May 30, 2023

@tssurya: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

  • /test 4.14-upgrade-from-stable-4.13-e2e-aws-ovn-upgrade
  • /test 4.14-upgrade-from-stable-4.13-images
  • /test 4.14-upgrade-from-stable-4.13-local-gateway-e2e-aws-ovn-upgrade
  • /test 4.14-upgrade-from-stable-4.13-local-gateway-images
  • /test e2e-aws-ovn
  • /test e2e-aws-ovn-local-gateway
  • /test e2e-aws-ovn-local-to-shared-gateway-mode-migration
  • /test e2e-aws-ovn-shared-to-local-gateway-mode-migration
  • /test e2e-aws-ovn-upgrade
  • /test e2e-aws-ovn-upgrade-local-gateway
  • /test e2e-aws-ovn-windows
  • /test e2e-gcp-ovn
  • /test e2e-metal-ipi-ovn-dualstack
  • /test e2e-metal-ipi-ovn-ipv6
  • /test e2e-vsphere-windows
  • /test gofmt
  • /test images
  • /test lint
  • /test okd-images
  • /test unit

The following commands are available to trigger optional jobs:

  • /test e2e-aws-ovn-hypershift
  • /test e2e-aws-ovn-serial
  • /test e2e-azure-ovn
  • /test e2e-metal-ipi-ovn-ipv4
  • /test e2e-openstack-ovn
  • /test e2e-ovn-hybrid-step-registry
  • /test e2e-vsphere-ovn
  • /test okd-e2e-gcp-ovn

Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-openshift-ovn-kubernetes-master-4.14-upgrade-from-stable-4.13-e2e-aws-ovn-upgrade
  • pull-ci-openshift-ovn-kubernetes-master-4.14-upgrade-from-stable-4.13-images
  • pull-ci-openshift-ovn-kubernetes-master-4.14-upgrade-from-stable-4.13-local-gateway-e2e-aws-ovn-upgrade
  • pull-ci-openshift-ovn-kubernetes-master-4.14-upgrade-from-stable-4.13-local-gateway-images
  • pull-ci-openshift-ovn-kubernetes-master-e2e-aws-ovn
  • pull-ci-openshift-ovn-kubernetes-master-e2e-aws-ovn-hypershift
  • pull-ci-openshift-ovn-kubernetes-master-e2e-aws-ovn-local-gateway
  • pull-ci-openshift-ovn-kubernetes-master-e2e-aws-ovn-local-to-shared-gateway-mode-migration
  • pull-ci-openshift-ovn-kubernetes-master-e2e-aws-ovn-shared-to-local-gateway-mode-migration
  • pull-ci-openshift-ovn-kubernetes-master-e2e-aws-ovn-upgrade
  • pull-ci-openshift-ovn-kubernetes-master-e2e-aws-ovn-upgrade-local-gateway
  • pull-ci-openshift-ovn-kubernetes-master-e2e-aws-ovn-windows
  • pull-ci-openshift-ovn-kubernetes-master-e2e-azure-ovn
  • pull-ci-openshift-ovn-kubernetes-master-e2e-gcp-ovn
  • pull-ci-openshift-ovn-kubernetes-master-e2e-metal-ipi-ovn-dualstack
  • pull-ci-openshift-ovn-kubernetes-master-e2e-metal-ipi-ovn-ipv6
  • pull-ci-openshift-ovn-kubernetes-master-e2e-openstack-ovn
  • pull-ci-openshift-ovn-kubernetes-master-e2e-ovn-hybrid-step-registry
  • pull-ci-openshift-ovn-kubernetes-master-e2e-vsphere-ovn
  • pull-ci-openshift-ovn-kubernetes-master-e2e-vsphere-windows
  • pull-ci-openshift-ovn-kubernetes-master-gofmt
  • pull-ci-openshift-ovn-kubernetes-master-images
  • pull-ci-openshift-ovn-kubernetes-master-lint
  • pull-ci-openshift-ovn-kubernetes-master-okd-e2e-gcp-ovn
  • pull-ci-openshift-ovn-kubernetes-master-okd-images
  • pull-ci-openshift-ovn-kubernetes-master-unit

In response to this:

/retest unit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


tssurya commented May 30, 2023

/test unit


tssurya commented May 30, 2023

/test unit


tssurya commented May 30, 2023

unit test will fail till we get ovn-kubernetes/ovn-kubernetes#3505 in, I can get that in only when this merges since we don't want to disrupt merge order, so we are going to have to override that job :/


tssurya commented May 30, 2023

/test unit


tssurya commented May 30, 2023

/test unit


tssurya commented May 31, 2023

/retest


tssurya commented May 31, 2023

/payload 4.14 nightly informing


openshift-ci bot commented May 31, 2023

@tssurya: trigger 55 job(s) of type informing for the nightly release of OCP 4.14

  • periodic-ci-openshift-release-master-nightly-4.14-e2e-alibaba-ovn
  • periodic-ci-openshift-release-master-nightly-4.14-console-aws
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-aws-csi
  • periodic-ci-openshift-release-master-ci-4.14-e2e-aws-ovn
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-aws-ovn-fips
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-aws-ovn-single-node
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-aws-ovn-single-node-serial
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-aws-sdn
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-aws-sdn-cgroupsv2
  • periodic-ci-openshift-release-master-ci-4.14-e2e-aws-sdn-techpreview
  • periodic-ci-openshift-release-master-ci-4.14-e2e-aws-sdn-techpreview-serial
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-aws-ovn-upi
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-azure-csi
  • periodic-ci-openshift-release-master-ci-4.14-e2e-azure-ovn
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-azure-sdn
  • periodic-ci-openshift-release-master-ci-4.14-e2e-azure-sdn-techpreview
  • periodic-ci-openshift-release-master-ci-4.14-e2e-azure-sdn-techpreview-serial
  • periodic-ci-openshift-release-master-ci-4.14-e2e-azure-sdn-upgrade
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-azure-deploy-cnv
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-azure-upgrade-cnv
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-aws-driver-toolkit
  • periodic-ci-openshift-release-master-ci-4.14-e2e-gcp-ovn
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-gcp-ovn-csi
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-gcp-ovn-rt
  • periodic-ci-openshift-release-master-ci-4.14-upgrade-from-stable-4.13-e2e-gcp-ovn-upgrade
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-gcp-sdn
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-gcp-sdn-serial
  • periodic-ci-openshift-release-master-ci-4.14-e2e-gcp-sdn-techpreview
  • periodic-ci-openshift-release-master-ci-4.14-e2e-gcp-sdn-techpreview-serial
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-gcp-sdn-upgrade
  • periodic-ci-openshift-release-master-ci-4.14-upgrade-from-stable-4.13-e2e-gcp-sdn-upgrade
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-metal-ipi-ovn-dualstack
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-metal-ipi-sdn-bm-upgrade
  • periodic-ci-openshift-release-master-nightly-4.14-upgrade-from-stable-4.13-e2e-metal-ipi-sdn-bm-upgrade
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-metal-ipi-sdn-serial-ipv4
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-metal-ipi-sdn-serial-virtualmedia-bond
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-metal-ipi-serial-ovn-ipv6
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-metal-ipi-serial-ovn-dualstack
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-metal-ipi-upgrade-ovn-ipv6
  • periodic-ci-openshift-release-master-nightly-4.14-upgrade-from-stable-4.13-e2e-metal-ipi-upgrade-ovn-ipv6
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-metal-ovn-assisted
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-ovirt-csi
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-ovirt-sdn
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-aws-ovn-proxy
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-metal-ovn-single-node-live-iso
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-aws-sdn-upgrade
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-telco5g
  • periodic-ci-openshift-release-master-nightly-4.14-upgrade-from-stable-4.13-e2e-aws-sdn-upgrade
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-vsphere-ovn-csi
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-vsphere-ovn-serial
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-vsphere-ovn-techpreview
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-vsphere-ovn-techpreview-serial
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-vsphere-ovn-upi
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-vsphere-ovn-upi-serial
  • periodic-ci-openshift-release-master-nightly-4.14-e2e-vsphere-sdn

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/5619f840-ff81-11ed-9b89-6c0cf7df2d1e-0


tssurya commented May 31, 2023

/payload-abort


openshift-ci bot commented May 31, 2023

@tssurya: aborted active payload jobs for pull request #1684


tssurya commented May 31, 2023

/payload-aggregate periodic-ci-openshift-release-master-ci-4.14-e2e-gcp-ovn-upgrade 5


openshift-ci bot commented May 31, 2023

@tssurya: trigger 1 job(s) for the /payload-(job|aggregate) command

  • periodic-ci-openshift-release-master-ci-4.14-e2e-gcp-ovn-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/173d7b50-ff82-11ed-89b0-105077cde5d5-0

@npinaeva
Contributor

/lgtm for conflicts around #1652


tssurya commented May 31, 2023

/test e2e-aws-ovn-hypershift

@npinaeva
Contributor

/lgtm


tssurya commented May 31, 2023

/hold

@openshift-ci openshift-ci bot added lgtm Indicates that a PR is ready to be merged. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels May 31, 2023
@jcaamano
Contributor

/approve


openshift-ci bot commented May 31, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jcaamano, npinaeva, tssurya

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 31, 2023

tssurya commented May 31, 2023

/test e2e-aws-ovn-windows
/test e2e-vsphere-windows
/test okd-e2e-gcp-ovn
/test e2e-aws-ovn-hypershift


tssurya commented May 31, 2023

/hold cancel
upgrades are passing..

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 31, 2023

tssurya commented May 31, 2023

/test e2e-aws-ovn-windows


tssurya commented May 31, 2023

/test e2e-vsphere-windows
/test e2e-aws-ovn-windows


tssurya commented May 31, 2023

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 31, 2023

tssurya commented May 31, 2023

don't remove hold here, we want to prioritize #1690


openshift-ci bot commented May 31, 2023

@tssurya: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-ovn-upgrade-local-gateway | 2f2bc32 | link | true | /test e2e-aws-ovn-upgrade-local-gateway |
| ci/prow/e2e-vsphere-windows | 2f2bc32 | link | true | /test e2e-vsphere-windows |
| ci/prow/unit | 2f2bc32 | link | true | /test unit |
| ci/prow/e2e-aws-ovn-hypershift | 2f2bc32 | link | false | /test e2e-aws-ovn-hypershift |

Full PR test history. Your PR dashboard.



tssurya commented Jun 1, 2023

closed in favour of #1692

@tssurya tssurya closed this Jun 1, 2023