diff --git a/go-controller/pkg/ovn/egressfirewall_test.go b/go-controller/pkg/ovn/egressfirewall_test.go index 8e621536750..feff29c86d4 100644 --- a/go-controller/pkg/ovn/egressfirewall_test.go +++ b/go-controller/pkg/ovn/egressfirewall_test.go @@ -289,7 +289,7 @@ var _ = ginkgo.Describe("OVN EgressFirewall Operations", func() { config.Gateway.Mode = gwMode app.Action = func(ctx *cli.Context) error { // owned by non-existing namespace - fakeController := getFakeController(DefaultNetworkControllerName) + fakeController := getFakeController() purgeIDs := fakeController.getEgressFirewallACLDbIDs("none", 0) purgeACL := libovsdbops.BuildACL( "purgeACL1", @@ -489,7 +489,7 @@ var _ = ginkgo.Describe("OVN EgressFirewall Operations", func() { config.Gateway.Mode = gwMode app.Action = func(ctx *cli.Context) error { - fakeController := getFakeController(DefaultNetworkControllerName) + fakeController := getFakeController() fakeOVN.controller = fakeController namespace1 := *newNamespace("namespace1") @@ -522,7 +522,7 @@ var _ = ginkgo.Describe("OVN EgressFirewall Operations", func() { namespace1 := *newNamespace("namespace1") dnsName := util.LowerCaseFQDN("www.example.com") - fakeController := getFakeController(DefaultNetworkControllerName) + fakeController := getFakeController() fakeOVN.controller = fakeController // add dns address set along with the acl and pg to the initial db. diff --git a/go-controller/pkg/ovn/master_test.go b/go-controller/pkg/ovn/master_test.go index bd3ebd26dbf..bc87c41dcd0 100644 --- a/go-controller/pkg/ovn/master_test.go +++ b/go-controller/pkg/ovn/master_test.go @@ -1833,7 +1833,11 @@ func newClusterJoinSwitch() *nbdb.LogicalSwitch { } func newClusterPortGroup() *nbdb.PortGroup { - fakeController := getFakeController(DefaultNetworkControllerName) + return newClusterPortGroupForNetwork(&util.DefaultNetInfo{}) +} + +func newClusterPortGroupForNetwork(netInfo util.NetInfo) *nbdb.PortGroup { + fakeController := getFakeControllerForNetwork(netInfo) pgIDs := fakeController.getClusterPortGroupDbIDs(types.ClusterPortGroupNameBase) pg := libovsdbutil.BuildPortGroup(pgIDs, nil, nil) pg.UUID = pgIDs.String() @@ -1841,7 +1845,11 @@ func newClusterPortGroup() *nbdb.PortGroup { } func newRouterPortGroup() *nbdb.PortGroup { - fakeController := getFakeController(DefaultNetworkControllerName) + return newRouterPortGroupForNetwork(&util.DefaultNetInfo{}) +} + +func newRouterPortGroupForNetwork(netInfo util.NetInfo) *nbdb.PortGroup { + fakeController := getFakeControllerForNetwork(netInfo) pgIDs := fakeController.getClusterPortGroupDbIDs(types.ClusterRtrPortGroupNameBase) pg := libovsdbutil.BuildPortGroup(pgIDs, nil, nil) pg.UUID = pgIDs.String() diff --git a/go-controller/pkg/ovn/multicast_test.go b/go-controller/pkg/ovn/multicast_test.go index b1a6b772dfb..162948861ac 100644 --- a/go-controller/pkg/ovn/multicast_test.go +++ b/go-controller/pkg/ovn/multicast_test.go @@ -54,8 +54,12 @@ func setIpMode(m ipMode) { } func getMulticastDefaultExpectedData(clusterPortGroup, clusterRtrPortGroup *nbdb.PortGroup) []libovsdb.TestData { + return getMulticastDefaultExpectedDataForNetwork(&util.DefaultNetInfo{}, clusterPortGroup, clusterRtrPortGroup) +} +func getMulticastDefaultExpectedDataForNetwork(netInfo util.NetInfo, clusterPortGroup, clusterRtrPortGroup *nbdb.PortGroup) []libovsdb.TestData { + controllerName := getNetworkControllerName(netInfo.GetNetworkName()) match := getMulticastACLMatch() - aclIDs := getDefaultMcastACLDbIDs(mcastDefaultDenyID, libovsdbutil.ACLEgress, DefaultNetworkControllerName) + aclIDs := getDefaultMcastACLDbIDs(mcastDefaultDenyID, libovsdbutil.ACLEgress, controllerName) aclName := libovsdbutil.GetACLName(aclIDs) defaultDenyEgressACL := libovsdbops.BuildACL( aclName, @@ -74,7 +78,7 @@ func getMulticastDefaultExpectedData(clusterPortGroup, clusterRtrPortGroup *nbdb ) defaultDenyEgressACL.UUID = "defaultDenyEgressACL_UUID" - aclIDs = getDefaultMcastACLDbIDs(mcastDefaultDenyID, libovsdbutil.ACLIngress, DefaultNetworkControllerName) + aclIDs = getDefaultMcastACLDbIDs(mcastDefaultDenyID, libovsdbutil.ACLIngress, controllerName) aclName = libovsdbutil.GetACLName(aclIDs) defaultDenyIngressACL := libovsdbops.BuildACL( aclName, @@ -92,7 +96,7 @@ func getMulticastDefaultExpectedData(clusterPortGroup, clusterRtrPortGroup *nbdb defaultDenyIngressACL.UUID = "defaultDenyIngressACL_UUID" clusterPortGroup.ACLs = []string{defaultDenyEgressACL.UUID, defaultDenyIngressACL.UUID} - aclIDs = getDefaultMcastACLDbIDs(mcastAllowInterNodeID, libovsdbutil.ACLEgress, DefaultNetworkControllerName) + aclIDs = getDefaultMcastACLDbIDs(mcastAllowInterNodeID, libovsdbutil.ACLEgress, controllerName) aclName = libovsdbutil.GetACLName(aclIDs) egressMatch := libovsdbutil.GetACLMatch(clusterRtrPortGroup.Name, match, libovsdbutil.ACLEgress) defaultAllowEgressACL := libovsdbops.BuildACL( @@ -112,7 +116,7 @@ func getMulticastDefaultExpectedData(clusterPortGroup, clusterRtrPortGroup *nbdb ) defaultAllowEgressACL.UUID = "defaultAllowEgressACL_UUID" - aclIDs = getDefaultMcastACLDbIDs(mcastAllowInterNodeID, libovsdbutil.ACLIngress, DefaultNetworkControllerName) + aclIDs = getDefaultMcastACLDbIDs(mcastAllowInterNodeID, libovsdbutil.ACLIngress, controllerName) aclName = libovsdbutil.GetACLName(aclIDs) ingressMatch := libovsdbutil.GetACLMatch(clusterRtrPortGroup.Name, match, libovsdbutil.ACLIngress) defaultAllowIngressACL := libovsdbops.BuildACL( @@ -141,7 +145,11 @@ func getMulticastDefaultExpectedData(clusterPortGroup, clusterRtrPortGroup *nbdb } func getMulticastDefaultStaleData(clusterPortGroup, clusterRtrPortGroup *nbdb.PortGroup) []libovsdb.TestData { - testData := getMulticastDefaultExpectedData(clusterPortGroup, clusterRtrPortGroup) + return getMulticastDefaultStaleDataForNetwork(&util.DefaultNetInfo{}, clusterPortGroup, clusterRtrPortGroup) +} + +func getMulticastDefaultStaleDataForNetwork(netInfo util.NetInfo, clusterPortGroup, clusterRtrPortGroup *nbdb.PortGroup) []libovsdb.TestData { + testData := getMulticastDefaultExpectedDataForNetwork(netInfo, clusterPortGroup, clusterRtrPortGroup) defaultDenyIngressACL := testData[0].(*nbdb.ACL) newName := libovsdbutil.JoinACLName(types.ClusterPortGroupNameBase, "DefaultDenyMulticastIngress") defaultDenyIngressACL.Name = &newName @@ -179,7 +187,10 @@ func getDefaultPortGroups() (clusterPortGroup, clusterRtrPortGroup *nbdb.PortGro } func getMulticastPolicyExpectedData(ns string, ports []string) []libovsdb.TestData { - fakeController := getFakeController(DefaultNetworkControllerName) + return getMulticastPolicyExpectedDataForNetwork(&util.DefaultNetInfo{}, ns, ports) +} +func getMulticastPolicyExpectedDataForNetwork(netInfo util.NetInfo, ns string, ports []string) []libovsdb.TestData { + fakeController := getFakeControllerForNetwork(netInfo) pg_hash := fakeController.getNamespacePortGroupName(ns) egressMatch := libovsdbutil.GetACLMatch(pg_hash, fakeController.getMulticastACLEgrMatch(), libovsdbutil.ACLEgress) @@ -187,7 +198,7 @@ func getMulticastPolicyExpectedData(ns string, ports []string) []libovsdb.TestDa mcastMatch := getACLMatchAF(getMulticastACLIgrMatchV4(ip4AddressSet), getMulticastACLIgrMatchV6(ip6AddressSet), config.IPv4Mode, config.IPv6Mode) ingressMatch := libovsdbutil.GetACLMatch(pg_hash, mcastMatch, libovsdbutil.ACLIngress) - aclIDs := getNamespaceMcastACLDbIDs(ns, libovsdbutil.ACLEgress, DefaultNetworkControllerName) + aclIDs := getNamespaceMcastACLDbIDs(ns, libovsdbutil.ACLEgress, getNetworkControllerName(netInfo.GetNetworkName())) aclName := libovsdbutil.GetACLName(aclIDs) egressACL := libovsdbops.BuildACL( aclName, @@ -206,7 +217,7 @@ func getMulticastPolicyExpectedData(ns string, ports []string) []libovsdb.TestDa ) egressACL.UUID = ns + "mc-egress-UUID" - aclIDs = getNamespaceMcastACLDbIDs(ns, libovsdbutil.ACLIngress, DefaultNetworkControllerName) + aclIDs = getNamespaceMcastACLDbIDs(ns, libovsdbutil.ACLIngress, getNetworkControllerName(netInfo.GetNetworkName())) aclName = libovsdbutil.GetACLName(aclIDs) ingressACL := libovsdbops.BuildACL( aclName, diff --git a/go-controller/pkg/ovn/network_segmentation_multicast_test.go b/go-controller/pkg/ovn/network_segmentation_multicast_test.go new file mode 100644 index 00000000000..eba89c2e3d1 --- /dev/null +++ b/go-controller/pkg/ovn/network_segmentation_multicast_test.go @@ -0,0 +1,460 @@ +package ovn + +import ( + "github.com/urfave/cli/v2" + v1 "k8s.io/api/core/v1" + + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" + + "github.com/onsi/gomega/format" + + "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/config" + "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/nbdb" + ovntest "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/testing" + "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/testing/libovsdb" + "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/types" + "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/util" +) + +func getDefaultPortGroupsForNetwork(netInfo util.NetInfo) (clusterPortGroup, clusterRtrPortGroup *nbdb.PortGroup) { + clusterPortGroup = newClusterPortGroupForNetwork(netInfo) + clusterRtrPortGroup = newRouterPortGroupForNetwork(netInfo) + return +} + +var _ = Describe("[Network Segmentation] OVN Multicast with IP Address Family", func() { + const ( + namespaceName1 = "namespace1" + nodeName = "node1" + ) + var ( + app *cli.App + fakeOvn *FakeOVN + gomegaFormatMaxLength int + nad = ovntest.GenerateNAD("bluenet", "rednad", "greenamespace", + types.Layer3Topology, "100.128.0.0/16", types.NetworkRolePrimary) + netInfo util.NetInfo + ) + + BeforeEach(func() { + // Restore global default values before each testcase + config.PrepareTestConfig() + config.IPv4Mode = true + config.IPv6Mode = false + config.EnableMulticast = true + + app = cli.NewApp() + app.Name = "test" + // flags are written to config.EnableMulticast + // if there is no --enable-multicast flag, it will set to false. + // alternative approach is to give this flag to app.Run, but that require more changes. + //app.Flags = config.Flags + + fakeOvn = NewFakeOVN(true) + gomegaFormatMaxLength = format.MaxLength + format.MaxLength = 0 + + var err error + netInfo, err = util.ParseNADInfo(nad) + Expect(err).ToNot(HaveOccurred()) + }) + + AfterEach(func() { + fakeOvn.shutdown() + format.MaxLength = gomegaFormatMaxLength + }) + + Context("on startup", func() { + It("creates default Multicast ACLs", func() { + app.Action = func(ctx *cli.Context) error { + clusterPortGroup, clusterRtrPortGroup := getDefaultPortGroupsForNetwork(netInfo) + fakeOvn.startWithDBSetup(libovsdb.TestSetup{ + NBData: []libovsdb.TestData{ + clusterPortGroup, + clusterRtrPortGroup, + }, + }) + + Expect(fakeOvn.NewSecondaryNetworkController(nad)).To(Succeed()) + controller, ok := fakeOvn.secondaryControllers[netInfo.GetNetworkName()] + Expect(ok).To(BeTrue()) + + Expect(controller.bnc.createDefaultDenyMulticastPolicy()).To(Succeed()) + Expect(controller.bnc.createDefaultAllowMulticastPolicy()).To(Succeed()) + + Eventually(fakeOvn.nbClient).Should(libovsdb.HaveData( + getMulticastDefaultExpectedDataForNetwork(netInfo, clusterPortGroup, clusterRtrPortGroup))) + return nil + } + err := app.Run([]string{app.Name}) + Expect(err).NotTo(HaveOccurred()) + }) + It("updates stale default Multicast ACLs", func() { + app.Action = func(ctx *cli.Context) error { + // start with stale ACLs + clusterPortGroup, clusterRtrPortGroup := getDefaultPortGroupsForNetwork(netInfo) + fakeOvn.startWithDBSetup(libovsdb.TestSetup{ + NBData: getMulticastDefaultStaleDataForNetwork(netInfo, clusterPortGroup, clusterRtrPortGroup), + }) + + Expect(fakeOvn.NewSecondaryNetworkController(nad)).To(Succeed()) + controller, ok := fakeOvn.secondaryControllers[netInfo.GetNetworkName()] + Expect(ok).To(BeTrue()) + + Expect(controller.bnc.createDefaultDenyMulticastPolicy()).To(Succeed()) + Expect(controller.bnc.createDefaultAllowMulticastPolicy()).To(Succeed()) + + // check acls are updated + Eventually(fakeOvn.nbClient).Should(libovsdb.HaveData( + getMulticastDefaultExpectedDataForNetwork(netInfo, clusterPortGroup, clusterRtrPortGroup))) + return nil + } + err := app.Run([]string{app.Name}) + Expect(err).NotTo(HaveOccurred()) + }) + It("cleans up Multicast resources when multicast is disabled", func() { + app.Action = func(ctx *cli.Context) error { + clusterPortGroup, clusterRtrPortGroup := getDefaultPortGroupsForNetwork(netInfo) + initialData := getMulticastDefaultExpectedDataForNetwork(netInfo, clusterPortGroup, clusterRtrPortGroup) + + nsData := getMulticastPolicyExpectedDataForNetwork(netInfo, namespaceName1, nil) + initialData = append(initialData, nsData...) + // namespace is still present, but multicast support is disabled + namespace1 := *newNamespace(namespaceName1) + fakeOvn.startWithDBSetup(libovsdb.TestSetup{NBData: initialData}, + &v1.NamespaceList{ + Items: []v1.Namespace{ + namespace1, + }, + }, + ) + + Expect(fakeOvn.NewSecondaryNetworkController(nad)).To(Succeed()) + controller, ok := fakeOvn.secondaryControllers[netInfo.GetNetworkName()] + Expect(ok).To(BeTrue()) + + // this "if !oc.multicastSupport" part of SetupMaster + err := controller.bnc.disableMulticast() + Expect(err).NotTo(HaveOccurred()) + + // check acls are deleted when multicast is disabled + clusterPortGroup, clusterRtrPortGroup = getDefaultPortGroupsForNetwork(netInfo) + namespacePortGroup := getNamespacePG(namespaceName1, controller.bnc.controllerName) + expectedData := []libovsdb.TestData{ + clusterPortGroup, + clusterRtrPortGroup, + namespacePortGroup, + } + + Eventually(fakeOvn.nbClient).Should(libovsdb.HaveData(expectedData)) + return nil + } + err := app.Run([]string{app.Name}) + Expect(err).NotTo(HaveOccurred()) + }) + It("creates namespace Multicast ACLs", func() { + app.Action = func(ctx *cli.Context) error { + clusterPortGroup, clusterRtrPortGroup := getDefaultPortGroupsForNetwork(netInfo) + expectedData := getMulticastDefaultExpectedDataForNetwork(netInfo, clusterPortGroup, clusterRtrPortGroup) + // namespace exists, but multicast acls do not + namespace1 := *newNamespace(namespaceName1) + namespace1.Annotations[util.NsMulticastAnnotation] = "true" + fakeOvn.startWithDBSetup(libovsdb.TestSetup{NBData: expectedData}, + &v1.NamespaceList{ + Items: []v1.Namespace{ + namespace1, + }, + }, + ) + + Expect(fakeOvn.NewSecondaryNetworkController(nad)).To(Succeed()) + controller, ok := fakeOvn.secondaryControllers[netInfo.GetNetworkName()] + Expect(ok).To(BeTrue()) + + err := controller.bnc.WatchNamespaces() + Expect(err).NotTo(HaveOccurred()) + expectedData = append(expectedData, getMulticastPolicyExpectedDataForNetwork(netInfo, namespaceName1, nil)...) + Eventually(fakeOvn.nbClient).Should(libovsdb.HaveData(expectedData)) + return nil + } + err := app.Run([]string{app.Name}) + Expect(err).NotTo(HaveOccurred()) + }) + /* + It("updates stale namespace Multicast ACLs", func() { + app.Action = func(ctx *cli.Context) error { + // start with stale ACLs for existing namespace + clusterPortGroup, clusterRtrPortGroup := getDefaultPortGroups() + expectedData := getMulticastDefaultExpectedData(clusterPortGroup, clusterRtrPortGroup) + expectedData = append(expectedData, getMulticastPolicyStaleData(namespaceName1, nil)...) + namespace1 := *newNamespace(namespaceName1) + namespace1.Annotations[util.NsMulticastAnnotation] = "true" + fakeOvn.startWithDBSetup(libovsdb.TestSetup{NBData: expectedData}, + &v1.NamespaceList{ + Items: []v1.Namespace{ + namespace1, + }, + }, + ) + + err := fakeOvn.controller.WatchNamespaces() + Expect(err).NotTo(HaveOccurred()) + + expectedData = getMulticastDefaultExpectedData(clusterPortGroup, clusterRtrPortGroup) + expectedData = append(expectedData, getMulticastPolicyExpectedData(namespaceName1, nil)...) + Eventually(fakeOvn.nbClient).Should(libovsdb.HaveData(expectedData)) + return nil + } + + err := app.Run([]string{app.Name}) + Expect(err).NotTo(HaveOccurred()) + }) + It("cleans up namespace Multicast ACLs when multicast is disabled for namespace", func() { + app.Action = func(ctx *cli.Context) error { + // start with stale ACLs + clusterPortGroup, clusterRtrPortGroup := getDefaultPortGroups() + defaultMulticastData := getMulticastDefaultExpectedData(clusterPortGroup, clusterRtrPortGroup) + namespaceMulticastData := getMulticastPolicyExpectedData(namespaceName1, nil) + namespace1 := *newNamespace(namespaceName1) + + fakeOvn.startWithDBSetup(libovsdb.TestSetup{NBData: append(defaultMulticastData, namespaceMulticastData...)}, + &v1.NamespaceList{ + Items: []v1.Namespace{ + namespace1, + }, + }, + ) + + err := fakeOvn.controller.WatchNamespaces() + Expect(err).NotTo(HaveOccurred()) + // only namespaced acls should be dereferenced, default acls will stay + namespacePortGroup := getNamespacePG(namespaceName1, fakeOvn.controller.controllerName) + expectedData := append(defaultMulticastData, namespacePortGroup) + Eventually(fakeOvn.nbClient).Should(libovsdb.HaveData(expectedData)) + return nil + } + err := app.Run([]string{app.Name}) + Expect(err).NotTo(HaveOccurred()) + }) + */ + }) + + /* + Context("during execution", func() { + for _, m := range getIpModes() { + m := m + It("tests enabling/disabling multicast in a namespace "+ipModeStr(m), func() { + app.Action = func(ctx *cli.Context) error { + namespace1 := *newNamespace(namespaceName1) + + fakeOvn.startWithDBSetup(libovsdb.TestSetup{}, + &v1.NamespaceList{ + Items: []v1.Namespace{ + namespace1, + }, + }, + ) + setIpMode(m) + + err := fakeOvn.controller.WatchNamespaces() + Expect(err).NotTo(HaveOccurred()) + ns, err := fakeOvn.fakeClient.KubeClient.CoreV1().Namespaces().Get(context.TODO(), namespace1.Name, metav1.GetOptions{}) + Expect(err).NotTo(HaveOccurred()) + Expect(ns).NotTo(BeNil()) + + // Multicast is denied by default. + _, ok := ns.Annotations[util.NsMulticastAnnotation] + Expect(ok).To(BeFalse()) + + // Enable multicast in the namespace. + updateMulticast(fakeOvn, ns, true) + expectedData := getMulticastPolicyExpectedData(namespace1.Name, nil) + Eventually(fakeOvn.nbClient).Should(libovsdb.HaveData(expectedData...)) + + // Disable multicast in the namespace. + updateMulticast(fakeOvn, ns, false) + + namespacePortGroup := getNamespacePG(namespaceName1, fakeOvn.controller.controllerName) + Eventually(fakeOvn.nbClient).Should(libovsdb.HaveData(namespacePortGroup)) + return nil + } + + err := app.Run([]string{app.Name}) + Expect(err).NotTo(HaveOccurred()) + }) + + It("tests enabling multicast in a namespace with a pod "+ipModeStr(m), func() { + app.Action = func(ctx *cli.Context) error { + namespace1 := *newNamespace(namespaceName1) + pods, tPods, tPodIPs := createTestPods(nodeName, namespaceName1, m) + + fakeOvn.startWithDBSetup(libovsdb.TestSetup{NBData: getNodeSwitch(nodeName)}, + &v1.NamespaceList{ + Items: []v1.Namespace{ + namespace1, + }, + }, + &v1.NodeList{ + Items: []v1.Node{ + *newNode("node1", "192.168.126.202/24"), + }, + }, + &v1.PodList{ + Items: pods, + }, + ) + setIpMode(m) + + for _, tPod := range tPods { + tPod.populateLogicalSwitchCache(fakeOvn) + } + + err := fakeOvn.controller.WatchNamespaces() + Expect(err).NotTo(HaveOccurred()) + err = fakeOvn.controller.WatchPods() + Expect(err).NotTo(HaveOccurred()) + ns, err := fakeOvn.fakeClient.KubeClient.CoreV1().Namespaces().Get(context.TODO(), namespace1.Name, metav1.GetOptions{}) + Expect(err).NotTo(HaveOccurred()) + Expect(ns).NotTo(BeNil()) + + // Enable multicast in the namespace + updateMulticast(fakeOvn, ns, true) + // calculate expected data + ports := []string{} + for _, tPod := range tPods { + ports = append(ports, tPod.portUUID) + } + expectedData := getMulticastPolicyExpectedData(namespace1.Name, ports) + expectedData = append(expectedData, getExpectedDataPodsAndSwitches(tPods, []string{nodeName})...) + Eventually(fakeOvn.nbClient).Should(libovsdb.HaveData(expectedData...)) + fakeOvn.asf.ExpectAddressSetWithAddresses(namespace1.Name, tPodIPs) + return nil + } + + err := app.Run([]string{app.Name}) + Expect(err).NotTo(HaveOccurred()) + }) + + It("tests enabling multicast in multiple namespaces with a long name > 42 characters "+ipModeStr(m), func() { + app.Action = func(ctx *cli.Context) error { + longNameSpace1Name := "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk" // create with 63 characters + namespace1 := *newNamespace(longNameSpace1Name) + longNameSpace2Name := "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijl" // create with 63 characters + namespace2 := *newNamespace(longNameSpace2Name) + + fakeOvn.startWithDBSetup(libovsdb.TestSetup{NBData: getNodeSwitch(nodeName)}, + &v1.NamespaceList{ + Items: []v1.Namespace{ + namespace1, + namespace2, + }, + }, + ) + setIpMode(m) + + err := fakeOvn.controller.WatchNamespaces() + Expect(err).NotTo(HaveOccurred()) + fakeOvn.controller.WatchPods() + ns1, err := fakeOvn.fakeClient.KubeClient.CoreV1().Namespaces().Get(context.TODO(), namespace1.Name, metav1.GetOptions{}) + Expect(err).NotTo(HaveOccurred()) + Expect(ns1).NotTo(BeNil()) + ns2, err := fakeOvn.fakeClient.KubeClient.CoreV1().Namespaces().Get(context.TODO(), namespace2.Name, metav1.GetOptions{}) + Expect(err).NotTo(HaveOccurred()) + Expect(ns2).NotTo(BeNil()) + + portsns1 := []string{} + expectedData := getMulticastPolicyExpectedData(longNameSpace1Name, portsns1) + acl := expectedData[0].(*nbdb.ACL) + // Post ACL indexing work, multicast ACL's don't have names + // We use externalIDs instead; so we can check if the expected IDs exist for the long namespace so that + // isEquivalent logic will be correct + Expect(acl.Name).To(BeNil()) + Expect(acl.ExternalIDs[libovsdbops.ObjectNameKey.String()]).To(Equal(longNameSpace1Name)) + expectedData = append(expectedData, getMulticastPolicyExpectedData(longNameSpace2Name, nil)...) + acl = expectedData[3].(*nbdb.ACL) + Expect(acl.Name).To(BeNil()) + Expect(acl.ExternalIDs[libovsdbops.ObjectNameKey.String()]).To(Equal(longNameSpace2Name)) + expectedData = append(expectedData, getExpectedDataPodsAndSwitches([]testPod{}, []string{"node1"})...) + // Enable multicast in the namespace. + updateMulticast(fakeOvn, ns1, true) + updateMulticast(fakeOvn, ns2, true) + Eventually(fakeOvn.nbClient).Should(libovsdb.HaveData(expectedData...)) + return nil + } + + err := app.Run([]string{app.Name}) + Expect(err).NotTo(HaveOccurred()) + }) + + It("tests adding a pod to a multicast enabled namespace "+ipModeStr(m), func() { + app.Action = func(ctx *cli.Context) error { + namespace1 := *newNamespace(namespaceName1) + _, tPods, tPodIPs := createTestPods(nodeName, namespaceName1, m) + + ports := []string{} + for _, pod := range tPods { + ports = append(ports, pod.portUUID) + } + + fakeOvn.startWithDBSetup(libovsdb.TestSetup{NBData: getNodeSwitch(nodeName)}, + &v1.NamespaceList{ + Items: []v1.Namespace{ + namespace1, + }, + }, + &v1.NodeList{ + Items: []v1.Node{ + *newNode("node1", "192.168.126.202/24"), + }, + }, + ) + setIpMode(m) + + err := fakeOvn.controller.WatchNamespaces() + Expect(err).NotTo(HaveOccurred()) + err = fakeOvn.controller.WatchPods() + Expect(err).NotTo(HaveOccurred()) + ns, err := fakeOvn.fakeClient.KubeClient.CoreV1().Namespaces().Get(context.TODO(), namespace1.Name, metav1.GetOptions{}) + Expect(err).NotTo(HaveOccurred()) + Expect(ns).NotTo(BeNil()) + + // Enable multicast in the namespace. + updateMulticast(fakeOvn, ns, true) + // Check expected data without pods + expectedDataWithoutPods := getMulticastPolicyExpectedData(namespace1.Name, nil) + expectedDataWithoutPods = append(expectedDataWithoutPods, getNodeSwitch(nodeName)...) + Eventually(fakeOvn.nbClient).Should(libovsdb.HaveData(expectedDataWithoutPods)) + + // Create pods + for _, tPod := range tPods { + tPod.populateLogicalSwitchCache(fakeOvn) + _, err = fakeOvn.fakeClient.KubeClient.CoreV1().Pods(tPod.namespace).Create(context.TODO(), newPod( + tPod.namespace, tPod.podName, tPod.nodeName, tPod.podIP), metav1.CreateOptions{}) + Expect(err).NotTo(HaveOccurred()) + } + // Check pods were added + fakeOvn.asf.EventuallyExpectAddressSetWithAddresses(namespace1.Name, tPodIPs) + expectedDataWithPods := getMulticastPolicyExpectedData(namespace1.Name, ports) + expectedDataWithPods = append(expectedDataWithPods, getExpectedDataPodsAndSwitches(tPods, []string{nodeName})...) + Eventually(fakeOvn.nbClient).Should(libovsdb.HaveData(expectedDataWithPods...)) + + // Delete the pod from the namespace. + for _, tPod := range tPods { + err = fakeOvn.fakeClient.KubeClient.CoreV1().Pods(tPod.namespace).Delete(context.TODO(), + tPod.podName, *metav1.NewDeleteOptions(0)) + Expect(err).NotTo(HaveOccurred()) + } + fakeOvn.asf.EventuallyExpectEmptyAddressSetExist(namespace1.Name) + Eventually(fakeOvn.nbClient).Should(libovsdb.HaveData(expectedDataWithoutPods)) + + return nil + } + + err := app.Run([]string{app.Name}) + Expect(err).NotTo(HaveOccurred()) + }) + } + }) + */ +}) diff --git a/go-controller/pkg/ovn/policy_stale_test.go b/go-controller/pkg/ovn/policy_stale_test.go index 4d6a4e8c7c8..75e4ba48143 100644 --- a/go-controller/pkg/ovn/policy_stale_test.go +++ b/go-controller/pkg/ovn/policy_stale_test.go @@ -315,7 +315,7 @@ var _ = ginkgo.Describe("OVN Stale NetworkPolicy Operations", func() { "egress", "0", DefaultNetworkControllerName) localASName, _ := addressset.GetHashNamesForAS(staleAddrSetIDs) peerASName, _ := getNsAddrSetHashNames(namespace2.Name) - fakeController := getFakeController(DefaultNetworkControllerName) + fakeController := getFakeController() pgName := fakeController.getNetworkPolicyPGName(networkPolicy.Namespace, networkPolicy.Name) initialData := getPolicyData(newNetpolDataParams(networkPolicy).withPeerNamespaces(namespace2.Name)) staleACL := initialData[0].(*nbdb.ACL) diff --git a/go-controller/pkg/ovn/policy_test.go b/go-controller/pkg/ovn/policy_test.go index 6a4a5be4788..33430a02b32 100644 --- a/go-controller/pkg/ovn/policy_test.go +++ b/go-controller/pkg/ovn/policy_test.go @@ -35,16 +35,20 @@ import ( utilnet "k8s.io/utils/net" ) -func getFakeController(controllerName string) *DefaultNetworkController { +func getFakeControllerForNetwork(netInfo util.NetInfo) *DefaultNetworkController { controller := &DefaultNetworkController{ BaseNetworkController: BaseNetworkController{ - controllerName: controllerName, - NetInfo: &util.DefaultNetInfo{}, + controllerName: getNetworkControllerName(netInfo.GetNetworkName()), + NetInfo: netInfo, }, } return controller } +func getFakeController() *DefaultNetworkController { + return getFakeControllerForNetwork(&util.DefaultNetInfo{}) +} + func newNetworkPolicy(name, namespace string, podSelector metav1.LabelSelector, ingress []knet.NetworkPolicyIngressRule, egress []knet.NetworkPolicyEgressRule, policyTypes ...knet.PolicyType) *knet.NetworkPolicy { policy := &knet.NetworkPolicy{ @@ -452,7 +456,7 @@ func getNamespaceWithMultiplePoliciesExpectedData(networkPolicies []*knet.Networ func getHairpinningACLsV4AndPortGroup() []libovsdbtest.TestData { clusterPortGroup := newClusterPortGroup() - fakeController := getFakeController(DefaultNetworkControllerName) + fakeController := getFakeController() egressIDs := fakeController.getNetpolDefaultACLDbIDs("Egress") egressACL := libovsdbops.BuildACL( "", @@ -2134,7 +2138,7 @@ var _ = ginkgo.Describe("OVN AllowFromNode ACL low-level operations", func() { ) getFakeController := func(nbClient libovsdbclient.Client) *DefaultNetworkController { - controller := getFakeController(DefaultNetworkControllerName) + controller := getFakeController() controller.nbClient = nbClient return controller }