Support NSX default project for SecurityPolicy (vmware-tanzu#670)

Starting from VPC 2.0, it's not allowed to created objects under /orgs/default/projects/default/infra path. So for NetworkPolicy/SecurityPolicy with namespaceSelector, in order to create Groups under Default Project, it's needed to create them under /infra/domains/default/groups/<>. As for Groups under non default Project, it's still allowed to create them under /orgs/default/projects/<custom project>/infra/domains/default/groups. This patch is to: 1. Support NetworkPolicy/SecurityPolicy creation under Default Project. 2. Refactor VPC SecurityPolicy HAPI call process for both creation and deletion. 3. Refactor VPC SecurityPolicy store apply process after creation and deletion.
TaoZou1 · Sep 11, 2024 · d3a36d5 · d3a36d5
1 parent cf5310f
commit d3a36d5
Show file tree

Hide file tree

Showing 12 changed files with 785 additions and 510 deletions.
diff --git a/pkg/controllers/networkpolicy/networkpolicy_controller.go b/pkg/controllers/networkpolicy/networkpolicy_controller.go
@@ -167,7 +167,7 @@ func (r *NetworkPolicyReconciler) CollectGarbage(ctx context.Context) {
 	for elem := range diffSet {
 		log.V(1).Info("GC collected NetworkPolicy", "ID", elem)
 		metrics.CounterInc(r.Service.NSXConfig, metrics.ControllerDeleteTotal, MetricResType)
-		err = r.Service.DeleteSecurityPolicy(types.UID(elem), false, servicecommon.ResourceTypeNetworkPolicy)
+		err = r.Service.DeleteSecurityPolicy(types.UID(elem), true, servicecommon.ResourceTypeNetworkPolicy)
 		if err != nil {
 			metrics.CounterInc(r.Service.NSXConfig, metrics.ControllerDeleteFailTotal, MetricResType)
 		} else {

diff --git a/pkg/controllers/securitypolicy/securitypolicy_controller.go b/pkg/controllers/securitypolicy/securitypolicy_controller.go
@@ -88,7 +88,7 @@ func deleteSuccess(r *SecurityPolicyReconciler, _ context.Context, o *v1alpha1.S
 
 func (r *SecurityPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	var obj client.Object
-	if r.Service.NSXConfig.EnableVPCNetwork {
+	if securitypolicy.IsVPCEnabled(r.Service) {
 		obj = &crdv1alpha1.SecurityPolicy{}
 	} else {
 		obj = &v1alpha1.SecurityPolicy{}
@@ -149,6 +149,7 @@ func (r *SecurityPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 			return ResultNormal, nil
 		}
 
+		log.Info("reconciling CR to create or update securitypolicy", "securitypolicy", req.NamespacedName)
 		if err := r.Service.CreateOrUpdateSecurityPolicy(realObj); err != nil {
 			if errors.As(err, &nsxutil.RestrictionError{}) {
 				log.Error(err, err.Error(), "securitypolicy", req.NamespacedName)
@@ -181,6 +182,7 @@ func (r *SecurityPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		}
 		updateSuccess(r, ctx, realObj)
 	} else {
+		log.Info("reconciling CR to delete securitypolicy", "securitypolicy", req.NamespacedName)
 		if controllerutil.ContainsFinalizer(obj, finalizerName) {
 			metrics.CounterInc(r.Service.NSXConfig, metrics.ControllerDeleteTotal, MetricResType)
 			if err := r.Service.DeleteSecurityPolicy(realObj.UID, false, servicecommon.ResourceTypeSecurityPolicy); err != nil {
@@ -242,7 +244,7 @@ func (r *SecurityPolicyReconciler) updateSecurityPolicyStatusConditions(ctx cont
 		}
 	}
 	if conditionsUpdated {
-		if r.Service.NSXConfig.EnableVPCNetwork {
+		if securitypolicy.IsVPCEnabled(r.Service) {
 			finalObj := securitypolicy.T1ToVPC(secPolicy)
 			err := r.Client.Status().Update(ctx, finalObj)
 			if err != nil {
@@ -288,7 +290,7 @@ func getExistingConditionOfType(conditionType v1alpha1.ConditionType, existingCo
 
 func (r *SecurityPolicyReconciler) setupWithManager(mgr ctrl.Manager) error {
 	var blr *builder.Builder
-	if r.Service.NSXConfig.EnableVPCNetwork {
+	if securitypolicy.IsVPCEnabled(r.Service) {
 		blr = ctrl.NewControllerManagedBy(mgr).For(&crdv1alpha1.SecurityPolicy{})
 	} else {
 		blr = ctrl.NewControllerManagedBy(mgr).For(&v1alpha1.SecurityPolicy{})
@@ -330,7 +332,7 @@ func (r *SecurityPolicyReconciler) CollectGarbage(ctx context.Context) {
 	}
 
 	var objectList client.ObjectList
-	if r.Service.NSXConfig.EnableVPCNetwork {
+	if securitypolicy.IsVPCEnabled(r.Service) {
 		objectList = &crdv1alpha1.SecurityPolicyList{}
 	} else {
 		objectList = &v1alpha1.SecurityPolicyList{}
@@ -357,9 +359,9 @@ func (r *SecurityPolicyReconciler) CollectGarbage(ctx context.Context) {
 
 	diffSet := nsxPolicySet.Difference(CRPolicySet)
 	for elem := range diffSet {
-		log.V(1).Info("GC collected SecurityPolicy CR", "UID", elem)
+		log.V(1).Info("GC collected SecurityPolicy CR", "securityPolicyUID", elem)
 		metrics.CounterInc(r.Service.NSXConfig, metrics.ControllerDeleteTotal, MetricResType)
-		err = r.Service.DeleteSecurityPolicy(types.UID(elem), false, servicecommon.ResourceTypeSecurityPolicy)
+		err = r.Service.DeleteSecurityPolicy(types.UID(elem), true, servicecommon.ResourceTypeSecurityPolicy)
 		if err != nil {
 			metrics.CounterInc(r.Service.NSXConfig, metrics.ControllerDeleteFailTotal, MetricResType)
 		} else {
@@ -373,7 +375,7 @@ func reconcileSecurityPolicy(r *SecurityPolicyReconciler, pkgclient client.Clien
 	podPortNames := getAllPodPortNames(pods)
 	log.V(1).Info("pod named port", "podPortNames", podPortNames)
 	var spList client.ObjectList
-	if r.Service.NSXConfig.EnableVPCNetwork {
+	if securitypolicy.IsVPCEnabled(r.Service) {
 		spList = &crdv1alpha1.SecurityPolicyList{}
 	} else {
 		spList = &v1alpha1.SecurityPolicyList{}

diff --git a/pkg/controllers/securitypolicy/securitypolicy_controller_test.go b/pkg/controllers/securitypolicy/securitypolicy_controller_test.go
@@ -231,7 +231,7 @@ func TestSecurityPolicyReconciler_Reconcile(t *testing.T) {
 		v1sp.ObjectMeta.DeletionTimestamp = &time
 		return nil
 	})
-	patch := gomonkey.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVpcCleanup bool) error {
+	patch := gomonkey.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVPCCleanupOrGC bool) error {
 		assert.FailNow(t, "should not be called")
 		return nil
 	})
@@ -247,7 +247,7 @@ func TestSecurityPolicyReconciler_Reconcile(t *testing.T) {
 		v1sp.Finalizers = []string{common.T1SecurityPolicyFinalizerName}
 		return nil
 	})
-	patch = gomonkey.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVpcCleanup bool) error {
+	patch = gomonkey.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVPCCleanupOrGC bool) error {
 		return nil
 	})
 	k8sClient.EXPECT().Update(ctx, gomock.Any(), gomock.Any()).Return(nil)
@@ -276,7 +276,7 @@ func TestSecurityPolicyReconciler_GarbageCollector(t *testing.T) {
 		a.Insert("2345")
 		return a
 	})
-	patch.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVpcCleanup bool) error {
+	patch.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVPCCleanupOrGC bool) error {
 		return nil
 	})
 	defer patch.Reset()
@@ -306,7 +306,7 @@ func TestSecurityPolicyReconciler_GarbageCollector(t *testing.T) {
 		a.Insert("1234")
 		return a
 	})
-	patch.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVpcCleanup bool) error {
+	patch.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVPCCleanupOrGC bool) error {
 		assert.FailNow(t, "should not be called")
 		return nil
 	})
@@ -325,7 +325,7 @@ func TestSecurityPolicyReconciler_GarbageCollector(t *testing.T) {
 		a := sets.New[string]()
 		return a
 	})
-	patch.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVpcCleanup bool) error {
+	patch.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVPCCleanupOrGC bool) error {
 		assert.FailNow(t, "should not be called")
 		return nil
 	})

diff --git a/pkg/nsx/services/common/types.go b/pkg/nsx/services/common/types.go
@@ -48,7 +48,7 @@ const (
 	TagScopeNSXServiceAccountCRName    string = "nsx-op/nsx_service_account_name"
 	TagScopeNSXServiceAccountCRUID     string = "nsx-op/nsx_service_account_uid"
 	TagScopeNSXProjectID               string = "nsx-op/nsx_project_id"
-	TagScopeProjectGroupShared         string = "nsx-op/is_nsx_project_shared"
+	TagScopeNSXShareCreatedFor         string = "nsx-op/nsx_share_created_for"
 	TagScopeSubnetPortCRName           string = "nsx-op/subnetport_name"
 	TagScopeSubnetPortCRUID            string = "nsx-op/subnetport_uid"
 	TagScopeIPPoolCRName               string = "nsx-op/ippool_name"
@@ -77,6 +77,9 @@ const (
 	TagValueGroupScope                 string = "scope"
 	TagValueGroupSource                string = "source"
 	TagValueGroupDestination           string = "destination"
+	TagValueShareCreatedForInfra       string = "infra"
+	TagValueShareCreatedForProject     string = "project"
+	TagValueShareNotCreated            string = "notShared"
 	TagValueGroupAvi                   string = "avi"
 	TagValueSLB                        string = "SLB"
 	AnnotationVPCNetworkConfig         string = "nsx.vmware.com/vpc_network_config"
@@ -122,13 +125,14 @@ const (
 	RuleSuffixEgressDrop    = "egress-isolation"
 	RuleSuffixIngressReject = "ingress-reject"
 	RuleSuffixEgressReject  = "egress-reject"
+	DefaultProject          = "default"
 	SecurityPolicyPrefix    = "sp"
 	NetworkPolicyPrefix     = "np"
 	TargetGroupSuffix       = "scope"
 	SrcGroupSuffix          = "src"
 	DstGroupSuffix          = "dst"
 	IpSetGroupSuffix        = "ipset"
-	SharePrefix             = "share"
+	ShareSuffix             = "share"
 )
 
 var (