use port group in route policy

Signed-off-by: HuangWei <[email protected]>

pkg/controller/ovn_fip.go

@@ -4,8 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"strconv"
-
+	"github.com/kubeovn/kube-ovn/pkg/ovs"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -14,6 +13,7 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/klog/v2"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"strconv"
 
 	kubeovnv1 "github.com/kubeovn/kube-ovn/pkg/apis/kubeovn/v1"
 	"github.com/kubeovn/kube-ovn/pkg/ovsdb/ovnnb"
@@ -422,24 +422,11 @@ func (c *Controller) handleUpdateOvnFip(key string) error {
 		}
 		// ovn add fip
 		if vpcName == c.config.ClusterRouter {
-			// fix issue https://github.com/kubeovn/kube-ovn/issues/3502
-			// Where ovn fip is not work for default vpc
-			match := fmt.Sprintf("ip4.src == %s", internalV4Ip)
-			cm, err := c.configMapsLister.ConfigMaps(c.config.ExternalGatewayConfigNS).Get(util.ExternalGatewayConfig)
-			if err != nil {
-				klog.Errorf("failed to create config map %s, %v", util.ExternalGatewayConfig, err)
-				return err
-			}
-			externalGwAddr := cm.Data["external-gw-addr"]
-			if externalGwAddr == "" {
-				err = fmt.Errorf("external-gw-addr should not be empty in config map %s", util.ExternalGatewayConfig)
-				klog.Errorf("%v", err)
-				return err
-			}
+			// Default vpc
+			defaultVpcToDefaultExternalPortGroupName := ovs.VpcSubnetToPortGroupName(vpcName, c.config.ExternalGatewaySwitch)
 
-			if err = c.OVNNbClient.AddLogicalRouterPolicy(vpcName, util.DefaultVpcFipPolicyPriority, match,
-				ovnnb.LogicalRouterPolicyActionReroute, []string{externalGwAddr}, nil); err != nil {
-				klog.Errorf("failed to create LogicalRouterPolicy for fip: %s, %v", fip.Name, err)
+			if err := c.OVNNbClient.PortGroupAddPorts(defaultVpcToDefaultExternalPortGroupName, cachedFip.Spec.IPName); err != nil {
+				klog.Errorf("failed to add port %s to port group %s, %v", cachedFip.Spec.IPName, defaultVpcToDefaultExternalPortGroupName, err)
 				return err
 			}
 		}
@@ -480,9 +467,10 @@ func (c *Controller) handleDelOvnFip(key string) error {
 	// ovn delete fip nat
 	if cachedFip.Status.Vpc != "" && cachedFip.Status.V4Eip != "" && cachedFip.Status.V4Ip != "" {
 		if cachedFip.Status.Vpc == c.config.ClusterRouter {
-			match := fmt.Sprintf("ip4.src == %s", cachedFip.Status.V4Ip)
-			if err = c.OVNNbClient.DeleteLogicalRouterPolicy(cachedFip.Status.Vpc, util.DefaultVpcFipPolicyPriority, match); err != nil {
-				klog.Errorf("failed to delete LogicalRouterPolicy for fip: %s, %v", cachedFip.Name, err)
+			defaultVpcToDefaultExternalPortGroupName := ovs.VpcSubnetToPortGroupName(c.config.ClusterRouter, c.config.ExternalGatewaySwitch)
+			if err := c.OVNNbClient.PortGroupRemovePorts(defaultVpcToDefaultExternalPortGroupName, cachedFip.Spec.IPName); err != nil {
+				klog.Errorf("failed to remove port %s from port group %s, %v", cachedFip.Spec.IPName, defaultVpcToDefaultExternalPortGroupName, err)
+				return err
 			}
 		}
 		if err = c.OVNNbClient.DeleteNat(cachedFip.Status.Vpc, ovnnb.NATTypeDNATAndSNAT, cachedFip.Status.V4Eip, cachedFip.Status.V4Ip); err != nil {

pkg/controller/vpc.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"github.com/kubeovn/kube-ovn/pkg/ovs"
 	"net"
 	"reflect"
 	"slices"
@@ -418,6 +419,31 @@ func (c *Controller) handleAddOrUpdateVpc(key string) error {
 				}
 			}
 		}
+
+		defaultVpcToDefaultExternalPortGroupName := ovs.VpcSubnetToPortGroupName(vpc.Name, c.config.ExternalGatewaySwitch)
+		snatMatch := "ip4.src == $" + defaultVpcToDefaultExternalPortGroupName
+		if externalSubnetExist {
+			if err := c.OVNNbClient.CreatePortGroup(defaultVpcToDefaultExternalPortGroupName, nil); err != nil {
+				klog.Errorf("failed to create port group %s for vpc %s, %v", defaultVpcToDefaultExternalPortGroupName, vpc.Name, err)
+				return err
+			}
+			if policies, err := c.OVNNbClient.GetLogicalRouterPolicy(vpc.Name, util.DefaultVpcToExternalNetworkSnatPolicyPriority, snatMatch, true); err != nil {
+				klog.Errorf("failed to get snat policy route for vpc %s to external network, %v", vpc.Name, err)
+			} else if len(policies) == 0 {
+				if err := c.OVNNbClient.AddLogicalRouterPolicy(vpc.Name, util.DefaultVpcToExternalNetworkSnatPolicyPriority, snatMatch,
+					ovnnb.LogicalRouterPolicyActionReroute, []string{externalSubnet.Spec.Gateway}, nil); err != nil {
+					klog.Errorf("failed to add snat policy route for vpc %s to external network, %v", vpc.Name, err)
+				}
+			}
+		} else {
+			if err := c.OVNNbClient.DeleteLogicalRouterPolicy(vpc.Name, util.DefaultVpcToExternalNetworkSnatPolicyPriority, snatMatch); err != nil {
+				klog.Errorf("failed to delete snat policy route for vpc %s to external network, %v", vpc.Name, err)
+			}
+			if err := c.OVNNbClient.DeletePortGroup(defaultVpcToDefaultExternalPortGroupName); err != nil {
+				klog.Errorf("failed to delete port group %s for vpc %s, %v", defaultVpcToDefaultExternalPortGroupName, vpc.Name, err)
+				return err
+			}
+		}
 	}
 
 	routeNeedDel, routeNeedAdd, err := diffStaticRoute(staticExistedRoutes, staticTargetRoutes)

pkg/ovs/util.go

@@ -22,6 +22,12 @@ func PodNameToPortName(pod, namespace, provider string) string {
 	return fmt.Sprintf("%s.%s.%s", pod, namespace, provider)
 }
 
+func VpcSubnetToPortGroupName(vpc, subnet string) string {
+	portGroupName := fmt.Sprintf("%s.%s", vpc, subnet)
+	portGroupName = strings.ReplaceAll(portGroupName, "-", ".")
+	return portGroupName
+}
+
 func GetLocalnetName(subnet string) string {
 	return fmt.Sprintf("localnet.%s", subnet)
 }

pkg/util/const.go

@@ -199,13 +199,13 @@ const (
 	OvnFip      = "ovn"
 	IptablesFip = "iptables"
 
-	U2OSubnetPolicyPriority     = 29400
-	GatewayRouterPolicyPriority = 29000
-	OvnICPolicyPriority         = 29500
-	NodeRouterPolicyPriority    = 30000
-	NodeLocalDNSPolicyPriority  = 30100
-	DefaultVpcFipPolicyPriority = 30500
-	SubnetRouterPolicyPriority  = 31000
+	GatewayRouterPolicyPriority                   = 29000
+	DefaultVpcToExternalNetworkSnatPolicyPriority = 29200
+	U2OSubnetPolicyPriority                       = 29400
+	OvnICPolicyPriority                           = 29500
+	NodeRouterPolicyPriority                      = 30000
+	NodeLocalDNSPolicyPriority                    = 30100
+	SubnetRouterPolicyPriority                    = 31000
 
 	OffloadType  = "offload-port"
 	InternalType = "internal-port"