Support NSX default project for SecurityPolicy
Starting from VPC 2.0, it's not allowed to create objects under the /orgs/default/projects/default/infra path.
So for NetworkPolicy/SecurityPolicy with namespaceSelector, in order to create Groups under Default Project,
it's needed to create them under /infra/domains/default/groups/<>.
As for Groups under non default Project, it's still allowed to create them
under /orgs/default/projects/<custom project>/infra/domains/default/groups.

This patch is to:
1. Support NetworkPolicy/SecurityPolicy creation under Default Project.
2. Refactor VPC SecurityPolicy HA API call process for both creation and deletion.
3. Refactor VPC SecurityPolicy store apply process after creation and deletion.
timdengyun committed Sep 9, 2024
1 parent 58e302e commit dddc42e
Showing 12 changed files with 780 additions and 505 deletions.
2 changes: 1 addition & 1 deletion pkg/controllers/networkpolicy/networkpolicy_controller.go
Expand Up @@ -167,7 +167,7 @@ func (r *NetworkPolicyReconciler) CollectGarbage(ctx context.Context) {
for elem := range diffSet {
log.V(1).Info("GC collected NetworkPolicy", "ID", elem)
metrics.CounterInc(r.Service.NSXConfig, metrics.ControllerDeleteTotal, MetricResType)
err = r.Service.DeleteSecurityPolicy(types.UID(elem), false, servicecommon.ResourceTypeNetworkPolicy)
err = r.Service.DeleteSecurityPolicy(types.UID(elem), true, servicecommon.ResourceTypeNetworkPolicy)
if err != nil {
metrics.CounterInc(r.Service.NSXConfig, metrics.ControllerDeleteFailTotal, MetricResType)
} else {
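Review bot: The second argument on the new DeleteSecurityPolicy line is a bare `true`, so a reader of the GC loop cannot tell what the flag selects without opening the service; the test file in this commit names that parameter isVPCCleanupOrGC, so a trailing comment at the call site, `// isVPCCleanupOrGC: garbage-collection path`, or a named constant, would make the intent visible. The same bare literal is introduced in the GC loop of securitypolicy_controller.go in this commit. What the flag changes inside the service is not visible from this hunk, and CollectGarbage starts and ends outside it.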
6 changes: 4 additions & 2 deletions pkg/controllers/securitypolicy/securitypolicy_controller.go
Expand Up @@ -149,6 +149,7 @@ func (r *SecurityPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
return ResultNormal, nil
}

log.Info("reconciling CR to create or update securitypolicy", "securitypolicy", req.NamespacedName)
if err := r.Service.CreateOrUpdateSecurityPolicy(realObj); err != nil {
if errors.As(err, &nsxutil.RestrictionError{}) {
log.Error(err, err.Error(), "securitypolicy", req.NamespacedName)
Expand Down Expand Up @@ -181,6 +182,7 @@ func (r *SecurityPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
}
updateSuccess(r, ctx, realObj)
} else {
log.Info("reconciling CR to delete securitypolicy", "securitypolicy", req.NamespacedName)
if controllerutil.ContainsFinalizer(obj, finalizerName) {
metrics.CounterInc(r.Service.NSXConfig, metrics.ControllerDeleteTotal, MetricResType)
if err := r.Service.DeleteSecurityPolicy(realObj.UID, false, servicecommon.ResourceTypeSecurityPolicy); err != nil {
Expand Down Expand Up @@ -357,9 +359,9 @@ func (r *SecurityPolicyReconciler) CollectGarbage(ctx context.Context) {

diffSet := nsxPolicySet.Difference(CRPolicySet)
for elem := range diffSet {
log.V(1).Info("GC collected SecurityPolicy CR", "UID", elem)
log.V(1).Info("GC collected SecurityPolicy CR", "securityPolicyUID", elem)
metrics.CounterInc(r.Service.NSXConfig, metrics.ControllerDeleteTotal, MetricResType)
err = r.Service.DeleteSecurityPolicy(types.UID(elem), false, servicecommon.ResourceTypeSecurityPolicy)
err = r.Service.DeleteSecurityPolicy(types.UID(elem), true, servicecommon.ResourceTypeSecurityPolicy)
if err != nil {
metrics.CounterInc(r.Service.NSXConfig, metrics.ControllerDeleteFailTotal, MetricResType)
} else {
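Review bot: The structured-log keys in this file are now inconsistent: the two added log.Info lines use `"securitypolicy"` for a NamespacedName, the GC line in the third hunk switches its key to `"securityPolicyUID"`, and the sibling NetworkPolicy GC touched by this commit logs the same kind of value under `"ID"`. One key per value kind across both controllers, e.g. `"securityPolicy"` for the name and `"securityPolicyUID"` for the UID, keeps log queries and alert rules from having to match several spellings. Reconcile and CollectGarbage both start and end outside the hunks shown.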
10 changes: 5 additions & 5 deletions pkg/controllers/securitypolicy/securitypolicy_controller_test.go
Expand Up @@ -231,7 +231,7 @@ func TestSecurityPolicyReconciler_Reconcile(t *testing.T) {
v1sp.ObjectMeta.DeletionTimestamp = &time
return nil
})
patch := gomonkey.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVpcCleanup bool) error {
patch := gomonkey.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVPCCleanupOrGC bool) error {
assert.FailNow(t, "should not be called")
return nil
})
Expand All @@ -247,7 +247,7 @@ func TestSecurityPolicyReconciler_Reconcile(t *testing.T) {
v1sp.Finalizers = []string{common.T1SecurityPolicyFinalizerName}
return nil
})
patch = gomonkey.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVpcCleanup bool) error {
patch = gomonkey.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVPCCleanupOrGC bool) error {
return nil
})
k8sClient.EXPECT().Update(ctx, gomock.Any(), gomock.Any()).Return(nil)
Expand Down Expand Up @@ -276,7 +276,7 @@ func TestSecurityPolicyReconciler_GarbageCollector(t *testing.T) {
a.Insert("2345")
return a
})
patch.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVpcCleanup bool) error {
patch.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVPCCleanupOrGC bool) error {
return nil
})
defer patch.Reset()
Expand Down Expand Up @@ -306,7 +306,7 @@ func TestSecurityPolicyReconciler_GarbageCollector(t *testing.T) {
a.Insert("1234")
return a
})
patch.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVpcCleanup bool) error {
patch.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVPCCleanupOrGC bool) error {
assert.FailNow(t, "should not be called")
return nil
})
Expand All @@ -325,7 +325,7 @@ func TestSecurityPolicyReconciler_GarbageCollector(t *testing.T) {
a := sets.New[string]()
return a
})
patch.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVpcCleanup bool) error {
patch.ApplyMethod(reflect.TypeOf(service), "DeleteSecurityPolicy", func(_ *securitypolicy.SecurityPolicyService, UID interface{}, isVPCCleanupOrGC bool) error {
assert.FailNow(t, "should not be called")
return nil
})
8 changes: 6 additions & 2 deletions pkg/nsx/services/common/types.go
Expand Up @@ -48,7 +48,7 @@ const (
TagScopeNSXServiceAccountCRName string = "nsx-op/nsx_service_account_name"
TagScopeNSXServiceAccountCRUID string = "nsx-op/nsx_service_account_uid"
TagScopeNSXProjectID string = "nsx-op/nsx_project_id"
TagScopeProjectGroupShared string = "nsx-op/is_nsx_project_shared"
TagScopeNSXShareCreatedFor string = "nsx-op/nsx_share_created_for"
TagScopeSubnetPortCRName string = "nsx-op/subnetport_name"
TagScopeSubnetPortCRUID string = "nsx-op/subnetport_uid"
TagScopeIPPoolCRName string = "nsx-op/ippool_name"
Expand Down Expand Up @@ -77,6 +77,9 @@ const (
TagValueGroupScope string = "scope"
TagValueGroupSource string = "source"
TagValueGroupDestination string = "destination"
TagValueShareCreatedForInfra string = "infra"
TagValueShareCreatedForProject string = "project"
TagValueShareNotCreated string = "notShared"
TagValueGroupAvi string = "avi"
TagValueSLB string = "SLB"
AnnotationVPCNetworkConfig string = "nsx.vmware.com/vpc_network_config"
Expand Down Expand Up @@ -122,13 +125,14 @@ const (
RuleSuffixEgressDrop = "egress-isolation"
RuleSuffixIngressReject = "ingress-reject"
RuleSuffixEgressReject = "egress-reject"
DefaultProject = "default"
SecurityPolicyPrefix = "sp"
NetworkPolicyPrefix = "np"
TargetGroupSuffix = "scope"
SrcGroupSuffix = "src"
DstGroupSuffix = "dst"
IpSetGroupSuffix = "ipset"
SharePrefix = "share"
ShareSuffix = "share"
)

var (
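Review bot: The new exported constants TagScopeNSXShareCreatedFor, TagValueShareCreatedForInfra, TagValueShareCreatedForProject, TagValueShareNotCreated and DefaultProject carry no doc comments, so the relationship the commit message describes (Groups for the default project living under /infra rather than under the project path) is only recoverable from the commit history. A one-line comment on the scope constant, `// TagScopeNSXShareCreatedFor tags a Group with where its NSX Share was created; values are TagValueShareCreatedForInfra, TagValueShareCreatedForProject or TagValueShareNotCreated.`, would carry that into the code; the exact tagging rule should be confirmed against the service code, which is not in this hunk. `"notShared"` is also the only mixed-case value in the TagValue block, whose siblings are lowercase single words; if no NSX object already carries the tag, a lowercase value would match the convention, and if some do, the spelling is now part of the compatibility surface and worth a comment saying so.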
