Export Policy Fix when VolConfig has no value

torirevilla · vivakeram · web-flow · commit 0abce91d127f · 2025-02-19T09:30:10.000-05:00
Ensure the correct export policy is used even when the volume config does not have a stored value.

Co-authored-by: vivakeram &lt;vivaker@netapp.com&gt;
diff --git a/storage_drivers/ontap/api/abstraction_rest.go b/storage_drivers/ontap/api/abstraction_rest.go
@@ -216,6 +216,7 @@ func (d OntapAPIREST) VolumeInfo(ctx context.Context, name string) (*Volume, err
 		"type", "size", "comment", "aggregates", "nas", "guarantee",
 		"snapshot_policy", "snapshot_directory_access_enabled",
 		"space.snapshot.used", "space.snapshot.reserve_percent",
+		"nas.export_policy.name",
 	}
 	volumeGetResponse, err := d.api.VolumeGetByName(ctx, name, fields)
 	if err != nil {
diff --git a/storage_drivers/ontap/ontap_common.go b/storage_drivers/ontap/ontap_common.go
@@ -4490,21 +4490,33 @@ func deleteAutomaticSnapshot(
 func removeExportPolicyRules(
 	ctx context.Context, exportPolicy string, publishInfo *tridentmodels.VolumePublishInfo, clientAPI api.OntapAPI,
 ) error {
+	fields := LogFields{
+		"Method":     "removeExportPolicyRules",
+		"policyName": exportPolicy,
+		"nodeIPs":    publishInfo.HostIP,
+	}
+
+	Logc(ctx).WithFields(fields).Debug(">>>> removeExportPolicyRules")
+	defer Logc(ctx).WithFields(fields).Debug("<<<< removeExportPolicyRules")
+
 	var removeRuleIndexes []int
 
 	nodeIPRules := make(map[string]struct{})
 	for _, ip := range publishInfo.HostIP {
+		ip = strings.TrimSpace(ip)
 		nodeIPRules[ip] = struct{}{}
 	}
+
 	// Get export policy rules from given policy
-	allExportRules, err := clientAPI.ExportRuleList(ctx, exportPolicy)
+	existingExportRules, err := clientAPI.ExportRuleList(ctx, exportPolicy)
 	if err != nil {
 		return err
 	}
+	Logc(ctx).WithField("existingExportRules", existingExportRules).Debug("Existing export policy rules.")
 
 	// Match list of rules to rule index based on clientMatch address
 	// ONTAP expects the rule index to delete
-	for clientMatch, ruleIndex := range allExportRules {
+	for clientMatch, ruleIndex := range existingExportRules {
 		// For the policy, match the node IP addresses to the clientMatch to remove the matched items.
 		// Example:
 		// trident_pvc_123 is attached to node1 and node2. The policy is being unpublished from node1.
@@ -4521,18 +4533,27 @@ func removeExportPolicyRules(
 		// index 1: "1.1.1.0, 1.1.1.1"
 		// index 2: "2.2.2.0, 2.2.2.2"
 		// For this example, index 1 will be removed.
+
+		// Add a ruleIndex for deletion only if ALL the IPs in the clientMatch are in the list of IPs we are trying
+		// to delete
+		allMatch := true
 		for _, singleClientMatch := range strings.Split(clientMatch, ",") {
-			if _, match := nodeIPRules[singleClientMatch]; match {
-				removeRuleIndexes = append(removeRuleIndexes, ruleIndex)
+			singleClientMatch = strings.TrimSpace(singleClientMatch)
+			if _, match := nodeIPRules[singleClientMatch]; !match {
+				allMatch = false
+				break
 			}
 		}
+		if allMatch {
+			removeRuleIndexes = append(removeRuleIndexes, ruleIndex)
+		}
 	}
 
 	// Attempt to remove node IP addresses from export policy rules
+	Logc(ctx).WithField("removeRuleIndexes", removeRuleIndexes).Debug("Rule indexes to remove.")
 	for _, ruleIndex := range removeRuleIndexes {
 		if err = clientAPI.ExportRuleDestroy(ctx, exportPolicy, ruleIndex); err != nil {
 			Logc(ctx).WithError(err).Error("Error deleting export policy rule.")
-			return err
 		}
 	}
 
diff --git a/storage_drivers/ontap/ontap_common_test.go b/storage_drivers/ontap/ontap_common_test.go
@@ -2569,7 +2569,7 @@ func TestEnsureNodeAccess(t *testing.T) {
 
 	assert.NoError(t, err)
 
-	// Test 2 - Test When policy doesn't exists
+	// Test 2 - Test When policy doesn't exist
 
 	mockAPI = mockapi.NewMockOntapAPI(mockCtrl)
 	mockRestClient := newMockRestClient(t)
@@ -2603,6 +2603,210 @@ func TestEnsureNodeAccess(t *testing.T) {
 	assert.Error(t, err)
 }
 
+func TestRemoveExportPolicyRules_Success(t *testing.T) {
+	ctx := context.TODO()
+	mockAPI := newMockOntapAPI(t)
+	exportPolicy := "testPolicy"
+	publishInfo := &tridentmodels.VolumePublishInfo{HostIP: []string{"1.1.1.1", "1.1.1.2"}}
+
+	mockAPI.EXPECT().ExportRuleList(ctx, exportPolicy).Return(map[string]int{"1.1.1.1": 1, "1.1.1.2": 2}, nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, 1).Return(nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, 2).Return(nil)
+
+	err := removeExportPolicyRules(ctx, exportPolicy, publishInfo, mockAPI)
+	assert.NoError(t, err)
+}
+
+func TestRemoveExportPolicyRules_ErrorInList(t *testing.T) {
+	ctx := context.TODO()
+	mockAPI := newMockOntapAPI(t)
+	exportPolicy := "testPolicy"
+	publishInfo := &tridentmodels.VolumePublishInfo{HostIP: []string{"1.1.1.1"}}
+	fakeErr := errors.New("fake error")
+
+	mockAPI.EXPECT().ExportRuleList(ctx, exportPolicy).Return(nil, fakeErr)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, gomock.Any()).Times(0)
+
+	err := removeExportPolicyRules(ctx, exportPolicy, publishInfo, mockAPI)
+	assert.Error(t, err)
+	assert.Equal(t, fakeErr, err)
+}
+
+func TestRemoveExportPolicyRules_ErrorInFirstDestroy(t *testing.T) {
+	ctx := context.TODO()
+	mockAPI := newMockOntapAPI(t)
+	exportPolicy := "testPolicy"
+	publishInfo := &tridentmodels.VolumePublishInfo{HostIP: []string{"1.1.1.1", "2.2.2.2"}}
+	fakeErr := errors.New("fake destroy error")
+
+	mockAPI.EXPECT().ExportRuleList(ctx, exportPolicy).Return(map[string]int{"1.1.1.1": 1, "2.2.2.2": 2}, nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, 1).Return(fakeErr)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, 2).Return(nil)
+
+	err := removeExportPolicyRules(ctx, exportPolicy, publishInfo, mockAPI)
+	assert.NoError(t, err)
+}
+
+func TestRemoveExportPolicyRules_NoMatchingRules(t *testing.T) {
+	ctx := context.TODO()
+	mockAPI := newMockOntapAPI(t)
+	exportPolicy := "testPolicy"
+	publishInfo := &tridentmodels.VolumePublishInfo{HostIP: []string{"1.1.1.1"}}
+
+	mockAPI.EXPECT().ExportRuleList(ctx, exportPolicy).Return(map[string]int{"2.2.2.2": 1}, nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, gomock.Any()).Times(0)
+
+	err := removeExportPolicyRules(ctx, exportPolicy, publishInfo, mockAPI)
+	assert.NoError(t, err)
+}
+
+func TestRemoveExportPolicyRules_AllIPsMatchInZapiRule(t *testing.T) {
+	ctx := context.TODO()
+	mockAPI := newMockOntapAPI(t)
+	exportPolicy := "testPolicy"
+	publishInfo := &tridentmodels.VolumePublishInfo{HostIP: []string{"1.1.1.2", "1.1.1.1"}}
+
+	mockAPI.EXPECT().ExportRuleList(ctx, exportPolicy).Return(map[string]int{"1.1.1.1, 1.1.1.2": 1}, nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, 1).Return(nil)
+
+	err := removeExportPolicyRules(ctx, exportPolicy, publishInfo, mockAPI)
+	assert.NoError(t, err)
+}
+
+func TestRemoveExportPolicyRules_DuplicateIPsMatchInZapiRule(t *testing.T) {
+	ctx := context.TODO()
+	mockAPI := newMockOntapAPI(t)
+	exportPolicy := "testPolicy"
+	publishInfo := &tridentmodels.VolumePublishInfo{HostIP: []string{"1.1.1.1", "1.1.1.2"}}
+
+	mockAPI.EXPECT().ExportRuleList(ctx, exportPolicy).
+		Return(map[string]int{"1.1.1.1, 1.1.1.2": 1, "1.1.1.2, 1.1.1.1": 2}, nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, 1).Return(nil).Times(1)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, 2).Return(nil).Times(1)
+
+	err := removeExportPolicyRules(ctx, exportPolicy, publishInfo, mockAPI)
+	assert.NoError(t, err)
+}
+
+func TestRemoveExportPolicyRules_OneIPMatchInZapiRule(t *testing.T) {
+	ctx := context.TODO()
+	mockAPI := newMockOntapAPI(t)
+	exportPolicy := "testPolicy"
+	publishInfo := &tridentmodels.VolumePublishInfo{HostIP: []string{"1.1.1.2"}}
+
+	mockAPI.EXPECT().ExportRuleList(ctx, exportPolicy).Return(map[string]int{"1.1.1.1, 1.1.1.2": 1}, nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, gomock.Any()).Times(0)
+
+	err := removeExportPolicyRules(ctx, exportPolicy, publishInfo, mockAPI)
+	assert.NoError(t, err)
+}
+
+func TestRemoveExportPolicyRules_NoIPMatchInZapiRule(t *testing.T) {
+	ctx := context.TODO()
+	mockAPI := newMockOntapAPI(t)
+	exportPolicy := "testPolicy"
+	publishInfo := &tridentmodels.VolumePublishInfo{HostIP: []string{"2.2.2.2", "2.2.2.3"}}
+
+	mockAPI.EXPECT().ExportRuleList(ctx, exportPolicy).Return(map[string]int{"1.1.1.1, 1.1.1.2": 1}, nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, gomock.Any()).Times(0)
+
+	err := removeExportPolicyRules(ctx, exportPolicy, publishInfo, mockAPI)
+	assert.NoError(t, err)
+}
+
+func TestRemoveExportPolicyRules_EmptyHostIPList(t *testing.T) {
+	ctx := context.TODO()
+	mockAPI := newMockOntapAPI(t)
+	exportPolicy := "testPolicy"
+	publishInfo := &tridentmodels.VolumePublishInfo{HostIP: []string{}}
+
+	mockAPI.EXPECT().ExportRuleList(ctx, exportPolicy).Return(map[string]int{"1.1.1.1": 1}, nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, gomock.Any()).Times(0)
+
+	err := removeExportPolicyRules(ctx, exportPolicy, publishInfo, mockAPI)
+	assert.NoError(t, err)
+}
+
+func TestRemoveExportPolicyRules_EmptyExportRuleList(t *testing.T) {
+	ctx := context.TODO()
+	mockAPI := newMockOntapAPI(t)
+	exportPolicy := "testPolicy"
+	publishInfo := &tridentmodels.VolumePublishInfo{HostIP: []string{"1.1.1.1"}}
+
+	mockAPI.EXPECT().ExportRuleList(ctx, exportPolicy).Return(map[string]int{}, nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, gomock.Any()).Times(0)
+
+	err := removeExportPolicyRules(ctx, exportPolicy, publishInfo, mockAPI)
+	assert.NoError(t, err)
+}
+
+func TestRemoveExportPolicyRules_InvalidIPFormat(t *testing.T) {
+	ctx := context.TODO()
+	mockAPI := newMockOntapAPI(t)
+	exportPolicy := "testPolicy"
+	publishInfo := &tridentmodels.VolumePublishInfo{HostIP: []string{"invalidIP"}}
+
+	mockAPI.EXPECT().ExportRuleList(ctx, exportPolicy).Return(map[string]int{"1.1.1.1": 1}, nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, gomock.Any()).Times(0)
+
+	err := removeExportPolicyRules(ctx, exportPolicy, publishInfo, mockAPI)
+	assert.NoError(t, err)
+}
+
+func TestRemoveExportPolicyRules_MixedValidAndInvalidIPs(t *testing.T) {
+	ctx := context.TODO()
+	mockAPI := newMockOntapAPI(t)
+	exportPolicy := "testPolicy"
+	publishInfo := &tridentmodels.VolumePublishInfo{HostIP: []string{"1.1.1.1", "invalidIP"}}
+
+	mockAPI.EXPECT().ExportRuleList(ctx, exportPolicy).Return(map[string]int{"1.1.1.1": 1}, nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, 1).Return(nil)
+
+	err := removeExportPolicyRules(ctx, exportPolicy, publishInfo, mockAPI)
+	assert.NoError(t, err)
+}
+
+func TestRemoveExportPolicyRules_IPsWithSpaces(t *testing.T) {
+	ctx := context.TODO()
+	mockAPI := newMockOntapAPI(t)
+	exportPolicy := "testPolicy"
+	publishInfo := &tridentmodels.VolumePublishInfo{HostIP: []string{" 1.1.1.1 ", " 1.1.1.2 "}}
+
+	mockAPI.EXPECT().ExportRuleList(ctx, exportPolicy).Return(map[string]int{"1.1.1.1": 1, "1.1.1.2": 2}, nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, 1).Return(nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, 2).Return(nil)
+
+	err := removeExportPolicyRules(ctx, exportPolicy, publishInfo, mockAPI)
+	assert.NoError(t, err)
+}
+
+func TestRemoveExportPolicyRules_IPsWithMixedFormats(t *testing.T) {
+	ctx := context.TODO()
+	mockAPI := newMockOntapAPI(t)
+	exportPolicy := "testPolicy"
+	publishInfo := &tridentmodels.VolumePublishInfo{HostIP: []string{"1.1.1.1", "2001:db8::1"}}
+
+	mockAPI.EXPECT().ExportRuleList(ctx, exportPolicy).Return(map[string]int{"1.1.1.1": 1, "2001:db8::1": 2}, nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, 1).Return(nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, 2).Return(nil)
+
+	err := removeExportPolicyRules(ctx, exportPolicy, publishInfo, mockAPI)
+	assert.NoError(t, err)
+}
+
+func TestRemoveExportPolicyRules_IPsMatchInMixedFormats(t *testing.T) {
+	ctx := context.TODO()
+	mockAPI := newMockOntapAPI(t)
+	exportPolicy := "testPolicy"
+	publishInfo := &tridentmodels.VolumePublishInfo{HostIP: []string{"1.1.1.1"}}
+
+	mockAPI.EXPECT().ExportRuleList(ctx, exportPolicy).Return(map[string]int{"::ffff:1.1.1.1": 1}, nil)
+	mockAPI.EXPECT().ExportRuleDestroy(ctx, exportPolicy, gomock.Any()).Times(0)
+
+	err := removeExportPolicyRules(ctx, exportPolicy, publishInfo, mockAPI)
+	assert.NoError(t, err)
+}
+
 func TestDeleteExportPolicy(t *testing.T) {
 	// Test-1: Positive flow
 
diff --git a/storage_drivers/ontap/ontap_nas.go b/storage_drivers/ontap/ontap_nas.go
@@ -826,16 +826,21 @@ func (d *NASStorageDriver) Unpublish(
 		return nil
 	}
 
-	exists, err := d.API.VolumeExists(ctx, volConfig.InternalName)
+	volume, err := d.API.VolumeInfo(ctx, volConfig.InternalName)
 	if err != nil {
 		Logc(ctx).WithError(err).Error("Error checking for existing volume.")
 		return err
 	}
-	if !exists {
+	if volume == nil {
 		Logc(ctx).WithField("volume", volConfig.InternalName).Debug("Volume not found.")
 		return errors.NotFoundError("volume not found")
 	}
 
+	// Trident versions <23.04 may not have the exportPolicy field set in the volume config,
+	// if this is the case we need to use the export policy from the volume info from ONTAP.
+	if volConfig.ExportPolicy == "" {
+		volConfig.ExportPolicy = volume.ExportPolicy
+	}
 	exportPolicy := volConfig.ExportPolicy
 	if exportPolicy == volExportPolicyName {
 		// Remove export policy rules matching the node IP address from the volume level policy
@@ -864,8 +869,8 @@ func (d *NASStorageDriver) Unpublish(
 			}
 		}
 
-	} else if exportPolicy == getExportPolicyName(publishInfo.BackendUUID) {
-		// volume using backend-based export policy.
+	} else {
+		// Volume is using a backend-based policy or migrating to using autoExportPolicies.
 		if len(publishInfo.Nodes) == 0 {
 			if err = d.setVolToEmptyPolicy(ctx, volConfig.InternalName); err != nil {
 				return err
@@ -929,11 +934,34 @@ func (d *NASStorageDriver) publishFlexVolShare(
 	}
 
 	// Ensure the flexVol has the correct export policy and rules applied.
+	backendPolicyName := getExportPolicyName(publishInfo.BackendUUID)
+	flexVolPolicyName := flexvol
+	// Trident versions <23.04 may not have the exportPolicy field set in the volume config,
+	// if this is the case we need to use the export policy from the volume info from ONTAP.
+	if volConfig.ExportPolicy != backendPolicyName && volConfig.ExportPolicy != flexvol &&
+		volConfig.ExportPolicy != getEmptyExportPolicyName(*d.Config.StoragePrefix) {
+		volume, err := d.API.VolumeInfo(ctx, flexvol)
+		if err != nil {
+			return err
+		}
+		if volume == nil {
+			return errors.NotFoundError("volume not found")
+		}
+		volConfig.ExportPolicy = volume.ExportPolicy
+	}
+
 	// If the flexVol already have backend policy, leave it as it is. We will have an opportunity to migrate it
 	// to flexVol policy during unpublish.
-	flexVolPolicyName := flexvol
-	if volConfig.ExportPolicy == getExportPolicyName(publishInfo.BackendUUID) {
-		flexVolPolicyName = volConfig.ExportPolicy
+	switch volConfig.ExportPolicy {
+	case getEmptyExportPolicyName(*d.Config.StoragePrefix), flexvol:
+		flexVolPolicyName = flexvol
+	case backendPolicyName:
+		flexVolPolicyName = backendPolicyName
+	default:
+		// This can happen if the customer switched from autoExportPolicy=false to true and the volume is still using
+		// default or user supplied export policy.
+		Logc(ctx).Debugf("Export policy %s is not managed by Trident.", volConfig.ExportPolicy)
+		return nil
 	}
 
 	volConfig.ExportPolicy = flexVolPolicyName
diff --git a/storage_drivers/ontap/ontap_nas_qtree.go b/storage_drivers/ontap/ontap_nas_qtree.go
@@ -866,8 +866,8 @@ func (d *NASQtreeStorageDriver) Unpublish(
 			}
 		}
 
-	} else if exportPolicy == getExportPolicyName(publishInfo.BackendUUID) {
-		// Qtree using backend-based export policy.
+	} else {
+		// Qtree is using a backend-based policy or migrating to using autoExportPolicies.
 		if len(publishInfo.Nodes) == 0 {
 			if err = d.setQtreeToEmptyPolicy(ctx, qtreeName, qtree.Volume); err != nil {
 				return err
diff --git a/storage_drivers/ontap/ontap_nas_qtree_test.go b/storage_drivers/ontap/ontap_nas_qtree_test.go
diff --git a/storage_drivers/ontap/ontap_nas_test.go b/storage_drivers/ontap/ontap_nas_test.go

Original file line number	Diff line number	Diff line change
`@@ -216,6 +216,7 @@ func (d OntapAPIREST) VolumeInfo(ctx context.Context, name string) (*Volume, err`
`216`	`216`	`"type", "size", "comment", "aggregates", "nas", "guarantee",`
`217`	`217`	`"snapshot_policy", "snapshot_directory_access_enabled",`
`218`	`218`	`"space.snapshot.used", "space.snapshot.reserve_percent",`
	`219`	`+ "nas.export_policy.name",`
`219`	`220`	`}`
`220`	`221`	`volumeGetResponse, err := d.api.VolumeGetByName(ctx, name, fields)`
`221`	`222`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -866,8 +866,8 @@ func (d *NASQtreeStorageDriver) Unpublish(`
`866`	`866`	`}`
`867`	`867`	`}`
`868`	`868`
`869`		`- } else if exportPolicy == getExportPolicyName(publishInfo.BackendUUID) {`
`870`		`- // Qtree using backend-based export policy.`
	`869`	`+ } else {`
	`870`	`+ // Qtree is using a backend-based policy or migrating to using autoExportPolicies.`
`871`	`871`	`if len(publishInfo.Nodes) == 0 {`
`872`	`872`	`if err = d.setQtreeToEmptyPolicy(ctx, qtreeName, qtree.Volume); err != nil {`
`873`	`873`	`return err`