Export policy fix NAS-Economy

Ensure the correct export policy is used even when the volume config does not have a stored value.

Author: torirevilla

storage_drivers/ontap/api/ontap_rest.go

@@ -4755,7 +4755,7 @@ func (c RestClient) QtreeGet(ctx context.Context, name, volumePrefix string) (*m
 	params.SetSvmUUID(convert.ToPtr(c.svmUUID))
 	params.SetName(convert.ToPtr(name))          // qtree name
 	params.SetVolumeName(convert.ToPtr(pattern)) // Flexvol name prefix
-	fields := []string{""}
+	fields := []string{"export_policy.name"}
 	params.SetFields(fields)
 
 	result, err := c.api.Storage.QtreeCollectionGet(params, c.authInfo)

storage_drivers/ontap/ontap_nas_qtree.go

@@ -718,11 +718,34 @@ func (d *NASQtreeStorageDriver) publishQtreeShare(
 	}
 
 	// Ensure the qtree has the correct export policy and rules applied.
+	backendPolicyName := getExportPolicyName(publishInfo.BackendUUID)
+	qtreePolicyName := qtree
+	// Trident versions <23.04 may not have the exportPolicy field set in the volume config,
+	// if this is the case we need to use the export policy from the qtree info from ONTAP.
+	if volConfig.ExportPolicy != backendPolicyName && volConfig.ExportPolicy != qtreePolicyName &&
+		volConfig.ExportPolicy != getEmptyExportPolicyName(*d.Config.StoragePrefix) {
+		backendQtree, err := d.API.QtreeGetByName(ctx, qtree, flexvol)
+		if err != nil {
+			return err
+		}
+		if backendQtree == nil {
+			return errors.NotFoundError(fmt.Sprintf("qtree %s not found", qtree))
+		}
+		volConfig.ExportPolicy = backendQtree.ExportPolicy
+	}
+
 	// If the qtree already have backend policy, leave it as it is. We will have an opportunity to migrate it
 	// to qtree policy during unpublish.
-	qtreePolicyName := qtree
-	if volConfig.ExportPolicy == getExportPolicyName(publishInfo.BackendUUID) {
-		qtreePolicyName = volConfig.ExportPolicy
+	switch volConfig.ExportPolicy {
+	case getEmptyExportPolicyName(*d.Config.StoragePrefix), qtree:
+		qtreePolicyName = qtree
+	case backendPolicyName:
+		qtreePolicyName = backendPolicyName
+	default:
+		// This can happen if the customer switched from autoExportPolicy=false to true and the volume is still using
+		// default or user supplied export policy.
+		Logc(ctx).Debugf("Export policy %s is not managed by Trident.", volConfig.ExportPolicy)
+		return nil
 	}
 
 	volConfig.ExportPolicy = qtreePolicyName
@@ -743,8 +766,6 @@ func (d *NASQtreeStorageDriver) publishQtreeShare(
 	}
 
 	// Ensure the parent flex-vol has the correct export policy and rules applied
-	backendPolicyName := getExportPolicyName(publishInfo.BackendUUID)
-
 	if err := ensureNodeAccessForPolicy(ctx, targetNode, d.API, &d.Config, backendPolicyName); err != nil {
 		return err
 	}
@@ -796,17 +817,20 @@ func (d *NASQtreeStorageDriver) Unpublish(
 		Logc(ctx).WithError(err).Error("Error getting volume pattern.")
 		return err
 	}
-	exists, flexvol, err := d.API.QtreeExists(ctx, qtreeName, volumePattern)
+	qtree, err := d.API.QtreeGetByName(ctx, qtreeName, volumePattern)
 	if err != nil {
 		Logc(ctx).WithError(err).Error("Error checking for existing qtree.")
 		return err
 	}
-	if !exists {
+	if qtree == nil {
 		Logc(ctx).WithField("qtree", qtreeName).Debug("Qtree not found.")
 		return errors.NotFoundError("qtree not found")
 	}
 
 	exportPolicy := volConfig.ExportPolicy
+	if exportPolicy == "" {
+		exportPolicy = qtree.ExportPolicy
+	}
 	if exportPolicy == qtreeName {
 		// Remove export policy rules matching the node IP address from qtree level policy
 		if err = removeExportPolicyRules(ctx, exportPolicy, publishInfo, d.API); err != nil {
@@ -822,7 +846,7 @@ func (d *NASQtreeStorageDriver) Unpublish(
 		}
 		if len(allExportRules) == 0 {
 			// Set qtree to the empty policy
-			if err = d.setQtreeToEmptyPolicy(ctx, qtreeName, flexvol); err != nil {
+			if err = d.setQtreeToEmptyPolicy(ctx, qtreeName, qtree.Volume); err != nil {
 				return err
 			}
 
@@ -837,7 +861,7 @@ func (d *NASQtreeStorageDriver) Unpublish(
 	} else if exportPolicy == getExportPolicyName(publishInfo.BackendUUID) {
 		// Qtree using backend-based export policy.
 		if len(publishInfo.Nodes) == 0 {
-			if err = d.setQtreeToEmptyPolicy(ctx, qtreeName, flexvol); err != nil {
+			if err = d.setQtreeToEmptyPolicy(ctx, qtreeName, qtree.Volume); err != nil {
 				return err
 			}
 			volConfig.ExportPolicy = getEmptyExportPolicyName(*d.Config.StoragePrefix)

storage_drivers/ontap/ontap_nas_qtree_test.go

@@ -1164,6 +1164,75 @@ func TestPublish_WithErrorInApiOperation(t *testing.T) {
 	assert.Error(t, result2, "Expected error when qtree does not exist, got nil")
 }
 
+func TestPublishQtreeShare_WithDefaultPolicy_Success(t *testing.T) {
+	qtreeName := "testQtree"
+	flexVolName := "testFlexVol"
+	nodeIP := "1.1.1.1"
+	defaultPolicy := "default"
+
+	nodes := make([]*models.Node, 0)
+	nodes = append(nodes, &models.Node{Name: "node1", IPs: []string{nodeIP}})
+
+	publishInfo := models.VolumePublishInfo{
+		BackendUUID: BackendUUID,
+		Unmanaged:   false,
+		Nodes:       nodes,
+		HostName:    "node1",
+	}
+
+	// Create mock driver and api
+	mockAPI, driver := newMockOntapNasQtreeDriver(t)
+	mockAPI.EXPECT().QtreeGetByName(ctx, qtreeName, flexVolName).Return(
+		&api.Qtree{ExportPolicy: defaultPolicy, Volume: flexVolName}, nil)
+
+	// This handles the case where the customer originally created a backend with autoExportPolicy set to false and
+	// mounted a volume and then later changed autoExportPolicy to true
+	volConfig := &storage.VolumeConfig{ExportPolicy: defaultPolicy}
+	driver.Config.AutoExportPolicy = true
+
+	result := driver.publishQtreeShare(ctx, qtreeName, flexVolName, volConfig, &publishInfo)
+
+	assert.NoError(t, result, "Expected no error in publishQtreeShare, got error")
+}
+
+func TestPublishQtreeShare_LegacyVolumeWithEmptyPolicyInConfig_Success(t *testing.T) {
+	qtreeName := "testQtree"
+	flexVolName := "testFlexVol"
+	nodeIP := "1.1.1.1"
+	backendPolicy := getExportPolicyName(BackendUUID)
+
+	nodes := make([]*models.Node, 0)
+	nodes = append(nodes, &models.Node{Name: "node1", IPs: []string{nodeIP}})
+
+	publishInfo := models.VolumePublishInfo{
+		BackendUUID: BackendUUID,
+		Unmanaged:   false,
+		Nodes:       nodes,
+		HostName:    "node1",
+	}
+
+	// Create mock driver and api
+	mockAPI, driver := newMockOntapNasQtreeDriver(t)
+	mockAPI.EXPECT().QtreeGetByName(ctx, qtreeName, flexVolName).Return(
+		&api.Qtree{ExportPolicy: backendPolicy, Volume: flexVolName}, nil)
+	mockAPI.EXPECT().ExportPolicyExists(ctx, gomock.Any()).AnyTimes().Return(true, nil)
+	// Return node ip rules when asked for them
+	mockAPI.EXPECT().ExportRuleList(gomock.Any(), backendPolicy).Return(map[string]int{"1.1.1.1": 1}, nil)
+	mockAPI.EXPECT().ExportRuleList(gomock.Any(), backendPolicy).Return(map[string]int{"1.1.1.1": 1}, nil)
+	mockAPI.EXPECT().QtreeModifyExportPolicy(ctx, qtreeName, flexVolName, backendPolicy).AnyTimes().Return(nil)
+	mockAPI.EXPECT().VolumeModifyExportPolicy(ctx, flexVolName, backendPolicy).AnyTimes().Return(nil)
+
+	// This handles the case where the customer originally created and mounted a volume in trident version <=23.01
+	// and then later upgraded to 24.10. This would have the volConfig.ExportPolicy = "".
+	driver.Config.AutoExportPolicy = true
+	driver.Config.AutoExportCIDRs = []string{"0.0.0.0/0"}
+	volConfig := &storage.VolumeConfig{ExportPolicy: ""}
+
+	result := driver.publishQtreeShare(ctx, qtreeName, flexVolName, volConfig, &publishInfo)
+
+	assert.NoError(t, result, "Expected no error in publishQtreeShare, got error")
+}
+
 func TestPublishQtreeShare_WithEmptyPolicy_Success(t *testing.T) {
 	qtreeName := "testQtree"
 	flexVolName := "testFlexVol"
@@ -1180,7 +1249,7 @@ func TestPublishQtreeShare_WithEmptyPolicy_Success(t *testing.T) {
 		HostName:    "node1",
 	}
 
-	volConfig := &storage.VolumeConfig{ExportPolicy: "trident_empty"}
+	volConfig := &storage.VolumeConfig{ExportPolicy: getEmptyExportPolicyName("trident")}
 
 	// Create mock driver and api
 	mockAPI, driver := newMockOntapNasQtreeDriver(t)
@@ -1296,7 +1365,7 @@ func TestPublishQtreeShare_WithErrorInApiOperation(t *testing.T) {
 		HostName:    "node1",
 	}
 
-	volConfig := &storage.VolumeConfig{ExportPolicy: "trident_empty"}
+	volConfig := &storage.VolumeConfig{ExportPolicy: getEmptyExportPolicyName("trident")}
 
 	// CASE 1: Error in checking if export policy exists
 	mockAPI, driver := newMockOntapNasQtreeDriver(t)
@@ -5871,7 +5940,8 @@ func TestOntapNasEcoUnpublish(t *testing.T) {
 			name: "qtreeWithOneMount",
 			args: args{publishEnforcement: false, autoExportPolicy: true},
 			mocks: func(mockAPI *mockapi.MockOntapAPI, qtreeName, flexVolName, backendPolicy string) {
-				mockAPI.EXPECT().QtreeExists(ctx, qtreeName, gomock.Any()).Return(true, flexVolName, nil)
+				mockAPI.EXPECT().QtreeGetByName(ctx, qtreeName, gomock.Any()).
+					Return(&api.Qtree{ExportPolicy: qtreeName, Volume: flexVolName}, nil)
 				mockAPI.EXPECT().ExportRuleList(ctx, qtreeName).
 					Return(map[string]int{"1.1.1.1": 1, "2.2.2.2": 2}, nil)
 				mockAPI.EXPECT().ExportRuleDestroy(ctx, qtreeName, gomock.Any()).Times(2)
@@ -5885,7 +5955,8 @@ func TestOntapNasEcoUnpublish(t *testing.T) {
 			name: "emptyPolicyDoesNotExist",
 			args: args{publishEnforcement: false, autoExportPolicy: true},
 			mocks: func(mockAPI *mockapi.MockOntapAPI, qtreeName, flexVolName, backendPolicy string) {
-				mockAPI.EXPECT().QtreeExists(ctx, qtreeName, gomock.Any()).Return(true, flexVolName, nil)
+				mockAPI.EXPECT().QtreeGetByName(ctx, qtreeName, gomock.Any()).
+					Return(&api.Qtree{ExportPolicy: qtreeName, Volume: flexVolName}, nil)
 				mockAPI.EXPECT().ExportRuleList(ctx, qtreeName).
 					Return(map[string]int{"1.1.1.1": 1, "2.2.2.2": 2}, nil)
 				mockAPI.EXPECT().ExportRuleDestroy(ctx, qtreeName, gomock.Any()).Times(2)
@@ -5906,7 +5977,8 @@ func TestOntapNasEcoUnpublish(t *testing.T) {
 			name: "qtreeWithTwoMounts",
 			args: args{publishEnforcement: false, autoExportPolicy: true},
 			mocks: func(mockAPI *mockapi.MockOntapAPI, qtreeName, flexVolName, backendPolicy string) {
-				mockAPI.EXPECT().QtreeExists(ctx, qtreeName, gomock.Any()).Return(true, flexVolName, nil)
+				mockAPI.EXPECT().QtreeGetByName(ctx, qtreeName, gomock.Any()).
+					Return(&api.Qtree{ExportPolicy: qtreeName, Volume: flexVolName}, nil)
 				mockAPI.EXPECT().ExportRuleList(ctx, qtreeName).
 					Return(map[string]int{"1.1.1.1": 1, "2.2.2.2": 2, "4.4.4.4": 4, "5.5.5.5": 5}, nil)
 				mockAPI.EXPECT().ExportRuleDestroy(ctx, qtreeName, gomock.Any()).Times(2)
@@ -5918,24 +5990,26 @@ func TestOntapNasEcoUnpublish(t *testing.T) {
 			name: "qtreeDoesNotExist",
 			args: args{publishEnforcement: false, autoExportPolicy: true},
 			mocks: func(mockAPI *mockapi.MockOntapAPI, qtreeName, flexVolName, backendPolicy string) {
-				mockAPI.EXPECT().QtreeExists(ctx, qtreeName, gomock.Any()).Return(false, "", nil)
+				mockAPI.EXPECT().QtreeGetByName(ctx, qtreeName, gomock.Any()).
+					Return(nil, fmt.Errorf("qtree does not exist"))
 			},
 			wantErr: assert.Error,
 		},
 		{
 			name: "qtreeExistError",
 			args: args{publishEnforcement: false, autoExportPolicy: true},
 			mocks: func(mockAPI *mockapi.MockOntapAPI, qtreeName, flexVolName, backendPolicy string) {
-				mockAPI.EXPECT().QtreeExists(ctx, qtreeName, gomock.Any()).Return(false, "",
-					fmt.Errorf("some api error"))
+				mockAPI.EXPECT().QtreeGetByName(ctx, qtreeName, gomock.Any()).
+					Return(nil, fmt.Errorf("some api error"))
 			},
 			wantErr: assert.Error,
 		},
 		{
 			name: "exportRuleListError",
 			args: args{publishEnforcement: false, autoExportPolicy: true},
 			mocks: func(mockAPI *mockapi.MockOntapAPI, qtreeName, flexVolName, backendPolicy string) {
-				mockAPI.EXPECT().QtreeExists(ctx, qtreeName, gomock.Any()).Return(true, flexVolName, nil)
+				mockAPI.EXPECT().QtreeGetByName(ctx, qtreeName, gomock.Any()).
+					Return(&api.Qtree{ExportPolicy: qtreeName, Volume: flexVolName}, nil)
 				mockAPI.EXPECT().ExportRuleList(ctx, qtreeName).Return(nil, fmt.Errorf("some api error"))
 			},
 			wantErr: assert.Error,
@@ -5979,6 +6053,7 @@ func TestOntapNasEcoLegacyUnpublish(t *testing.T) {
 
 	type args struct {
 		autoExportPolicy bool
+		exportPolicy     string
 		nodeNum          int
 	}
 
@@ -5994,9 +6069,25 @@ func TestOntapNasEcoLegacyUnpublish(t *testing.T) {
 			// After unpublish, the qtree is expected to be set to the empty export policy with no rules because it
 			// is no longer in use by any pods on any node.
 			name: "legacyQtreeWithOneMount",
-			args: args{autoExportPolicy: true, nodeNum: 0},
+			args: args{autoExportPolicy: true, nodeNum: 0, exportPolicy: "trident-1234"},
+			mocks: func(mockAPI *mockapi.MockOntapAPI, qtreeName, flexVolName, backendPolicy string) {
+				mockAPI.EXPECT().QtreeGetByName(ctx, qtreeName, gomock.Any()).
+					Return(&api.Qtree{ExportPolicy: backendPolicy, Volume: flexVolName}, nil)
+				mockAPI.EXPECT().QtreeModifyExportPolicy(ctx, qtreeName, flexVolName, "tridentempty")
+			},
+			wantErr: assert.NoError,
+		},
+		{
+			// This qtree has the backend based export policy "trident-1234" but its volConfig.ExportPolicy="" because
+			// this qtree vol was created using trident version <= 23.01. During Unpublish, the correct export policy
+			// should be querired from backend and used.
+			// After unpublish, the qtree is expected to be set to the empty export policy with no rules because it
+			// is no longer in use by any pods on any node.
+			name: "legacyQtreeWithEmptyExportPolicyInVolConfig",
+			args: args{autoExportPolicy: true, nodeNum: 0, exportPolicy: ""},
 			mocks: func(mockAPI *mockapi.MockOntapAPI, qtreeName, flexVolName, backendPolicy string) {
-				mockAPI.EXPECT().QtreeExists(ctx, qtreeName, gomock.Any()).Return(true, flexVolName, nil)
+				mockAPI.EXPECT().QtreeGetByName(ctx, qtreeName, gomock.Any()).
+					Return(&api.Qtree{ExportPolicy: backendPolicy, Volume: flexVolName}, nil)
 				mockAPI.EXPECT().QtreeModifyExportPolicy(ctx, qtreeName, flexVolName, "tridentempty")
 			},
 			wantErr: assert.NoError,
@@ -6006,9 +6097,10 @@ func TestOntapNasEcoLegacyUnpublish(t *testing.T) {
 			// After unpublish, the qtree is expected to be set to the empty export policy with no rules because it
 			// is no longer in use by any pods on any node.
 			name: "emptyPolicyDoesNotExist",
-			args: args{autoExportPolicy: true, nodeNum: 0},
+			args: args{autoExportPolicy: true, nodeNum: 0, exportPolicy: "trident-1234"},
 			mocks: func(mockAPI *mockapi.MockOntapAPI, qtreeName, flexVolName, backendPolicy string) {
-				mockAPI.EXPECT().QtreeExists(ctx, qtreeName, gomock.Any()).Return(true, flexVolName, nil)
+				mockAPI.EXPECT().QtreeGetByName(ctx, qtreeName, gomock.Any()).
+					Return(&api.Qtree{ExportPolicy: backendPolicy, Volume: flexVolName}, nil)
 				mockAPI.EXPECT().QtreeModifyExportPolicy(ctx, qtreeName, flexVolName, "tridentempty").
 					Return(errors.NotFoundError("export policy not found"))
 				mockAPI.EXPECT().ExportPolicyCreate(ctx, "tridentempty")
@@ -6020,9 +6112,10 @@ func TestOntapNasEcoLegacyUnpublish(t *testing.T) {
 			// This qtree has the backend based export policy "trident-1234" and has more than one publication.
 			// After unpublish, the qtree is expected to continue to use the backend based export policy.
 			name: "legacyQtreeWithMultipleMounts",
-			args: args{autoExportPolicy: true, nodeNum: 2},
+			args: args{autoExportPolicy: true, nodeNum: 2, exportPolicy: "trident-1234"},
 			mocks: func(mockAPI *mockapi.MockOntapAPI, qtreeName, flexVolName, backendPolicy string) {
-				mockAPI.EXPECT().QtreeExists(ctx, qtreeName, gomock.Any()).Return(true, flexVolName, nil)
+				mockAPI.EXPECT().QtreeGetByName(ctx, qtreeName, gomock.Any()).
+					Return(&api.Qtree{ExportPolicy: backendPolicy, Volume: flexVolName}, nil)
 			},
 			wantErr: assert.NoError,
 		},
@@ -6032,7 +6125,6 @@ func TestOntapNasEcoLegacyUnpublish(t *testing.T) {
 		t.Run(tr.name, func(t *testing.T) {
 			volConfig := &storage.VolumeConfig{
 				InternalName: "trident_pvc_123",
-				ExportPolicy: "trident-1234",
 			}
 
 			publishInfo := &models.VolumePublishInfo{
@@ -6044,6 +6136,7 @@ func TestOntapNasEcoLegacyUnpublish(t *testing.T) {
 
 			mockAPI, driver := newMockOntapNasQtreeDriver(t)
 			driver.Config.AutoExportPolicy = tr.args.autoExportPolicy
+			volConfig.ExportPolicy = tr.args.exportPolicy
 
 			mockAPI.EXPECT().SVMName().AnyTimes().Return("SVM1")
 			tr.mocks(mockAPI, volConfig.InternalName, "flexVolName", getExportPolicyName(publishInfo.BackendUUID))