EgressIP: fix startup sync to add metadata

martinkennelly · martinkennelly · commit 7588fd3a66c6 · 2025-07-07T11:53:43.000+01:00
Initial implementations erroneously assumed a CIDR for NATs
logicalIP.

Also, eip controller expects all OVN constructs that support
EIP to have this metadata so if we cannot build this metadata
then add dummy data so its cleaned up later by EIP controller.

This was not caught by unit tests because the unit test also
contained the assumption of only logical IP with no mask.

It was not caught by upstream CI because we have no reboot tests.

Signed-off-by: Martin Kennelly &lt;mkennell@redhat.com&gt;
diff --git a/go-controller/pkg/ovn/external_ids_syncer/logical_router_policy/logical_router_policy_sync.go b/go-controller/pkg/ovn/external_ids_syncer/logical_router_policy/logical_router_policy_sync.go
@@ -101,7 +101,8 @@ func (syncer *LRPSyncer) syncEgressIPReRoutes() error {
 			podInfo, err := cache.getPod(podIP)
 			if err != nil {
 				klog.Infof("Failed to find Logical Switch Port cache entry for pod IP %s: %v", podIP.String(), err)
-				continue
+				// pod not found, add dummy metadata that will be cleaned up by EIP controller sync.
+				podInfo = podNetInfo{namespace: "UNKNOWN", name: "UNKNOWN"}
 			}
 			ipFamily := getIPFamily(isIPv6)
 			lrp.ExternalIDs = getEgressIPLRPReRouteDbIDs(eipName, podInfo.namespace, podInfo.name, ipFamily, defaultNetworkName, syncer.controllerName).GetExternalIDs()
diff --git a/go-controller/pkg/ovn/external_ids_syncer/logical_router_policy/logical_router_policy_sync_test.go b/go-controller/pkg/ovn/external_ids_syncer/logical_router_policy/logical_router_policy_sync_test.go
@@ -122,7 +122,7 @@ var _ = ginkgo.Describe("OVN Logical Router Syncer", func() {
 					map[string]string{"name": egressIPName},
 					defaultNetworkControllerName)},
 				finalLRPs: []*nbdb.LogicalRouterPolicy{getReRouteLRP(podNamespace, podName, v4PodIPStr, 0, v4IPFamilyValue, v4PodNextHops,
-					map[string]string{"name": egressIPName},
+					getEgressIPLRPReRouteDbIDs(egressIPName, "UNKNOWN", "UNKNOWN", v4IPFamilyValue, defaultNetworkName, defaultNetworkControllerName).GetExternalIDs(),
 					defaultNetworkControllerName)},
 				v4ClusterSubnets: []*net.IPNet{v4PodClusterSubnet},
 				v4JoinSubnet:     v4JoinSubnet,
diff --git a/go-controller/pkg/ovn/external_ids_syncer/nat/nat_sync.go b/go-controller/pkg/ovn/external_ids_syncer/nat/nat_sync.go
@@ -10,6 +10,7 @@ import (
 	libovsdbclient "github.com/ovn-org/libovsdb/client"
 	"github.com/ovn-org/libovsdb/ovsdb"
 
+	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/config"
 	libovsdbops "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/libovsdb/ops"
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/nbdb"
 	ovntypes "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/types"
@@ -86,10 +87,10 @@ func (n *NATSyncer) syncEgressIPNATs() error {
 			klog.Errorf("Expected NAT %s to contain 'name' as a key within its external IDs", nat.UUID)
 			continue
 		}
-		podIP, _, err := net.ParseCIDR(nat.LogicalIP)
-		if err != nil {
-			klog.Errorf("Failed to process logical IP %q of NAT %s", nat.LogicalIP, nat.UUID)
-			continue
+		// for egress IP, the logicalIP does not contain a mask.
+		podIP := net.ParseIP(nat.LogicalIP)
+		if podIP == nil {
+			return fmt.Errorf("failed to process logical IP %q of NAT %s", nat.LogicalIP, nat.UUID)
 		}
 		isV6 := utilsnet.IsIPv6(podIP)
 		var ipFamily egressIPFamilyValue
@@ -103,15 +104,15 @@ func (n *NATSyncer) syncEgressIPNATs() error {
 			pod, found = v4PodCache.getPodByIP(podIP)
 		}
 		if !found {
-			klog.Errorf("Failed to find logical switch port that contains IP address %s", podIP.String())
-			continue
+			// set it to unknown and the egress IP controller syncer will take care of removing it.
+			pod = podNetInfo{namespace: "UNKNOWN", name: "UNKNOWN"}
+			ipFamily = getFirstSupportIPFamily()
 		}
 		nat.ExternalIDs = getEgressIPNATDbIDs(eIPName, pod.namespace, pod.name, ipFamily, n.controllerName).GetExternalIDs()
 		ops, err = libovsdbops.UpdateNATOps(n.nbClient, ops, nat)
 		if err != nil {
 			klog.Errorf("Failed to generate NAT ops for NAT %s: %v", nat.UUID, err)
 		}
-		klog.Infof("## martin found %d nats", len(ops))
 	}
 
 	_, err = libovsdbops.TransactAndCheck(n.nbClient, ops)
@@ -176,3 +177,10 @@ func getEgressIPNATDbIDs(eIPName, podNamespace, podName string, ipFamily egressI
 		libovsdbops.IPFamilyKey:   string(ipFamily),
 	})
 }
+
+func getFirstSupportIPFamily() egressIPFamilyValue {
+	if config.IPv4Mode {
+		return ipFamilyValueV4
+	}
+	return ipFamilyValueV6
+}
diff --git a/go-controller/pkg/ovn/external_ids_syncer/nat/nat_sync_test.go b/go-controller/pkg/ovn/external_ids_syncer/nat/nat_sync_test.go
@@ -26,22 +26,22 @@ const (
 	egressIP                     = "10.10.10.10"
 	nat1UUID                     = "nat-1-UUID"
 	nat2UUID                     = "nat-2-UUID"
-	pod1V4CIDRStr                = "10.128.0.5/32"
-	pod1V6CIDRStr                = "2001:0000:130F:0000:0000:09C0:876A:130B/128"
+	pod1V4Str                    = "10.128.0.5"
+	pod1V6Str                    = "2001:0000:130F:0000:0000:09C0:876A:130B"
 	pod1Namespace                = "ns1"
 	pod1Name                     = "pod1"
-	pod2V4CIDRStr                = "10.128.0.6/32"
-	pod2V6CIDRStr                = "2001:0000:130F:0000:0000:09C0:876A:130A/128"
+	pod2V4Str                    = "10.128.0.6"
+	pod2V6Str                    = "2001:0000:130F:0000:0000:09C0:876A:130A"
 	pod2Namespace                = "ns1"
 	pod2Name                     = "pod2"
 	defaultNetworkControllerName = "default-network-controller"
 )
 
 var (
-	pod1V4IPNet  = testing.MustParseIPNet(pod1V4CIDRStr)
-	pod1V6IPNet  = testing.MustParseIPNet(pod1V6CIDRStr)
-	pod2V4IPNet  = testing.MustParseIPNet(pod2V4CIDRStr)
-	pod2V6IPNet  = testing.MustParseIPNet(pod2V6CIDRStr)
+	pod1V4IP     = testing.MustParseIP(pod1V4Str)
+	pod1V6IP     = testing.MustParseIP(pod1V6Str)
+	pod2V4IP     = testing.MustParseIP(pod2V4Str)
+	pod2V6IP     = testing.MustParseIP(pod2V6Str)
 	legacyExtIDs = map[string]string{legacyEIPNameExtIDKey: egressIPName}
 	pod1V4ExtIDs = getEgressIPNATDbIDs(egressIPName, pod1Namespace, pod1Name, ipFamilyValueV4, defaultNetworkControllerName).GetExternalIDs()
 	pod1V6ExtIDs = getEgressIPNATDbIDs(egressIPName, pod1Namespace, pod1Name, ipFamilyValueV6, defaultNetworkControllerName).GetExternalIDs()
@@ -54,64 +54,64 @@ var _ = ginkgo.Describe("NAT Syncer", func() {
 		ginkgo.DescribeTable("egress NATs", func(sync natSync) {
 			performTest(defaultNetworkControllerName, sync.initialNATs, sync.finalNATs, sync.pods)
 		}, ginkgo.Entry("converts legacy IPv4 NATs", natSync{
-			initialNATs: []*nbdb.NAT{getSNAT(nat1UUID, pod1V4CIDRStr, egressIP, legacyExtIDs)},
-			finalNATs:   []*nbdb.NAT{getSNAT(nat1UUID, pod1V4CIDRStr, egressIP, pod1V4ExtIDs)},
+			initialNATs: []*nbdb.NAT{getSNAT(nat1UUID, pod1V4Str, egressIP, legacyExtIDs)},
+			finalNATs:   []*nbdb.NAT{getSNAT(nat1UUID, pod1V4Str, egressIP, pod1V4ExtIDs)},
 			pods: podsNetInfo{
 				{
-					[]net.IP{pod1V4IPNet.IP},
+					[]net.IP{pod1V4IP},
 					pod1Namespace,
 					pod1Name,
 				},
 				{
-					[]net.IP{pod2V4IPNet.IP},
+					[]net.IP{pod2V4IP},
 					pod2Namespace,
 					pod2Name,
 				},
 			},
 		}),
 			ginkgo.Entry("converts legacy IPv6 NATs", natSync{
-				initialNATs: []*nbdb.NAT{getSNAT(nat1UUID, pod1V6CIDRStr, egressIP, legacyExtIDs)},
-				finalNATs:   []*nbdb.NAT{getSNAT(nat1UUID, pod1V6CIDRStr, egressIP, pod1V6ExtIDs)},
+				initialNATs: []*nbdb.NAT{getSNAT(nat1UUID, pod1V6Str, egressIP, legacyExtIDs)},
+				finalNATs:   []*nbdb.NAT{getSNAT(nat1UUID, pod1V6Str, egressIP, pod1V6ExtIDs)},
 				pods: podsNetInfo{
 					{
-						[]net.IP{pod1V6IPNet.IP},
+						[]net.IP{pod1V6IP},
 						pod1Namespace,
 						pod1Name,
 					},
 					{
-						[]net.IP{pod2V6IPNet.IP},
+						[]net.IP{pod2V6IP},
 						pod2Namespace,
 						pod2Name,
 					},
 				},
 			}),
 			ginkgo.Entry("converts legacy dual stack NATs", natSync{
-				initialNATs: []*nbdb.NAT{getSNAT(nat1UUID, pod1V4CIDRStr, egressIP, legacyExtIDs), getSNAT(nat2UUID, pod1V6CIDRStr, egressIP, legacyExtIDs)},
-				finalNATs:   []*nbdb.NAT{getSNAT(nat1UUID, pod1V4CIDRStr, egressIP, pod1V4ExtIDs), getSNAT(nat2UUID, pod1V6CIDRStr, egressIP, pod1V6ExtIDs)},
+				initialNATs: []*nbdb.NAT{getSNAT(nat1UUID, pod1V4Str, egressIP, legacyExtIDs), getSNAT(nat2UUID, pod1V6Str, egressIP, legacyExtIDs)},
+				finalNATs:   []*nbdb.NAT{getSNAT(nat1UUID, pod1V4Str, egressIP, pod1V4ExtIDs), getSNAT(nat2UUID, pod1V6Str, egressIP, pod1V6ExtIDs)},
 				pods: podsNetInfo{
 					{
-						[]net.IP{pod1V4IPNet.IP, pod1V6IPNet.IP},
+						[]net.IP{pod1V4IP, pod1V6IP},
 						pod1Namespace,
 						pod1Name,
 					},
 					{
-						[]net.IP{pod2V4IPNet.IP, pod2V6IPNet.IP},
+						[]net.IP{pod2V4IP, pod2V6IP},
 						pod2Namespace,
 						pod2Name,
 					},
 				},
 			}),
 			ginkgo.Entry("doesn't alter NAT with correct external IDs", natSync{
-				initialNATs: []*nbdb.NAT{getSNAT(nat1UUID, pod1V6CIDRStr, egressIP, pod1V6ExtIDs)},
-				finalNATs:   []*nbdb.NAT{getSNAT(nat1UUID, pod1V6CIDRStr, egressIP, pod1V6ExtIDs)},
+				initialNATs: []*nbdb.NAT{getSNAT(nat1UUID, pod1V6Str, egressIP, pod1V6ExtIDs)},
+				finalNATs:   []*nbdb.NAT{getSNAT(nat1UUID, pod1V6Str, egressIP, pod1V6ExtIDs)},
 				pods: podsNetInfo{
 					{
-						[]net.IP{pod1V4IPNet.IP, pod1V6IPNet.IP},
+						[]net.IP{pod1V4IP, pod1V6IP},
 						pod1Namespace,
 						pod1Name,
 					},
 					{
-						[]net.IP{pod2V4IPNet.IP, pod2V6IPNet.IP},
+						[]net.IP{pod2V4IP, pod2V6IP},
 						pod2Namespace,
 						pod2Name,
 					},
