advertised network isolation: imporove DB ids

kyrtapz · kyrtapz · commit bb0bdced764c · 2025-05-16T17:28:43.000+02:00
Use the constant value for global DB entries.
Use the actual controller for per-network ACLs.

Signed-off-by: Patryk Diak &lt;pdiak@redhat.com&gt;
diff --git a/go-controller/pkg/ovn/gateway_test.go b/go-controller/pkg/ovn/gateway_test.go
@@ -44,7 +44,7 @@ func generateAdvertisedUDNIsolationExpectedNB(testData []libovsdbtest.TestData,
 
 	}
 	passACL := libovsdbutil.BuildACL(
-		GetAdvertisedNetworkSubnetsPassACLdbIDs(networkName, networkID),
+		GetAdvertisedNetworkSubnetsPassACLdbIDs(DefaultNetworkControllerName, networkName, networkID),
 		types.AdvertisedNetworkPassPriority,
 		strings.Join(passMatches, " || "),
 		nbdb.ACLActionPass,
diff --git a/go-controller/pkg/ovn/udn_isolation.go b/go-controller/pkg/ovn/udn_isolation.go
@@ -240,29 +240,28 @@ func (oc *DefaultNetworkController) getUDNOpenPortDbIDs(podNamespacedName string
 		})
 }
 
-const advertisedNetworkIsolationACLID = "advertised-network-isolation"
-const advertisedNetworkSubnetsAddressSet = "advertised-network-subnets"
-const advertisedNetworkSubnetsCtrl = "advertised-network-subnets-controller"
+// advertisedNetworkSubnetsKey is the object name key for the global advertised networks addressset and the global deny ACL
+const advertisedNetworkSubnetsKey = "advertised-network-subnets"
 
 // GetAdvertisedNetworkSubnetsAddressSetDBIDs returns the DB IDs for the advertised network subnets addressset
 func GetAdvertisedNetworkSubnetsAddressSetDBIDs() *libovsdbops.DbObjectIDs {
-	return libovsdbops.NewDbObjectIDs(libovsdbops.AddressSetAdvertisedNetwork, advertisedNetworkSubnetsCtrl, map[libovsdbops.ExternalIDKey]string{
-		libovsdbops.ObjectNameKey: advertisedNetworkSubnetsAddressSet,
+	return libovsdbops.NewDbObjectIDs(libovsdbops.AddressSetAdvertisedNetwork, DefaultNetworkControllerName, map[libovsdbops.ExternalIDKey]string{
+		libovsdbops.ObjectNameKey: advertisedNetworkSubnetsKey,
 	})
 }
 
 // GetAdvertisedNetworkSubnetsDropACLdbIDs returns the DB IDs for the advertised network subnets drop ACL
 func GetAdvertisedNetworkSubnetsDropACLdbIDs() *libovsdbops.DbObjectIDs {
-	return libovsdbops.NewDbObjectIDs(libovsdbops.ACLAdvertisedNetwork, advertisedNetworkIsolationACLID,
+	return libovsdbops.NewDbObjectIDs(libovsdbops.ACLAdvertisedNetwork, DefaultNetworkControllerName,
 		map[libovsdbops.ExternalIDKey]string{
-			libovsdbops.ObjectNameKey: advertisedNetworkSubnetsCtrl,
+			libovsdbops.ObjectNameKey: advertisedNetworkSubnetsKey,
 			libovsdbops.NetworkKey:    "",
 		})
 }
 
 // GetAdvertisedNetworkSubnetsPassACLdbIDs returns the DB IDs for the advertised network subnets pass ACL
-func GetAdvertisedNetworkSubnetsPassACLdbIDs(networkName string, networkID int) *libovsdbops.DbObjectIDs {
-	return libovsdbops.NewDbObjectIDs(libovsdbops.ACLAdvertisedNetwork, advertisedNetworkIsolationACLID,
+func GetAdvertisedNetworkSubnetsPassACLdbIDs(controller, networkName string, networkID int) *libovsdbops.DbObjectIDs {
+	return libovsdbops.NewDbObjectIDs(libovsdbops.ACLAdvertisedNetwork, controller,
 		map[libovsdbops.ExternalIDKey]string{
 			libovsdbops.ObjectNameKey: networkName,
 			libovsdbops.NetworkKey:    strconv.Itoa(networkID),
@@ -327,7 +326,7 @@ func (bnc *BaseNetworkController) addAdvertisedNetworkIsolation(nodeName string)
 
 	if len(passMatches) > 0 {
 		passACL := libovsdbutil.BuildACL(
-			GetAdvertisedNetworkSubnetsPassACLdbIDs(bnc.GetNetworkName(), bnc.GetNetworkID()),
+			GetAdvertisedNetworkSubnetsPassACLdbIDs(bnc.controllerName, bnc.GetNetworkName(), bnc.GetNetworkID()),
 			types.AdvertisedNetworkPassPriority,
 			strings.Join(passMatches, " || "),
 			nbdb.ACLActionPass,
@@ -337,7 +336,7 @@ func (bnc *BaseNetworkController) addAdvertisedNetworkIsolation(nodeName string)
 
 		ops, err = libovsdbops.CreateOrUpdateACLsOps(bnc.nbClient, ops, nil, passACL)
 		if err != nil {
-			return fmt.Errorf("failed to create or update network isolation pass ACL %s for network %s: %w", GetAdvertisedNetworkSubnetsPassACLdbIDs(bnc.GetNetworkName(), bnc.GetNetworkID()), bnc.GetNetworkName(), err)
+			return fmt.Errorf("failed to create or update network isolation pass ACL %s for network %s: %w", GetAdvertisedNetworkSubnetsPassACLdbIDs(bnc.controllerName, bnc.GetNetworkName(), bnc.GetNetworkID()), bnc.GetNetworkName(), err)
 		}
 		ops, err = libovsdbops.AddACLsToLogicalSwitchOps(bnc.nbClient, ops, bnc.GetNetworkScopedSwitchName(nodeName), passACL)
 		if err != nil {
@@ -377,7 +376,7 @@ func (bnc *BaseNetworkController) deleteAdvertisedNetworkIsolation(nodeName stri
 		return err
 	}
 
-	passACLIDs := GetAdvertisedNetworkSubnetsPassACLdbIDs(bnc.GetNetworkName(), bnc.GetNetworkID())
+	passACLIDs := GetAdvertisedNetworkSubnetsPassACLdbIDs(bnc.controllerName, bnc.GetNetworkName(), bnc.GetNetworkID())
 	passACLPredicate := libovsdbops.GetPredicate[*nbdb.ACL](passACLIDs, nil)
 	passACLs, err := libovsdbops.FindACLsWithPredicate(bnc.nbClient, passACLPredicate)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ func generateAdvertisedUDNIsolationExpectedNB(testData []libovsdbtest.TestData,`
`44`	`44`
`45`	`45`	`}`
`46`	`46`	`passACL := libovsdbutil.BuildACL(`
`47`		`- GetAdvertisedNetworkSubnetsPassACLdbIDs(networkName, networkID),`
	`47`	`+ GetAdvertisedNetworkSubnetsPassACLdbIDs(DefaultNetworkControllerName, networkName, networkID),`
`48`	`48`	`types.AdvertisedNetworkPassPriority,`
`49`	`49`	`strings.Join(passMatches, " \|\| "),`
`50`	`50`	`nbdb.ACLActionPass,`