Remove_ruleindex_unify_name_for_vpc_t1

vmware-tanzu · Sep 29, 2024 · 7975902 · 7975902
1 parent 5c97290
commit 7975902
Show file tree

Hide file tree

Showing 5 changed files with 156 additions and 101 deletions.
diff --git a/pkg/nsx/services/securitypolicy/builder.go b/pkg/nsx/services/securitypolicy/builder.go
@@ -5,7 +5,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"sort"
 	"strconv"
 	"strings"
 
@@ -39,24 +38,15 @@ var (
 	Int64  = common.Int64
 )
 
-func (service *SecurityPolicyService) buildSecurityPolicyName(obj *v1alpha1.SecurityPolicy, createdFor string) string {
-	if IsVPCEnabled(service) {
-		// For VPC scenario, we use obj.Name as the NSX resource display name for both SecurityPolicy and NetworkPolicy.
-		return util.GenerateTruncName(common.MaxNameLength, obj.Name, "", "", "", "")
-	}
-	prefix := common.SecurityPolicyPrefix
-	if createdFor != common.ResourceTypeSecurityPolicy {
-		prefix = common.NetworkPolicyPrefix
-	}
-	// For T1 scenario, we use ns-name as the key resource name for SecurityPolicy, it is to be consistent with the
-	// previous solutions.
-	return util.GenerateTruncName(common.MaxNameLength, strings.Join([]string{obj.Namespace, obj.Name}, common.ConnectorUnderline), prefix, "", "", "")
+func (service *SecurityPolicyService) buildSecurityPolicyName(obj *v1alpha1.SecurityPolicy) string {
+	return util.GenerateTruncName(common.MaxNameLength, obj.Name, "", "", "", "")
 }
 
 func (service *SecurityPolicyService) buildSecurityPolicyID(obj *v1alpha1.SecurityPolicy, createdFor string) string {
 	if IsVPCEnabled(service) {
 		return util.GenerateIDByObject(obj)
 	}
+
 	prefix := common.SecurityPolicyPrefix
 	if createdFor != common.ResourceTypeSecurityPolicy {
 		prefix = common.NetworkPolicyPrefix
@@ -76,7 +66,7 @@ func (service *SecurityPolicyService) buildSecurityPolicy(obj *v1alpha1.Security
 	nsxSecurityPolicy := &model.SecurityPolicy{}
 
 	nsxSecurityPolicy.Id = String(service.buildSecurityPolicyID(obj, createdFor))
-	nsxSecurityPolicy.DisplayName = String(service.buildSecurityPolicyName(obj, createdFor))
+	nsxSecurityPolicy.DisplayName = String(service.buildSecurityPolicyName(obj))
 	// TODO: confirm the sequence number: offset
 	nsxSecurityPolicy.SequenceNumber = Int64(int64(obj.Spec.Priority))
 
@@ -93,7 +83,7 @@ func (service *SecurityPolicyService) buildSecurityPolicy(obj *v1alpha1.Security
 	currentSet := sets.Set[string]{}
 	for ruleIdx, r := range obj.Spec.Rules {
 		rule := r
-		// A rule containing named port may expand to multiple rules if the name maps to multiple port numbers.
+		// A rule containing named ports may be expanded to multiple rules if the name ports map to multiple port numbers.
 		expandRules, buildGroups, buildGroupShares, err := service.buildRuleAndGroups(obj, &rule, ruleIdx, createdFor)
 		if err != nil {
 			log.Error(err, "failed to build rule and groups", "rule", rule, "ruleIndex", ruleIdx)
@@ -204,11 +194,6 @@ func (service *SecurityPolicyService) buildTargetTags(obj *v1alpha1.SecurityPoli
 	rule *v1alpha1.SecurityPolicyRule, ruleIdx int, createdFor string,
 ) []model.Tag {
 	basicTags := service.buildBasicTags(obj, createdFor)
-	sort.Slice(*targets, func(i, j int) bool {
-		k1, _ := json.Marshal((*targets)[i])
-		k2, _ := json.Marshal((*targets)[j])
-		return string(k1) < string(k2)
-	})
 	serializedBytes, _ := json.Marshal(*targets)
 	targetTags := []model.Tag{
 		{
@@ -242,7 +227,7 @@ func (service *SecurityPolicyService) buildTargetTags(obj *v1alpha1.SecurityPoli
 		targetTags = append(targetTags,
 			model.Tag{
 				Scope: String(common.TagScopeRuleID),
-				Tag:   String(service.buildRuleID(obj, rule, ruleIdx, createdFor)),
+				Tag:   String(service.buildRuleID(obj, ruleIdx, createdFor)),
 			},
 		)
 	}
@@ -379,7 +364,8 @@ func (service *SecurityPolicyService) buildAppliedGroupID(obj *v1alpha1.Security
 	if IsVPCEnabled(service) {
 		suffix := common.TargetGroupSuffix
 		if ruleIdx != -1 {
-			suffix = strings.Join([]string{strconv.Itoa(ruleIdx), suffix}, common.ConnectorUnderline)
+			ruleHash := service.buildRuleHashString(&(obj.Spec.Rules[ruleIdx]))
+			suffix = strings.Join([]string{ruleHash, suffix}, common.ConnectorUnderline)
 		}
 		return util.GenerateIDByObjectWithSuffix(obj, suffix)
 	}
@@ -415,17 +401,13 @@ func (service *SecurityPolicyService) buildAppliedGroupPath(obj *v1alpha1.Securi
 
 // build appliedTo group display name for both policy and rule levels.
 func (service *SecurityPolicyService) buildAppliedGroupName(obj *v1alpha1.SecurityPolicy, ruleIdx int) string {
-	var rule *v1alpha1.SecurityPolicyRule
 	if ruleIdx != -1 {
-		rule = &(obj.Spec.Rules[ruleIdx])
-		ruleName := strings.Join([]string{obj.Name, strconv.Itoa(ruleIdx)}, common.ConnectorUnderline)
-		if len(rule.Name) > 0 {
-			ruleName = rule.Name
-		}
-		return util.GenerateTruncName(common.MaxNameLength, ruleName, "", common.TargetGroupSuffix, "", "")
+		ruleHash := service.buildRuleHashString(&(obj.Spec.Rules[ruleIdx]))
+		suffix := strings.Join([]string{ruleHash, common.TargetGroupSuffix}, common.ConnectorUnderline)
+		return util.GenerateTruncName(common.MaxNameLength, obj.Name, "", suffix, "", "")
 	}
-	ruleName := strings.Join([]string{obj.Namespace, obj.Name}, common.ConnectorUnderline)
-	return util.GenerateTruncName(common.MaxNameLength, ruleName, "", common.TargetGroupSuffix, "", "")
+
+	return util.GenerateTruncName(common.MaxNameLength, obj.Name, "", common.TargetGroupSuffix, "", "")
 }
 
 func (service *SecurityPolicyService) buildRuleAndGroups(obj *v1alpha1.SecurityPolicy, rule *v1alpha1.SecurityPolicyRule,
@@ -598,21 +580,42 @@ func (service *SecurityPolicyService) buildRuleOutGroup(obj *v1alpha1.SecurityPo
 	return nsxRuleDstGroup, nsxRuleSrcGroupPath, nsxRuleDstGroupPath, nsxGroupShare, nil
 }
 
-func (service *SecurityPolicyService) buildRuleID(obj *v1alpha1.SecurityPolicy, rule *v1alpha1.SecurityPolicyRule, ruleIdx int, createdFor string) string {
-	serializedBytes, _ := json.Marshal(rule)
-	ruleHash := fmt.Sprintf("%s", util.Sha1(string(serializedBytes)))
-	ruleIdxStr := fmt.Sprintf("%d", ruleIdx)
+func (service *SecurityPolicyService) buildRuleID(obj *v1alpha1.SecurityPolicy, ruleIdx int, createdFor string) string {
+	ruleHash := service.buildRuleHashString(&(obj.Spec.Rules[ruleIdx]))
+
 	if IsVPCEnabled(service) {
-		suffix := strings.Join([]string{ruleIdxStr, ruleHash}, common.ConnectorUnderline)
-		return util.GenerateIDByObjectWithSuffix(obj, suffix)
+		return util.GenerateIDByObjectWithSuffix(obj, ruleHash)
 	}
+
 	prefix := common.SecurityPolicyPrefix
 	if createdFor == common.ResourceTypeNetworkPolicy {
 		prefix = common.NetworkPolicyPrefix
 	}
+	ruleIdxStr := fmt.Sprintf("%d", ruleIdx)
 	return util.GenerateID(fmt.Sprintf("%s", obj.UID), prefix, ruleHash, ruleIdxStr)
 }
 
+// A rule containing named ports may be expanded to multiple NSX rules if the name ports map to multiple port numbers.
+// So, in VPC network, the rule port numbers, which either are defined in rule Port or resolved from named port, will be appended as CR rule baseID to distinguish them.
+// For T1, the portIdx and portAddressIdx are appended as suffix.
+func (service *SecurityPolicyService) buildExpandedRuleID(obj *v1alpha1.SecurityPolicy, rule *v1alpha1.SecurityPolicyRule, ruleIdx int, createdFor string,
+	portIdx int, portAddressIdx int, portNumber int, hasNamedport bool,
+) string {
+	ruleBaseID := service.buildRuleID(obj, ruleIdx, createdFor)
+
+	if IsVPCEnabled(service) {
+		portNumberSuffix := ""
+		if !hasNamedport {
+			portNumberSuffix = service.buildRulePortsNumberString(&rule.Ports)
+		} else {
+			portNumberSuffix = service.buildRulePortNumberString(&rule.Ports[portIdx], true, portNumber)
+		}
+		return strings.Join([]string{ruleBaseID, portNumberSuffix}, common.ConnectorUnderline)
+	}
+
+	return strings.Join([]string{ruleBaseID, strconv.Itoa(portIdx), strconv.Itoa(portAddressIdx)}, common.ConnectorUnderline)
+}
+
 func (service *SecurityPolicyService) buildRuleDisplayName(rule *v1alpha1.SecurityPolicyRule, portIdx, portNumber int, hasNamedport bool, createdFor string) (string, error) {
 	var ruleName string
 	var ruleAct string
@@ -747,24 +750,25 @@ func (service *SecurityPolicyService) buildRulePeerGroupID(obj *v1alpha1.Securit
 	if isSource == true {
 		suffix = common.SrcGroupSuffix
 	}
+
 	if IsVPCEnabled(service) {
-		suffix = strings.Join([]string{strconv.Itoa(ruleIdx), suffix}, common.ConnectorUnderline)
+		ruleHash := service.buildRuleHashString(&(obj.Spec.Rules[ruleIdx]))
+		suffix = strings.Join([]string{ruleHash, suffix}, common.ConnectorUnderline)
 		return util.GenerateIDByObjectWithSuffix(obj, suffix)
 	}
+
 	return util.GenerateID(string(obj.UID), common.SecurityPolicyPrefix, suffix, strconv.Itoa(ruleIdx))
 }
 
 func (service *SecurityPolicyService) buildRulePeerGroupName(obj *v1alpha1.SecurityPolicy, ruleIdx int, isSource bool) string {
-	rule := &(obj.Spec.Rules[ruleIdx])
 	suffix := common.DstGroupSuffix
 	if isSource == true {
 		suffix = common.SrcGroupSuffix
 	}
-	ruleName := strings.Join([]string{obj.Name, strconv.Itoa(ruleIdx)}, common.ConnectorUnderline)
-	if len(rule.Name) > 0 {
-		ruleName = rule.Name
-	}
-	return util.GenerateTruncName(common.MaxNameLength, ruleName, "", suffix, "", "")
+	ruleHash := service.buildRuleHashString(&(obj.Spec.Rules[ruleIdx]))
+	suffix = strings.Join([]string{ruleHash, suffix}, common.ConnectorUnderline)
+
+	return util.GenerateTruncName(common.MaxNameLength, obj.Name, "", suffix, "", "")
 }
 
 func (service *SecurityPolicyService) buildRulePeerGroupPath(obj *v1alpha1.SecurityPolicy, ruleIdx int, isSource, infraGroupShared, projectGroupShared bool, vpcInfo *common.VPCResourceInfo) (string, error) {
@@ -913,10 +917,6 @@ func (service *SecurityPolicyService) buildRulePeerGroup(obj *v1alpha1.SecurityP
 	return &rulePeerGroup, rulePeerGroupPath, nil, err
 }
 
-func (service *SecurityPolicyService) buildExpandedRuleId(ruleBaseId string, portIdx int, portAddressIdx int) string {
-	return strings.Join([]string{ruleBaseId, strconv.Itoa(portIdx), strconv.Itoa(portAddressIdx)}, common.ConnectorUnderline)
-}
-
 // Build rule basic info, ruleIdx is the index of the rules of security policy,
 // portIdx is the index of rule's ports, portAddressIdx is the index
 // of multiple port number if one named port maps to multiple port numbers.
@@ -937,7 +937,7 @@ func (service *SecurityPolicyService) buildRuleBasicInfo(obj *v1alpha1.SecurityP
 	}
 
 	nsxRule := model.Rule{
-		Id:             String(service.buildExpandedRuleId(service.buildRuleID(obj, rule, ruleIdx, createdFor), portIdx, portAddressIdx)),
+		Id:             String(service.buildExpandedRuleID(obj, rule, ruleIdx, createdFor, portIdx, portAddressIdx, portNumber, hasNamedport)),
 		DisplayName:    &displayName,
 		Direction:      &ruleDirection,
 		SequenceNumber: Int64(int64(ruleIdx)),
@@ -957,13 +957,6 @@ func (service *SecurityPolicyService) buildPeerTags(obj *v1alpha1.SecurityPolicy
 		groupTypeTag = String(common.TagValueGroupSource)
 		peers = &rule.Sources
 	}
-
-	// TODO: abstract sort func for both peers and targets
-	sort.Slice(*peers, func(i, j int) bool {
-		k1, _ := json.Marshal((*peers)[i])
-		k2, _ := json.Marshal((*peers)[j])
-		return string(k1) < string(k2)
-	})
 	serializedBytes, _ := json.Marshal(*peers)
 
 	peerTags := []model.Tag{
@@ -973,7 +966,7 @@ func (service *SecurityPolicyService) buildPeerTags(obj *v1alpha1.SecurityPolicy
 		},
 		{
 			Scope: String(common.TagScopeRuleID),
-			Tag:   String(service.buildRuleID(obj, rule, ruleIdx, createdFor)),
+			Tag:   String(service.buildRuleID(obj, ruleIdx, createdFor)),
 		},
 		{
 			Scope: String(common.TagScopeSelectorHash),
@@ -1009,6 +1002,7 @@ func (service *SecurityPolicyService) buildPeerTags(obj *v1alpha1.SecurityPolicy
 			)
 		}
 	}
+
 	return peerTags
 }
 
@@ -1888,6 +1882,51 @@ func (service *SecurityPolicyService) buildRulePortsString(ports *[]v1alpha1.Sec
 	return util.GenerateTruncName(common.MaxNameLength, portsString, "", suffix, "", "")
 }
 
+func (service *SecurityPolicyService) buildRulePortNumberString(port *v1alpha1.SecurityPolicyPort, hasNamedport bool, portNumber int) string {
+	// Build the rule port number string name for non named port.
+	// This is a common case where the string is built from port definition. For instance,
+	// - protocol: TCP
+	//   port: 8282
+	//   endPort: 8286
+	// The built port number string is: 8282.8286
+	// - protocol: UDP
+	//   port: 3308
+	// The built port number string is: 3308
+	if !hasNamedport {
+		if port.EndPort != 0 {
+			return fmt.Sprintf("%s.%d", (port.Port).String(), port.EndPort)
+		}
+		return fmt.Sprintf("%s", (port.Port).String())
+	} else {
+		// Build the rule port number string name for named port.
+		// The port number string is built from specific port number resolved from named port.
+		return fmt.Sprintf("%d", portNumber)
+	}
+}
+
+func (service *SecurityPolicyService) buildRulePortsNumberString(ports *[]v1alpha1.SecurityPolicyPort) string {
+	portsNumString := ""
+	if ports == nil || len(*ports) == 0 {
+		portsNumString = common.RuleAnyPorts
+	} else {
+		for idx, p := range *ports {
+			port := p
+			portNumString := service.buildRulePortNumberString(&port, false, -1)
+			if idx == 0 {
+				portsNumString = portNumString
+			} else {
+				portsNumString = strings.Join([]string{portsNumString, portNumString}, common.ConnectorUnderline)
+			}
+		}
+	}
+	return portsNumString
+}
+
+func (service *SecurityPolicyService) buildRuleHashString(rule *v1alpha1.SecurityPolicyRule) string {
+	serializedBytes, _ := json.Marshal(rule)
+	return fmt.Sprintf("%s", util.Sha1(string(serializedBytes)))
+}
+
 func (service *SecurityPolicyService) BuildNetworkPolicyAllowPolicyID(uid string) string {
 	return strings.Join([]string{uid, common.RuleActionAllow}, common.ConnectorUnderline)
 }