Remove rule index from rule/group ID/name for VPC and unify NSX resource name for VPC and T1 #785

timdengyun · 2024-09-29T04:45:52Z

This patch is to:

Remove SecurityPolicy rule index from rule ID and for VPC mode,
and keep T1 mode rule ID unchanged with rule index.
Remove SecurityPolicy rule index from group ID for VPC mode,
and keep T1 mode group ID unchanged with rule index.
Remove rule index from NSX group/rule name, and unify the NSX resource name for VPC and T1 network,
including SecurityPolicy, rule, and group.
Reduce length of rule hash string to 8 chars for VPC mode.

Test Done:

Create SecurityPolicy in VPC mode, do CRUD.
The SecurityPolicy CR name is: sp-app-access-policy-vpc
The generated NSX SecurityPolicy:

ID: sp-app-access-policy-vpc_36fcf0f9-170a-4346-bb14-9730e199bb49
Name: sp-app-access-policy-vpc

Policy appliedTo group:

ID: sp-app-access-policy-vpc_36fcf0f9-170a-4346-bb14-9730e199bb49_scope
Name: sp-app-access-policy-vpc_scope

For the rule with any ports:

    - direction: in
      action: drop

The build NSX Rule:

ID: sp-app-access-policy-vpc_36fcf0f9-170a-4346-bb14-9730e199bb49_d79c8ddf_all
Name: all_ingress_isolation

For rule:

    - direction: in
      action: allow
      sources:
        - vmSelector:
            matchLabels:
              app: coco
      ports:
        - protocol: TCP
          port: 8282
        - protocol: TCP
          port: 7000
          endPort: 7020

The build NSX rule:

ID: sp-app-access-policy-vpc_36fcf0f9-170a-4346-bb14-9730e199bb49_44b022be_8282_7000.7020
name: TCP.8282_TCP.7000.7020_ingress_allow

The rule appliedTo group:

ID: sp-app-access-policy-vpc_36fcf0f9-170a-4346-bb14-9730e199bb49_b7adc115_scope
Name:sp-app-access-policy-vpc_b7adc115_scope

Rule with user defined name:

  - direction: in
      name: rule-with-defined
      action: allow
      sources:
        - namespaceSelector:
            matchLabels:
              role: validate
          vmSelector:
            matchLabels:
              role: check
        - ipBlocks:
            - cidr: 100.64.232.1/32
      ports:
        - protocol: TCP
          port: 8081

ID: sp-app-access-policy-vpc_36fcf0f9-170a-4346-bb14-9730e199bb49_52658c89_8081
Name: rule-with-defined_ingress_allow

The source peer group for the this rule:

Path: /orgs/default/projects/dy-project1/infra/domains/default/groups/sp-app-access-policy-vpc_36fcf0f9-170a-4346-bb14-9730e199bb49_52658c89_src
ID: sp-app-access-policy-vpc_36fcf0f9-170a-4346-bb14-9730e199bb49_52658c89_src
Name: sp-app-access-policy-vpc_52658c89_src

The NSX Share for this source group:

ID: dy-project1_group_sp-app-access-policy-vpc_36fcf0f9-170a-4346-bb14-9730e199bb49_52658c89_src_share
Name: dy-project1_group_sp-app-access-policy-vpc_52658c89_src_share

Create NetworkPolicy in VPC mode, do CRUD.
The generated allow section SecurityPolicy:

ID: np-app-access_4a2afd8b-a5e8-4867-8515-fa4961b52f53_allow
Name: np-app-access

The generated isolation section SecurityPolicy:

ID: np-app-access_4a2afd8b-a5e8-4867-8515-fa4961b52f53_isolation
Name: np-app-access

Create SecurityPolicy in VPC mode, and do GC
Create NetworkPolicy in VPC mode, and do GC
Create SecurityPolicy with namedport in VPC mode
The rule with namedport:

      ports:
        - protocol: TCP
          port: db-port
        - protocol: UDP
          port: 5353
        - protocol: UDP
          port: 5354

The db-port will map to two ports number: 80 and 3366, so, the generated IPSet groups:

ID: sp-namedport-web_2cd759be-8d83-41e4-92d9-4eba6beab6cf_a347c628_3366_ipset
Name: TCP.db-port_UDP.5353_UDP.5354_TCP.3366_ingress_allow_ipset

ID: sp-namedport-web_2cd759be-8d83-41e4-92d9-4eba6beab6cf_a347c628_80_ipset
Name: TCP.db-port_UDP.5353_UDP.5354_TCP.80_ingress_allow_ipset

Create NetworkPolicy with namedport in VPC mode
For the same named port in the aforementioned, the generated IPSet groups:

ID: np-namedport-web_fd555fd3-04a6-4f6a-b035-79e587dd4767_allow_27cfee51_3366_ipset
Name: TCP.db-port_UDP.5353_UDP.5354_TCP.3366_ingress_allow_ipset

ID: np-namedport-web_fd555fd3-04a6-4f6a-b035-79e587dd4767_allow_27cfee51_80_ipset
Name: TCP.db-port_UDP.5353_UDP.5354_TCP.80_ingress_allow_ipset

Create SecurityPolicy in T1 mode, and do CRUD.
Create SecurityPolicy in T1 mode, and do GC.
T1 upgrade case:
Create a SecurityPolicy in v4.1.2 code, and start NSX operator with this patch to see if SecurityPolicy Name, group and rule name are changed as expected.
For the rule created in V4.1.2

    - direction: in
      action: allow
      sources:
        - namespaceSelector:
            matchLabels:
              role: test
      ports:
        - protocol: TCP
          port: 8082
          endPort: 8283

Before upgrade in V4.1.2

ID:sp_e52e71f7-600a-4c67-b241-ce87c6dd191e_c2f3ed42f3e59c15731f8426d65e13676663e147_1_0_0
Name:sp-app-access-policy-1-0-0

After upgrade, ID is not changed.

ID:sp_e52e71f7-600a-4c67-b241-ce87c6dd191e_c2f3ed42f3e59c15731f8426d65e13676663e147_1_0_0
Name:TCP.8082.8283_ingress_allow

codecov-commenter · 2024-09-29T08:09:43Z

Codecov Report

Attention: Patch coverage is 96.00000% with 3 lines in your changes missing coverage. Please review.

Please upload report for BASE (main@5c97290). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
pkg/nsx/services/securitypolicy/expand.go	50.00%	2 Missing ⚠️
pkg/util/utils.go	66.66%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #785   +/-   ##
=======================================
  Coverage        ?   48.61%           
=======================================
  Files           ?       94           
  Lines           ?    12047           
  Branches        ?        0           
=======================================
  Hits            ?     5857           
  Misses          ?     5705           
  Partials        ?      485

Flag	Coverage Δ
unit-tests	`48.61% <96.00%> (?)`

Files with missing lines	Coverage Δ
pkg/nsx/services/securitypolicy/builder.go	`82.75% <100.00%> (ø)`
pkg/util/utils.go	`50.65% <66.66%> (ø)`
pkg/nsx/services/securitypolicy/expand.go	`34.19% <50.00%> (ø)`

pkg/nsx/services/securitypolicy/builder.go

pkg/nsx/services/securitypolicy/firewall_test.go

pkg/nsx/services/securitypolicy/builder.go

wenyingd

Most of the code looks good to me. The only left comment is the current implementation related with named port is complicated. Because that logic is not introduced by this change, having offline sync with Yun, we would use another change to refine the functions.

pkg/nsx/services/securitypolicy/builder.go

timdengyun · 2024-10-09T09:09:12Z

Most of the code looks good to me. The only left comment is the current implementation related with named port is complicated. Because that logic is not introduced by this change, having offline sync with Yun, we would use another change to refine the functions.

The issue is open to track refactor work.
#795

pkg/nsx/services/securitypolicy/builder.go

This patch is to: 1. Remove SecurityPolicy rule index from rule ID and for VPC mode, and keep T1 mode rule ID unchanged with rule index. 2. Remove SecurityPolicy rule index from group ID for VPC mode, and keep T1 mode group ID unchanged with rule index. 3. Remove rule index from NSX group/rule name, and unify the NSX resource name for VPC and T1 network, including SecurityPolicy, rule, and group. 4. Reduce length of rule hash string to 8 chars for VPC mode.

zhengxiexie

LGTM

timdengyun requested review from zhengxiexie, wenyingd, heypnus and TaoZou1 September 29, 2024 04:45

timdengyun force-pushed the Remove_ruleindex_unify_name_for_vpc_t1 branch from 7975902 to 129fd18 Compare September 29, 2024 08:02

timdengyun removed the request for review from heypnus September 29, 2024 08:09

timdengyun force-pushed the Remove_ruleindex_unify_name_for_vpc_t1 branch from 129fd18 to d1eef01 Compare September 29, 2024 08:23

timdengyun commented Sep 29, 2024

View reviewed changes

pkg/nsx/services/securitypolicy/builder.go Show resolved Hide resolved

pkg/nsx/services/securitypolicy/builder.go Show resolved Hide resolved

timdengyun changed the title ~~Remove rule index from rule/group name and unify group name for VPC and T1~~ Remove rule index from rule/group name for VPC and unify group name for VPC and T1 Sep 29, 2024

timdengyun changed the title ~~Remove rule index from rule/group name for VPC and unify group name for VPC and T1~~ Remove rule index from rule/group name for VPC and unify name for VPC and T1 Oct 1, 2024

wenyingd reviewed Oct 8, 2024

View reviewed changes

timdengyun force-pushed the Remove_ruleindex_unify_name_for_vpc_t1 branch from d1eef01 to 91fd791 Compare October 8, 2024 11:08

timdengyun requested a review from wenyingd October 8, 2024 11:16

timdengyun force-pushed the Remove_ruleindex_unify_name_for_vpc_t1 branch from 91fd791 to cd8ac8e Compare October 8, 2024 16:48

timdengyun changed the title ~~Remove rule index from rule/group name for VPC and unify name for VPC and T1~~ Remove rule index from rule/group ID/name for VPC and unify NSX resource name for VPC and T1 Oct 8, 2024

wenyingd reviewed Oct 9, 2024

View reviewed changes

timdengyun force-pushed the Remove_ruleindex_unify_name_for_vpc_t1 branch from cd8ac8e to 5682e9a Compare October 9, 2024 04:37

timdengyun requested a review from wenyingd October 9, 2024 04:43

wenyingd previously approved these changes Oct 9, 2024

View reviewed changes

timdengyun dismissed wenyingd’s stale review via 8f0d2e0 October 9, 2024 08:50

timdengyun force-pushed the Remove_ruleindex_unify_name_for_vpc_t1 branch from 5682e9a to 8f0d2e0 Compare October 9, 2024 08:50

timdengyun requested a review from wenyingd October 9, 2024 08:52

timdengyun commented Oct 9, 2024

View reviewed changes

pkg/nsx/services/securitypolicy/builder.go Outdated Show resolved Hide resolved

timdengyun mentioned this pull request Oct 9, 2024

Refactor namedport logic #795

Open

timdengyun force-pushed the Remove_ruleindex_unify_name_for_vpc_t1 branch 2 times, most recently from 06dac12 to 9cadcf1 Compare October 9, 2024 09:18

timdengyun commented Oct 9, 2024

View reviewed changes

pkg/nsx/services/securitypolicy/builder.go Show resolved Hide resolved

timdengyun force-pushed the Remove_ruleindex_unify_name_for_vpc_t1 branch from 9cadcf1 to 06cfe91 Compare October 9, 2024 09:59

zhengxiexie approved these changes Oct 9, 2024

View reviewed changes

wenyingd approved these changes Oct 9, 2024

View reviewed changes

timdengyun merged commit 0445ed3 into vmware-tanzu:main Oct 9, 2024
2 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove rule index from rule/group ID/name for VPC and unify NSX resource name for VPC and T1 #785

Remove rule index from rule/group ID/name for VPC and unify NSX resource name for VPC and T1 #785

timdengyun commented Sep 29, 2024 •

edited

Loading

codecov-commenter commented Sep 29, 2024 •

edited

Loading

wenyingd left a comment

timdengyun commented Oct 9, 2024

zhengxiexie left a comment

Remove rule index from rule/group ID/name for VPC and unify NSX resource name for VPC and T1 #785

Remove rule index from rule/group ID/name for VPC and unify NSX resource name for VPC and T1 #785

Conversation

timdengyun commented Sep 29, 2024 • edited Loading

codecov-commenter commented Sep 29, 2024 • edited Loading

Codecov Report

wenyingd left a comment

Choose a reason for hiding this comment

timdengyun commented Oct 9, 2024

zhengxiexie left a comment

Choose a reason for hiding this comment

timdengyun commented Sep 29, 2024 •

edited

Loading

codecov-commenter commented Sep 29, 2024 •

edited

Loading