Fix policy synchronization in HA mode (#45)

kairen · kairen · commit 51bc5ef73890 · 2019-08-08T15:45:23.000+08:00
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 VERSION_MAJOR ?= 0
 VERSION_MINOR ?= 7
-VERSION_BUILD ?= 0
+VERSION_BUILD ?= 1
 VERSION ?= v$(VERSION_MAJOR).$(VERSION_MINOR).$(VERSION_BUILD)
 
 GOOS ?= $(shell go env GOOS)
diff --git a/deploy/deployment.yml b/deploy/deployment.yml
@@ -24,7 +24,7 @@ spec:
       serviceAccountName: pa-controller
       containers:
       - name: pa-controller
-        image: inwinstack/pa-controller:v0.7.0
+        image: inwinstack/pa-controller:v0.7.1
         args:
         - --logtostderr=true
         - --v=2
diff --git a/pkg/ha/ha.go b/pkg/ha/ha.go
@@ -65,8 +65,8 @@ func (i *Inspector) getStatus() error {
 	}
 
 	if status.Enable == "yes" {
-		switch status.Group.Local.State {
-		case "active":
+		switch {
+		case status.Group.Local.State == "active" && status.Group.Local.StateSync == "Complete":
 			i.callbacks.OnActive()
 		default:
 			i.callbacks.OnPassive()
diff --git a/pkg/operator/pan/nat/controller.go b/pkg/operator/pan/nat/controller.go
@@ -186,6 +186,13 @@ func (c *Controller) reconcile(key string) error {
 		if err := c.createOrUpdate(nat); err != nil {
 			return c.makeFailed(nat, err)
 		}
+		return nil
+	}
+
+	if nat.Status.Phase == blendedv1.NATActive && !c.isExistingNatPolicy(nat) {
+		if err := c.createOrUpdate(nat); err != nil {
+			return c.makeFailed(nat, err)
+		}
 	}
 	return nil
 }
diff --git a/pkg/operator/pan/nat/controller_test.go b/pkg/operator/pan/nat/controller_test.go
@@ -18,7 +18,6 @@ package nat
 
 import (
 	"context"
-	"reflect"
 	"testing"
 	"time"
 
@@ -107,28 +106,6 @@ func TestNATController(t *testing.T) {
 		}
 	}
 	assert.Equal(t, false, failed, "The nat policy hasn't created.")
-
-	gnat, err := blendedset.InwinstackV1().NATs(namespace).Get(nat.Name, metav1.GetOptions{})
-	assert.Nil(t, err)
-
-	mc.Reset()
-	mc.AddResp("")
-	gnat.Spec.DestinationAddresses = []string{"140.23.110.10", "140.23.110.11"}
-	unat, err := blendedset.InwinstackV1().NATs(namespace).Update(gnat)
-	assert.Nil(t, err)
-
-	failed = true
-	for start := time.Now(); time.Since(start) < timeout; {
-		mc.AddResp(mc.Elm)
-		enrty, err := fwNat.Get(cfg.Vsys, unat.Name)
-		assert.Nil(t, err)
-		if reflect.DeepEqual(unat.Spec.DestinationAddresses, enrty.DestinationAddresses) {
-			failed = false
-			break
-		}
-	}
-	assert.Equal(t, false, failed, "The nat policy hasn't synced.")
-
 	assert.Nil(t, blendedset.InwinstackV1().NATs(namespace).Delete(nat.Name, nil))
 	natList, err := blendedset.InwinstackV1().NATs(namespace).List(metav1.ListOptions{})
 	assert.Nil(t, err)
diff --git a/pkg/operator/pan/nat/nat.go b/pkg/operator/pan/nat/nat.go
@@ -57,6 +57,15 @@ func (c *Controller) newNatPolicy(n *blendedv1.NAT) *nat.Entry {
 	return entry
 }
 
+func (c *Controller) isExistingNatPolicy(nat *blendedv1.NAT) bool {
+	if entry, err := c.fwNat.Get(c.cfg.Vsys, nat.Name); err == nil {
+		if len(entry.Name) != 0 {
+			return true
+		}
+	}
+	return false
+}
+
 func (c *Controller) updateNatPolicy(nat *blendedv1.NAT) error {
 	entry := c.newNatPolicy(nat)
 	if err := c.fwNat.Edit(c.cfg.Vsys, *entry); err != nil {
@@ -67,8 +76,7 @@ func (c *Controller) updateNatPolicy(nat *blendedv1.NAT) error {
 }
 
 func (c *Controller) deleteNatPolicy(nat *blendedv1.NAT) error {
-	enrty, err := c.fwNat.Get(c.cfg.Vsys, nat.Name)
-	if len(enrty.Name) == 0 && err != nil {
+	if !c.isExistingNatPolicy(nat) {
 		return nil
 	}
 
diff --git a/pkg/operator/pan/security/controller.go b/pkg/operator/pan/security/controller.go
@@ -185,6 +185,13 @@ func (c *Controller) reconcile(key string) error {
 		if err := c.createOrUpdate(security); err != nil {
 			return c.makeFailed(security, err)
 		}
+		return nil
+	}
+
+	if security.Status.Phase == blendedv1.SecurityActive && !c.isExistingSecurityPolicy(security) {
+		if err := c.createOrUpdate(security); err != nil {
+			return c.makeFailed(security, err)
+		}
 	}
 	return nil
 }
diff --git a/pkg/operator/pan/security/controller_test.go b/pkg/operator/pan/security/controller_test.go
@@ -18,7 +18,6 @@ package security
 
 import (
 	"context"
-	"reflect"
 	"testing"
 	"time"
 
@@ -109,28 +108,6 @@ func TestSecurityController(t *testing.T) {
 		}
 	}
 	assert.Equal(t, false, failed, "The security policy hasn't created.")
-
-	gsec2, err := blendedset.InwinstackV1().Securities(namespace).Get(sec.Name, metav1.GetOptions{})
-	assert.Nil(t, err)
-
-	mc.Reset()
-	mc.AddResp("")
-	gsec2.Spec.DestinationAddresses = []string{"140.23.110.12"}
-	usec, err := blendedset.InwinstackV1().Securities(namespace).Update(gsec2)
-	assert.Nil(t, err)
-
-	failed = true
-	for start := time.Now(); time.Since(start) < timeout; {
-		mc.AddResp(mc.Elm)
-		enrty, err := fwSec.Get(cfg.Vsys, usec.Name)
-		assert.Nil(t, err)
-		if reflect.DeepEqual(usec.Spec.DestinationAddresses, enrty.DestinationAddresses) {
-			failed = false
-			break
-		}
-	}
-	assert.Equal(t, false, failed, "The security policy hasn't synced.")
-
 	assert.Nil(t, blendedset.InwinstackV1().Securities(namespace).Delete(sec.Name, nil))
 	secList, err := blendedset.InwinstackV1().Securities(namespace).List(metav1.ListOptions{})
 	assert.Nil(t, err)
diff --git a/pkg/operator/pan/security/security.go b/pkg/operator/pan/security/security.go
@@ -61,6 +61,15 @@ func (c *Controller) newSecurityPolicy(sec *blendedv1.Security) *security.Entry
 	return entry
 }
 
+func (c *Controller) isExistingSecurityPolicy(sec *blendedv1.Security) bool {
+	if entry, err := c.fwSec.Get(c.cfg.Vsys, sec.Name); err == nil {
+		if len(entry.Name) != 0 {
+			return true
+		}
+	}
+	return false
+}
+
 func (c *Controller) updateSecurityPolicy(sec *blendedv1.Security) error {
 	entry := c.newSecurityPolicy(sec)
 	if err := c.fwSec.Edit(c.cfg.Vsys, *entry); err != nil {
@@ -75,8 +84,7 @@ func (c *Controller) updateSecurityPolicy(sec *blendedv1.Security) error {
 }
 
 func (c *Controller) deleteSecurityPolicy(sec *blendedv1.Security) error {
-	enrty, err := c.fwSec.Get(c.cfg.Vsys, sec.Name)
-	if len(enrty.Name) == 0 && err != nil {
+	if !c.isExistingSecurityPolicy(sec) {
 		return nil
 	}
 
diff --git a/pkg/operator/pan/service/controller.go b/pkg/operator/pan/service/controller.go
@@ -186,6 +186,13 @@ func (c *Controller) reconcile(key string) error {
 		if err := c.createOrUpdate(service); err != nil {
 			return c.makeFailed(service, err)
 		}
+		return nil
+	}
+
+	if service.Status.Phase == blendedv1.ServiceActive && !c.isExistingServiceObject(service) {
+		if err := c.createOrUpdate(service); err != nil {
+			return c.makeFailed(service, err)
+		}
 	}
 	return nil
 }
diff --git a/pkg/operator/pan/service/controller_test.go b/pkg/operator/pan/service/controller_test.go
@@ -22,10 +22,10 @@ import (
 	"time"
 
 	blendedv1 "github.com/inwinstack/blended/apis/inwinstack/v1"
+	"github.com/inwinstack/blended/constants"
 	blendedfake "github.com/inwinstack/blended/generated/clientset/versioned/fake"
 	blendedinformers "github.com/inwinstack/blended/generated/informers/externalversions"
 	"github.com/inwinstack/pa-controller/pkg/config"
-	"github.com/inwinstack/blended/constants"
 	"github.com/inwinstack/pango/objs/srvc"
 	"github.com/inwinstack/pango/testdata"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -99,28 +99,6 @@ func TestServiceController(t *testing.T) {
 		}
 	}
 	assert.Equal(t, false, failed, "The service object hasn't created.")
-
-	gsvc2, err := blendedset.InwinstackV1().Services().Get(svc.Name, metav1.GetOptions{})
-	assert.Nil(t, err)
-
-	mc.Reset()
-	mc.AddResp("")
-	gsvc2.Spec.DestinationPort = "9999"
-	usvc, err := blendedset.InwinstackV1().Services().Update(gsvc2)
-	assert.Nil(t, err)
-
-	failed = true
-	for start := time.Now(); time.Since(start) < timeout; {
-		mc.AddResp(mc.Elm)
-		enrty, err := fwSrvc.Get(cfg.Vsys, usvc.Name)
-		assert.Nil(t, err)
-		if usvc.Spec.DestinationPort == enrty.DestinationPort {
-			failed = false
-			break
-		}
-	}
-	assert.Equal(t, false, failed, "The service object hasn't synced.")
-
 	assert.Nil(t, blendedset.InwinstackV1().Services().Delete(svc.Name, nil))
 	svcList, err := blendedset.InwinstackV1().Services().List(metav1.ListOptions{})
 	assert.Nil(t, err)
diff --git a/pkg/operator/pan/service/service_object.go b/pkg/operator/pan/service/service_object.go
@@ -32,6 +32,15 @@ func (c *Controller) newServiceObject(svc *blendedv1.Service) *srvc.Entry {
 	}
 }
 
+func (c *Controller) isExistingServiceObject(svc *blendedv1.Service) bool {
+	if entry, err := c.srvc.Get(c.cfg.Vsys, svc.Name); err == nil {
+		if len(entry.Name) != 0 {
+			return true
+		}
+	}
+	return false
+}
+
 func (c *Controller) updateServiceObject(svc *blendedv1.Service) error {
 	entry := c.newServiceObject(svc)
 	if err := c.srvc.Edit(c.cfg.Vsys, *entry); err != nil {
@@ -42,8 +51,7 @@ func (c *Controller) updateServiceObject(svc *blendedv1.Service) error {
 }
 
 func (c *Controller) deleteServiceObject(svc *blendedv1.Service) error {
-	enrty, err := c.srvc.Get(c.cfg.Vsys, svc.Name)
-	if len(enrty.Name) == 0 && err != nil {
+	if !c.isExistingServiceObject(svc) {
 		return nil
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -186,6 +186,13 @@ func (c *Controller) reconcile(key string) error {`
`186`	`186`	`if err := c.createOrUpdate(nat); err != nil {`
`187`	`187`	`return c.makeFailed(nat, err)`
`188`	`188`	`}`
	`189`	`+ return nil`
	`190`	`+ }`
	`191`	`+`
	`192`	`+ if nat.Status.Phase == blendedv1.NATActive && !c.isExistingNatPolicy(nat) {`
	`193`	`+ if err := c.createOrUpdate(nat); err != nil {`
	`194`	`+ return c.makeFailed(nat, err)`
	`195`	`+ }`
`189`	`196`	`}`
`190`	`197`	`return nil`
`191`	`198`	`}`
Original file line number	Diff line number	Diff line change
`@@ -185,6 +185,13 @@ func (c *Controller) reconcile(key string) error {`
`185`	`185`	`if err := c.createOrUpdate(security); err != nil {`
`186`	`186`	`return c.makeFailed(security, err)`
`187`	`187`	`}`
	`188`	`+ return nil`
	`189`	`+ }`
	`190`	`+`
	`191`	`+ if security.Status.Phase == blendedv1.SecurityActive && !c.isExistingSecurityPolicy(security) {`
	`192`	`+ if err := c.createOrUpdate(security); err != nil {`
	`193`	`+ return c.makeFailed(security, err)`
	`194`	`+ }`
`188`	`195`	`}`
`189`	`196`	`return nil`
`190`	`197`	`}`