-
Notifications
You must be signed in to change notification settings - Fork 136
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-8504,OCPBUGS-8505,OCPBUGS-8471: [release-4.13] Fix EFW's name truncation logic & make EFW ACLs unique using extIDs #1558
Conversation
when the acl name is cropped. That happens when namespace name is longer than 43 symbols. Signed-off-by: Nadia Pinaeva <[email protected]> (cherry picked from commit dafe82b)
@npinaeva: This pull request references Jira Issue OCPBUGS-8471, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@npinaeva: No Bugzilla bug is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/jira refresh |
@npinaeva: This pull request references Jira Issue OCPBUGS-8471, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This commit adds a test to showcase that since syncEgressFirewall isn't calling libovsdbops.BuildACL directly, we are not truncating ACL names. Note that we really need ovn-org/libovsdb#338 for our test server to start screaming for long names. Signed-off-by: Surya Seetharaman <[email protected]> (cherry picked from commit d996d0e)
This commit ensures we truncate names as a precaution also in CreateOrUpdateACLsOps so that our bases are covered since not all code snippets call BuildACL directly Signed-off-by: Surya Seetharaman <[email protected]> (cherry picked from commit 7bfe50e)
In SetupMaster, we always call CreateOrUpdatePortGroupsOps with empty ACLs and PGs for the cluster-wide port group and cluster-wide-router-PG. This is disruptive during upgrades since momentarily all efw ACLs and multicast ACLs will be wiped out. This commit changes this to first check if the PG already exists, if then no need to do anything. Each of those features are responsible for ensuring ACLs, Ports are good on those PGs they own. NOTE: This bug was an issue for multicast and started being an issue for egf from ovn-org/ovn-kubernetes@bd29f41 Before that we didn't have ACLs on cluster wide PG. Signed-off-by: Surya Seetharaman <[email protected]> (cherry picked from commit 935bc55)
@npinaeva: This pull request references Jira Issue OCPBUGS-8471, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@npinaeva: No Bugzilla bug is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retitle OCPBUGS-8504,OCPBUGS-8505,OCPBUGS-8471: [release-4.13] Add egress firewall external id to make name+externalIDs unique |
@npinaeva: No Bugzilla bug is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@npinaeva: This pull request references Jira Issue OCPBUGS-8504, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-8505, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-8471, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retitle OCPBUGS-8504,OCPBUGS-8505,OCPBUGS-8471: [release-4.13] Fix EFW's name truncation logic & make EFW ACLs unique using extIDs |
@npinaeva: No Bugzilla bug is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM; waiting on CI
/approve |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: npinaeva, trozet, tssurya The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest-required infra problems all around |
/label backport-risk-assessed |
@npinaeva: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/label cherry-pick-approved |
/jira refresh |
@npinaeva: This pull request references Jira Issue OCPBUGS-8504, which is valid. The bug has been moved to the POST state. 6 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-8505, which is valid. The bug has been moved to the POST state. 6 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-8471, which is valid. The bug has been moved to the POST state. 6 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/tide refresh |
@npinaeva: Jira Issue OCPBUGS-8504: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-8504 has been moved to the MODIFIED state. Jira Issue OCPBUGS-8505: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-8505 has been moved to the MODIFIED state. Jira Issue OCPBUGS-8471: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-8471 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
even when the acl name is cropped. That happens when namespace name is longer than 43 symbols.
downstream merge #1556
upstream ovn-org/ovn-kubernetes#3464, ovn-org/ovn-kubernetes#3466
no conflicts