From 3669872af0fcde2af6185b42ee3674db4748ae52 Mon Sep 17 00:00:00 2001
From: fanriming
Date: Tue, 8 Oct 2024 18:24:04 +0800
Subject: [PATCH] gc for security group (#4559)
Signed-off-by: fanriming
---
 mocks/pkg/ovs/interface.go | 8 ++--
 pkg/controller/gc.go | 81 ++++++++++++++++++++++++++++++++++-
 pkg/ovs/interface.go | 4 +-
 pkg/ovs/ovn-nb-address_set.go | 30 ++++++++-----
 pkg/ovs/ovn-nb-port_group.go | 30 ++++++++-----
 5 files changed, 124 insertions(+), 29 deletions(-)
diff --git a/mocks/pkg/ovs/interface.go b/mocks/pkg/ovs/interface.go
index 900384efe83..92e6aa4067d 100644
--- a/mocks/pkg/ovs/interface.go
+++ b/mocks/pkg/ovs/interface.go
@@ -1475,7 +1475,7 @@ func (mr *MockPortGroupMockRecorder) CreatePortGroup(pgName, externalIDs interfa
 }
 
 // DeletePortGroup mocks base method.
-func (m *MockPortGroup) DeletePortGroup(pgName string) error {
+func (m *MockPortGroup) DeletePortGroup(pgName ...string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "DeletePortGroup", pgName)
 	ret0, _ := ret[0].(error)
@@ -1851,7 +1851,7 @@ func (mr *MockAddressSetMockRecorder) CreateAddressSet(asName, externalIDs inter
 }
 
 // DeleteAddressSet mocks base method.
-func (m *MockAddressSet) DeleteAddressSet(asName string) error {
+func (m *MockAddressSet) DeleteAddressSet(asName ...string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "DeleteAddressSet", asName)
 	ret0, _ := ret[0].(error)
@@ -2868,7 +2868,7 @@ func (mr *MockNbClientMockRecorder) DeleteAclsOps(parentName, parentType, direct
 }
 
 // DeleteAddressSet mocks base method.
-func (m *MockNbClient) DeleteAddressSet(asName string) error {
+func (m *MockNbClient) DeleteAddressSet(asName ...string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "DeleteAddressSet", asName)
 	ret0, _ := ret[0].(error)
@@ -3180,7 +3180,7 @@ func (mr *MockNbClientMockRecorder) DeleteNats(lrName, natType, logicalIP interf
 }
 
 // DeletePortGroup mocks base method.
-func (m *MockNbClient) DeletePortGroup(pgName string) error {
+func (m *MockNbClient) DeletePortGroup(pgName ...string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "DeletePortGroup", pgName)
 	ret0, _ := ret[0].(error)
diff --git a/pkg/controller/gc.go b/pkg/controller/gc.go
index a0460ffde58..206318fbc17 100644
--- a/pkg/controller/gc.go
+++ b/pkg/controller/gc.go
@@ -31,7 +31,9 @@ func (c *Controller) gc() error {
 		c.gcCustomLogicalRouter,
 		c.gcLogicalSwitchPort,
 		c.gcLoadBalancer,
-		c.gcPortGroup,
+		c.gcNetworkPolicy,
+		c.gcSecurityGroup,
+		c.gcAddressSet,
 		c.gcRoutePolicy,
 		c.gcStaticRoute,
 		c.gcVpcNatGateway,
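Review bot: The new order of the gc steps carries a dependency the list does not state: gcAddressSet (added right after gcSecurityGroup) keeps an address set only while the security-group port group it points at still exists, so it has to run after gcSecurityGroup has removed stale port groups, otherwise a stale address set survives until the next gc pass. A one-line comment above the two entries would pin this for the next person who reorders the list: `// gcAddressSet relies on gcSecurityGroup having removed stale sg port groups first`. The gc() function that owns this list starts and ends outside the hunk.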
@@ -625,7 +627,82 @@ func (c *Controller) gcLoadBalancer() error {
 	return nil
 }
 
-func (c *Controller) gcPortGroup() error {
+func (c *Controller) gcAddressSet() error {
+	klog.Infof("start to gc address set")
+	// get all address
+	addressSets, err := c.OVNNbClient.ListAddressSets(nil)
+	if err != nil {
+		klog.Errorf("failed to list address set,%v", err)
+		return err
+	}
+
+	asList := make([]string, 0)
+	for _, as := range addressSets {
+		sg := as.ExternalIDs[sgKey]
+		if sg == "" {
+			continue
+		}
+		// if address set not found associated port group, delete it
+		if pg, err := c.OVNNbClient.GetPortGroup(ovs.GetSgPortGroupName(sg), true); err == nil && pg == nil {
+			klog.Infof("ready to gc address set %s", as.Name)
+			asList = append(asList, as.Name)
+		}
+	}
+	if len(asList) == 0 {
+		return nil
+	}
+
+	if err = c.OVNNbClient.DeleteAddressSet(asList...); err != nil {
+		klog.Errorf("failed to delete address set %v,%v", asList, err)
+		return err
+	}
+
+	return nil
+}
+
+func (c *Controller) gcSecurityGroup() error {
+	klog.Infof("start to gc security group residual port groups")
+	// get security group
+	sgs, err := c.config.KubeOvnClient.KubeovnV1().SecurityGroups().List(context.Background(), metav1.ListOptions{})
+	if err != nil {
+		klog.Errorf("failed to list security group,%v", err)
+		return err
+	}
+	sgSet := strset.NewWithSize(len(sgs.Items))
+	for _, sg := range sgs.Items {
+		sgSet.Add(sg.Name)
+	}
+
+	pgs, err := c.OVNNbClient.ListPortGroups(nil)
+	if err != nil {
+		klog.Errorf("failed to list port group,%v", err)
+		return err
+	}
+
+	needToDelPgs := make([]string, 0)
+	denyAllPg := ovs.GetSgPortGroupName(util.DenyAllSecurityGroup)
+	defaultPg := ovs.GetSgPortGroupName(util.DefaultSecurityGroupName)
+	for _, pg := range pgs {
+		if pg.Name == denyAllPg || pg.Name == defaultPg || pg.ExternalIDs[networkPolicyKey] != "" {
+			continue
+		}
+		// if port group not exist in security group, delete it
+		if !sgSet.Has(pg.ExternalIDs["sg"]) {
+			klog.Infof("ready to gc port group 
%s", pg.Name) + needToDelPgs = append(needToDelPgs, pg.Name) + } + } + if len(needToDelPgs) == 0 { + return nil + } + if err = c.OVNNbClient.DeletePortGroup(needToDelPgs...); err != nil { + klog.Errorf("failed to gc port group list,%v", err) + return err + } + return nil +} + +func (c *Controller) gcNetworkPolicy() error { klog.Infof("start to gc network policy") npNames := strset.New() diff --git a/pkg/ovs/interface.go b/pkg/ovs/interface.go index 7827cf29cb3..b617c11cf4e 100644 --- a/pkg/ovs/interface.go +++ b/pkg/ovs/interface.go @@ -128,7 +128,7 @@ type PortGroup interface { PortGroupAddPorts(pgName string, lspNames ...string) error PortGroupRemovePorts(pgName string, lspNames ...string) error PortGroupSetPorts(pgName string, ports []string) error - DeletePortGroup(pgName string) error + DeletePortGroup(pgName ...string) error ListPortGroups(externalIDs map[string]string) ([]ovnnb.PortGroup, error) GetPortGroup(pgName string, ignoreNotFound bool) (*ovnnb.PortGroup, error) PortGroupExists(pgName string) (bool, error) @@ -153,7 +153,7 @@ type ACL interface { type AddressSet interface { CreateAddressSet(asName string, externalIDs map[string]string) error AddressSetUpdateAddress(asName string, addresses ...string) error - DeleteAddressSet(asName string) error + DeleteAddressSet(asName ...string) error DeleteAddressSets(externalIDs map[string]string) error ListAddressSets(externalIDs map[string]string) ([]ovnnb.AddressSet, error) } diff --git a/pkg/ovs/ovn-nb-address_set.go b/pkg/ovs/ovn-nb-address_set.go index 1476f8c56bd..235a0056cc7 100644 --- a/pkg/ovs/ovn-nb-address_set.go +++ b/pkg/ovs/ovn-nb-address_set.go @@ -8,6 +8,7 @@ import ( "strings" "github.com/ovn-org/libovsdb/client" + "github.com/ovn-org/libovsdb/model" "github.com/scylladb/go-set/strset" "k8s.io/klog/v2" 
@@ -106,21 +107,30 @@ func (c *OVNNbClient) UpdateAddressSet(as *ovnnb.AddressSet, fields ...interface
 	return nil
 }
 
-func (c *OVNNbClient) DeleteAddressSet(asName string) error {
-	as, err := c.GetAddressSet(asName, true)
-	if err != nil {
-		klog.Error(err)
-		return fmt.Errorf("get address set %s: %w", asName, err)
+func (c *OVNNbClient) DeleteAddressSet(asName ...string) error {
+	delList := make([]*ovnnb.AddressSet, 0, len(asName))
+	for _, name := range asName {
+		// get address set
+		as, err := c.GetAddressSet(name, true)
+		if err != nil {
+			return fmt.Errorf("get address set %s when delete: %w", name, err)
+		}
+		// not found, skip
+		if as == nil {
+			continue
+		}
+		delList = append(delList, as)
 	}
-
-	// not found, skip
-	if as == nil {
+	if len(delList) == 0 {
 		return nil
 	}
 
-	op, err := c.Where(as).Delete()
+	var modelList []model.Model = make([]model.Model, len(delList))
+	for i, as := range delList {
+		modelList[i] = as
+	}
+	op, err := c.Where(modelList...).Delete()
 	if err != nil {
-		klog.Error(err)
 		return err
 	}
 
diff --git a/pkg/ovs/ovn-nb-port_group.go b/pkg/ovs/ovn-nb-port_group.go
index 87e661ba2bb..d6bbdb29b6a 100644
--- a/pkg/ovs/ovn-nb-port_group.go
+++ b/pkg/ovs/ovn-nb-port_group.go
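Review bot: `var modelList []model.Model = make([]model.Model, len(delList))` spells out a type the initializer already fixes; `modelList := make([]model.Model, len(delList))` is the form gofmt users and staticcheck expect, and the same declaration appears in the DeletePortGroup hunk of pkg/ovs/ovn-nb-port_group.go. The second pass over delList exists only to widen the element type; appending `as` straight into a `[]model.Model` in the lookup loop drops delList and the conversion loop together, since `c.Where(as)` already accepted the pointer as a model. The exported method has no doc comment, and the variadic signature gives it a new edge: a call with no names returns nil without touching the database, which is worth stating: `// DeleteAddressSet deletes the named address sets in one transaction; unknown names are skipped and calling it with no names is a no-op.` The transaction and the error it wraps sit outside the hunk.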
@@ -152,24 +152,32 @@ func (c *OVNNbClient) PortGroupUpdatePorts(pgName string, op ovsdb.Mutator, lspN
 	return nil
 }
 
-func (c *OVNNbClient) DeletePortGroup(pgName string) error {
-	pg, err := c.GetPortGroup(pgName, true)
-	if err != nil {
-		klog.Error(err)
-		return fmt.Errorf("get port group %s when delete: %w", pgName, err)
+func (c *OVNNbClient) DeletePortGroup(pgName ...string) error {
+	delList := make([]*ovnnb.PortGroup, 0, len(pgName))
+	for _, name := range pgName {
+		// get port group
+		pg, err := c.GetPortGroup(name, true)
+		if err != nil {
+			return fmt.Errorf("get port group %s when delete: %w", name, err)
+		}
+		// not found, skip
+		if pg == nil {
+			continue
+		}
+		delList = append(delList, pg)
 	}
-
-	// not found, skip
-	if pg == nil {
+	if len(delList) == 0 {
 		return nil
 	}
 
-	op, err := c.Where(pg).Delete()
+	var modelList []model.Model = make([]model.Model, len(delList))
+	for i, pg := range delList {
+		modelList[i] = pg
+	}
+	op, err := c.Where(modelList...).Delete()
 	if err != nil {
-		klog.Error(err)
 		return err
 	}
-
 	if err := c.Transact("pg-del", op); err != nil {
 		klog.Error(err)
 		return fmt.Errorf("delete port group %s: %w", pgName, err)
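Review bot: The error on the hunk's last line still formats `pgName` with `%s`, but pgName is now a `[]string`, so the message reads `delete port group [a b c]: …` and lists the names that were requested, including the ones the loop above skipped as not found, rather than the ones the failed transaction actually contained. Building the report from delList keeps the message honest and avoids the slice-through-`%s` formatting: `names := make([]string, 0, len(delList))` / `for _, pg := range delList { names = append(names, pg.Name) }` / `return fmt.Errorf("delete port group %v: %w", names, err)`. A doc comment on the exported method should say that all named groups are removed in a single transaction, so either every listed group is gone or none is; that atomicity is what makes the batch call from gcSecurityGroup safe to retry on the next gc pass.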