AV-220793: Fix: Restricting FQDN functionality is not working as per …

…expectation in openshift route update scenario (#1560) * AV-220793: Fix: Restricting FQDN functionality is not working as per expectation in openshift route update scenario * Changing docker registry address
vmware · Oct 24, 2024 · 682b985 · 682b985
1 parent 48dd038
commit 682b985
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 4 deletions.
diff --git a/Makefile b/Makefile
@@ -334,7 +334,7 @@ helmtests:
 	-u root:root \
 	-v $(PWD)/helm/ako:/apps \
 	-v $(PWD)/tests/helmtests:/apps/tests \
-	avi-buildops-docker-registry-02.eng.vmware.com:5000/avi-buildops/helmunittest/helm-unittest:3.11.1-0.3.0 .
+	avi-buildops-docker-registry-02.avilb.broadcom.net:5000/avi-buildops/helmunittest/helm-unittest:3.11.1-0.3.0 .
 
 .PHONY: gatewayapitests
 gatewayapitests:

diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go
@@ -606,15 +606,22 @@ func AddRouteEventHandler(numWorkers uint32, c *AviController) cache.ResourceEve
 				}
 				if oldRoute.Spec.Host == newRoute.Spec.Host {
 					// same hosts
-					isAccepted := isRouteAcceptedWithFQDNRestriction(key, newRoute)
+					isAccepted := true
+					if lib.AKOControlConfig().GetAKOFQDNReusePolicy() == lib.FQDNReusePolicyStrict {
+						isAccepted = isRouteAcceptedWithFQDNRestriction(key, newRoute)
+					}
 					if isAccepted {
 						c.workqueue[bkt].AddRateLimited(key)
 						lib.IncrementQueueCounter(utils.ObjectIngestionLayer)
 						utils.AviLog.Debugf("key: %s, msg: UPDATE", key)
 					}
 				} else {
-					isOldAccepted := isRouteAcceptedWithFQDNRestriction(key, oldRoute)
-					isNewAccepted := isRouteAcceptedWithFQDNRestriction(key, newRoute)
+					isOldAccepted := true
+					isNewAccepted := true
+					if lib.AKOControlConfig().GetAKOFQDNReusePolicy() == lib.FQDNReusePolicyStrict {
+						isOldAccepted = isRouteAcceptedWithFQDNRestriction(key, oldRoute)
+						isNewAccepted = isRouteAcceptedWithFQDNRestriction(key, newRoute)
+					}
 					if !isOldAccepted && !isNewAccepted {
 						// set status
 						// update the status - already host claimed

diff --git a/tests/oshiftroutetests/oshift_secure_route_test.go b/tests/oshiftroutetests/oshift_secure_route_test.go
@@ -20,6 +20,7 @@ import (
 	"time"
 
 	"github.com/vmware/load-balancer-and-ingress-services-for-kubernetes/internal/cache"
+	"github.com/vmware/load-balancer-and-ingress-services-for-kubernetes/internal/lib"
 	avinodes "github.com/vmware/load-balancer-and-ingress-services-for-kubernetes/internal/nodes"
 	"github.com/vmware/load-balancer-and-ingress-services-for-kubernetes/pkg/utils"
 	"github.com/vmware/load-balancer-and-ingress-services-for-kubernetes/tests/integrationtest"
@@ -1164,3 +1165,65 @@ func TestUpdateSecureRouteNoKeyCertToKeyCert(t *testing.T) {
 	VerifySecureRouteDeletion(t, g, defaultModelName, 0, 0)
 	TearDownTestForRoute(t, defaultModelName)
 }
+
+func TestSecureRouteMultiNamespaceWithStrictRestrictFqdn(t *testing.T) {
+	g := gomega.NewGomegaWithT(t)
+	lib.AKOControlConfig().SetAKOFQDNReusePolicy("strict")
+	integrationtest.DeleteNamespace("test")
+	SetUpTestForRoute(t, defaultModelName)
+	route1 := FakeRoute{Path: "/foo"}.SecureRoute()
+	_, err := OshiftClient.RouteV1().Routes(defaultNamespace).Create(context.TODO(), route1, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("error in adding route: %v", err)
+	}
+	defer integrationtest.DeleteNamespace("test")
+
+	integrationtest.CreateSVC(t, "test", "avisvc", corev1.ProtocolTCP, corev1.ServiceTypeClusterIP, false)
+	integrationtest.CreateEPorEPS(t, "test", "avisvc", false, false, "1.1.1")
+	route2 := FakeRoute{Namespace: "test", Path: "/bar"}.SecureRoute()
+	_, err = OshiftClient.RouteV1().Routes("test").Create(context.TODO(), route2, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("error in adding route: %v", err)
+	}
+
+	aviModel := ValidateSniModel(t, g, defaultModelName)
+
+	g.Expect(aviModel.(*avinodes.AviObjectGraph).GetAviVS()[0].SniNodes).To(gomega.HaveLen(1))
+	sniVS := aviModel.(*avinodes.AviObjectGraph).GetAviVS()[0].SniNodes[0]
+	g.Eventually(func() string {
+		sniVS = aviModel.(*avinodes.AviObjectGraph).GetAviVS()[0].SniNodes[0]
+		return sniVS.VHDomainNames[0]
+	}, 40*time.Second).Should(gomega.Equal(defaultHostname))
+
+	g.Expect(sniVS.CACertRefs).To(gomega.HaveLen(1))
+	g.Expect(sniVS.SSLKeyCertRefs).To(gomega.HaveLen(1))
+
+	g.Eventually(func() int {
+		sniVS = aviModel.(*avinodes.AviObjectGraph).GetAviVS()[0].SniNodes[0]
+		return len(sniVS.PoolRefs)
+	}, 40*time.Second).Should(gomega.Equal(1))
+	g.Expect(sniVS.HttpPolicyRefs).To(gomega.HaveLen(1))
+	g.Expect(sniVS.HttpPolicyRefs[0].HppMap).To(gomega.HaveLen(1))
+	g.Expect(sniVS.PoolGroupRefs).To(gomega.HaveLen(1))
+
+	for _, pool := range sniVS.PoolRefs {
+		if pool.Name != "cluster--default-foo.com_foo-foo-avisvc" {
+			t.Fatalf("Unexpected poolName found: %s", pool.Name)
+		}
+	}
+	for _, httpps := range sniVS.HttpPolicyRefs {
+		if httpps.Name != "cluster--default-foo.com" {
+			t.Fatalf("Unexpected http policyset found: %s", httpps.Name)
+		}
+	}
+
+	err = OshiftClient.RouteV1().Routes("test").Delete(context.TODO(), defaultRouteName, metav1.DeleteOptions{})
+	if err != nil {
+		t.Fatalf("Couldn't DELETE the route %v", err)
+	}
+	lib.AKOControlConfig().SetAKOFQDNReusePolicy("internamespaceallowed")
+	VerifySecureRouteDeletion(t, g, defaultModelName, 0, 0)
+	TearDownTestForRoute(t, defaultModelName)
+	integrationtest.DelSVC(t, "test", "avisvc")
+	integrationtest.DelEPorEPS(t, "test", "avisvc")
+}