Add test to showcase syncEgressFirewall isn't truncating ACL names
This commit adds a test to showcase that
since syncEgressFirewall isn't calling libovsdbops.BuildACL
directly, we are not truncating ACL names.

Note that we really need ovn-org/libovsdb#338
for our test server to start screaming for long names.

Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
(cherry picked from commit d996d0e)
(cherry picked from commit e6a85ac)
tssurya authored and npinaeva committed Mar 7, 2023
1 parent a5f65cb commit a74aaf6
Showing 1 changed file with 14 additions and 0 deletions.
14 changes: 14 additions & 0 deletions go-controller/pkg/ovn/egressfirewall_test.go
Expand Up @@ -1086,6 +1086,20 @@ var _ = ginkgo.Describe("OVN EgressFirewall Operations", func() {

gomega.Eventually(fakeOVN.nbClient).Should(libovsdbtest.HaveData(expectedDatabaseState))

// NOTE1: syncEgressFirewall is not calling libovsdbops.BuildACL and directly calls CreateOrUpdateACLs
// it doesn't truncate long names for acls if they are over 63 and we run into errors:
// E0228 09:54:13.167495 1 factory.go:567] Failed (will retry) in processExisting [0xc00176a000]:
// unable to update ACL information (direction and logging) during resync operation, err: error in transact
// with ops constraint violation: "egressFirewall_allow-traffic-apache-server-on-lbdns-node-run1-1_9999"
// length 68 is greater than maximum allowed length 63]: 1 ovsdb operations failed
// NOTE2: This is not caught by testing because our test server
// is not smart enough. See https://github.com/ovn-org/libovsdb/issues/338
err = fakeOVN.controller.syncEgressFirewall([]interface{}{*egressFirewall})
gomega.Expect(err).NotTo(gomega.HaveOccurred())
*ipv4ACL1.Name = buildEgressFwAclName(namespace1.Name, t.EgressFirewallStartPriority) // we end up resetting the name to long value
*ipv4ACL2.Name = buildEgressFwAclName(namespace1.Name, t.EgressFirewallStartPriority-1) // we end up resetting the name to long value
gomega.Eventually(fakeOVN.nbClient).Should(libovsdbtest.HaveData(expectedDatabaseState))

err = fakeOVN.fakeClient.EgressFirewallClient.K8sV1().EgressFirewalls(egressFirewall.Namespace).Delete(context.TODO(), egressFirewall.Name, *metav1.NewDeleteOptions(0))
gomega.Expect(err).NotTo(gomega.HaveOccurred())
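
Review bot: The two assignments to *ipv4ACL1.Name and *ipv4ACL2.Name after the syncEgressFirewall call make the untruncated name the expected database state, so this test passes because of the behaviour NOTE1 describes and will have to be inverted once syncEgressFirewall truncates names or the test server enforces the 63-character limit from ovn-org/libovsdb#338. A TODO beside those two lines naming that follow-up would keep the test from being read as the desired behaviour. The hunk also never asserts that the name returned by buildEgressFwAclName(namespace1.Name, ...) is actually longer than 63 characters; that depends on namespace1.Name, which is defined outside the visible lines, so an explicit expectation on len(*ipv4ACL1.Name) would make the over-limit condition part of the test rather than an assumption in the trailing comments.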
