Remove default tier prefix from Policy CRD without annotation (projectcalico#10399) (projectcalico#10418)

MichalFupso · web-flow · commit 9af429122279 · 2025-05-16T12:44:27.000-07:00
diff --git a/libcalico-go/lib/backend/k8s/resources/resources.go b/libcalico-go/lib/backend/k8s/resources/resources.go
@@ -327,8 +327,24 @@ func ConvertK8sResourceToCalicoResource(res Resource) error {
 	// so that they do not get overwritten.
 	if meta.Name == "" {
 		// We store the original v3 Name in our annotation when writing NetworkPolicy and GNP objects. If that's present, use it.
+		// If the kind is Policy and the annotation is not present, we remove the default. prefix to be compatible with previous Calico versions
 		// Otherwise, fill in the name from the underlying CRD.
-		meta.Name = rom.GetName()
+		switch res.GetObjectKind().GroupVersionKind().Kind {
+		case apiv3.KindGlobalNetworkPolicy:
+			policy := res.(*apiv3.GlobalNetworkPolicy)
+			meta.Name = determinePolicyName(rom.GetName(), policy.Spec.Tier)
+		case apiv3.KindNetworkPolicy:
+			policy := res.(*apiv3.NetworkPolicy)
+			meta.Name = determinePolicyName(rom.GetName(), policy.Spec.Tier)
+		case apiv3.KindStagedGlobalNetworkPolicy:
+			policy := res.(*apiv3.StagedGlobalNetworkPolicy)
+			meta.Name = determinePolicyName(rom.GetName(), policy.Spec.Tier)
+		case apiv3.KindStagedNetworkPolicy:
+			policy := res.(*apiv3.StagedNetworkPolicy)
+			meta.Name = determinePolicyName(rom.GetName(), policy.Spec.Tier)
+		default:
+			meta.Name = rom.GetName()
+		}
 	}
 	meta.Namespace = rom.GetNamespace()
 	meta.ResourceVersion = rom.GetResourceVersion()
@@ -365,3 +381,12 @@ func watchOptionsToK8sListOptions(wo api.WatchOptions) metav1.ListOptions {
 		AllowWatchBookmarks: wo.AllowWatchBookmarks,
 	}
 }
+
+func determinePolicyName(name, tier string) string {
+	if tier == "default" || tier == "" {
+		// It's possible the policy does not contain tier, that means it's in the default Tier it's added later by the API server
+		return strings.TrimPrefix(name, "default.")
+	}
+
+	return name
+}
diff --git a/libcalico-go/lib/backend/model/keys.go b/libcalico-go/lib/backend/model/keys.go
@@ -646,61 +646,39 @@ func ParseValue(key Key, rawData []byte) (interface{}, error) {
 
 	if valueType == reflect.TypeOf(apiv3.NetworkPolicy{}) {
 		policy := iface.(*apiv3.NetworkPolicy)
-		annotations := policy.Annotations
-		if annotations != nil && annotations[metadataAnnotation] != "" {
-			policy.Name, policy.Annotations, err = parseMetadataAnnotation(annotations)
-			if err != nil {
-				return nil, err
-			}
+		policy.Name, policy.Annotations, err = determinePolicyName(policy.Name, policy.Spec.Tier, policy.Annotations)
+		if err != nil {
+			return nil, err
 		}
 	}
 
 	if valueType == reflect.TypeOf(apiv3.GlobalNetworkPolicy{}) {
 		policy := iface.(*apiv3.GlobalNetworkPolicy)
-		annotations := policy.Annotations
-		if annotations != nil && annotations[metadataAnnotation] != "" {
-			policy.Name, policy.Annotations, err = parseMetadataAnnotation(annotations)
-			if err != nil {
-				return nil, err
-			}
+		policy.Name, policy.Annotations, err = determinePolicyName(policy.Name, policy.Spec.Tier, policy.Annotations)
+		if err != nil {
+			return nil, err
 		}
 	}
 
 	if valueType == reflect.TypeOf(apiv3.StagedNetworkPolicy{}) {
 		policy := iface.(*apiv3.StagedNetworkPolicy)
-		annotations := policy.Annotations
-		if annotations != nil && annotations[metadataAnnotation] != "" {
-			policy.Name, policy.Annotations, err = parseMetadataAnnotation(annotations)
-			if err != nil {
-				return nil, err
-			}
+		policy.Name, policy.Annotations, err = determinePolicyName(policy.Name, policy.Spec.Tier, policy.Annotations)
+		if err != nil {
+			return nil, err
 		}
 	}
 
 	if valueType == reflect.TypeOf(apiv3.StagedGlobalNetworkPolicy{}) {
 		policy := iface.(*apiv3.StagedGlobalNetworkPolicy)
-		annotations := policy.Annotations
-		if annotations != nil && annotations[metadataAnnotation] != "" {
-			policy.Name, policy.Annotations, err = parseMetadataAnnotation(annotations)
-			if err != nil {
-				return nil, err
-			}
+		policy.Name, policy.Annotations, err = determinePolicyName(policy.Name, policy.Spec.Tier, policy.Annotations)
+		if err != nil {
+			return nil, err
 		}
 	}
 
 	return iface, nil
 }
 
-func parseMetadataAnnotation(annotations map[string]string) (string, map[string]string, error) {
-	meta := &metav1.ObjectMeta{}
-	err := json.Unmarshal([]byte(annotations[metadataAnnotation]), meta)
-	if err != nil {
-		return "", nil, err
-	}
-	delete(annotations, metadataAnnotation)
-	return meta.Name, annotations, nil
-}
-
 // SerializeValue serializes a value in the model to a []byte to be stored in the datastore.  This
 // performs the opposite processing to ParseValue()
 func SerializeValue(d *KVPair) ([]byte, error) {
@@ -722,3 +700,24 @@ func SerializeValue(d *KVPair) ([]byte, error) {
 	}
 	return json.Marshal(d.Value)
 }
+
+// determinePolicyName updates Policy name based on either the projectcalico.org/metadata annotation that was added in 3.30,
+// or defaults the name to be returned without the default prefix if no annotation was found. This was the default behaviour in =<3.28
+func determinePolicyName(name, tier string, annotations map[string]string) (string, map[string]string, error) {
+	if annotations != nil && annotations[metadataAnnotation] != "" {
+		meta := &metav1.ObjectMeta{}
+		err := json.Unmarshal([]byte(annotations[metadataAnnotation]), meta)
+		if err != nil {
+			return "", nil, err
+		}
+		delete(annotations, metadataAnnotation)
+		return meta.Name, annotations, nil
+	}
+
+	if tier == "default" || tier == "" {
+		// It's possible the policy does not contain tier, that means it's in the default Tier it's added later by the API server
+		return strings.TrimPrefix(name, "default."), annotations, nil
+	}
+
+	return name, annotations, nil
+}
diff --git a/libcalico-go/lib/clientv3/globalnetworkpolicy_e2e_test.go b/libcalico-go/lib/clientv3/globalnetworkpolicy_e2e_test.go
@@ -16,6 +16,7 @@ package clientv3_test
 
 import (
 	"context"
+	"os/exec"
 	"time"
 
 	. "github.com/onsi/ginkgo"
@@ -404,6 +405,19 @@ var _ = testutils.E2eDatastoreDescribe("GlobalNetworkPolicy tests", testutils.Da
 		Entry("GlobalNetworkPolicy with default tier prefix", "default.netpol", "netpol"),
 	)
 
+	Describe("GlobalNetworkPolicy without name on the projectcalico.org annotation", func() {
+		It("Should return the name without default prefix", func() {
+			if config.Spec.DatastoreType == apiconfig.Kubernetes {
+				// We create the policies as a CRD to prevent the api server adding the correct annotation
+				err := exec.Command("kubectl", "create", "-f", "../../test/mock-policies.yaml").Run()
+				Expect(err).ToNot(HaveOccurred())
+
+				_, err = c.NetworkPolicies().Get(ctx, "default", "prefix-test-policy", options.GetOptions{})
+				Expect(err).ToNot(HaveOccurred())
+			}
+		})
+	})
+
 	DescribeTable("GlobalNetworkPolicy name validation tests",
 		func(policyName string, tier string, expectError bool) {
 			if tier != "default" {
diff --git a/libcalico-go/lib/clientv3/networkpolicy_e2e_test.go b/libcalico-go/lib/clientv3/networkpolicy_e2e_test.go
@@ -16,6 +16,7 @@ package clientv3_test
 
 import (
 	"context"
+	"os/exec"
 	"time"
 
 	. "github.com/onsi/ginkgo"
@@ -427,6 +428,19 @@ var _ = testutils.E2eDatastoreDescribe("NetworkPolicy tests", testutils.Datastor
 		Entry("NetworkPolicy with default tier prefix", "default.netpol", "netpol"),
 	)
 
+	Describe("NetworkPolicy without name on the projectcalico.org annotation", func() {
+		It("Should return the name without default prefix", func() {
+			if config.Spec.DatastoreType == apiconfig.Kubernetes {
+				// We create the policies as a CRD to prevent the api server adding the correct annotation
+				err := exec.Command("kubectl", "create", "-f", "../../test/mock-policies.yaml").Run()
+				Expect(err).ToNot(HaveOccurred())
+
+				_, err = c.NetworkPolicies().Get(ctx, "default", "prefix-test-policy", options.GetOptions{})
+				Expect(err).ToNot(HaveOccurred())
+			}
+		})
+	})
+
 	DescribeTable("NetworkPolicy name validation tests",
 		func(policyName string, tier string, expectError bool) {
 			namespace := "default"
diff --git a/libcalico-go/lib/clientv3/stagedglobalnetworkpolicy_e2e_test.go b/libcalico-go/lib/clientv3/stagedglobalnetworkpolicy_e2e_test.go
@@ -16,6 +16,7 @@ package clientv3_test
 
 import (
 	"context"
+	"os/exec"
 	"time"
 
 	. "github.com/onsi/ginkgo"
@@ -398,6 +399,19 @@ var _ = testutils.E2eDatastoreDescribe("StagedGlobalNetworkPolicy tests", testut
 		Entry("StagedGlobalNetworkPolicy with default tier prefix", "default.netpol", "netpol"),
 	)
 
+	Describe("StagedGlobalNetworkPolicy without name on the projectcalico.org annotation", func() {
+		It("Should return the name without default prefix", func() {
+			if config.Spec.DatastoreType == apiconfig.Kubernetes {
+				// We create the policies as a CRD to prevent the api server adding the correct annotation
+				err := exec.Command("kubectl", "create", "-f", "../../test/mock-policies.yaml").Run()
+				Expect(err).ToNot(HaveOccurred())
+
+				_, err = c.StagedGlobalNetworkPolicies().Get(ctx, "prefix-test-policy", options.GetOptions{})
+				Expect(err).ToNot(HaveOccurred())
+			}
+		})
+	})
+
 	DescribeTable("StagedGlobalNetworkPolicy name validation tests",
 		func(policyName string, tier string, expectError bool) {
 			if tier != "default" {
diff --git a/libcalico-go/lib/clientv3/stagednetworkpolicy_e2e_test.go b/libcalico-go/lib/clientv3/stagednetworkpolicy_e2e_test.go
@@ -16,6 +16,7 @@ package clientv3_test
 
 import (
 	"context"
+	"os/exec"
 	"time"
 
 	. "github.com/onsi/ginkgo"
@@ -430,6 +431,19 @@ var _ = testutils.E2eDatastoreDescribe("StagedNetworkPolicy tests", testutils.Da
 		Entry("StagedNetworkPolicy with default tier prefix", "default.netpol", "netpol"),
 	)
 
+	Describe("StagedNetworkPolicy without name on the projectcalico.org annotation", func() {
+		It("Should return the name without default prefix", func() {
+			if config.Spec.DatastoreType == apiconfig.Kubernetes {
+				// We create the policies as a CRD to prevent the api server adding the correct annotation
+				err := exec.Command("kubectl", "create", "-f", "../../test/mock-policies.yaml").Run()
+				Expect(err).ToNot(HaveOccurred())
+
+				_, err = c.StagedGlobalNetworkPolicies().Get(ctx, "prefix-test-policy", options.GetOptions{})
+				Expect(err).ToNot(HaveOccurred())
+			}
+		})
+	})
+
 	DescribeTable("StagedNetworkPolicy name validation tests",
 		func(policyName string, tier string, expectError bool) {
 			namespace := "default"
diff --git a/libcalico-go/test/mock-policies.yaml b/libcalico-go/test/mock-policies.yaml
@@ -0,0 +1,62 @@
+#These policies are used for testing if the correct policy name is returned when no name is part of the projectcalico.org/metadata annotation
+apiVersion: crd.projectcalico.org/v1
+kind: NetworkPolicy
+metadata:
+  name: default.prefix-test-policy
+  namespace: default
+  annotations:
+    test: test
+    projectcalico.org/metadata: '{}'
+spec:
+  tier: default
+  types:
+    - Ingress
+    - Egress
+
+---
+
+apiVersion: crd.projectcalico.org/v1
+kind: GlobalNetworkPolicy
+metadata:
+  name: default.prefix-test-policy
+  namespace: default
+  annotations:
+    test: test
+    projectcalico.org/metadata: '{}'
+spec:
+  tier: default
+  types:
+    - Ingress
+    - Egress
+
+---
+
+apiVersion: crd.projectcalico.org/v1
+kind: StagedNetworkPolicy
+metadata:
+  name: default.prefix-test-policy
+  namespace: default
+  annotations:
+    test: test
+    projectcalico.org/metadata: '{}'
+spec:
+  tier: default
+  types:
+    - Ingress
+    - Egress
+
+---
+
+apiVersion: crd.projectcalico.org/v1
+kind: StagedGlobalNetworkPolicy
+metadata:
+  name: default.prefix-test-policy
+  namespace: default
+  annotations:
+    test: test
+    projectcalico.org/metadata: '{}'
+spec:
+  tier: default
+  types:
+    - Ingress
+    - Egress
