fix(controller): backfill nat gateway lan ip safely (kubeovn#6424)

* fix(controller): backfill nat gateway lan ip and sync status

Backfill spec.lanIp from the running NAT gateway pod using StatefulSet owner references. Also mirror spec.lanIp into status and add tests for both behaviors.

Signed-off-by: jimyag <git@jimyag.com>

* refactor(controller): remove nat gateway status lanIp sync

Keep lanIp as a spec-only field for VpcNatGateway.
Remove redundant status.lanIp updates and related unit test coverage.

Signed-off-by: jimyag <git@jimyag.com>

* fix(controller): guard nat gw lanIp backfill when lister is nil

Fallback to direct API get when vpcNatGatewayLister is not initialized.
This prevents nil pointer panics in lanIp backfill test scenarios.

Signed-off-by: jimyag <git@jimyag.com>

* fix(controller): harden nat gw lanIp backfill checks

Restrict lanIp backfill to controller namespace pods and validate parsed IP values before patching.
Also simplify owner name guard logic and expand unit coverage for namespace and invalid-ip cases.

Signed-off-by: jimyag <git@jimyag.com>

* fix(controller): select nat gw lan ip by subnet protocol

Choose backfilled lanIp using subnet protocol to avoid preferring IPv4 on IPv6 subnets.
Add unit coverage for IPv6 subnet backfill behavior.

Signed-off-by: jimyag <git@jimyag.com>

* style(test): fix gofumpt formatting in pod backfill test

Apply gofumpt formatting to TestBackfillVpcNatGwLanIPFromPod setup block.
This matches CI lint expectations for Build kube-ovn.

Signed-off-by: jimyag <git@jimyag.com>

* fix(controller): trigger nat gateway reconcile from pod updates only

Limit VpcNatGateway reconcile trigger to NAT gateway pod update paths.
Remove parent enqueue logic from EIP/FIP/DNAT/SNAT child resource enqueue handlers.
Keep lanIP backfill in parent reconcile.

Signed-off-by: jimyag <git@jimyag.com>

* chore(controller): revert non-functional nat gw handler refactors

Signed-off-by: jimyag <git@jimyag.com>

---------

Signed-off-by: jimyag <git@jimyag.com>

Author: jimyag

pkg/controller/controller_test.go

@@ -62,6 +62,7 @@ func alwaysReady() bool { return true }
 // FakeControllerOptions holds optional parameters for creating a fake controller
 type FakeControllerOptions struct {
 	Subnets            []*kubeovnv1.Subnet
+	VpcNatGateways     []*kubeovnv1.VpcNatGateway
 	IPs                []*kubeovnv1.IP
 	Vlans              []*kubeovnv1.Vlan
 	NetworkAttachments []*nadv1.NetworkAttachmentDefinition
@@ -117,6 +118,13 @@ func newFakeControllerWithOptions(t *testing.T, opts *FakeControllerOptions) (*f
 			return nil, err
 		}
 	}
+	for _, gw := range opts.VpcNatGateways {
+		_, err := kubeovnClient.KubeovnV1().VpcNatGateways().Create(
+			context.Background(), gw, metav1.CreateOptions{})
+		if err != nil {
+			return nil, err
+		}
+	}
 	for _, ip := range opts.IPs {
 		_, err := kubeovnClient.KubeovnV1().IPs().Create(
 			context.Background(), ip, metav1.CreateOptions{})

pkg/controller/pod.go

@@ -543,6 +543,7 @@ func (c *Controller) handleAddOrUpdatePod(key string) (err error) {
 
 	isVpcNatGw, vpcGwName := c.checkIsPodVpcNatGw(pod)
 	if isVpcNatGw {
+		c.enqueueAddOrUpdateVpcNatGwByName(vpcGwName, "natgw-pod-update")
 		if needRestartNatGatewayPod(pod) {
 			klog.Infof("restarting vpc nat gateway %s", vpcGwName)
 			c.addOrUpdateVpcNatGatewayQueue.Add(vpcGwName)
@@ -722,6 +723,7 @@ func (c *Controller) reconcileAllocateSubnets(pod *v1.Pod, needAllocatePodNets [
 	// Check if pod is a vpc nat gateway. Annotation set will have subnet provider name as prefix
 	isVpcNatGw, vpcGwName := c.checkIsPodVpcNatGw(pod)
 	if isVpcNatGw {
+		c.enqueueAddOrUpdateVpcNatGwByName(vpcGwName, "natgw-pod-update")
 		klog.Infof("init vpc nat gateway pod %s/%s with name %s", namespace, name, vpcGwName)
 		c.initVpcNatGatewayQueue.Add(vpcGwName)
 	}
@@ -2637,6 +2639,108 @@ func (c *Controller) checkIsPodVpcNatGw(pod *v1.Pod) (bool, string) {
 	return isVpcNatGw, vpcGwName
 }
 
+func natGwNameFromStatefulSetOwner(pod *v1.Pod) string {
+	isStsPod, stsName, _ := isStatefulSetPod(pod)
+	if !isStsPod {
+		return ""
+	}
+
+	prefix := util.VpcNatGwNamePrefix + "-"
+	if !strings.HasPrefix(stsName, prefix) {
+		return ""
+	}
+	return strings.TrimPrefix(stsName, prefix)
+}
+
+func (c *Controller) backfillVpcNatGwLanIPFromPod(pod *v1.Pod, gwName string) error {
+	if pod == nil {
+		return nil
+	}
+	if pod.Namespace != c.config.PodNamespace {
+		return nil
+	}
+
+	ownerGwName := natGwNameFromStatefulSetOwner(pod)
+	if ownerGwName == "" {
+		return nil
+	}
+	if gwName == "" {
+		gwName = ownerGwName
+	}
+	// Use owner reference as a guard to avoid patching unrelated pods carrying a stale annotation.
+	if ownerGwName != gwName {
+		klog.Warningf("skip backfill for pod %s/%s: gw annotation %q does not match owner statefulset %q",
+			pod.Namespace, pod.Name, gwName, ownerGwName)
+		return nil
+	}
+
+	var (
+		gw  *kubeovnv1.VpcNatGateway
+		err error
+	)
+	if c.vpcNatGatewayLister != nil {
+		gw, err = c.vpcNatGatewayLister.Get(gwName)
+	} else {
+		gw, err = c.config.KubeOvnClient.KubeovnV1().VpcNatGateways().Get(context.Background(), gwName, metav1.GetOptions{})
+	}
+	if err != nil {
+		if k8serrors.IsNotFound(err) {
+			return nil
+		}
+		return err
+	}
+	if gw.Spec.LanIP != "" {
+		return nil
+	}
+
+	subnet, err := c.subnetsLister.Get(gw.Spec.Subnet)
+	if err != nil {
+		return fmt.Errorf("failed to get subnet %s: %w", gw.Spec.Subnet, err)
+	}
+	if !isOvnSubnet(subnet) {
+		return fmt.Errorf("subnet %s is not an OVN subnet", gw.Spec.Subnet)
+	}
+	provider := subnet.Spec.Provider
+
+	lanIP := pod.Annotations[fmt.Sprintf(util.IPAddressAnnotationTemplate, provider)]
+	v4IP, v6IP := util.SplitStringIP(lanIP)
+	switch subnet.Spec.Protocol {
+	case kubeovnv1.ProtocolIPv6:
+		lanIP = v6IP
+	case kubeovnv1.ProtocolIPv4:
+		lanIP = v4IP
+	case kubeovnv1.ProtocolDual:
+		if v4IP != "" {
+			lanIP = v4IP
+		} else {
+			lanIP = v6IP
+		}
+	default:
+		lanIP = v4IP
+	}
+	if lanIP == "" || net.ParseIP(lanIP) == nil {
+		return nil
+	}
+
+	patchPayload := map[string]any{
+		"spec": map[string]string{
+			"lanIp": lanIP,
+		},
+	}
+	raw, err := json.Marshal(patchPayload)
+	if err != nil {
+		return err
+	}
+
+	_, err = c.config.KubeOvnClient.KubeovnV1().VpcNatGateways().Patch(context.Background(),
+		gw.Name, types.MergePatchType, raw, metav1.PatchOptions{})
+	if err != nil {
+		return err
+	}
+	klog.Infof("backfilled vpc nat gateway %s spec.lanIP with pod %s/%s ip %s", gw.Name, pod.Namespace, pod.Name, lanIP)
+	return nil
+}
+
 func perInterfaceIPAnnotationKey(nadName, nadNamespace, ifaceName string) string {
 	return fmt.Sprintf("%s.%s.kubernetes.io/ip_address.%s", nadName, nadNamespace, ifaceName)
 }

pkg/controller/pod_test.go

@@ -1,12 +1,14 @@
 package controller
 
 import (
+	"context"
 	"fmt"
 	"testing"
 
 	nadv1 "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/apis/k8s.cni.cncf.io/v1"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -173,6 +175,160 @@ func TestCheckIsPodVpcNatGw(t *testing.T) {
 	})
 }
 
+func TestBackfillVpcNatGwLanIPFromPod(t *testing.T) {
+	const (
+		gwName    = "test-nat-gw"
+		subnet    = "nat-subnet"
+		provider  = "net1.default.ovn"
+		lanIP     = "10.244.0.10"
+		namespace = "default"
+	)
+
+	tests := []struct {
+		name                   string
+		gwSpecLanIP            string
+		subnetProtocol         string
+		givenGwName            string
+		podOwnerName           string
+		podNamespace           string
+		controllerPodNamespace string
+		podAnnotation          map[string]string
+		expectedLanIP          string
+	}{
+		{
+			name:                   "backfill lanIP from pod annotation",
+			gwSpecLanIP:            "",
+			subnetProtocol:         kubeovnv1.ProtocolIPv4,
+			givenGwName:            gwName,
+			podOwnerName:           util.GenNatGwName(gwName),
+			podNamespace:           namespace,
+			controllerPodNamespace: namespace,
+			podAnnotation: map[string]string{
+				fmt.Sprintf(util.IPAddressAnnotationTemplate, provider): lanIP,
+			},
+			expectedLanIP: lanIP,
+		},
+		{
+			name:                   "derive gateway name from owner reference",
+			gwSpecLanIP:            "",
+			subnetProtocol:         kubeovnv1.ProtocolIPv4,
+			givenGwName:            "",
+			podOwnerName:           util.GenNatGwName(gwName),
+			podNamespace:           namespace,
+			controllerPodNamespace: namespace,
+			podAnnotation: map[string]string{
+				fmt.Sprintf(util.IPAddressAnnotationTemplate, provider): lanIP,
+			},
+			expectedLanIP: lanIP,
+		},
+		{
+			name:                   "skip when spec lanIP already set",
+			gwSpecLanIP:            "10.244.0.99",
+			subnetProtocol:         kubeovnv1.ProtocolIPv4,
+			givenGwName:            gwName,
+			podOwnerName:           util.GenNatGwName(gwName),
+			podNamespace:           namespace,
+			controllerPodNamespace: namespace,
+			podAnnotation: map[string]string{
+				fmt.Sprintf(util.IPAddressAnnotationTemplate, provider): lanIP,
+			},
+			expectedLanIP: "10.244.0.99",
+		},
+		{
+			name:                   "skip when pod namespace is different from controller namespace",
+			gwSpecLanIP:            "",
+			subnetProtocol:         kubeovnv1.ProtocolIPv4,
+			givenGwName:            gwName,
+			podOwnerName:           util.GenNatGwName(gwName),
+			podNamespace:           "other-ns",
+			controllerPodNamespace: namespace,
+			podAnnotation: map[string]string{
+				fmt.Sprintf(util.IPAddressAnnotationTemplate, provider): lanIP,
+			},
+			expectedLanIP: "",
+		},
+		{
+			name:                   "skip when lanIP annotation is invalid",
+			gwSpecLanIP:            "",
+			subnetProtocol:         kubeovnv1.ProtocolIPv4,
+			givenGwName:            gwName,
+			podOwnerName:           util.GenNatGwName(gwName),
+			podNamespace:           namespace,
+			controllerPodNamespace: namespace,
+			podAnnotation: map[string]string{
+				fmt.Sprintf(util.IPAddressAnnotationTemplate, provider): "not-an-ip",
+			},
+			expectedLanIP: "",
+		},
+		{
+			name:                   "prefer IPv6 address for IPv6 subnet",
+			gwSpecLanIP:            "",
+			subnetProtocol:         kubeovnv1.ProtocolIPv6,
+			givenGwName:            gwName,
+			podOwnerName:           util.GenNatGwName(gwName),
+			podNamespace:           namespace,
+			controllerPodNamespace: namespace,
+			podAnnotation: map[string]string{
+				fmt.Sprintf(util.IPAddressAnnotationTemplate, provider): "10.244.0.10,fd00:10:16::10",
+			},
+			expectedLanIP: "fd00:10:16::10",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gw := &kubeovnv1.VpcNatGateway{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: gwName,
+				},
+				Spec: kubeovnv1.VpcNatGatewaySpec{
+					Vpc:    "vpc-a",
+					Subnet: subnet,
+					LanIP:  tt.gwSpecLanIP,
+				},
+			}
+			pod := &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        util.GenNatGwPodName(gwName),
+					Namespace:   tt.podNamespace,
+					Annotations: tt.podAnnotation,
+					OwnerReferences: []metav1.OwnerReference{
+						{
+							APIVersion: appsv1.SchemeGroupVersion.String(),
+							Kind:       util.KindStatefulSet,
+							Name:       tt.podOwnerName,
+						},
+					},
+				},
+			}
+
+			fakeController, err := newFakeControllerWithOptions(t, &FakeControllerOptions{
+				Subnets: []*kubeovnv1.Subnet{
+					{
+						ObjectMeta: metav1.ObjectMeta{Name: subnet},
+						Spec: kubeovnv1.SubnetSpec{
+							Provider: provider,
+							Protocol: tt.subnetProtocol,
+						},
+					},
+				},
+				VpcNatGateways: []*kubeovnv1.VpcNatGateway{gw},
+			})
+			require.NoError(t, err)
+
+			controller := fakeController.fakeController
+			controller.config.PodNamespace = tt.controllerPodNamespace
+			err = controller.backfillVpcNatGwLanIPFromPod(pod, tt.givenGwName)
+			require.NoError(t, err)
+
+			gotGw, err := controller.config.KubeOvnClient.KubeovnV1().VpcNatGateways().Get(
+				context.Background(), gwName, metav1.GetOptions{})
+			require.NoError(t, err)
+			assert.Equal(t, tt.expectedLanIP, gotGw.Spec.LanIP)
+		})
+	}
+}
+
 func TestGetPodKubeovnNetsNonPrimaryCNI(t *testing.T) {
 	tests := []struct {
 		name                string

pkg/controller/vpc_nat_gateway.go

@@ -99,6 +99,14 @@ func (c *Controller) enqueueAddVpcNatGw(obj any) {
 	c.addOrUpdateVpcNatGatewayQueue.Add(key)
 }
 
+func (c *Controller) enqueueAddOrUpdateVpcNatGwByName(gwName, reason string) {
+	if gwName == "" || c.addOrUpdateVpcNatGatewayQueue == nil {
+		return
+	}
+	klog.V(3).Infof("enqueue vpc-nat-gw %s from %s", gwName, reason)
+	c.addOrUpdateVpcNatGatewayQueue.Add(gwName)
+}
+
 func (c *Controller) enqueueUpdateVpcNatGw(_, newObj any) {
 	key := cache.MetaObjectToName(newObj.(*kubeovnv1.VpcNatGateway)).String()
 	klog.V(3).Infof("enqueue update vpc-nat-gw %s", key)
@@ -203,6 +211,10 @@ func (c *Controller) handleAddOrUpdateVpcNatGw(key string) error {
 	var natGwPodContainerRestartCount int32
 	pod, err := c.getNatGwPod(key)
 	if err == nil {
+		if err = c.backfillVpcNatGwLanIPFromPod(pod, key); err != nil {
+			klog.Errorf("failed to backfill lanIP for vpc nat gateway %s: %v", key, err)
+			return err
+		}
 		for _, containerStatus := range pod.Status.ContainerStatuses {
 			if containerStatus.Name == "vpc-nat-gw" {
 				natGwPodContainerRestartCount = containerStatus.RestartCount
@@ -224,6 +236,7 @@ func (c *Controller) handleAddOrUpdateVpcNatGw(key string) error {
 		needToCreate, oldSts = true, nil
 	}
 	gwChanged := isVpcNatGwChanged(gw)
+	needPatchStatus := gwChanged
 
 	newSts, err := c.genNatGwStatefulSet(gw, oldSts, natGwPodContainerRestartCount)
 	if err != nil {
@@ -256,6 +269,9 @@ func (c *Controller) handleAddOrUpdateVpcNatGw(key string) error {
 			klog.Error(err)
 			return err
 		}
+	}
+
+	if needPatchStatus {
 		if err = c.patchNatGwStatus(key); err != nil {
 			klog.Errorf("failed to patch nat gw sts status for nat gw %s, %v", key, err)
 			return err
@@ -1304,7 +1320,6 @@ func (c *Controller) patchNatGwStatus(key string) error {
 		gw.Status.Affinity = gw.Spec.Affinity
 		changed = true
 	}
-
 	if changed {
 		bytes, err := gw.Status.Bytes()
 		if err != nil {