fix duplicate acls because of parentkey (#5357)

* fix duplicate acls because of parentkey

Signed-off-by: clyi <clyi@alauda.io>

---------

Signed-off-by: clyi <clyi@alauda.io>

Author: changluyi

mocks/pkg/ovs/interface.go

@@ -28,8 +28,9 @@ import (
 
 func (c *Controller) InitOVN() error {
 	var err error
-	if err = c.migrateACLTier(); err != nil {
-		klog.Errorf("failed to migrate ACL tier: %v", err)
+
+	if err = c.migrateACLForVersionCompat(); err != nil {
+		klog.Errorf("failed to sync the older acl : %v", err)
 		return err
 	}
 
@@ -68,11 +69,20 @@ func (c *Controller) InitOVN() error {
 	return nil
 }
 
-// migrate tier field of ACL rules created in versions prior to v1.13.0
-// after upgrading, the tier field has a default value of zero, which is not the value used in versions >= v1.13.0
-// we need to migrate the tier field to the correct value
-func (c *Controller) migrateACLTier() error {
-	return c.OVNNbClient.MigrateACLTier()
+func (c *Controller) migrateACLForVersionCompat() error {
+	// migrate tier field of ACL rules created in versions prior to v1.13.0
+	// after upgrading, the tier field has a default value of zero, which is not the value used in versions >= v1.13.0
+	// we need to migrate the tier field to the correct value
+	if err := c.OVNNbClient.MigrateACLTier(); err != nil {
+		klog.Errorf("failed to migrate ACL tier: %v", err)
+		return err
+	}
+	// clean all no parent key acls
+	if err := c.OVNNbClient.CleanNoParentKeyAcls(); err != nil {
+		klog.Errorf("failed to clean all no parent key acls: %v", err)
+		return err
+	}
+	return nil
 }
 
 func (c *Controller) InitDefaultVpc() error {

pkg/controller/init.go

@@ -157,6 +157,7 @@ type ACL interface {
 	DeleteAclsOps(parentName, parentType, direction string, externalIDs map[string]string) ([]ovsdb.Operation, error)
 	UpdateAnpRuleACLOps(pgName, asName, protocol, aclName string, priority int, aclAction ovnnb.ACLAction, logACLActions []ovnnb.ACLAction, rulePorts []v1alpha1.AdminNetworkPolicyPort, isIngress, isBanp bool) ([]ovsdb.Operation, error)
 	MigrateACLTier() error
+	CleanNoParentKeyAcls() error
 }
 
 type AddressSet interface {

pkg/ovs/interface.go

@@ -1486,3 +1486,58 @@ func (c *OVNNbClient) MigrateACLTier() error {
 
 	return nil
 }
+
+func (c *OVNNbClient) CleanNoParentKeyAcls() error {
+	ctx, cancel := context.WithTimeout(context.Background(), c.Timeout)
+	defer cancel()
+
+	var aclList []ovnnb.ACL
+	if err := c.ovsDbClient.WhereCache(func(acl *ovnnb.ACL) bool {
+		_, ok := acl.ExternalIDs[aclParentKey]
+		return !ok
+	}).List(ctx, &aclList); err != nil {
+		err = fmt.Errorf("failed to list acls without parent: %w", err)
+		klog.Error(err)
+		return err
+	}
+
+	ops := make([]ovsdb.Operation, 0, len(aclList))
+	for _, acl := range aclList {
+		var portGroups []ovnnb.PortGroup
+		if err := c.ovsDbClient.WhereCache(func(pg *ovnnb.PortGroup) bool {
+			return slices.Contains(pg.ACLs, acl.UUID)
+		}).List(ctx, &portGroups); err == nil {
+			for _, pg := range portGroups {
+				op, err := c.portGroupUpdateACLOp(pg.Name, []string{acl.UUID}, ovsdb.MutateOperationDelete)
+				if err == nil {
+					ops = append(ops, op...)
+				}
+			}
+		}
+		var logicalSwitches []ovnnb.LogicalSwitch
+		if err := c.ovsDbClient.WhereCache(func(ls *ovnnb.LogicalSwitch) bool {
+			return slices.Contains(ls.ACLs, acl.UUID)
+		}).List(ctx, &logicalSwitches); err == nil {
+			for _, ls := range logicalSwitches {
+				op, err := c.logicalSwitchUpdateACLOp(ls.Name, []string{acl.UUID}, ovsdb.MutateOperationDelete)
+				if err == nil {
+					ops = append(ops, op...)
+				}
+			}
+		}
+		delOp, err := c.Where(&acl).Delete()
+		if err == nil {
+			ops = append(ops, delOp...)
+		}
+	}
+	if len(ops) == 0 {
+		return nil
+	}
+
+	if err := c.Transact("acl-clean-no-parent", ops); err != nil {
+		klog.Error(err)
+		return fmt.Errorf("failed to clean acls without parent: %w", err)
+	}
+
+	return nil
+}