feat: add vendor tagging for OVN resources and migration support

Add vendor=kube-ovn externalID to all OVN resources created by kube-ovn
to distinguish them from resources created by external systems like
OpenStack Neutron. This prevents kube-ovn from accidentally garbage
collecting or modifying resources it doesn't own.

Changes:
- Add version tracking in NBGlobal.ExternalIDs["kube-ovn-version"]
- Add migration that runs only when upgrading from versions < v1.15.0
- Auto-tag new resources: AddressSet, PortGroup, LoadBalancer,
  LogicalRouterPort, ACL
- Update GC functions to only operate on vendor=kube-ovn resources
- Update CleanNoParentKeyAcls to skip non-kube-ovn ACLs
- Add pattern matching to identify existing kube-ovn resources during
  migration (security groups, network policies, load balancers)

The migration identifies kube-ovn resources using:
- Existing externalIDs (lr, ls, sg, parent, subnet)
- Naming patterns (ovn.sg.*, cluster-*-loadbalancer, vpc-*-load)
- Association with tagged logical routers/switches

Resources that cannot be positively identified as kube-ovn owned are
left untouched to avoid interfering with external systems.

Fixes: #5995
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

Author: cloudnull

mocks/pkg/ovs/interface.go

@@ -599,7 +599,12 @@ func (c *Controller) gcLoadBalancer() error {
 			}
 		}
 		// lbs will remove from logical switch automatically when delete lbs
+		// Only delete load balancers that belong to kube-ovn (vendor=kube-ovn)
+		// This prevents deleting load balancers managed by external systems like OpenStack Neutron
 		if err = c.OVNNbClient.DeleteLoadBalancers(func(lb *ovnnb.LoadBalancer) bool {
+			if lb.ExternalIDs["vendor"] != util.CniTypeName {
+				return false
+			}
 			return !vpcLbs.Has(lb.Name)
 		}); err != nil {
 			klog.Errorf("delete all load balancers: %v", err)
@@ -740,8 +745,9 @@ func (c *Controller) gcLoadBalancer() error {
 
 func (c *Controller) gcAddressSet() error {
 	klog.Infof("start to gc address set")
-	// get all address
-	addressSets, err := c.OVNNbClient.ListAddressSets(nil)
+	// Only list address sets that belong to kube-ovn (vendor=kube-ovn)
+	// This prevents deleting address sets managed by external systems like OpenStack Neutron
+	addressSets, err := c.OVNNbClient.ListAddressSets(map[string]string{"vendor": util.CniTypeName})
 	if err != nil {
 		klog.Errorf("failed to list address set,%v", err)
 		return err
@@ -784,7 +790,9 @@ func (c *Controller) gcSecurityGroup() error {
 		sgSet.Add(sg.Name)
 	}
 
-	pgs, err := c.OVNNbClient.ListPortGroups(nil)
+	// Only list port groups that belong to kube-ovn (vendor=kube-ovn)
+	// This prevents deleting port groups managed by external systems like OpenStack Neutron
+	pgs, err := c.OVNNbClient.ListPortGroups(map[string]string{"vendor": util.CniTypeName})
 	if err != nil {
 		klog.Errorf("failed to list port group,%v", err)
 		return err
@@ -1220,6 +1228,12 @@ func (c *Controller) gcVPCDNS() error {
 
 func logicalRouterPortFilter(exceptPeerPorts *strset.Set) func(lrp *ovnnb.LogicalRouterPort) bool {
 	return func(lrp *ovnnb.LogicalRouterPort) bool {
+		// Only delete logical router ports that belong to kube-ovn (vendor=kube-ovn)
+		// This prevents deleting LRPs managed by external systems like OpenStack Neutron
+		if lrp.ExternalIDs["vendor"] != util.CniTypeName {
+			return false
+		}
+
 		if exceptPeerPorts.Has(lrp.Name) {
 			return false // ignore except lrp
 		}

pkg/controller/gc.go

@@ -7,6 +7,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/kubeovn/kube-ovn/pkg/ovsdb/ovnnb"
+	"github.com/kubeovn/kube-ovn/pkg/util"
 )
 
 func newLogicalRouterPort(lrName, lrpName, mac string, networks []string) *ovnnb.LogicalRouterPort {
@@ -15,7 +16,8 @@ func newLogicalRouterPort(lrName, lrpName, mac string, networks []string) *ovnnb
 		MAC:      mac,
 		Networks: networks,
 		ExternalIDs: map[string]string{
-			"lr": lrName,
+			"lr":     lrName,
+			"vendor": util.CniTypeName,
 		},
 	}
 }

pkg/controller/gc_test.go

@@ -30,8 +30,24 @@ import (
 func (c *Controller) InitOVN() error {
 	var err error
 
-	if err = c.migrateACLForVersionCompat(); err != nil {
-		klog.Errorf("failed to sync the older acl : %v", err)
+	// migrate vendor externalIDs to kube-ovn resources created in versions prior to v1.15.0
+	// this must run before ACL cleanup to ensure existing resources are properly tagged
+	if err = c.OVNNbClient.MigrateVendorExternalIDs(); err != nil {
+		klog.Errorf("failed to migrate vendor externalIDs: %v", err)
+		return err
+	}
+
+	// migrate tier field of ACL rules created in versions prior to v1.13.0
+	// after upgrading, the tier field has a default value of zero, which is not the value used in versions >= v1.13.0
+	// we need to migrate the tier field to the correct value
+	if err = c.OVNNbClient.MigrateACLTier(); err != nil {
+		klog.Errorf("failed to migrate ACL tier: %v", err)
+		return err
+	}
+
+	// clean all no parent key acls
+	if err = c.OVNNbClient.CleanNoParentKeyAcls(); err != nil {
+		klog.Errorf("failed to clean all no parent key acls: %v", err)
 		return err
 	}
 
@@ -70,22 +86,6 @@ func (c *Controller) InitOVN() error {
 	return nil
 }
 
-func (c *Controller) migrateACLForVersionCompat() error {
-	// migrate tier field of ACL rules created in versions prior to v1.13.0
-	// after upgrading, the tier field has a default value of zero, which is not the value used in versions >= v1.13.0
-	// we need to migrate the tier field to the correct value
-	if err := c.OVNNbClient.MigrateACLTier(); err != nil {
-		klog.Errorf("failed to migrate ACL tier: %v", err)
-		return err
-	}
-	// clean all no parent key acls
-	if err := c.OVNNbClient.CleanNoParentKeyAcls(); err != nil {
-		klog.Errorf("failed to clean all no parent key acls: %v", err)
-		return err
-	}
-	return nil
-}
-
 func (c *Controller) InitDefaultVpc() error {
 	cachedVpc, err := c.vpcsLister.Get(c.config.ClusterRouter)
 	if err != nil {

pkg/controller/init.go

@@ -27,6 +27,7 @@ type NBGlobal interface {
 	SetNodeLocalDNSIP(nodeLocalDNSIP string) error
 	SetSkipConntrackCidrs(skipConntrackCidrs string) error
 	GetNbGlobal() (*ovnnb.NBGlobal, error)
+	MigrateVendorExternalIDs() error
 }
 
 type LogicalRouter interface {

pkg/ovs/interface.go

@@ -1003,6 +1003,7 @@ func (c *OVNNbClient) newACL(parent, direction, priority, match, action string,
 		Priority:  intPriority,
 		ExternalIDs: map[string]string{
 			aclParentKey: parent,
+			"vendor":     util.CniTypeName,
 		},
 		Tier: tier,
 	}
@@ -1036,6 +1037,7 @@ func (c *OVNNbClient) newACLWithoutCheck(parent, direction, priority, match, act
 		Priority:  intPriority,
 		ExternalIDs: map[string]string{
 			aclParentKey: parent,
+			"vendor":     util.CniTypeName,
 		},
 		Tier: tier,
 	}
@@ -1726,10 +1728,21 @@ func (c *OVNNbClient) CleanNoParentKeyAcls() error {
 
 	var aclList []ovnnb.ACL
 	if err := c.ovsDbClient.WhereCache(func(acl *ovnnb.ACL) bool {
-		_, ok := acl.ExternalIDs[aclParentKey]
-		return !ok
+		// Only clean ACLs that belong to kube-ovn (vendor=kube-ovn) but are missing the parent key.
+		// This ensures we never touch ACLs created by external systems like OpenStack Neutron.
+		// ACLs without vendor tag or with a different vendor are left untouched.
+		if len(acl.ExternalIDs) == 0 {
+			return false
+		}
+		// Skip ACLs that don't belong to kube-ovn
+		if acl.ExternalIDs["vendor"] != util.CniTypeName {
+			return false
+		}
+		// Only target kube-ovn ACLs that are missing the parent key
+		_, hasParent := acl.ExternalIDs[aclParentKey]
+		return !hasParent
 	}).List(ctx, &aclList); err != nil {
-		err = fmt.Errorf("failed to list acls without parent: %w", err)
+		err = fmt.Errorf("failed to list kube-ovn acls without parent: %w", err)
 		klog.Error(err)
 		return err
 	}
@@ -1769,7 +1782,7 @@ func (c *OVNNbClient) CleanNoParentKeyAcls() error {
 
 	if err := c.Transact("acl-clean-no-parent", ops); err != nil {
 		klog.Error(err)
-		return fmt.Errorf("failed to clean acls without parent: %w", err)
+		return fmt.Errorf("failed to clean kube-ovn acls without parent: %w", err)
 	}
 
 	return nil

pkg/ovs/ovn-nb-acl.go

@@ -70,6 +70,7 @@ func newACL(parentName, direction, priority, match, action string, tier int, opt
 		Priority:  intPriority,
 		ExternalIDs: map[string]string{
 			aclParentKey: parentName,
+			"vendor":     util.CniTypeName,
 		},
 		Tier: tier,
 	}
@@ -1910,6 +1911,7 @@ func (suite *OvnClientTestSuite) testNewACL() {
 		Priority:  1000,
 		ExternalIDs: map[string]string{
 			aclParentKey: pgName,
+			"vendor":     util.CniTypeName,
 		},
 		Log:      true,
 		Severity: ptr.To(ovnnb.ACLSeverityWarning),

pkg/ovs/ovn-nb-acl_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"maps"
 	"net"
 	"strings"
 
@@ -13,6 +14,7 @@ import (
 	"k8s.io/klog/v2"
 
 	"github.com/kubeovn/kube-ovn/pkg/ovsdb/ovnnb"
+	"github.com/kubeovn/kube-ovn/pkg/util"
 )
 
 // CreateAddressSet create address set with external ids
@@ -22,6 +24,11 @@ func (c *OVNNbClient) CreateAddressSet(asName string, externalIDs map[string]str
 		return fmt.Errorf("address set %s must match `[a-zA-Z_.][a-zA-Z_.0-9]*`", asName)
 	}
 
+	// Create new map with vendor tag to avoid modifying caller's map
+	finalExternalIDs := make(map[string]string, len(externalIDs)+1)
+	maps.Copy(finalExternalIDs, externalIDs)
+	finalExternalIDs["vendor"] = util.CniTypeName
+
 	exists, err := c.AddressSetExists(asName)
 	if err != nil {
 		klog.Error(err)
@@ -35,7 +42,7 @@ func (c *OVNNbClient) CreateAddressSet(asName string, externalIDs map[string]str
 
 	as := &ovnnb.AddressSet{
 		Name:        asName,
-		ExternalIDs: externalIDs,
+		ExternalIDs: finalExternalIDs,
 	}
 
 	ops, err := c.Create(as)

pkg/ovs/ovn-nb-address_set.go

@@ -7,6 +7,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/kubeovn/kube-ovn/pkg/ovsdb/ovnnb"
+	"github.com/kubeovn/kube-ovn/pkg/util"
 )
 
 func newAddressSet(name string, externalIDs map[string]string) *ovnnb.AddressSet {
@@ -33,8 +34,10 @@ func (suite *OvnClientTestSuite) testCreateAddressSet() {
 		require.NoError(t, err)
 		require.NotEmpty(t, as.UUID)
 		require.Equal(t, asName, as.Name)
+		// vendor is automatically added by CreateAddressSet
 		require.Equal(t, map[string]string{
-			sgKey: "test-sg",
+			sgKey:    "test-sg",
+			"vendor": util.CniTypeName,
 		}, as.ExternalIDs)
 	})
 

pkg/ovs/ovn-nb-address_set_test.go

@@ -16,6 +16,7 @@ import (
 
 	ovsclient "github.com/kubeovn/kube-ovn/pkg/ovsdb/client"
 	"github.com/kubeovn/kube-ovn/pkg/ovsdb/ovnnb"
+	"github.com/kubeovn/kube-ovn/pkg/util"
 )
 
 // CreateLoadBalancer create loadbalancer
@@ -43,6 +44,9 @@ func (c *OVNNbClient) CreateLoadBalancer(lbName, protocol, selectFields string)
 		UUID:     ovsclient.NamedUUID(),
 		Name:     lbName,
 		Protocol: &protocol,
+		ExternalIDs: map[string]string{
+			"vendor": util.CniTypeName,
+		},
 	}
 
 	if len(selectFields) != 0 {