fix metallb underlay lflow rule is deleted unexpected (#5723)

* fix metallb underlay lflow rule is deleted unexpected

Signed-off-by: clyi <clyi@alauda.io>

* add log

Signed-off-by: clyi <clyi@alauda.io>

---------

Signed-off-by: clyi <clyi@alauda.io>

Author: changluyi

pkg/ovs/ovn-nb-load_balancer.go

@@ -467,68 +467,153 @@ func (c *OVNNbClient) LoadBalancerAddIPPortMapping(lbName, vipEndpoint string, m
 	return nil
 }
 
-// LoadBalancerDeleteIPPortMapping delete load balancer ip port mapping
+// LoadBalancerDeleteIPPortMapping deletes IP port mappings for a specific VIP from a load balancer.
+// This function ensures that only backend IPs that are no longer referenced by any VIP are removed.
 func (c *OVNNbClient) LoadBalancerDeleteIPPortMapping(lbName, vipEndpoint string) error {
-	var (
-		ops      []ovsdb.Operation
-		lb       *ovnnb.LoadBalancer
-		mappings map[string]string
-		vip      string
-		err      error
-	)
+	lb, err := c.getLoadBalancerForDeletion(lbName)
+	if err != nil {
+		klog.Errorf("failed to get load balancer for deletion: %v", err)
+		return err
+	}
+	if lb == nil {
+		return nil
+	}
 
-	if lb, err = c.GetLoadBalancer(lbName, true); err != nil {
-		klog.Errorf("failed to get lb health check: %v", err)
+	targetBackendIPs, err := c.extractBackendIPsFromVIP(lb, vipEndpoint)
+	if err != nil {
+		klog.Errorf("failed to extract backend IPs from VIP: %v", err)
 		return err
 	}
+	if len(targetBackendIPs) == 0 {
+		return nil
+	}
+
+	unusedBackendIPs := c.findUnusedBackendIPs(lb, vipEndpoint, targetBackendIPs)
+	return c.deleteUnusedIPPortMappings(lbName, vipEndpoint, unusedBackendIPs)
+}
+
+// getLoadBalancerForDeletion retrieves the load balancer and performs initial validation
+func (c *OVNNbClient) getLoadBalancerForDeletion(lbName string) (*ovnnb.LoadBalancer, error) {
+	lb, err := c.GetLoadBalancer(lbName, true)
+	if err != nil {
+		klog.Errorf("failed to get load balancer %s: %v", lbName, err)
+		return nil, err
+	}
 
 	if lb == nil {
-		klog.Infof("lb %s already deleted", lbName)
-		return nil
+		klog.Infof("load balancer %s already deleted", lbName)
+		return nil, nil
 	}
+
 	if len(lb.IPPortMappings) == 0 {
-		klog.Infof("lb %s has no ip port mapping", lbName)
-		return nil
+		klog.Infof("load balancer %s has no IP port mappings", lbName)
+		return nil, nil
 	}
 
-	if vip, _, err = net.SplitHostPort(vipEndpoint); err != nil {
-		err := fmt.Errorf("failed to split host port: %w", err)
-		klog.Error(err)
-		return err
+	return lb, nil
+}
+
+// extractBackendIPsFromVIP extracts the backend IPs that are used by a specific VIP
+func (c *OVNNbClient) extractBackendIPsFromVIP(lb *ovnnb.LoadBalancer, vipEndpoint string) (map[string]bool, error) {
+	vipBackends, exists := lb.Vips[vipEndpoint]
+	if !exists {
+		klog.Infof("VIP %s not found in load balancer", vipEndpoint)
+		return nil, nil
 	}
 
-	mappings = lb.IPPortMappings
-	for portIP, portMapVip := range lb.IPPortMappings {
-		splits := strings.Split(portMapVip, ":")
-		if len(splits) == 2 && splits[1] == vip {
-			delete(mappings, portIP)
+	backendIPs := make(map[string]bool)
+
+	for backend := range strings.SplitSeq(vipBackends, ",") {
+		if backendIP, _, err := net.SplitHostPort(backend); err == nil {
+			backendIPs[backendIP] = true
 		}
 	}
 
-	if ops, err = c.LoadBalancerOp(
+	klog.V(4).Infof("VIP %s uses %d backend IPs: %v", vipEndpoint, len(backendIPs), getMapKeys(backendIPs))
+	return backendIPs, nil
+}
+
+// findUnusedBackendIPs identifies which backend IPs are no longer used by any other VIP
+func (c *OVNNbClient) findUnusedBackendIPs(lb *ovnnb.LoadBalancer, targetVIP string, targetBackendIPs map[string]bool) map[string]string {
+	unusedBackendIPs := make(map[string]string)
+
+	for backendIP := range targetBackendIPs {
+		if !c.isBackendIPStillUsed(lb, targetVIP, backendIP) {
+			if portMapping, exists := lb.IPPortMappings[backendIP]; exists {
+				unusedBackendIPs[backendIP] = portMapping
+			}
+		}
+	}
+
+	klog.V(4).Infof("Found %d unused backend IPs for VIP %s", len(unusedBackendIPs), targetVIP)
+	return unusedBackendIPs
+}
+
+// isBackendIPStillUsed checks if a backend IP is still referenced by any other VIP
+func (c *OVNNbClient) isBackendIPStillUsed(lb *ovnnb.LoadBalancer, targetVIP, backendIP string) bool {
+	for otherVIP, otherBackends := range lb.Vips {
+		if otherVIP == targetVIP {
+			continue
+		}
+
+		for otherBackend := range strings.SplitSeq(otherBackends, ",") {
+			if otherBackendIP, _, err := net.SplitHostPort(otherBackend); err == nil && otherBackendIP == backendIP {
+				klog.V(5).Infof("Backend IP %s is still used by VIP %s", backendIP, otherVIP)
+				return true
+			}
+		}
+	}
+
+	klog.V(5).Infof("Backend IP %s is no longer used by any other VIP", backendIP)
+	return false
+}
+
+// deleteUnusedIPPortMappings performs the actual deletion of unused IP port mappings
+func (c *OVNNbClient) deleteUnusedIPPortMappings(lbName, vipEndpoint string, unusedBackendIPs map[string]string) error {
+	if len(unusedBackendIPs) == 0 {
+		klog.Infof("no unused backend IPs to delete for VIP %s in load balancer %s", vipEndpoint, lbName)
+		return nil
+	}
+
+	ops, err := c.LoadBalancerOp(
 		lbName,
 		func(lb *ovnnb.LoadBalancer) []model.Mutation {
 			return []model.Mutation{
 				{
 					Field:   &lb.IPPortMappings,
-					Value:   mappings,
+					Value:   unusedBackendIPs,
 					Mutator: ovsdb.MutateOperationDelete,
 				},
 			}
 		},
-	); err != nil {
+	)
+	if err != nil {
 		klog.Error(err)
-		return fmt.Errorf("failed to generate operations when deleting ip port mapping %s from load balancers %s: %w", vipEndpoint, lbName, err)
+		return fmt.Errorf("failed to generate operations when deleting IP port mappings for VIP %s from load balancer %s: %w", vipEndpoint, lbName, err)
 	}
+
 	if len(ops) == 0 {
 		return nil
 	}
+
 	if err = c.Transact("lb-del", ops); err != nil {
-		return fmt.Errorf("failed to delete ip port mappings %s from load balancer %s: %w", vipEndpoint, lbName, err)
+		return fmt.Errorf("failed to delete IP port mappings for VIP %s from load balancer %s: %w", vipEndpoint, lbName, err)
 	}
+
+	klog.Infof("successfully deleted %d unused backend IPs for VIP %s from load balancer %s",
+		len(unusedBackendIPs), vipEndpoint, lbName)
 	return nil
 }
 
+// getMapKeys returns the keys of a map as a slice
+func getMapKeys(m map[string]bool) []string {
+	keys := make([]string, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	return keys
+}
+
 // LoadBalancerUpdateIPPortMapping update load balancer ip port mapping
 func (c *OVNNbClient) LoadBalancerUpdateIPPortMapping(lbName, vipEndpoint string, ipPortMappings map[string]string) error {
 	ops, err := c.LoadBalancerOp(

pkg/ovs/ovn-nb-load_balancer_test.go

@@ -781,7 +781,7 @@ func (suite *OvnClientTestSuite) testLoadBalancerDeleteIPPortMapping() {
 					require.Contains(t, lb.IPPortMappings, backend)
 				}
 
-				err = nbClient.LoadBalancerDeleteIPPortMapping(lbName, vip)
+				err = nbClient.LoadBalancerDeleteIPPortMapping(lbName, vhost)
 				require.NoError(t, err)
 
 				lb, err = nbClient.GetLoadBalancer(lbName, false)
@@ -807,10 +807,29 @@ func (suite *OvnClientTestSuite) testLoadBalancerDeleteIPPortMapping() {
 	t.Run("delete ip port mappings from load balancer repeatedly",
 		func(t *testing.T) {
 			for vip, backends := range vips {
-				list := strings.Split(backends, ",")
+				var (
+					list        []string
+					vhost, host string
+				)
+				list = strings.Split(backends, ",")
 				mappings = make(map[string]string)
 
-				err = nbClient.LoadBalancerDeleteIPPortMapping(lbName, vip)
+				for _, backend := range list {
+					host, _, err = net.SplitHostPort(backend)
+					require.NoError(t, err)
+
+					mappings[host] = host
+				}
+
+				vhost, _, err = net.SplitHostPort(vip)
+				require.NoError(t, err)
+				err = nbClient.LoadBalancerAddVip(lbName, vhost, list...)
+				require.NoError(t, err)
+
+				err = nbClient.LoadBalancerAddIPPortMapping(lbName, vhost, mappings)
+				require.NoError(t, err)
+
+				err = nbClient.LoadBalancerDeleteIPPortMapping(lbName, vhost)
 				require.NoError(t, err)
 
 				lb, err = nbClient.GetLoadBalancer(lbName, false)
@@ -827,16 +846,45 @@ func (suite *OvnClientTestSuite) testLoadBalancerDeleteIPPortMapping() {
 	)
 
 	vips = map[string]string{
-		"[fd00:10:96::e86f]:8080": "",
+		"[fd00:10:96::e86f]:8080": "[fc00::af4:a]:8080,[fc00::af4:b]:8080,[fc00::af4:c]:8080",
 	}
 	t.Run("delete ip port mappings from load balancer repeatedly",
 		func(t *testing.T) {
-			for vip := range vips {
-				err = nbClient.LoadBalancerDeleteIPPortMapping(lbName, vip)
+			for vip, backends := range vips {
+				var (
+					list        []string
+					vhost, host string
+				)
+				list = strings.Split(backends, ",")
+				mappings = make(map[string]string)
+
+				for _, backend := range list {
+					host, _, err = net.SplitHostPort(backend)
+					require.NoError(t, err)
+
+					mappings[host] = host
+				}
+
+				vhost, _, err = net.SplitHostPort(vip)
+				require.NoError(t, err)
+				err = nbClient.LoadBalancerAddVip(lbName, vhost, list...)
+				require.NoError(t, err)
+
+				err = nbClient.LoadBalancerAddIPPortMapping(lbName, vhost, mappings)
+				require.NoError(t, err)
+
+				err = nbClient.LoadBalancerDeleteIPPortMapping(lbName, vhost)
 				require.NoError(t, err)
 
 				lb, err = nbClient.GetLoadBalancer(lbName, false)
 				require.NoError(t, err)
+
+				for _, backend := range list {
+					backend, _, err = net.SplitHostPort(backend)
+					require.NoError(t, err)
+
+					require.NotContains(t, lb.IPPortMappings, backend)
+				}
 			}
 		},
 	)

test/e2e/metallb/e2e_test.go

@@ -258,7 +258,7 @@ var _ = framework.Describe("[group:metallb]", func() {
 		if f.HasIPv4() {
 			underlayCidr = append(underlayCidr, cidrV4)
 			gateway = append(gateway, gatewayV4)
-			for index := range 5 {
+			for index := range 10 {
 				startIP := strings.Split(cidrV4, "/")[0]
 				ip, _ := ipam.NewIP(startIP)
 				metallbVIPv4s = append(metallbVIPv4s, ip.Add(100+int64(index)).String())
@@ -268,7 +268,7 @@ var _ = framework.Describe("[group:metallb]", func() {
 		if f.HasIPv6() {
 			underlayCidr = append(underlayCidr, cidrV6)
 			gateway = append(gateway, gatewayV6)
-			for index := range 5 {
+			for index := range 10 {
 				startIP := strings.Split(cidrV6, "/")[0]
 				ip, _ := ipam.NewIP(startIP)
 				metallbVIPv6s = append(metallbVIPv6s, ip.Add(100+int64(index)).String())
@@ -338,7 +338,7 @@ var _ = framework.Describe("[group:metallb]", func() {
 		deploy.Spec.Template.Spec.Containers[0].Args = args
 		_ = deployClient.CreateSync(deploy)
 
-		ginkgo.By("Creating a service for the deployment")
+		ginkgo.By("Creating the first service for the deployment")
 		ports := []corev1.ServicePort{
 			{
 				Name:       "http",
@@ -351,13 +351,30 @@ var _ = framework.Describe("[group:metallb]", func() {
 		service.Spec.ExternalTrafficPolicy = corev1.ServiceExternalTrafficPolicyTypeLocal
 		_ = serviceClient.CreateSync(service, func(s *corev1.Service) (bool, error) {
 			return len(s.Status.LoadBalancer.Ingress) != 0, nil
-		}, "lb service ip is not empty")
+		}, "first lb service ip is not empty")
 
-		ginkgo.By("Checking the service is reachable")
+		ginkgo.By("Creating the second service for the same deployment")
+		serviceName2 := "service2-" + framework.RandomSuffix()
+		service2 := framework.MakeService(serviceName2, corev1.ServiceTypeLoadBalancer, nil, podLabels, ports, "")
+		service2.Spec.ExternalTrafficPolicy = corev1.ServiceExternalTrafficPolicyTypeLocal
+		_ = serviceClient.CreateSync(service2, func(s *corev1.Service) (bool, error) {
+			return len(s.Status.LoadBalancer.Ingress) != 0, nil
+		}, "second lb service ip is not empty")
+
+		ginkgo.By("Checking both services are reachable")
 		service = f.ServiceClient().Get(serviceName)
+		service2 = f.ServiceClient().Get(serviceName2)
 		lbsvcIP := service.Status.LoadBalancer.Ingress[0].IP
+		lbsvcIP2 := service2.Status.LoadBalancer.Ingress[0].IP
 
 		checkReachable(f, containerID, clientip, lbsvcIP, "80", clusterName, true)
+		checkReachable(f, containerID, clientip, lbsvcIP2, "80", clusterName, true)
+
+		ginkgo.By("Deleting the first service")
+		serviceClient.DeleteSync(serviceName)
+
+		ginkgo.By("Checking the second service is still reachable after first service deletion")
+		checkReachable(f, containerID, clientip, lbsvcIP2, "80", clusterName, true)
 	})
 })