fix(vpc-nat-gw): use consistent provider for all pod annotations (#6204)

The VPC NAT gateway custom routes were not being applied because of
inconsistent annotation key prefixes. The `GenNatGwPodAnnotations`
function was hardcoding the "ovn" prefix for annotations like
`ovn.kubernetes.io/logical_switch`, while `setPodRoutesAnnotation`
was using the actual subnet provider (e.g., "subnet.namespace.ovn").

This caused the CNI daemon to look for routes annotation with a
different key than what was set by the controller, resulting in
routes being ignored.

Changes:
- Add `provider` parameter to `GenNatGwPodAnnotations` function
- Use annotation templates instead of hardcoded constants to generate
  annotation keys dynamically based on the provider
- Remove redundant annotation settings in `EnableNonPrimaryCNI` branch
  since `GenNatGwPodAnnotations` now handles all cases uniformly
- Update unit tests to cover both "ovn" and NAD provider scenarios

Fixes #6202

---------

Signed-off-by: zbb88888 <jmdxjsjgcxy@gmail.com>

Author: zbb88888

pkg/controller/vpc_nat_gateway.go

@@ -849,40 +849,28 @@ func (c *Controller) genNatGwStatefulSet(gw *kubeovnv1.VpcNatGateway, oldSts *v1
 	}
 
 	externalNadNamespace, externalNadName := c.getExternalSubnetNad(gw)
-	podAnnotations := util.GenNatGwPodAnnotations(gw, externalNadNamespace, externalNadName)
-
-	// Restart logic to fix #5072
-	if oldSts != nil && len(oldSts.Spec.Template.Annotations) != 0 {
-		if _, ok := oldSts.Spec.Template.Annotations[util.VpcNatGatewayContainerRestartAnnotation]; !ok && natGwPodContainerRestartCount > 0 {
-			podAnnotations[util.VpcNatGatewayContainerRestartAnnotation] = ""
-		}
-	}
 
 	eth0SubnetProvider, err := c.GetSubnetProvider(gw.Spec.Subnet)
 	if err != nil {
 		klog.Errorf("failed to get gw eth0 valid subnet provider: %v", err)
 		return nil, err
 	}
-	if c.config.EnableNonPrimaryCNI {
-		// We specify NAD using annotations when Kube-OVN is running as a secondary CNI
-		var attachedNetworks string
-		// Get NetworkAttachmentDefinition if specified by user from pod annotations
-		if gw.Annotations != nil && gw.Annotations[nadv1.NetworkAttachmentAnnot] != "" {
-			attachedNetworks = gw.Annotations[nadv1.NetworkAttachmentAnnot] + ", "
-		}
-		// Attach the external network to attachedNetworks
-		attachedNetworks += fmt.Sprintf("%s/%s", externalNadNamespace, externalNadName)
-		// Check if we have a subnet provider, if so, use it to set the routes annotation
-		// This is useful when running in secondary CNI mode, as the subnet provider will be the
-		// one that has the routes to the subnet
-		vpcNatGwNameAnnotation := fmt.Sprintf(util.VpcNatGatewayAnnotationTemplate, eth0SubnetProvider)
-		logicalSwitchAnnotation := fmt.Sprintf(util.LogicalSwitchAnnotationTemplate, eth0SubnetProvider)
-		ipAddressAnnotation := fmt.Sprintf(util.IPAddressAnnotationTemplate, eth0SubnetProvider)
-		// Merge new annotations with existing ones
-		podAnnotations[nadv1.NetworkAttachmentAnnot] = attachedNetworks
-		podAnnotations[vpcNatGwNameAnnotation] = gw.Name
-		podAnnotations[logicalSwitchAnnotation] = gw.Spec.Subnet
-		podAnnotations[ipAddressAnnotation] = gw.Spec.LanIP
+
+	// Get additional networks specified by user in gw.Annotations (for secondary CNI mode)
+	// TODO: the EnableNonPrimaryCNI check may not be necessary, as additional NADs could also
+	// be useful in primary CNI mode. Consider removing this condition in the future.
+	var additionalNetworks string
+	if c.config.EnableNonPrimaryCNI && gw.Annotations != nil {
+		additionalNetworks = gw.Annotations[nadv1.NetworkAttachmentAnnot]
+	}
+
+	podAnnotations := util.GenNatGwPodAnnotations(gw, externalNadNamespace, externalNadName, eth0SubnetProvider, additionalNetworks)
+
+	// Restart logic to fix #5072
+	if oldSts != nil && len(oldSts.Spec.Template.Annotations) != 0 {
+		if _, ok := oldSts.Spec.Template.Annotations[util.VpcNatGatewayContainerRestartAnnotation]; !ok && natGwPodContainerRestartCount > 0 {
+			podAnnotations[util.VpcNatGatewayContainerRestartAnnotation] = ""
+		}
 	}
 	klog.V(3).Infof("%s podAnnotations:%v", gw.Name, podAnnotations)
 

pkg/util/vpc_nat_gateway.go

@@ -59,12 +59,21 @@ func GenNatGwSelectors(selectors []string) map[string]string {
 }
 
 // GenNatGwPodAnnotations returns the Pod annotations for a NAT gateway
-func GenNatGwPodAnnotations(gw *kubeovnv1.VpcNatGateway, externalNadNamespace, externalNadName string) map[string]string {
+// additionalNetworks is optional, used when user specifies extra NADs in gw.Annotations
+func GenNatGwPodAnnotations(gw *kubeovnv1.VpcNatGateway, externalNadNamespace, externalNadName, provider, additionalNetworks string) map[string]string {
+	p := provider
+	if p == "" {
+		p = OvnProvider
+	}
+	attachedNetworks := fmt.Sprintf("%s/%s", externalNadNamespace, externalNadName)
+	if additionalNetworks != "" {
+		attachedNetworks = additionalNetworks + ", " + attachedNetworks
+	}
 	return map[string]string{
-		VpcNatGatewayAnnotation:      gw.Name,
-		nadv1.NetworkAttachmentAnnot: fmt.Sprintf("%s/%s", externalNadNamespace, externalNadName),
-		LogicalSwitchAnnotation:      gw.Spec.Subnet,
-		IPAddressAnnotation:          gw.Spec.LanIP,
+		fmt.Sprintf(VpcNatGatewayAnnotationTemplate, p): gw.Name,
+		nadv1.NetworkAttachmentAnnot:                    attachedNetworks,
+		fmt.Sprintf(LogicalSwitchAnnotationTemplate, p): gw.Spec.Subnet,
+		fmt.Sprintf(IPAddressAnnotationTemplate, p):     gw.Spec.LanIP,
 	}
 }
 

pkg/util/vpc_nat_gateway_test.go

@@ -1,6 +1,7 @@
 package util
 
 import (
+	"fmt"
 	"reflect"
 	"testing"
 
@@ -265,10 +266,12 @@ func TestGenNatGwPodAnnotations(t *testing.T) {
 		gw                   v1.VpcNatGateway
 		externalNadNamespace string
 		externalNadName      string
+		provider             string
+		additionalNetworks   string
 		expected             map[string]string
 	}{
 		{
-			name: "All fields provided",
+			name: "Empty provider defaults to ovn",
 			gw: v1.VpcNatGateway{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "test-gateway",
@@ -279,14 +282,82 @@ func TestGenNatGwPodAnnotations(t *testing.T) {
 				},
 			},
 			externalNadName:      "external-subnet",
-			externalNadNamespace: "kube-system",
+			externalNadNamespace: metav1.NamespaceSystem,
+			provider:             "",
+			additionalNetworks:   "",
 			expected: map[string]string{
 				VpcNatGatewayAnnotation:      "test-gateway",
 				nadv1.NetworkAttachmentAnnot: "kube-system/external-subnet",
 				LogicalSwitchAnnotation:      "internal-subnet",
 				IPAddressAnnotation:          "10.20.30.40",
 			},
 		},
+		{
+			name: "All fields provided with ovn provider",
+			gw: v1.VpcNatGateway{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-gateway",
+				},
+				Spec: v1.VpcNatGatewaySpec{
+					Subnet: "internal-subnet",
+					LanIP:  "10.20.30.40",
+				},
+			},
+			externalNadName:      "external-subnet",
+			externalNadNamespace: metav1.NamespaceSystem,
+			provider:             OvnProvider,
+			additionalNetworks:   "",
+			expected: map[string]string{
+				VpcNatGatewayAnnotation:      "test-gateway",
+				nadv1.NetworkAttachmentAnnot: "kube-system/external-subnet",
+				LogicalSwitchAnnotation:      "internal-subnet",
+				IPAddressAnnotation:          "10.20.30.40",
+			},
+		},
+		{
+			name: "All fields provided with NAD provider",
+			gw: v1.VpcNatGateway{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-gateway",
+				},
+				Spec: v1.VpcNatGatewaySpec{
+					Subnet: "internal-subnet",
+					LanIP:  "10.20.30.40",
+				},
+			},
+			externalNadName:      "external-subnet",
+			externalNadNamespace: metav1.NamespaceSystem,
+			provider:             "subnet.namespace.ovn",
+			additionalNetworks:   "",
+			expected: map[string]string{
+				fmt.Sprintf(VpcNatGatewayAnnotationTemplate, "subnet.namespace.ovn"): "test-gateway",
+				nadv1.NetworkAttachmentAnnot:                                         "kube-system/external-subnet",
+				fmt.Sprintf(LogicalSwitchAnnotationTemplate, "subnet.namespace.ovn"): "internal-subnet",
+				fmt.Sprintf(IPAddressAnnotationTemplate, "subnet.namespace.ovn"):     "10.20.30.40",
+			},
+		},
+		{
+			name: "With additional networks for secondary CNI",
+			gw: v1.VpcNatGateway{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-gateway",
+				},
+				Spec: v1.VpcNatGatewaySpec{
+					Subnet: "internal-subnet",
+					LanIP:  "10.20.30.40",
+				},
+			},
+			externalNadName:      "external-subnet",
+			externalNadNamespace: metav1.NamespaceSystem,
+			provider:             "subnet.namespace.ovn",
+			additionalNetworks:   "default/extra-net1, default/extra-net2",
+			expected: map[string]string{
+				fmt.Sprintf(VpcNatGatewayAnnotationTemplate, "subnet.namespace.ovn"): "test-gateway",
+				nadv1.NetworkAttachmentAnnot:                                         "default/extra-net1, default/extra-net2, kube-system/external-subnet",
+				fmt.Sprintf(LogicalSwitchAnnotationTemplate, "subnet.namespace.ovn"): "internal-subnet",
+				fmt.Sprintf(IPAddressAnnotationTemplate, "subnet.namespace.ovn"):     "10.20.30.40",
+			},
+		},
 		{
 			name: "No static LAN IP",
 			gw: v1.VpcNatGateway{
@@ -299,7 +370,9 @@ func TestGenNatGwPodAnnotations(t *testing.T) {
 				},
 			},
 			externalNadName:      "external-subnet",
-			externalNadNamespace: "kube-system",
+			externalNadNamespace: metav1.NamespaceSystem,
+			provider:             OvnProvider,
+			additionalNetworks:   "",
 			expected: map[string]string{
 				VpcNatGatewayAnnotation:      "test-gateway",
 				nadv1.NetworkAttachmentAnnot: "kube-system/external-subnet",
@@ -311,7 +384,7 @@ func TestGenNatGwPodAnnotations(t *testing.T) {
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			result := GenNatGwPodAnnotations(&tc.gw, tc.externalNadNamespace, tc.externalNadName)
+			result := GenNatGwPodAnnotations(&tc.gw, tc.externalNadNamespace, tc.externalNadName, tc.provider, tc.additionalNetworks)
 			if !reflect.DeepEqual(tc.expected, result) {
 				t.Errorf("got %v, but want %v", result, tc.expected)
 			}