any vpc can use any external subnet

[zbb88888]

Pull Request

• Make sure you have followed Kube-OVN Code Style.

What type of this PR

Examples of user facing changes:

• Features

any vpc can use any external subnet

For ovn-cluster to use the default external subnet:

1. Use enable-eip-snat
2. Use VPC spec enableExternal

For a custom VPC to use the default external subnet:

1. Use VPC spec enableExternal

For any VPC to use any provider-network vlan (external) subnet

1. Set the external subnet in the Vpc spec ExtraExternalSubnets
2. Set the enableExternal to true at the same time

Which issue(s) this PR fixes

Fixes #(issue-number)

[gemini-code-assist]

Hello @zbb88888, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Summary of Changes

Hello! I'm gemini-code-assist, here to provide a summary of this pull request. This PR, authored by zbb88888, aims to enhance the networking capabilities by allowing any Virtual Private Cloud (VPC) to utilize any external subnet, removing the previous limitation where typically only the default VPC could connect to the default external network. The changes involve significant refactoring within the VPC controller to manage external connectivity and BFD sessions for custom VPCs, as well as minor adjustments in the external gateway controller and API definitions.

Highlights

• Enhanced VPC External Connectivity: The core change allows any custom VPC to connect to external networks, not just the default VPC. This includes connecting to the default external subnet and/or additional external subnets specified in the VPC configuration.
• VPC Controller Refactoring: The logic for handling VPC external connections has been refactored into a dedicated function (handleUpdateVpcExternal) within the VPC controller, centralizing the management of adding and removing external subnet connections based on the VPC spec and status.
• Support for Multiple External Subnets: The controller now correctly handles the ExtraExternalSubnets field, allowing a VPC to connect to multiple external subnets (primarily provider network VLAN subnets) in addition to the default external subnet.
• BFD Integration for Custom VPCs: BFD session management, previously more tied to the default external gateway, is now integrated into the custom VPC external handling logic, enabling BFD for custom VPCs connected to the default external subnet gateway.
• Centralized Status Updates: VPC status updates related to external connectivity (EnableExternal, ExtraExternalSubnets, EnableBfd) are now handled in a single, centralized function (updateVpcExternalStatus), improving consistency.

Changelog

Click here to see the changelog

• pkg/apis/kubeovn/v1/vpc.go
  • Added clarifying comments to the EnableExternal and ExtraExternalSubnets fields in the VpcSpec struct to better explain their intended use.
• pkg/controller/external_gw.go
  • Added a check in resyncExternalGateway to skip default VPC external gateway handling if the default VPC is configured with ExtraExternalSubnets, deferring this case to the VPC controller.
• pkg/controller/vpc.go
  • Refactored the main VPC external connectivity logic from handleAddOrUpdateVpc into a new helper function handleUpdateVpcExternal (Diff 3).
  • Modified handleAddOrUpdateVpc to call handleUpdateVpcExternal when a VPC's external status needs reconciliation (Diff 3).
  • Updated handleUpdateVpcExternal to manage connections for both the default external subnet and ExtraExternalSubnets for any VPC based on spec and status differences (Diff 3).
  • Added a check to prevent using logical gateway external subnets for external access in the VPC controller's handling (Diff 1).
  • Improved error handling when the external subnet gateway address is not available (Diff 2).
  • Integrated BFD session creation and deletion logic for custom VPCs enabling BFD with external connectivity (Diff 3).
  • Removed redundant VPC status updates from handleAddVpcExternalSubnet and handleDelVpcExternalSubnet (Diff 4, 6).
  • Renamed updateVpcAddExternalStatus to updateVpcExternalStatus and updated it to centrally manage the EnableExternal, ExtraExternalSubnets, and EnableBfd status fields based on the spec (Diff 7).
  • Changed the log level for deleting VPC LRPs from debug (V(3)) to info (Diff 5).

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

---

Routers connect with flair,
Sending packets through the air.
Subnets align,
Connections shine,
Networking beyond compare.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request aims to enhance VPC external connectivity by allowing any VPC to use any external subnet, which is a valuable feature for flexibility. The changes primarily involve refactoring the external subnet handling logic within the VPC controller and adjusting the external gateway controller's behavior for the default VPC.

The refactoring in pkg/controller/vpc.go into the new handleUpdateVpcExternal function is a significant part of this effort. While the overall direction is good, there are a few potential issues related to the logic for connecting the default external subnet when extra subnets are also specified, and the logic for disconnecting extra subnets when external access is disabled. Additionally, some areas could benefit from further refactoring for clarity and maintainability.

Summary of Findings

• Default External Subnet Connection Logic: In handleUpdateVpcExternal, if EnableExternal: true and ExtraExternalSubnets are also specified, the default external subnet might not be connected during initial enablement. This could be a functional bug if EnableExternal is meant to always manage the default external subnet connection. (Severity: High)
• Incorrect Disabling Logic for ExtraExternalSubnets: In handleUpdateVpcExternal, when EnableExternal is set to false, the logic for removing ExtraExternalSubnets incorrectly depends on the current spec. It should remove all active extra subnets listed in the status. (Severity: High)
• Function Complexity: The function handleUpdateVpcExternal in pkg/controller/vpc.go is quite long. Breaking it into smaller helper functions could improve maintainability. (Severity: Medium)
• Clarity in Status Update Function: The function updateVpcExternalStatus in pkg/controller/vpc.go modifies a spec field (vpc.Spec.EnableExternal) which is confusing for a status update function. (Severity: Medium)
• Parameter Typo: In pkg/controller/vpc.go, the parameter defualtExternalSubnetExist in handleUpdateVpcExternal is misspelled. (Severity: Low, not commented due to review settings)

Merge Readiness

This pull request introduces significant changes to how VPC external subnets are handled. While the refactoring is a good step towards more flexible external connectivity, there are a couple of high-severity issues identified in pkg/controller/vpc.go concerning the logic for connecting the default external subnet and disconnecting extra subnets. These issues could lead to incorrect network configurations.

Additionally, there are medium-severity suggestions for improving code clarity and maintainability.

I recommend that the high-severity issues be addressed before merging this pull request. As an AI reviewer, I am not authorized to approve pull requests; please ensure further review and approval from other maintainers.

[gemini-code-assist]

There appears to be a potential issue with how the default external subnet is handled when vpc.Spec.EnableExternal is true, a default external subnet exists (defualtExternalSubnetExist), and vpc.Spec.ExtraExternalSubnets are also specified, particularly during the initial enablement (!vpc.Status.EnableExternal).

Currently:

1. If vpc.Spec.ExtraExternalSubnets == nil && defualtExternalSubnetExist (line 635), the default external subnet is connected.
2. Then, the loop at line 645 connects subnets from vpc.Spec.ExtraExternalSubnets.

If vpc.Spec.ExtraExternalSubnets is not nil, the condition at line 635 is false, and the default external subnet is not connected by that block. The loop at line 645 then only connects the ExtraExternalSubnets.

This means if EnableExternal: true and ExtraExternalSubnets are provided, the default external subnet (e.g., ovn-external) might not be connected, even if it exists and EnableExternal is intended to manage it (as per the comment // EnableExternal only handle default external subnet in pkg/apis/kubeovn/v1/vpc.go).

Could you clarify if this is the intended behavior? If EnableExternal: true should always attempt to connect the default external subnet (when available), this logic might need adjustment to ensure it's connected regardless of the presence of ExtraExternalSubnets.

[gemini-code-assist]

When !vpc.Spec.EnableExternal && vpc.Status.EnableExternal (i.e., external access is being disabled for the VPC), the logic for removing ExtraExternalSubnets seems incorrect.

The current loop iterates vpc.Status.ExtraExternalSubnets and only disconnects a subnet if !slices.Contains(vpc.Spec.ExtraExternalSubnets, subnet).

However, if vpc.Spec.EnableExternal is false, all external connections, including all ExtraExternalSubnets that were previously active (and are in vpc.Status.ExtraExternalSubnets), should be removed. The contents of vpc.Spec.ExtraExternalSubnets should be irrelevant at this point for deciding which active connections to tear down, as the overarching EnableExternal flag is false.

This could lead to stale connections if EnableExternal is set to false but some subnets remain listed in vpc.Spec.ExtraExternalSubnets that were also in vpc.Status.ExtraExternalSubnets.

Shouldn't all subnets listed in vpc.Status.ExtraExternalSubnets be disconnected here, similar to how the default external subnet is unconditionally disconnected at line 617?

		for _, subnet := range vpc.Status.ExtraExternalSubnets {
			klog.Infof("disconnect external subnet %s to vpc %s because EnableExternal is false", subnet, vpc.Name)
			if err := c.handleDelVpcExternalSubnet(vpc.Name, subnet); err != nil {
				klog.Errorf("failed to delete external subnet %s connection for vpc %s, error %v", subnet, vpc.Name, err)
				return err
			}
		}

[gemini-code-assist]

The new function handleUpdateVpcExternal is quite comprehensive, covering various scenarios for enabling, disabling, and managing BFD for external connections. However, it's over 120 lines long.

To improve readability and maintainability, would it be beneficial to break this function down into smaller, more focused helper functions? For example, separate functions for:

• Handling the disabling of external connections.
• Handling the initial enablement of external connections.
• Handling the diffing of ExtraExternalSubnets.
• Managing BFD setup and teardown.

[gemini-code-assist]

This line vpc.Spec.EnableExternal = enableExternal within updateVpcExternalStatus is a bit confusing. This function's primary purpose is to update the status of the VPC. While vpc is a deep copy and this change won't alter the actual CRD's spec (since it's a status patch), modifying a spec field here can be misleading for future readers.

The logic within this function correctly uses the enableExternal parameter (which should reflect the desired spec state) to determine the status fields. Could this line be removed to avoid potential confusion, as the spec of the cachedVpc or the enableExternal parameter itself should be the source of truth for spec values?

[coveralls]

Pull Request Test Coverage Report for Build 15248317977

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

• For more information on this, see Tracking coverage changes with pull request builds.
• To avoid this issue with future PRs, see these Recommended CI Configurations.
• For a quick fix, rebase this PR at GitHub. Your next report should be accurate.

Details

• 0 of 131 (0.0%) changed or added relevant lines in 2 files are covered.
• 5 unchanged lines in 1 file lost coverage.
• Overall coverage increased (+0.008%) to 21.856%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
pkg/controller/external_gw.go	0	11	0.0%
pkg/controller/vpc.go	0	120	0.0%

Files with Coverage Reduction	New Missed Lines	%
pkg/controller/vpc.go	5	0.0%

Totals
Change from base Build 15232125288:	0.008%
Covered Lines:	10366
Relevant Lines:	47428

---

💛 - Coveralls