Add tests for VIP finalizer handling and subnet status updates

makefiles/e2e.mk

@@ -205,15 +205,31 @@ vpc-egress-gateway-e2e:
 	ginkgo $(GINKGO_OUTPUT_OPT) $(GINKGO_PARALLEL_OPT) --randomize-all -v --timeout=30m \
 		--focus=CNI:Kube-OVN ./test/e2e/vpc-egress-gateway/vpc-egress-gateway.test -- $(TEST_BIN_ARGS)
 
-.PHONY: iptables-vpc-nat-gw-conformance-e2e
-iptables-vpc-nat-gw-conformance-e2e:
+.PHONY: iptables-eip-conformance-e2e
+iptables-eip-conformance-e2e:
 	ginkgo build $(E2E_BUILD_FLAGS) ./test/e2e/iptables-vpc-nat-gw
 	E2E_BRANCH=$(E2E_BRANCH) \
 	E2E_IP_FAMILY=$(E2E_IP_FAMILY) \
 	E2E_NETWORK_MODE=$(E2E_NETWORK_MODE) \
 	ginkgo $(GINKGO_OUTPUT_OPT) $(GINKGO_PARALLEL_OPT) --randomize-all -v \
 		--focus=CNI:Kube-OVN ./test/e2e/iptables-vpc-nat-gw/iptables-vpc-nat-gw.test -- $(TEST_BIN_ARGS)
 
+.PHONY: iptables-eip-qos-conformance-e2e
+iptables-eip-qos-conformance-e2e:
+	ginkgo build $(E2E_BUILD_FLAGS) ./test/e2e/iptables-eip-qos
+	E2E_BRANCH=$(E2E_BRANCH) \
+	E2E_IP_FAMILY=$(E2E_IP_FAMILY) \
+	E2E_NETWORK_MODE=$(E2E_NETWORK_MODE) \
+	ginkgo $(GINKGO_OUTPUT_OPT) --randomize-all -v \
+		--focus=CNI:Kube-OVN ./test/e2e/iptables-eip-qos/iptables-eip-qos.test -- $(TEST_BIN_ARGS)
+
+.PHONY: iptables-vpc-nat-gw-conformance-e2e
+iptables-vpc-nat-gw-conformance-e2e:
+	$(MAKE) iptables-eip-conformance-e2e
+	$(MAKE) iptables-eip-qos-conformance-e2e
+
+
+
 .PHONY: ovn-vpc-nat-gw-conformance-e2e
 ovn-vpc-nat-gw-conformance-e2e:
 	ginkgo build $(E2E_BUILD_FLAGS) ./test/e2e/ovn-vpc-nat-gw

pkg/controller/controller.go

@@ -159,7 +159,7 @@ type Controller struct {
 	addIptablesEipQueue    workqueue.TypedRateLimitingInterface[string]
 	updateIptablesEipQueue workqueue.TypedRateLimitingInterface[string]
 	resetIptablesEipQueue  workqueue.TypedRateLimitingInterface[string]
-	delIptablesEipQueue    workqueue.TypedRateLimitingInterface[string]
+	delIptablesEipQueue    workqueue.TypedRateLimitingInterface[*kubeovnv1.IptablesEIP]
 
 	iptablesFipsLister     kubeovnlister.IptablesFIPRuleLister
 	iptablesFipSynced      cache.InformerSynced
@@ -184,7 +184,7 @@ type Controller struct {
 	addOvnEipQueue    workqueue.TypedRateLimitingInterface[string]
 	updateOvnEipQueue workqueue.TypedRateLimitingInterface[string]
 	resetOvnEipQueue  workqueue.TypedRateLimitingInterface[string]
-	delOvnEipQueue    workqueue.TypedRateLimitingInterface[string]
+	delOvnEipQueue    workqueue.TypedRateLimitingInterface[*kubeovnv1.OvnEip]
 
 	ovnFipsLister     kubeovnlister.OvnFipLister
 	ovnFipSynced      cache.InformerSynced
@@ -472,7 +472,7 @@ func Run(ctx context.Context, config *Configuration) {
 		addIptablesEipQueue:    newTypedRateLimitingQueue("AddIptablesEip", custCrdRateLimiter),
 		updateIptablesEipQueue: newTypedRateLimitingQueue("UpdateIptablesEip", custCrdRateLimiter),
 		resetIptablesEipQueue:  newTypedRateLimitingQueue("ResetIptablesEip", custCrdRateLimiter),
-		delIptablesEipQueue:    newTypedRateLimitingQueue("DeleteIptablesEip", custCrdRateLimiter),
+		delIptablesEipQueue:    newTypedRateLimitingQueue[*kubeovnv1.IptablesEIP]("DeleteIptablesEip", nil),
 
 		iptablesFipsLister:     iptablesFipInformer.Lister(),
 		iptablesFipSynced:      iptablesFipInformer.Informer().HasSynced,
@@ -563,7 +563,7 @@ func Run(ctx context.Context, config *Configuration) {
 		addOvnEipQueue:    newTypedRateLimitingQueue("AddOvnEip", custCrdRateLimiter),
 		updateOvnEipQueue: newTypedRateLimitingQueue("UpdateOvnEip", custCrdRateLimiter),
 		resetOvnEipQueue:  newTypedRateLimitingQueue("ResetOvnEip", custCrdRateLimiter),
-		delOvnEipQueue:    newTypedRateLimitingQueue("DeleteOvnEip", custCrdRateLimiter),
+		delOvnEipQueue:    newTypedRateLimitingQueue[*kubeovnv1.OvnEip]("DeleteOvnEip", nil),
 
 		ovnFipsLister:     ovnFipInformer.Lister(),
 		ovnFipSynced:      ovnFipInformer.Informer().HasSynced,

pkg/controller/ippool.go

@@ -52,7 +52,7 @@ func (c *Controller) enqueueUpdateIPPool(oldObj, newObj any) {
 	newIPPool := newObj.(*kubeovnv1.IPPool)
 	if !newIPPool.DeletionTimestamp.IsZero() {
 		klog.V(3).Infof("enqueue delete ippool %s due to deletion timestamp", cache.MetaObjectToName(newIPPool).String())
-		c.deleteIPPoolQueue.Add(newIPPool.DeepCopy())
+		c.deleteIPPoolQueue.Add(newIPPool)
 		return
 	}
 	if !slices.Equal(oldIPPool.Spec.Namespaces, newIPPool.Spec.Namespaces) ||

pkg/controller/ovn_dnat.go

@@ -34,8 +34,9 @@ func (c *Controller) enqueueUpdateOvnDnatRule(oldObj, newObj any) {
 			// avoid delete twice
 			return
 		}
-		klog.Infof("enqueue del ovn dnat %s", key)
-		c.delOvnDnatRuleQueue.Add(key)
+		// DNAT with finalizer should be handled in updateOvnDnatRuleQueue
+		klog.Infof("enqueue update (deleting) ovn dnat %s", key)
+		c.updateOvnDnatRuleQueue.Add(key)
 		return
 	}
 	oldDnat := oldObj.(*kubeovnv1.OvnDnatRule)
@@ -297,6 +298,48 @@ func (c *Controller) handleUpdateOvnDnatRule(key string) error {
 		klog.Error(err)
 		return err
 	}
+
+	// Handle deletion first (for DNATs with finalizers)
+	if !cachedDnat.DeletionTimestamp.IsZero() {
+		klog.Infof("handle deleting ovn dnat %s", key)
+		if cachedDnat.Status.Vpc == "" {
+			// Already cleaned, just remove finalizer
+			if err = c.handleDelOvnDnatFinalizer(cachedDnat); err != nil {
+				klog.Errorf("failed to remove finalizer for ovn dnat %s, %v", cachedDnat.Name, err)
+				return err
+			}
+			return nil
+		}
+
+		// ovn delete dnat
+		if cachedDnat.Status.V4Eip != "" && cachedDnat.Status.ExternalPort != "" {
+			if err = c.DelDnatRule(cachedDnat.Status.Vpc, cachedDnat.Name,
+				cachedDnat.Status.V4Eip, cachedDnat.Status.ExternalPort); err != nil {
+				klog.Errorf("failed to delete v4 dnat %s, %v", key, err)
+				return err
+			}
+		}
+		if cachedDnat.Status.V6Eip != "" && cachedDnat.Status.ExternalPort != "" {
+			if err = c.DelDnatRule(cachedDnat.Status.Vpc, cachedDnat.Name,
+				cachedDnat.Status.V6Eip, cachedDnat.Status.ExternalPort); err != nil {
+				klog.Errorf("failed to delete v6 dnat %s, %v", key, err)
+				return err
+			}
+		}
+
+		// Remove finalizer
+		if err = c.handleDelOvnDnatFinalizer(cachedDnat); err != nil {
+			klog.Errorf("failed to remove finalizer for ovn dnat %s, %v", cachedDnat.Name, err)
+			return err
+		}
+
+		// Reset eip
+		if cachedDnat.Spec.OvnEip != "" {
+			c.resetOvnEipQueue.Add(cachedDnat.Spec.OvnEip)
+		}
+		return nil
+	}
+
 	if !cachedDnat.Status.Ready {
 		// create dnat only in add process, just check to error out here
 		klog.Infof("wait ovn dnat %s to be ready only in the handle add process", cachedDnat.Name)
@@ -617,6 +660,7 @@ func (c *Controller) handleAddOvnDnatFinalizer(cachedDnat *kubeovnv1.OvnDnatRule
 		err     error
 	)
 
+	controllerutil.RemoveFinalizer(newDnat, util.DepreciatedFinalizerName)
 	controllerutil.AddFinalizer(newDnat, util.KubeOVNControllerFinalizer)
 	if patch, err = util.GenerateMergePatchPayload(cachedDnat, newDnat); err != nil {
 		klog.Errorf("failed to generate patch payload for ovn dnat '%s', %v", cachedDnat.Name, err)
@@ -655,5 +699,12 @@ func (c *Controller) handleDelOvnDnatFinalizer(cachedDnat *kubeovnv1.OvnDnatRule
 		klog.Errorf("failed to remove finalizer from ovn dnat '%s', %v", cachedDnat.Name, err)
 		return err
 	}
+
+	// Trigger associated EIP to recheck if it can be deleted now
+	if cachedDnat.Spec.OvnEip != "" {
+		klog.Infof("triggering eip %s update after dnat %s deletion", cachedDnat.Spec.OvnEip, cachedDnat.Name)
+		c.updateOvnEipQueue.Add(cachedDnat.Spec.OvnEip)
+	}
+
 	return nil
 }