fix conflict after cherry-pick

Signed-off-by: bobz965 <zhangbingbing2_yewu@cmss.chinamobile.com>

Author: zbb88888

pkg/controller/controller.go

@@ -789,10 +789,6 @@ func (c *Controller) Run(ctx context.Context) {
 		util.LogFatalAndExit(err, "failed to initialize default vpc")
 	}
 
-	if err := c.initNodeChassis(); err != nil {
-		util.LogFatalAndExit(err, "failed to initialize node chassis")
-	}
-
 	// sync ip crd before initIPAM since ip crd will be used to restore vm and statefulset pod in initIPAM
 	if err := c.initSyncCrdIPs(); err != nil {
 		util.LogFatalAndExit(err, "failed to sync crd ips")
@@ -806,41 +802,22 @@ func (c *Controller) Run(ctx context.Context) {
 		util.LogFatalAndExit(err, "failed to initialize node routes")
 	}
 
-	if err := c.initDenyAllSecurityGroup(); err != nil {
-		util.LogFatalAndExit(err, "failed to initialize 'deny_all' security group")
-	}
-
-	// remove resources in ovndb that not exist any more in kubernetes resources
-	if err := c.gc(); err != nil {
-		util.LogFatalAndExit(err, "failed to run gc")
-	}
-
-	c.registerSubnetMetrics()
 	if err := c.initSyncCrdSubnets(); err != nil {
 		util.LogFatalAndExit(err, "failed to sync crd subnets")
 	}
+
 	if err := c.initSyncCrdVlans(); err != nil {
 		util.LogFatalAndExit(err, "failed to sync crd vlans")
 	}
 
-	if c.config.PodDefaultFipType == util.IptablesFip {
-		if err := c.initSyncCrdVpcNatGw(); err != nil {
-			util.LogFatalAndExit(err, "failed to sync crd vpc nat gateways")
-		}
-	}
-
-	if c.config.EnableLb {
-		if err := c.initVpcDnsConfig(); err != nil {
-			util.LogFatalAndExit(err, "failed to initialize vpc-dns")
-		}
-	}
-
 	if err := c.addNodeGwStaticRoute(); err != nil {
 		util.LogFatalAndExit(err, "failed to add static route for node gateway")
 	}
 
 	// start workers to do all the network operations
 	c.startWorkers(ctx)
+
+	c.initResourceOnce()
 	<-ctx.Done()
 	klog.Info("Shutting down workers")
 }

pkg/controller/subnet.go

@@ -751,19 +751,6 @@ func (c *Controller) handleAddOrUpdateSubnet(key string) error {
 		return err
 	}
 
-	multicastSnoopFlag := map[string]string{"mcast_snoop": "true", "mcast_querier": "false"}
-	if subnet.Spec.EnableMulicastSnoop {
-		if err := c.OVNNbClient.LogicalSwitchUpdateOtherConfig(subnet.Name, ovsdb.MutateOperationInsert, multicastSnoopFlag); err != nil {
-			klog.Errorf("enable logical switch multicast snoop %s: %v", subnet.Name, err)
-			return err
-		}
-	} else {
-		if err := c.OVNNbClient.LogicalSwitchUpdateOtherConfig(subnet.Name, ovsdb.MutateOperationDelete, multicastSnoopFlag); err != nil {
-			klog.Errorf("disable logical switch multicast snoop  %s: %v", subnet.Name, err)
-			return err
-		}
-	}
-
 	subnet.Status.EnsureStandardConditions()
 
 	if err := c.updateSubnetDHCPOption(subnet, needRouter); err != nil {

pkg/ovs/ovn-nb-acl.go

@@ -22,28 +22,32 @@ import (
 func (c *OVNNbClient) UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol string, npp []netv1.NetworkPolicyPort, logEnable bool, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) {
 	acls := make([]*ovnnb.ACL, 0)
 
-	ipSuffix := "ip4"
-	if protocol == kubeovnv1.ProtocolIPv6 {
-		ipSuffix = "ip6"
-	}
+	if strings.HasSuffix(asIngressName, ".0") || strings.HasSuffix(asIngressName, ".all") {
+		// create the default drop rule for only once
+		ipSuffix := "ip4"
+		if protocol == kubeovnv1.ProtocolIPv6 {
+			ipSuffix = "ip6"
+		}
 
-	/* default drop acl */
-	allIPMatch := NewAndACLMatch(
-		NewACLMatch("outport", "==", "@"+pgName, ""),
-		NewACLMatch(ipSuffix, "", "", ""),
-	)
-	options := func(acl *ovnnb.ACL) {
-		if logEnable {
-			acl.Log = true
-			acl.Severity = &ovnnb.ACLSeverityWarning
+		/* default drop acl */
+		allIPMatch := NewAndACLMatch(
+			NewACLMatch("outport", "==", "@"+pgName, ""),
+			NewACLMatch(ipSuffix, "", "", ""),
+		)
+		options := func(acl *ovnnb.ACL) {
+			if logEnable {
+				acl.Log = true
+				acl.Severity = &ovnnb.ACLSeverityWarning
+			}
 		}
 
-	defaultDropACL, err := c.newACLWithoutCheck(pgName, ovnnb.ACLDirectionToLport, util.IngressDefaultDrop, allIPMatch.String(), ovnnb.ACLActionDrop, options)
-	if err != nil {
-		return nil, fmt.Errorf("new default drop ingress acl for port group %s: %v", pgName, err)
-	}
+		defaultDropACL, err := c.newACLWithoutCheck(pgName, ovnnb.ACLDirectionToLport, util.IngressDefaultDrop, allIPMatch.String(), ovnnb.ACLActionDrop, options)
+		if err != nil {
+			return nil, fmt.Errorf("new default drop ingress acl for port group %s: %v", pgName, err)
+		}
 
-	acls = append(acls, defaultDropACL)
+		acls = append(acls, defaultDropACL)
+	}
 
 	/* allow acl */
 	matches := newNetworkPolicyACLMatch(pgName, asIngressName, asExceptName, protocol, ovnnb.ACLDirectionToLport, npp, namedPortMap)
@@ -68,26 +72,17 @@ func (c *OVNNbClient) UpdateIngressACLOps(pgName, asIngressName, asExceptName, p
 func (c *OVNNbClient) UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol string, npp []netv1.NetworkPolicyPort, logEnable bool, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) {
 	acls := make([]*ovnnb.ACL, 0)
 
-	ipSuffix := "ip4"
-	if protocol == kubeovnv1.ProtocolIPv6 {
-		ipSuffix = "ip6"
-	}
-
-	/* default drop acl */
-	allIPMatch := NewAndACLMatch(
-		NewACLMatch("inport", "==", "@"+pgName, ""),
-		NewACLMatch(ipSuffix, "", "", ""),
-	)
-	options := func(acl *ovnnb.ACL) {
-		if logEnable {
-			acl.Log = true
-			acl.Severity = &ovnnb.ACLSeverityWarning
+	if strings.HasSuffix(asEgressName, ".0") || strings.HasSuffix(asEgressName, ".all") {
+		// create the default drop rule for only once
+		ipSuffix := "ip4"
+		if protocol == kubeovnv1.ProtocolIPv6 {
+			ipSuffix = "ip6"
 		}
 
 		/* default drop acl */
-		allIpMatch := NewAndAclMatch(
-			NewAclMatch("inport", "==", "@"+pgName, ""),
-			NewAclMatch(ipSuffix, "", "", ""),
+		allIPMatch := NewAndACLMatch(
+			NewACLMatch("inport", "==", "@"+pgName, ""),
+			NewACLMatch(ipSuffix, "", "", ""),
 		)
 		options := func(acl *ovnnb.ACL) {
 			if logEnable {
@@ -101,13 +96,14 @@ func (c *OVNNbClient) UpdateEgressACLOps(pgName, asEgressName, asExceptName, pro
 			acl.Options["apply-after-lb"] = "true"
 		}
 
-	defaultDropACL, err := c.newACLWithoutCheck(pgName, ovnnb.ACLDirectionFromLport, util.EgressDefaultDrop, allIPMatch.String(), ovnnb.ACLActionDrop, options)
-	if err != nil {
-		klog.Error(err)
-		return nil, fmt.Errorf("new default drop egress acl for port group %s: %v", pgName, err)
-	}
+		defaultDropACL, err := c.newACLWithoutCheck(pgName, ovnnb.ACLDirectionFromLport, util.EgressDefaultDrop, allIPMatch.String(), ovnnb.ACLActionDrop, options)
+		if err != nil {
+			klog.Error(err)
+			return nil, fmt.Errorf("new default drop egress acl for port group %s: %v", pgName, err)
+		}
 
-	acls = append(acls, defaultDropACL)
+		acls = append(acls, defaultDropACL)
+	}
 
 	/* allow acl */
 	matches := newNetworkPolicyACLMatch(pgName, asEgressName, asExceptName, protocol, ovnnb.ACLDirectionFromLport, npp, namedPortMap)