noironetworks / aci-containers / 11978

64%

master: 63%

Build Type

push

travis-pro

Committed by jeffinkottaram

Commit Message

Resolve named port conflicts across sibling NPs in shared HPP

When HPP optimization is enabled, multiple NetworkPolicies with
identical specs (same hash excluding PodSelector) share a single HPP
object. If these sibling NPs have named ports that resolve to different
numeric ports (e.g., NP1's "http" -> 80, NP2's "http" -> 8080), only the
last-processed NP's rules survived — the other sibling's rules were
silently dropped on each rebuild.

This happened because the shared HPP was rebuilt from scratch each time
any sibling NP was reprocessed, with no mechanism to preserve rules
contributed by other siblings.

Changes:
- Rule naming uses ingress-rule-index + proto-port (e.g.,
  "0-ipv4__tcp-80") instead of NP name, so sibling NPs produce stable,
  identical names for the same port
- Added per-NP ingress rule caching in hppReference.NpIngressRules to
  track which rules belong to which NP
- After generating rules for an NP, merges cached sibling NP rules into
  the subject before writing
- On NP deletion, requeues a sibling so the HPP is rewritten without
  stale entries
- Fixed MO leak: ClearApicObjects when removeFromHppCache returns no
  remaining hppRef
- Fixed nil-pointer panic in networkPolicyDeleted when
  DeletedFinalStateUnknown wraps a non-NetworkPolicy object
- Removed unused np parameter from buildLocalNetPolSubjRules

Test changes:
- Added TestNetworkPolicyMultipleNPsSharedHPPNamedPorts and
  TestNetworkPolicyMultipleNPsSharedHPPNamedPortsDirect covering the
  sibling-NP merge for both APIC and HPP-Direct paths
- Updated existing HppOptimize test expectations for new rule naming
  and buildLocalNetPolSubjRules signature

Coverage Stats

136 of 151 new or added lines in 1 file covered. (90.07%)

5 existing lines in 2 files now uncovered.

13675 of 21389 relevant lines covered (63.93%)

0.73 hits per line