AV-220286 set tenant from gslbconfig if namespacetenant is empty but …

…k8s object contains tenant annotation
vmware · Nov 3, 2024 · 97b5174 · 97b5174
1 parent 5e90fc2
commit 97b5174
Show file tree

Hide file tree

Showing 7 changed files with 161 additions and 55 deletions.
diff --git a/gslb/gslbutils/gslbutils.go b/gslb/gslbutils/gslbutils.go
@@ -491,6 +491,15 @@ func GetTenantInNamespaceAnnotation(namespace, cname string) string {
 	return tenant
 }
 
+func CheckTenant(namespace, cname, tenant string) bool {
+	namespaceTenant := GetTenantInNamespaceAnnotation(namespace, cname)
+	if namespaceTenant != "" && tenant != namespaceTenant {
+		Logf("cluster: %s, nstenant: %s, tenant: %s, msg: %s\n", cname, namespaceTenant, tenant, "rejected object because object tenant is not same as namespace")
+		return false
+	}
+	return true
+}
+
 var allClusterContexts []string
 
 func AddClusterContext(cc string) {

diff --git a/gslb/ingestion/event_handlers.go b/gslb/ingestion/event_handlers.go
diff --git a/gslb/ingestion/fullsync.go b/gslb/ingestion/fullsync.go
@@ -56,7 +56,8 @@ func fetchAndApplyAllIngresses(c *GSLBMemberController, nsList *corev1.Namespace
 	}
 	for _, ing := range ingList {
 		ihms := k8sobjects.GetIngressHostMeta(ing, c.GetName())
-		filterAndAddIngressMeta(ihms, c, acceptedIngStore, rejectedIngStore, 0, true)
+		namespaceTenant := gslbutils.GetTenantInNamespaceAnnotation(ing.Namespace, c.GetName())
+		filterAndAddIngressMeta(ihms, c, acceptedIngStore, rejectedIngStore, 0, true, namespaceTenant)
 	}
 }
 
@@ -81,6 +82,9 @@ func fetchAndApplyAllServices(c *GSLBMemberController, nsList *corev1.NamespaceL
 					c.GetName(), namespace.Name, svc.Name)
 				continue
 			}
+			if !gslbutils.CheckTenant(svc.Namespace, c.GetName(), svcMeta.Tenant) {
+				continue
+			}
 			if !filter.ApplyFilter(filter.FilterArgs{
 				Obj:     svcMeta,
 				Cluster: c.GetName(),
@@ -113,6 +117,9 @@ func fetchAndApplyAllRoutes(c *GSLBMemberController, nsList *corev1.NamespaceLis
 					routeMeta.Name, "rejected ADD route because IP address/hostname not found in status field")
 				continue
 			}
+			if !gslbutils.CheckTenant(route.Namespace, c.GetName(), routeMeta.Tenant) {
+				continue
+			}
 			if !filter.ApplyFilter(filter.FilterArgs{
 				Cluster: c.name,
 				Obj:     routeMeta,
@@ -146,7 +153,8 @@ func fetchAndApplyAllMultiClusterIngresses(c *GSLBMemberController, nsList *core
 	}
 	for _, mci := range mciList {
 		ihms := k8sobjects.GetHostMetaForMultiClusterIngress(mci, c.GetName())
-		filterAndAddMultiClusterIngressMeta(ihms, c, acceptedStore, rejectedStore, 0, true)
+		namespaceTenant := gslbutils.GetTenantInNamespaceAnnotation(mci.Namespace, c.name)
+		filterAndAddMultiClusterIngressMeta(ihms, c, acceptedStore, rejectedStore, 0, true, namespaceTenant)
 	}
 }
 

diff --git a/gslb/k8sobjects/ingress_object.go b/gslb/k8sobjects/ingress_object.go
@@ -141,6 +141,13 @@ func GetIngressHostMeta(ingress *networkingv1.Ingress, cname string) []IngressHo
 	var controllerUUID, tenant string
 
 	vsUUIDs, controllerUUID, tenant, err = parseVSAndControllerAnnotations(ingress.Annotations)
+	namespaceTenant := gslbutils.GetTenantInNamespaceAnnotation(ingress.Namespace, cname)
+
+	if namespaceTenant == "" {
+		tenant = gslbutils.GetTenant()
+		gslbutils.Debugf("cluster: %s, ns: %s, ingress: %s, tenant:%s, namespaceTenant %s ",
+			cname, ingress.Namespace, ingress.Name, tenant, namespaceTenant)
+	}
 	if err != nil && !syncVIPsOnly {
 		// Note that the ingress key will still be published to graph layer, but the key
 		// won't be processed, this is just to maintain the ingress information as part

diff --git a/gslb/k8sobjects/multicluster_ingress_objects.go b/gslb/k8sobjects/multicluster_ingress_objects.go
@@ -62,6 +62,10 @@ func GetHostMetaForMultiClusterIngress(mci *akov1alpha1.MultiClusterIngress, cna
 	var controllerUUID, tenant string
 
 	vsUUIDs, controllerUUID, tenant, err = parseVSAndControllerAnnotations(mci.ObjectMeta.Annotations)
+	namespaceTenant := gslbutils.GetTenantInNamespaceAnnotation(mci.Namespace, cname)
+	if namespaceTenant == "" {
+		tenant = gslbutils.GetTenant()
+	}
 	if err != nil && !syncVIPsOnly {
 		// Note that the ingress key will still be published to graph layer, but the key
 		// won't be processed, this is just to maintain the ingress information as part

diff --git a/gslb/k8sobjects/route_object.go b/gslb/k8sobjects/route_object.go
@@ -56,6 +56,12 @@ func GetRouteMeta(route *routev1.Route, cname string) RouteMeta {
 		gslbutils.Logf("cluster: %s, ns: %s, route: %s, msg: parsing Controller annotations", cname, route.Namespace, route.Name)
 		vsUUIDs, controllerUUID, tenant, err = parseVSAndControllerAnnotations(route.Annotations)
 	}
+	namespaceTenant := gslbutils.GetTenantInNamespaceAnnotation(route.Namespace, cname)
+	if namespaceTenant == "" {
+		tenant = gslbutils.GetTenant()
+		gslbutils.Debugf("cluster: %s, ns: %s, ingress: %s, tenant:%s, namespaceTenant %s ",
+			cname, route.Namespace, route.Name, tenant, namespaceTenant)
+	}
 	if err != nil && !syncVIPsOnly {
 		gslbutils.Logf("cluster: %s, ns: %s, route: %s, msg: skipping route because of error: %v",
 			cname, route.Namespace, route.Name, err)

diff --git a/gslb/k8sobjects/service_object.go b/gslb/k8sobjects/service_object.go
@@ -83,6 +83,10 @@ func GetSvcMeta(svc *corev1.Service, cname string) (SvcMeta, bool) {
 			cname, svc.Namespace, svc.Name, err)
 	}
 	vsUUIDs, controllerUUID, tenant, err := parseVSAndControllerAnnotations(svc.Annotations)
+	namespaceTenant := gslbutils.GetTenantInNamespaceAnnotation(svc.Namespace, cname)
+	if namespaceTenant == "" {
+		tenant = gslbutils.GetTenant()
+	}
 	if err != nil && !syncVIPsOnly {
 		gslbutils.Logf("cluster: %s, ns: %s, service: %s, msg: skipping service because of error in parsing VS and Controller annotations: %v",
 			cname, svc.Namespace, svc.Name, err)