Merge pull request #3766 from npinaeva/delete-acls-first

Delete address sets after acls that reference them
ovn-org · Jul 13, 2023 · eaf4827 · eaf4827
2 parents 15fe70b + 87885b0
commit eaf4827
Showing 1 changed file with 11 additions and 10 deletions.
diff --git a/go-controller/pkg/ovn/base_network_controller_policy.go b/go-controller/pkg/ovn/base_network_controller_policy.go
@@ -1268,16 +1268,6 @@ func (bnc *BaseNetworkController) cleanupNetworkPolicy(np *networkPolicy) error
 	bnc.shutdownHandlers(np)
 	var err error
 
-	// delete from peer address set
-	for i, asKey := range np.peerAddressSets {
-		if err := bnc.DeletePodSelectorAddressSet(asKey, np.getKeyWithKind()); err != nil {
-			// remove deleted address sets from the list
-			np.peerAddressSets = np.peerAddressSets[i:]
-			return fmt.Errorf("failed to delete network policy from peer address set %s: %v", asKey, err)
-		}
-	}
-	np.peerAddressSets = nil
-
 	// Delete the port group, idempotent
 	ops, err := libovsdbops.DeletePortGroupsOps(bnc.nbClient, nil, np.portGroupName)
 	if err != nil {
@@ -1303,6 +1293,17 @@ func (bnc *BaseNetworkController) cleanupNetworkPolicy(np *networkPolicy) error
 		return fmt.Errorf("unable to delete policy from default deny port groups: %v", err)
 	}
 
+	// delete from peer address set, this may cause address set deletion, so we need to
+	// do that after ACLs are deleted to avoid ovn-controller errors
+	for i, asKey := range np.peerAddressSets {
+		if err := bnc.DeletePodSelectorAddressSet(asKey, np.getKeyWithKind()); err != nil {
+			// remove deleted address sets from the list
+			np.peerAddressSets = np.peerAddressSets[i:]
+			return fmt.Errorf("failed to delete network policy from peer address set %s: %v", asKey, err)
+		}
+	}
+	np.peerAddressSets = nil
+
 	// finally, delete netpol from existing networkPolicies
 	// this is the signal that cleanup was successful
 	bnc.networkPolicies.Delete(npKey)