From 5a386f8b0d0a5bdc56549f40d4affabf65c2a5ef Mon Sep 17 00:00:00 2001
From: Rahul Jain
Date: Tue, 25 Oct 2022 03:33:26 -0700
Subject: [PATCH] Update rule realization for failure case too

With antrea 1.9, networkpolicystatus support realization status and error msg field. Added the backend support in Nephe too to report realization for both success and failure case.

Signed-off-by: Rahul Jain
---
 pkg/controllers/cloud/networkpolicy.go | 28 ++++---------------
 .../cloud/networkpolicy_controller.go | 26 +++++++++++++++++
 2 files changed, 32 insertions(+), 22 deletions(-)

diff --git a/pkg/controllers/cloud/networkpolicy.go b/pkg/controllers/cloud/networkpolicy.go
index 6563b60b..d2db2561 100644
--- a/pkg/controllers/cloud/networkpolicy.go
+++ b/pkg/controllers/cloud/networkpolicy.go
@@ -23,7 +23,6 @@ import (
 "github.com/mohae/deepcopy"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/client-go/tools/cache"
 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -1008,8 +1007,8 @@ func (a *appliedToSecurityGroup) getStatus() error {
 return &InProgress{}
 }
 
-// updateRuleRealizationState report ANP realization status to Antrea Controller.
-func (a *appliedToSecurityGroup) updateRuleRealizationState(r *NetworkPolicyReconciler) {
+// updateRuleRealizationState update all ANPs status for a given appliedToGroup.
+func (a *appliedToSecurityGroup) updateRuleRealizationState(r *NetworkPolicyReconciler, failed bool, msg string) {
 nps, err := r.networkPolicyIndexer.ByIndex(networkPolicyIndexerByAppliedToGrp, a.id.Name)
 if err != nil {
 r.Log.Error(err, "Get networkPolicy indexer failed.", "appliedToGroup", a.id.Name)
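Review bot: The new `failed` and `msg` parameters on updateRuleRealizationState are undocumented, and the rewritten doc comment does not say what the flag changes in the status that gets reported. Suggest `// updateRuleRealizationState reports realization status for every ANP indexed under this appliedToGroup; when failed is true the status carries RealizationFailure and msg as the failure message.` The function body continues in the next hunk.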
@@ -1017,24 +1016,8 @@ func (a *appliedToSecurityGroup) updateRuleRealizationState(r *NetworkPolicyReco
 }
 // Walk through all the ANPs for a given appliedToGroup and report combined status.
 for _, i := range nps {
- np := i.(*networkPolicy)
- status := &antreanetworking.NetworkPolicyStatus{
- ObjectMeta: metav1.ObjectMeta{
- Name: string(np.UID),
- Namespace: np.Namespace,
- },
-
- Nodes: []antreanetworking.NetworkPolicyNodeStatus{
- {
- NodeName: config.ANPNepheController,
- Generation: np.Generation,
- },
- },
- }
- r.Log.V(1).Info("Updating rule realization.", "NP", np.Name, "Namespace", np.Namespace)
- if err := r.antreaClient.NetworkPolicies().UpdateStatus(context.TODO(), status.Name, status); err != nil {
- r.Log.Error(err, "Rule realization failed.", "NP", np.Name, "Namespace", np.Namespace)
- }
+ np := i.(*networkPolicy).NetworkPolicy
+ r.sendRuleRealizationStatus(&np, failed, msg)
 }
 }
 
@@ -1058,6 +1041,7 @@ func (a *appliedToSecurityGroup) notify(op securityGroupOperation, status error,
 a.status = status
 }
 if status != nil {
+ a.updateRuleRealizationState(r, true, status.Error())
 r.Log.Error(status, "AppliedToSecurityGroup operation failed", "Name", a.id.Name, "Op", op)
 return nil
 }
@@ -1078,7 +1062,7 @@ func (a *appliedToSecurityGroup) notify(op securityGroupOperation, status error,
 a.hasMembers = true
 case securityGroupOperationUpdateRules:
 // AppliedToSecurityGroup added rules, now update rule realization state, addrGroup references and add members.
- a.updateRuleRealizationState(r)
+ a.updateRuleRealizationState(r, false, "")
 if err := a.updateAddrGroupReference(r); err != nil {
 return err
 }
diff --git a/pkg/controllers/cloud/networkpolicy_controller.go b/pkg/controllers/cloud/networkpolicy_controller.go
index 090eea90..6c2c8962 100644
--- a/pkg/controllers/cloud/networkpolicy_controller.go
+++ b/pkg/controllers/cloud/networkpolicy_controller.go
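Review bot: `np := i.(*networkPolicy).NetworkPolicy` copies the whole embedded NetworkPolicy on every iteration only to take its address on the next line; sendRuleRealizationStatus, as added in networkpolicy_controller.go, reads only UID, Namespace, Generation and Name, so `r.sendRuleRealizationStatus(&i.(*networkPolicy).NetworkPolicy, failed, msg)` does the same work without the copy. If the copy is deliberate, to keep a pointer into the indexer's stored object from being handed out, a one-line comment saying so would stop the next reader from removing it. The enclosing function starts in the previous hunk.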
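Review bot: The `a.updateRuleRealizationState(r, true, status.Error())` added at the top of the `if status != nil` branch runs for every failed operation regardless of `op`, so if operations other than securityGroupOperationUpdateRules reach this branch, a failed member or delete operation would also mark every ANP under this appliedToGroup with RealizationFailure, which the success path (only reported under the UpdateRules case, as the following hunk shows) does not mirror. If that is intended, a comment to that effect would help; otherwise gate it, e.g. `if op == securityGroupOperationUpdateRules { a.updateRuleRealizationState(r, true, status.Error()) }`. notify starts and ends outside the hunk.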
@@ -130,6 +130,31 @@ func (r *NetworkPolicyReconciler) isNetworkPolicySupported(anp *antreanetworking
 return nil
 }
 
+// sendRuleRealizationStatus send anp realization status to antrea controller.
+func (r *NetworkPolicyReconciler) sendRuleRealizationStatus(anp *antreanetworking.NetworkPolicy, failed bool, msg string) {
+ status := &antreanetworking.NetworkPolicyStatus{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: string(anp.UID),
+ Namespace: anp.Namespace,
+ },
+
+ Nodes: []antreanetworking.NetworkPolicyNodeStatus{
+ {
+ NodeName: config.ANPNepheController,
+ Generation: anp.Generation,
+ },
+ },
+ }
+ if failed {
+ status.Nodes[0].RealizationFailure = true
+ status.Nodes[0].Message = msg
+ }
+ r.Log.V(1).Info("Updating rule realization.", "NP", anp.Name, "Namespace", anp.Namespace)
+ if err := r.antreaClient.NetworkPolicies().UpdateStatus(context.TODO(), status.Name, status); err != nil {
+ r.Log.Error(err, "rule realization send failed.", "NP", anp.Name, "Namespace", anp.Namespace)
+ }
+}
+
 // normalizedANPObject updates ANP object with Nephe friendly name. Required for Azure
 // cloud which doesn't handles / in any cloud resource name.
 func (r *NetworkPolicyReconciler) normalizedANPObject(anp *antreanetworking.NetworkPolicy) {
@@ -394,6 +419,7 @@ func (r *NetworkPolicyReconciler) processNetworkPolicy(event watch.Event) error
 r.Log.V(1).Info("Received NetworkPolicy event", "type", event.Type, "obj", anp)
 if err := r.isNetworkPolicySupported(anp); err != nil {
+ r.sendRuleRealizationStatus(anp, true, err.Error())
 return err
 }
 if anp.Namespace == "" {
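Review bot: `status.Nodes[0].Message = msg` writes the raw error string (status.Error() in notify and err.Error() in processNetworkPolicy at the two call sites) into the NetworkPolicyStatus object unchanged, so whatever a cloud provider puts in its error text — request identifiers, resource names, account details — becomes readable by every client that can read that status, and its length is unbounded. Consider bounding it here rather than at each caller, e.g. `if len(msg) > maxRealizationMsgLen { msg = msg[:maxRealizationMsgLen] }` with maxRealizationMsgLen a new constant, and stripping provider-specific identifiers before it leaves the controller. The UpdateStatus error is only logged, so callers cannot tell that a failure was never reported; if that matters, return it instead of swallowing it. The doc comment should also read `// sendRuleRealizationStatus sends the realization status of anp to the Antrea controller; when failed is true it sets RealizationFailure and Message on the Nephe node entry.`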
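Review bot: The new `r.sendRuleRealizationStatus(anp, true, err.Error())` runs before anything in this hunk inspects `event.Type`, so if Deleted events reach this check (the earlier part of processNetworkPolicy is not visible here) an unsupported policy's deletion would trigger an UpdateStatus against an object that no longer exists and log an error on every such event. If event types are already filtered before this point, a short comment such as `// Report the unsupported policy as failed so the status is visible to the user.` would make the intent clear; otherwise guard on the event type first. processNetworkPolicy starts and ends outside the hunk.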