From e0fffa6b53b3d61b384700b50d0faa5ef1a7cebb Mon Sep 17 00:00:00 2001 From: bobz965 Date: Wed, 10 Apr 2024 17:59:49 +0800 Subject: [PATCH] fix br-external not init because of no permission after ovn-nat-gw configmap created (#3902) * fix gw * fix sa --------- Signed-off-by: bobz965 --- charts/kube-ovn/templates/ovn-CR.yaml | 8 ++++++++ dist/images/install.sh | 8 ++++++++ pkg/daemon/gateway_linux.go | 8 +++++--- pkg/daemon/gateway_windows.go | 8 +++++--- pkg/ovs/ovn-nb-bfd.go | 3 +-- yamls/sa.yaml | 8 ++++++++ 6 files changed, 35 insertions(+), 8 deletions(-) diff --git a/charts/kube-ovn/templates/ovn-CR.yaml b/charts/kube-ovn/templates/ovn-CR.yaml index 69d46ad9258..03670d7c947 100644 --- a/charts/kube-ovn/templates/ovn-CR.yaml +++ b/charts/kube-ovn/templates/ovn-CR.yaml @@ -231,6 +231,14 @@ rules: - create - patch - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/dist/images/install.sh b/dist/images/install.sh index 7b3fc7cb323..92be82aec28 100755 --- a/dist/images/install.sh +++ b/dist/images/install.sh @@ -3101,6 +3101,14 @@ rules: - create - patch - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/pkg/daemon/gateway_linux.go b/pkg/daemon/gateway_linux.go index 880cde7f2b4..1d875c62351 100644 --- a/pkg/daemon/gateway_linux.go +++ b/pkg/daemon/gateway_linux.go 
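Review bot: The added rule grants `get`, `list` and `watch` on ConfigMaps in every namespace, since it appears to sit in a ClusterRole (the file is ovn-CR.yaml, and a ClusterRoleBinding follows in install.sh and sa.yaml), while the Go side of this commit reads only `ovn-external-gw-config`. ConfigMaps often hold kubeconfigs, CA bundles or other material never meant for a node agent, so a namespaced Role and RoleBinding in the namespace where that ConfigMap lives would keep the fix and shrink the exposure. If a plain `get` is enough, `resourceNames: ["ovn-external-gw-config"]` narrows it further; `list`/`watch` can be scoped by name only when the client sets a `metadata.name` field selector, so confirm how the daemon reads it. The same rule is added in dist/images/install.sh and yamls/sa.yaml, and the role it belongs to starts outside the hunk.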
@@ -1383,11 +1383,12 @@ func (c *Controller) setExGateway() error { klog.Errorf("failed to get ovn-external-gw-config, %v", err) return err } - // enable external-gw-config without 'external-gw-nic' configured - // to reuse existing physical network from arg 'external-gateway-net' + linkName, exist := cm.Data["external-gw-nic"] if !exist || len(linkName) == 0 { - return nil + err = fmt.Errorf("external-gw-nic not configured in ovn-external-gw-config") + klog.Error(err) + return err } link, err := netlink.LinkByName(linkName) if err != nil { @@ -1414,6 +1415,7 @@ func (c *Controller) setExGateway() error { } if !externalBrReady { + klog.Infof("create external bridge %s and add nic %s", externalBridge, linkName) if _, err := ovs.Exec( ovs.MayExist, "add-br", externalBridge, "--", ovs.MayExist, "add-port", externalBridge, linkName, diff --git a/pkg/daemon/gateway_windows.go b/pkg/daemon/gateway_windows.go index 0161767033c..42fae64cc1a 100644 --- a/pkg/daemon/gateway_windows.go +++ b/pkg/daemon/gateway_windows.go @@ -54,12 +54,14 @@ func (c *Controller) setExGateway() error { klog.Errorf("failed to get ovn-external-gw-config, %v", err) return err } - // enable external-gw-config without 'external-gw-nic' configured - // to reuse existing physical network from arg 'external-gateway-net' + linkName, exist := cm.Data["external-gw-nic"] if !exist || len(linkName) == 0 { - return nil + err = fmt.Errorf("external-gw-nic not configured in ovn-external-gw-config") + klog.Error(err) + return err } + externalBrReady := false // if external nic already attached into another bridge if existBr, err := ovs.Exec("port-to-br", linkName); err == nil { diff --git a/pkg/ovs/ovn-nb-bfd.go b/pkg/ovs/ovn-nb-bfd.go index 990faef7783..3adfc77fa04 100644 --- a/pkg/ovs/ovn-nb-bfd.go +++ b/pkg/ovs/ovn-nb-bfd.go 
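Review bot: The new `return err` under `if !exist || len(linkName) == 0` turns what the removed comment described as a supported setup (external-gw-config enabled without `external-gw-nic`, reusing the network from `external-gateway-net`) into an error, and no comment says why that mode is gone. If the caller retries on error, which is not visible here, clusters configured that way would log this on every pass. I would document the new contract above the check, for example `// external-gw-nic is required; without it the external bridge is never created`, worded to match the actual reason. The message has no format verbs and is logged here and returned, so the caller may log it a second time. The same change is made in pkg/daemon/gateway_windows.go, and setExGateway starts and ends outside this hunk.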
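Review bot: In gateway_windows.go `linkName` comes straight from the ConfigMap and its next visible use is `ovs.Exec("port-to-br", linkName)`, with no check that it is a plain interface name; the Linux variant resolves it with `netlink.LinkByName` before use. How `ovs.Exec` builds its command line is not visible here, but a value with a leading `-` or embedded whitespace would plausibly be read as something other than a port name. A guard next to the emptiness check, for example `if strings.HasPrefix(linkName, "-") || strings.ContainsAny(linkName, " \t\r\n") { return fmt.Errorf("invalid external-gw-nic %q", linkName) }`, keeps the value to what the command expects; it needs `strings` imported if the file does not already have it. setExGateway continues past the end of the hunk.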
@@ -133,7 +133,6 @@ func (c *OVNNbClient) DeleteBFD(lrpName, dstIP string) error { if len(bfdList) == 0 { return nil } - for _, bfd := range bfdList { ops, err := c.Where(&bfd).Delete() if err != nil { @@ -141,13 +140,13 @@ func (c *OVNNbClient) DeleteBFD(lrpName, dstIP string) error { klog.Error(err) return err } + klog.Infof("delete lrp %s BFD dst ip %s", lrpName, bfd.DstIP) if err = c.Transact("bfd-del", ops); err != nil { err := fmt.Errorf("failed to delete BFD with with UUID %s: %v", bfd.UUID, err) klog.Error(err) return err } } - return nil } diff --git a/yamls/sa.yaml b/yamls/sa.yaml index 22e4dcc87b5..c2332385382 100644 --- a/yamls/sa.yaml +++ b/yamls/sa.yaml @@ -274,6 +274,14 @@ rules: - create - patch - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding
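Review bot: The added `klog.Infof("delete lrp %s BFD dst ip %s", lrpName, bfd.DstIP)` runs before `c.Transact`, so the log records a deletion that may then fail, and the failure message carries only the UUID. For a usable audit trail I would either move the line after the successful `Transact` or word it as an attempt, `klog.Infof("deleting lrp %s BFD dst ip %s", lrpName, bfd.DstIP)`. DeleteBFD begins outside the hunk.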