From e3b68219dd9f1ed6ed55779bc03f018f6c74e433 Mon Sep 17 00:00:00 2001
From: Bodo Petermann
Date: Mon, 22 Mar 2021 14:23:00 +0100
Subject: [PATCH] Fix LB failover for amphorav2: set security group
Fix for the issue that an amphorav2 LB cannot be reached after loadbalancer failover. The LB security group was not set in the amphora port. Fixed the v2 variant of UpdateVIPSecurityGroup to actually return the security group id (v1 already did). The flow created in get_failover_LB_flow uses UpdateVIPSecurityGroup which is supposed to provide VIP_SG_ID, which is later needed in get_amphora_for_lb_failover_subflow as a requirement for CreateVIPBasePort.
Story: 2008735
Task: 42087
Change-Id: I1bb334ef0c11a79038b21a873a6675d76b0fbefc
(cherry picked from commit 0513319f3d6e0d8ddbb6b386cbfe01829a68aa4e)
---
 octavia/controller/worker/v2/tasks/network_tasks.py | 2 +-
 .../unit/controller/worker/v1/tasks/test_network_tasks.py | 5 ++++-
 .../unit/controller/worker/v2/tasks/test_network_tasks.py | 5 ++++-
 .../fix-amphorav2-failover-secgroup-c793de5e00b32653.yaml | 5 +++++
 4 files changed, 14 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/fix-amphorav2-failover-secgroup-c793de5e00b32653.yaml
diff --git a/octavia/controller/worker/v2/tasks/network_tasks.py b/octavia/controller/worker/v2/tasks/network_tasks.py
index c620c46241..938d1d5f1e 100644
--- a/octavia/controller/worker/v2/tasks/network_tasks.py
+++ b/octavia/controller/worker/v2/tasks/network_tasks.py
@@ -405,7 +405,7 @@ class UpdateVIPSecurityGroup(BaseNetworkTask):
 LOG.debug("Setup SG for loadbalancer id: %s", loadbalancer_id)
 db_lb = self.loadbalancer_repo.get(
 db_apis.get_session(), id=loadbalancer_id)
- self.network_driver.update_vip_sg(db_lb, db_lb.vip)
+ return self.network_driver.update_vip_sg(db_lb, db_lb.vip)
 class GetSubnetFromVIP(BaseNetworkTask):
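Review bot: The new `return` in UpdateVIPSecurityGroup.execute makes the driver's result the task's output, but nothing visible in this hunk documents that contract; the method's signature and docstring lie outside the hunk. Since the commit message says the failover flow consumes this value as VIP_SG_ID for CreateVIPBasePort, the docstring should state it, for example `:returns: The VIP security group ID (consumed downstream as VIP_SG_ID), or None if the driver applied no security group.` The None case is an assumption to confirm against the network driver. If it can occur, the consumer should handle it explicitly so an amphora port is never created without the intended security group unnoticed.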
diff --git a/octavia/tests/unit/controller/worker/v1/tasks/test_network_tasks.py b/octavia/tests/unit/controller/worker/v1/tasks/test_network_tasks.py
index 97d4cf1434..0832c0ac04 100644
--- a/octavia/tests/unit/controller/worker/v1/tasks/test_network_tasks.py
+++ b/octavia/tests/unit/controller/worker/v1/tasks/test_network_tasks.py
@@ -34,6 +34,7 @@ COMPUTE_ID = uuidutils.generate_uuid()
 PORT_ID = uuidutils.generate_uuid()
 SUBNET_ID = uuidutils.generate_uuid()
 NETWORK_ID = uuidutils.generate_uuid()
+SG_ID = uuidutils.generate_uuid()
 IP_ADDRESS = "172.24.41.1"
 VIP = o_data_models.Vip(port_id=t_constants.MOCK_PORT_ID,
 subnet_id=t_constants.MOCK_SUBNET_ID,
@@ -868,15 +869,17 @@ class TestNetworkTasks(base.TestCase):
 def test_update_vip_sg(self, mock_lb_get, mock_get_session,
 mock_get_net_driver):
 mock_driver = mock.MagicMock()
+ mock_driver.update_vip_sg.return_value = SG_ID
 mock_get_net_driver.return_value = mock_driver
 mock_lb_get.return_value = self.load_balancer_mock
 net = network_tasks.UpdateVIPSecurityGroup()
- net.execute(self.load_balancer_mock.id)
+ sg_id = net.execute(self.load_balancer_mock.id)
 mock_lb_get.assert_called_once_with('TEST',
 id=self.load_balancer_mock.id)
 mock_driver.update_vip_sg.assert_called_once_with(
 self.load_balancer_mock, self.load_balancer_mock.vip)
+ self.assertEqual(sg_id, SG_ID)
 def test_get_subnet_from_vip(self, mock_get_net_driver):
 mock_driver = mock.MagicMock()
diff --git a/octavia/tests/unit/controller/worker/v2/tasks/test_network_tasks.py b/octavia/tests/unit/controller/worker/v2/tasks/test_network_tasks.py
index f4b94ca7c2..9dec166d48 100644
--- a/octavia/tests/unit/controller/worker/v2/tasks/test_network_tasks.py
+++ b/octavia/tests/unit/controller/worker/v2/tasks/test_network_tasks.py
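Review bot: In test_update_vip_sg of the v1 test file, the added `self.assertEqual(sg_id, SG_ID)` puts the observed value first. If the project follows the expected-then-actual convention, `self.assertEqual(SG_ID, sg_id)` keeps failure messages labelled correctly. The same line is added in the v2 test_update_vip_sg hunk and would change the same way. Both tests only cover a driver that returns an ID; a second case with `mock_driver.update_vip_sg.return_value = None` would pin what the task passes on when no security group comes back.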
@@ -36,6 +36,7 @@ COMPUTE_ID = uuidutils.generate_uuid()
 PORT_ID = uuidutils.generate_uuid()
 SUBNET_ID = uuidutils.generate_uuid()
 NETWORK_ID = uuidutils.generate_uuid()
+SG_ID = uuidutils.generate_uuid()
 IP_ADDRESS = "172.24.41.1"
 VIP = o_data_models.Vip(port_id=t_constants.MOCK_PORT_ID,
 subnet_id=t_constants.MOCK_SUBNET_ID,
@@ -985,12 +986,14 @@ class TestNetworkTasks(base.TestCase):
 def test_update_vip_sg(self, mock_session, mock_lb_get,
 mock_get_net_driver):
 mock_driver = mock.MagicMock()
+ mock_driver.update_vip_sg.return_value = SG_ID
 mock_lb_get.return_value = LB
 mock_get_net_driver.return_value = mock_driver
 net = network_tasks.UpdateVIPSecurityGroup()
- net.execute(self.load_balancer_mock)
+ sg_id = net.execute(self.load_balancer_mock)
 mock_driver.update_vip_sg.assert_called_once_with(LB, LB.vip)
+ self.assertEqual(sg_id, SG_ID)
 def test_get_subnet_from_vip(self, mock_get_net_driver):
 mock_driver = mock.MagicMock()
diff --git a/releasenotes/notes/fix-amphorav2-failover-secgroup-c793de5e00b32653.yaml b/releasenotes/notes/fix-amphorav2-failover-secgroup-c793de5e00b32653.yaml
new file mode 100644
index 0000000000..1e95f98539
--- /dev/null
+++ b/releasenotes/notes/fix-amphorav2-failover-secgroup-c793de5e00b32653.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ Fixed an issue that an amphorav2 LB cannot be reached after loadbalancer
+ failover. The LB security group was not set in the amphora port.
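Review bot: The changed line `sg_id = net.execute(self.load_balancer_mock)` in the v2 test_update_vip_sg still passes the mock object itself, while the v2 task hunk in this patch treats the argument as an ID (`id=loadbalancer_id`). Unlike the v1 test, this one never asserts how the repository lookup was called, so a lookup with the wrong ID would go unnoticed. Consider `sg_id = net.execute(self.load_balancer_mock.id)` together with `mock_lb_get.assert_called_once_with(mock.ANY, id=self.load_balancer_mock.id)`. That the mock exposes `.id` in this class is assumed from the v1 test and should be checked.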