[WIP]Change_project_group_membertype

pkg/nsx/services/securitypolicy/builder.go

@@ -1301,7 +1301,7 @@ func (service *SecurityPolicyService) updateMixedExpressionsMatchExpression(nsMa
 	var err error
 	opInIdx := 0
 	var opInMatchExpressions []v1.LabelSelectorRequirement
-	memberType := ""
+	isVpcEnable := isVpcEnabled(service)
 
 	nsFound, opInIdx1 := service.matchExpressionOpInExist(nsMatchExpressions)
 	portFound, opInIdx2 := service.matchExpressionOpInExist(matchExpressions)
@@ -1312,22 +1312,30 @@ func (service *SecurityPolicyService) updateMixedExpressionsMatchExpression(nsMa
 		return err
 	}
 
+	nsMemberType := "Segment"
+	if isVpcEnable {
+		nsMemberType = "VPCSubnet"
+	}
+	portMemberType, memberType := "SegmentPort", "SegmentPort"
+	if isVpcEnable {
+		portMemberType, memberType = "VPCSubnetPort", "VPCSubnetPort"
+	}
+
 	if nsFound {
 		opInIdx = opInIdx1
-		memberType = "Segment"
+		memberType = nsMemberType
 		opInMatchExpressions = nsMatchExpressions
 	} else if portFound {
 		opInIdx = opInIdx2
-		memberType = "SegmentPort"
 		opInMatchExpressions = matchExpressions
 	}
 
 	if !nsFound && !portFound {
-		err = service.buildExpressionsMatchExpression(matchExpressions, "SegmentPort", expressions)
+		err = service.buildExpressionsMatchExpression(matchExpressions, portMemberType, expressions)
 		if err == nil {
 			err = service.buildExpressionsMatchExpression(
 				nsMatchExpressions,
-				"Segment",
+				nsMemberType,
 				expressions,
 			)
 		}
@@ -1348,14 +1356,14 @@ func (service *SecurityPolicyService) updateMixedExpressionsMatchExpression(nsMa
 					expressions.Add(tagValueExpression)
 				}
 
-				service.updateExpressionsMatchLabels(matchLabels, "SegmentPort", expressions)
-				service.updateExpressionsMatchLabels(nsMatchLabels, "Segment", expressions)
+				service.updateExpressionsMatchLabels(matchLabels, portMemberType, expressions)
+				service.updateExpressionsMatchLabels(nsMatchLabels, nsMemberType, expressions)
 			}
 
 			if nsFound {
-				err = service.buildExpressionsMatchExpression(matchExpressions, "SegmentPort", expressions)
+				err = service.buildExpressionsMatchExpression(matchExpressions, portMemberType, expressions)
 			} else {
-				err = service.buildExpressionsMatchExpression(nsMatchExpressions, "Segment", expressions)
+				err = service.buildExpressionsMatchExpression(nsMatchExpressions, nsMemberType, expressions)
 			}
 			if err != nil {
 				break
@@ -1441,9 +1449,16 @@ func (service *SecurityPolicyService) updatePeerExpressions(obj *v1alpha1.Securi
 	// If NamespaceSelector is specified, peer group must be put under project level for sharing with VPC.
 	// VpcSubnet and VpcSubnetPort types are not supported in project level group.
 	// Project level group can support SegmentPort and Segment type.
-	// If groupShared is True, it means there are NamespaceSelectors in the rule groups, so we can use mixed criteria.
-	if isVpcEnable && !groupShared {
-		clusterMemberType = "VpcSubnetPort"
+	if isVpcEnable {
+		if !groupShared {
+			clusterMemberType = "VpcSubnetPort"
+		}
+		// If groupShared is True, it means there are NamespaceSelectors in the rule groups, so we can use mixed criteria.
+		if clusterMemberType == "Segment" {
+			clusterMemberType = "VpcSubnet"
+		} else {
+			clusterMemberType = "VpcSubnetPort"
+		}
 		memberType = "VpcSubnetPort"
 	}
 
@@ -1519,10 +1534,10 @@ func (service *SecurityPolicyService) updatePeerExpressions(obj *v1alpha1.Securi
 				// 1. A non-empty expression list, must be of odd size
 				// 2. An expression list size is equal to or greater than 3
 				// 3. In a list, with indices starting from 0, all non-conjunction expressions must be at even indices
-				// Hence, add one more SegmentPort member condition to meet the criteria aforementioned
+				// Hence, add one more SegmentPort/VpcSubnetPort member condition to meet the criteria aforementioned
 				service.addOperatorIfNeeded(expressions, "AND")
 				clusterSegPortExpression := service.buildExpression(
-					"Condition", "SegmentPort",
+					"Condition", memberType,
 					fmt.Sprintf("%s|%s", getScopeCluserTag(service), getCluster(service)),
 					"Tag", "EQUALS", "EQUALS",
 				)
@@ -1532,13 +1547,21 @@ func (service *SecurityPolicyService) updatePeerExpressions(obj *v1alpha1.Securi
 			} else {
 				tagValueExpression = nil
 				memberType = "Segment"
+				if isVpcEnable {
+					memberType = "VpcSubnet"
+				}
 				matchLabels = peer.NamespaceSelector.MatchLabels
 				matchExpressions = &peer.NamespaceSelector.MatchExpressions
 				// NamespaceSelector has one more built-in labels
 				matchLabelsCount = len(matchLabels) + ClusterTagCount
 			}
 		} else { // Handle PodSelector or VMSelector mixed with NamespaceSelector
 			memberType = "Segment"
+			portMemberType := "SegmentPort"
+			if isVpcEnable {
+				memberType = "VpcSubnet"
+				portMemberType = "VpcSubnetPort"
+			}
 			nsMatchLabels := peer.NamespaceSelector.MatchLabels
 			nsMatchExpressions := &peer.NamespaceSelector.MatchExpressions
 
@@ -1568,7 +1591,7 @@ func (service *SecurityPolicyService) updatePeerExpressions(obj *v1alpha1.Securi
 			matchExpressionsCount = len(*mergedMatchExpressions) + len(*nsMergedMatchExpressions)
 			opInValueCount += nsOpInValCount
 
-			service.updateExpressionsMatchLabels(matchLabels, "SegmentPort", expressions)
+			service.updateExpressionsMatchLabels(matchLabels, portMemberType, expressions)
 			service.updateExpressionsMatchLabels(nsMatchLabels, memberType, expressions)
 
 			// NamespaceSelector AND with PodSelector or VMSelector expressions to produce final expressions
@@ -1626,7 +1649,8 @@ func (service *SecurityPolicyService) updatePeerExpressions(obj *v1alpha1.Securi
 				false,
 			)
 		} else {
-			// Since cluster memberType is set as "Segment" or "SegmentPort", So the final produced group criteria is always treated as a mixed criteria
+			// Since cluster memberType is set as "Segment" or "SegmentPort",
+			// or "VpcSubnet" or "VpcSubnetPort", So the final produced group criteria is always treated as a mixed criteria
 			totalCriteriaCount, totalExprCount, err = service.validateSelectorExpressions(
 				matchLabelsCount,
 				matchExpressionsCount,