Make sure OVN PG is present before adding a SG rule

It's possible to have a security group created on one
controller and then a security group rule created on a
different controller quickly enough that the second
controller does not yet see that security group in its
local cache of the OVN northbound database. Check if
the port group is present or not in the idl's local copy
of the database before creating the security group rule.

Closes-bug: #2090921
Change-Id: If6a60eb086b9bcdfd90e154879561ba569f45750
Signed-off-by: Brian Haley <haleyb.dev@gmail.com>
(cherry picked from commit be4fb73)

Author: brianphaley

neutron/common/ovn/acl.py

@@ -296,15 +296,23 @@ def update_acls_for_security_group(plugin,
     if not is_sg_enabled():
         return
 
+    # It's possible to have a security group created on one controller and
+    # then a security group rule created on a different controller quickly
+    # enough that the second controller does not yet see that security group
+    # in its local cache of the OVN northbound database. Check if the port
+    # group is present or not in the idl's local copy of the database before
+    # creating the security group rule.
+    pg_name = utils.ovn_port_group_name(security_group_id)
+    ovn.check_for_row_by_value_and_retry('Port_Group', 'name', pg_name)
+
     # Check if ACL log name and severity supported or not
     keep_name_severity = _acl_columns_name_severity_supported(ovn)
 
     sg = plugin.get_security_group(admin_context, security_group_id)
     stateful = is_sg_stateful(sg)
 
     acl = _add_sg_rule_acl_for_port_group(
-        utils.ovn_port_group_name(security_group_id),
-        stateful, security_group_rule)
+        pg_name, stateful, security_group_rule)
     # Remove ACL log name and severity if not supported
     if is_add_acl:
         if not keep_name_severity:

neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/test_mech_driver.py

@@ -4522,6 +4522,15 @@ def test_update_sg_change_rule(self):
             sg_r = self._create_sg_rule(sg['id'], 'ingress',
                                         const.PROTO_NAME_UDP,
                                         ethertype=const.IPv6)
+
+            # Updating an ACL will call 'check_for_row_by_value_and_retry'
+            # for the PG at least once.
+            pg_name = ovn_utils.ovn_port_group_name(sg['id'])
+            cfrbvar = self.mech_driver.nb_ovn.check_for_row_by_value_and_retry
+            cfrbvar.assert_has_calls([
+                mock.call('Port_Group', 'name', pg_name)
+            ])
+
             self.assertEqual(
                 1, self.mech_driver.nb_ovn.pg_acl_add.call_count)