extension: implement VpcProvider, NetworkACLServiceProvider and VPC lifecycle

- NetworkExtensionElement now implements VpcProvider and NetworkACLServiceProvider
- implementVpc: creates the VPC namespace via implement script and applies VPC source NAT
- implement(network): skips source NAT assignment for VPC tier networks (handled by implementVpc)
- destroy(network): uses 'shutdown' script for VPC tiers to preserve shared namespace
- shutdownVpc: calls 'destroy' script on all extension-backed VPC tier networks to remove namespace
- VpcManagerImpl: dynamically discovers extension-backed VpcProviders via extensionHelper
- UI: add updateRegisteredExtension action to ExtensionResourcesTab

Author: weizhouapache

framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/network/NetworkExtensionElement.java

@@ -67,11 +67,17 @@
 import com.cloud.network.element.FirewallServiceProvider;
 import com.cloud.network.element.IpDeployer;
 import com.cloud.network.element.LoadBalancingServiceProvider;
+import com.cloud.network.element.NetworkACLServiceProvider;
 import com.cloud.network.element.NetworkElement;
 import com.cloud.network.element.PortForwardingServiceProvider;
 import com.cloud.network.element.SourceNatServiceProvider;
 import com.cloud.network.element.StaticNatServiceProvider;
 import com.cloud.network.element.UserDataServiceProvider;
+import com.cloud.network.element.VpcProvider;
+import com.cloud.network.vpc.NetworkACLItem;
+import com.cloud.network.vpc.PrivateGateway;
+import com.cloud.network.vpc.StaticRouteProfile;
+import com.cloud.network.vpc.Vpc;
 import com.cloud.network.lb.LoadBalancingRule;
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.FirewallRuleVO;
@@ -204,7 +210,7 @@ public class NetworkExtensionElement extends AdapterBase implements
         PortForwardingServiceProvider, IpDeployer, NetworkCustomActionProvider,
         DhcpServiceProvider, DnsServiceProvider, FirewallServiceProvider,
         UserDataServiceProvider, LoadBalancingServiceProvider,
-        AggregatedCommandExecutor {
+        VpcProvider, NetworkACLServiceProvider, AggregatedCommandExecutor {
 
     private static final Map<Service, Map<Capability, String>> DEFAULT_CAPABILITIES = new HashMap<>();
 
@@ -446,11 +452,11 @@ public boolean implement(Network network, NetworkOffering offering, DeployDestin
             return false;
         }
 
-        // Step 3: Configure source NAT if supported.
-        if (canHandle(network, Service.SourceNat)) {
+        // Step 3: Configure source NAT for non-VPC networks.
+        // VPC source NAT is managed at implementVpc().
+        if (network.getVpcId() == null && canHandle(network, Service.SourceNat)) {
             try {
                 Account owner = accountService.getAccount(network.getAccountId());
-                PublicIp sourceNatIp = null;
                 PublicIpAddress existingIp = networkModel.getSourceNatIpAddressForGuestNetwork(owner, network);
                 if (existingIp != null) {
                     applyIps(network, List.of(existingIp), Set.of(Service.SourceNat));
@@ -522,7 +528,9 @@ public boolean destroy(Network network, ReservationContext context)
         args.add("--network-id"); args.add(String.valueOf(network.getId()));
         args.add("--vlan");       args.add(safeStr(getVlanId(network)));
         args.addAll(getVpcIdArgs(network));
-        boolean result = executeScript(network, "destroy", args.toArray(new String[0]));
+        // For VPC tiers, keep shared namespace until shutdownVpc() by using shutdown here.
+        final String action = network.getVpcId() == null ? "destroy" : "shutdown";
+        boolean result = executeScript(network, action, args.toArray(new String[0]));
         if (result) {
             cleanupPlaceholderNicIp(network, context);
             networkDetailsDao.removeDetail(network.getId(), NETWORK_DETAIL_EXTENSION_DETAILS);
@@ -2137,4 +2145,160 @@ private String buildRestoreNetworkData(Network network, List<NicVO> nics,
 
         return Base64.getEncoder().encodeToString(json.toString().getBytes(StandardCharsets.UTF_8));
     }
+
+    // ---- VpcProvider ----
+
+    protected Network findVpcAnchorNetwork(long vpcId) {
+        final List<? extends Network> networks = networkModel.listNetworksByVpc(vpcId);
+        if (networks == null || networks.isEmpty()) {
+            return null;
+        }
+
+        for (final Network network : networks) {
+            if (canHandle(network, null)) {
+                return network;
+            }
+        }
+        return null;
+    }
+
+    protected PublicIpAddress getVpcSourceNatIp(long vpcId) {
+        final List<IPAddressVO> ips = ipAddressDao.listByAssociatedVpc(vpcId, true);
+        if (ips == null || ips.isEmpty()) {
+            return null;
+        }
+        IPAddressVO selected = null;
+        for (final IPAddressVO ip : ips) {
+            if (ip.getState() != IpAddress.State.Releasing) {
+                selected = ip;
+                break;
+            }
+        }
+        if (selected == null) {
+            selected = ips.get(0);
+        }
+
+        final VlanVO vlan = vlanDao.findById(selected.getVlanId());
+        if (vlan == null) {
+            logger.warn("No VLAN found for VPC source NAT IP {} (vpc={})", selected.getAddress(), vpcId);
+            return null;
+        }
+        return PublicIp.createFromAddrAndVlan(selected, vlan);
+    }
+
+    /**
+     * Creates the VPC namespace and applies VPC source NAT upfront.
+     */
+    @Override
+    public boolean implementVpc(Vpc vpc, DeployDestination dest, ReservationContext context)
+            throws ConcurrentOperationException, ResourceUnavailableException, InsufficientCapacityException {
+        final Network anchorNetwork = findVpcAnchorNetwork(vpc.getId());
+        if (anchorNetwork == null) {
+            logger.debug("implementVpc: no VPC tier network found for vpc {}", vpc.getId());
+            return true;
+        }
+
+        ensureExtensionDetails(anchorNetwork);
+        final String extensionIp = ensureExtensionIp(anchorNetwork);
+
+        final List<String> args = new ArrayList<>();
+        args.add("--network-id");   args.add(String.valueOf(anchorNetwork.getId()));
+        args.add("--vlan");         args.add(safeStr(getVlanId(anchorNetwork)));
+        args.add("--gateway");      args.add(safeStr(anchorNetwork.getGateway()));
+        args.add("--cidr");         args.add(safeStr(anchorNetwork.getCidr()));
+        args.add("--extension-ip"); args.add(safeStr(extensionIp));
+        args.addAll(getVpcIdArgs(anchorNetwork));
+
+        if (!executeScript(anchorNetwork, "implement", args.toArray(new String[0]))) {
+            return false;
+        }
+
+        if (canHandle(anchorNetwork, Service.SourceNat)) {
+            final PublicIpAddress sourceNatIp = getVpcSourceNatIp(vpc.getId());
+            if (sourceNatIp != null) {
+                applyIps(anchorNetwork, List.of(sourceNatIp), Set.of(Service.SourceNat));
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Removes the shared VPC namespace by destroying all extension-backed VPC tiers.
+     */
+    @Override
+    public boolean shutdownVpc(Vpc vpc, ReservationContext context)
+            throws ConcurrentOperationException, ResourceUnavailableException {
+        final List<? extends Network> networks = networkModel.listNetworksByVpc(vpc.getId());
+        if (networks == null || networks.isEmpty()) {
+            return true;
+        }
+
+        boolean result = true;
+        for (final Network network : networks) {
+            if (!canHandle(network, null)) {
+                continue;
+            }
+
+            final List<String> args = new ArrayList<>();
+            args.add("--network-id"); args.add(String.valueOf(network.getId()));
+            args.add("--vlan");       args.add(safeStr(getVlanId(network)));
+            args.addAll(getVpcIdArgs(network));
+
+            final boolean tierResult = executeScript(network, "destroy", args.toArray(new String[0]));
+            if (tierResult) {
+                networkDetailsDao.removeDetail(network.getId(), NETWORK_DETAIL_EXTENSION_DETAILS);
+            }
+            result = result && tierResult;
+        }
+
+        return result;
+    }
+
+    /** Private gateways are not supported by the network extension element. */
+    @Override
+    public boolean createPrivateGateway(PrivateGateway gateway)
+            throws ConcurrentOperationException, ResourceUnavailableException {
+        return true;
+    }
+
+    /** Private gateways are not supported by the network extension element. */
+    @Override
+    public boolean deletePrivateGateway(PrivateGateway gateway)
+            throws ConcurrentOperationException, ResourceUnavailableException {
+        return true;
+    }
+
+    /** Static routes are not supported by the network extension element. */
+    @Override
+    public boolean applyStaticRoutes(Vpc vpc, List<StaticRouteProfile> routes)
+            throws ResourceUnavailableException {
+        return true;
+    }
+
+    /** ACL items on private gateways are not supported by the network extension element. */
+    @Override
+    public boolean applyACLItemsToPrivateGw(PrivateGateway gateway, List<? extends NetworkACLItem> rules)
+            throws ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean updateVpcSourceNatIp(Vpc vpc, IpAddress address) {
+        return true;
+    }
+
+    @Override
+    public boolean applyNetworkACLs(Network config, List<? extends NetworkACLItem> rules) throws ResourceUnavailableException {
+        if (!canHandle(config, Service.NetworkACL)) {
+            return true;
+        }
+        // ACL semantics for this extension are handled by script policy/rule processing.
+        return true;
+    }
+
+    @Override
+    public boolean reorderAclRules(Vpc vpc, List<? extends Network> networks, List<? extends NetworkACLItem> networkACLItems) {
+        return true;
+    }
 }

server/src/main/java/com/cloud/network/vpc/VpcManagerImpl.java

@@ -84,6 +84,7 @@
 import org.apache.cloudstack.api.command.user.vpc.UpdateVPCCmd;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
+import org.apache.cloudstack.extension.Extension;
 import org.apache.cloudstack.extension.ExtensionHelper;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.Configurable;
@@ -2268,8 +2269,24 @@ private void CheckAccountsAccess(Vpc vpc, Account networkAccount) {
     public List<VpcProvider> getVpcElements() {
         if (vpcElements == null) {
             vpcElements = new ArrayList<VpcProvider>();
-            vpcElements.add((VpcProvider) _ntwkModel.getElementImplementingProvider(Provider.VPCVirtualRouter.getName()));
-            vpcElements.add((VpcProvider) _ntwkModel.getElementImplementingProvider(Provider.JuniperContrailVpcRouter.getName()));
+            final NetworkElement vpcVirtualRouter = _ntwkModel.getElementImplementingProvider(Provider.VPCVirtualRouter.getName());
+            if (vpcVirtualRouter instanceof VpcProvider) {
+                vpcElements.add((VpcProvider) vpcVirtualRouter);
+            }
+
+            final NetworkElement contrailVpcRouter = _ntwkModel.getElementImplementingProvider(Provider.JuniperContrailVpcRouter.getName());
+            if (contrailVpcRouter instanceof VpcProvider) {
+                vpcElements.add((VpcProvider) contrailVpcRouter);
+            }
+
+            // Add extension-backed network orchestrators that can serve as VPC providers.
+            for (final Extension extension : extensionHelper.listExtensionsByType(Extension.Type.NetworkOrchestrator)) {
+                final String providerName = extension.getName();
+                final NetworkElement element = _ntwkModel.getElementImplementingProvider(providerName);
+                if (element instanceof VpcProvider) {
+                    vpcElements.add((VpcProvider) element);
+                }
+            }
         }
 
         if (vpcElements == null) {

ui/public/locales/en.json

@@ -235,6 +235,7 @@
 "label.action.unmanage.volume": "Unmanage Volume",
 "label.action.unmanage.volumes": "Unmanage Volumes",
 "label.action.unregister.extension.resource": "Unregister extension resource",
+"label.action.update.extension.resource": "Update extension resource details",
 "label.action.update.host": "Update Host",
 "label.action.update.security.groups": "Update security groups",
 "label.action.update.offering.access": "Update offering access",
@@ -4066,6 +4067,8 @@
 "message.validate.min": "Please enter a value greater than or equal to {0}.",
 "message.action.delete.object.storage": "Please confirm that you want to delete this Object Store",
 "message.action.unregister.extension.resource": "Please confirm that you want to unregister extension with this resource",
+"message.action.update.extension.resource": "Update the extension resource registration details",
+"message.success.update.extension.resource": "Successfully updated extension resource registration",
 "message.bgp.peers.null": "Please note, if no BGP peers are selected, the VR will connect to <br> (1) dedicated BGP peers the owner can access, if the owner has dedicated BGP peers and account setting use.system.bgp.peers is set to false; <br> (2) all BGP peers the owner can access, otherwise.<br>",
 "message.bucket.delete": "Please confirm that you want to delete this Bucket",
 "migrate.from": "Migrate from",

ui/src/views/extension/ExtensionResourcesTab.vue

@@ -34,6 +34,14 @@
           {{ text && $toLocaleDate(text) }}
         </template>
         <template v-if="column.key === 'actions'">
+          <span style="margin-right: 5px">
+            <tooltip-button
+              v-if="'updateRegisteredExtension' in $store.getters.apis"
+              :tooltip="$t('label.action.update.extension.resource')"
+              type="default"
+              icon="edit-outlined"
+              @onClick="openUpdateModal(record)" />
+          </span>
           <span style="margin-right: 5px">
             <a-popconfirm
               v-if="'unregisterExtension' in $store.getters.apis"
@@ -59,6 +67,19 @@
           :data-map="record.details" />
       </template>
     </a-table>
+    <a-modal
+      v-if="updateModalVisible"
+      :visible="updateModalVisible"
+      :title="$t('label.action.update.extension.resource')"
+      :closable="true"
+      :footer="null"
+      @cancel="closeUpdateModal">
+      <update-registered-extension
+        :resource="resource"
+        :extension-resource="selectedResource"
+        @refresh-data="$emit('refresh-data')"
+        @close-action="closeUpdateModal" />
+    </a-modal>
   </div>
 </template>
 
@@ -67,12 +88,14 @@ import { postAPI } from '@/api'
 import eventBus from '@/config/eventBus'
 import ObjectListTable from '@/components/view/ObjectListTable.vue'
 import TooltipButton from '@/components/widgets/TooltipButton'
+import UpdateRegisteredExtension from '@/views/extension/UpdateRegisteredExtension'
 
 export default {
   name: 'ExtensionResourcesTab',
   components: {
     ObjectListTable,
-    TooltipButton
+    TooltipButton,
+    UpdateRegisteredExtension
   },
   props: {
     resource: {
@@ -103,7 +126,9 @@ export default {
           title: this.$t('label.actions')
         }
       ],
-      unregisterLoading: false
+      unregisterLoading: false,
+      updateModalVisible: false,
+      selectedResource: null
     }
   },
   computed: {
@@ -112,13 +137,22 @@ export default {
     }
   },
   methods: {
+    openUpdateModal (record) {
+      this.selectedResource = record
+      this.updateModalVisible = true
+    },
+    closeUpdateModal () {
+      this.updateModalVisible = false
+      this.selectedResource = null
+    },
     unregisterExtension (record) {
       const params = {
         extensionid: this.resource.id,
         resourceid: record.id,
         resourcetype: record.type
       }
-      postAPI('unregisterExtension', params).then(json => {
+      this.unregisterLoading = true
+      postAPI('unregisterExtension', params).then(() => {
         eventBus.emit('async-job-complete', null)
         this.$notification.success({
           message: this.$t('label.unregister.extension'),
@@ -127,7 +161,7 @@ export default {
       }).catch(error => {
         this.$notifyError(error)
       }).finally(() => {
-        this.deleteLoading = false
+        this.unregisterLoading = false
       })
     }
   }