Fix security group rules comparison

Tomy2e · Tomy2e · commit 29360454ad77 · 2023-10-14T00:12:40.000+02:00
diff --git a/api/v1beta1/scalewaycluster_webhook.go b/api/v1beta1/scalewaycluster_webhook.go
@@ -4,6 +4,7 @@ import (
 	"net"
 	"reflect"
 
+	"github.com/scaleway/scaleway-sdk-go/api/instance/v1"
 	"github.com/scaleway/scaleway-sdk-go/scw"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -238,14 +239,20 @@ func (r *ScalewayCluster) validateSecurityGroupPolicy(sgp *SecurityGroupPolicy,
 			return field.Invalid(innerPath.Child("action"), rule.Action, err.Error())
 		}
 
-		if _, err := rule.Protocol.ToInstance(); err != nil {
+		proto, err := rule.Protocol.ToInstance()
+		if err != nil {
 			return field.Invalid(innerPath.Child("protocol"), rule.Protocol, err.Error())
 		}
 
 		if _, _, err := rule.Ports.ToRange(); err != nil {
 			return field.Invalid(innerPath.Child("ports"), rule.Ports, err.Error())
 		}
 
+		// When using ANY or ICMP, ports must be nil.
+		if (proto == instance.SecurityGroupRuleProtocolANY || proto == instance.SecurityGroupRuleProtocolICMP) && rule.Ports != nil {
+			return field.Invalid(innerPath.Child("ports"), rule.Ports, "ports must not be set when using ANY or ICMP protocols")
+		}
+
 		if rule.IPRange != nil {
 			if _, _, err := net.ParseCIDR(*rule.IPRange); err != nil {
 				return field.Invalid(innerPath.Child("ipRange"), rule.IPRange, err.Error())
diff --git a/internal/service/scaleway/securitygroup/securitygroup.go b/internal/service/scaleway/securitygroup/securitygroup.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"reflect"
 
 	"github.com/Tomy2e/cluster-api-provider-scaleway/api/v1beta1"
 	"github.com/Tomy2e/cluster-api-provider-scaleway/internal/scope"
@@ -72,11 +73,11 @@ func compareRules(a []v1beta1.SecurityGroupRule, b []*instance.SecurityGroupRule
 			return false, err
 		}
 
-		if from != b[i].DestPortFrom {
+		if !reflect.DeepEqual(from, b[i].DestPortFrom) {
 			return false, nil
 		}
 
-		if to != b[i].DestPortTo {
+		if !reflect.DeepEqual(to, b[i].DestPortTo) {
 			return false, nil
 		}
 	}
@@ -278,7 +279,12 @@ func (s *Service) ensureSecurityGroups(ctx context.Context, securityGroups []v1b
 					return fmt.Errorf("failed to set security group rules: %w", err)
 				}
 
-				l.Info("security group rules were updated", "securityGroupName", s.SecurityGroupName(sg.Name))
+				l.Info(
+					"security group rules were updated",
+					"securityGroupName", s.SecurityGroupName(sg.Name),
+					"compareInbound", compareInbound,
+					"compareOutbound", compareOutbound,
+				)
 			}
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@ import (`
`4`	`4`	`"context"`
`5`	`5`	`"fmt"`
`6`	`6`	`"net"`
	`7`	`+ "reflect"`
`7`	`8`
`8`	`9`	`"github.com/Tomy2e/cluster-api-provider-scaleway/api/v1beta1"`
`9`	`10`	`"github.com/Tomy2e/cluster-api-provider-scaleway/internal/scope"`
`@@ -72,11 +73,11 @@ func compareRules(a []v1beta1.SecurityGroupRule, b []*instance.SecurityGroupRule`
`72`	`73`	`return false, err`
`73`	`74`	`}`
`74`	`75`
`75`		`- if from != b[i].DestPortFrom {`
	`76`	`+ if !reflect.DeepEqual(from, b[i].DestPortFrom) {`
`76`	`77`	`return false, nil`
`77`	`78`	`}`
`78`	`79`
`79`		`- if to != b[i].DestPortTo {`
	`80`	`+ if !reflect.DeepEqual(to, b[i].DestPortTo) {`
`80`	`81`	`return false, nil`
`81`	`82`	`}`
`82`	`83`	`}`
`@@ -278,7 +279,12 @@ func (s *Service) ensureSecurityGroups(ctx context.Context, securityGroups []v1b`
`278`	`279`	`return fmt.Errorf("failed to set security group rules: %w", err)`
`279`	`280`	`}`
`280`	`281`
`281`		`- l.Info("security group rules were updated", "securityGroupName", s.SecurityGroupName(sg.Name))`
	`282`	`+ l.Info(`
	`283`	`+ "security group rules were updated",`
	`284`	`+ "securityGroupName", s.SecurityGroupName(sg.Name),`
	`285`	`+ "compareInbound", compareInbound,`
	`286`	`+ "compareOutbound", compareOutbound,`
	`287`	`+ )`
`282`	`288`	`}`
`283`	`289`	`}`
`284`	`290`	`}`