Dynamically allow tenancies access to Machines, Volumes, Kubernetes and Kubernetes Apps based on discovery of the portal-internal network (#425)

### Internal network is a shared network
Add a new config option to the openstack provider -
`internalNetIsShared` - which allows a network shared into a project to
be used as the portal-internal network.

If `internalNetIsShared` is True, shared networks that are available to
the project and have the `portal-internal` tag are preferentially chosen
as the portal-internal network over those that are owned by the project.

There are no changes to the default behaviour, and projects that do not
have access to a **shared** network with the `portal-internal` tag will
use an existing network owned by the project if it is available, or a
new network will be created if `createInternalNet` is True (the
default).

### Internal network doesn't exist
If the internal network can not be detected and `createInternalNet` is
False, the capabilites returned for a scoped session are updated to
disable machines, volumes, Kubernetes and Kubernetes apps API endpoints,
because creating resources of these types relies on the internal network
being determined. The UI reacts to the disabling of these endpoints by
removing the relevant items from the sidebar (Advanced>Machines,
Volumes) or from the platforms catalogue (Kubernetes and Kubernetes
apps).

### Machines functionality disabled
The "machines" functionality may be disabled for the OpenStack provider
by setting `supportsMachines` to False (default is True). This will
disable operations on machines and volumes across all projects, and will
cause the "advanced" menu element to be removed from the UI.

### Dynamic project capabilities vs configured capabilities
Configuration options remain for enabling and disabling CaaS, Kubernetes
and Kubernetes apps, alongside a new configuration option for Machines.
If a capability is disabled in config, it will not be enabled
dynamically on a per-tenant basis. If a capability is enabled in config,
it may be disabled on a per-tenant basis if the prerequisites for the
capability are not present (for example, the internal network was not
able to be determined for a project, so machines, volumes, Kubernetes
and Kubernetes Apps are dynamically disabled even though they are
enabled in configuration).

Author: m-bull

api/azimuth/provider/dto.py

@@ -17,6 +17,15 @@ class Capabilities:
     #: Indicates if the cloud supports volumes
     supports_volumes: bool = False
 
+    #: Indicates if machines are enabled for the cloud
+    supports_machines: bool = True
+
+    #: Indicates if kubernetes is enabled for the cloud
+    supports_kubernetes: bool = True
+
+    #: Indicates if kubernetes apps are enabled for the cloud
+    supports_apps: bool = True
+
 
 @dataclass(frozen=True)
 class Tenancy:

api/azimuth/provider/null.py

@@ -35,4 +35,7 @@ class ScopedSession(base.ScopedSession):
     provider_name = "null"
 
     def capabilities(self):
-        return dto.Capabilities(supports_volumes=False)
+        return dto.Capabilities(
+            supports_volumes=False,
+            supports_machines=False,
+        )

api/azimuth/provider/openstack/provider.py

@@ -137,14 +137,18 @@ class Provider(base.Provider):
                                The current tenancy name can be templated in using the
                                fragment ``{tenant_name}``.
         create_internal_net: If ``True`` (the default), then the internal network is
-                             auto-createdwhen a tagged network or templated network
+                             auto-created when a tagged network or templated network
                              cannot be found.
+        allow_shared_internal_net: If ``True`` (the default is False), then networks
+                                   that are not owned by the project are searched for
+                                   the correct tag.
         manila_project_share_gb: If >0 (the default is 0), then manila project share is
                                  auto created with specified size.
         internal_net_cidr: The CIDR for the internal network when it is auto-created
                            (default ``192.168.3.0/24``).
         internal_net_dns_nameservers: The DNS nameservers for the internal network when
                                       it is auto-created (default ``None``).
+        supports_machines: If True (the default), then users can manipulate machines
     """
 
     provider_name = "openstack"
@@ -155,19 +159,23 @@ def __init__(
         internal_net_template=None,
         external_net_template=None,
         create_internal_net=True,
+        allow_shared_internal_net=False,
         manila_project_share_gb=0,
         internal_net_cidr="192.168.3.0/24",
         internal_net_dns_nameservers=None,
+        supports_machines=True,
     ):
         self._metadata_prefix = metadata_prefix
         self._internal_net_template = internal_net_template
         self._external_net_template = external_net_template
         self._create_internal_net = create_internal_net
+        self._allow_shared_internal_net = allow_shared_internal_net
         self._manila_project_share_gb = 0
         if manila_project_share_gb:
             self._manila_project_share_gb = int(manila_project_share_gb)
         self._internal_net_cidr = internal_net_cidr
         self._internal_net_dns_nameservers = internal_net_dns_nameservers
+        self._supports_machines = supports_machines
 
     def _from_auth_session(self, auth_session, auth_user):
         return UnscopedSession(
@@ -177,9 +185,11 @@ def _from_auth_session(self, auth_session, auth_user):
             self._internal_net_template,
             self._external_net_template,
             self._create_internal_net,
+            self._allow_shared_internal_net,
             self._manila_project_share_gb,
             self._internal_net_cidr,
             self._internal_net_dns_nameservers,
+            self._supports_machines,
         )
 
 
@@ -198,18 +208,22 @@ def __init__(
         internal_net_template=None,
         external_net_template=None,
         create_internal_net=True,
+        allow_shared_internal_net=False,
         manila_project_share_gb=0,
         internal_net_cidr="192.168.3.0/24",
         internal_net_dns_nameservers=None,
+        supports_machines=True,
     ):
         super().__init__(auth_session, auth_user)
         self._metadata_prefix = metadata_prefix
         self._internal_net_template = internal_net_template
         self._external_net_template = external_net_template
         self._create_internal_net = create_internal_net
+        self._allow_shared_internal_net = allow_shared_internal_net
         self._manila_project_share_gb = manila_project_share_gb
         self._internal_net_cidr = internal_net_cidr
         self._internal_net_dns_nameservers = internal_net_dns_nameservers
+        self._supports_machines = supports_machines
 
     @convert_exceptions
     def _scoped_session(self, auth_user, tenancy, credential_data):
@@ -221,9 +235,11 @@ def _scoped_session(self, auth_user, tenancy, credential_data):
             self._internal_net_template,
             self._external_net_template,
             self._create_internal_net,
+            self._allow_shared_internal_net,
             self._manila_project_share_gb,
             self._internal_net_cidr,
             self._internal_net_dns_nameservers,
+            self._supports_machines,
         )
 
 
@@ -243,19 +259,23 @@ def __init__(
         internal_net_template=None,
         external_net_template=None,
         create_internal_net=True,
+        allow_shared_internal_net=False,
         manila_project_share_gb=0,
         internal_net_cidr="192.168.3.0/24",
         internal_net_dns_nameservers=None,
+        supports_machines=True,
     ):
         super().__init__(auth_user, tenancy)
         self._connection = connection
         self._metadata_prefix = metadata_prefix
         self._internal_net_template = internal_net_template
         self._external_net_template = external_net_template
         self._create_internal_net = create_internal_net
+        self._allow_shared_internal_net = allow_shared_internal_net
         self._manila_project_share_gb = manila_project_share_gb
         self._internal_net_cidr = internal_net_cidr
         self._internal_net_dns_nameservers = internal_net_dns_nameservers
+        self._supports_machines = supports_machines
 
         # TODO(johngarbutt): consider moving some of this to config
         # and/or hopefully having this feature on by default
@@ -281,13 +301,25 @@ def capabilities(self):
         See :py:meth:`.base.ScopedSession.capabilities`.
         """
         # Check if the relevant services are available to the project
-        try:
-            _ = self._connection.block_store
-        except api.ServiceNotSupported:
-            supports_volumes = False
-        else:
+        self._log("Fetching tenancy capabilities ")
+
+        if self._supports_machines:
+            # If machines support is enabled, then volumes are supported
+            # unless the connection to the openstack block-store fails.
             supports_volumes = True
-        return dto.Capabilities(supports_volumes=supports_volumes)
+
+            try:
+                _ = self._connection.block_store
+            except api.ServiceNotSupported:
+                supports_volumes = False
+        else:
+            # If machine support is disabled, then volumes are too
+            supports_volumes = False
+
+        return dto.Capabilities(
+            supports_volumes=supports_volumes,
+            supports_machines=self._supports_machines,
+        )
 
     @convert_exceptions
     def quotas(self):
@@ -460,14 +492,32 @@ def _tagged_network(self, net_type):
         # For the internal network this is what we want, but for all other types of
         # network (e.g. external, storage) we want to allow shared networks from other
         # projects to be selected - setting "project_id = None" allows this to happen
-        kwargs = {} if net_type == "internal" else {"project_id": None}
+        kwargs = (
+            {}
+            if net_type == "internal" and not self._allow_shared_internal_net
+            else {"project_id": None}
+        )
+
         networks = list(self._connection.network.networks.all(tags=tag, **kwargs))
+
         if len(networks) == 1:
-            self._log("Using tagged %s network '%s'", net_type, networks[0].name)
+            net_owner = (
+                "project"
+                if networks[0].project_id == self._connection.project_id
+                else "shared"
+            )
+
+            self._log(
+                "Using tagged %s %s network '%s'", net_owner, net_type, networks[0].name
+            )
             return networks[0]
         elif len(networks) > 1:
+            net_names = [network.name for network in networks]
             self._log(
-                "Found multiple networks with tag '%s'.", tag, level=logging.ERROR
+                "Found multiple networks with tag '%s': %s.",
+                tag,
+                ",".join(net_names),
+                level=logging.ERROR,
             )
             raise errors.InvalidOperationError(
                 f"Found multiple networks with tag '{tag}'."
@@ -485,16 +535,30 @@ def _templated_network(self, template, net_type):
         raised.
         """
         net_name = template.format(tenant_name=self._connection.project_name)
+
         # By default, networks.all() will only return networks that belong to the
         # project
         # For the internal network this is what we want, but for all other types of
         # network (e.g. external, storage) we want to allow shared networks from other
         # projects to be selected - setting "project_id = None" allows this to happen
-        kwargs = {} if net_type == "internal" else {"project_id": None}
+        kwargs = (
+            {}
+            if net_type == "internal" and not self._allow_shared_internal_net
+            else {"project_id": None}
+        )
         networks = list(self._connection.network.networks.all(name=net_name, **kwargs))
+
         if len(networks) == 1:
+            net_owner = (
+                "project"
+                if networks[0].project_id == self._connection.project_id
+                else "shared"
+            )
             self._log(
-                "Found %s network '%s' using template.", net_type, networks[0].name
+                "Found %s %s network '%s' using template.",
+                net_type,
+                net_owner,
+                networks[0].name,
             )
             return networks[0]
         elif len(networks) > 1: