
Commit 4ae0b24

committed
Add support for new SGR protocols in PowerVS
The latest vpc-go-sdk introduces two new security group rule protocol types: 'any' and 'individual'. This commit adds full compatibility for these new protocols in the PowerVS implementation.
1 parent d3d97e2 commit 4ae0b24


5 files changed

+363
-22
lines changed


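--- a/api/powervs/v1beta2/types.go
+++ b/api/powervs/v1beta2/types.go
@@ -285,6 +285,9 @@ var (
 )
 
 const (
+// VPCSecurityGroupRuleProtocolAnyType is a string representation of the 'SecurityGroupRuleProtocolAny' type.
+VPCSecurityGroupRuleProtocolAnyType = "*vpcv1.SecurityGroupRuleProtocolAny"
+
 // VPCSecurityGroupRuleProtocolIcmptcpudpType is a string representation of the 'SecurityGroupRuleProtocolIcmptcpudp' type.
 VPCSecurityGroupRuleProtocolIcmptcpudpType = "*vpcv1.SecurityGroupRuleProtocolIcmptcpudp"
 
@@ -293,6 +296,9 @@ const (
 
 // VPCSecurityGroupRuleProtocolTcpudpType is a string representation of the 'SecurityGroupRuleSecurityGroupRuleProtocolTcpudp' type.
 VPCSecurityGroupRuleProtocolTcpudpType = "*vpcv1.SecurityGroupRuleSecurityGroupRuleProtocolTcpudp"
+
+// VPCSecurityGroupRuleProtocolIndividualType is a string representation of the 'SecurityGroupRuleProtocolIndividual' type.
+VPCSecurityGroupRuleProtocolIndividualType = "*vpcv1.SecurityGroupRuleProtocolIndividual"
 )
 
 // VPCSecurityGroupRuleAction represents the actions for a Security Group Rule.
@@ -318,10 +324,12 @@ const (
 )
 
 // VPCSecurityGroupRuleProtocol represents the protocols for a Security Group Rule.
-// +kubebuilder:validation:Enum=icmp_tcp_udp;icmp;tcp;udp
+// +kubebuilder:validation:Pattern=`^(any|icmp_tcp_udp|icmp|tcp|udp|ah|esp|gre|ip_in_ip|l2tp|rsvp|sctp|vrrp|number_(?:0|2|3|5|[7-9]|1[0-6]|1[8-9]|[2-3][0-9]|4[0-5]|4[89]|5[2-9]|[6-9][0-9]|10[0-9]|11[0-1]|11[3-4]|11[6-9]|12[0-9]|13[0-1]|13[3-9]|1[4-9][0-9]|2[0-4][0-9]|25[0-5]))$`
 type VPCSecurityGroupRuleProtocol string
 
 const (
+// VPCSecurityGroupRuleProtocolAny defines the Rule is for any network protocols.
+VPCSecurityGroupRuleProtocolAny VPCSecurityGroupRuleProtocol = vpcv1.NetworkACLRuleProtocolAnyConst
 // VPCSecurityGroupRuleProtocolIcmpTCPUDP defines the Rule is for ICMP, TCP and UDP protocols.
 VPCSecurityGroupRuleProtocolIcmpTCPUDP VPCSecurityGroupRuleProtocol = vpcv1.NetworkACLRuleProtocolIcmpTCPUDPConst
 // VPCSecurityGroupRuleProtocolIcmp defiens the Rule is for ICMP network protocol.
@@ -447,6 +455,7 @@ type VPCSecurityGroupRuleRemote struct {
 // VPCSecurityGroupRulePrototype defines a VPC Security Group Rule's traffic specifics for a series of remotes (destinations or sources).
 // +kubebuilder:validation:XValidation:rule="self.protocol != 'icmp' ? (!has(self.icmpCode) && !has(self.icmpType)) : true",message="icmpCode and icmpType are only supported for VPCSecurityGroupRuleProtocolIcmp protocol"
 // +kubebuilder:validation:XValidation:rule="self.protocol == 'icmp' ? !has(self.portRange) : true",message="portRange is not valid for VPCSecurityGroupRuleProtocolIcmp protocol"
+// +kubebuilder:validation:XValidation:rule="(self.protocol != 'tcp' && self.protocol != 'udp') ? !has(self.portRange) : true",message="portRange is not valid for protocol"
 // +kubebuilder:validation:XValidation:rule="self.protocol == 'icmp_tcp_udp' ? !has(self.portRange) : true",message="portRange is not valid for VPCSecurityGroupRuleProtocolIcmpTCPUDP protocol"
 type VPCSecurityGroupRulePrototype struct {
 // icmpCode is the ICMP code for the Rule.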
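Review bot: The XValidation added at line 458 (`(self.protocol != 'tcp' && self.protocol != 'udp') ? !has(self.portRange) : true`) already rejects portRange for `icmp` and `icmp_tcp_udp`, so the rules on lines 457 and 460 now only add a second, more specific message for the same rejection; either drop them or give the new rule a message that names what is allowed, e.g. `message="portRange is only valid for tcp and udp protocols"`. Swapping the Enum marker for the long Pattern on line 327 loses the self-documenting list, and the `number_` alternation appears to skip exactly the values that have a named form (1, 4, 6, 17, 46, 47, 50, 51, 112, 115, 132); a comment above the marker such as `// number_N admits the IANA protocol numbers that have no named alternative in this pattern.` would keep a future edit from silently widening or narrowing it. `VPCSecurityGroupRuleProtocolAny` on line 332 reuses a NetworkACL constant like its neighbours, which is consistent, but its doc line should state that an `any` rule admits every protocol and therefore takes no portRange or ICMP fields, since that is the combination the CEL rules above now enforce.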

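--- a/cloud/scope/powervs/powervs_cluster.go
+++ b/cloud/scope/powervs/powervs_cluster.go
@@ -1462,6 +1462,9 @@ func (s *ClusterScope) createVPCSecurityGroupRule(ctx context.Context, securityG
 }
 
 switch reflect.TypeOf(ruleIntf).String() {
+case infrav1.VPCSecurityGroupRuleProtocolAnyType:
+rule := ruleIntf.(*vpcv1.SecurityGroupRuleProtocolAny)
+ruleID = rule.ID
 case infrav1.VPCSecurityGroupRuleProtocolIcmptcpudpType:
 rule := ruleIntf.(*vpcv1.SecurityGroupRuleProtocolIcmptcpudp)
 ruleID = rule.ID
@@ -1471,6 +1474,9 @@ func (s *ClusterScope) createVPCSecurityGroupRule(ctx context.Context, securityG
 case infrav1.VPCSecurityGroupRuleProtocolIcmpType:
 rule := ruleIntf.(*vpcv1.SecurityGroupRuleSecurityGroupRuleProtocolIcmp)
 ruleID = rule.ID
+case infrav1.VPCSecurityGroupRuleProtocolIndividualType:
+rule := ruleIntf.(*vpcv1.SecurityGroupRuleProtocolIndividual)
+ruleID = rule.ID
 }
 log.Info("Created VPC security group rule", "ruleID", *ruleID)
 return ruleID, nil
@@ -1600,7 +1606,7 @@ func (s *ClusterScope) validateVPCSecurityGroupRuleRemote(originalSGRemote *vpcv
 }
 
 // validateSecurityGroupRule compares a specific security group's rule with the spec and existing security group's rule.
-func (s *ClusterScope) validateSecurityGroupRule(originalSecurityGroupRules []vpcv1.SecurityGroupRuleIntf, direction infrav1.VPCSecurityGroupRuleDirection, rule *infrav1.VPCSecurityGroupRulePrototype, remote infrav1.VPCSecurityGroupRuleRemote) (ruleID *string, match bool, err error) {
+func (s *ClusterScope) validateSecurityGroupRule(originalSecurityGroupRules []vpcv1.SecurityGroupRuleIntf, direction infrav1.VPCSecurityGroupRuleDirection, rule *infrav1.VPCSecurityGroupRulePrototype, remote infrav1.VPCSecurityGroupRuleRemote) (ruleID *string, match bool, err error) { //nolint: gocyclo
 updateError := func(e error) {
 err = fmt.Errorf("failed to validate VPC security group rule's remote: %w", e)
 }
@@ -1609,6 +1615,18 @@ func (s *ClusterScope) validateSecurityGroupRule(originalSecurityGroupRules []vp
 
 for _, ogRuleIntf := range originalSecurityGroupRules {
 switch reflect.TypeOf(ogRuleIntf).String() {
+case infrav1.VPCSecurityGroupRuleProtocolAnyType:
+ogRule := ogRuleIntf.(*vpcv1.SecurityGroupRuleProtocolAny)
+ruleID = ogRule.ID
+
+if *ogRule.Direction == string(direction) && *ogRule.Protocol == protocol {
+ogRemote := ogRule.Remote.(*vpcv1.SecurityGroupRuleRemote)
+match, err = s.validateVPCSecurityGroupRuleRemote(ogRemote, remote)
+if err != nil {
+updateError(err)
+return nil, false, err
+}
+}
 case infrav1.VPCSecurityGroupRuleProtocolIcmptcpudpType:
 ogRule := ogRuleIntf.(*vpcv1.SecurityGroupRuleProtocolIcmptcpudp)
 ruleID = ogRule.ID
@@ -1649,6 +1667,18 @@ func (s *ClusterScope) validateSecurityGroupRule(originalSecurityGroupRules []vp
 return nil, false, err
 }
 }
+case infrav1.VPCSecurityGroupRuleProtocolIndividualType:
+ogRule := ogRuleIntf.(*vpcv1.SecurityGroupRuleProtocolIndividual)
+ruleID = ogRule.ID
+
+if *ogRule.Direction == string(direction) && *ogRule.Protocol == protocol {
+ogRemote := ogRule.Remote.(*vpcv1.SecurityGroupRuleRemote)
+match, err = s.validateVPCSecurityGroupRuleRemote(ogRemote, remote)
+if err != nil {
+updateError(err)
+return nil, false, err
+}
+}
 }
 if match {
 return ruleID, match, nil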