VPC: Extend support for SG's (#1989)

cjschaef · web-flow · commit 8a563a0620f3 · 2024-10-17T15:09:04.000+01:00
Add support to reconcile SecurityGroups and SecurityGroupRules for VPC extended Infrastructure support. Related: #1896
diff --git a/cloud/scope/powervs_cluster.go b/cloud/scope/powervs_cluster.go
@@ -1615,8 +1615,10 @@ func (s *PowerVSClusterScope) validateVPCSecurityGroup(securityGroup infrav1beta
 		}
 	} else {
 		securityGroupDet, err = s.IBMVPCClient.GetSecurityGroupByName(*securityGroup.Name)
-		if err != nil && err.Error() != vpc.SecurityGroupByNameNotFound(*securityGroup.Name).Error() {
-			return nil, nil, err
+		if err != nil {
+			if _, ok := err.(*vpc.SecurityGroupByNameNotFound); !ok {
+				return nil, nil, err
+			}
 		}
 		if securityGroupDet == nil {
 			return nil, nil, nil
diff --git a/cloud/scope/vpc_cluster.go b/cloud/scope/vpc_cluster.go
diff --git a/controllers/ibmvpccluster_controller.go b/controllers/ibmvpccluster_controller.go
@@ -274,6 +274,19 @@ func (r *IBMVPCClusterReconciler) reconcileCluster(clusterScope *scope.VPCCluste
 	clusterScope.Info("Reconciliation of VPC Subnets complete")
 	conditions.MarkTrue(clusterScope.IBMVPCCluster, infrav1beta2.VPCSubnetReadyCondition)
 
+	// Reconcile the cluster's Security Groups (and Security Group Rules)
+	clusterScope.Info("Reconciling Security Groups")
+	if requeue, err := clusterScope.ReconcileSecurityGroups(); err != nil {
+		clusterScope.Error(err, "failed to reconcile Security Groups")
+		conditions.MarkFalse(clusterScope.IBMVPCCluster, infrav1beta2.VPCSecurityGroupReadyCondition, infrav1beta2.VPCSecurityGroupReconciliationFailedReason, capiv1beta1.ConditionSeverityError, "%s", err.Error())
+		return reconcile.Result{}, err
+	} else if requeue {
+		clusterScope.Info("Security Groups creation is pending, requeueing")
+		return reconcile.Result{RequeueAfter: 15 * time.Second}, nil
+	}
+	clusterScope.Info("Reconciliation of Security Groups complete")
+	conditions.MarkTrue(clusterScope.IBMVPCCluster, infrav1beta2.VPCSecurityGroupReadyCondition)
+
 	// TODO(cjschaef): add remaining resource reconciliation.
 
 	// Mark cluster as ready.
diff --git a/pkg/cloud/services/vpc/mock/vpc_generated.go b/pkg/cloud/services/vpc/mock/vpc_generated.go
diff --git a/pkg/cloud/services/vpc/service.go b/pkg/cloud/services/vpc/service.go
@@ -26,8 +26,14 @@ import (
 	"sigs.k8s.io/cluster-api-provider-ibmcloud/pkg/cloud/services/utils"
 )
 
-// SecurityGroupByNameNotFound returns an appropriate error when security group by name not found.
-var SecurityGroupByNameNotFound = func(name string) error { return fmt.Errorf("failed to find security group by name '%s'", name) }
+// SecurityGroupByNameNotFound represents an error when security group is not found by name.
+type SecurityGroupByNameNotFound struct {
+	Name string
+}
+
+func (s *SecurityGroupByNameNotFound) Error() string {
+	return fmt.Sprintf("failed to find security group by name: %s", s.Name)
+}
 
 // Service holds the VPC Service specific information.
 type Service struct {
@@ -472,14 +478,19 @@ func (s *Service) GetSecurityGroupByName(name string) (*vpcv1.SecurityGroup, err
 		}
 	}
 
-	return nil, SecurityGroupByNameNotFound(name)
+	return nil, &SecurityGroupByNameNotFound{Name: name}
 }
 
 // GetSecurityGroupRule gets a specific security group rule.
 func (s *Service) GetSecurityGroupRule(options *vpcv1.GetSecurityGroupRuleOptions) (vpcv1.SecurityGroupRuleIntf, *core.DetailedResponse, error) {
 	return s.vpcService.GetSecurityGroupRule(options)
 }
 
+// ListSecurityGroupRules returns a list of security group rules.
+func (s *Service) ListSecurityGroupRules(options *vpcv1.ListSecurityGroupRulesOptions) (*vpcv1.SecurityGroupRuleCollection, *core.DetailedResponse, error) {
+	return s.vpcService.ListSecurityGroupRules(options)
+}
+
 // GetVPCZonesByRegion gets the VPC availability zones for a specific IBM Cloud region.
 func (s *Service) GetVPCZonesByRegion(region string) ([]string, error) {
 	zones := make([]string, 0)
diff --git a/pkg/cloud/services/vpc/vpc.go b/pkg/cloud/services/vpc/vpc.go
@@ -69,5 +69,6 @@ type Vpc interface {
 	GetSecurityGroup(options *vpcv1.GetSecurityGroupOptions) (*vpcv1.SecurityGroup, *core.DetailedResponse, error)
 	GetSecurityGroupByName(name string) (*vpcv1.SecurityGroup, error)
 	GetSecurityGroupRule(options *vpcv1.GetSecurityGroupRuleOptions) (vpcv1.SecurityGroupRuleIntf, *core.DetailedResponse, error)
+	ListSecurityGroupRules(options *vpcv1.ListSecurityGroupRulesOptions) (*vpcv1.SecurityGroupRuleCollection, *core.DetailedResponse, error)
 	GetVPCZonesByRegion(region string) ([]string, error)
 }

Original file line number	Diff line number	Diff line change
`@@ -1615,8 +1615,10 @@ func (s *PowerVSClusterScope) validateVPCSecurityGroup(securityGroup infrav1beta`
`1615`	`1615`	`}`
`1616`	`1616`	`} else {`
`1617`	`1617`	`securityGroupDet, err = s.IBMVPCClient.GetSecurityGroupByName(*securityGroup.Name)`
`1618`		`- if err != nil && err.Error() != vpc.SecurityGroupByNameNotFound(*securityGroup.Name).Error() {`
`1619`		`- return nil, nil, err`
	`1618`	`+ if err != nil {`
	`1619`	`+ if _, ok := err.(*vpc.SecurityGroupByNameNotFound); !ok {`
	`1620`	`+ return nil, nil, err`
	`1621`	`+ }`
`1620`	`1622`	`}`
`1621`	`1623`	`if securityGroupDet == nil {`
`1622`	`1624`	`return nil, nil, nil`
Original file line number	Diff line number	Diff line change
`@@ -69,5 +69,6 @@ type Vpc interface {`
`69`	`69`	`GetSecurityGroup(options vpcv1.GetSecurityGroupOptions) (vpcv1.SecurityGroup, *core.DetailedResponse, error)`
`70`	`70`	`GetSecurityGroupByName(name string) (*vpcv1.SecurityGroup, error)`
`71`	`71`	`GetSecurityGroupRule(options vpcv1.GetSecurityGroupRuleOptions) (vpcv1.SecurityGroupRuleIntf, core.DetailedResponse, error)`
	`72`	`+ ListSecurityGroupRules(options vpcv1.ListSecurityGroupRulesOptions) (vpcv1.SecurityGroupRuleCollection, *core.DetailedResponse, error)`
`72`	`73`	`GetVPCZonesByRegion(region string) ([]string, error)`
`73`	`74`	`}`