Skip to content

Commit 2fc56b4

Browse files
EmilienMEmilienM
authored
Merge pull request #2465 from k8s-infra-cherrypick-robot/cherry-pick-2446-to-release-0.12
[release-0.12] fix: allow modification of all ManagedSecurityGroups
2 parents f3ba4ac + e131cb7 commit 2fc56b4

File tree

2 files changed

+95
-1
lines changed

2 files changed

+95
-1
lines changed

pkg/webhooks/openstackcluster_webhook.go

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -119,7 +119,7 @@ func (*openStackClusterWebhook) ValidateUpdate(_ context.Context, oldObjRaw, new
119119
oldObj.Spec.Bastion = &infrav1.Bastion{}
120120
newObj.Spec.Bastion = &infrav1.Bastion{}
121121

122-
// Allow changes to the managed allNodesSecurityGroupRules.
122+
// Allow changes to the managed securityGroupRules.
123123
if newObj.Spec.ManagedSecurityGroups != nil {
124124
if oldObj.Spec.ManagedSecurityGroups == nil {
125125
oldObj.Spec.ManagedSecurityGroups = &infrav1.ManagedSecurityGroups{}
@@ -128,6 +128,12 @@ func (*openStackClusterWebhook) ValidateUpdate(_ context.Context, oldObjRaw, new
128128
oldObj.Spec.ManagedSecurityGroups.AllNodesSecurityGroupRules = []infrav1.SecurityGroupRuleSpec{}
129129
newObj.Spec.ManagedSecurityGroups.AllNodesSecurityGroupRules = []infrav1.SecurityGroupRuleSpec{}
130130

131+
oldObj.Spec.ManagedSecurityGroups.ControlPlaneNodesSecurityGroupRules = []infrav1.SecurityGroupRuleSpec{}
132+
newObj.Spec.ManagedSecurityGroups.ControlPlaneNodesSecurityGroupRules = []infrav1.SecurityGroupRuleSpec{}
133+
134+
oldObj.Spec.ManagedSecurityGroups.WorkerNodesSecurityGroupRules = []infrav1.SecurityGroupRuleSpec{}
135+
newObj.Spec.ManagedSecurityGroups.WorkerNodesSecurityGroupRules = []infrav1.SecurityGroupRuleSpec{}
136+
131137
// Allow change to the allowAllInClusterTraffic.
132138
oldObj.Spec.ManagedSecurityGroups.AllowAllInClusterTraffic = false
133139
newObj.Spec.ManagedSecurityGroups.AllowAllInClusterTraffic = false

pkg/webhooks/openstackcluster_webhook_test.go

Lines changed: 88 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -164,6 +164,94 @@ func TestOpenStackCluster_ValidateUpdate(t *testing.T) {
164164
},
165165
wantErr: false,
166166
},
167+
{
168+
name: "Changing security group rules on the OpenStackCluster.Spec.ManagedSecurityGroups.ControlPlaneNodesSecurityGroupRules is allowed",
169+
oldTemplate: &infrav1.OpenStackCluster{
170+
Spec: infrav1.OpenStackClusterSpec{
171+
IdentityRef: infrav1.OpenStackIdentityReference{
172+
Name: "foobar",
173+
CloudName: "foobar",
174+
},
175+
ManagedSecurityGroups: &infrav1.ManagedSecurityGroups{
176+
ControlPlaneNodesSecurityGroupRules: []infrav1.SecurityGroupRuleSpec{
177+
{
178+
Name: "foobar",
179+
Description: ptr.To("foobar"),
180+
PortRangeMin: ptr.To(80),
181+
PortRangeMax: ptr.To(80),
182+
Protocol: ptr.To("tcp"),
183+
RemoteManagedGroups: []infrav1.ManagedSecurityGroupName{"controlplane"},
184+
},
185+
},
186+
},
187+
},
188+
},
189+
newTemplate: &infrav1.OpenStackCluster{
190+
Spec: infrav1.OpenStackClusterSpec{
191+
IdentityRef: infrav1.OpenStackIdentityReference{
192+
Name: "foobar",
193+
CloudName: "foobar",
194+
},
195+
ManagedSecurityGroups: &infrav1.ManagedSecurityGroups{
196+
ControlPlaneNodesSecurityGroupRules: []infrav1.SecurityGroupRuleSpec{
197+
{
198+
Name: "foobar",
199+
Description: ptr.To("foobar"),
200+
PortRangeMin: ptr.To(80),
201+
PortRangeMax: ptr.To(80),
202+
Protocol: ptr.To("tcp"),
203+
RemoteManagedGroups: []infrav1.ManagedSecurityGroupName{"controlplane", "worker"},
204+
},
205+
},
206+
},
207+
},
208+
},
209+
wantErr: false,
210+
},
211+
{
212+
name: "Changing security group rules on the OpenStackCluster.Spec.ManagedSecurityGroups.WorkerNodesSecurityGroupRules is allowed",
213+
oldTemplate: &infrav1.OpenStackCluster{
214+
Spec: infrav1.OpenStackClusterSpec{
215+
IdentityRef: infrav1.OpenStackIdentityReference{
216+
Name: "foobar",
217+
CloudName: "foobar",
218+
},
219+
ManagedSecurityGroups: &infrav1.ManagedSecurityGroups{
220+
WorkerNodesSecurityGroupRules: []infrav1.SecurityGroupRuleSpec{
221+
{
222+
Name: "foobar",
223+
Description: ptr.To("foobar"),
224+
PortRangeMin: ptr.To(80),
225+
PortRangeMax: ptr.To(80),
226+
Protocol: ptr.To("tcp"),
227+
RemoteManagedGroups: []infrav1.ManagedSecurityGroupName{"worker"},
228+
},
229+
},
230+
},
231+
},
232+
},
233+
newTemplate: &infrav1.OpenStackCluster{
234+
Spec: infrav1.OpenStackClusterSpec{
235+
IdentityRef: infrav1.OpenStackIdentityReference{
236+
Name: "foobar",
237+
CloudName: "foobar",
238+
},
239+
ManagedSecurityGroups: &infrav1.ManagedSecurityGroups{
240+
WorkerNodesSecurityGroupRules: []infrav1.SecurityGroupRuleSpec{
241+
{
242+
Name: "foobar",
243+
Description: ptr.To("foobar"),
244+
PortRangeMin: ptr.To(80),
245+
PortRangeMax: ptr.To(80),
246+
Protocol: ptr.To("tcp"),
247+
RemoteManagedGroups: []infrav1.ManagedSecurityGroupName{"worker", "controlplane"},
248+
},
249+
},
250+
},
251+
},
252+
},
253+
wantErr: false,
254+
},
167255
{
168256
name: "Changing CIDRs on the OpenStackCluster.Spec.APIServerLoadBalancer.AllowedCIDRs is allowed",
169257
oldTemplate: &infrav1.OpenStackCluster{

0 commit comments

Comments
 (0)