Merge pull request #700 from zoltan0907/master

🐛 Add SecurityGroup to Loadbalancerport when not using octavia

Author: k8s-ci-robot

controllers/openstackcluster_controller.go

@@ -422,18 +422,18 @@ func (r *OpenStackClusterReconciler) reconcileNetworkComponents(log logr.Logger,
 		}
 	}
 
+	err = networkingService.ReconcileSecurityGroups(clusterName, openStackCluster)
+	if err != nil {
+		return errors.Errorf("failed to reconcile security groups: %v", err)
+	}
+
 	if openStackCluster.Spec.ManagedAPIServerLoadBalancer {
 		err = loadBalancerService.ReconcileLoadBalancer(clusterName, openStackCluster)
 		if err != nil {
 			return errors.Errorf("failed to reconcile load balancer: %v", err)
 		}
 	}
 
-	err = networkingService.ReconcileSecurityGroups(clusterName, openStackCluster)
-	if err != nil {
-		return errors.Errorf("failed to reconcile security groups: %v", err)
-	}
-
 	return nil
 }
 

pkg/cloud/services/loadbalancer/loadbalancer.go

@@ -19,17 +19,21 @@ package loadbalancer
 import (
 	"errors"
 	"fmt"
-	"github.com/go-logr/logr"
 	"time"
 
+	"github.com/go-logr/logr"
+	"k8s.io/apimachinery/pkg/util/wait"
+
 	"github.com/gophercloud/gophercloud"
 	"github.com/gophercloud/gophercloud/openstack/loadbalancer/v2/listeners"
 	"github.com/gophercloud/gophercloud/openstack/loadbalancer/v2/loadbalancers"
 	"github.com/gophercloud/gophercloud/openstack/loadbalancer/v2/monitors"
 	"github.com/gophercloud/gophercloud/openstack/loadbalancer/v2/pools"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/layer3/floatingips"
-	"k8s.io/apimachinery/pkg/util/wait"
+	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/security/groups"
+	"github.com/gophercloud/gophercloud/openstack/networking/v2/ports"
 	infrav1 "sigs.k8s.io/cluster-api-provider-openstack/api/v1alpha3"
+	"sigs.k8s.io/cluster-api-provider-openstack/pkg/cloud/services/networking"
 	"sigs.k8s.io/cluster-api-provider-openstack/pkg/record"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1alpha3"
 	"sigs.k8s.io/cluster-api/util"
@@ -61,6 +65,13 @@ func (s *Service) ReconcileLoadBalancer(clusterName string, openStackCluster *in
 		return err
 	}
 
+	if !openStackCluster.Spec.UseOctavia {
+		err := s.assignNeutronLbaasAPISecGroup(clusterName, lb)
+		if err != nil {
+			return err
+		}
+	}
+
 	fp, err := getOrCreateFloatingIP(s.networkingClient, openStackCluster, openStackCluster.Spec.ControlPlaneEndpoint.Host)
 	if err != nil {
 		return err
@@ -166,6 +177,36 @@ func (s *Service) ReconcileLoadBalancer(clusterName string, openStackCluster *in
 	return nil
 }
 
+func (s *Service) assignNeutronLbaasAPISecGroup(clusterName string, lb *loadbalancers.LoadBalancer) error {
+	neutronLbaasSecGroupName := networking.GetNeutronLBaasSecGroupName(clusterName)
+	listOpts := groups.ListOpts{
+		Name: neutronLbaasSecGroupName,
+	}
+	allPages, err := groups.List(s.networkingClient, listOpts).AllPages()
+	if err != nil {
+		return err
+	}
+
+	neutronLbaasGroups, err := groups.ExtractGroups(allPages)
+	if err != nil {
+		return err
+	}
+
+	if len(neutronLbaasGroups) != 1 {
+		return fmt.Errorf("error found %v securitygroups with name %v", len(neutronLbaasGroups), neutronLbaasSecGroupName)
+	}
+
+	updateOpts := ports.UpdateOpts{
+		SecurityGroups: &[]string{neutronLbaasGroups[0].ID},
+	}
+
+	_, err = ports.Update(s.networkingClient, lb.VipPortID, updateOpts).Extract()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 func (s *Service) ReconcileLoadBalancerMember(clusterName string, machine *clusterv1.Machine, openStackMachine *infrav1.OpenStackMachine, openStackCluster *infrav1.OpenStackCluster, ip string) error {
 	if !util.IsControlPlaneMachine(machine) {
 		return nil
@@ -186,7 +227,6 @@ func (s *Service) ReconcileLoadBalancerMember(clusterName string, machine *clust
 
 	lbID := openStackCluster.Status.Network.APIServerLoadBalancer.ID
 	subnetID := openStackCluster.Status.Network.Subnet.ID
-
 	portList := []int{int(openStackCluster.Spec.ControlPlaneEndpoint.Port)}
 	portList = append(portList, openStackCluster.Spec.APIServerLoadBalancerAdditionalPorts...)
 	for _, port := range portList {

pkg/cloud/services/loadbalancer/service.go

@@ -18,6 +18,7 @@ package loadbalancer
 
 import (
 	"fmt"
+
 	"github.com/go-logr/logr"
 
 	"github.com/gophercloud/gophercloud/openstack"

pkg/cloud/services/networking/securitygroups.go

@@ -31,6 +31,7 @@ const (
 	workerSuffix       string = "worker"
 	bastionSuffix      string = "bastion"
 	remoteGroupIDSelf  string = "self"
+	neutronLbaasSuffix string = "lbaas"
 )
 
 var defaultRules = []infrav1.SecurityGroupRule{
@@ -74,6 +75,11 @@ func (s *Service) ReconcileSecurityGroups(clusterName string, openStackCluster *
 		secGroupNames[bastionSuffix] = secBastionGroupName
 	}
 
+	if openStackCluster.Spec.ManagedAPIServerLoadBalancer && !openStackCluster.Spec.UseOctavia {
+		secLbaasGroupName := fmt.Sprintf("%s-cluster-%s-secgroup-%s", secGroupPrefix, clusterName, neutronLbaasSuffix)
+		secGroupNames[neutronLbaasSuffix] = secLbaasGroupName
+	}
+
 	//create security groups first, because desired rules use group ids.
 	for _, v := range secGroupNames {
 		if err := s.createSecurityGroupIfNotExists(openStackCluster, v); err != nil {
@@ -328,6 +334,44 @@ func (s *Service) generateDesiredSecGroups(secGroupNames map[string]string, open
 		}
 	}
 
+	if openStackCluster.Spec.ManagedAPIServerLoadBalancer && !openStackCluster.Spec.UseOctavia {
+		neutronLbaasRules := append(
+			[]infrav1.SecurityGroupRule{
+				{
+					Description:    "Kubernetes API",
+					Direction:      "ingress",
+					EtherType:      "IPv4",
+					PortRangeMin:   6443,
+					PortRangeMax:   6443,
+					Protocol:       "tcp",
+					RemoteIPPrefix: "0.0.0.0/0",
+				},
+			},
+			defaultRules...,
+		)
+		if openStackCluster.Spec.APIServerLoadBalancerAdditionalPorts != nil {
+			for _, value := range openStackCluster.Spec.APIServerLoadBalancerAdditionalPorts {
+				neutronLbaasRules = append(neutronLbaasRules,
+					[]infrav1.SecurityGroupRule{
+						{
+							Description:    "APIServerLoadBalancerAdditionalPorts",
+							Direction:      "ingress",
+							EtherType:      "IPv4",
+							PortRangeMin:   value,
+							PortRangeMax:   value,
+							Protocol:       "tcp",
+							RemoteIPPrefix: "0.0.0.0/0",
+						},
+					}...,
+				)
+			}
+		}
+		desiredSecGroups[neutronLbaasSuffix] = infrav1.SecurityGroup{
+			Name:  secGroupNames[neutronLbaasSuffix],
+			Rules: neutronLbaasRules,
+		}
+	}
+
 	desiredSecGroups[controlPlaneSuffix] = infrav1.SecurityGroup{
 		Name:  secGroupNames[controlPlaneSuffix],
 		Rules: controlPlaneRules,
@@ -531,3 +575,8 @@ func convertOSSecGroupRuleToConfigSecGroupRule(osSecGroupRule rules.SecGroupRule
 		RemoteIPPrefix:  osSecGroupRule.RemoteIPPrefix,
 	}
 }
+
+// GetNeutronLBaasSecGroupName export NeutronLBaasSecGroupName
+func GetNeutronLBaasSecGroupName(clusterName string) string {
+	return fmt.Sprintf("%s-cluster-%s-secgroup-%s", secGroupPrefix, clusterName, neutronLbaasSuffix)
+}