add initial pass for e2e test suite for hcp

Signed-off-by: Bharath Nallapeta <[email protected]>

Author: bnallapeta

Makefile

@@ -184,7 +184,10 @@ e2e-templates: $(addprefix $(E2E_NO_ARTIFACT_TEMPLATES_DIR)/, \
 		 cluster-template-flatcar.yaml \
                  cluster-template-k8s-upgrade.yaml \
 		 cluster-template-flatcar-sysext.yaml \
-		 cluster-template-no-bastion.yaml)
+		 cluster-template-no-bastion.yaml \
+		 cluster-template-hcp-management.yaml \
+		 cluster-template-hcp-workload.yaml \
+		 cluster-template-hcp-broken.yaml)
 # Currently no templates that require CI artifacts
 # $(addprefix $(E2E_TEMPLATES_DIR)/, add-templates-here.yaml) \
 
@@ -236,6 +239,16 @@ test-conformance: $(GINKGO) e2e-prerequisites ## Run clusterctl based conformanc
 test-conformance-fast: ## Run clusterctl based conformance test on workload cluster (requires Docker) using a subset of the conformance suite in parallel.
 	$(MAKE) test-conformance CONFORMANCE_E2E_ARGS="-kubetest.config-file=$(KUBETEST_FAST_CONF_PATH) -kubetest.ginkgo-nodes=5 $(E2E_ARGS)"
 
+HCP_E2E_ARGS ?=
+HCP_E2E_ARGS += $(E2E_ARGS)
+.PHONY: test-hcp
+test-hcp: $(GINKGO) e2e-prerequisites ## Run HCP (Hosted Control Plane) e2e tests
+	time $(GINKGO) -fail-fast -trace -timeout=3h -show-node-events -v -tags=e2e -nodes=$(E2E_GINKGO_PARALLEL) \
+		--output-dir="$(ARTIFACTS)" --junit-report="junit.hcp_suite.1.xml" \
+		-focus="$(E2E_GINKGO_FOCUS)" $(_SKIP_ARGS) $(E2E_GINKGO_ARGS) ./test/e2e/suites/hcp/... -- \
+			-config-path="$(E2E_CONF_PATH)" -artifacts-folder="$(ARTIFACTS)" \
+			-data-folder="$(E2E_DATA_DIR)" $(HCP_E2E_ARGS)
+
 
 
 APIDIFF_OLD_COMMIT ?= $(shell git rev-parse origin/main)

controllers/openstackmachine_controller_test.go

@@ -261,3 +261,153 @@ func TestGetPortIDs(t *testing.T) {
 		})
 	}
 }
+
+func TestOpenStackMachineSpecToOpenStackServerSpec_NilNetworkCases(t *testing.T) {
+	identityRef := infrav1.OpenStackIdentityReference{
+		Name:      "foo",
+		CloudName: "my-cloud",
+	}
+	image := infrav1.ImageParam{Filter: &infrav1.ImageFilter{Name: ptr.To("my-image")}}
+	tags := []string{"tag1", "tag2"}
+	userData := &corev1.LocalObjectReference{Name: "server-data-secret"}
+
+	tests := []struct {
+		name                 string
+		openStackCluster     *infrav1.OpenStackCluster
+		spec                 *infrav1.OpenStackMachineSpec
+		expectedDefaultNetID string
+		expectedPorts        []infrav1.PortOpts
+		description          string
+	}{
+		{
+			name: "Empty cluster network ID, machine defines explicit ports",
+			openStackCluster: &infrav1.OpenStackCluster{
+				Spec: infrav1.OpenStackClusterSpec{
+					ManagedSecurityGroups: &infrav1.ManagedSecurityGroups{},
+				},
+				Status: infrav1.OpenStackClusterStatus{
+					Network: &infrav1.NetworkStatusWithSubnets{
+						NetworkStatus: infrav1.NetworkStatus{
+							ID: "", // Empty network ID
+						},
+					},
+					WorkerSecurityGroup: &infrav1.SecurityGroupStatus{
+						ID: workerSecurityGroupUUID,
+					},
+				},
+			},
+			spec: &infrav1.OpenStackMachineSpec{
+				Flavor: ptr.To(flavorName),
+				Image:  image,
+				Ports: []infrav1.PortOpts{{
+					Network: &infrav1.NetworkParam{ID: ptr.To(networkUUID)},
+				}},
+			},
+			expectedDefaultNetID: "", // Empty because cluster network ID is empty
+			expectedPorts: []infrav1.PortOpts{{
+				Network: &infrav1.NetworkParam{ID: ptr.To(networkUUID)},
+				SecurityGroups: []infrav1.SecurityGroupParam{{
+					ID: ptr.To(workerSecurityGroupUUID),
+				}},
+			}},
+			description: "Should work when cluster has empty network ID but machine defines ports",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Verify the default network ID extraction logic
+			var defaultNetworkID string
+			if tt.openStackCluster.Status.Network != nil {
+				defaultNetworkID = tt.openStackCluster.Status.Network.ID
+			}
+
+			if defaultNetworkID != tt.expectedDefaultNetID {
+				t.Errorf("Expected defaultNetworkID = %q, got %q", tt.expectedDefaultNetID, defaultNetworkID)
+			}
+
+			// Test the spec conversion
+			var managedSecurityGroupID *string
+			if tt.openStackCluster.Status.WorkerSecurityGroup != nil {
+				managedSecurityGroupID = &tt.openStackCluster.Status.WorkerSecurityGroup.ID
+			}
+
+			spec := openStackMachineSpecToOpenStackServerSpec(
+				tt.spec,
+				identityRef,
+				tags,
+				"", // failureDomain
+				userData,
+				managedSecurityGroupID,
+				defaultNetworkID,
+			)
+
+			if !reflect.DeepEqual(spec.Ports, tt.expectedPorts) {
+				t.Errorf("Expected ports = %+v, got %+v", tt.expectedPorts, spec.Ports)
+			}
+		})
+	}
+}
+
+func TestValidateNetworkConfiguration(t *testing.T) {
+	tests := []struct {
+		name              string
+		clusterNetworkID  string
+		machinePortsCount int
+		expectError       bool
+		expectedErrorMsg  string
+		description       string
+	}{
+		{
+			name:              "Valid: cluster has network, machine has no explicit ports",
+			clusterNetworkID:  networkUUID,
+			machinePortsCount: 0,
+			expectError:       false,
+			description:       "Should succeed when cluster provides default network",
+		},
+		{
+			name:              "Valid: no cluster network, machine defines explicit ports",
+			clusterNetworkID:  "",
+			machinePortsCount: 1,
+			expectError:       false,
+			description:       "Should succeed when machine defines its own networking",
+		},
+		{
+			name:              "Invalid: no cluster network, no machine ports",
+			clusterNetworkID:  "",
+			machinePortsCount: 0,
+			expectError:       true,
+			expectedErrorMsg:  "no network configured: cluster network is missing and machine spec does not define ports with a network",
+			description:       "Should fail with terminal error when no networking is configured anywhere",
+		},
+		{
+			name:              "Valid: cluster network and machine ports both defined",
+			clusterNetworkID:  networkUUID,
+			machinePortsCount: 2,
+			expectError:       false,
+			description:       "Should succeed when both cluster and machine define networking",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Simulate the validation logic from the controller
+			hasClusterNetwork := tt.clusterNetworkID != ""
+			hasMachinePorts := tt.machinePortsCount > 0
+
+			shouldFail := !hasClusterNetwork && !hasMachinePorts
+
+			if shouldFail != tt.expectError {
+				t.Errorf("Expected error: %v, but validation result: %v", tt.expectError, shouldFail)
+			}
+
+			if tt.expectError && shouldFail {
+				// In the real controller, this would be a terminal error
+				actualError := "no network configured: cluster network is missing and machine spec does not define ports with a network"
+				if actualError != tt.expectedErrorMsg {
+					t.Errorf("Expected error message: %q, got: %q", tt.expectedErrorMsg, actualError)
+				}
+			}
+		})
+	}
+}

pkg/cloud/services/networking/securitygroups.go

@@ -20,6 +20,7 @@ import (
 	"errors"
 	"fmt"
 	"slices"
+	"strings"
 
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/attributestags"
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/security/groups"
@@ -564,6 +565,11 @@ func (s *Service) createRule(securityGroupID string, r resolvedSecurityGroupRule
 	s.scope.Logger().V(6).Info("Creating rule", "description", r.Description, "direction", dir, "portRangeMin", r.PortRangeMin, "portRangeMax", r.PortRangeMax, "proto", proto, "etherType", etherType, "remoteGroupID", r.RemoteGroupID, "remoteIPPrefix", r.RemoteIPPrefix, "securityGroupID", securityGroupID)
 	_, err := s.client.CreateSecGroupRule(createOpts)
 	if err != nil {
+		// Handle HTTP 409 (SecurityGroupRuleExists) as success - the rule already exists
+		if strings.Contains(err.Error(), "SecurityGroupRuleExists") || strings.Contains(err.Error(), "already exists") {
+			s.scope.Logger().V(4).Info("Security group rule already exists, treating as success", "description", r.Description, "securityGroupID", securityGroupID)
+			return nil
+		}
 		return err
 	}
 	return nil

test/e2e/data/e2e_conf.yaml

@@ -93,6 +93,7 @@ providers:
     - old: "--leader-elect"
       new: "--leader-elect=false\n        - --sync-period=1m"
 
+
 - name: openstack
   type: InfrastructureProvider
   versions:
@@ -182,6 +183,15 @@ variables:
   CNI: "../../data/cni/calico.yaml"
   CCM: "../../data/ccm/cloud-controller-manager.yaml"
   EXP_CLUSTER_RESOURCE_SET: "true"
+  # HCP/Kamaji configuration
+  KAMAJI_VERSION: "edge-25.7.1"
+  KAMAJI_NAMESPACE: "kamaji-system"
+  CLUSTER_DATASTORE: "default"
+  HCP_SERVICE_TYPE: "LoadBalancer"
+  HCP_CPU_LIMIT: "1000m"
+  HCP_MEMORY_LIMIT: "1Gi"
+  HCP_CPU_REQUEST: "100m"
+  HCP_MEMORY_REQUEST: "300Mi"
   OPENSTACK_BASTION_IMAGE_NAME: "cirros-0.6.1-x86_64-disk"
   OPENSTACK_BASTION_IMAGE_URL: https://storage.googleapis.com/artifacts.k8s-staging-capi-openstack.appspot.com/test/cirros/2022-12-05/cirros-0.6.1-x86_64-disk.img
   OPENSTACK_BASTION_IMAGE_HASH: 0c839612eb3f2469420f2ccae990827f
@@ -234,3 +244,4 @@ intervals:
   default/wait-machine-remediation: ["10m", "10s"]
   default/wait-image-create: ["15m", "10s"]
   default/wait-image-delete: ["2m", "10s"]
+  default/wait-daemonset: ["10m", "30s"]

test/e2e/data/kustomize/hcp-broken/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../default
+
+namePrefix: hcp-broken-
+
+patchesStrategicMerge:
+- patch-broken-networking.yaml

test/e2e/data/kustomize/hcp-broken/patch-broken-networking.yaml

@@ -0,0 +1,20 @@
+---
+# This patch removes networking configuration from OpenStackCluster
+# to test graceful failure scenarios when cluster network is missing
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: OpenStackCluster
+metadata:
+  name: ${CLUSTER_NAME}
+spec:
+  # Remove managedSubnets to simulate missing network configuration
+  managedSubnets: []
+  # Remove managedSecurityGroups to further test edge cases
+  managedSecurityGroups: null
+  # Keep other required configuration
+  apiServerLoadBalancer:
+    enabled: true
+  externalNetwork:
+    id: ${OPENSTACK_EXTERNAL_NETWORK_ID}
+  identityRef:
+    cloudName: ${OPENSTACK_CLOUD}
+    name: ${CLUSTER_NAME}-cloud-config

test/e2e/data/kustomize/hcp-management/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# Use same base resources as default but with our own component overrides
+resources:
+- ../../../../../kustomize/v1beta1/default
+
+# Override components to use existing images instead of downloading
+components:
+- ../common-patches/cluster
+- ../common-patches/cni
+- ../upgrade-patches
+- ../common-patches/ccm
+- ../common-patches/externalNetworkByName
+- ../common-patches/images-without-ref  # Use existing images instead of ORC download
+
+patchesStrategicMerge:
+- patch-management-cluster.yaml

test/e2e/data/kustomize/hcp-management/patch-management-cluster.yaml

@@ -0,0 +1,84 @@
+---
+# Patch the Cluster to ensure it has sufficient resources for HCP hosting
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: ${CLUSTER_NAME}
+spec:
+  clusterNetwork:
+    pods:
+      cidrBlocks:
+      - 10.244.0.0/16  # Different CIDR to avoid conflicts with workload clusters
+    services:
+      cidrBlocks:
+      - 10.96.0.0/12   # Different service CIDR
+---
+# Patch the OpenStackCluster to ensure robust networking for HCP
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: OpenStackCluster
+metadata:
+  name: ${CLUSTER_NAME}
+spec:
+  managedSubnets:
+  - cidr: 10.10.0.0/24  # Larger management network
+    dnsNameservers:
+    - ${OPENSTACK_DNS_NAMESERVERS}
+  managedSecurityGroups:
+    allNodesSecurityGroupRules:
+    - description: Created by cluster-api-provider-openstack - BGP (calico)
+      direction: ingress
+      etherType: IPv4
+      name: BGP (Calico)
+      portRangeMax: 179
+      portRangeMin: 179
+      protocol: tcp
+      remoteManagedGroups:
+      - controlplane
+      - worker
+    - description: Created by cluster-api-provider-openstack - IP-in-IP (calico)
+      direction: ingress
+      etherType: IPv4
+      name: IP-in-IP (calico)
+      protocol: "4"
+      remoteManagedGroups:
+      - controlplane
+      - worker
+    # Additional security group rules for HCP hosting
+    - description: Created by cluster-api-provider-openstack - Kamaji API Server
+      direction: ingress
+      etherType: IPv4
+      name: Kamaji API Server
+      portRangeMax: 6443
+      portRangeMin: 6443
+      protocol: tcp
+      remoteManagedGroups:
+      - controlplane
+      - worker
+    - description: Created by cluster-api-provider-openstack - Kamaji etcd
+      direction: ingress
+      etherType: IPv4
+      name: Kamaji etcd
+      portRangeMax: 2380
+      portRangeMin: 2379
+      protocol: tcp
+      remoteManagedGroups:
+      - controlplane
+      - worker
+---
+# Patch the control plane to use larger instances for HCP hosting
+apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+kind: KubeadmControlPlane
+metadata:
+  name: ${CLUSTER_NAME}-control-plane
+spec:
+  replicas: ${CONTROL_PLANE_MACHINE_COUNT:-3}  # Default to 3 for HA
+---
+# Patch the control plane machine template for larger flavor
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: OpenStackMachineTemplate
+metadata:
+  name: ${CLUSTER_NAME}-control-plane
+spec:
+  template:
+    spec:
+      flavor: ${OPENSTACK_CONTROL_PLANE_MACHINE_FLAVOR:-m1.large}  # Larger default for HCP hosting