PowerVC: Do not use Security Groups

hamzy · hamzy · commit cb223101d711 · 2025-11-19T08:57:07.000-06:00
PowerVC does not support OpenStack security groups.  Instead, they rely
on an external solution.
diff --git a/pkg/asset/machines/openstack/machines.go b/pkg/asset/machines/openstack/machines.go
@@ -63,7 +63,7 @@ func Machines(ctx context.Context, clusterID string, config *types.InstallConfig
 		providerSpec, err := generateProviderSpec(
 			ctx,
 			clusterID,
-			config.Platform.OpenStack,
+			config,
 			mpool,
 			osImage,
 			role,
@@ -102,7 +102,7 @@ func Machines(ctx context.Context, clusterID string, config *types.InstallConfig
 	machineSetProviderSpec, err := generateProviderSpec(
 		ctx,
 		clusterID,
-		config.Platform.OpenStack,
+		config,
 		mpool,
 		osImage,
 		role,
@@ -167,11 +167,13 @@ func Machines(ctx context.Context, clusterID string, config *types.InstallConfig
 	return machines, controlPlaneMachineSet, nil
 }
 
-func generateProviderSpec(ctx context.Context, clusterID string, platform *openstack.Platform, mpool *openstack.MachinePool, osImage string, role, userDataSecret string, failureDomain machinev1.OpenStackFailureDomain, configDrive *bool) (*machinev1alpha1.OpenstackProviderSpec, error) {
+func generateProviderSpec(ctx context.Context, clusterID string, config *types.InstallConfig, mpool *openstack.MachinePool, osImage string, role, userDataSecret string, failureDomain machinev1.OpenStackFailureDomain, configDrive *bool) (*machinev1alpha1.OpenstackProviderSpec, error) {
 	var controlPlaneNetwork machinev1alpha1.NetworkParam
 	additionalNetworks := make([]machinev1alpha1.NetworkParam, 0, len(mpool.AdditionalNetworkIDs))
 	primarySubnet := ""
 
+	platform := config.Platform.OpenStack
+
 	if platform.ControlPlanePort != nil {
 		var subnets []machinev1alpha1.SubnetParam
 		controlPlanePort := platform.ControlPlanePort
@@ -230,6 +232,9 @@ func generateProviderSpec(ctx context.Context, clusterID string, platform *opens
 			UUID: sg,
 		})
 	}
+	if config.Platform.Name() == powervc.Name {
+		securityGroups = nil
+	}
 
 	serverGroupName := clusterID + "-" + role
 	// We initially used the AZ name as part of the server group name for the masters
diff --git a/pkg/asset/machines/openstack/machinesets.go b/pkg/asset/machines/openstack/machinesets.go
@@ -66,7 +66,7 @@ func MachineSets(ctx context.Context, clusterID string, config *types.InstallCon
 		providerSpec, err := generateProviderSpec(
 			ctx,
 			clusterID,
-			config.Platform.OpenStack,
+			config,
 			mpool,
 			osImage,
 			role,
diff --git a/pkg/asset/machines/openstack/openstackmachines.go b/pkg/asset/machines/openstack/openstackmachines.go
@@ -44,7 +44,7 @@ func GenerateMachines(clusterID string, config *types.InstallConfig, pool *types
 		failureDomain := failureDomains[uint(idx)%uint(len(failureDomains))]
 		machineSpec, err := generateMachineSpec(
 			clusterID,
-			config.Platform.OpenStack,
+			config,
 			mpool,
 			osImage,
 			role,
@@ -114,7 +114,9 @@ func GenerateMachines(clusterID string, config *types.InstallConfig, pool *types
 	return result, nil
 }
 
-func generateMachineSpec(clusterID string, platform *openstack.Platform, mpool *openstack.MachinePool, osImage string, role string, failureDomain machinev1.OpenStackFailureDomain, configDrive *bool) (*capo.OpenStackMachineSpec, error) {
+func generateMachineSpec(clusterID string, config *types.InstallConfig, mpool *openstack.MachinePool, osImage string, role string, failureDomain machinev1.OpenStackFailureDomain, configDrive *bool) (*capo.OpenStackMachineSpec, error) {
+	platform := config.Platform.OpenStack
+
 	port := capo.PortOpts{}
 
 	addressPairs := populateAllowedAddressPairs(platform)
@@ -177,6 +179,10 @@ func generateMachineSpec(clusterID string, platform *openstack.Platform, mpool *
 		securityGroups = append(securityGroups, capo.SecurityGroupParam{ID: &mpool.AdditionalSecurityGroupIDs[i]})
 	}
 
+	if config.Platform.Name() == powervc.Name {
+		securityGroups = nil
+	}
+
 	spec := capo.OpenStackMachineSpec{
 		Flavor: ptr.To(mpool.FlavorName),
 		IdentityRef: &capo.OpenStackIdentityReference{
diff --git a/pkg/infrastructure/openstack/clusterapi/clusterapi.go b/pkg/infrastructure/openstack/clusterapi/clusterapi.go
@@ -20,6 +20,7 @@ import (
 	"github.com/openshift/installer/pkg/infrastructure/openstack/preprovision"
 	"github.com/openshift/installer/pkg/rhcos"
 	"github.com/openshift/installer/pkg/types/openstack"
+	"github.com/openshift/installer/pkg/types/powervc"
 )
 
 // Provider defines the InfraProvider.
@@ -75,8 +76,10 @@ func (p Provider) PreProvision(ctx context.Context, in clusterapi.PreProvisionIn
 				break
 			}
 		}
-		if err := preprovision.SecurityGroups(ctx, installConfig, infraID, mastersSchedulable); err != nil {
-			return fmt.Errorf("failed to create security groups: %w", err)
+		if installConfig.Config.Platform.Name() != powervc.Name {
+			if err := preprovision.SecurityGroups(ctx, installConfig, infraID, mastersSchedulable); err != nil {
+				return fmt.Errorf("failed to create security groups: %w", err)
+			}
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ import (`
`20`	`20`	`"github.com/openshift/installer/pkg/infrastructure/openstack/preprovision"`
`21`	`21`	`"github.com/openshift/installer/pkg/rhcos"`
`22`	`22`	`"github.com/openshift/installer/pkg/types/openstack"`
	`23`	`+ "github.com/openshift/installer/pkg/types/powervc"`
`23`	`24`	`)`
`24`	`25`
`25`	`26`	`// Provider defines the InfraProvider.`
`@@ -75,8 +76,10 @@ func (p Provider) PreProvision(ctx context.Context, in clusterapi.PreProvisionIn`
`75`	`76`	`break`
`76`	`77`	`}`
`77`	`78`	`}`
`78`		`- if err := preprovision.SecurityGroups(ctx, installConfig, infraID, mastersSchedulable); err != nil {`
`79`		`- return fmt.Errorf("failed to create security groups: %w", err)`
	`79`	`+ if installConfig.Config.Platform.Name() != powervc.Name {`
	`80`	`+ if err := preprovision.SecurityGroups(ctx, installConfig, infraID, mastersSchedulable); err != nil {`
	`81`	`+ return fmt.Errorf("failed to create security groups: %w", err)`
	`82`	`+ }`
`80`	`83`	`}`
`81`	`84`	`}`
`82`	`85`