openstack: Validate additionalSecurityGroupIDs

Add a pre-flight check that verifies that the security groups listed in
the machine-pool property `additionalSecurityGroupIDs` actually exist on
the cloud.

Author: pierreprinetti

pkg/asset/installconfig/openstack/validation/cloudinfo.go

@@ -17,6 +17,7 @@ import (
 	"github.com/gophercloud/gophercloud/v2/openstack/image/v2/images"
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/layer3/floatingips"
 	networkquotasets "github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/quotas"
+	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/security/groups"
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/networks"
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/subnets"
 	azutils "github.com/gophercloud/utils/v2/openstack/compute/v2/availabilityzones"
@@ -47,6 +48,7 @@ type CloudInfo struct {
 	NetworkExtensions       []extensions.Extension
 	Quotas                  []quota.Quota
 	Networks                []string
+	SecurityGroups          []string
 
 	clients *clients
 }
@@ -244,6 +246,11 @@ func (ci *CloudInfo) collectInfo(ctx context.Context, ic *types.InstallConfig) e
 		return err
 	}
 
+	ci.SecurityGroups, err = ci.getSecurityGroups(ctx)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -321,6 +328,26 @@ func (ci *CloudInfo) getNetworks(ctx context.Context) ([]string, error) {
 	return networkIDs, nil
 }
 
+// getSecurityGroups returns all the security group IDs available on the cloud.
+func (ci *CloudInfo) getSecurityGroups(ctx context.Context) ([]string, error) {
+	pages, err := groups.List(ci.clients.networkClient, groups.ListOpts{}).AllPages(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	groups, err := groups.ExtractGroups(pages)
+	if err != nil {
+		return nil, err
+	}
+
+	sgIDs := make([]string, len(groups))
+	for i := range groups {
+		sgIDs[i] = groups[i].ID
+	}
+
+	return sgIDs, nil
+}
+
 func (ci *CloudInfo) getNetworkByName(ctx context.Context, networkName string) (*networks.Network, error) {
 	if networkName == "" {
 		return nil, nil

pkg/asset/installconfig/openstack/validation/machinepool.go

@@ -69,6 +69,7 @@ func ValidateMachinePool(p *openstack.MachinePool, ci *CloudInfo, controlPlane b
 	allErrs = append(allErrs, validateUUIDV4s(p.AdditionalNetworkIDs, fldPath.Child("additionalNetworkIDs"))...)
 	allErrs = append(allErrs, validateUUIDV4s(p.AdditionalSecurityGroupIDs, fldPath.Child("additionalSecurityGroupIDs"))...)
 	allErrs = append(allErrs, validateAdditionalNetworks(p.AdditionalNetworkIDs, ci.Networks, fldPath.Child("additionalNetworkIDs"))...)
+	allErrs = append(allErrs, validateAdditionalSecurityGroups(p.AdditionalSecurityGroupIDs, ci.SecurityGroups, fldPath.Child("additionalSecurityGroupIDs"))...)
 
 	return allErrs
 }
@@ -87,6 +88,20 @@ func validateAdditionalNetworks(additionalNetworkIDs, availableNetworks []string
 	return allErrs
 }
 
+func validateAdditionalSecurityGroups(additionalSecurityGroupIDs, availableSecurityGroups []string, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	sgSet := make(map[string]struct{}, len(availableSecurityGroups))
+	for i := range availableSecurityGroups {
+		sgSet[availableSecurityGroups[i]] = struct{}{}
+	}
+	for i, n := range additionalSecurityGroupIDs {
+		if _, ok := sgSet[n]; !ok {
+			allErrs = append(allErrs, field.Invalid(fldPath.Index(i), n, "Security group either does not exist in this cloud, or is not available"))
+		}
+	}
+	return allErrs
+}
+
 func validateZones(input []string, available []string, fldPath *field.Path) field.ErrorList {
 	// check if machinepool default
 	if len(input) == 1 && input[0] == "" {