openstack: Fix security group tagging

pierreprinetti · pierreprinetti · commit 99b2307a7224 · 2024-07-22T14:07:54.000+02:00
Before this patch, we used the Neutron call to add tags to the newly
created security groups. However, that API doesn't accept tags
containing special characters such as slash (`/`), even when
url-encoded.

With this change, the security groups are tagged with an alternative API
call (replace-all-tags) which accepts the tags in a JSON object.
Apparently, Neutron accepts special characters (including slash) when
they come in a JSON object.
diff --git a/pkg/infrastructure/openstack/preprovision/securitygroups.go b/pkg/infrastructure/openstack/preprovision/securitygroups.go
@@ -64,7 +64,16 @@ func SecurityGroups(ctx context.Context, installConfig *installconfig.InstallCon
 			return fmt.Errorf("failed to create the Control plane security group: %w", err)
 		}
 
-		if err := attributestags.Add(ctx, networkClient, "security-groups", masterGroup.ID, "openshiftClusterID="+infraID).ExtractErr(); err != nil {
+		// The Neutron call to add a tag
+		// (https://docs.openstack.org/api-ref/network/v2/#add-a-tag)
+		// doesn't accept all special characters. Here we use the
+		// "replace-all-tags" call instead, because it accepts a more
+		// robust JSON body.
+		//
+		// see: https://bugzilla.redhat.com/show_bug.cgi?id=2299208
+		if _, err := attributestags.ReplaceAll(ctx, networkClient, "security-groups", masterGroup.ID, attributestags.ReplaceAllOpts{
+			Tags: []string{"openshiftClusterID=" + infraID},
+		}).Extract(); err != nil {
 			return fmt.Errorf("failed to tag the Control plane security group: %w", err)
 		}
 
@@ -76,7 +85,10 @@ func SecurityGroups(ctx context.Context, installConfig *installconfig.InstallCon
 			return fmt.Errorf("failed to create the Compute security group: %w", err)
 		}
 
-		if err := attributestags.Add(ctx, networkClient, "security-groups", workerGroup.ID, "openshiftClusterID="+infraID).ExtractErr(); err != nil {
+		// See comment above
+		if _, err := attributestags.ReplaceAll(ctx, networkClient, "security-groups", workerGroup.ID, attributestags.ReplaceAllOpts{
+			Tags: []string{"openshiftClusterID=" + infraID},
+		}).Extract(); err != nil {
 			return fmt.Errorf("failed to tag the Compute security group: %w", err)
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,16 @@ func SecurityGroups(ctx context.Context, installConfig *installconfig.InstallCon`
`64`	`64`	`return fmt.Errorf("failed to create the Control plane security group: %w", err)`
`65`	`65`	`}`
`66`	`66`
`67`		`- if err := attributestags.Add(ctx, networkClient, "security-groups", masterGroup.ID, "openshiftClusterID="+infraID).ExtractErr(); err != nil {`
	`67`	`+ // The Neutron call to add a tag`
	`68`	`+ // (https://docs.openstack.org/api-ref/network/v2/#add-a-tag)`
	`69`	`+ // doesn't accept all special characters. Here we use the`
	`70`	`+ // "replace-all-tags" call instead, because it accepts a more`
	`71`	`+ // robust JSON body.`
	`72`	`+ //`
	`73`	`+ // see: https://bugzilla.redhat.com/show_bug.cgi?id=2299208`
	`74`	`+ if _, err := attributestags.ReplaceAll(ctx, networkClient, "security-groups", masterGroup.ID, attributestags.ReplaceAllOpts{`
	`75`	`+ Tags: []string{"openshiftClusterID=" + infraID},`
	`76`	`+ }).Extract(); err != nil {`
`68`	`77`	`return fmt.Errorf("failed to tag the Control plane security group: %w", err)`
`69`	`78`	`}`
`70`	`79`
`@@ -76,7 +85,10 @@ func SecurityGroups(ctx context.Context, installConfig *installconfig.InstallCon`
`76`	`85`	`return fmt.Errorf("failed to create the Compute security group: %w", err)`
`77`	`86`	`}`
`78`	`87`
`79`		`- if err := attributestags.Add(ctx, networkClient, "security-groups", workerGroup.ID, "openshiftClusterID="+infraID).ExtractErr(); err != nil {`
	`88`	`+ // See comment above`
	`89`	`+ if _, err := attributestags.ReplaceAll(ctx, networkClient, "security-groups", workerGroup.ID, attributestags.ReplaceAllOpts{`
	`90`	`+ Tags: []string{"openshiftClusterID=" + infraID},`
	`91`	`+ }).Extract(); err != nil {`
`80`	`92`	`return fmt.Errorf("failed to tag the Compute security group: %w", err)`
`81`	`93`	`}`
`82`	`94`	`}`