Support VPC security group for PowerVS clusters

kubernetes-sigs · May 16, 2024 · c417314 · c417314
1 parent 6b29c90
commit c417314
Show file tree

Hide file tree

Showing 14 changed files with 1,447 additions and 12 deletions.
diff --git a/api/v1beta1/zz_generated.conversion.go b/api/v1beta1/zz_generated.conversion.go
diff --git a/api/v1beta2/conditions_consts.go b/api/v1beta2/conditions_consts.go
@@ -85,6 +85,11 @@ const (
 	// NetworkReconciliationFailedReason used when an error occurs during network reconciliation.
 	NetworkReconciliationFailedReason = "NetworkReconciliationFailed"
 
+	// VPCSecurityGroupReadyCondition reports on the successful reconciliation of a VPC.
+	VPCSecurityGroupReadyCondition capiv1beta1.ConditionType = "VPCSecurityGroupReady"
+	// VPCSecurityGroupReconciliationFailedReason used when an error occurs during VPC reconciliation.
+	VPCSecurityGroupReconciliationFailedReason = "VPCSecurityGroupReconciliationFailed"
+
 	// VPCReadyCondition reports on the successful reconciliation of a VPC.
 	VPCReadyCondition capiv1beta1.ConditionType = "VPCReady"
 	// VPCReconciliationFailedReason used when an error occurs during VPC reconciliation.

diff --git a/api/v1beta2/ibmpowervscluster_types.go b/api/v1beta2/ibmpowervscluster_types.go
@@ -103,6 +103,10 @@ type IBMPowerVSClusterSpec struct {
 	// +optional
 	VPCSubnets []Subnet `json:"vpcSubnets,omitempty"`
 
+	// VPCSecurityGroups to attach it to the VPC resource
+	// +optional
+	VPCSecurityGroups []SecurityGroup `json:"vpcSecurityGroups,omitempty"`
+
 	// transitGateway contains information about IBM Cloud TransitGateway
 	// IBM Cloud TransitGateway helps in establishing network connectivity between IBM Cloud Power VS and VPC infrastructure
 	// more information about TransitGateway can be found here https://www.ibm.com/products/transit-gateway.
@@ -200,6 +204,9 @@ type IBMPowerVSClusterStatus struct {
 	// vpcSubnet is reference to IBM Cloud VPC subnet.
 	VPCSubnet map[string]ResourceReference `json:"vpcSubnet,omitempty"`
 
+	// vpcSecurityGroups is reference to IBM Cloud VPC security group.
+	VPCSecurityGroups map[string]VPCSecurityGroupStatus `json:"vpcSecurityGroups,omitempty"`
+
 	// transitGateway is reference to IBM Cloud TransitGateway.
 	TransitGateway *ResourceReference `json:"transitGateway,omitempty"`
 

diff --git a/api/v1beta2/ibmvpccluster_types.go b/api/v1beta2/ibmvpccluster_types.go
@@ -93,6 +93,17 @@ type AdditionalListenerSpec struct {
 	Port int64 `json:"port"`
 }
 
+// VPCSecurityGroupStatus defines a vpc security group resource status with its id and respective rule's ids.
+type VPCSecurityGroupStatus struct {
+	// id represents the id of the resource.
+	ID *string `json:"id,omitempty"`
+	// rules contains the id of rules created under the security group
+	RuleIDs []*string `json:"ruleIDs,omitempty"`
+	// +kubebuilder:default=false
+	// controllerCreated indicates whether the resource is created by the controller.
+	ControllerCreated *bool `json:"controllerCreated,omitempty"`
+}
+
 // VPCLoadBalancerStatus defines the status VPC load balancer.
 type VPCLoadBalancerStatus struct {
 	// id of VPC load balancer.

diff --git a/api/v1beta2/types.go b/api/v1beta2/types.go
@@ -232,18 +232,18 @@ const (
 // For example:
 // - any - Any source or destination (0.0.0.0/0)
 // - cidr - A CIDR representing a set of IP's (10.0.0.0/28)
-// - ip - A specific IP address (192.168.0.1)
+// - address - A specific address (192.168.0.1)
 // - sg - A Security Group.
-// +kubebuilder:validation:Enum=any;cidr;ip;sg
+// +kubebuilder:validation:Enum=any;cidr;address;sg
 type SecurityGroupRuleRemoteType string
 
 const (
 	// SecurityGroupRuleRemoteTypeAny defines the destination or source for the Rule is anything/anywhere.
 	SecurityGroupRuleRemoteTypeAny SecurityGroupRuleRemoteType = SecurityGroupRuleRemoteType("any")
 	// SecurityGroupRuleRemoteTypeCIDR defines the destination or source for the Rule is a CIDR block.
 	SecurityGroupRuleRemoteTypeCIDR SecurityGroupRuleRemoteType = SecurityGroupRuleRemoteType("cidr")
-	// SecurityGroupRuleRemoteTypeIP defines the destination or source for the Rule is an IP address.
-	SecurityGroupRuleRemoteTypeIP SecurityGroupRuleRemoteType = SecurityGroupRuleRemoteType("ip")
+	// SecurityGroupRuleRemoteTypeAddress defines the destination or source for the Rule is an address.
+	SecurityGroupRuleRemoteTypeAddress SecurityGroupRuleRemoteType = SecurityGroupRuleRemoteType("address")
 	// SecurityGroupRuleRemoteTypeSG defines the destination or source for the Rule is a VPC Security Group.
 	SecurityGroupRuleRemoteTypeSG SecurityGroupRuleRemoteType = SecurityGroupRuleRemoteType("sg")
 )
@@ -328,20 +328,20 @@ type SecurityGroupRule struct {
 
 // SecurityGroupRuleRemote defines a VPC Security Group Rule's remote details.
 // The type of remote defines the additional remote details where are used for defining the remote.
-// +kubebuilder:validation:XValidation:rule="self.remoteType == 'any' ? (!has(self.cidrSubnetName) && !has(self.ip) && !has(self.securityGroupName)) : true",message="cidrSubnetName, ip, and securityGroupName are not valid for SecurityGroupRuleRemoteTypeAny remoteType"
-// +kubebuilder:validation:XValidation:rule="self.remoteType == 'cidr' ? (has(self.cidrSubnetName) && !has(self.ip) && !has(self.securityGroupName)) : true",message="only cidrSubnetName is valid for SecurityGroupRuleRemoteTypeCIDR remoteType"
-// +kubebuilder:validation:XValidation:rule="self.remoteType == 'ip' ? (has(self.ip) && !has(self.cidrSubnetName) && !has(self.securityGroupName)) : true",message="only ip is valid for SecurityGroupRuleRemoteTypeIP remoteType"
-// +kubebuilder:validation:XValidation:rule="self.remoteType == 'sg' ? (has(self.securityGroupName) && !has(self.cidrSubnetName) && !has(self.ip)) : true",message="only securityGroupName is valid for SecurityGroupRuleRemoteTypeSG remoteType"
+// +kubebuilder:validation:XValidation:rule="self.remoteType == 'any' ? (!has(self.cidrSubnetName) && !has(self.address) && !has(self.securityGroupName)) : true",message="cidrSubnetName, addresss, and securityGroupName are not valid for SecurityGroupRuleRemoteTypeAny remoteType"
+// +kubebuilder:validation:XValidation:rule="self.remoteType == 'cidr' ? (has(self.cidrSubnetName) && !has(self.address) && !has(self.securityGroupName)) : true",message="only cidrSubnetName is valid for SecurityGroupRuleRemoteTypeCIDR remoteType"
+// +kubebuilder:validation:XValidation:rule="self.remoteType == 'address' ? (has(self.address) && !has(self.cidrSubnetName) && !has(self.securityGroupName)) : true",message="only address is valid for SecurityGroupRuleRemoteTypeIP remoteType"
+// +kubebuilder:validation:XValidation:rule="self.remoteType == 'sg' ? (has(self.securityGroupName) && !has(self.cidrSubnetName) && !has(self.address)) : true",message="only securityGroupName is valid for SecurityGroupRuleRemoteTypeSG remoteType"
 type SecurityGroupRuleRemote struct {
 	// cidrSubnetName is the name of the VPC Subnet to retrieve the CIDR from, to use for the remote's destination/source.
 	// Only used when remoteType is SecurityGroupRuleRemoteTypeCIDR.
 	// +optional
 	CIDRSubnetName *string `json:"cidrSubnetName,omitempty"`
 
-	// ip is the IP to use for the remote's destination/source.
+	//  address is the address to use for the remote's destination/source.
 	// Only used when remoteType is SecurityGroupRuleRemoteTypeIP.
 	// +optional
-	IP *string `json:"ip,omitempty"`
+	Address *string `json:"address,omitempty"`
 
 	// remoteType defines the type of filter to define for the remote's destination/source.
 	// +required

diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go