AllNodes security groups API

Co-Authored-By: Emilien Macchi <[email protected]> Co-Authored-By: Matthew Booth <[email protected]>
kubernetes-sigs · Feb 19, 2024 · e2f1d46 · e2f1d46
1 parent 1b320cb
commit e2f1d46
Show file tree

Hide file tree

Showing 34 changed files with 2,177 additions and 572 deletions.
diff --git a/api/v1alpha5/conversion.go b/api/v1alpha5/conversion.go
@@ -20,6 +20,7 @@ import (
 	"strings"
 
 	conversion "k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/utils/pointer"
 	utilconversion "sigs.k8s.io/cluster-api/util/conversion"
 	ctrlconversion "sigs.k8s.io/controller-runtime/pkg/conversion"
 
@@ -209,6 +210,10 @@ func Convert_v1alpha8_OpenStackClusterSpec_To_v1alpha5_OpenStackClusterSpec(in *
 		}
 	}
 
+	if in.ManagedSecurityGroups != nil {
+		out.ManagedSecurityGroups = true
+	}
+
 	return nil
 }
 
@@ -243,6 +248,13 @@ func Convert_v1alpha5_OpenStackClusterSpec_To_v1alpha8_OpenStackClusterSpec(in *
 	}
 	// We're dropping DNSNameservers even if these were set as without NodeCIDR it doesn't make sense.
 
+	if in.ManagedSecurityGroups {
+		out.ManagedSecurityGroups = &infrav1.ManagedSecurityGroups{}
+		if !in.AllowAllInClusterTraffic {
+			out.ManagedSecurityGroups.AllNodesSecurityGroupRules = infrav1.LegacyCalicoSecurityGroupRules()
+		}
+	}
+
 	return nil
 }
 
@@ -554,3 +566,58 @@ func Convert_v1alpha5_Bastion_To_v1alpha8_Bastion(in *Bastion, out *infrav1.Bast
 	in.Instance.FloatingIP = out.FloatingIP
 	return nil
 }
+
+func Convert_v1alpha8_SecurityGroupStatus_To_v1alpha5_SecurityGroup(in *infrav1.SecurityGroupStatus, out *SecurityGroup, s conversion.Scope) error { //nolint:revive
+	out.ID = in.ID
+	out.Name = in.Name
+	out.Rules = make([]SecurityGroupRule, len(in.Rules))
+	for i, rule := range in.Rules {
+		out.Rules[i] = SecurityGroupRule{
+			ID:        rule.ID,
+			Direction: rule.Direction,
+		}
+		if rule.Description != nil {
+			out.Rules[i].Description = *rule.Description
+		}
+		if rule.EtherType != nil {
+			out.Rules[i].EtherType = *rule.EtherType
+		}
+		if rule.PortRangeMin != nil {
+			out.Rules[i].PortRangeMin = *rule.PortRangeMin
+		}
+		if rule.PortRangeMax != nil {
+			out.Rules[i].PortRangeMax = *rule.PortRangeMax
+		}
+		if rule.Protocol != nil {
+			out.Rules[i].Protocol = *rule.Protocol
+		}
+		if rule.RemoteGroupID != nil {
+			out.Rules[i].RemoteGroupID = *rule.RemoteGroupID
+		}
+		if rule.RemoteIPPrefix != nil {
+			out.Rules[i].RemoteIPPrefix = *rule.RemoteIPPrefix
+		}
+	}
+	return nil
+}
+
+func Convert_v1alpha5_SecurityGroup_To_v1alpha8_SecurityGroupStatus(in *SecurityGroup, out *infrav1.SecurityGroupStatus, s conversion.Scope) error { //nolint:revive
+	out.ID = in.ID
+	out.Name = in.Name
+	out.Rules = make([]infrav1.SecurityGroupRuleStatus, len(in.Rules))
+	for i, rule := range in.Rules {
+		out.Rules[i] = infrav1.SecurityGroupRuleStatus{
+			ID:             rule.ID,
+			Description:    pointer.String(rule.Description),
+			Direction:      rule.Direction,
+			EtherType:      pointer.String(rule.EtherType),
+			PortRangeMin:   pointer.Int(rule.PortRangeMin),
+			PortRangeMax:   pointer.Int(rule.PortRangeMax),
+			Protocol:       pointer.String(rule.Protocol),
+			RemoteGroupID:  pointer.String(rule.RemoteGroupID),
+			RemoteIPPrefix: pointer.String(rule.RemoteIPPrefix),
+		}
+	}
+
+	return nil
+}
diff --git a/api/v1alpha5/conversion_test.go b/api/v1alpha5/conversion_test.go
@@ -49,7 +49,7 @@ func TestConvertFrom(t *testing.T) {
 				Spec: OpenStackClusterSpec{},
 				ObjectMeta: metav1.ObjectMeta{
 					Annotations: map[string]string{
-						"cluster.x-k8s.io/conversion-data": "{\"spec\":{\"allowAllInClusterTraffic\":false,\"apiServerLoadBalancer\":{},\"cloudName\":\"\",\"controlPlaneEndpoint\":{\"host\":\"\",\"port\":0},\"disableAPIServerFloatingIP\":false,\"disableExternalNetwork\":false,\"externalNetwork\":{},\"managedSecurityGroups\":false,\"network\":{}},\"status\":{\"ready\":false}}",
+						"cluster.x-k8s.io/conversion-data": "{\"spec\":{\"allowAllInClusterTraffic\":false,\"apiServerLoadBalancer\":{},\"cloudName\":\"\",\"controlPlaneEndpoint\":{\"host\":\"\",\"port\":0},\"disableAPIServerFloatingIP\":false,\"disableExternalNetwork\":false,\"externalNetwork\":{},\"managedSecurityGroups\":null,\"network\":{}},\"status\":{\"ready\":false}}",
 					},
 				},
 			},
@@ -64,7 +64,7 @@ func TestConvertFrom(t *testing.T) {
 				Spec: OpenStackClusterTemplateSpec{},
 				ObjectMeta: metav1.ObjectMeta{
 					Annotations: map[string]string{
-						"cluster.x-k8s.io/conversion-data": "{\"spec\":{\"template\":{\"spec\":{\"allowAllInClusterTraffic\":false,\"apiServerLoadBalancer\":{},\"cloudName\":\"\",\"controlPlaneEndpoint\":{\"host\":\"\",\"port\":0},\"disableAPIServerFloatingIP\":false,\"disableExternalNetwork\":false,\"externalNetwork\":{},\"managedSecurityGroups\":false,\"network\":{}}}}}",
+						"cluster.x-k8s.io/conversion-data": "{\"spec\":{\"template\":{\"spec\":{\"allowAllInClusterTraffic\":false,\"apiServerLoadBalancer\":{},\"cloudName\":\"\",\"controlPlaneEndpoint\":{\"host\":\"\",\"port\":0},\"disableAPIServerFloatingIP\":false,\"disableExternalNetwork\":false,\"externalNetwork\":{},\"managedSecurityGroups\":null,\"network\":{}}}}}",
 					},
 				},
 			},
@@ -109,3 +109,50 @@ func TestConvertFrom(t *testing.T) {
 		})
 	}
 }
+
+func TestConvert_v1alpha5_OpenStackClusterSpec_To_v1alpha8_OpenStackClusterSpec(t *testing.T) {
+	tests := []struct {
+		name        string
+		in          *OpenStackClusterSpec
+		expectedOut *infrav1.OpenStackClusterSpec
+	}{
+		{
+			name:        "empty",
+			in:          &OpenStackClusterSpec{},
+			expectedOut: &infrav1.OpenStackClusterSpec{},
+		},
+		{
+			name: "with managed security groups and not allow all in cluster traffic",
+			in: &OpenStackClusterSpec{
+				ManagedSecurityGroups:    true,
+				AllowAllInClusterTraffic: false,
+			},
+			expectedOut: &infrav1.OpenStackClusterSpec{
+				ManagedSecurityGroups: &infrav1.ManagedSecurityGroups{
+					AllNodesSecurityGroupRules: infrav1.LegacyCalicoSecurityGroupRules(),
+				},
+			},
+		},
+		{
+			name: "with managed security groups and allow all in cluster traffic",
+			in: &OpenStackClusterSpec{
+				ManagedSecurityGroups:    true,
+				AllowAllInClusterTraffic: true,
+			},
+			expectedOut: &infrav1.OpenStackClusterSpec{
+				ManagedSecurityGroups:    &infrav1.ManagedSecurityGroups{},
+				AllowAllInClusterTraffic: true,
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := gomega.NewWithT(t)
+			out := &infrav1.OpenStackClusterSpec{}
+			err := Convert_v1alpha5_OpenStackClusterSpec_To_v1alpha8_OpenStackClusterSpec(tt.in, out, nil)
+			g.Expect(err).NotTo(gomega.HaveOccurred())
+			g.Expect(out).To(gomega.Equal(tt.expectedOut))
+		})
+	}
+}
diff --git a/api/v1alpha5/zz_generated.conversion.go b/api/v1alpha5/zz_generated.conversion.go