From 3008f927e7bf705654707829bed74e3a1b32443b Mon Sep 17 00:00:00 2001
From: Brent Eagles
Date: Fri, 22 Mar 2024 16:40:24 +0000
Subject: [PATCH] Fix a couple of router related issues.

Add missing negation of compare when reconciling router gateway info and change the IP range of the provider subnet to avoid conflicts with IPs allocated for pods and the macvlan master interfaces on the host. Also fixes the physical netork name and changes the provider network and routers to be created by the admin tenant. Requires https://github.com/openstack-k8s-operators/install_yamls/pull/788
---
 pkg/octavia/const.go | 3 +++
 pkg/octavia/lb_mgmt_network.go | 49 +++++++++++++++++++++++-----------
 pkg/octavia/network_consts.go | 21 ++++++++-------
 3 files changed, 49 insertions(+), 24 deletions(-)
diff --git a/pkg/octavia/const.go b/pkg/octavia/const.go
index dba0002c..4af7def7 100644
--- a/pkg/octavia/const.go
+++ b/pkg/octavia/const.go
@@ -46,4 +46,7 @@ const (
 // ApacheInternalPort -
 ApacheInternalPort int32 = 80
+
+ // AdminTenantName
+ AdminTenant = "admin"
 )
diff --git a/pkg/octavia/lb_mgmt_network.go b/pkg/octavia/lb_mgmt_network.go
index 8e8f8c8d..a4e38d2a 100644
--- a/pkg/octavia/lb_mgmt_network.go
+++ b/pkg/octavia/lb_mgmt_network.go
@@ -71,7 +71,8 @@ func findPort(client *gophercloud.ServiceClient, portName string, networkID stri
 return nil, nil
 }
-func ensurePort(client *gophercloud.ServiceClient, tenantNetwork *networks.Network, tenantSubnet *subnets.Subnet, log *logr.Logger) (*ports.Port, error) {
+func ensurePort(client *gophercloud.ServiceClient, tenantNetwork *networks.Network, tenantSubnet *subnets.Subnet,
+ securityGroups *[]string, log *logr.Logger) (*ports.Port, error) {
 ipAddress := LbMgmtRouterPortIPv4
 if tenantSubnet.IPVersion == 6 {
 ipAddress = LbMgmtRouterPortIPv6
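Review bot: The doc comment on the new constant in const.go does not match the identifier: the comment reads `// AdminTenantName` but the constant is `AdminTenant`, so godoc and linters that check the leading word will flag it. Since the same commit uses it as the project name looked up via GetProject and as the owner of the provider network, a comment that says so is more useful than the bare name: `// AdminTenant is the name of the project that owns the Octavia provider network and its router.`. A project name fixed at compile time is also worth a short remark on why it is not configurable, if that is deliberate.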
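Review bot: The new `securityGroups *[]string` parameter on ensurePort is a pointer to a slice, which is unusual in Go; the only reason for it appears to be that the field it is copied into further down takes that type, and a nil pointer silently means "let Neutron pick the default group", which the signature does not convey. Accepting a plain `[]string` and taking its address at the point of use keeps the API idiomatic and makes the "no groups specified" case an explicit empty slice rather than a nil pointer: `func ensurePort(client *gophercloud.ServiceClient, tenantNetwork *networks.Network, tenantSubnet *subnets.Subnet, securityGroups []string, log *logr.Logger) (*ports.Port, error) {`. The body of ensurePort continues outside this hunk.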
@@ -99,6 +100,7 @@ func ensurePort(client *gophercloud.ServiceClient, tenantNetwork *networks.Netwo
 IPAddress: ipAddress,
 },
 },
+ SecurityGroups: securityGroups,
 }
 p, err = ports.Create(client, createOpts).Extract()
 if err != nil {
@@ -250,7 +252,7 @@ func ensureNetworkExt(client *gophercloud.ServiceClient, createOpts networks.Cre
 segment := []provider.Segment{
 {
 NetworkType: "flat",
- PhysicalNetwork: "br-octavia",
+ PhysicalNetwork: LbProvPhysicalNet,
 },
 }
@@ -469,7 +471,7 @@ func reconcileRouter(client *gophercloud.ServiceClient, router *routers.Router,
 //
 gatewayInfo := router.GatewayInfo
 if gatewayNetwork.ID != gatewayInfo.NetworkID || *gatewayInfo.EnableSNAT ||
- compareExternalFixedIPs(gatewayInfo.ExternalFixedIPs, fixedIPs) {
+ !compareExternalFixedIPs(gatewayInfo.ExternalFixedIPs, fixedIPs) {
 gwInfo := routers.GatewayInfo{
 NetworkID: gatewayNetwork.ID,
 EnableSNAT: &enableSNAT,
@@ -645,14 +647,14 @@ func ensureHealthMgrRules(client *gophercloud.ServiceClient, securityGroup *grou
 PortRangeMax: 5555,
 PortRangeMin: 5555,
 EtherType: "IPv4",
- Protocol: "tcp",
+ Protocol: "udp",
 },
 {
 Description: "health manager status port IPv6 rule",
 PortRangeMax: 5555,
 PortRangeMin: 5555,
 EtherType: "IPv6",
- Protocol: "tcp",
+ Protocol: "udp",
 },
 {
 Description: "log offloading udp IPv4 rule",
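Review bot: `SecurityGroups: securityGroups` is only applied on the ports.Create path; `p, err =` is an assignment rather than a declaration, which suggests ensurePort also returns a pre-existing port found earlier in the function (outside this hunk), and that path never sees the new groups. On an upgraded deployment the router port created by the previous version would therefore keep whatever groups it had, so the intended filtering on the management network would not take effect until the port is recreated. Worth handling the existing-port branch as well: compare `p.SecurityGroups` with the desired list and, when they differ, call `ports.Update(client, p.ID, ports.UpdateOpts{SecurityGroups: securityGroups}).Extract()` before returning. ensurePort starts and ends outside this hunk.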
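Review bot: The negation fix is correct, but the same condition dereferences `*gatewayInfo.EnableSNAT` without a nil check on the context line just above the changed one. gophercloud models that field as a pointer; if a router can be returned with the expected gateway network but no enable_snat value (I cannot confirm from this hunk whether Neutron ever does), reconcileRouter panics instead of re-setting the gateway. A defensive form that treats "unset" as "needs reconciling" avoids the panic: `(gatewayInfo.EnableSNAT == nil || *gatewayInfo.EnableSNAT) ||`. reconcileRouter starts and ends outside this hunk.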
@@ -772,12 +774,37 @@ func EnsureAmphoraManagementNetwork(
 if err != nil {
 return NetworkProvisioningSummary{}, err
 }
- tenantRouterPort, err := ensurePort(client, tenantNetwork, tenantSubnet, log)
+
+ lbMgmtSecurityGroupID, err := ensureSecurityGroup(client, tenantNetwork.TenantID, LbMgmtNetworkSecurityGroupName, ensureMgmtRules, log)
+ if err != nil {
+ log.Error(err, "Unable to complete configuration of management network security groups, continuing...")
+ }
+ lbHealthSecurityGroupID, err := ensureSecurityGroup(client, tenantNetwork.TenantID, LbMgmtHealthManagerSecurityGroupName, ensureHealthMgrRules, log)
+ if err != nil {
+ log.Error(err, "Unable to complete configuration of management network security groups, continuing...")
+ }
+
+ securityGroups := []string{lbMgmtSecurityGroupID, lbHealthSecurityGroupID}
+
+ tenantRouterPort, err := ensurePort(client, tenantNetwork, tenantSubnet, &securityGroups, log)
 if err != nil {
 return NetworkProvisioningSummary{}, err
 }
+ adminTenant, err := GetProject(o, AdminTenant)
+ if err != nil {
+ return NetworkProvisioningSummary{}, err
+ }
+
+ _, err = ensureSecurityGroup(client, adminTenant.ID, LbProvNetworkSecurityGroupName, ensureMgmtRules, log)
+ if err != nil {
+ log.Error(err, "Unable to complete configuration of octavia provider network security groups, continuing...")
+ }
+ _, err = ensureSecurityGroup(client, adminTenant.ID, LbProvHealthManagerSecurityGroupName, ensureHealthMgrRules, log)
+ if err != nil {
+ log.Error(err, "Unable to complete configuration of octavia provider network security groups, continuing...")
+ }
- providerNetwork, err := ensureProvNetwork(client, serviceTenant.ID, log)
+ providerNetwork, err := ensureProvNetwork(client, adminTenant.ID, log)
 if err != nil {
 return NetworkProvisioningSummary{}, err
 }
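Review bot: The "log and continue" handling of the two ensureSecurityGroup calls no longer matches how their results are used: when either call fails, `lbMgmtSecurityGroupID` or `lbHealthSecurityGroupID` still goes into `securityGroups` (presumably as the zero value, since the error path does not clear it) and is passed to ensurePort, so the router port is either rejected by Neutron for an invalid group ID or, if the call happens to succeed, created with an incomplete set of groups and a log line that says configuration is "continuing". Best-effort was defensible when the groups were created at the end of the function, but the port now depends on them, so the failure should be fatal: replace each `log.Error(err, "Unable to complete configuration of management network security groups, continuing...")` with `return NetworkProvisioningSummary{}, err`, or at least only append IDs whose call returned nil. Separately, the two management-network messages and the two provider-network messages are identical, so a failure cannot be attributed to a group; include the group name, e.g. `log.Error(err, "Unable to configure security group, continuing...", "securityGroup", LbMgmtNetworkSecurityGroupName)`. The provider-network groups created under adminTenant are discarded with `_`, so nothing in this hunk attaches them to a port; if that happens elsewhere a comment here saying where would help the next reader. EnsureAmphoraManagementNetwork starts and ends outside this hunk.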
@@ -831,14 +858,6 @@ func EnsureAmphoraManagementNetwork(
 fmt.Errorf("Port %s has unexpected device ID %s and cannot be added to router %s", tenantRouterPort.ID, tenantRouterPort.DeviceID, router.ID)
 }
- lbMgmtSecurityGroupID, err := ensureSecurityGroup(client, tenantNetwork.TenantID, LbMgmtNetworkSecurityGroupName, ensureMgmtRules, log)
- if err != nil {
- log.Error(err, "Unable to complete configuration of management network security groups, continuing...")
- }
- _, err = ensureSecurityGroup(client, tenantNetwork.TenantID, LbMgmtHealthManagerSecurityGroupName, ensureHealthMgrRules, log)
- if err != nil {
- log.Error(err, "Unable to complete configuration of management network security groups, continuing...")
- }
 return NetworkProvisioningSummary{
 TenantNetworkID: tenantNetwork.ID,
diff --git a/pkg/octavia/network_consts.go b/pkg/octavia/network_consts.go
index 7e326078..d2c3c55e 100644
--- a/pkg/octavia/network_consts.go
+++ b/pkg/octavia/network_consts.go
@@ -89,26 +89,23 @@ const (
 LbProvSubnetCIDR = "172.23.0.0/24"
 // LbProvSubnetAllocationPoolStart -
- LbProvSubnetAllocationPoolStart = "172.23.0.5"
+ LbProvSubnetAllocationPoolStart = "172.23.0.100"
 // LbProvSubnetAllocationPoolEnd -
- LbProvSubnetAllocationPoolEnd = "172.23.0.25"
+ LbProvSubnetAllocationPoolEnd = "172.23.0.125"
 // LbProvSubnetGatewayIP -
- LbProvSubnetGatewayIP = "172.23.0.1"
+ LbProvSubnetGatewayIP = ""
 // TODO(beagles): support IPv6 for the provider network.
 // LbRouterName -
 LbRouterName = "octavia-link-router"
- // LbProvBridgeName -
- LbProvBridgeName = "br-octavia"
-
- // LbProvNetAttachName -
- LbProvNetAttachName = "octavia"
+ // LbProvPhysicalNet -
+ LbProvPhysicalNet = "octavia"
 // LbRouterFixedIPAddress -
- LbRouterFixedIPAddress = "172.23.0.5"
+ LbRouterFixedIPAddress = "172.23.0.150"
 // LbMgmtRouterPortName
 LbMgmtRouterPortName = "lb-mgmt-router-port"
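Review bot: `LbProvSubnetGatewayIP = ""` changes the meaning of the constant from "this address" to "no gateway", and the unchanged doc comment `// LbProvSubnetGatewayIP -` does not say so; a reader will assume the subnet creation path fills in a default. If the value is handed to gophercloud's subnet GatewayIP field, an empty string is the documented way to request a subnet without a gateway, which is very different from omitting the field (Neutron then picks the first address), so the intent should be spelled out: `// LbProvSubnetGatewayIP - empty on purpose: the provider subnet is created without a gateway; the router reaches it via LbRouterFixedIPAddress.`. The new allocation pool .100-.125 and the fixed router address .150 no longer overlap, which fixes the clash the old .5 values had, and the comment on `LbProvPhysicalNet` should likewise state that it must match the physnet name configured on the host side (the install_yamls change referenced in the commit message).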
@@ -132,4 +129,10 @@ const (
 // LbMgmtHealthManagerSecurityGroup
 LbMgmtHealthManagerSecurityGroupName = "lb-health-mgr-sec-grp"
+
+ // LbMgmtNetworkSecurityGroup
+ LbProvNetworkSecurityGroupName = "lb-prov-sec-grp"
+
+ // LbMgmtHealthManagerSecurityGroup
+ LbProvHealthManagerSecurityGroupName = "lb-health-prov-sec-grp"
 )
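Review bot: The doc comments on the two new constants were copied from the management-network ones and name the wrong identifiers: `// LbMgmtNetworkSecurityGroup` sits above `LbProvNetworkSecurityGroupName` and `// LbMgmtHealthManagerSecurityGroup` above `LbProvHealthManagerSecurityGroupName`, which defeats godoc and makes the four groups harder to tell apart when reading the file. They should be `// LbProvNetworkSecurityGroupName - security group for the Octavia provider network` and `// LbProvHealthManagerSecurityGroupName - health manager security group on the provider network`, matching what the commit uses them for in EnsureAmphoraManagementNetwork.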