VPC: Extend support for SG's (#1989)

Add support to reconcile SecurityGroups and SecurityGroupRules for VPC extended Infrastructure support. Related: #1896
kubernetes-sigs · Oct 17, 2024 · 8a563a0 · 8a563a0
1 parent 622fcf4
commit 8a563a0
Show file tree

Hide file tree

Showing 6 changed files with 626 additions and 6 deletions.
diff --git a/cloud/scope/powervs_cluster.go b/cloud/scope/powervs_cluster.go
@@ -1615,8 +1615,10 @@ func (s *PowerVSClusterScope) validateVPCSecurityGroup(securityGroup infrav1beta
 		}
 	} else {
 		securityGroupDet, err = s.IBMVPCClient.GetSecurityGroupByName(*securityGroup.Name)
-		if err != nil && err.Error() != vpc.SecurityGroupByNameNotFound(*securityGroup.Name).Error() {
-			return nil, nil, err
+		if err != nil {
+			if _, ok := err.(*vpc.SecurityGroupByNameNotFound); !ok {
+				return nil, nil, err
+			}
 		}
 		if securityGroupDet == nil {
 			return nil, nil, nil

diff --git a/cloud/scope/vpc_cluster.go b/cloud/scope/vpc_cluster.go
diff --git a/controllers/ibmvpccluster_controller.go b/controllers/ibmvpccluster_controller.go
@@ -274,6 +274,19 @@ func (r *IBMVPCClusterReconciler) reconcileCluster(clusterScope *scope.VPCCluste
 	clusterScope.Info("Reconciliation of VPC Subnets complete")
 	conditions.MarkTrue(clusterScope.IBMVPCCluster, infrav1beta2.VPCSubnetReadyCondition)
 
+	// Reconcile the cluster's Security Groups (and Security Group Rules)
+	clusterScope.Info("Reconciling Security Groups")
+	if requeue, err := clusterScope.ReconcileSecurityGroups(); err != nil {
+		clusterScope.Error(err, "failed to reconcile Security Groups")
+		conditions.MarkFalse(clusterScope.IBMVPCCluster, infrav1beta2.VPCSecurityGroupReadyCondition, infrav1beta2.VPCSecurityGroupReconciliationFailedReason, capiv1beta1.ConditionSeverityError, "%s", err.Error())
+		return reconcile.Result{}, err
+	} else if requeue {
+		clusterScope.Info("Security Groups creation is pending, requeueing")
+		return reconcile.Result{RequeueAfter: 15 * time.Second}, nil
+	}
+	clusterScope.Info("Reconciliation of Security Groups complete")
+	conditions.MarkTrue(clusterScope.IBMVPCCluster, infrav1beta2.VPCSecurityGroupReadyCondition)
+
 	// TODO(cjschaef): add remaining resource reconciliation.
 
 	// Mark cluster as ready.

diff --git a/pkg/cloud/services/vpc/mock/vpc_generated.go b/pkg/cloud/services/vpc/mock/vpc_generated.go
diff --git a/pkg/cloud/services/vpc/service.go b/pkg/cloud/services/vpc/service.go
@@ -26,8 +26,14 @@ import (
 	"sigs.k8s.io/cluster-api-provider-ibmcloud/pkg/cloud/services/utils"
 )
 
-// SecurityGroupByNameNotFound returns an appropriate error when security group by name not found.
-var SecurityGroupByNameNotFound = func(name string) error { return fmt.Errorf("failed to find security group by name '%s'", name) }
+// SecurityGroupByNameNotFound represents an error when security group is not found by name.
+type SecurityGroupByNameNotFound struct {
+	Name string
+}
+
+func (s *SecurityGroupByNameNotFound) Error() string {
+	return fmt.Sprintf("failed to find security group by name: %s", s.Name)
+}
 
 // Service holds the VPC Service specific information.
 type Service struct {
@@ -472,14 +478,19 @@ func (s *Service) GetSecurityGroupByName(name string) (*vpcv1.SecurityGroup, err
 		}
 	}
 
-	return nil, SecurityGroupByNameNotFound(name)
+	return nil, &SecurityGroupByNameNotFound{Name: name}
 }
 
 // GetSecurityGroupRule gets a specific security group rule.
 func (s *Service) GetSecurityGroupRule(options *vpcv1.GetSecurityGroupRuleOptions) (vpcv1.SecurityGroupRuleIntf, *core.DetailedResponse, error) {
 	return s.vpcService.GetSecurityGroupRule(options)
 }
 
+// ListSecurityGroupRules returns a list of security group rules.
+func (s *Service) ListSecurityGroupRules(options *vpcv1.ListSecurityGroupRulesOptions) (*vpcv1.SecurityGroupRuleCollection, *core.DetailedResponse, error) {
+	return s.vpcService.ListSecurityGroupRules(options)
+}
+
 // GetVPCZonesByRegion gets the VPC availability zones for a specific IBM Cloud region.
 func (s *Service) GetVPCZonesByRegion(region string) ([]string, error) {
 	zones := make([]string, 0)

diff --git a/pkg/cloud/services/vpc/vpc.go b/pkg/cloud/services/vpc/vpc.go
@@ -69,5 +69,6 @@ type Vpc interface {
 	GetSecurityGroup(options *vpcv1.GetSecurityGroupOptions) (*vpcv1.SecurityGroup, *core.DetailedResponse, error)
 	GetSecurityGroupByName(name string) (*vpcv1.SecurityGroup, error)
 	GetSecurityGroupRule(options *vpcv1.GetSecurityGroupRuleOptions) (vpcv1.SecurityGroupRuleIntf, *core.DetailedResponse, error)
+	ListSecurityGroupRules(options *vpcv1.ListSecurityGroupRulesOptions) (*vpcv1.SecurityGroupRuleCollection, *core.DetailedResponse, error)
 	GetVPCZonesByRegion(region string) ([]string, error)
 }