Merge pull request #2353 from stackhpc/feat/node-specific-secgroup-rules

🌱 Support for additional controlplane and worker secgroup rules
kubernetes-sigs · Jan 9, 2025 · 16baa32 · 16baa32
2 parents 880a5f6 + ce85e03
commit 16baa32
Show file tree

Hide file tree

Showing 13 changed files with 534 additions and 19 deletions.
diff --git a/api/v1alpha6/openstackcluster_conversion.go b/api/v1alpha6/openstackcluster_conversion.go
@@ -222,6 +222,8 @@ func restorev1beta1ClusterSpec(previous *infrav1.OpenStackClusterSpec, dst *infr
 
 	if previous.ManagedSecurityGroups != nil && dst.ManagedSecurityGroups != nil {
 		dst.ManagedSecurityGroups.AllNodesSecurityGroupRules = previous.ManagedSecurityGroups.AllNodesSecurityGroupRules
+		dst.ManagedSecurityGroups.ControlPlaneNodesSecurityGroupRules = previous.ManagedSecurityGroups.ControlPlaneNodesSecurityGroupRules
+		dst.ManagedSecurityGroups.WorkerNodesSecurityGroupRules = previous.ManagedSecurityGroups.WorkerNodesSecurityGroupRules
 	}
 
 	if dst.APIServerLoadBalancer != nil && previous.APIServerLoadBalancer != nil {

diff --git a/api/v1alpha7/openstackcluster_conversion.go b/api/v1alpha7/openstackcluster_conversion.go
@@ -218,6 +218,8 @@ func restorev1beta1ClusterSpec(previous *infrav1.OpenStackClusterSpec, dst *infr
 
 	if previous.ManagedSecurityGroups != nil && dst.ManagedSecurityGroups != nil {
 		dst.ManagedSecurityGroups.AllNodesSecurityGroupRules = previous.ManagedSecurityGroups.AllNodesSecurityGroupRules
+		dst.ManagedSecurityGroups.ControlPlaneNodesSecurityGroupRules = previous.ManagedSecurityGroups.ControlPlaneNodesSecurityGroupRules
+		dst.ManagedSecurityGroups.WorkerNodesSecurityGroupRules = previous.ManagedSecurityGroups.WorkerNodesSecurityGroupRules
 	}
 
 	if dst.APIServerLoadBalancer != nil && previous.APIServerLoadBalancer != nil {

diff --git a/api/v1beta1/openstackcluster_types.go b/api/v1beta1/openstackcluster_types.go
@@ -320,6 +320,22 @@ type ManagedSecurityGroups struct {
 	// +optional
 	AllNodesSecurityGroupRules []SecurityGroupRuleSpec `json:"allNodesSecurityGroupRules,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
 
+	// controlPlaneNodesSecurityGroupRules defines the rules that should be applied to control plane nodes.
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	ControlPlaneNodesSecurityGroupRules []SecurityGroupRuleSpec `json:"controlPlaneNodesSecurityGroupRules,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
+
+	// workerNodesSecurityGroupRules defines the rules that should be applied to worker nodes.
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	WorkerNodesSecurityGroupRules []SecurityGroupRuleSpec `json:"workerNodesSecurityGroupRules,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
+
 	// AllowAllInClusterTraffic allows all ingress and egress traffic between cluster nodes when set to true.
 	// +kubebuilder:default=false
 	// +kubebuilder:validation:Required

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/cmd/models-schema/zz_generated.openapi.go b/cmd/models-schema/zz_generated.openapi.go
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml