gardener-extension-provider-openstack

Configurable OpenStack SecurityGroups

Open elenz97 opened this issue 3 years ago • 2 comments

How to categorize this issue?

/area networking /kind enhancement /platform openstack

What would you like to be added:

A configuration option to specify custom OpenStack SecurityGroups using this extension. From what I know, customizing OpenStack SecurityGroups should only be possible by specifying the desired configuration in the templates inside ./pkg/internal/infrastructure/templates. As of now, the rules specified in main.tpl.tf are static and use openstack_networking_secgroup_v2.cluster.[id|name] to bind to the desired cluster.

Why is this needed:

Apparently, the OpenStack SecurityGroups that are deployed via this extension cannot be configured externally, as they are statically baked into the template. Please correct me if I'm wrong on this. However, the default rules created are undesirable in production use-cases, since they enable all TCP/UDP traffic from/to any network source.

I'd be glad to get any hint on how to support the above using this extension. If there is a chance of implementing this in a reasonable way, I'd also be ready to prepare a PR for it.


Since the project seems to be transitioning off of the usage of Terraform (https://github.com/gardener/gardener-extension-provider-openstack/issues/362), the implementation of this doesn't have to be in the form of extending the existing templates. This might rather be seen as a good occasion to migrate logic into a Go package using the gophercloud SDK instead.

elenz97 Feb 02 '22 10:02
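
An audit check for the concern raised above, added here as an illustration and not taken from the issue or from the extension's code: it flags Neutron security-group rules that allow all TCP/UDP ports to or from any address. The rule JSON is a constructed sample using Neutron's rule attribute names; `Rule`, `has` and `WideOpen` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Rule holds the Neutron security-group-rule attributes this check reads.
type Rule struct {
	ID, Direction  string
	Protocol       *string `json:"protocol"`
	PortMin        *int    `json:"port_range_min"`
	PortMax        *int    `json:"port_range_max"`
	RemoteIPPrefix *string `json:"remote_ip_prefix"`
	RemoteGroupID  *string `json:"remote_group_id"`
}

// Constructed sample rules; not copied from the extension's main.tpl.tf.
const sampleRules = `[
{"id":"r1","direction":"ingress","protocol":"tcp","port_range_min":1,"port_range_max":65535,"remote_ip_prefix":"0.0.0.0/0"},
{"id":"r2","direction":"ingress","protocol":"udp"},
{"id":"r3","direction":"ingress","protocol":"tcp","port_range_min":1,"port_range_max":65535,"remote_group_id":"sg-cluster"},
{"id":"r4","direction":"ingress","protocol":"tcp","port_range_min":443,"port_range_max":443,"remote_ip_prefix":"0.0.0.0/0"},
{"id":"r5","direction":"egress","protocol":null,"remote_ip_prefix":"::/0"}
]`

// has reports whether p is unset (Neutron treats that as "any") or one of vals.
func has(p *string, vals ...string) bool {
	for _, v := range vals {
		if p != nil && *p == v {
			return true
		}
	}
	return p == nil
}

// WideOpen returns "direction/id" for rules allowing all TCP/UDP ports from or to any address.
func WideOpen(raw string) ([]string, error) {
	var rules []Rule
	if err := json.Unmarshal([]byte(raw), &rules); err != nil {
		return nil, err
	}
	var hits []string
	for _, r := range rules {
		allPorts := r.PortMin == nil || (r.PortMax != nil && *r.PortMin <= 1 && *r.PortMax >= 65535)
		if allPorts && r.RemoteGroupID == nil && has(r.Protocol, "tcp", "udp", "6", "17") && has(r.RemoteIPPrefix, "0.0.0.0/0", "::/0") {
			hits = append(hits, r.Direction+"/"+r.ID)
		}
	}
	return hits, nil
}
func main() { fmt.Println(WideOpen(sampleRules)) }
```

Rules scoped by `remote_group_id` (r3) or to a single port (r4) are not reported; only r1, r2 and r5 match.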

Hello, could anyone give me an update on the above?

elenz97 May 11 '22 07:05

@SvenMW Command /add is not available to you but only to a Maintainer, Member, Author.

gardener-robot May 12 '22 10:05