cluster-api-provider-openstack icon indicating copy to clipboard operation
cluster-api-provider-openstack copied to clipboard

Published 20 hours ago verified publisher icon kubernetes-sigs

✨ Reconcile SecurityGroups <-> Instances separately

Open EmilienM opened this issue 1 year ago • 11 comments

What this PR does / why we need it:

Originally, the openstackmachine controller was adding the SecurityGroups to the instanceSpec. Now, the openstackmachine controller will first create the instances without security groups. Then we have a loop that will reconcile the desired security groups that we want to apply in the cluster[1] with the ones that are added to the instance's ports.

[1] for now, we have 2 sets of rules: the one that can be added to OpenStackMachine.Spec.SecurityGroups and the one managed by OpenStackCluster.Spec.ManagedSecurityGroups.

TODOs:

  • [ ] Handle what to do with OpenStackMachineSpec.Ports is defined with a SecurityGroupFilter. Probably I need to rework all work in Status and puts Ports in Status.
  • [ ] For an update to applied security groups, think about how we could indicate in the cluster status as a summary of how many machines have been updated.
  • [ ] add unit tests to at least the openstackmachine_controller
  • [ ] Handle "default" security group applied to all created ports by passing an empty slice of strings if no security groups is required when creating the port.
  • [ ] update documentation
  • [ ] squashed commits

EmilienM avatar Dec 05 '23 20:12 EmilienM

Deploy Preview for kubernetes-sigs-cluster-api-openstack ready!

Name Link
Latest commit 8138e6afd74649311fd847aab5cc219eff4c00e4
Latest deploy log https://app.netlify.com/sites/kubernetes-sigs-cluster-api-openstack/deploys/65732e56589bf800082faacd
Deploy Preview https://deploy-preview-1774--kubernetes-sigs-cluster-api-openstack.netlify.app
Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

netlify[bot] avatar Dec 05 '23 20:12 netlify[bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: EmilienM Once this PR has been reviewed and has the lgtm label, please assign cecilerobertmichon for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Dec 05 '23 20:12 k8s-ci-robot

/test pull-cluster-api-provider-openstack-e2e-test

EmilienM avatar Dec 08 '23 01:12 EmilienM

/test pull-cluster-api-provider-openstack-e2e-test

EmilienM avatar Dec 08 '23 02:12 EmilienM

@EmilienM: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cluster-api-provider-openstack-e2e-test 8138e6afd74649311fd847aab5cc219eff4c00e4 link true /test pull-cluster-api-provider-openstack-e2e-test

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

k8s-ci-robot avatar Dec 08 '23 17:12 k8s-ci-robot

I'm taking a break from this PR as I figured that I really want the ports to be managed outside of the instance creation, see https://github.com/kubernetes-sigs/cluster-api-provider-openstack/pull/1788 That will simply the workflow:

Reconcile Ports -> Reconcile Security groups -> Reconcile Instances

EmilienM avatar Dec 11 '23 21:12 EmilienM

/hold

EmilienM avatar Dec 11 '23 21:12 EmilienM

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Dec 12 '23 03:12 k8s-ci-robot

Note: this one is not staled, I'll come back to it at some point this year, now that we have a new API for Security Groups.

EmilienM avatar Feb 21 '24 16:02 EmilienM

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar May 21 '24 17:05 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle rotten
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Jun 20 '24 17:06 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Reopen this PR with /reopen
  • Mark this PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

k8s-triage-robot avatar Jul 20 '24 18:07 k8s-triage-robot

@k8s-triage-robot: Closed this PR.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Reopen this PR with /reopen
  • Mark this PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot avatar Jul 20 '24 18:07 k8s-ci-robot