🐛 Better checks before creating Floating IPs

[EmilienM]

What this PR does / why we need it:

When a floating is created, we need to make sure that
OpenStackCluster.Spec.DisableExternalNetwork is not set to True.
Otherwise, we'll have a nil pointer error.

• Add a check in reconcileBastion to check that external network is
  not disabled before creating the floating IP for the bastion.
• Add a check in reconcileControlPlaneEndpoint and
  reconcileAPIServerLoadBalancer to check that external
  network is not disabled (alongside the DisableAPIServerFloatingIP
  check) before creating the floating IP for the API server endpoint.
• Add a safeguard in GetOrCreateFloatingIP to return a proper error
  (instead of a nil pointer error) when
  openStackCluster.Status.ExternalNetwork is nil.
• Add API CEL to check that when DisableExternalNetwork is set and true,
  the bastion (if defined) doesn't have a floating IP defined and also
  that disableAPIServerFloatingIP (when set) is not False.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #2260

[netlify]

✅ Deploy Preview for kubernetes-sigs-cluster-api-openstack ready!

Name	Link
🔨 Latest commit	5429b4b
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-cluster-api-openstack/deploys/673eabd665c4a50008dc4345
😎 Deploy Preview	https://deploy-preview-2261--kubernetes-sigs-cluster-api-openstack.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[EmilienM]

/cc mdbooth

[EmilienM]

I initially wanted to do some webhook to just disallow DisableExternalNetwork to be True without also setting DisableAPIServerFloatingIP to True but it's not backward compatible and sucks for our users, so I did that.

[EmilienM]

/test pull-cluster-api-provider-openstack-e2e-test
flake

[EmilienM]

/cherry-pick release-0.11

[k8s-infra-cherrypick-robot]

@EmilienM: once the present PR merges, I will cherry-pick it on top of release-0.11 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-0.11

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mdbooth]

/lgtm

Any idea how far back we need to backport this? 0.11 at least.

[EmilienM]

/lgtm

Any idea how far back we need to backport this? 0.11 at least.

I'll investigate.
EDIT: backport is clean \o/

[EmilienM]

On this one I want an eye from @lentzi90.

[EmilienM]

/cherry-pick release-0.10

[k8s-infra-cherrypick-robot]

@EmilienM: once the present PR merges, I will cherry-pick it on top of release-0.10 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-0.10

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[lentzi90]

I initially wanted to do some webhook to just disallow DisableExternalNetwork to be True without also setting DisableAPIServerFloatingIP to True but it's not backward compatible and sucks for our users

Sure not backwards compatible, but do you mean that it is actually possible to use that configuration? I'm thinking it is ok to break backwards compatibility if all it was doing was cause nil pointer exceptions.

[lentzi90]

/lgtm
Looks good, and no need for extra logging now that the webhook immediately tells the user what is wrong 🙂

[lentzi90]

I'm happy with this, but as mentioned on slack, I have one concern.
Sorry I didn't think of it earlier.

Will the user ever be the one setting the floating IP? Or are we now just going to block the controller trying to add it?

[EmilienM]

I'm happy with this, but as mentioned on slack, I have one concern. Sorry I didn't think of it earlier.

Will the user ever be the one setting the floating IP? Or are we now just going to block the controller trying to add it?

yes, a user can set the FIP:

cluster-api-provider-openstack/controllers/openstackcluster_controller.go

Lines 422 to 424 in 5429b4b

	case openStackCluster.Spec.Bastion.FloatingIP != nil:
	// Use floating IP from the spec
	floatingIP = openStackCluster.Spec.Bastion.FloatingIP

[lentzi90]

Works as expected. If I try to manually do some invalid combination of disableExternalNetwork + API server floating IP or bastion floating IP, CEL will block it. If I enable the bastion and disable the external network it will be created without floating IP, no errors in the logs. For this situation there isn't anything obvious telling the user why the bastion didn't get a floating IP. That is not ideal, but surely better than nil pointer exceptions, so
/lgtm

[EmilienM]

Works as expected. If I try to manually do some invalid combination of disableExternalNetwork + API server floating IP or bastion floating IP, CEL will block it. If I enable the bastion and disable the external network it will be created without floating IP, no errors in the logs. For this situation there isn't anything obvious telling the user why the bastion didn't get a floating IP. That is not ideal, but surely better than nil pointer exceptions, so /lgtm

yeah that's why I updated the doc.

Let's ship it.
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: EmilienM

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [EmilienM]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-infra-cherrypick-robot]

@EmilienM: new pull request created: #2269

Details

In response to this:

/cherry-pick release-0.11

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-infra-cherrypick-robot]

@EmilienM: #2261 failed to apply on top of branch "release-0.10":

Applying: Better conditions for creating Floating IPs
Using index info to reconstruct a base tree...
M	api/v1beta1/openstackcluster_types.go
M	config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml
M	config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclustertemplates.yaml
M	controllers/openstackcluster_controller.go
M	controllers/openstackmachine_controller.go
M	docs/book/src/clusteropenstack/configuration.md
M	pkg/cloud/services/networking/floatingip.go
M	test/e2e/suites/apivalidations/openstackcluster_test.go
Falling back to patching base and 3-way merge...
Auto-merging test/e2e/suites/apivalidations/openstackcluster_test.go
CONFLICT (content): Merge conflict in test/e2e/suites/apivalidations/openstackcluster_test.go
Auto-merging pkg/cloud/services/networking/floatingip.go
Auto-merging docs/book/src/clusteropenstack/configuration.md
Auto-merging controllers/openstackmachine_controller.go
Auto-merging controllers/openstackcluster_controller.go
Auto-merging config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclustertemplates.yaml
Auto-merging config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml
Auto-merging api/v1beta1/openstackcluster_types.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 Better conditions for creating Floating IPs

Details

In response to this:

/cherry-pick release-0.10

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.