✨ pkg/cloud/services/networking/securitygroups.go reimplement reconcilation

[chrischdi]

What this PR does / why we need it:
Reimplements the security group reconcilation by only creating and/or
deleting the rules desired / not desired instead of deleting all and creating all rules.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #771

Special notes for your reviewer:

1. Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

Release note:

/hold

[k8s-ci-robot]

Welcome @chrischdi!

It looks like this is your first PR to kubernetes-sigs/cluster-api-provider-openstack 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/cluster-api-provider-openstack has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @chrischdi. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[theopenlab-ci]

Build failed.

• cluster-api-provider-openstack-current-acceptance-test-v1.18 : FAILURE in 34m 17s

[chrischdi]

I had to remove the RemoteIPPrefix: "0.0.0.0/0", which at the end has the same result as setting nothing: allow all.

Otherwise the reconcilation is getting a 409 because it would try to create another security group rule which has the same spec.

[jichenjc]

/ok-to-test

[theopenlab-ci]

Build failed.

• cluster-api-provider-openstack-current-acceptance-test-v1.18 : FAILURE in 34m 48s

[jichenjc]

recheck

[theopenlab-ci]

Build failed.

• cluster-api-provider-openstack-current-acceptance-test-v1.18 : FAILURE in 35m 03s

[chrischdi]

recheck

I'll debug it in a local devstack setup. From our environment I can see that the environment does not save the description.

[chrischdi]

I was able to fix the issue. By default there are already security group rules inside the security groups which have another description.

Because of that I changed the order to first delete not needed rules and create the new ones afterwards

[theopenlab-ci]

Build succeeded.

• cluster-api-provider-openstack-current-acceptance-test-v1.18 : SUCCESS in 44m 08s

[jichenjc]

reasonable change just curious about following statement, why are we creating an exactly same rule if we know
it's same, why we will create it?

I had to remove the RemoteIPPrefix: "0.0.0.0/0", which at the end has the same result as setting nothing: allow all.

Otherwise the reconcilation is getting a 409 because it would try to create another security group rule which has the same spec.

[sbueringer]

/retitle ✨ pkg/cloud/services/networking/securitygroups.go reimplement reconcilation

[sbueringer]

reasonable change just curious about following statement, why are we creating an exactly same rule if we know
it's same, why we will create it?

I had to remove the RemoteIPPrefix: "0.0.0.0/0", which at the end has the same result as setting nothing: allow all.

Otherwise the reconcilation is getting a 409 because it would try to create another security group rule which has the same spec.

I think the problem is that the deep equal does not detect that it's the same because the server will return something else compared to what we created before.

[sbueringer]

@chrischdi please rebase so that the tests are run against the new v1alpha4 master version

[chrischdi]

reasonable change just curious about following statement, why are we creating an exactly same rule if we know
it's same, why we will create it?

I had to remove the RemoteIPPrefix: "0.0.0.0/0", which at the end has the same result as setting nothing: allow all.

Otherwise the reconcilation is getting a 409 because it would try to create another security group rule which has the same spec.

I think the problem is that the deep equal does not detect that it's the same because the server will return something else compared to what we created before.

Exactly: on our OpenStack (which is "VMware Integrated OpenStack") the following happens:

• security groups get reconciled
  • rules get created
• security groups get reconciled again later on
  • rules previously created having RemoteIPPrefix: "0.0.0.0/0" will get deleted and created again, because the API returns nil instead of 0.0.0.0/0.

I can see the same result when using the openstack cli and checking the output of openstack security group rule list --debug <secgroup ID>

However: I think the response of the API is still okay, because nil will default to 0.0.0.0/0 in the backend according the cli docs:

$ openstack help security group rule create | grep -e ' --remote-ip' -A 3
  --remote-ip <ip-address>
                        Remote IP address block (may use CIDR notation;
                        default for IPv4 rule: 0.0.0.0/0, default for IPv6
                        rule: ::/0)

It is also ok for me to revert the removal of 0.0.0.0/0 on this PR if you like me to do so :-)

[chrischdi]

@chrischdi please rebase so that the tests are run against the new v1alpha4 master version

rebased to master :-)

[theopenlab-ci]

Build failed.

• cluster-api-provider-openstack-current-acceptance-test-v1.18 : FAILURE in 17m 46s

[chrischdi]

/retest

[chrischdi]

recheck

[theopenlab-ci]

Build failed.

• cluster-api-provider-openstack-current-acceptance-test-v1.18 : FAILURE in 21m 16s

[chrischdi]

Looks like we're hitting the same issues as in #779 , maybe I should wait for #759

[chrischdi]

rebased to master again to have gcp based tests

[chrischdi]

/test help

[sbueringer]

/test pull-cluster-api-provider-openstack-make-conformance

[k8s-ci-robot]

@chrischdi: The specified target(s) for /test were not found.
The following commands are available to trigger jobs:

• /test pull-cluster-api-provider-openstack-build
• /test pull-cluster-api-provider-openstack-test
• /test pull-cluster-api-provider-openstack-e2e-test
• /test pull-cluster-api-provider-openstack-make-conformance

Use /test all to run the following jobs:

• pull-cluster-api-provider-openstack-build
• pull-cluster-api-provider-openstack-test

Details

In response to this:

/test help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[theopenlab-ci]

Build failed.

• cluster-api-provider-openstack-current-acceptance-test-v1.18 : ERROR Unable to find playbook /var/lib/zuul/builds/19d03a8c35e1463eb6fef5ba93b69687/untrusted/project_0/github.com/kubernetes-sigs/cluster-api-provider-openstack/.zuul/playbooks/run.yaml in 8s

[sbueringer]

conformance test green now :)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chrischdi, sbueringer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [sbueringer]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jichenjc]

recheck

[theopenlab-ci]

Build failed.

• cluster-api-provider-openstack-current-acceptance-test-v1.18 : ERROR Unable to find playbook /var/lib/zuul/builds/61e6b02960a04be2be1d0973e8f402be/untrusted/project_0/github.com/kubernetes-sigs/cluster-api-provider-openstack/.zuul/playbooks/run.yaml in 8s

[jichenjc]

reasonable change just curious about following statement, why are we creating an exactly same rule if we know
it's same, why we will create it?

I had to remove the RemoteIPPrefix: "0.0.0.0/0", which at the end has the same result as setting nothing: allow all.

Otherwise the reconcilation is getting a 409 because it would try to create another security group rule which has the same spec.

I think the problem is that the deep equal does not detect that it's the same because the server will return something else compared to what we created before.

Exactly: on our OpenStack (which is "VMware Integrated OpenStack") the following happens:

* security groups get reconciled
  
  * rules get created

* security groups get reconciled again later on
  
  * rules previously created having `RemoteIPPrefix: "0.0.0.0/0"` will get deleted and created again, because the API returns `nil` instead of `0.0.0.0/0`.

I can see the same result when using the openstack cli and checking the output of openstack security group rule list --debug <secgroup ID>

However: I think the response of the API is still okay, because nil will default to 0.0.0.0/0 in the backend according the cli docs:

$ openstack help security group rule create | grep -e ' --remote-ip' -A 3
  --remote-ip <ip-address>
                        Remote IP address block (may use CIDR notation;
                        default for IPv4 rule: 0.0.0.0/0, default for IPv6
                        rule: ::/0)

It is also ok for me to revert the removal of 0.0.0.0/0 on this PR if you like me to do so :-)

no need, just want to understand the logic here, all good :_)

[jichenjc]

/lgtm

[jichenjc]

wait for zuul job to merge

[jichenjc]

@sbueringer looks like we don't want to run openstack/check anymore as the playbook is missing
so we should go ahead merge this and overwrite the failure..

[jichenjc]

/hold cancel

[sbueringer]

@jichenjc Yes we have to ignore the OpenLab failures for now. I'll try to remove the OpenLab ASAP after we have the ProwJob on release-0.3