• Kubernetes Submit Queue's avatar
    Merge pull request #65373 from multi-io/openstack_lbaas_node_secgroup_fix · 3d694993
    Kubernetes Submit Queue authored
    Automatic merge from submit-queue (batch tested with PRs 65449, 65373, 49410). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
    
    OpenStack LBaaS fix: must use ID, not name, of the node security group
    
    This is a bugfix for the OpenStack LBaaS cloud provider security group management.
    
    A bit of context: When creating a load balancer for a given `type: LoadBalancer` service, the provider will try to:
    
    (see `pkg/cloudprovider/providers/openstack/openstack_loadbalancer.go`/`EnsureLoadBalancer`)
    
    1. create a load balancer (LB) in Openstack with listeners corresponding to the service's ports
    2. attach a floating IP to the LB's network port
    
    If `manage-security-groups` is enabled in controller-manager's cloud.conf:
    
    3. create a security group with ingress rules corresponding to the LB's listeners, and attach it to the LB's network port
    4. for all nodes of the cluster, pick an existing security group for the nodes ("node security group") and add ingress rules to it exposing the service's NodePorts to the security group created in step 3.
    
    In the current upstream master, steps 1 through 3 work fine, step 4 fails, leading to a service that's not accessible via the LB without further manual intervention.
    
    The bug is in the "pick an existing security group" operation (func `getNodeSecurityGroupIDForLB`), which, contrary to its name, will return the security group's name rather than its ID (actually it returns a list of names rather than IDs, apparently to cover some corner cases where you might have more than one node security group, but anyway). This will then be used when trying to add the ingress rules to the group, which the Openstack API will reject with a 404 (at least on our (fairly standard) Openstack Ocata installation) because we're giving it a name where it expects an ID.
    
    The PR adds a "get ID given a name" lookup to the `getNodeSecurityGroupIDForLB` function, so it actually returns IDs. That's it. I'm not sure if the upstream code wasn't really tested, or maybe other people use other Openstacks with more lenient APIs. The bug and the fix is always reproducible on our installation.
    
    **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
    
    Fixes #58145
    
    
    **Special notes for your reviewer:**
    
    Should we turn `getNodeSecurityGroupIDForLB` into a method with the lbaas as its receiver because it now requires two of the lbaas's attributes? I'm not sure what the conventions are here, if any. 
    
    **Release note**:
    ```release-note
    NONE
    ```
    3d694993
Name
Last commit
Last update
..
api Loading commit data...
apis Loading commit data...
auth Loading commit data...
capabilities Loading commit data...
client Loading commit data...
cloudprovider Loading commit data...
controller Loading commit data...
credentialprovider Loading commit data...
features Loading commit data...
fieldpath Loading commit data...
generated Loading commit data...
kubeapiserver Loading commit data...
kubectl Loading commit data...
kubelet Loading commit data...
kubemark Loading commit data...
master Loading commit data...
printers Loading commit data...
probe Loading commit data...
proxy Loading commit data...
quota Loading commit data...
registry Loading commit data...
routes Loading commit data...
scheduler Loading commit data...
security Loading commit data...
securitycontext Loading commit data...
serviceaccount Loading commit data...
ssh Loading commit data...
util Loading commit data...
version Loading commit data...
volume Loading commit data...
watch/json Loading commit data...
windows/service Loading commit data...
.import-restrictions Loading commit data...
BUILD Loading commit data...
OWNERS Loading commit data...