Support VPC security group for PowerVS clusters

[dharaneeshvrd]

What this PR does / why we need it:
Add support for VPC security group for PowerVS clusters

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #
Fixes #1706

Special notes for your reviewer:

/area provider/ibmcloud

1. Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

Release note:

Support VPC security group for PowerVS clusters

[netlify]

✅ Deploy Preview for kubernetes-sigs-cluster-api-ibmcloud ready!

Name	Link
🔨 Latest commit	687d1d6
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-cluster-api-ibmcloud/deploys/664c74e7addf3200085a229d
😎 Deploy Preview	https://deploy-preview-1738--kubernetes-sigs-cluster-api-ibmcloud.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[Prajyot-Parab]

/cc @Karthik-K-N

[Karthik-K-N]

/cc @cjschaef

[k8s-ci-robot]

@Karthik-K-N: GitHub didn't allow me to request PR reviews from the following users: cjschaef.

Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @cjschaef

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Karthik-K-N]

securityGroup.Name can be nil, so its better to handle it everywhere before directly de referring it.

[dharaneeshvrd]

Refactored it to get it from vpcv1.SecurityGroup where name is a required param.

[Karthik-K-N]

I think in case of multiple security groups we need to continue to process next item instead of returning from here.

[dharaneeshvrd]

Yes, Done
thanks!

[Karthik-K-N]

I think we should update the status as soon as we create rather than doing it after creating security group rule as it might fail.

[dharaneeshvrd]

Please have a look at the latest implementation, added ruleIDs also in status.

[Karthik-K-N]

s.GetVPCID() can be nil, So lets handle it.

[dharaneeshvrd]

As per the reconcile order, when it reaches here VPC status would have been populated right?
Do we really need to check? If its not populated, it would requeue on ReconcileVPC only I believe.

[Karthik-K-N]

May be lets use V level logs to dump detailed infos

[dharaneeshvrd]

Done

[Karthik-K-N]

How about logging with V(3) with which security group rule did not match.

[dharaneeshvrd]

It's really difficult to get that since it's not that straight forward. Let's keep it like this for now!

[Karthik-K-N]

How about declaring them in return parameters?

[dharaneeshvrd]

Done

[Karthik-K-N]

Is this should be !match? because we should validate all the rules, If the first rule matches we should not return right?

[cjschaef]

Perhaps we do not return and attempt to validate only one rule matches.
I expect this function is attempting to verify only one SecurityGroupRule definition from Spec exists in the SecurityGroup. And the function (validateSecurityGroupRule) gets called once for each SecurityGroupRule defined (per SecurityGroup).

So exiting here makes sense IMO, if we only want to validate that a SG Rule exists (expecting we wouldn't have duplicates.....which I don't know if the API allows that).

[dharaneeshvrd]

Yes its trying to match that particular rule passed is exists or not. So exiting as soon as it finds a match.

[Karthik-K-N]

May we can try to fetch by id as well, if id is already set in status? also we need to make sure name is not nil.

[dharaneeshvrd]

Yes agree, refactored, ptal!

[cjschaef]

The design makes sense, handling the complexities of SecurityGroups and SecurityGroupRules definitions.

In my mind, I was thinking VPC would iterate through creating all the SecurityGroups first, then return to populate the SecurityGroupRules, as some of the Remotes depend on the SecurityGroups (CRN). I will rethink the process some compared with the expectations here, if this looping is acceptable, when to raise errors, etc. due to these additional complexities (inter SecurityGroup/SecurityGroupRule dependencies).

[cjschaef]

Doesn't the detailedResponse provide an Http StatusCode you could check rather than rely on the error text?

[dharaneeshvrd]

Yes it would, but this method of validating the resource deletion is followed through out this controller code.
IMO also it's fine.

[cjschaef]

Perhaps we instead use the vpcv1.SecurityGroupsPager functionality instead?

[dharaneeshvrd]

Thanks for the suggestion, implemented using pager.

[cjschaef]

Perhaps we do not return and attempt to validate only one rule matches.
I expect this function is attempting to verify only one SecurityGroupRule definition from Spec exists in the SecurityGroup. And the function (validateSecurityGroupRule) gets called once for each SecurityGroupRule defined (per SecurityGroup).

So exiting here makes sense IMO, if we only want to validate that a SG Rule exists (expecting we wouldn't have duplicates.....which I don't know if the API allows that).

[dharaneeshvrd]

The design makes sense, handling the complexities of SecurityGroups and SecurityGroupRules definitions.

In my mind, I was thinking VPC would iterate through creating all the SecurityGroups first, then return to populate the SecurityGroupRules, as some of the Remotes depend on the SecurityGroups (CRN). I will rethink the process some compared with the expectations here, if this looping is acceptable, when to raise errors, etc. due to these additional complexities (inter SecurityGroup/SecurityGroupRule dependencies).

@cjschaef
I have n't used security groups that much, so could n't think of this use case. With the current implementation if we pass the security groups in order which the dependancy chain is, it would still handle it. But if we really need a freedom of referring the sg's CRN from different order, then we need to redesign and it will bring more complexities than current one.
Please let me know whether the current approach is ok or not!

Also I have refactored few things from last review, ptal!

[dharaneeshvrd]

/retest-required

[Karthik-K-N]

Thanks, Few questions otherwise, Overall LGTM

[Karthik-K-N]

As of now do we have any check which mandates the user to set remote.CIDRSubnetName when type is infrav1beta2.SecurityGroupRuleRemoteTypeCIDR , If not lets create an issue to add a wehbook later

[dharaneeshvrd]

Yes this is validated in kubebuilder rules in spec.

[Karthik-K-N]

Lets carefully handle *securityGroup.Name when user sets securityGroup.ID

[dharaneeshvrd]

Sure, taken care, please check!

[Karthik-K-N]

LGTM
@mkumatag @Prajyot-Parab @Amulyam24 Please take a look. Thanks

[Amulyam24]

@dharaneeshvrd, shouldn't we be returning false on err and not requeue?

[Amulyam24]

The requeue was added for handling the state of the infra resources, maybe it can be skipped if security group doesn't need state management?

[dharaneeshvrd]

Yes Agree, corrected.
Thanks @Amulyam24 !

[Amulyam24]

@dharaneesh, since we are returning false every time, maybe we can just return err and remove the requeue check in the controller?

[dharaneeshvrd]

Corrected!

[Amulyam24]

Can we set log level to 3 wherever applicable?

[dharaneeshvrd]

I think its ok here, since its going to this block only one time. Same is there on other components too when user provided spec is already exists in cloud, wdys?

[Amulyam24]

By default, we are setting the log level to 3 to keep uniformity as per the new changes in PR.
Refactoring the logs according to inputs shared here

[Amulyam24]

Can we add not found as a constant in types.go?

[dharaneeshvrd]

Done

[Amulyam24]

same comment applies here - please check if returning err would be enough and requeue can be avoided if not needed.

[dharaneeshvrd]

Yes true, I followed the vpc subnet deletion, but I think its bug to return from the loop after processing one item here ;)

[Amulyam24]

@dharaneeshvrd, couple of things, with log refactoring changes, do you mind following the below in this PR:

• consistent naming for VPC and infra resources in logs such as VPC, VPC subnet, VPC security group etc.
• Error messages starting with failed to...

Apart from minor comments, overall LGTM

[Amulyam24]

Can we log a statement on successful creation of a security group?

[dharaneeshvrd]

Done

[dharaneeshvrd]

@Amulyam24
I have refactored the logs and changed them to V(3).
Now I am not seeing any logs by default, let me know if you want to change the level here to display some if you planned, or please take care of them in your log refactor PR!
Thanks!

[Amulyam24]

@Amulyam24 I have refactored the logs and changed them to V(3). Now I am not seeing any logs by default, let me know if you want to change the level here to display some if you planned, or please take care of them in your log refactor PR! Thanks!

Sure @dharaneeshvrd, I can take care of them in the logging PR once this is merged. Changes LGTM!
@Prajyot-Parab @mkumatag PTAL.

[mkumatag]

any specific reason for not naming this as VPCSecurityGroup?

[dharaneeshvrd]

Since its a list item, named it in plural just like VPCSubnets and LoadBalancers.

[mkumatag]

n/m, this SecurityGroup struct is created earlier in the types.go file

[mkumatag]

Its always good to keep both the struct fieldname and the json name same.

[mkumatag]

function name says GetVPCSecurityGroupID but returning both security group id and also the rules.

Suggested change

	func (s *PowerVSClusterScope) GetVPCSecurityGroupID(name string) (*string, []*string) {
	func (s *PowerVSClusterScope) GetVPCSecurityGroup(name string) (*string, []*string) {

[mkumatag]

this is more or less same as GetVPCSecurityGroupID but only difference is that we are supplying the id as param

we can keep the functions like GetVPCSecurityGroupByName and GetVPCSecurityGroupByID with returning same content.

[mkumatag]

If we care just about rules as a param, then lets send only rules as a param

ruleIDs, ok, err := s.validateVPCSecurityGroupRules(securityGroupDet, securityGroup.Rules)

[mkumatag]

This comment applies for other functions as well.

[mkumatag]

except few, there is lots of common code, wondering if we can reuse some part of it

[mkumatag]

applies to other functions as well.

[dharaneeshvrd]

tried to reuse some parts, ptal now!

[mkumatag]

you can directly return from here instead.

[mkumatag]

why the field name is IP? do we need to rename this to Address

orig:

cluster-api-provider-ibmcloud/api/v1beta2/types.go

Line 344 in 0d56e7a

IP *string `json:"ip,omitempty"`

[dharaneeshvrd]

renamed to Address to keep it in sync with the VPC's field.

[mkumatag]

and also here

cluster-api-provider-ibmcloud/api/v1beta2/types.go

Line 344 in 0d56e7a

IP *string `json:"ip,omitempty"`

[dharaneeshvrd]

Addressed your comments, ptal now @mkumatag

[Karthik-K-N]

Overall LGTM

[mkumatag]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dharaneeshvrd, mkumatag

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mkumatag]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment