Merge pull request #2446 from cwrau/fix/allow-modification-of-managedsecuritygroups

fix: allow modification of all ManagedSecurityGroups

Author: k8s-ci-robot

Diff for: pkg/webhooks/openstackcluster_webhook.go

@@ -119,7 +119,7 @@ func (*openStackClusterWebhook) ValidateUpdate(_ context.Context, oldObjRaw, new
 	oldObj.Spec.Bastion = &infrav1.Bastion{}
 	newObj.Spec.Bastion = &infrav1.Bastion{}
 
-	// Allow changes to the managed allNodesSecurityGroupRules.
+	// Allow changes to the managed securityGroupRules.
 	if newObj.Spec.ManagedSecurityGroups != nil {
 		if oldObj.Spec.ManagedSecurityGroups == nil {
 			oldObj.Spec.ManagedSecurityGroups = &infrav1.ManagedSecurityGroups{}
@@ -128,6 +128,12 @@ func (*openStackClusterWebhook) ValidateUpdate(_ context.Context, oldObjRaw, new
 		oldObj.Spec.ManagedSecurityGroups.AllNodesSecurityGroupRules = []infrav1.SecurityGroupRuleSpec{}
 		newObj.Spec.ManagedSecurityGroups.AllNodesSecurityGroupRules = []infrav1.SecurityGroupRuleSpec{}
 
+		oldObj.Spec.ManagedSecurityGroups.ControlPlaneNodesSecurityGroupRules = []infrav1.SecurityGroupRuleSpec{}
+		newObj.Spec.ManagedSecurityGroups.ControlPlaneNodesSecurityGroupRules = []infrav1.SecurityGroupRuleSpec{}
+
+		oldObj.Spec.ManagedSecurityGroups.WorkerNodesSecurityGroupRules = []infrav1.SecurityGroupRuleSpec{}
+		newObj.Spec.ManagedSecurityGroups.WorkerNodesSecurityGroupRules = []infrav1.SecurityGroupRuleSpec{}
+
 		// Allow change to the allowAllInClusterTraffic.
 		oldObj.Spec.ManagedSecurityGroups.AllowAllInClusterTraffic = false
 		newObj.Spec.ManagedSecurityGroups.AllowAllInClusterTraffic = false

Diff for: pkg/webhooks/openstackcluster_webhook_test.go

@@ -164,6 +164,94 @@ func TestOpenStackCluster_ValidateUpdate(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "Changing security group rules on the OpenStackCluster.Spec.ManagedSecurityGroups.ControlPlaneNodesSecurityGroupRules is allowed",
+			oldTemplate: &infrav1.OpenStackCluster{
+				Spec: infrav1.OpenStackClusterSpec{
+					IdentityRef: infrav1.OpenStackIdentityReference{
+						Name:      "foobar",
+						CloudName: "foobar",
+					},
+					ManagedSecurityGroups: &infrav1.ManagedSecurityGroups{
+						ControlPlaneNodesSecurityGroupRules: []infrav1.SecurityGroupRuleSpec{
+							{
+								Name:                "foobar",
+								Description:         ptr.To("foobar"),
+								PortRangeMin:        ptr.To(80),
+								PortRangeMax:        ptr.To(80),
+								Protocol:            ptr.To("tcp"),
+								RemoteManagedGroups: []infrav1.ManagedSecurityGroupName{"controlplane"},
+							},
+						},
+					},
+				},
+			},
+			newTemplate: &infrav1.OpenStackCluster{
+				Spec: infrav1.OpenStackClusterSpec{
+					IdentityRef: infrav1.OpenStackIdentityReference{
+						Name:      "foobar",
+						CloudName: "foobar",
+					},
+					ManagedSecurityGroups: &infrav1.ManagedSecurityGroups{
+						ControlPlaneNodesSecurityGroupRules: []infrav1.SecurityGroupRuleSpec{
+							{
+								Name:                "foobar",
+								Description:         ptr.To("foobar"),
+								PortRangeMin:        ptr.To(80),
+								PortRangeMax:        ptr.To(80),
+								Protocol:            ptr.To("tcp"),
+								RemoteManagedGroups: []infrav1.ManagedSecurityGroupName{"controlplane", "worker"},
+							},
+						},
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Changing security group rules on the OpenStackCluster.Spec.ManagedSecurityGroups.WorkerNodesSecurityGroupRules is allowed",
+			oldTemplate: &infrav1.OpenStackCluster{
+				Spec: infrav1.OpenStackClusterSpec{
+					IdentityRef: infrav1.OpenStackIdentityReference{
+						Name:      "foobar",
+						CloudName: "foobar",
+					},
+					ManagedSecurityGroups: &infrav1.ManagedSecurityGroups{
+						WorkerNodesSecurityGroupRules: []infrav1.SecurityGroupRuleSpec{
+							{
+								Name:                "foobar",
+								Description:         ptr.To("foobar"),
+								PortRangeMin:        ptr.To(80),
+								PortRangeMax:        ptr.To(80),
+								Protocol:            ptr.To("tcp"),
+								RemoteManagedGroups: []infrav1.ManagedSecurityGroupName{"worker"},
+							},
+						},
+					},
+				},
+			},
+			newTemplate: &infrav1.OpenStackCluster{
+				Spec: infrav1.OpenStackClusterSpec{
+					IdentityRef: infrav1.OpenStackIdentityReference{
+						Name:      "foobar",
+						CloudName: "foobar",
+					},
+					ManagedSecurityGroups: &infrav1.ManagedSecurityGroups{
+						WorkerNodesSecurityGroupRules: []infrav1.SecurityGroupRuleSpec{
+							{
+								Name:                "foobar",
+								Description:         ptr.To("foobar"),
+								PortRangeMin:        ptr.To(80),
+								PortRangeMax:        ptr.To(80),
+								Protocol:            ptr.To("tcp"),
+								RemoteManagedGroups: []infrav1.ManagedSecurityGroupName{"worker", "controlplane"},
+							},
+						},
+					},
+				},
+			},
+			wantErr: false,
+		},
 		{
 			name: "Changing CIDRs on the OpenStackCluster.Spec.APIServerLoadBalancer.AllowedCIDRs is allowed",
 			oldTemplate: &infrav1.OpenStackCluster{