[occm][WIP] Add SG to node ensure the different node's pods can acces…

…s each other

pkg/openstack/routes.go

@@ -19,14 +19,18 @@ package openstack
 import (
 	"context"
 	"net"
+	"strings"
 	"sync"
 
 	"github.com/gophercloud/gophercloud"
+	"github.com/gophercloud/gophercloud/openstack/identity/v3/groups"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/layer3/extraroutes"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/layer3/routers"
+	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/security/rules"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/ports"
+	secgroups "github.com/gophercloud/utils/openstack/networking/v2/extensions/security/groups"
 
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
 	cloudprovider "k8s.io/cloud-provider"
@@ -264,6 +268,70 @@ func updateAllowedAddressPairs(network *gophercloud.ServiceClient, port *ports.P
 	return unwinder, nil
 }
 
+func updateSecurityGroup(network *gophercloud.ServiceClient, port *ports.Port, newPairs []ports.AddressPair) (func(), error) {
+	segName := "occm-nodes-sg"
+	onFailure := newCaller()
+	var sgId string
+	var err error
+	sgId, err = secgroups.IDFromName(network, segName)
+	if err != nil {
+		if strings.Contains(err.Error(), "Unable to find") {
+			res := groups.Create(network, groups.CreateOpts{Name: segName})
+			if res.Err != nil {
+				return nil, res.Err
+			}
+			sgGroup, err := res.Extract()
+			if err != nil {
+				return nil, err
+			}
+			sgId = sgGroup.ID
+			ruleRes := rules.Create(network, rules.CreateOpts{Direction: rules.DirIngress, SecGroupID: sgId, RemoteGroupID: sgId})
+			if ruleRes.Err != nil {
+				return nil, ruleRes.Err
+			}
+			defer onFailure.call(func() {
+				groups.Delete(network, sgId)
+			})
+			klog.V(2).Infof("Node security group %s created", segName)
+		} else {
+			return nil, err
+		}
+	}
+	var newRules []string
+	for _, pair := range newPairs {
+		res := rules.Create(network, rules.CreateOpts{Direction: rules.DirIngress, SecGroupID: sgId, RemoteIPPrefix: pair.IPAddress})
+		if res.Err != nil {
+			return nil, res.Err
+		}
+		rule, err := res.Extract()
+		if err != nil {
+			return nil, err
+		}
+		klog.V(2).Infof("Node security group rule created: %v", rule)
+		newRules = append(newRules, rule.ID)
+	}
+	defer onFailure.call(func() {
+		for _, rule := range newRules {
+			rules.Delete(network, rule)
+		}
+	})
+
+	oldSgs := port.SecurityGroups
+	sgs := append(port.SecurityGroups, sgId)
+	res := ports.Update(network, port.ID, ports.UpdateOpts{SecurityGroups: &sgs})
+	if res.Err != nil {
+		return nil, res.Err
+	}
+	onFailure.disarm()
+	unwinder := func() {
+		ports.Update(network, port.ID, ports.UpdateOpts{SecurityGroups: &oldSgs})
+		for _, rule := range newRules {
+			rules.Delete(network, rule)
+		}
+	}
+	return unwinder, nil
+}
+
 // CreateRoute creates the described managed route
 func (r *Routes) CreateRoute(ctx context.Context, clusterName string, nameHint string, route *cloudprovider.Route) error {
 	ip, _, _ := net.ParseCIDR(route.DestinationCIDR)
@@ -344,8 +412,9 @@ func (r *Routes) CreateRoute(ctx context.Context, clusterName string, nameHint s
 		}
 	}
 
+	var newPairs []ports.AddressPair
 	if !found {
-		newPairs := append(port.AllowedAddressPairs, ports.AddressPair{
+		newPairs = append(port.AllowedAddressPairs, ports.AddressPair{
 			IPAddress: route.DestinationCIDR,
 		})
 		unwind, err := updateAllowedAddressPairs(r.network, port, newPairs)
@@ -355,6 +424,12 @@ func (r *Routes) CreateRoute(ctx context.Context, clusterName string, nameHint s
 		defer onFailure.call(unwind)
 	}
 
+	unwind, err := updateSecurityGroup(r.network, port, newPairs)
+	if err != nil {
+		return err
+	}
+	defer onFailure.call(unwind)
+
 	klog.V(4).Infof("Route created: %v", route)
 	onFailure.disarm()
 	return nil