OpenStack: allow to specify additional networks and security groups for masters and workers

[Fedosin]

In some cases we may need to provide access to additional networks and security groups. An example of this need would be to mount RWX volumes from OpenStack Manila, when shares are in another network (OSP default).
Since we plan to use Manila as the primary backend for the image registry, it is essential that we have this feature in IPI.

This PR adds two new parameters to OpenStack's MachinePool:

• additionalNetworkIDs (optional list of strings): IDs of additional networks for machines.
• additionalSecurityGroupIDs (optional list of strings): IDs of additional security groups for machines.

[Fedosin]

/hold

[abhinavdahiya]

if this get's merged, it would be very nice to have an enhancement created to document what user stories / use case this is solving.

for other cloud platforms we don't allow these additional sets unless they are necessary for successful installation... because otherwise we are increasing the surface area of configuration at install-time, which needs to be tested, and which goes against the OpenShift 4 goals.

if this is to just ease process of users, i would recommend we look into controller driven OLM operator like component to achieve this as a day-2 configuration.

[Fedosin]

@abhinavdahiya yeah, documentation is coming. most likely when you read this message, it's already available.

We need this change to enable OpenStack Manila (shared filesystem) integration in IPI. This is not a hard requirement, but in OSP we create an additional network for shared volumes, and we have to add workers to this network to allow mounting.
This is also important for IPI, because we plan to use Manila as a backend for the image registry (RWX PVC), and without this PR we can't do it properly.

[Fedosin]

/hold cancel

[Fedosin]

/retest

[Fedosin]

/test e2e-aws

[Fedosin]

/hold

blocked by openshift/cluster-api-provider-openstack#86

[Fedosin]

/hold cancel

[Fedosin]

/test e2e-openstack

[Fedosin]

/test e2e-openstack

[Fedosin]

/test e2e-openstack

[Fedosin]

/test e2e-openstack

[Fedosin]

/test e2e-openstack

[Fedosin]

/test e2e-openstack

[Fedosin]

/test e2e-openstack

[abhinavdahiya]

nit:

Suggested change

	networks := []openstackprovider.NetworkParam{
	{
	Subnets: []openstackprovider.SubnetParam{
	{
	Filter: openstackprovider.SubnetFilter{
	Name: fmt.Sprintf("%s-nodes", clusterID),
	Tags: fmt.Sprintf("%s=%s", "openshiftClusterID", clusterID),
	},
	},
	},
	},
	}
	networks := []openstackprovider.NetworkParam{{
	Subnets: []openstackprovider.SubnetParam{{
	Filter: openstackprovider.SubnetFilter{
	Name: fmt.Sprintf("%s-nodes", clusterID),
	Tags: fmt.Sprintf("%s=%s", "openshiftClusterID", clusterID),
	},
	}},
	}}

[abhinavdahiya]

/approve

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavdahiya, mandre

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [abhinavdahiya]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Fedosin]

/hold

[iamemilio]

Should we be using the valid values fetcher here to validate that these networks and security groups actually exist in openstack?

[Fedosin]

This will be done as a part of our Validation epic

[iamemilio]

You dont have to do this in this patch, but could we just pass the install config here, or make a new struct to pass tfvars? The number of arguments to this function is becoming ludicrous :)

[Fedosin]

I know... Abhinav asked the same question #3291 (comment)
But I think we don't have other options, because we need to differenciate between primary and additional objects, and the only way is to read them from the machine pool :(

[iamemilio]

/lgtm

[Fedosin]

/hold cancel

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci-robot]

@Fedosin: The following tests failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-aws-scaleup-rhel7	c1329de	link	/test e2e-aws-scaleup-rhel7
ci/prow/e2e-libvirt	c1329de	link	/test e2e-libvirt

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.