add security group rules in cluster status

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>

api/v1alpha1/huaweicloudcluster_types.go

@@ -54,6 +54,7 @@ type HuaweiCloudClusterStatus struct {
 
 	// +kubebuilder:default=false
 	Ready      bool                 `json:"ready"`
+	Network    NetworkStatus        `json:"networkStatus,omitempty"`
 	Conditions clusterv1.Conditions `json:"conditions,omitempty"`
 }
 

api/v1alpha1/network_types.go

@@ -16,6 +16,8 @@ limitations under the License.
 
 package v1alpha1
 
+import "fmt"
+
 // NetworkSpect encapsulates the configuration options for HuaweiCloud network.
 type NetworkSpec struct {
 	// VPC configuration.
@@ -63,3 +65,81 @@ type SubnetSpec struct {
 	// NeutronSubnetId is the identifier of the subnet (OpenStack Neutron interface).
 	NeutronSubnetId string `json:"neutron_subnet_id"`
 }
+
+// SecurityGroupRole defines the unique role of a security group.
+// +kubebuilder:validation:Enum=bastion;node;controlplane;apiserver-lb;lb;node-eks-additional
+type SecurityGroupRole string
+
+var (
+	// SecurityGroupNode defines a Kubernetes workload node role.
+	SecurityGroupNode = SecurityGroupRole("node")
+
+	// SecurityGroupControlPlane defines a Kubernetes control plane node role.
+	SecurityGroupControlPlane = SecurityGroupRole("controlplane")
+
+	// SecurityGroupAPIServerLB defines a Kubernetes API Server Load Balancer role.
+	SecurityGroupAPIServerLB = SecurityGroupRole("apiserver-lb")
+
+	// SecurityGroupLB defines a container for the cloud provider to inject its load balancer ingress rules.
+	SecurityGroupLB = SecurityGroupRole("lb")
+)
+
+// SecurityGroupRule
+type SecurityGroupRule struct {
+	// ID is the unique identifier of the security group rule.
+	Id string `json:"id"`
+
+	// Description is the description of the security group rule.
+	Description string `json:"description"`
+
+	// SecurityGroupId is the security group id.
+	SecurityGroupId string `json:"security_group_id"`
+
+	// Direction is the direction of the security group rule. Accepted values are "ingress" and "egress".
+	Direction string `json:"direction"`
+
+	// Ethertype is the IP protocol type. The value can be IPv4 or IPv6.
+	Ethertype string `json:"ethertype"`
+
+	// Protocol is the protocol for the security group rule.
+	Protocol string `json:"protocol"`
+
+	// PortRangeMin is the start of port range.
+	PortRangeMin int32 `json:"port_range_min"`
+
+	// PortRangeMax is the end of port range.
+	PortRangeMax int32 `json:"port_range_max"`
+
+	// RemoteIpPrefix is the CIDR block to allow access from.
+	RemoteIpPrefix string `json:"remote_ip_prefix"`
+
+	// RemoteGroupId is the remote security group id.
+	RemoteGroupId string `json:"remote_group_id"`
+
+	// RemoteAddressGroupId is the remote address group id.
+	RemoteAddressGroupId string `json:"remote_address_group_id"`
+}
+
+// SecurityGroup defines an HuaweiCloud security group.
+type SecurityGroup struct {
+	// ID is a unique identifier.
+	ID string `json:"id"`
+
+	// Name is the security group name.
+	Name string `json:"name"`
+
+	// IngressRules is the inbound rules associated with the security group.
+	// +optional
+	SecurityGroupRules []SecurityGroupRule `json:"ingressRule,omitempty"`
+}
+
+// String returns a string representation of the security group.
+func (s *SecurityGroup) String() string {
+	return fmt.Sprintf("id=%s/name=%s", s.ID, s.Name)
+}
+
+// NetworkStatus encapsulates HuaweiCloud networking resources.
+type NetworkStatus struct {
+	// SecurityGroups is a map from the role/kind of the security group to its unique name, if any.
+	SecurityGroups map[SecurityGroupRole]SecurityGroup `json:"securityGroups,omitempty"`
+}

config/crd/bases/infrastructure.cluster.x-k8s.io_huaweicloudclusters.yaml

@@ -178,6 +178,91 @@ spec:
                   - type
                   type: object
                 type: array
+              networkStatus:
+                description: NetworkStatus encapsulates HuaweiCloud networking resources.
+                properties:
+                  securityGroups:
+                    additionalProperties:
+                      description: SecurityGroup defines an HuaweiCloud security group.
+                      properties:
+                        id:
+                          description: ID is a unique identifier.
+                          type: string
+                        ingressRule:
+                          description: IngressRules is the inbound rules associated
+                            with the security group.
+                          items:
+                            description: SecurityGroupRule
+                            properties:
+                              description:
+                                description: Description is the description of the
+                                  security group rule.
+                                type: string
+                              direction:
+                                description: Direction is the direction of the security
+                                  group rule. Accepted values are "ingress" and "egress".
+                                type: string
+                              ethertype:
+                                description: Ethertype is the IP protocol type. The
+                                  value can be IPv4 or IPv6.
+                                type: string
+                              id:
+                                description: ID is the unique identifier of the security
+                                  group rule.
+                                type: string
+                              port_range_max:
+                                description: PortRangeMax is the end of port range.
+                                format: int32
+                                type: integer
+                              port_range_min:
+                                description: PortRangeMin is the start of port range.
+                                format: int32
+                                type: integer
+                              protocol:
+                                description: Protocol is the protocol for the security
+                                  group rule.
+                                type: string
+                              remote_address_group_id:
+                                description: RemoteAddressGroupId is the remote address
+                                  group id.
+                                type: string
+                              remote_group_id:
+                                description: RemoteGroupId is the remote security
+                                  group id.
+                                type: string
+                              remote_ip_prefix:
+                                description: RemoteIpPrefix is the CIDR block to allow
+                                  access from.
+                                type: string
+                              security_group_id:
+                                description: SecurityGroupId is the security group
+                                  id.
+                                type: string
+                            required:
+                            - description
+                            - direction
+                            - ethertype
+                            - id
+                            - port_range_max
+                            - port_range_min
+                            - protocol
+                            - remote_address_group_id
+                            - remote_group_id
+                            - remote_ip_prefix
+                            - security_group_id
+                            type: object
+                          type: array
+                        name:
+                          description: Name is the security group name.
+                          type: string
+                      required:
+                      - id
+                      - name
+                      type: object
+                    description: SecurityGroups is a map from the role/kind of the
+                      security group to its unique name, if any.
+                    type: object
+                type: object
               ready:
                 default: false
                 type: boolean

internal/controller/huaweicloudcluster_controller.go

@@ -39,13 +39,28 @@ import (
 	"github.com/pkg/errors"
 )
 
+var defaultHCSecurityGroupRoles = []infrav1alpha1.SecurityGroupRole{
+	infrav1alpha1.SecurityGroupAPIServerLB,
+	infrav1alpha1.SecurityGroupLB,
+	infrav1alpha1.SecurityGroupControlPlane,
+	infrav1alpha1.SecurityGroupNode,
+}
+
 // HuaweiCloudClusterReconciler reconciles a HuaweiCloudCluster object
 type HuaweiCloudClusterReconciler struct {
 	client.Client
 	Scheme      *runtime.Scheme
 	Credentials *basic.Credentials
 }
 
+// securityGroupRolesForCluster returns the security group roles determined by the cluster configuration.
+func securityGroupRolesForCluster() []infrav1alpha1.SecurityGroupRole {
+	// Copy to ensure we do not modify the package-level variable.
+	roles := make([]infrav1alpha1.SecurityGroupRole, len(defaultHCSecurityGroupRoles))
+	copy(roles, defaultHCSecurityGroupRoles)
+	return roles
+}
+
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=huaweicloudclusters,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=huaweicloudclusters/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=huaweicloudclusters/finalizers,verbs=update
@@ -146,7 +161,7 @@ func (r *HuaweiCloudClusterReconciler) reconcileNormal(clusterScope *scope.Clust
 	}
 
 	// reconcile security group
-	sgSvc, err := securitygroup.NewService(clusterScope)
+	sgSvc, err := securitygroup.NewService(clusterScope, securityGroupRolesForCluster())
 	if err != nil {
 		return reconcile.Result{}, errors.Wrap(err, "failed to create security group service")
 	}
@@ -186,7 +201,7 @@ func (r *HuaweiCloudClusterReconciler) reconcileDelete(clusterScope *scope.Clust
 	}
 
 	// delete security group
-	sgSvc, err := securitygroup.NewService(clusterScope)
+	sgSvc, err := securitygroup.NewService(clusterScope, securityGroupRolesForCluster())
 	if err != nil {
 		return errors.Wrap(err, "failed to create security group service")
 	}

pkg/scope/cluster.go

@@ -120,6 +120,16 @@ func (s *ClusterScope) Region() string {
 	return s.HCCluster.Spec.Region
 }
 
+// SecurityGroups returns the cluster security groups as a map, it creates the map if empty.
+func (s *ClusterScope) SecurityGroups() map[infrav1alpha1.SecurityGroupRole]infrav1alpha1.SecurityGroup {
+	return s.HCCluster.Status.Network.SecurityGroups
+}
+
+// SetSecurityGroups updates the cluster security groups.
+func (s *ClusterScope) SetSecurityGroups(sg map[infrav1alpha1.SecurityGroupRole]infrav1alpha1.SecurityGroup) {
+	s.HCCluster.Status.Network.SecurityGroups = sg
+}
+
 // PatchObject persists the cluster configuration and status.
 func (s *ClusterScope) PatchObject() error {
 	applicableConditions := []clusterv1.ConditionType{

pkg/services/network/network.go

@@ -32,8 +32,6 @@ func (s *Service) ReconcileNetwork() error {
 		return err
 	}
 
-	// TODO: Public IPs
-
 	// TODO: Routing tables
 
 	klog.Infof("Reconcile network completed successfully")
@@ -67,8 +65,6 @@ func (s *Service) DeleteNetwork() error {
 		clusterv1.DeletedReason,
 		clusterv1.ConditionSeverityInfo, "")
 
-	// TODO: Delete Public IPs
-
 	// TODO: Delete Route Tables
 
 	// Delete VPC