Add Security Group support

charts/region/crds/region.unikorn-cloud.org_openstacksecuritygroups.yaml

@@ -0,0 +1,104 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: openstacksecuritygroups.region.unikorn-cloud.org
+spec:
+  group: region.unikorn-cloud.org
+  names:
+    categories:
+    - unikorn
+    kind: OpenstackSecurityGroup
+    listKind: OpenstackSecurityGroupList
+    plural: openstacksecuritygroups
+    singular: openstacksecuritygroup
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: OpenstackSecurityGroup has no controller, its a database record
+          of state.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              rules:
+                description: Rules are the security group rules.
+                items:
+                  properties:
+                    direction:
+                      description: |-
+                        The direction in which the security group rule is applied. The only values
+                        allowed are "ingress" or "egress".
+                      type: string
+                    id:
+                      description: ID is the security group rule ID.
+                      type: string
+                    port_range_max:
+                      description: |-
+                        The maximum port number in the range that is matched by the security group
+                        rule. The PortRangeMin attribute constrains the PortRangeMax attribute. If
+                        the protocol is ICMP, this value must be an ICMP type.
+                      type: integer
+                    port_range_min:
+                      description: |-
+                        The minimum port number in the range that is matched by the security group
+                        rule. If the protocol is TCP or UDP, this value must be less than or equal
+                        to the value of the PortRangeMax attribute. If the protocol is ICMP, this
+                        value must be an ICMP type.
+                      type: integer
+                    protocol:
+                      description: |-
+                        The protocol that is matched by the security group rule. Valid values are
+                        "tcp", "udp", "icmp" or an empty string.
+                      type: string
+                    remote_ip_prefix:
+                      description: |-
+                        The remote IP prefix to be associated with this security group rule.
+                        This attribute matches the specified IP prefix as the source IP address of
+                        the IP packet.
+                      pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\/(?:3[0-2]|[1-2]?[0-9])$
+                      type: string
+                  required:
+                  - direction
+                  - id
+                  - port_range_max
+                  - port_range_min
+                  - protocol
+                  type: object
+                type: array
+              securityGroupID:
+                description: SecurityGroupID is the security group ID.
+                type: string
+            type: object
+          status:
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}

charts/region/crds/region.unikorn-cloud.org_securitygroups.yaml

@@ -0,0 +1,176 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.1
+  name: securitygroups.region.unikorn-cloud.org
+spec:
+  group: region.unikorn-cloud.org
+  names:
+    categories:
+    - unikorn
+    kind: SecurityGroup
+    listKind: SecurityGroupList
+    plural: securitygroups
+    singular: securitygroup
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Available")].reason
+      name: status
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: SecurityGroup defines a security group beloning to an identity.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              ingress:
+                description: Ingress are the ingress rules.
+                items:
+                  properties:
+                    cidr:
+                      description: Cidr is the CIDR block to allow traffic from.
+                      pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\/(?:3[0-2]|[1-2]?[0-9])$
+                      type: string
+                    port:
+                      description: Port is the port or range of ports.
+                      properties:
+                        number:
+                          description: Number is the port number.
+                          type: integer
+                        range:
+                          description: Range is the port range.
+                          properties:
+                            end:
+                              description: End is the end of the range.
+                              maximum: 65535
+                              type: integer
+                            start:
+                              description: Start is the start of the range.
+                              minimum: 1
+                              type: integer
+                          required:
+                          - end
+                          - start
+                          type: object
+                      type: object
+                    protocol:
+                      description: Protocol is the protocol of the rule.
+                      enum:
+                      - tcp
+                      - udp
+                      type: string
+                  required:
+                  - cidr
+                  - port
+                  - protocol
+                  type: object
+                type: array
+              pause:
+                description: Pause, if true, will inhibit reconciliation.
+                type: boolean
+              provider:
+                description: Provider defines the provider type.
+                enum:
+                - openstack
+                type: string
+              tags:
+                description: |-
+                  Tags are an abitrary list of key/value pairs that a client
+                  may populate to store metadata for the resource.
+                items:
+                  description: Tag is an arbirary key/value.
+                  properties:
+                    name:
+                      description: Name of the tag.
+                      type: string
+                    value:
+                      description: Value of the tag.
+                      type: string
+                  required:
+                  - name
+                  - value
+                  type: object
+                type: array
+            required:
+            - provider
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of a cluster manager.
+                items:
+                  description: |-
+                    Condition is a generic condition type for use across all resource types.
+                    It's generic so that the underlying controller-manager functionality can
+                    be shared across all resources.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      enum:
+                      - Provisioning
+                      - Provisioned
+                      - Cancelled
+                      - Errored
+                      - Deprovisioning
+                      - Deprovisioned
+                      type: string
+                    status:
+                      description: |-
+                        Status is the status of the condition.
+                        Can be True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      enum:
+                      - Available
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

cmd/unikorn-security-group-controller/main.go

@@ -0,0 +1,26 @@
+/*
+Copyright 2024 the Unikorn Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/unikorn-cloud/core/pkg/manager"
+	securitygroup "github.com/unikorn-cloud/region/pkg/managers/security-group"
+)
+
+func main() {
+	manager.Run(&securitygroup.Factory{})
+}

pkg/apis/unikorn/v1alpha1/helpers.go

@@ -70,3 +70,27 @@ func (c *PhysicalNetwork) StatusConditionWrite(t unikornv1core.ConditionType, st
 func (c *PhysicalNetwork) ResourceLabels() (labels.Set, error) {
 	return nil, nil
 }
+
+// Paused implements the ReconcilePauser interface.
+func (c *SecurityGroup) Paused() bool {
+	return c.Spec.Pause
+}
+
+// StatusConditionRead scans the status conditions for an existing condition whose type
+// matches.
+func (c *SecurityGroup) StatusConditionRead(t unikornv1core.ConditionType) (*unikornv1core.Condition, error) {
+	return unikornv1core.GetCondition(c.Status.Conditions, t)
+}
+
+// StatusConditionWrite either adds or updates a condition in the cluster manager status.
+// If the condition, status and message match an existing condition the update is
+// ignored.
+func (c *SecurityGroup) StatusConditionWrite(t unikornv1core.ConditionType, status corev1.ConditionStatus, reason unikornv1core.ConditionReason, message string) {
+	unikornv1core.UpdateCondition(&c.Status.Conditions, t, status, reason, message)
+}
+
+// ResourceLabels generates a set of labels to uniquely identify the resource
+// if it were to be placed in a single global namespace.
+func (c *SecurityGroup) ResourceLabels() (labels.Set, error) {
+	return nil, nil
+}

pkg/apis/unikorn/v1alpha1/register.go

@@ -55,6 +55,8 @@ func init() {
 	SchemeBuilder.Register(&OpenstackIdentity{}, &OpenstackIdentityList{})
 	SchemeBuilder.Register(&OpenstackPhysicalNetwork{}, &OpenstackPhysicalNetworkList{})
 	SchemeBuilder.Register(&VLANAllocation{}, &VLANAllocationList{})
+	SchemeBuilder.Register(&SecurityGroup{}, &SecurityGroupList{})
+	SchemeBuilder.Register(&OpenstackSecurityGroup{}, &OpenstackSecurityGroupList{})
 }
 
 // Resource maps a resource type to a group resource.