Keep security group assignments when security group is kept (#404)

* Keep security group assignments when security group is kept * check security group assignment on auxilary port * fix typo
stackitcloud · Aug 30, 2024 · 23bc53d · 23bc53d
1 parent be4f21e
commit 23bc53d
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 12 deletions.
diff --git a/controllers/yawol-controller/loadbalancer/loadbalancer_controller.go b/controllers/yawol-controller/loadbalancer/loadbalancer_controller.go
@@ -1348,6 +1348,19 @@ func (r *Reconciler) deleteSecGroups(
 	osClient openstack.Client,
 	lb *yawolv1beta1.LoadBalancer,
 ) (bool, error) {
+	// skip deletion and release status when annotated
+	if keep, err := strconv.ParseBool(lb.GetAnnotations()[yawolv1beta1.LoadBalancerKeepSecurityGroup]); err == nil && keep {
+		if lb.Status.SecurityGroupID == nil {
+			return false, nil
+		}
+		r.Log.Info("security group was released", "lb", lb.Namespace+"/"+lb.Name)
+		err = helper.RemoveFromLBStatus(ctx, r.Client.Status(), lb, "security_group_id")
+		if err != nil {
+			return true, fmt.Errorf("failed to remove from lb status: %w", err)
+		}
+		return false, nil
+	}
+
 	var err error
 
 	portClient, err := osClient.PortClient(ctx)
@@ -1364,18 +1377,6 @@ func (r *Reconciler) deleteSecGroups(
 	if err != nil {
 		return false, fmt.Errorf("failed to delete sec group usages: %w", err)
 	}
-	// skip deletion and release status when annotated
-	if keep, err := strconv.ParseBool(lb.GetAnnotations()[yawolv1beta1.LoadBalancerKeepSecurityGroup]); err == nil && keep {
-		if lb.Status.SecurityGroupID == nil {
-			return false, nil
-		}
-		r.Log.Info("security group was released", "lb", lb.Namespace+"/"+lb.Name)
-		err = helper.RemoveFromLBStatus(ctx, r.Client.Status(), lb, "security_group_id")
-		if err != nil {
-			return true, fmt.Errorf("failed to remove from lb status: %w", err)
-		}
-		return false, nil
-	}
 
 	var requeue bool
 	if lb.Status.SecurityGroupID != nil {

diff --git a/controllers/yawol-controller/loadbalancer/loadbalancer_controller_test.go b/controllers/yawol-controller/loadbalancer/loadbalancer_controller_test.go
@@ -10,6 +10,7 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	. "github.com/onsi/gomega/gstruct"
 
 	"github.com/gophercloud/gophercloud"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/layer3/floatingips"
@@ -811,13 +812,24 @@ var _ = Describe("loadbalancer controller", Serial, Ordered, func() {
 				}, timeout, interval).Should(Succeed())
 			})
 			It("should not delete the security group", func() {
+				portClient := mockClient.PortClientObj
+				auxiliaryPortName := "auxiliary-port"
+				securityGroupID := ""
+
 				By("checking that secgroup is set")
 				hopefully(nn, func(g Gomega, act LB) error {
 					g.Expect(act.Status.SecurityGroupID).To(Not(BeNil()))
 					g.Expect(*act.Status.SecurityGroupName == nn.String())
+					securityGroupID = *act.Status.SecurityGroupID
 					return nil
 				})
 
+				_, err := portClient.Create(ctx, ports.CreateOpts{
+					Name:           auxiliaryPortName,
+					SecurityGroups: &[]string{securityGroupID},
+				})
+				Expect(err).NotTo(HaveOccurred())
+
 				By("deleting the LB")
 				cleanupLB(nn, timeout)
 
@@ -829,6 +841,15 @@ var _ = Describe("loadbalancer controller", Serial, Ordered, func() {
 					g.Expect(err).To(Not(HaveOccurred()))
 					g.Expect(len(groups)).To(Equal(1))
 				}, timeout, interval).Should(Succeed())
+
+				By("checking the security group assignment is still there")
+				portList, err := portClient.List(ctx, ports.ListOpts{})
+				Expect(err).NotTo(HaveOccurred())
+				port := ports.Port{}
+				Expect(portList).To(ContainElement(MatchFields(IgnoreExtras, Fields{
+					"Name": Equal(auxiliaryPortName),
+				}), &port))
+				Expect(port.SecurityGroups).To(ConsistOf(securityGroupID))
 			})
 			It("should not delete the fip", func() {
 				var fipIP *string