Merge pull request #767 from winiciusallan/trustedvif

port: add trustedVIF field

Author: mandre

.github/workflows/e2e.yaml

@@ -38,8 +38,10 @@ jobs:
       with:
         enable_workaround_docker_io: 'false'
         branch: ${{ matrix.openstack_version }}
-        enabled_services: "openstack-cli-server,neutron-trunk"
+        enabled_services: "openstack-cli-server,neutron-trunk,neutron-port-trusted-vif"
         conf_overrides: |
+          enable_plugin neutron https://github.com/openstack/neutron ${{ matrix.openstack_version }}
+
           [[post-config|/etc/nova/nova.conf]]
           [filter_scheduler]
           enabled_filters = ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter,SameHostFilter,DifferentHostFilter,SimpleCIDRAffinityFilter,JsonFilter

api/v1alpha1/port_types.go

@@ -210,6 +210,12 @@ type PortResourceSpec struct {
 	// +optional
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="hostID is immutable"
 	HostID *HostID `json:"hostID,omitempty"` //nolint:kubeapilinter // HostID provides both raw ID and ServerRef options
+
+	// trustedVIF indicates whether the VF for the port will become
+	// trusted by physical function to perform some privileged
+	// operations. Only admin users can create ports with this field.
+	// +optional
+	TrustedVIF *bool `json:"trustedVIF,omitempty"`
 }
 
 type PortResourceStatus struct {
@@ -307,6 +313,12 @@ type PortResourceStatus struct {
 	// +optional
 	HostID string `json:"hostID,omitempty"`
 
+	// trustedVIF indicates whether the VF for the port will become
+	// trusted by physical function to perform some privileged
+	// operations.
+	// +optional
+	TrustedVIF *bool `json:"trustedVIF,omitempty"`
+
 	NeutronStatusMetadata `json:",inline"`
 }
 

api/v1alpha1/zz_generated.deepcopy.go

@@ -401,6 +401,12 @@ spec:
                     maxItems: 64
                     type: array
                     x-kubernetes-list-type: set
+                  trustedVIF:
+                    description: |-
+                      trustedVIF indicates whether the VF for the port will become
+                      trusted by physical function to perform some privileged
+                      operations. Only admin users can create ports with this field.
+                    type: boolean
                   vnicType:
                     description: |-
                       vnicType specifies the type of vNIC which this port should be
@@ -650,6 +656,12 @@ spec:
                     maxItems: 64
                     type: array
                     x-kubernetes-list-type: atomic
+                  trustedVIF:
+                    description: |-
+                      trustedVIF indicates whether the VF for the port will become
+                      trusted by physical function to perform some privileged
+                      operations.
+                    type: boolean
                   updatedAt:
                     description: updatedAt shows the date and time when the resource
                       was updated. The date and time stamp format is ISO 8601

cmd/models-schema/zz_generated.openapi.go

@@ -25,6 +25,7 @@ import (
 
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/portsbinding"
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/portsecurity"
+	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/portstrustedvif"
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/ports"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/utils/ptr"
@@ -318,7 +319,14 @@ func (actuator portActuator) CreateResource(ctx context.Context, obj *orcv1alpha
 			orcerrors.Terminal(orcv1alpha1.ConditionReasonInvalidConfiguration, fmt.Sprintf("Invalid value %s", resource.PortSecurity)))
 	}
 
-	osResource, err := actuator.osClient.CreatePort(ctx, &portSecurityOpts)
+	portTrustedOpts := portstrustedvif.PortCreateOptsExt{
+		CreateOptsBuilder: portSecurityOpts,
+	}
+	if resource.TrustedVIF != nil {
+		portTrustedOpts.PortTrustedVIF = resource.TrustedVIF
+	}
+
+	osResource, err := actuator.osClient.CreatePort(ctx, &portTrustedOpts)
 	if err != nil {
 		// We should require the spec to be updated before retrying a create which returned a conflict
 		if orcerrors.IsConflict(err) {
@@ -416,6 +424,7 @@ func (actuator portActuator) updateResource(ctx context.Context, obj orcObjectPT
 
 	updateOpts = handlePortBindingUpdate(updateOpts, resource, osResource)
 	updateOpts = handlePortSecurityUpdate(updateOpts, resource, osResource)
+	updateOpts = handlePortTrustedVIFUpdate(updateOpts, resource, osResource)
 
 	needsUpdate, err := needsUpdate(updateOpts)
 	if err != nil {
@@ -587,6 +596,20 @@ func handleAdminStateUpUpdate(updateOpts *ports.UpdateOpts, resource *resourceSp
 	}
 }
 
+func handlePortTrustedVIFUpdate(updateOpts ports.UpdateOptsBuilder, resource *resourceSpecT, osResource *osResourceT) ports.UpdateOptsBuilder {
+	trusted := resource.TrustedVIF
+	if trusted != nil {
+		if osResource.PortTrustedVIF == nil || *trusted != *osResource.PortTrustedVIF {
+			updateOpts = portstrustedvif.PortUpdateOptsExt{
+				UpdateOptsBuilder: updateOpts,
+				PortTrustedVIF:    trusted,
+			}
+		}
+	}
+
+	return updateOpts
+}
+
 type portHelperFactory struct{}
 
 var _ helperFactory = portHelperFactory{}

config/crd/bases/openstack.k-orc.cloud_ports.yaml

@@ -5,6 +5,7 @@ import (
 
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/portsbinding"
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/portsecurity"
+	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/portstrustedvif"
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/ports"
 	orcv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
 	osclients "github.com/k-orc/openstack-resource-controller/v2/internal/osclients"
@@ -435,3 +436,37 @@ func TestHandleAdminStateUpUpdate(t *testing.T) {
 		})
 	}
 }
+
+func TestHandleTrustedVIFUpdate(t *testing.T) {
+	testCases := []struct {
+		name          string
+		newValue      *bool
+		existingValue *bool
+		expectChange  bool
+	}{
+		{name: "Enabled when the value is not set", newValue: ptr.To(true), existingValue: nil, expectChange: true},
+		{name: "Enabled when was disabled", newValue: ptr.To(true), existingValue: ptr.To(false), expectChange: true},
+		{name: "Disabled when was enabled", newValue: ptr.To(false), existingValue: ptr.To(true), expectChange: true},
+		{name: "Keep the existing value if newValue is not set", newValue: nil, existingValue: ptr.To(true), expectChange: false},
+		{name: "Keep the existing value when they are the same (true)", newValue: ptr.To(true), existingValue: ptr.To(true), expectChange: false},
+		{name: "Keep the existing value when they are the same (false)", newValue: ptr.To(false), existingValue: ptr.To(false), expectChange: false},
+	}
+
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			resource := &orcv1alpha1.PortResourceSpec{TrustedVIF: tt.newValue}
+			osResource := &osclients.PortExt{
+				PortTrustedVIFExt: portstrustedvif.PortTrustedVIFExt{
+					PortTrustedVIF: tt.existingValue,
+				},
+			}
+
+			updateOpts := handlePortTrustedVIFUpdate(&ports.UpdateOpts{}, resource, osResource)
+
+			got, _ := needsUpdate(updateOpts)
+			if got != tt.expectChange {
+				t.Errorf("expected needsUpdate=%v, got %v", tt.expectChange, got)
+			}
+		})
+	}
+}

internal/controllers/port/actuator.go

@@ -104,5 +104,9 @@ func (portStatusWriter) ApplyResourceStatus(log logr.Logger, osResource *osResou
 		resourceStatus.WithFixedIPs(fixedIPs...)
 	}
 
+	if osResource.PortTrustedVIF != nil {
+		resourceStatus.WithTrustedVIF(*osResource.PortTrustedVIF)
+	}
+
 	statusApply.WithResource(resourceStatus)
 }

internal/controllers/port/actuator_test.go

@@ -15,17 +15,26 @@ status:
     tags:
       - tag1
 ---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: Port
+metadata:
+  name: port-create-sriov-admin
+status:
+  resource:
+    name: port-create-sriov-admin
+    trustedVIF: true
+---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
 resourceRefs:
     - apiVersion: openstack.k-orc.cloud/v1alpha1
       kind: port
       name: port-create-sriov
-      ref: port    
+      ref: port
     - apiVersion: openstack.k-orc.cloud/v1alpha1
       kind: subnet
       name: port-create-sriov
-      ref: subnet        
+      ref: subnet
 assertAll:
     - celExpr: "port.status.id != ''"
     - celExpr: "port.status.resource.createdAt != ''"
@@ -35,4 +44,4 @@ assertAll:
     - celExpr: "port.status.resource.fixedIPs[0].subnetID == subnet.status.id"
     - celExpr: "port.status.resource.fixedIPs[0].ip == '192.168.155.122'"
     - celExpr: "!has(port.status.resource.allowedAddressPairs)"
-    - celExpr: "!has(port.status.resource.securityGroups)"
+    - celExpr: "!has(port.status.resource.securityGroups)"

internal/controllers/port/status.go

@@ -43,4 +43,19 @@ spec:
     addresses:
     - subnetRef: port-create-sriov
       ip: 192.168.155.122
-    vnicType: direct
+    vnicType: direct
+---
+# This port is intended to be used to update fields where policies
+# enforce its mutability only by admins.
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: Port
+metadata:
+  name: port-create-sriov-admin
+spec:
+  cloudCredentialsRef:
+    cloudName: openstack-admin
+    secretName: openstack-clouds
+  managementPolicy: managed
+  resource:
+    networkRef: port-create-sriov
+    trustedVIF: true