Rename managedSecurityGroups.allNodesSecurityGroupRules

Rename `spec.managedSecurityGroups.allNodesSecurityGroupRules` to
`spec.managedSecurityGroups.clusterNodesSecurityGroupRules` to
clarify that these rules apply only to cluster nodes (control plane
and workers), and not to other managed resources such as
the bastion host.

Author: nikParasyr

api/v1beta1/conversion.go

@@ -430,6 +430,46 @@ func Convert_v1beta2_OpenStackClusterSpec_To_v1beta1_OpenStackClusterSpec(
 	return nil
 }
 
+func Convert_v1beta1_ManagedSecurityGroups_To_v1beta2_ManagedSecurityGroups(
+	in *ManagedSecurityGroups,
+	out *infrav1.ManagedSecurityGroups,
+	s apiconversion.Scope,
+) error {
+	if err := autoConvert_v1beta1_ManagedSecurityGroups_To_v1beta2_ManagedSecurityGroups(in, out, s); err != nil {
+		return err
+	}
+
+	if len(in.AllNodesSecurityGroupRules) > 0 {
+		out.ClusterNodesSecurityGroupRules = make([]infrav1.SecurityGroupRuleSpec, len(in.AllNodesSecurityGroupRules))
+		for i := range in.AllNodesSecurityGroupRules {
+			if err := Convert_v1beta1_SecurityGroupRuleSpec_To_v1beta2_SecurityGroupRuleSpec(&in.AllNodesSecurityGroupRules[i], &out.ClusterNodesSecurityGroupRules[i], s); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func Convert_v1beta2_ManagedSecurityGroups_To_v1beta1_ManagedSecurityGroups(
+	in *infrav1.ManagedSecurityGroups,
+	out *ManagedSecurityGroups,
+	s apiconversion.Scope,
+) error {
+	if err := autoConvert_v1beta2_ManagedSecurityGroups_To_v1beta1_ManagedSecurityGroups(in, out, s); err != nil {
+		return err
+	}
+
+	if len(in.ClusterNodesSecurityGroupRules) > 0 {
+		out.AllNodesSecurityGroupRules = make([]SecurityGroupRuleSpec, len(in.ClusterNodesSecurityGroupRules))
+		for i := range in.ClusterNodesSecurityGroupRules {
+			if err := Convert_v1beta2_SecurityGroupRuleSpec_To_v1beta1_SecurityGroupRuleSpec(&in.ClusterNodesSecurityGroupRules[i], &out.AllNodesSecurityGroupRules[i], s); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
 // LegacyCalicoSecurityGroupRules returns a list of security group rules for calico
 // that need to be applied to the control plane and worker security groups when
 // managed security groups are enabled and upgrading to v1beta1.

api/v1beta1/conversion_test.go

@@ -1115,3 +1115,104 @@ func TestOpenStackCluster_RoundTrip_ManagedRouter(t *testing.T) {
 		})
 	}
 }
+
+func TestOpenStackCluster_RoundTrip_ManagedSecurityGroups_ClusterNodesRules(t *testing.T) {
+	tests := []struct {
+		name string
+		in   OpenStackCluster
+	}{
+		{
+			name: "single rule",
+			in: OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					ManagedSecurityGroups: &ManagedSecurityGroups{
+						AllNodesSecurityGroupRules: []SecurityGroupRuleSpec{
+							{
+								Name:      "allow-http",
+								Direction: "ingress",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "multiple rules",
+			in: OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					ManagedSecurityGroups: &ManagedSecurityGroups{
+						AllNodesSecurityGroupRules: []SecurityGroupRuleSpec{
+							{
+								Name:      "allow-http",
+								Direction: "ingress",
+							},
+							{
+								Name:      "allow-https",
+								Direction: "ingress",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "mixed with other node rules",
+			in: OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					ManagedSecurityGroups: &ManagedSecurityGroups{
+						AllNodesSecurityGroupRules: []SecurityGroupRuleSpec{
+							{Name: "all-nodes-rule", Direction: "ingress"},
+						},
+						ControlPlaneNodesSecurityGroupRules: []SecurityGroupRuleSpec{
+							{Name: "cp-rule", Direction: "egress"},
+						},
+						WorkerNodesSecurityGroupRules: []SecurityGroupRuleSpec{
+							{Name: "worker-rule", Direction: "ingress"},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "no AllNodesSecurityGroupRules — field stays nil",
+			in: OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					ManagedSecurityGroups: &ManagedSecurityGroups{
+						AllowAllInClusterTraffic: true,
+					},
+				},
+			},
+		},
+		{
+			name: "no ManagedSecurityGroups at all",
+			in:   OpenStackCluster{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			hub := &infrav1.OpenStackCluster{}
+			g.Expect(tt.in.ConvertTo(hub)).To(Succeed())
+
+			// Verify intermediate v1beta2 state
+			if tt.in.Spec.ManagedSecurityGroups == nil {
+				g.Expect(hub.Spec.ManagedSecurityGroups).To(BeNil())
+			} else {
+				g.Expect(hub.Spec.ManagedSecurityGroups).NotTo(BeNil())
+				g.Expect(hub.Spec.ManagedSecurityGroups.ClusterNodesSecurityGroupRules).To(HaveLen(len(tt.in.Spec.ManagedSecurityGroups.AllNodesSecurityGroupRules)))
+				for i, rule := range tt.in.Spec.ManagedSecurityGroups.AllNodesSecurityGroupRules {
+					g.Expect(hub.Spec.ManagedSecurityGroups.ClusterNodesSecurityGroupRules[i].Name).To(Equal(rule.Name))
+					g.Expect(hub.Spec.ManagedSecurityGroups.ClusterNodesSecurityGroupRules[i].Direction).To(Equal(rule.Direction))
+				}
+			}
+
+			restored := &OpenStackCluster{}
+			g.Expect(restored.ConvertFrom(hub)).To(Succeed())
+
+			// Verify full round-trip
+			g.Expect(restored.Spec.ManagedSecurityGroups).To(Equal(tt.in.Spec.ManagedSecurityGroups))
+		})
+	}
+}

api/v1beta1/zz_generated.conversion.go

@@ -307,13 +307,13 @@ type ManagedNetwork struct {
 
 // ManagedSecurityGroups defines the desired state of security groups and rules for the cluster.
 type ManagedSecurityGroups struct {
-	// allNodesSecurityGroupRules defines the rules that should be applied to all nodes.
+	// clusterNodesSecurityGroupRules defines the rules that should be applied to all cluster nodes, excluding the bastion host.
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=name
 	// +optional
-	AllNodesSecurityGroupRules []SecurityGroupRuleSpec `json:"allNodesSecurityGroupRules,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
+	ClusterNodesSecurityGroupRules []SecurityGroupRuleSpec `json:"clusterNodesSecurityGroupRules,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
 
 	// controlPlaneNodesSecurityGroupRules defines the rules that should be applied to control plane nodes.
 	// +patchMergeKey=name

api/v1beta2/openstackcluster_types.go

@@ -1195,7 +1195,7 @@ var _ = Describe("OpenStackCluster controller", func() {
 			DisableAPIServerFloatingIP: ptr.To(true),
 			APIServerFixedIP:           ptr.To("192.168.0.10"),
 			ManagedSecurityGroups: &infrav1.ManagedSecurityGroups{
-				AllNodesSecurityGroupRules: []infrav1.SecurityGroupRuleSpec{
+				ClusterNodesSecurityGroupRules: []infrav1.SecurityGroupRuleSpec{
 					{
 						Direction: "ingress",
 						Protocol:  ptr.To("tcp"),
@@ -1271,7 +1271,7 @@ var _ = Describe("OpenStackCluster controller", func() {
 			DisableAPIServerFloatingIP: ptr.To(true),
 			APIServerFixedIP:           ptr.To("192.168.0.10"),
 			ManagedSecurityGroups: &infrav1.ManagedSecurityGroups{
-				AllNodesSecurityGroupRules: []infrav1.SecurityGroupRuleSpec{
+				ClusterNodesSecurityGroupRules: []infrav1.SecurityGroupRuleSpec{
 					{
 						Direction: "ingress",
 						Protocol:  ptr.To("tcp"),