Use port_trusted_vif extension for trusted VF when available

larainema · larainema · commit 89ad437591ee · 2026-04-15T21:34:51.000+08:00
When creating ports with TrustedVF enabled, check if the Neutron
port_trusted_vif extension is available. If it is, set the trusted
attribute via the dedicated port field instead of through
binding:profile. This follows the deprecation of setting trusted
directly in binding:profile in recent Neutron releases.

Falls back to the old binding:profile approach when the extension
is not available for backward compatibility.
diff --git a/pkg/cloud/services/networking/port.go b/pkg/cloud/services/networking/port.go
@@ -27,6 +27,7 @@ import (
 	"github.com/gophercloud/gophercloud/v2"
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/portsbinding"
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/portsecurity"
+	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/portstrustedvif"
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/ports"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -240,14 +241,33 @@ func (s *Service) EnsurePort(eventObject runtime.Object, portSpec *infrav1.Resol
 		builder = portSecurityOpts
 	}
 
+	// Determine if port_trusted_vif extension is available when TrustedVF is requested.
+	// If available, we use the dedicated port attribute instead of binding:profile.
+	var usePortTrustedVIF bool
+	if portSpec.Profile != nil && ptr.Deref(portSpec.Profile.TrustedVF, false) {
+		usePortTrustedVIF, err = s.HasPortTrustedVIFExtension()
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	portsBindingOpts := portsbinding.CreateOptsExt{
 		CreateOptsBuilder: builder,
 		HostID:            ptr.Deref(portSpec.HostID, ""),
 		VNICType:          ptr.Deref(portSpec.VNICType, ""),
-		Profile:           getPortProfile(portSpec.Profile),
+		Profile:           getPortProfile(portSpec.Profile, usePortTrustedVIF),
 	}
 	builder = portsBindingOpts
 
+	// If the port_trusted_vif extension is available, set trusted mode via the
+	// dedicated port attribute rather than through binding:profile.
+	if usePortTrustedVIF {
+		builder = portstrustedvif.PortCreateOptsExt{
+			CreateOptsBuilder: builder,
+			PortTrustedVIF:    portSpec.Profile.TrustedVF,
+		}
+	}
+
 	port, err := s.client.CreatePort(builder)
 	if err != nil {
 		record.Warnf(eventObject, "FailedCreatePort", "Failed to create port %s: %v", portSpec.Name, err)
@@ -262,7 +282,7 @@ func (s *Service) EnsurePort(eventObject runtime.Object, portSpec *infrav1.Resol
 	return port, nil
 }
 
-func getPortProfile(p *infrav1.BindingProfile) map[string]interface{} {
+func getPortProfile(p *infrav1.BindingProfile, usePortTrustedVIF bool) map[string]interface{} {
 	if p == nil {
 		return nil
 	}
@@ -274,7 +294,10 @@ func getPortProfile(p *infrav1.BindingProfile) map[string]interface{} {
 	if ptr.Deref(p.OVSHWOffload, false) {
 		portProfile["capabilities"] = []string{"switchdev"}
 	}
-	if ptr.Deref(p.TrustedVF, false) {
+	// Only set trusted in binding:profile if the port_trusted_vif extension
+	// is not available. When the extension is available, trusted mode is set
+	// via the dedicated port attribute instead.
+	if !usePortTrustedVIF && ptr.Deref(p.TrustedVF, false) {
 		portProfile["trusted"] = true
 	}
 
@@ -607,6 +630,24 @@ func (s *Service) IsTrunkExtSupported() (trunknSupported bool, err error) {
 	return true, nil
 }
 
+// HasPortTrustedVIFExtension checks whether the Neutron port_trusted_vif
+// extension is available. When this extension is present, trusted VF mode
+// should be set via the dedicated port attribute rather than through
+// binding:profile.
+func (s *Service) HasPortTrustedVIFExtension() (bool, error) {
+	allExts, err := s.client.ListExtensions()
+	if err != nil {
+		return false, err
+	}
+
+	for _, ext := range allExts {
+		if ext.Alias == "port-trusted-vif" {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
 // AdoptPortsServer looks for ports in desiredPorts which were previously created, and adds them to resources.Ports.
 // A port matches if it has the same name and network ID as the desired port.
 // TODO(emilien): remove this function: https://github.com/kubernetes-sigs/cluster-api-provider-openstack/pull/2071
diff --git a/pkg/cloud/services/networking/port_test.go b/pkg/cloud/services/networking/port_test.go
@@ -25,6 +25,7 @@ import (
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/attributestags"
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/portsbinding"
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/portsecurity"
+	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/portstrustedvif"
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/security/groups"
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/trunks"
 	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/networks"
@@ -161,6 +162,8 @@ func Test_EnsurePort(t *testing.T) {
 					Name:      "foo-port-1",
 					NetworkID: netID,
 				}).Return(nil, nil)
+				// Extension not available, so trusted goes into binding:profile
+				m.ListExtensions().Return([]extensions.Extension{}, nil)
 				// The following allows us to use gomega to
 				// compare the argument instead of gomock.
 				// Gomock's output in the case of a mismatch is
@@ -173,6 +176,50 @@ func Test_EnsurePort(t *testing.T) {
 			},
 			want: &ports.Port{ID: portID},
 		},
+		{
+			name: "uses port_trusted_vif extension when available instead of binding:profile",
+			port: infrav1.ResolvedPortSpec{
+				Name:      "test-port",
+				NetworkID: netID,
+				ResolvedPortSpecFields: infrav1.ResolvedPortSpecFields{
+					VNICType: ptr.To("direct"),
+					Profile: &infrav1.BindingProfile{
+						TrustedVF: ptr.To(true),
+					},
+				},
+			},
+			expect: func(m *mock.MockNetworkClientMockRecorder, g Gomega) {
+				var expectedCreateOpts ports.CreateOptsBuilder
+				expectedCreateOpts = ports.CreateOpts{
+					Name:      "test-port",
+					NetworkID: netID,
+				}
+				// When extension is available, trusted is NOT in binding:profile
+				expectedCreateOpts = portsbinding.CreateOptsExt{
+					CreateOptsBuilder: expectedCreateOpts,
+					VNICType:          "direct",
+				}
+				expectedCreateOpts = portstrustedvif.PortCreateOptsExt{
+					CreateOptsBuilder: expectedCreateOpts,
+					PortTrustedVIF:    ptr.To(true),
+				}
+
+				m.ListPort(ports.ListOpts{
+					Name:      "test-port",
+					NetworkID: netID,
+				}).Return(nil, nil)
+				// Extension is available
+				trustedVIFExt := extensions.Extension{}
+				trustedVIFExt.Alias = "port-trusted-vif"
+				m.ListExtensions().Return([]extensions.Extension{trustedVIFExt}, nil)
+				m.CreatePort(gomock.Any()).DoAndReturn(func(builder ports.CreateOptsBuilder) (*ports.Port, error) {
+					gotCreateOpts := builder.(portstrustedvif.PortCreateOptsExt)
+					g.Expect(gotCreateOpts).To(Equal(expectedCreateOpts), cmp.Diff(gotCreateOpts, expectedCreateOpts))
+					return &ports.Port{ID: portID}, nil
+				})
+			},
+			want: &ports.Port{ID: portID},
+		},
 		{
 			name: "creates minimum port correctly",
 			port: infrav1.ResolvedPortSpec{
