ibmcloud: add support for multiple security groups

Instead of attaching a single security group to VSIs, allow specifying
multiple security groups.

Signed-off-by: Patrik Fodor <[email protected]>

Author: Pacho20

src/cloud-api-adaptor/install/overlays/ibmcloud/kustomization.yaml

@@ -27,7 +27,7 @@ configMapGenerator:
   - IBMCLOUD_PODVM_INSTANCE_PROFILE_LIST="" #optional, comma separated list
   - IBMCLOUD_ZONE="" #set
   - IBMCLOUD_VPC_SUBNET_ID="" #set
-  - IBMCLOUD_VPC_SG_ID="" #set
+  - IBMCLOUD_SECURITY_GROUP_IDS="" #optional, comma separated list
   - IBMCLOUD_VPC_ID="" #set
   - CRI_RUNTIME_ENDPOINT="/run/cri-runtime/containerd.sock"
   - DISABLECVM="true" # Set to false to enable confidential VM

src/cloud-api-adaptor/test/provisioner/ibmcloud/provision_common.go

@@ -154,16 +154,6 @@ func createVPC() error {
 		}
 	}
 
-	sgoptions := &vpcv1.GetVPCDefaultSecurityGroupOptions{}
-	sgoptions.SetID(IBMCloudProps.VpcID)
-	defaultSG, _, err := IBMCloudProps.VPC.GetVPCDefaultSecurityGroup(sgoptions)
-	if err != nil {
-		return err
-	}
-
-	IBMCloudProps.SecurityGroupID = *defaultSG.ID
-	log.Infof("Got VPC default SecurityGroupID %s.", IBMCloudProps.SecurityGroupID)
-
 	return nil
 }
 
@@ -967,7 +957,7 @@ func (p *IBMCloudProvisioner) GetProperties(ctx context.Context, cfg *envconf.Co
 		"IBMCLOUD_PODVM_INSTANCE_PROFILE_NAME": IBMCloudProps.InstanceProfile,
 		"IBMCLOUD_ZONE":                        IBMCloudProps.Zone,
 		"IBMCLOUD_VPC_SUBNET_ID":               IBMCloudProps.SubnetID,
-		"IBMCLOUD_VPC_SG_ID":                   IBMCloudProps.SecurityGroupID,
+		"IBMCLOUD_SECURITY_GROUP_IDS":          IBMCloudProps.SecurityGroupIDs,
 		"IBMCLOUD_VPC_ID":                      IBMCloudProps.VpcID,
 		"CRI_RUNTIME_ENDPOINT":                 "/run/cri-runtime/containerd.sock",
 		"IBMCLOUD_API_KEY":                     IBMCloudProps.ApiKey,
@@ -982,18 +972,3 @@ func (p *IBMCloudProvisioner) GetProperties(ctx context.Context, cfg *envconf.Co
 		"TAGS":                                 IBMCloudProps.Tags,
 	}
 }
-
-func (p *IBMCloudProvisioner) GetVPCDefaultSecurityGroupID(vpcID string) (string, error) {
-	if len(IBMCloudProps.SecurityGroupID) > 0 {
-		return IBMCloudProps.SecurityGroupID, nil
-	}
-
-	options := &vpcv1.GetVPCDefaultSecurityGroupOptions{}
-	options.SetID(vpcID)
-	defaultSG, _, err := IBMCloudProps.VPC.GetVPCDefaultSecurityGroup(options)
-	if err != nil {
-		return "", err
-	}
-
-	return *defaultSG.ID, nil
-}

src/cloud-api-adaptor/test/provisioner/ibmcloud/provision_ibmcloud.properties

@@ -42,8 +42,8 @@ PUBLIC_GATEWAY_NAME=""
 VPC_SUBNET_NAME=""
 # optional, existing subnet id if using existing VPC and cluster for testing
 VPC_SUBNET_ID=""
-# optional, existing security group id if using existing VPC and cluster for testing
-VPC_SECURITY_GROUP_ID=""
+# optional, a list of security group IDs if you need additional ones besides the default
+IBMCLOUD_SECURITY_GROUP_IDS=""
 # optional, it'll be set as ${CLUSTER_NAME}-vpc if not provided
 VPC_NAME=""
 # optional, existing VPC id if using existing VPC and cluster for testing

src/cloud-api-adaptor/test/provisioner/ibmcloud/provision_initializer.go

@@ -28,7 +28,7 @@ type IBMCloudProperties struct {
 	CosApiKey         string
 	CosInstanceID     string
 	CosServiceURL     string
-	SecurityGroupID   string
+	SecurityGroupIDs  string
 	IamServiceURL     string
 	IksServiceURL     string
 	InitData          string
@@ -97,7 +97,7 @@ func InitIBMCloudProperties(properties map[string]string) error {
 		Zone:              properties["ZONE"],
 		SshKeyID:          properties["SSH_KEY_ID"],
 		SubnetID:          properties["VPC_SUBNET_ID"],
-		SecurityGroupID:   properties["VPC_SECURITY_GROUP_ID"],
+		SecurityGroupIDs:  properties["IBMCLOUD_SECURITY_GROUP_IDS"],
 		VpcID:             properties["VPC_ID"],
 		TunnelType:        properties["TUNNEL_TYPE"],
 		VxlanPort:         properties["VXLAN_PORT"],
@@ -200,8 +200,8 @@ func InitIBMCloudProperties(properties map[string]string) error {
 		if len(IBMCloudProps.SubnetID) <= 0 {
 			log.Info("[warning] VPC_SUBNET_ID was not set.")
 		}
-		if len(IBMCloudProps.SecurityGroupID) <= 0 {
-			log.Info("[warning] VPC_SECURITY_GROUP_ID was not set.")
+		if len(IBMCloudProps.SecurityGroupIDs) <= 0 {
+			log.Info("IBMCLOUD_SECURITY_GROUP_IDS was not set.")
 		}
 		if len(IBMCloudProps.VpcID) <= 0 {
 			log.Info("[warning] VPC_ID was not set.")

src/cloud-api-adaptor/test/provisioner/ibmcloud/provision_kustomize.go

@@ -49,7 +49,7 @@ func isKustomizeConfigMapKey(key string) bool {
 		return true
 	case "IBMCLOUD_VPC_SUBNET_ID":
 		return true
-	case "IBMCLOUD_VPC_SG_ID":
+	case "IBMCLOUD_SECURITY_GROUP_IDS":
 		return true
 	case "IBMCLOUD_VPC_ID":
 		return true

src/cloud-providers/ibmcloud/manager.go

@@ -29,7 +29,6 @@ func (_ *Manager) ParseCmd(flags *flag.FlagSet) {
 	reg.StringWithEnv(&ibmcloudVPCConfig.ProfileName, "profile-name", "", "IBMCLOUD_PODVM_INSTANCE_PROFILE_NAME", "Default instance profile name to be used for the Pod VMs")
 	reg.StringWithEnv(&ibmcloudVPCConfig.ZoneName, "zone-name", "", "IBMCLOUD_ZONE", "Zone name")
 	reg.StringWithEnv(&ibmcloudVPCConfig.PrimarySubnetID, "primary-subnet-id", "", "IBMCLOUD_VPC_SUBNET_ID", "Primary subnet ID")
-	reg.StringWithEnv(&ibmcloudVPCConfig.PrimarySecurityGroupID, "primary-security-group-id", "", "IBMCLOUD_VPC_SG_ID", "Primary security group ID")
 	reg.StringWithEnv(&ibmcloudVPCConfig.KeyID, "key-id", "", "IBMCLOUD_SSH_KEY_ID", "SSH Key ID")
 	reg.StringWithEnv(&ibmcloudVPCConfig.VpcID, "vpc-id", "", "IBMCLOUD_VPC_ID", "VPC ID")
 	reg.StringWithEnv(&ibmcloudVPCConfig.ClusterID, "cluster-id", "", "IBMCLOUD_CLUSTER_ID", "Cluster ID")
@@ -45,6 +44,7 @@ func (_ *Manager) ParseCmd(flags *flag.FlagSet) {
 	reg.CustomTypeWithEnv(&ibmcloudVPCConfig.InstanceProfiles, "profile-list", "", "IBMCLOUD_PODVM_INSTANCE_PROFILE_LIST", "List of instance profile names to be used for the Pod VMs, comma separated")
 	reg.CustomTypeWithEnv(&ibmcloudVPCConfig.Images, "image-id", "", "IBMCLOUD_PODVM_IMAGE_ID", "List of Image IDs, comma separated")
 	reg.CustomTypeWithEnv(&ibmcloudVPCConfig.Tags, "tags", "", "IBMCLOUD_TAGS", "List of tags to attach to the Pod VMs, comma separated")
+	reg.CustomTypeWithEnv(&ibmcloudVPCConfig.SecurityGroupIds, "security-group-ids", "", "IBMCLOUD_SECURITY_GROUP_IDS", "List of Security Group IDs to be used for the Pod VM, comma separated")
 }
 
 func (_ *Manager) LoadEnv() {

src/cloud-providers/ibmcloud/provider.go

@@ -151,13 +151,11 @@ func NewProvider(config *Config) (provider.Provider, error) {
 		return nil, err
 	}
 
-	if config.PrimarySecurityGroupID == "" {
-		sgID, err := fetchClusterSG(clusterV2, config.ClusterID)
-		if err != nil {
-			return nil, err
-		}
-		config.PrimarySecurityGroupID = sgID
+	sgID, err := fetchClusterSG(clusterV2, config.ClusterID)
+	if err != nil {
+		return nil, err
 	}
+	config.SecurityGroupIds = append(config.SecurityGroupIds, sgID)
 
 	provider := &ibmcloudVPCProvider{
 		vpc:           vpcV1,
@@ -253,6 +251,13 @@ func (p *ibmcloudVPCProvider) getAttachTagOptions(vpcInstanceCRN *string) (*glob
 
 func (p *ibmcloudVPCProvider) getInstancePrototype(instanceName, userData, instanceProfile, imageId string) *vpcv1.InstancePrototype {
 
+	securityGroups := make([]vpcv1.SecurityGroupIdentityIntf, 0, len(p.serviceConfig.SecurityGroupIds))
+	for i := range p.serviceConfig.SecurityGroupIds {
+		securityGroups = append(securityGroups, &vpcv1.SecurityGroupIdentityByID{
+			ID: &p.serviceConfig.SecurityGroupIds[i],
+		})
+	}
+
 	prototype := &vpcv1.InstancePrototype{
 		Name:     &instanceName,
 		Image:    &vpcv1.ImageIdentity{ID: &imageId},
@@ -262,10 +267,8 @@ func (p *ibmcloudVPCProvider) getInstancePrototype(instanceName, userData, insta
 		Keys:     []vpcv1.KeyIdentityIntf{},
 		VPC:      &vpcv1.VPCIdentity{ID: &p.serviceConfig.VpcID},
 		PrimaryNetworkInterface: &vpcv1.NetworkInterfacePrototype{
-			Subnet: &vpcv1.SubnetIdentity{ID: &p.serviceConfig.PrimarySubnetID},
-			SecurityGroups: []vpcv1.SecurityGroupIdentityIntf{
-				&vpcv1.SecurityGroupIdentityByID{ID: &p.serviceConfig.PrimarySecurityGroupID},
-			},
+			Subnet:         &vpcv1.SubnetIdentity{ID: &p.serviceConfig.PrimarySubnetID},
+			SecurityGroups: securityGroups,
 		},
 		MetadataService: &vpcv1.InstanceMetadataServicePrototype{
 			Enabled:  core.BoolPtr(true),

src/cloud-providers/ibmcloud/types.go

@@ -70,6 +70,17 @@ func (i *tags) Set(value string) error {
 	return nil
 }
 
+type securityGroupIds []string
+
+func (i *securityGroupIds) String() string {
+	return strings.Join(*i, ", ")
+}
+
+func (i *securityGroupIds) Set(value string) error {
+	*i = append(*i, toList(value, ",")...)
+	return nil
+}
+
 type Config struct {
 	ApiKey                   string
 	IAMProfileID             string
@@ -81,7 +92,7 @@ type Config struct {
 	ZoneName                 string
 	Images                   Images
 	PrimarySubnetID          string
-	PrimarySecurityGroupID   string
+	SecurityGroupIds         securityGroupIds
 	SecondarySubnetID        string
 	SecondarySecurityGroupID string
 	KeyID                    string