
CORS-4264: Update the GCP provider to allow users to manage their own firewall rules #94

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:main from barbacbd:CORS-4264-openshift-clone
Nov 18, 2025

barbacbd commented Nov 17, 2025

cluster:
Update the scripts to include the new variables

providers/gce:

Update the config to include the new FirewallRulesManagement string that can be set to Enabled or Disabled. This variable will allow users to skip the creation, deletion, and updates to firewall rules when set to Disabled. Users may not want or have the ability to add the permissions to perform these actions on their service account. When this is the case, the firewall rules should be pre-created and managed by someone with permissions to achieve the same goal.

** This is a cherry-pick from the upstream CCM GCP project (kubernetes#911)

openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) Nov 17, 2025

openshift-ci-robot commented Nov 17, 2025

@barbacbd: This pull request references CORS-4264 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.


barbacbd (Author) commented

/cc @patrickdillon
/cc @theobarberbany
/cc @JoelSpeed
/cc @damdo

damdo (Member) commented Nov 18, 2025

Thanks for opening this @barbacbd

The commit will need to be called in a specific way, after the upstream PR, like so (911 is the PR number upstream, so that if it merges upstream and we resync downstream, this commit will be automatically dropped in favour of the upstream change):

UPSTREAM: 911: Update the GCP provider to allow users to manage their own firewall rules

damdo (Member) left a comment

/approve

openshift-ci bot commented Nov 18, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: damdo


openshift-ci bot added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files.) Nov 18, 2025

openshift-ci-robot commented Nov 18, 2025

@barbacbd: This pull request references CORS-4264 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.


patrickdillon commented

@barbacbd verify-commits checks that the commit structure follows a certain convention, to help with rebases.

Change the first line of your commit to:

UPSTREAM: 911:  allow users to manage their own firewall rules

Then, when someone is doing a rebase, they can drop this commit if the upstream PR has merged.

cluster:
Update the scripts to include the new variables

providers/gce:

Update the config to include the new `FirewallRulesManagement` string that can be set to
Enabled or Disabled. This variable will allow users to skip the creation, deletion, and updates to firewall
rules when set to Disabled. Users may not want or have the ability to add the permissions
to perform these actions on their service account. When this is the case, the firewall rules
should be pre-created and managed by someone with permissions to achieve the same goal.

** This is a cherry-pick from the upstream project

barbacbd force-pushed the CORS-4264-openshift-clone branch from 85a1572 to 7f2fae4 November 18, 2025 11:12

barbacbd (Author) commented

/jira refresh

openshift-ci-robot commented Nov 18, 2025

@barbacbd: This pull request references CORS-4264 which is a valid jira issue.


damdo (Member) commented Nov 18, 2025

/retest

damdo (Member) commented Nov 18, 2025

/test ?

openshift-ci bot commented Nov 18, 2025

@damdo: The following commands are available to trigger required jobs:

/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test fmt
/test images
/test okd-scos-images
/test unit
/test verify-deps
/test verify-vendor-work

The following commands are available to trigger optional jobs:

/test okd-scos-e2e-aws-ovn
/test regression-clusterinfra-gcp-ipi-ccm
/test verify-commits

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-cloud-provider-gcp-main-e2e-gcp-ovn
pull-ci-openshift-cloud-provider-gcp-main-e2e-gcp-ovn-upgrade
pull-ci-openshift-cloud-provider-gcp-main-fmt
pull-ci-openshift-cloud-provider-gcp-main-images
pull-ci-openshift-cloud-provider-gcp-main-okd-scos-images
pull-ci-openshift-cloud-provider-gcp-main-unit
pull-ci-openshift-cloud-provider-gcp-main-verify-commits
pull-ci-openshift-cloud-provider-gcp-main-verify-deps
pull-ci-openshift-cloud-provider-gcp-main-verify-vendor-work

damdo (Member) commented Nov 18, 2025

/test regression-clusterinfra-gcp-ipi-ccm

openshift-ci bot commented Nov 18, 2025

@barbacbd: all tests passed!


damdo (Member) left a comment

/lgtm

damdo (Member) commented Nov 18, 2025

/verified by installer team and regression tests passing

openshift-ci-robot added the verified label (Signifies that the PR passed pre-merge verification criteria) Nov 18, 2025

openshift-ci-robot commented

@damdo: This PR has been marked as verified by installer team and regression tests passing.


damdo (Member) commented Nov 18, 2025

/lgtm

openshift-ci bot added the lgtm label (Indicates that a PR is ready to be merged.) Nov 18, 2025
openshift-merge-bot bot merged commit 8732386 into openshift:main Nov 18, 2025
11 checks passed