Skip to content

Fix SecurityGroup availability status by counting security group rules #651

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
gndrmnn wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix SecurityGroup availability status by counting security group rules #651

gndrmnn wants to merge 1 commit into from

Conversation

@gndrmnn
Copy link

@gndrmnn gndrmnn commented Jan 21, 2026

Consider this minimal example:

---
apiVersion: openstack.k-orc.cloud/v1alpha1
kind: SecurityGroup
metadata:
  name: security-group
spec:
  cloudCredentialsRef:
    cloudName: openstack
    secretName: cloud-config
  resource:
    name: security-group
    description: k-orc generated
    rules:
      - description: rule k-orc
        direction: ingress
        protocol: icmp
        # ethertype: IPv4
        # ethertype: IPv6
        remoteIPPrefix: "0.0.0.0/0"
        portRange:
          min: 1
          max: 42

If we select ethertype is IPv4, everything is fine and the security group rules as well as the security group is created successfully.

However, if we select ethertype is IPv6 the remoteIPPrefix field is (expectedly) rejected by openstack with a http error. The security group is already created at this point and, despite the rule error, enters a true availability state.

With this commit SecurityGroups now count their specified rules and compare them to the number of rules in their ORC status and the openstack resource. As the security group rules are only ever part of one security group, this should be enough to reliably determine, if all rules have been successfully created.

As the mismatch between remoteIPPrefix and ethertype is apparently to be solved "client-side" by ORC in the future, I am not sure, if and how to add a test for this? I think the ultimate reason why a security group rule is rejected by openstack in the future is not known yet, right?

Fixes #120

@github-actions github-actions bot added the semver:patch No API change label Jan 21, 2026
mandre
mandre reviewed Jan 21, 2026
View reviewed changes
Copy link
Collaborator

@mandre mandre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comparing the length of security group rules between the spec and the status indeed seems like the right approach for deciding whether the security group should be considered as available.

However I wonder if we should not reschedule a reconcile similarly to what we do in server or volume for example. That's very likely the reason why the flamingo job failed.

@gndrmnn
Fix SecurityGroup availability status by counting security group rules
e0b8b29 
SecurityGroups now count their specified rules and compare them
to the number of rules in their ORC status and the openstack resource.
As the security group rules are only ever part of one security group,
this should be enough to reliably determine if all rules have been
successfully created.

On-behalf-of: SAP nils.gondermann@sap.com
@gndrmnn
Copy link
Author

gndrmnn commented Jan 22, 2026

However I wonder if we should not reschedule a reconcile similarly to what we do in server or volume for example. That's very likely the reason why the flamingo job failed.

Got it.

Do you want me to add tests for this change? If so, is it possible to simulate an openstack error using kuttl?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mandre mandre mandre left review comments

Assignees

No one assigned

Labels

semver:patch No API change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SecurityGroup incorrectly marked available if rules fail

2 participants

@gndrmnn @mandre