feat: make allowedAddressPairs on OpenStackMachine ports mutable

Neutron ports support updating allowedAddressPairs without recreating
the server. This change allows operators to update allowedAddressPairs
on existing machines by patching the OpenStackMachineTemplate, without
triggering a rolling replacement of the nodes.

Changes:
- OpenStackMachineTemplate webhook: exclude allowedAddressPairs from
  the immutability check so the field can be updated in-place.
- OpenStackMachine webhook: same exclusion to allow the controller to
  annotate OSMs without being rejected.
- OpenStackMachine controller: deep-copy ports before mutation to avoid
  corrupting the original spec through shared slice backing arrays,
  which would trigger the spec-immutability webhook.
- Networking service: add UpdateAllowedAddressPairs() to call
  ports.Update on the Neutron API.
- OpenStackMachineTemplate controller: add reconcileAllowedAddressPairs
  which walks MachineSets → Machines → OpenStackMachines → OpenStackServers
  and calls UpdateAllowedAddressPairs() for each provisioned port.
  Idempotency is tracked via an annotation on each OpenStackMachine so
  only a metadata-only patch is needed, avoiding the spec-immutability
  webhook entirely.
- RBAC: add machinesets/machines/openstackmachines get/list/watch/patch
  permissions to the OSMT controller.
- Unit tests for reconcileAllowedAddressPairs.
- E2E test: creates a cluster with 1 CP and 1 worker (via a dedicated
  MachineDeployment with an explicit port), then patches the OSMT three
  times to accumulate allowedAddressPairs and verifies via the Neutron
  API after each patch that the port is updated without server restart.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: jfpucheu

config/rbac/role.yaml

@@ -556,9 +556,17 @@ func openStackMachineSpecToOpenStackServerSpec(openStackMachineSpec *infrav1.Ope
 
 	// If not ports are provided we create one.
 	// Ports must have a network so if none is provided we use the default network.
-	serverPorts := openStackMachineSpec.Ports
+	// Deep-copy the ports so in-place mutations below (Network injection, SecurityGroups
+	// merge) do not modify the original OpenStackMachineSpec referenced by the patchHelper
+	// baseline, which would cause a spurious spec-immutability webhook rejection.
+	var serverPorts []infrav1.PortOpts
 	if len(openStackMachineSpec.Ports) == 0 {
 		serverPorts = make([]infrav1.PortOpts, 1)
+	} else {
+		serverPorts = make([]infrav1.PortOpts, len(openStackMachineSpec.Ports))
+		for i, p := range openStackMachineSpec.Ports {
+			serverPorts[i] = *p.DeepCopy()
+		}
 	}
 
 	var clusterSubnets []infrav1.FixedIP

controllers/openstackmachine_controller.go

@@ -17,6 +17,7 @@ package controllers
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 
 	corev1 "k8s.io/api/core/v1"
@@ -25,6 +26,7 @@ import (
 	kerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/client-go/tools/record"
 	clusterv1beta1 "sigs.k8s.io/cluster-api/api/core/v1beta1"
+	clusterv1 "sigs.k8s.io/cluster-api/api/core/v1beta2"
 	"sigs.k8s.io/cluster-api/util"
 	"sigs.k8s.io/cluster-api/util/annotations"
 	v1beta1conditions "sigs.k8s.io/cluster-api/util/deprecated/v1beta1/conditions"
@@ -35,15 +37,25 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 
 	infrav1 "sigs.k8s.io/cluster-api-provider-openstack/api/v1beta1"
+	infrav1alpha1 "sigs.k8s.io/cluster-api-provider-openstack/api/v1alpha1"
 	"sigs.k8s.io/cluster-api-provider-openstack/pkg/cloud/services/compute"
+	"sigs.k8s.io/cluster-api-provider-openstack/pkg/cloud/services/networking"
 	"sigs.k8s.io/cluster-api-provider-openstack/pkg/scope"
 	controllers "sigs.k8s.io/cluster-api-provider-openstack/pkg/utils/controllers"
 )
 
-const imagePropertyForOS = "os_type"
+const (
+	imagePropertyForOS = "os_type"
+
+	// annotationAllowedAddressPairs tracks the last-applied allowedAddressPairs per
+	// OpenStackMachine (stored as JSON). Written as a metadata annotation so we never
+	// touch the immutable OSM spec, which would trigger the spec-immutability webhook.
+	annotationAllowedAddressPairs = "infrastructure.cluster.x-k8s.io/osmt-allowed-address-pairs"
+)
 
 // Set here so we can easily mock it in tests.
 var newComputeService = compute.NewService
+var newNetworkingService = networking.NewService
 
 // OpenStackMachineTemplateReconciler reconciles a OpenStackMachineTemplate object.
 // it only updates the .status field to allow auto-scaling.
@@ -57,6 +69,9 @@ type OpenStackMachineTemplateReconciler struct {
 
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=openstackmachinetemplates,verbs=get;list;watch
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=openstackmachinetemplates/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=openstackmachines,verbs=get;list;watch;patch
+// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinesets,verbs=get;list;watch
+// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines,verbs=get;list;watch
 
 func (r *OpenStackMachineTemplateReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, reterr error) {
 	log := ctrl.LoggerFrom(ctx)
@@ -132,14 +147,14 @@ func (r *OpenStackMachineTemplateReconciler) Reconcile(ctx context.Context, req
 	scope := scope.NewWithLogger(clientScope, log)
 
 	// Handle non-deleted OpenStackMachineTemplates
-	if err := r.reconcileNormal(ctx, scope, openStackMachineTemplate); err != nil {
+	if err := r.reconcileNormal(ctx, scope, cluster.Name, openStackMachineTemplate); err != nil {
 		return ctrl.Result{}, err
 	}
 	log.V(4).Info("Successfully reconciled OpenStackMachineTemplate")
 	return ctrl.Result{}, nil
 }
 
-func (r *OpenStackMachineTemplateReconciler) reconcileNormal(ctx context.Context, scope *scope.WithLogger, openStackMachineTemplate *infrav1.OpenStackMachineTemplate) (reterr error) {
+func (r *OpenStackMachineTemplateReconciler) reconcileNormal(ctx context.Context, scope *scope.WithLogger, clusterName string, openStackMachineTemplate *infrav1.OpenStackMachineTemplate) (reterr error) {
 	log := scope.Logger()
 
 	computeService, err := newComputeService(scope)
@@ -195,6 +210,9 @@ func (r *OpenStackMachineTemplateReconciler) reconcileNormal(ctx context.Context
 	if err != nil {
 		return err
 	}
+	if imageID == nil {
+		return nil
+	}
 
 	image, err := computeService.GetImageDetails(*imageID)
 	if err != nil {
@@ -211,9 +229,151 @@ func (r *OpenStackMachineTemplateReconciler) reconcileNormal(ctx context.Context
 		}
 	}
 
+	if err := r.reconcileAllowedAddressPairs(ctx, scope, clusterName, openStackMachineTemplate); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// reconcileAllowedAddressPairs updates the allowedAddressPairs on existing Neutron ports
+// to match what is defined in the OpenStackMachineTemplate.
+// Idempotency is tracked via an annotation on each OpenStackMachine so that only a
+// metadata-only patch is needed — this avoids touching the immutable OSM spec.
+func (r *OpenStackMachineTemplateReconciler) reconcileAllowedAddressPairs(ctx context.Context, scope *scope.WithLogger, clusterName string, openStackMachineTemplate *infrav1.OpenStackMachineTemplate) error {
+	log := scope.Logger()
+
+	if len(openStackMachineTemplate.Spec.Template.Spec.Ports) == 0 || clusterName == "" {
+		return nil
+	}
+
+	// Build the desired state as JSON for idempotency comparison.
+	type portPairs = []infrav1.AddressPair
+	templatePorts := openStackMachineTemplate.Spec.Template.Spec.Ports
+	desired := make([]portPairs, len(templatePorts))
+	for i, p := range templatePorts {
+		desired[i] = p.AllowedAddressPairs
+	}
+	desiredJSON, err := json.Marshal(desired)
+	if err != nil {
+		return err
+	}
+	desiredStr := string(desiredJSON)
+
+	// List MachineSets in the namespace for this cluster.
+	machineSetList := &clusterv1.MachineSetList{}
+	if err := r.Client.List(ctx, machineSetList,
+		client.InNamespace(openStackMachineTemplate.Namespace),
+		client.MatchingLabels{clusterv1.ClusterNameLabel: clusterName},
+	); err != nil {
+		return err
+	}
+
+	// List Machines in the namespace for this cluster.
+	machineList := &clusterv1.MachineList{}
+	if err := r.Client.List(ctx, machineList,
+		client.InNamespace(openStackMachineTemplate.Namespace),
+		client.MatchingLabels{clusterv1.ClusterNameLabel: clusterName},
+	); err != nil {
+		return err
+	}
+
+	// Networking service is initialised lazily on first actual port update.
+	var networkingService *networking.Service
+
+	for i := range machineSetList.Items {
+		ms := &machineSetList.Items[i]
+		if ms.Spec.Template.Spec.InfrastructureRef.Name != openStackMachineTemplate.Name {
+			continue
+		}
+
+		for j := range machineList.Items {
+			machine := &machineList.Items[j]
+			if !isOwnedByMachineSet(machine, ms) {
+				continue
+			}
+			infraName := machine.Spec.InfrastructureRef.Name
+			if infraName == "" {
+				continue
+			}
+
+			osm := &infrav1.OpenStackMachine{}
+			if err := r.Client.Get(ctx, client.ObjectKey{
+				Namespace: openStackMachineTemplate.Namespace,
+				Name:      infraName,
+			}, osm); err != nil {
+				if apierrors.IsNotFound(err) {
+					continue
+				}
+				return err
+			}
+
+			// Skip if annotation already reflects the desired state.
+			if osm.Annotations[annotationAllowedAddressPairs] == desiredStr {
+				continue
+			}
+
+			// Port IDs are stored in the OpenStackServer status (same name as the OSM).
+			openStackServer := &infrav1alpha1.OpenStackServer{}
+			if err := r.Client.Get(ctx, client.ObjectKey{
+				Namespace: openStackMachineTemplate.Namespace,
+				Name:      infraName,
+			}, openStackServer); err != nil {
+				if apierrors.IsNotFound(err) {
+					continue
+				}
+				return err
+			}
+
+			if openStackServer.Status.Resources == nil || len(openStackServer.Status.Resources.Ports) == 0 {
+				continue
+			}
+
+			if networkingService == nil {
+				networkingService, err = newNetworkingService(scope)
+				if err != nil {
+					return err
+				}
+			}
+
+			for portIdx, portStatus := range openStackServer.Status.Resources.Ports {
+				if portIdx >= len(templatePorts) {
+					break
+				}
+				pairs := templatePorts[portIdx].AllowedAddressPairs
+				log.Info("Updating allowedAddressPairs on port", "portID", portStatus.ID,
+					"machine", osm.Name, "portIndex", portIdx)
+				if err := networkingService.UpdateAllowedAddressPairs(portStatus.ID, pairs); err != nil {
+					log.Error(err, "Failed to update allowedAddressPairs", "portID", portStatus.ID)
+					return err
+				}
+			}
+
+			// Record the applied state in an annotation (metadata-only patch).
+			osmCopy := osm.DeepCopy()
+			if osm.Annotations == nil {
+				osm.Annotations = map[string]string{}
+			}
+			osm.Annotations[annotationAllowedAddressPairs] = desiredStr
+			if err := r.Client.Patch(ctx, osm, client.MergeFrom(osmCopy)); err != nil {
+				return err
+			}
+		}
+	}
+
 	return nil
 }
 
+// isOwnedByMachineSet returns true if the Machine has an owner reference pointing to ms.
+func isOwnedByMachineSet(machine *clusterv1.Machine, ms *clusterv1.MachineSet) bool {
+	for _, ref := range machine.OwnerReferences {
+		if ref.Kind == "MachineSet" && ref.Name == ms.Name {
+			return true
+		}
+	}
+	return false
+}
+
 func (r *OpenStackMachineTemplateReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager, options controller.Options) error {
 	log := ctrl.LoggerFrom(ctx)