Skip to content

Fix: Support networks not owned by openstack project #598

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Mar 3, 2025
Merged

Fix: Support networks not owned by openstack project #598

merged 3 commits into from
Mar 3, 2025

Conversation

bertiethorpe
Copy link
Member

Follow on for #592.

In projects which don't own their networks, port security cannot be manipulated.

Fix sets port_security_enabled default to null. When null, security groups are applied.

@bertiethorpe bertiethorpe marked this pull request as ready for review March 3, 2025 17:34
@bertiethorpe bertiethorpe requested a review from a team as a code owner March 3, 2025 17:34
JohnGarbutt
JohnGarbutt approved these changes Mar 3, 2025
View reviewed changes
Copy link
Member

@JohnGarbutt JohnGarbutt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, this looks good, in that we ensure, by default, we don't sent any values for port_security, so we don't trigger the policy violation for networks where RBAC allows you to created ports (i.e. its shared) but you are not the owner of that network.

@jovial jovial mentioned this pull request Mar 3, 2025
Closed
@bertiethorpe bertiethorpe merged commit 193a5be into main Mar 3, 2025
2 checks passed
@bertiethorpe bertiethorpe deleted the fix/port-security branch March 3, 2025 19:09
sjpb
sjpb reviewed Mar 4, 2025
View reviewed changes
environments/skeleton/{{cookiecutter.environment}}/tofu/node_group/nodes.tf
port_security_enabled = lookup(each.value, "port_security_enabled", true)
security_group_ids = lookup(each.value, "port_security_enabled", true) ? var.security_group_ids : []
port_security_enabled = lookup(each.value, "port_security_enabled", null)
security_group_ids = lookup(each.value, "port_security_enabled", null) != false ? var.security_group_ids : []
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand why this wasn't just:

security_group_ids = lookup(each.value, "port_security_enabled", true) ? var.security_group_ids : []

what am I missing here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agh you're right I think

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This commit isn't working for me, it still applies the security groups even when port_security_enabled is false. Can you please switch to @sjpb's suggestion?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#601

@bertiethorpe bertiethorpe mentioned this pull request Mar 4, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@priteau priteau priteau left review comments

@sjpb sjpb sjpb left review comments

@JohnGarbutt JohnGarbutt JohnGarbutt approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@bertiethorpe @priteau @JohnGarbutt @sjpb