🐛 Better checks before creating Floating IPs

[EmilienM]

What this PR does / why we need it:

When a floating is created, we need to make sure that
OpenStackCluster.Spec.DisableExternalNetwork is not set to True.
Otherwise, we'll have a nil pointer error.

• Add a check in reconcileBastion to check that external network is
  not disabled before creating the floating IP for the bastion.
• Add a check in reconcileControlPlaneEndpoint and
  reconcileAPIServerLoadBalancer to check that external
  network is not disabled (alongside the DisableAPIServerFloatingIP
  check) before creating the floating IP for the API server endpoint.
• Add a safeguard in GetOrCreateFloatingIP to return a proper error
  (instead of a nil pointer error) when
  openStackCluster.Status.ExternalNetwork is nil.
• Add API CEL to check that when DisableExternalNetwork is set and true,
  the bastion (if defined) doesn't have a floating IP defined and also
  that disableAPIServerFloatingIP (when set) is not False.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #2260

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from emilienm. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[netlify]

✅ Deploy Preview for kubernetes-sigs-cluster-api-openstack ready!

Name	Link
🔨 Latest commit	5429b4b
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-cluster-api-openstack/deploys/673eabd665c4a50008dc4345
😎 Deploy Preview	https://deploy-preview-2261--kubernetes-sigs-cluster-api-openstack.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[EmilienM]

/cc mdbooth

[EmilienM]

I initially wanted to do some webhook to just disallow DisableExternalNetwork to be True without also setting DisableAPIServerFloatingIP to True but it's not backward compatible and sucks for our users, so I did that.

[EmilienM]

/test pull-cluster-api-provider-openstack-e2e-test
flake

[EmilienM]

/cherry-pick release-0.11

[k8s-infra-cherrypick-robot]

@EmilienM: once the present PR merges, I will cherry-pick it on top of release-0.11 in a new PR and assign it to you.

In response to this:

/cherry-pick release-0.11

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mdbooth]

/lgtm

Any idea how far back we need to backport this? 0.11 at least.

[EmilienM]

/lgtm

Any idea how far back we need to backport this? 0.11 at least.

I'll investigate.
EDIT: backport is clean \o/

[EmilienM]

On this one I want an eye from @lentzi90.

[EmilienM]

/cherry-pick release-0.10

[k8s-infra-cherrypick-robot]

@EmilienM: once the present PR merges, I will cherry-pick it on top of release-0.10 in a new PR and assign it to you.

In response to this:

/cherry-pick release-0.10

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[lentzi90]

I initially wanted to do some webhook to just disallow DisableExternalNetwork to be True without also setting DisableAPIServerFloatingIP to True but it's not backward compatible and sucks for our users

Sure not backwards compatible, but do you mean that it is actually possible to use that configuration? I'm thinking it is ok to break backwards compatibility if all it was doing was cause nil pointer exceptions.

[lentzi90]

/lgtm
Looks good, and no need for extra logging now that the webhook immediately tells the user what is wrong 🙂

[k8s-ci-robot]

New changes are detected. LGTM label has been removed.

[lentzi90]

I'm happy with this, but as mentioned on slack, I have one concern.
Sorry I didn't think of it earlier.

Will the user ever be the one setting the floating IP? Or are we now just going to block the controller trying to add it?

[EmilienM]

I'm happy with this, but as mentioned on slack, I have one concern. Sorry I didn't think of it earlier.

Will the user ever be the one setting the floating IP? Or are we now just going to block the controller trying to add it?

yes, a user can set the FIP:

cluster-api-provider-openstack/controllers/openstackcluster_controller.go

Lines 422 to 424 in 5429b4b

	case openStackCluster.Spec.Bastion.FloatingIP != nil:
	// Use floating IP from the spec
	floatingIP = openStackCluster.Spec.Bastion.FloatingIP