From a516c905507a2e68a271560f8c5e1d0787b249c3 Mon Sep 17 00:00:00 2001
From: Michal Gubricky
Date: Fri, 19 Jul 2024 14:47:05 +0200
Subject: [PATCH] :sparkles: Manage Security Groups using OpenStackClusterTemplate (#138)

* Add security rules for Cilium

Signed-off-by: michal.gubricky

* Remove the patch for allowAllInClusterTraffic when security groups are used

Signed-off-by: michal.gubricky

---------

Signed-off-by: michal.gubricky
---
 .../templates/cluster-class.yaml | 9 ------
 .../templates/openstack-cluster-template.yaml | 32 ++++++++++++++++++-
 2 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/providers/openstack/scs/cluster-class/templates/cluster-class.yaml b/providers/openstack/scs/cluster-class/templates/cluster-class.yaml
index 864af392..2f0a5777 100644
--- a/providers/openstack/scs/cluster-class/templates/cluster-class.yaml
+++ b/providers/openstack/scs/cluster-class/templates/cluster-class.yaml
@@ -582,15 +582,6 @@ cre ate group names like oidc:engineering and oidc:infra."
 path: "/spec/template/spec/securityGroups"
 valueFrom:
 template: {{ `"[ {{ range .openstack_security_groups }} { filter: { name: {{ . }}}}, {{ end }} ]"` }}
- - selector:
- apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
- kind: OpenStackClusterTemplate
- matchResources:
- infrastructureCluster: true
- jsonPatches:
- - op: replace
- path: "/spec/template/spec/managedSecurityGroups/allowAllInClusterTraffic"
- value: false
 - name: cloud_name
 description: "Sets the name of the cloud to use from the clouds secret."
 enabledIf: {{ `'{{ ne .cloud_name "" }}'` }}
diff --git a/providers/openstack/scs/cluster-class/templates/openstack-cluster-template.yaml b/providers/openstack/scs/cluster-class/templates/openstack-cluster-template.yaml
index 58977526..90128212 100644
--- a/providers/openstack/scs/cluster-class/templates/openstack-cluster-template.yaml
+++ b/providers/openstack/scs/cluster-class/templates/openstack-cluster-template.yaml
@@ -14,7 +14,37 @@ spec:
 allowedCIDRs: {{ .Values.restrict_kubeapi }}
 {{- end }}
 managedSecurityGroups:
- allowAllInClusterTraffic: true
+ allNodesSecurityGroupRules:
+ - remoteManagedGroups:
+ - controlplane
+ - worker
+ direction: ingress
+ etherType: IPv4
+ name: VXLAN (Cilium)
+ portRangeMin: 8472
+ portRangeMax: 8472
+ protocol: udp
+ description: "Allow VXLAN traffic for Cilium"
+ - remoteManagedGroups:
+ - controlplane
+ - worker
+ direction: ingress
+ etherType: IPv4
+ name: HealthCheck (Cilium)
+ portRangeMin: 4240
+ portRangeMax: 4240
+ protocol: tcp
+ description: "Allow HealthCheck traffic for Cilium"
+ - remoteManagedGroups:
+ - controlplane
+ - worker
+ direction: ingress
+ etherType: IPv4
+ name: Hubble (Cilium)
+ portRangeMin: 4244
+ portRangeMax: 4244
+ protocol: tcp
+ description: "Allow Hubble traffic for Cilium"
 managedSubnets:
 - cidr: {{ .Values.node_cidr }}
 dnsNameservers:
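Review bot: The three `allNodesSecurityGroupRules` entries that replace `allowAllInClusterTraffic: true` cover Cilium's VXLAN overlay (8472/udp), the cilium-health TCP probe (4240/tcp) and the Hubble server (4244/tcp), but not the ICMP echo requests that cilium-health also sends between nodes, so once the permissive rule is gone the node-to-node health checks will presumably report peers unreachable even though pod traffic still flows. Cilium's documented firewall requirements additionally list 4245/tcp (Hubble Relay), 6081/udp (Geneve) and 51871/udp (WireGuard) for the respective modes, so a comment above the list such as `# Assumes Cilium in VXLAN tunnel mode without WireGuard/Geneve/Hubble Relay; extend these rules if the CNI configuration changes` would record the assumption this rule set encodes. Every rule is `etherType: IPv4`, so an IPv6 `node_cidr` would leave all Cilium traffic blocked; worth a TODO if dual-stack is in scope. Any other node-to-node traffic the cluster relied on under the old setting now depends on CAPO's default managed rules, which are not visible in this hunk. The fence adds the missing ICMP rule; in Neutron semantics `portRangeMin`/`portRangeMax` carry the ICMP type and code when `protocol: icmp`, so confirm CAPO passes them through unchanged before merging.
```yaml
      allNodesSecurityGroupRules:
        # … unchanged: VXLAN (8472/udp), HealthCheck (4240/tcp) and Hubble (4244/tcp) rules …
        - remoteManagedGroups:
            - controlplane
            - worker
          direction: ingress
          etherType: IPv4
          name: ICMP echo (Cilium)
          portRangeMin: 8
          portRangeMax: 0
          protocol: icmp
          description: "Allow ICMP echo requests for cilium-health reachability checks"
```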