🐛 port: don't add any SGs when port security is disabled #2159
Change looks sound. If my assumption about the error is correct, we should add API validation instead of runtime validation, though.
if ptr.Deref(portSpec.DisablePortSecurity, false) { | ||
return nil, errors.New("security groups cannot be set when port security is disabled") | ||
} |
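Review bot: the condition only tests DisablePortSecurity, yet the error message talks about security groups; please confirm the enclosing branch runs only when the port spec actually lists security groups, otherwise a port with port security disabled and no groups (the configuration this PR sets out to support) would be rejected here. The plain errors.New also gives the user no way to tell which port is at fault when a machine has several; wrapping the error with the port's name or index, e.g. `fmt.Errorf("port %q: security groups cannot be set when port security is disabled", portSpec.Name)`, would make the failure actionable.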
IIRC if you try to add a security group to a port with port security disabled you get an error, right? i.e. It's not just that it ignores the option, but it actually won't add the security groups?
If so, we should be able to safely add API validation for this instead, because we know there is no working configuration with it set.
i.e. We should write this as CEL instead. The tests would be in apivalidations.
IIRC if you try to add a security group to a port with port security disabled you get an error, right? i.e. It's not just that it ignores the option, but it actually won't add the security groups?
Yeah, right. And good points on API validations. I'll check that.
I've added tests in the webhook like other fields and tests in API validations. I've left this check in on purpose because:
- it doesn't hurt, I think
- it's safe and it makes sense to report an error and not let it through anyway.
Ack to leaving the check in.
I'd prefer we didn't add anything new to the webhooks, though, unless we absolutely have to. I'll take a look to see how easy the CEL is to write.
I'm going to withdraw this objection. While the CEL is simple enough to write, unfortunately because it affects both the SecurityGroups and DisablePortSecurity fields it needs to be implemented on the PortOpts struct rather than just one field. Unfortunately this struct is a monster, so I wasn't able to write a rule that doesn't exceed the complexity budget.
That was my thought when I looked at CEL, and why I took the webhook route instead 😕
When port security is disabled on a port, don't add any security group to the port options. Skip the security groups when resolving the ports spec. Report an error when someone tries to create a port with both security groups set and port security disabled. Adds unit test coverage for these scenarios.
for _, port := range newObj.Spec.Ports { | ||
if ptr.Deref(port.DisablePortSecurity, false) && len(port.SecurityGroups) > 0 { | ||
allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "ports"), "cannot have security groups when DisablePortSecurity is set to true")) | ||
} | ||
} |
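Review bot: the field path in `field.Forbidden(field.NewPath("spec", "ports"), ...)` drops the index, so with several ports the user is told that spec.ports is wrong but not which entry. Iterating with `for i, port := range newObj.Spec.Ports` and reporting `field.NewPath("spec", "ports").Index(i)` costs nothing and matches how the other per-item webhook errors are reported. It is also worth a comment above the loop saying this duplicates the runtime check in the port resolver on purpose, so the next reader does not remove one of the two as redundant.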
Is there any reason we can't do this in CEL? We haven't added any new logic to the webhooks in a while and I'd like to phase them out.
/lgtm
If you can, /approve instead so I can ask @MaysaMacedo to take a look as well. Thanks
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: mdbooth
@MaysaMacedo it got merged by accident, but when time permits please have a look and let me know if anything is wrong; we'll fix it afterwards. Thanks
What this PR does / why we need it:
When port security is disabled on a port, don't add any security group
to the port options.
Skip the security groups when resolving the ports spec.
Report an error when someone tries to create a port with both security
groups set and port security disabled.
Adds unit test coverage for these scenarios.
Which issue(s) this PR fixes: Fixes #2158
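The two behaviours the PR description lays out (skip security groups for a port whose port security is disabled, and refuse a spec that sets both) as a small stand-alone Go example. This is added illustration, not code from cluster-api-openstack: the PortOpts type is a trimmed stand-in for the project's struct with only the two fields the check reads, derefBool stands in for ptr.Deref, the "default security groups" passed to ResolvePort are an assumption about how the caller would supply machine-level groups, and the sample ports are constructed input.

```go
package main

import "fmt"

// PortOpts is a trimmed stand-in for CAPO's PortOpts; only the fields this
// check looks at are modelled (assumption: the real struct has many more).
type PortOpts struct {
	Name                string
	DisablePortSecurity *bool
	SecurityGroups      []string // assumption: already-resolved security group IDs
}

// ResolvedPort is what would be handed to Neutron for creation.
type ResolvedPort struct {
	Name                string
	PortSecurityEnabled bool
	SecurityGroupIDs    []string
}

// derefBool stands in for ptr.Deref from k8s.io/utils (not imported here).
func derefBool(p *bool, def bool) bool {
	if p == nil {
		return def
	}
	return *p
}

// ValidatePorts is the admission-time check. It names the offending index
// (spec.ports[i]) so the user can locate the port in a long list.
func ValidatePorts(ports []PortOpts) []error {
	var errs []error
	for i, p := range ports {
		if derefBool(p.DisablePortSecurity, false) && len(p.SecurityGroups) > 0 {
			errs = append(errs, fmt.Errorf(
				"spec.ports[%d]: Forbidden: cannot have security groups when DisablePortSecurity is set to true", i))
		}
	}
	return errs
}

// ResolvePort is the runtime half. defaultSGs are the machine-level security
// groups a port with no explicit groups would normally inherit (assumption
// about the caller; passed in explicitly here).
//
//   - port security disabled + explicit groups -> error, never silently dropped
//   - port security disabled + no groups       -> defaults skipped, zero groups attached
//   - port security enabled                    -> explicit groups, else the defaults
func ResolvePort(p PortOpts, defaultSGs []string) (*ResolvedPort, error) {
	if derefBool(p.DisablePortSecurity, false) {
		if len(p.SecurityGroups) > 0 {
			return nil, fmt.Errorf("port %q: security groups cannot be set when port security is disabled", p.Name)
		}
		return &ResolvedPort{Name: p.Name, PortSecurityEnabled: false}, nil
	}
	sgs := p.SecurityGroups
	if len(sgs) == 0 {
		sgs = defaultSGs
	}
	return &ResolvedPort{
		Name:                p.Name,
		PortSecurityEnabled: true,
		SecurityGroupIDs:    append([]string(nil), sgs...),
	}, nil
}

func main() {
	t, f := true, false
	defaults := []string{"sg-machine-default"} // constructed sample input
	ports := []PortOpts{
		{Name: "secured", DisablePortSecurity: &f},
		{Name: "unsecured", DisablePortSecurity: &t},
		{Name: "bad", DisablePortSecurity: &t, SecurityGroups: []string{"sg-extra"}},
	}
	for _, e := range ValidatePorts(ports) {
		fmt.Println("admission:", e)
	}
	for _, p := range ports {
		r, err := ResolvePort(p, defaults)
		if err != nil {
			fmt.Println("resolve:", err)
			continue
		}
		fmt.Printf("resolve: %s portSecurity=%v sgs=%v\n", r.Name, r.PortSecurityEnabled, r.SecurityGroupIDs)
	}
}
```

Keeping both checks, as the thread settles on, means the webhook gives the user an indexed field error at admission time while the resolver still refuses to hand Neutron a port it would reject anyway, for example for objects that predate the webhook rule.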