From 8d519d98db8a359c1258b0c28ce364648177bdbe Mon Sep 17 00:00:00 2001
From: Pierre Prinetti
Date: Thu, 29 Sep 2022 11:25:25 +0200
Subject: [PATCH] OCPBUGS-1765: Apply noAllowedAddressPairs on intended subnets only

Before this change, setting `noAllowedAddressPairs` on a machine-pool network could have effect on a different network. Given this example configuration:
```yaml
networks: - filter: {} noAllowedAddressPairs: false subnets: - filter: {} uuid: primary-subnet-uuid - filter: {} noAllowedAddressPairs: true subnets: - filter: {} uuid: other-subnet-uuid primarySubnet: primary-subnet-uuid
```
The filter of the second network the array is empty. This means that its `subnet` filter has to be applied without restrictions as to which network it's sitting on. However, the absence of a network filter also meant that the setting `noAllowedAddressPairs` would apply to all networks. With this change, `noAllowedAddressPairs` is applied on a subnet basis, meaning that only ports created in the subnets resulting from the further `subnet` filter actually have their allowed address pairs removed.
---
 pkg/cloud/openstack/clients/machineservice.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/pkg/cloud/openstack/clients/machineservice.go b/pkg/cloud/openstack/clients/machineservice.go
index 9c919ac0ac..4a5b635aba 100644
--- a/pkg/cloud/openstack/clients/machineservice.go
+++ b/pkg/cloud/openstack/clients/machineservice.go
@@ -569,7 +569,7 @@ func (is *InstanceService) InstanceCreate(clusterName string, name string, clust
 }
 // Get all network UUIDs
 var nets []openstackconfigv1.PortOpts
- netsWithoutAllowedAddressPairs := map[string]struct{}{}
+ subnetsWithoutAllowedAddressPairs := map[string]struct{}{}
 for _, net := range config.Networks {
 opts := networks.ListOpts(net.Filter)
 opts.ID = net.UUID
@@ -578,9 +578,6 @@ func (is *InstanceService) InstanceCreate(clusterName string, name string, clust
 return nil, err
 }
 for _, netID := range ids {
- if net.NoAllowedAddressPairs {
- netsWithoutAllowedAddressPairs[netID] = struct{}{}
- }
 if net.Subnets == nil {
 nets = append(nets, openstackconfigv1.PortOpts{
 NetworkID: netID,
@@ -613,6 +610,9 @@ func (is *InstanceService) InstanceCreate(clusterName string, name string, clust
 if snet.NetworkID != netID {
 continue
 }
+ if net.NoAllowedAddressPairs {
+ subnetsWithoutAllowedAddressPairs[snet.ID] = struct{}{}
+ }
 nets = append(nets, openstackconfigv1.PortOpts{
 NetworkID: snet.NetworkID,
 NameSuffix: snet.ID,
@@ -655,7 +655,7 @@ func (is *InstanceService) InstanceCreate(clusterName string, name string, clust
 }
 portOpt.SecurityGroups = &securityGroups
 portOpt.AllowedAddressPairs = allowedAddressPairs
- if _, ok := netsWithoutAllowedAddressPairs[portOpt.NetworkID]; ok {
+ if _, ok := subnetsWithoutAllowedAddressPairs[portOpt.NameSuffix]; ok {
 portOpt.AllowedAddressPairs = []openstackconfigv1.AddressPair{}
 }
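Review bot: With the marking moved into the subnet loop here, a network entry that sets `noAllowedAddressPairs: true` but has no `subnets` is no longer recorded anywhere, so the port appended in the `net.Subnets == nil` branch (second hunk) would presumably keep its allowed address pairs. That is a fail-open change for a setting whose purpose is to withhold the extra addresses from a port, and neither the commit message nor the code mentions it. Either record that port as well under whatever key the final lookup uses, or state the limitation next to the check, e.g. `// Only ports created from net.Subnets are affected; a network without subnets keeps its allowed address pairs.` The rest of the `net.Subnets == nil` branch and the subnet loop header lie outside the visible hunks, so this should be confirmed against the full function.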
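Review bot: The check now keys the decision on `portOpt.NameSuffix`, which matches only because the subnet loop sets `NameSuffix: snet.ID` (third hunk); a naming field is doubling as the subnet identifier. If the suffix is ever built differently, or a port's suffix comes from somewhere other than that loop, the lookup misses and the port silently keeps its allowed address pairs. A comment at the lookup would make the dependency visible, e.g. `// NameSuffix holds the subnet ID for ports built from net.Subnets; keep in sync with subnetsWithoutAllowedAddressPairs.` The enclosing loop and the rest of InstanceCreate are outside the hunk.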