Fix Port Security feature

Allowed address pairs and security groups are now removed from the port when the port security is disabled. This ensures that no nova errors occur since this is a hard requirement of diabling port security.
openshift · Apr 13, 2021 · 223c5de · 223c5de
1 parent a277eac
commit 223c5de
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/pkg/cloud/openstack/clients/machineservice.go b/pkg/cloud/openstack/clients/machineservice.go
@@ -357,9 +357,14 @@ func getOrCreatePort(is *InstanceService, name string, portOpts openstackconfigv
 			return nil, err
 		}
 
-		if portOpts.PortSecurity != nil && *portOpts.PortSecurity == false {
+		if portOpts.PortSecurity != nil {
+			portUpdateOpts := ports.UpdateOpts{}
+			if *portOpts.PortSecurity == false {
+				portUpdateOpts.SecurityGroups = &[]string{}
+				portUpdateOpts.AllowedAddressPairs = &[]ports.AddressPair{}
+			}
 			updateOpts := portsecurity.PortUpdateOptsExt{
-				UpdateOptsBuilder:   ports.UpdateOpts{},
+				UpdateOptsBuilder:   portUpdateOpts,
 				PortSecurityEnabled: portOpts.PortSecurity,
 			}
 			err = ports.Update(is.networkClient, newPort.ID, updateOpts).ExtractInto(&portWithPortSecurityExtensions)
@@ -546,10 +551,6 @@ func (is *InstanceService) InstanceCreate(clusterName string, name string, clust
 		}
 		portOpt.SecurityGroups = &securityGroups
 		portOpt.AllowedAddressPairs = allowedAddressPairs
-		if portOpt.PortSecurity != nil && *portOpt.PortSecurity == false {
-			portOpt.SecurityGroups = &[]string{}
-			portOpt.AllowedAddressPairs = []ports.AddressPair{}
-		}
 		if _, ok := netsWithoutAllowedAddressPairs[portOpt.NetworkID]; ok {
 			portOpt.AllowedAddressPairs = []ports.AddressPair{}
 		}