kubernetes / cloud-provider-openstack

Apache License 2.0

[occm] Octavia loadBalancerSourceRanges does not work #1424

Closed ppeereb1 closed 3 years ago

ppeereb1 commented 3 years ago

/kind bug

What happened: Hi,

I'm trying to create a service type loadbalancer with loadBalancerSourceRanges in order to limit access to the public loadbalancer from ranges we trust.

cloud-provider-config:

    [Global]
    secret-name = openstack-credentials
    secret-namespace = kube-system
    region = RegionOne
    [LoadBalancer]
    subnet-id = e39e7608-4f5b-4250-8f27-9fe51c62f77e
    floating-network-id = 8ef0eb81-cab0-4e8e-b3f9-73763b251081
    use-octavia = true
    create-monitor = true
    monitor-delay = 5s
    monitor-timeout = 3s
    monitor-max-retries = 1

service.yaml:

    kind: Service
    apiVersion: v1
    metadata:
      annotations:
        service.beta.kubernetes.io/openstack-internal-load-balancer: 'false'
      name: hello-octavia
      namespace: default
    spec:
      ports:
        - name: http
          protocol: TCP
          port: 9090
          targetPort: http
          nodePort: 30485
        - name: grpc
          protocol: TCP
          port: 10901
          targetPort: grpc
          nodePort: 30179
      loadBalancerSourceRanges:
        - 99.99.99.99/32
      type: LoadBalancer

When creating the loadbalancer I get the following error in the kube-controller-manager pod:

    I0302 15:30:42.861430 1 event.go:291] "Event occurred" object="quattro-monitoring/hello-octavia" kind="Service" apiVersion="v1" type="Warning" reason="SyncLoadBalancerFailed" message="Error syncing load balancer: failed to ensure load balancer: source range restrictions are not supported for openstack load balancers without managing security groups"

When looking at the code that causes the error at line: https://github.com/kubernetes/cloud-provider-openstack/blob/release-1.20/pkg/cloudprovider/providers/openstack/openstack_loadbalancer.go#L1636

    if lbaas.opts.UseOctavia && openstackutil.IsOctaviaFeatureSupported(lbaas.lb, openstackutil.OctaviaFeatureVIPACL)

It looks like this if statement fails somehow but I can't see why. I specified use-octavia in the cloud-provider-config and the IsOctaviaFeatureSupported should pass (https://github.com/kubernetes/cloud-provider-openstack/blob/18aafcca6075dfb54d620e322b267bc334e33e1b/pkg/util/openstack/loadbalancer.go#L104) since we have octavia api version v2.12+:

    paul@laptop~$ curl  https://<openstack-url>:9876  | python -m json.tool
     <snip>
            {
                "id": "v2.12",
                "links": [
                    {
                        "href": "http://<openstack-url>:9876/v2",
                        "rel": "self"
                    }
                ],
                "status": "SUPPORTED",
                "updated": "2019-09-11T00:00:00Z"
            },
            {
                "id": "v2.13",
                "links": [
                    {
                        "href": "http://<openstack-url>:9876/v2",
                        "rel": "self"
                    }
                ],
                "status": "CURRENT",
                "updated": "2019-09-13T00:00:00Z"
            }
        ]
    }

Not sure what I'm doing wrong exactly.

Regards, Paul

What you expected to happen: Able to create loadbalancer type service with loadBalancerSourceRanges

How to reproduce it:

Anything else we need to know?:

Environment:

lingxiankong commented 3 years ago

Please use --v=4 in the args of openstack-cloud-controller-manager so that you can see more logs for debugging, there will be octavia version in the log: Found Octavia API versions

ppeereb1 commented 3 years ago

So apparently OpenShift 4.7 still uses the legacy-cloud-providers :unamused:
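
The version gate discussed in this issue can be checked offline against a saved copy of the Octavia discovery document. The following is an added example, not code from cloud-provider-openstack or from anyone in this thread; it applies the v2.12 floor the issue cites for loadBalancerSourceRanges and compares versions numerically. The names `highestVersion` and `supportsSourceRanges` are hypothetical, the sample document is constructed, and the top-level `versions` key is an assumption because the quoted output snips it.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample; the top-level "versions" key is assumed (snipped in the issue).
const sampleDiscovery = `{"versions": [{"id": "v2.5"},
  {"id": "v2.12", "status": "SUPPORTED"}, {"id": "v2.13", "status": "CURRENT"}]}`

type discovery struct {
	Versions []struct {
		ID string `json:"id"`
	} `json:"versions"`
}

// highestVersion returns the highest advertised (major, minor) pair.
// Versions are compared numerically: as strings, "v2.5" sorts above "v2.12".
func highestVersion(doc []byte) (major, minor int, err error) {
	var d discovery
	if err = json.Unmarshal(doc, &d); err != nil {
		return 0, 0, err
	}
	if len(d.Versions) == 0 {
		return 0, 0, fmt.Errorf("no versions advertised")
	}
	for _, v := range d.Versions {
		var mj, mn int
		if _, err = fmt.Sscanf(v.ID, "v%d.%d", &mj, &mn); err != nil {
			return 0, 0, fmt.Errorf("malformed version id %q: %w", v.ID, err)
		}
		if mj > major || (mj == major && mn > minor) {
			major, minor = mj, mn
		}
	}
	return major, minor, nil
}

// supportsSourceRanges applies the v2.12 floor the issue cites for the VIP ACL feature.
func supportsSourceRanges(doc []byte) (bool, error) {
	major, minor, err := highestVersion(doc)
	return err == nil && (major > 2 || (major == 2 && minor >= 12)), err
}

func main() {
	fmt.Println(supportsSourceRanges([]byte(sampleDiscovery)))
}
```

A passing result only confirms the API side of the condition; as the thread concludes, the controller that actually reconciles the Service also has to be the one implementing this check.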