networking/v2/ports: allow list filter by security group

[EmilienM]

neutron v2 ports APIs allow to list ports by security group already:
https://docs.openstack.org/api-ref/network/v2/#show-port-details

This patch adds the SecurityGroups field to ListOpts.

One way to filter the ports by security group can be done with the
following code:

listOpts := ports.ListOpts{
	SecurityGroups: []string{"2183457b-70cc-4fd0-a2dc-95323fa19e45"}
}

allPages, err := ports.List(networkClient, listOpts).AllPages()
if err != nil {
	panic(err)
}

allPorts, err := ports.ExtractPorts(allPages)
if err != nil {
	panic(err)
}

for _, port := range allPorts {
	fmt.Printf("%+v\n", port)
}

[EmilienM]

go-apidiff 443858d530ae769aaff36f3372ebee2bf90f7c21 4bc458de28d19bc22462040ef153218a394ae7ad --print-compatible

github.com/gophercloud/gophercloud/openstack/networking/v2/ports
  Compatible changes:
  - ListOpts.SecurityGroups: added

[coveralls]

coverage: 79.123%. remained the same when pulling e767be1 on shiftstack:port-list-sg into 443858d on gophercloud:master.

[dulek]

This doesn't seem to be correct to me, listing ports doesn't list security_groups as part of the request. Moreover it doesn't seem to work on openstackclient for me:

mdulko:openshift-clusters/ $ openstack port list --security-group 53743268-7c0e-4daf-9d57-30dbd969c994        
Invalid query params: security_groups

[dulek]

Uhm, so docs seems to be missing this, but it does work after I updated my openstackclient:

Starting new HTTPS connection (1): 10.1.8.104:13696
https://10.1.8.104:13696 "GET /v2.0/ports?fields=id&fields=name&fields=mac_address&fields=fixed_ips&fields=status&security_groups=53743268-7c0e-4daf-9d57-30dbd969c994 HTTP/1.1" 200 260
RESP: [200] Content-Length: 260 Content-Type: application/json Date: Tue, 22 Aug 2023 08:19:03 GMT X-Openstack-Request-Id: req-28dc8442-9d99-406c-8322-ffbdee6c7e12
RESP BODY: {"ports":[{"id":"d5e522b9-4935-40c1-ba71-7ebc6a682ccc","name":"ovn-lb-vip-5ca0c9f0-29d7-423c-8614-df8f93e6b477","mac_address":"fa:16:3e:78:8f:c3","status":"DOWN","fixed_ips":[{"subnet_id":"4e8a10b8-366b-488b-bf31-ed8e6dc5c231","ip_address":"192.168.25.12"}]}]}
GET call to network for https://10.1.8.104:13696/v2.0/ports?fields=id&fields=name&fields=mac_address&fields=fixed_ips&fields=status&security_groups=53743268-7c0e-4daf-9d57-30dbd969c994 used request id req-28dc8442-9d99-406c-8322-ffbdee6c7e12

[EmilienM]

I've tested the code and it worked fine:

package main

import (
	"fmt"

	"github.com/gophercloud/gophercloud/openstack/networking/v2/ports"
	"github.com/gophercloud/utils/openstack/clientconfig"
)

func main() {
	client, err := clientconfig.NewServiceClient("network", nil)
	if err != nil {
		panic(err)
	}

	listOpts := ports.ListOpts{
		SecurityGroups: []string{"21381a6a-6a66-438d-bea3-5cab44441ba8"},
	}

	allPages, err := ports.List(client, listOpts).AllPages()
	if err != nil {
		panic(err)
	}

	allPorts, err := ports.ExtractPorts(allPages)
	if err != nil {
		panic(err)
	}

	for _, port := range allPorts {
		fmt.Printf("%+v\n", port)
	}
}

And it returned:

{ID:40fbcd91-ae13-4b0b-91e2-9964ce400351 NetworkID:081476d2-0ab7-4c85-85b3-262fc8e199d0 Name:api Description: AdminStateUp:true Status:DOWN MACAddress:fa:16:3e:d7:60:08 FixedIPs:[{SubnetID:42e01d6f-1c22-4b5b-aecf-c415f7c9b3ae IPAddress:192.168.25.52} {SubnetID:2521f3fd-9508-4f38-8f88-f51ee2deee8a IPAddress:2001:db8::3f}] TenantID:f1c247710c254b158032e5f56cc97357 ProjectID:f1c247710c254b158032e5f56cc97357 DeviceOwner: SecurityGroups:[21381a6a-6a66-438d-bea3-5cab44441ba8] DeviceID: AllowedAddressPairs:[] Tags:[] PropagateUplinkStatus:false ValueSpecs:map[] RevisionNumber:13 CreatedAt:2023-08-14 15:55:10 +0000 UTC UpdatedAt:2023-08-14 20:46:24 +0000 UTC}
{ID:79683b83-4dda-472e-ae70-78bd2a235618 NetworkID:081476d2-0ab7-4c85-85b3-262fc8e199d0 Name:ingress Description: AdminStateUp:true Status:DOWN MACAddress:fa:16:3e:59:36:90 FixedIPs:[{SubnetID:42e01d6f-1c22-4b5b-aecf-c415f7c9b3ae IPAddress:192.168.25.193} {SubnetID:2521f3fd-9508-4f38-8f88-f51ee2deee8a IPAddress:2001:db8::119}] TenantID:f1c247710c254b158032e5f56cc97357 ProjectID:f1c247710c254b158032e5f56cc97357 DeviceOwner: SecurityGroups:[21381a6a-6a66-438d-bea3-5cab44441ba8] DeviceID: AllowedAddressPairs:[] Tags:[] PropagateUplinkStatus:false ValueSpecs:map[] RevisionNumber:13 CreatedAt:2023-08-14 15:55:19 +0000 UTC UpdatedAt:2023-08-14 20:46:24 +0000 UTC}

[dulek]

Looks like it comes from this extension: https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/definitions/security_groups_port_filtering.py

[dulek]

/lgtm

It'll be much better to use this in cloud-provider-openstack.

[1] https://github.com/openshift/cloud-provider-openstack/blob/master/pkg/openstack/loadbalancer.go#L771-L775

[EmilienM]

@pierreprinetti for review when time permits.

[dulek]

kubernetes/cloud-provider-openstack#2355 - and it's in use already.