diff --git a/meta/io.murano/Classes/SharedIp.yaml b/meta/io.murano/Classes/SharedIp.yaml
index a7bbe2add..e47f61e44 100644
--- a/meta/io.murano/Classes/SharedIp.yaml
+++ b/meta/io.murano/Classes/SharedIp.yaml
@@ -51,13 +51,20 @@ Methods:
 properties:
 network_id: $networkData.netId
 replacement_policy: AUTO
- fixed_ips:
- - subnet_id: $networkData.subnetId
 outputs:
 $aapPortName+'-virtualIp':
 value:
 get_attr: [$aapPortName, fixed_ips, 0, ip_address]
 description: format('SharedIP Address of SharedIp group {0}', id($))
+ - If: $networkData.subnetId
+ Then:
+ - $t:
+ resources:
+ $aapPortName:
+ properties:
+ fixed_ips:
+ - subnet_id: $networkData.subnetId
+ - $template: $template.mergeWith($t)
 - $region.stack.updateTemplate($template)
 - If: $.assignFloatingIp
 Then:
diff --git a/meta/io.murano/Classes/resources/ExistingNeutronNetwork.yaml b/meta/io.murano/Classes/resources/ExistingNeutronNetwork.yaml
index 682415e87..c3d4b0fc8 100644
--- a/meta/io.murano/Classes/resources/ExistingNeutronNetwork.yaml
+++ b/meta/io.murano/Classes/resources/ExistingNeutronNetwork.yaml
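Review bot: The `-virtualIp` output still reads `get_attr: [$aapPortName, fixed_ips, 0, ip_address]`, but once `fixed_ips` is omitted (the new `If: $networkData.subnetId` branch not taken) the subnet behind index 0 is chosen by Neutron rather than by the template, so on a shared network with more than one subnet the address reported for the group may not be the one the members expect. If that is the accepted trade-off it should be stated where the behaviour changes, e.g. above the new `If:`: `# subnetId is empty for networks owned by other tenants (see ExistingNeutronNetwork); Neutron then picks the subnet, so fixed_ips[0] is whatever it allocated`. Right now the only rationale lives in the comment in ExistingNeutronNetwork.yaml and in the release note, not in this class. The method body continues outside the hunk on both sides.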
@@ -65,10 +65,18 @@ Workflow:
 $.network_id = $this._internalNetworkId).first().name
 - If: $._internalSubnetworkId = null
 Then:
- $._internalSubnetworkId: $._getSubnetworks().where(
- ($.name = $this.internalSubnetworkName or
- $.id = $this.internalSubnetworkName) and
- $.network_id = $this._internalNetworkId).first().id
+ # Specify subnetwork id only if the network is owned by the
+ # environment owner tenant (otherwise we may not be allowed to create
+ # a port to that specific subnet)
+ - $net: $this._getNetworks().where($.id = $this._internalNetworkId).first()
+ - If: $net.tenant_id = std:Project.getEnvironmentOwner().id
+ Then:
+ - $._internalSubnetworkId: $._getSubnetworks().where(
+ ($.name = $this.internalSubnetworkName or
+ $.id = $this.internalSubnetworkName) and
+ $.network_id = $this._internalNetworkId).first().id
+ Else:
+ - $._internalSubnetworkId: null
 - If: $.externalNetworkName = null and $._internalNetworkId != null
 Then:
diff --git a/meta/io.murano/Classes/resources/NeutronNetworkBase.yaml b/meta/io.murano/Classes/resources/NeutronNetworkBase.yaml
index 3ab11c51b..ba50ff930 100644
--- a/meta/io.murano/Classes/resources/NeutronNetworkBase.yaml
+++ b/meta/io.murano/Classes/resources/NeutronNetworkBase.yaml
@@ -59,10 +59,18 @@ Methods:
 type: 'OS::Neutron::Port'
 properties:
 network: $netRef
- fixed_ips:
- - subnet: $subnetRef
 replacement_policy: AUTO
+ - If: $subnetRef
+ Then:
+ - $template:
+ resources:
+ $portName:
+ properties:
+ fixed_ips:
+ - subnet: $subnetRef
+ - $patchTemplate: $patchTemplate.mergeWith($template)
+ - If: bool($securityGroupName) and $securityGroupsEnabled
 Then:
 - $template:
diff --git a/releasenotes/notes/shared-net-port-creation-0eda66be4444cf2f.yaml b/releasenotes/notes/shared-net-port-creation-0eda66be4444cf2f.yaml
new file mode 100644
index 000000000..73c5038cd
--- /dev/null
+++ b/releasenotes/notes/shared-net-port-creation-0eda66be4444cf2f.yaml
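Review bot: The new `Else:` branch sets `$._internalSubnetworkId` to null even when the user supplied `internalSubnetworkName`, so a requested subnet on a network owned by another tenant is dropped silently and nothing in the deployment output explains why the port ended up elsewhere. The comment above `$net` covers the policy concern but not this consequence; extend it with `# internalSubnetworkName is ignored for networks owned by other tenants` or emit a log line at that point if the class has a logger in scope. The comparison `$net.tenant_id = std:Project.getEnvironmentOwner().id` fails closed when `tenant_id` is missing from the network record (the equality is false and no subnet is pinned), which is the safe direction but worth saying in the comment since newer Neutron responses carry `project_id` alongside it. `$net` is taken with `.first()` on the `where` result with no fallback; whether an empty match raises or yields null I cannot tell from the hunk, so an explicit check before dereferencing `$net.tenant_id` would make that failure legible. The enclosing workflow block begins before the hunk.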
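Review bot: The temporary fixed_ips patch is stored in `$template`, the same local that the following step (`- If: bool($securityGroupName) and $securityGroupsEnabled` / `- $template:`) reuses for the security-group patch, so two unrelated fragments share one name inside this Body while SharedIp.yaml does the same job under `$t`. Naming it `$fixedIpsPatch` and merging with `- $patchTemplate: $patchTemplate.mergeWith($fixedIpsPatch)` would keep the fragments apart and make the two classes read the same. As in SharedIp.yaml, nothing here says why `$subnetRef` may be empty; a comment such as `# $subnetRef appears to be empty for networks owned by other tenants (see ExistingNeutronNetwork); pinning a subnet there can violate neutron policy, so only add fixed_ips when we have one` would carry the release-note rationale into the code. The method body starts and ends outside the hunk.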
@@ -0,0 +1,10 @@
+---
+issues:
+ - If a VM being a part of some shared-ip group is attached to the network
+ which is not owned by the current tenant (shared network) a policy
+ violation may occur thus failing the deployment.
+
+fixes:
+ - Murano no longer specifies fixed-ip parameter for ports when creating VMs
+ attached to networks owned and shared by other tenants. Specifying this
+ parameter for non-owned networks could cause violation of neutron policies.