
feat(openstack): add disablePortSecurity to MachineDeployment spec#2043

Open
mvanhorn wants to merge 2 commits into kubermatic:main from mvanhorn:feat/2012-openstack-disable-port-security

Conversation

@mvanhorn


Summary

Adds a disablePortSecurity boolean to the OpenStack MachineDeployment provider spec. When set to true, the machine-controller disables port security on the instance's Neutron network ports after the instance comes up, and clears their security groups (OpenStack rejects security groups on a port with port security disabled). Default behavior is unchanged.

Why this matters

Routing-based Kubernetes CNIs such as Cilium native routing rely on a node forwarding traffic for IP/MAC addresses other than the port's own. OpenStack port security blocks that traffic, so those CNIs cannot run on worker nodes unless port security is turned off on the instance ports. As described in #2012, the OpenStack provider had no way to do this, while cluster-api already exposes the equivalent setting. This change closes that gap so operators can provision routing-CNI-ready nodes directly from a MachineDeployment.

What this PR does / why we need it

  • New DisablePortSecurity providerconfig.ConfigVarBool field on RawConfig, resolved into Config.DisablePortSecurity in getConfig, mirroring the existing trustDevicePath / configDrive bool fields.
  • After the server is created, when the flag is set, the provider waits for each attached network port to become active (reusing the existing port-readiness waiter) and updates it via Neutron to set port_security_enabled=false, clearing the port's security groups in the same call.
  • The update is applied to every network in the networks list, not just the primary one, so the setting also takes effect on multi-NIC machines.
  • When the field is omitted or false, no port update is performed and port security stays enabled.

Testing

  • go test ./pkg/cloudprovider/provider/openstack/... passes, including a new table test asserting disablePortSecurity defaults to false and resolves to true when set.
  • go build, go vet, and gofmt are clean for the touched packages in both the main and sdk modules.

Which issue(s) this PR fixes:

Fixes #2012

What type of PR is this?

/kind feature

Special notes for your reviewer:

The field is documented in examples/openstack-machinedeployment.yaml.

Does this PR introduce a user-facing change? Then add your Release Note here:

Add a `disablePortSecurity` option to the OpenStack provider spec that disables port security (and clears security groups) on the instance's network ports, enabling routing-based CNIs such as Cilium native routing.

Documentation:

NONE
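As an added example (not code from this PR or from machine-controller), the Neutron port update the bullets above describe, built with only the standard library rather than a Neutron client library, plus a small audit helper that reports which ports in a GET /v2.0/ports listing are in the resulting state; the port listing is constructed, and the field names port_security_enabled and security_groups are the public Neutron port-security attributes.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// DisablePortSecurityBody builds the body Neutron expects on PUT /v2.0/ports/{id}:
// port security off and the security groups cleared in one call, since Neutron
// rejects a port that carries security groups while port security is disabled.
func DisablePortSecurityBody() ([]byte, error) {
	return json.Marshal(map[string]any{"port": map[string]any{
		"port_security_enabled": false,
		"security_groups":       []string{}, // empty list, not null
	}})
}

// UnprotectedPorts returns "port-id (device-id)" for every port in a Neutron
// GET /v2.0/ports listing whose port security is disabled, i.e. the state this
// flag puts a node's ports into: no anti-spoofing filter and no security groups.
func UnprotectedPorts(listing []byte) ([]string, error) {
	var resp struct {
		Ports []struct {
			ID                  string `json:"id"`
			DeviceID            string `json:"device_id"`
			PortSecurityEnabled bool   `json:"port_security_enabled"`
		} `json:"ports"`
	}
	if err := json.Unmarshal(listing, &resp); err != nil {
		return nil, err
	}
	var out []string
	for _, p := range resp.Ports {
		if !p.PortSecurityEnabled {
			out = append(out, p.ID+" ("+p.DeviceID+")")
		}
	}
	return out, nil
}

// Constructed sample listing, not output from a real cloud.
const sampleListing = `{"ports":[
 {"id":"port-a","device_id":"worker-0","port_security_enabled":false,"security_groups":[]},
 {"id":"port-b","device_id":"bastion","port_security_enabled":true,"security_groups":["sg-1"]}]}`

func main() {
	body, _ := DisablePortSecurityBody()
	ids, _ := UnprotectedPorts([]byte(sampleListing))
	fmt.Println(string(body), ids)
}
```

Running the audit against a real listing is how an operator confirms that only the intended routing-CNI nodes lost their anti-spoofing filter and security groups.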

mvanhorn added 2 commits June 17, 2026 00:22
Signed-off-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Signed-off-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
@kubermatic-bot kubermatic-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. docs/none Denotes a PR that doesn't need documentation (changes). dco-signoff: yes Denotes that all commits in the pull request have the valid DCO signoff message. labels Jun 17, 2026
@kubermatic-bot

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign moadqassem for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubermatic-bot kubermatic-bot added sig/cluster-management Denotes a PR or issue as being assigned to SIG Cluster Management. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 17, 2026
@kubermatic-bot

Contributor

Hi @mvanhorn. Thanks for your PR.

I'm waiting for a kubermatic member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kubermatic-bot kubermatic-bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jun 17, 2026
@kron4eg

kron4eg commented Jun 17, 2026

Member

/cc

Copilot AI left a comment


Pull request overview

Adds an OpenStack-specific disablePortSecurity boolean to the MachineDeployment provider spec, enabling operators to disable Neutron port security (and clear security groups) on instance ports after creation—needed for routing-based CNIs (e.g., Cilium native routing) while keeping default behavior unchanged.

Changes:

  • Extend OpenStack provider spec/config to include disablePortSecurity and load it via the existing config-var resolver pattern.
  • After server creation, optionally wait for each attached port and update it to set port_security_enabled=false and clear security groups for all configured networks (multi-NIC aware).
  • Add a table test for config loading and document the new option in the example manifest.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Summary per file:
  • sdk/cloudprovider/openstack/types.go: Adds disablePortSecurity to the SDK RawConfig schema for provider specs.
  • pkg/cloudprovider/provider/openstack/provider.go: Loads the flag and applies Neutron port updates post-create across all attached networks.
  • pkg/cloudprovider/provider/openstack/provider_test.go: Adds config-loading test coverage for disablePortSecurity.
  • pkg/cloudprovider/provider/openstack/helper.go: Implements the Neutron port update helper using the portsecurity extension.
  • examples/openstack-machinedeployment.yaml: Documents the new disablePortSecurity option for users.


Comment on lines +764 to +766
if err := p.portReadinessWaiter(ctx, instanceLog, netClient, server.ID, networkID, cfg.InstanceReadyCheckPeriod, cfg.InstanceReadyCheckTimeout); err != nil {
instanceLog.Infow("Port for instance did not became active", zap.Error(err))
}
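Review bot: the log message on the middle line has a grammar slip, "Port for instance did not became active" should read "did not become active". The waiter error is also only logged at Info level and execution continues past the block, so a port that never became active is silently passed on to the Neutron update; consider logging at Warn level or returning the error so the failure is visible to operators.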
Comment on lines +141 to +144
# Optional. If true, disables OpenStack port security on the instance's
# network port (and clears its security groups). Required for routing-based
# CNIs such as Cilium native routing that need IP/MAC "spoofing".
disablePortSecurity: false
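Review bot: the comment describes the effect in the singular ("the instance's network port (and clears its security groups)"), but the change applies the update to every port on every network in the networks list, so "network ports (and clears their security groups)" would describe the multi-NIC behaviour accurately.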
@kron4eg

kron4eg commented Jun 18, 2026

Member

/test all

@kron4eg

kron4eg commented Jun 18, 2026

Member

@mvanhorn thanks for the PR! Looks good and solid! Please fix the mentioned typos and I'll merge it.


Development

Successfully merging this pull request may close these issues.

OpenStack provider allow setting disablePortSecurity in MachineDeployment

4 participants