openstack: Remove FIPs created by the installer

eshulman2 · eshulman2 · commit c9ee29bae221 · 2025-12-08T22:13:52.000+02:00
Added cleanup for bootstrap VM FIP in the insatller as part of the
PostDestroyer to streamline FIP creation and deletion to be done by the
installer avoiding orphan FIPs.
diff --git a/pkg/infrastructure/openstack/clusterapi/clusterapi.go b/pkg/infrastructure/openstack/clusterapi/clusterapi.go
@@ -2,6 +2,7 @@ package clusterapi
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"github.com/sirupsen/logrus"
@@ -193,10 +194,18 @@ func (p Provider) PostDestroy(ctx context.Context, in clusterapi.PostDestroyerIn
 	cloud := in.Metadata.OpenStack.Cloud
 	infraID := in.Metadata.InfraID
 
+	// Best effort approach trying to delete SG even in case FIP fails
+	var errs []error
+
+	// Delete floating IPs tagged with the cluster ID and bootstrap role
+	if err := postdestroy.FloatingIPs(ctx, cloud, infraID); err != nil {
+		errs = append(errs, err)
+	}
+
 	// Delete security groups tagged with the cluster ID and bootstrap role
 	if err := postdestroy.SecurityGroups(ctx, cloud, infraID); err != nil {
-		return fmt.Errorf("failed to destroy bootstrap security groups: %w", err)
+		errs = append(errs, err)
 	}
 
-	return nil
+	return errors.Join(errs...)
 }
diff --git a/pkg/infrastructure/openstack/postdestroy/floatingips.go b/pkg/infrastructure/openstack/postdestroy/floatingips.go
@@ -0,0 +1,68 @@
+package postdestroy
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/gophercloud/gophercloud/v2"
+	"github.com/gophercloud/gophercloud/v2/openstack/networking/v2/extensions/layer3/floatingips"
+	"github.com/sirupsen/logrus"
+
+	openstackdefaults "github.com/openshift/installer/pkg/types/openstack/defaults"
+)
+
+// FloatingIPs deletes the bootstrap floating IP that was previously disassociated
+// (but not deleted) when the bootstrap machine was destroyed by CAPO.
+func FloatingIPs(ctx context.Context, cloud string, infraID string) error {
+	clusterTag := fmt.Sprintf("openshiftClusterID=%s", infraID)
+	roleTag := "openshiftRole=bootstrap"
+	logrus.Debugf("Searching for bootstrap floating IP with tags: %s, %s", clusterTag, roleTag)
+
+	networkClient, err := openstackdefaults.NewServiceClient(ctx, "network", openstackdefaults.DefaultClientOpts(cloud))
+	if err != nil {
+		return fmt.Errorf("failed to create network client: %w", err)
+	}
+
+	// Search for floating IPs with both cluster ID and role tags
+	// OpenStack tags filter requires ALL specified tags to match (AND logic)
+	allPages, err := floatingips.List(networkClient, floatingips.ListOpts{
+		Tags: fmt.Sprintf("%s,%s", clusterTag, roleTag),
+	}).AllPages(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to list floating IPs: %w", err)
+	}
+
+	fips, err := floatingips.ExtractFloatingIPs(allPages)
+	if err != nil {
+		return fmt.Errorf("failed to extract floating IPs: %w", err)
+	}
+
+	if len(fips) == 0 {
+		logrus.Debug("No bootstrap floating IP found (may have already been deleted)")
+		return nil
+	}
+
+	// Should only find one FIP with both tags, but delete all if multiple exist
+	var errs []error
+	for _, fip := range fips {
+		logrus.Infof("Deleting bootstrap floating IP %s (ID: %s)", fip.FloatingIP, fip.ID)
+
+		err = floatingips.Delete(ctx, networkClient, fip.ID).ExtractErr()
+		if err != nil {
+			// Check if it's a "not found" error, which is acceptable
+			if gophercloud.ResponseCodeIs(err, http.StatusNotFound) {
+				logrus.Debugf("Bootstrap floating IP %s already deleted", fip.ID)
+				continue
+			}
+			logrus.Errorf("Failed to delete bootstrap floating IP %s: %v", fip.FloatingIP, err)
+			errs = append(errs, fmt.Errorf("failed to delete bootstrap floating IP %s: %w", fip.FloatingIP, err))
+			continue
+		}
+
+		logrus.Infof("Successfully deleted bootstrap floating IP %s", fip.FloatingIP)
+	}
+
+	return errors.Join(errs...)
+}
diff --git a/pkg/infrastructure/openstack/postprovision/floatingips.go b/pkg/infrastructure/openstack/postprovision/floatingips.go
@@ -85,11 +85,18 @@ func createAndAttachFIP(ctx context.Context, client *gophercloud.ServiceClient,
 		return nil, err
 	}
 
-	tag := fmt.Sprintf("openshiftClusterID=%s", infraID)
-	err = attributestags.Add(ctx, client, "floatingips", floatingIP.ID, tag).ExtractErr()
+	// Tag the floating IP with cluster ID and role for proper lifecycle management
+	clusterTag := fmt.Sprintf("openshiftClusterID=%s", infraID)
+	err = attributestags.Add(ctx, client, "floatingips", floatingIP.ID, clusterTag).ExtractErr()
 	if err != nil {
 		return nil, err
 	}
 
-	return floatingIP, err
+	roleTag := fmt.Sprintf("openshiftRole=%s", role)
+	err = attributestags.Add(ctx, client, "floatingips", floatingIP.ID, roleTag).ExtractErr()
+	if err != nil {
+		return nil, err
+	}
+
+	return floatingIP, nil
 }
