From 33e2de60e5ebd5d53e5a109e7199ff8bae9ab911 Mon Sep 17 00:00:00 2001
From: Jesse Haka
Date: Fri, 16 Oct 2020 14:11:22 +0300
Subject: [PATCH] do not create egress rules when using vipacl octavia
---
 pkg/model/openstackmodel/firewall.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/pkg/model/openstackmodel/firewall.go b/pkg/model/openstackmodel/firewall.go
index c688425505..b8ae43e257 100644
--- a/pkg/model/openstackmodel/firewall.go
+++ b/pkg/model/openstackmodel/firewall.go
@@ -539,8 +539,11 @@ func (b *FirewallModelBuilder) getExistingRules(sgMap map[string]*openstacktasks
 
 }
 
-func (b *FirewallModelBuilder) addDefaultEgress(c *fi.ModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) {
- for _, sg := range sgMap {
+func (b *FirewallModelBuilder) addDefaultEgress(c *fi.ModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup, useVIPACL bool) {
+ for name, sg := range sgMap {
+ if useVIPACL && name == b.Cluster.Spec.MasterPublicName {
+ continue
+ }
 t := &openstacktasks.SecurityGroupRule{
 Lifecycle: b.Lifecycle,
 Direction: s(string(rules.DirEgress)),
@@ -612,7 +615,7 @@ func (b *FirewallModelBuilder) Build(c *fi.ModelBuilderContext) error {
 klog.Warningf("Failed to list existing security groups: %v", err)
 }
 
- b.addDefaultEgress(c, sgMap)
+ b.addDefaultEgress(c, sgMap, useVIPACL)
 //Add API Server Rules
 b.addHTTPSRules(c, sgMap, useVIPACL)
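Review bot: The new skip in addDefaultEgress picks out one security group purely by comparing the sgMap key with `b.Cluster.Spec.MasterPublicName`, and nothing in the hunk records why that group should get no egress rule or that the map is keyed by that name. If the key is built differently where sgMap is filled (not visible here), the condition never matches and the egress rule is still created with no signal to the operator. A comment above the check would make the intent reviewable, for example `// With a VIP ACL the API load balancer's security group gets no default egress rule; sgMap is keyed by group name.`, with the wording confirmed against how the group is created. A doc comment on the function naming the new `useVIPACL` parameter would help as well, since the call in Build (second hunk) now passes a bare bool; the function body continues past the end of the hunk.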