Fix: egress rules & tags check existing

[CodeBleu]

Issue #, if available:

Currently this provider for isolated_network and tags do not properly check for existing egress rules or tags. This causes errors to happen in Cloudstack Events constantly saying the egress rule or tag already exists

In Cloudstack Management logs (egress rules):

2025-06-13 03:41:34,847 INFO [c.c.a.ApiServer] (qtp1789718525-1648:ctx-1dcfb09c ctx-26114600 ctx-aaefd36d) (logid:fd19bc1e) There is already a firewall rule specified with protocol = udp and no ports
com.cloud.exception.NetworkRuleConflictException: There is already a firewall rule specified with protocol = tcp and no ports

In Cloudstack Management logs (tags):

2025-06-13 03:41:34,593 DEBUG [c.c.u.d.T.Transaction] (API-Job-Executor-90:ctx-29a27d87 job-503553 ctx-79468eac) (logid:ec70b352) Rolling back the transaction: Time = 5 Name = API-Job-Executor-90; called by -TransactionLegacy.rollback:890-TransactionLegacy.removeUpTo:833-TransactionLegacy.close:657-TransactionContextInterceptor.invoke:36-ReflectiveMethodInvocation.proceed:175-ExposeInvocationInterceptor.invoke:97-ReflectiveMethodInvocation.proceed:186-JdkDynamicAopProxy.invoke:215-$Proxy42.persist:-1-TaggedResourceManagerImpl$1.doInTransactionWithoutResult:219-TransactionCallbackNoReturn.doInTransaction:25-Transaction$2.doInTransaction:50
2025-06-13 03:41:34,625 ERROR [c.c.a.ApiAsyncJobDispatcher] (API-Job-Executor-90:ctx-29a27d87 job-503553) (logid:ec70b352) Unexpected exception while executing org.apache.cloudstack.api.command.user.tag.CreateTagsCmd
2025-06-13 03:41:34,627 DEBUG [o.a.c.f.j.i.AsyncJobManagerImpl] (API-Job-Executor-90:ctx-29a27d87 job-503553) (logid:ec70b352) Complete async job-503553, jobStatus: FAILED, resultCode: 530, result: org.apache.cloudstack.api.response.ExceptionResponse/null/{"uuidList":[],"errorcode":"530","errortext":"tag CAPC_cluster_741e900a-4577-40af-a442-9d7ae411b3be already on Network with id 8d65f071-aca2-46cb-bcd7-c3c5538254d7"}

Description of changes:

Updating tags and isolated_network to properly check for existing egress rules and tags and handle accordingly.

Testing performed:

Ran docker-build and docker-push and then updated my image version on the capc provider to use new image. Observed that errors went away and that it still properly adds the egress rules and tags if removed and doesn't cause any errors in Cloudstack

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: CodeBleu (2777fba, f1ec86a, b7ff8a5, 74462ee)

[netlify]

✅ Deploy Preview for kubernetes-sigs-cluster-api-cloudstack ready!

Name	Link
🔨 Latest commit	b7ff8a5
🔍 Latest deploy log	https://app.netlify.com/projects/kubernetes-sigs-cluster-api-cloudstack/deploys/685405f5ab38f40008d2a6d9
😎 Deploy Preview	https://deploy-preview-447--kubernetes-sigs-cluster-api-cloudstack.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[k8s-ci-robot]

Welcome @CodeBleu!

It looks like this is your first PR to kubernetes-sigs/cluster-api-provider-cloudstack 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/cluster-api-provider-cloudstack has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @CodeBleu. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[weizhouapache]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CodeBleu, weizhouapache

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [weizhouapache]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[vishesh92]

/ok-to-test

[Copilot]

Pull Request Overview

This PR fixes issues with egress rule and tag duplication by updating the logic to check for existing rules and tags before attempting to create new ones. Key changes include updating test expectations for tag retrieval, refactoring tag creation logic to only add missing tags, and improving firewall rule handling in isolated network operations.

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
pkg/cloud/vpc_test.go	Updated test flow to include list-tags expectations.
pkg/cloud/tags_test.go	Increased list-tags call expectations to assert duplicate calls.
pkg/cloud/tags.go	Removed redundant error suppression in tag creation.
pkg/cloud/isolated_network_test.go	Enhanced test coverage for both successful and error scenarios.
pkg/cloud/isolated_network.go	Refactored firewall rule logic with helper functions for clarity.
config/crd/bases/infrastructure.cluster.x-k8s.io_*.yaml	Added firewallRulesOpened field to CRD schemas.
api/v1beta3/cloudstackisolatednetwork_types.go	Updated status to include firewallRulesOpened field.
api/v1beta2/zz_generated.conversion.go and others	Updated conversion warnings to include the new field.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 67.59259% with 35 lines in your changes missing coverage. Please review.

Project coverage is 26.25%. Comparing base (d597e80) to head (74462ee).
Report is 105 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/cloud/isolated_network.go	70.78%	21 Missing and 5 partials ⚠️
pkg/cloud/tags.go	58.82%	5 Missing and 2 partials ⚠️
api/v1beta1/zz_generated.conversion.go	0.00%	1 Missing ⚠️
api/v1beta2/zz_generated.conversion.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #447      +/-   ##
==========================================
+ Coverage   25.66%   26.25%   +0.58%     
==========================================
  Files          59       72      +13     
  Lines        5563     6844    +1281     
==========================================
+ Hits         1428     1797     +369     
- Misses       3996     4879     +883     
- Partials      139      168      +29     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[CodeBleu]

@rohityadavcloud @vishesh92 Is there anything else needed for this other than the worklow needs to run again after the changes were made from co-pilot review suggestions?

I see a new tag for v0.6.1-rc1 and was hoping this PR could make it in the next release.