Hey @arunmk
ATM you can only deploy a cluster with FW rules (DFW and Gateway) based on the network (so vcd_nsxt_ip_set or a network assigned to vcd_nsxt_security_group) where the k8s cluster will be deployed.
There is a function called Dynamic Security Groups in VCD where you can tag VMs -> these VMs fall into the right rule set vmware/go-vcloud-director#487
So if the VM is not in the right rule set of the DFW or Gateway FW ruleset, the deployment of the cluster may fail to pull images. vmware/terraform-provider-vcd#894
The use case is: you can have 2 K8s in the same network -> 2 different rules for dev/prod sets of FW rules (k8s to INTNET and between nodes), and the clusters can't talk to each other via DFW rules.
This can be done easily if I can tag my cluster nodes via YAML as optional.
Is your feature request related to a problem? Please describe.
Add the security tag to the VM infra type; you can define the communication pattern one time and just add the new nodes to the security rules in the NS and EW firewall in vCloud Director.
SDK Pull
vmware/go-vcloud-director#467
Describe the solution you'd like
Where it should be placed
Example:
```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: VCDMachineTemplate
metadata:
  name: capi-cluster-control-plane
  namespace: default
spec:
  template:
    spec:
      catalog: tkgm-cat
      template: ubuntu-2004-kube-v1.20.8+vmware.1-tkg.1-17589475007677388652
      sizingPolicy: tkgm-sizing-policy
      placementPolicy: tkgm-placement-policy
      storageProfile: "*"
      securitytags: tkgmcluster01,tkgmuser01  # VCD tags the worker / master VMs with security tags per
```
Describe alternatives you've considered
No response
Additional context
No response