Customer use case scenario:
A tenant of the RHOSP infrastructure wants to add the whole network as an "allowed-address", and they use Terraform to spin up an environment. Right now they have to look up the information on the VIP port they are creating in order to make it the allowed-address. If they could just add the entire network there, they would not have to perform this lookup first.
Description of problem:
As soon as the customer sets the whole tenant network as the allowed-address on the instance ports (because they cannot predict what the VIP IP address will be), the VIP address is reachable inside the tenant network, but no longer via its Floating IP address.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
* Network and subnet are created;
* (Named) ports for the instances are created;
* (Named) port for the virtual IP address is created;
* Network subnet of VIP-port is added as allowed-address on the instance ports;
* Floating IP addresses for the instance- and VIP-ports are allocated and assigned;
* Instances are created and configured with keepalived.
Actual results:
Ping from external to the VIP FIP -> no response.
Expected results:
The FIP of the VIP should be reachable from outside.
Additional info:
- The same setup works perfectly fine if we use a single IP (the VIP) in the allowed-address field for the instance port (the FIP of the VIP is pingable from the external side).
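To tell the two configurations in this report apart across many ports, the following added example (not part of the original report or of any Red Hat tooling) classifies each allowed-address entry as a single IP, a range, or a CIDR that covers the whole tenant subnet. The port dictionaries are constructed samples that use the Neutron port fields `fixed_ips` and `allowed_address_pairs`; the subnet, names and addresses are assumptions.

```python
import ipaddress

# Constructed sample data shaped like Neutron API port objects (not real output).
SUBNET_CIDR = "192.0.2.0/24"  # assumed tenant subnet
PORTS = [
    {"name": "instance-1",
     "fixed_ips": [{"ip_address": "192.0.2.11"}],
     # whole subnet as allowed-address: the failing case in this report
     "allowed_address_pairs": [{"ip_address": "192.0.2.0/24"}]},
    {"name": "instance-2",
     "fixed_ips": [{"ip_address": "192.0.2.12"}],
     # single VIP as allowed-address: the working case in this report
     "allowed_address_pairs": [{"ip_address": "192.0.2.100"}]},
]


def classify_pair(pair_ip, subnet_cidr):
    """Classify one allowed-address entry relative to the port's subnet."""
    # strict=False accepts entries written with host bits set, e.g. 192.0.2.5/24
    net = ipaddress.ip_network(pair_ip, strict=False)
    subnet = ipaddress.ip_network(subnet_cidr)
    if net.num_addresses == 1:
        return "single-ip"
    # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
    if net.version == subnet.version and subnet.subnet_of(net):
        return "whole-subnet"
    return "range"


def audit_ports(ports, subnet_cidr):
    """Return (port name, allowed-address, kind) for every non-single-IP entry."""
    findings = []
    for port in ports:
        for pair in port.get("allowed_address_pairs", []):
            kind = classify_pair(pair["ip_address"], subnet_cidr)
            if kind != "single-ip":
                findings.append((port["name"], pair["ip_address"], kind))
    return findings


if __name__ == "__main__":
    for name, ip, kind in audit_ports(PORTS, SUBNET_CIDR):
        print(f"{name}: allowed-address {ip} is {kind}")
```

Entries reported as `whole-subnet` match the configuration under which the VIP's Floating IP stops responding in this report, and they also let the port use any address in the subnet rather than only the VIP.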