public inbox for pve-devel@lists.proxmox.com
From: David Riley <d.riley@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH access-control/cluster/common/manager/network/proxmox-widget-toolkit/qemu-server v2 00/10] fix #7294: pool: add SDN VNets as pool members
Date: Fri, 26 Jun 2026 15:10:25 +0200
Message-ID: <20260626131035.112374-1-d.riley@proxmox.com>

This series implements support for adding SDN VNets to resource pools,
resolving #7294 [0]. This series depends on the v4 'fix #7520: sdn:
prune orphaned ACLs and handle VNet migrations' [1].

It does not, however, add zones as pool members as requested in #7294.
Zones currently share ACL paths for managing the zone itself and
allocating VNets within it. This makes self-service VNet management
without also granting zone management (and its associated 
side-effects) difficult.

This patch series extends the pool section in the user.cfg and
introduces a new network property to the pool configuration which will
hold VNet entries:
* vnet/<zone>/<vnet>
* vnet/<zone>/<vnet>/<vlan>

The type prefix allows future extension to other network resource 
types.

To prevent potential data loss from overwriting newly added VNets, a
cluster-version check is added which ensures all nodes are running a
version that supports this feature. Note: The hardcoded version guard
should be updated to match the final target release when being
applied.

The existing version check helpers were moved from `qemu-server` to a
new module within `pve-cluster` to make them available for this
implementation, and any future developments that require gatekeeping.
Appropriate attribution has been included for the relocated code.
Please let me know if this organizational move aligns with current
design preferences or if additional adjustments are needed.

---
Thanks @Gabriel, @Daniel K. and @Jakob for the feedback.

Differences from v1: 
- Access: Fix permissions propagation. 
  Pool ACL paths are set up without propagation, therefore checking
  /sdn/zones/<zone>/<vnet>/<tag> fails even if the user has the
  permission for the base path /sdn/zones/<zone>/<vnet>.
  To allow this, the roles of the base VNet path are looked up if
  the exact tagged path is not found in the pool (see patch 5/9).
- API: Add a unified property string format for VNets
  (zone=<zone>,vnet=<vnet>[,tag=<tag>]), ensuring that zone and vnet
  are strictly required and coupled.
- API CLI: Add typetext to the vnet format for better error messages
  in the CLI
- API: The registered format validation for VNets and Zones now also
  checks the length.
- API: Add membership checks for network resources during add/delete
  operations (matching storage/VM behavior).
- Relocated version helpers from PVE::Cluster to PVE::Tools
- UI: Fix light mode. The icons are now light grey to match the
  storage and vm icons.
- Series is now based on v4 instead of v3 of [1]
- Minor refactors

[0] https://bugzilla.proxmox.com/show_bug.cgi?id=7294
[1] https://lore.proxmox.com/pve-devel/20260626105258.56914-1-d.riley@proxmox.com/


pve-manager:

David Riley (3):
  ui: replace var with let to match style guide for variable declaration
  fix #7294: api: pool: add SDN VNets as pool members
  fix #7294: ui: pool: add SDN VNets as pool members

 PVE/API2/Pool.pm                 | 135 +++++++++++++++++++++++++--
 www/css/ext6-pve.css             |  15 +++
 www/manager6/Utils.js            |   1 +
 www/manager6/grid/PoolMembers.js | 151 ++++++++++++++++++++++++++++---
 4 files changed, 282 insertions(+), 20 deletions(-)


proxmox-widget-toolkit:

David Riley (1):
  fix #7294: css: theme: add opacity override for pool VNet icon

 src/proxmox-dark/scss/other/_icons.scss | 12 ++++++++++++
 1 file changed, 12 insertions(+)


pve-access-control:

David Riley (1):
  fix #7294: acl: pool: add SDN VNets as pool members

 src/PVE/AccessControl.pm  | 93 ++++++++++++++++++++++++++++++++++++---
 src/PVE/RPCEnvironment.pm | 68 ++++++++++++++++++++++++++--
 src/test/parser_writer.pl | 53 ++++++++++++++++++----
 3 files changed, 198 insertions(+), 16 deletions(-)


pve-network:

David Riley (2):
  fix #7294: sdn: register api formats for zones and vnets
  fix #7294: sdn: vnet: update pool members on vnet migration and
    deletion

 src/PVE/Network/SDN.pm              | 15 +++++++++++++++
 src/PVE/Network/SDN/VnetPlugin.pm   | 25 ++++++++++++++++++++++---
 src/PVE/Network/SDN/Zones/Plugin.pm | 25 ++++++++++++++++++++++---
 3 files changed, 59 insertions(+), 6 deletions(-)


pve-common:

David Riley (1):
  tools: add helpers for version comparison

 src/PVE/Tools.pm | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)


pve-cluster:

David Riley (1):
  fix #7294: cluster: helpers: add cluster-wide version assertion

 src/PVE/Cluster.pm | 43 +++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 41 insertions(+), 2 deletions(-)


qemu-server:

David Riley (1):
  fix #7294: helpers: use cluster-wide version helper

 src/PVE/QemuMigrate.pm        |  3 ++-
 src/PVE/QemuServer/Helpers.pm | 42 ++---------------------------------
 2 files changed, 4 insertions(+), 41 deletions(-)


Summary over all repositories:
  15 files changed, 637 insertions(+), 85 deletions(-)

-- 
Generated by murpp 0.11.0
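
The permission fallback described under "Differences from v1", as an added example that is not code from this series or from pve-access-control: pool ACL entries match exactly (no propagation), so a check on a tagged VNet path falls back to the base VNet path only. The helper names, the sample pool data and the mapping from `vnet/<zone>/<vnet>[/<vlan>]` members to `/sdn/zones/...` paths are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: ACL paths granted through one pool, exact match only.
my $pool_acl = {
    '/sdn/zones/zone1/vnetA'    => ['PVESDNUser'],   # whole VNet is a member
    '/sdn/zones/zone1/vnetB/20' => ['PVESDNUser'],   # only VLAN 20 is a member
};

# Hypothetical helper: turn a pool network member entry
# (vnet/<zone>/<vnet> or vnet/<zone>/<vnet>/<vlan>) into an ACL path.
sub member_to_acl_path {
    my ($entry) = @_;
    my ($zone, $vnet, $tag) = $entry =~ m{^vnet/([^/\s]+)/([^/\s]+)(?:/(\d+))?\z}
        or die "unsupported pool network member '$entry'\n";
    my $path = "/sdn/zones/$zone/$vnet";
    $path .= "/$tag" if defined $tag;
    return $path;
}

# Hypothetical helper: roles for a path, without general propagation.
# An exact entry wins; a tagged path may fall back to its base VNet path.
# The fallback never goes the other way (tag -> base) or up to the zone.
sub roles_for_path {
    my ($acl, $path) = @_;
    return $acl->{$path} if exists $acl->{$path};
    if (my ($base) = $path =~ m{^(/sdn/zones/[^/]+/[^/]+)/\d+\z}) {
        return $acl->{$base} // [];
    }
    return [];
}

for my $member (qw(
    vnet/zone1/vnetA
    vnet/zone1/vnetA/10
    vnet/zone1/vnetB
    vnet/zone1/vnetB/20
    vnet/zone1/vnetB/30
)) {
    my $path  = member_to_acl_path($member);
    my $roles = roles_for_path($pool_acl, $path);
    printf "%-22s %-28s %s\n", $member, $path,
        @$roles ? join(',', @$roles) : '(no roles)';
}
```

In this model only the base-VNet grant covers its tagged paths; the grant on `vnetB/20` gives nothing for `vnetB` itself or for `vnetB/30`.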



