🐛 Use port_trusted_vif extension for trusted VF when available #3120

Open
larainema wants to merge 1 commit into kubernetes-sigs:main from larainema:fix/port-trusted-vif-extension

@larainema
Contributor

What this PR does / why we need it

In recent Neutron (2024.2+), setting trusted directly in a port's binding:profile has been deprecated. A new API extension port-trusted-vif adds a dedicated trusted boolean field to the port resource, which should be used instead.

This PR adapts CAPO to use the new extension when available, with backward compatibility for older Neutron deployments.

Which issue(s) this PR fixes:
Fixes #2172

Changes

Port creation (pkg/cloud/services/networking/port.go)

  • Added HasPortTrustedVIFExtension() method that checks if the port-trusted-vif Neutron extension is available (follows the same pattern as GetTrunkSupport())
  • Modified EnsurePort to check for the extension when TrustedVF is set. If available, wraps the create opts with portstrustedvif.PortCreateOptsExt instead of putting trusted in binding:profile
  • Modified getPortProfile to accept a usePortTrustedVIF flag so it skips adding trusted to the binding:profile when the extension handles it

Tests (pkg/cloud/services/networking/port_test.go)

  • Updated existing test to mock ListExtensions returning no port-trusted-vif extension (backward compatibility path)
  • Added new test case "uses port_trusted_vif extension when available instead of binding:profile" that verifies the new code path

Behavior

| Neutron version | port-trusted-vif available? | Behavior |
|---|---|---|
| < 2024.2 | No | trusted: true set in binding:profile (unchanged) |
| >= 2024.2 | Yes | trusted: true set via dedicated port attribute |

Special notes for your reviewer

  1. This PR does NOT change any image versions.
  2. The gophercloud v2 library already includes the portstrustedvif package, so no dependency updates are needed.
  3. The extension availability check uses ListExtensions(), the same API used for trunk support checking.

References

When creating ports with TrustedVF enabled, check if the Neutron
port_trusted_vif extension is available. If it is, set the trusted
attribute via the dedicated port field instead of through
binding:profile. This follows the deprecation of setting trusted
directly in binding:profile in recent Neutron releases.

Falls back to the old binding:profile approach when the extension
is not available for backward compatibility.
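
The placement decision described in the PR description above, as an added example that is not code from this PR or from CAPO. It builds the port-create request body with the standard library only; `hasExtension` and `buildPortCreateBody` are hypothetical helpers, the extension list is passed in as a plain slice instead of coming from `ListExtensions()`, and the network ID and alias lists are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Extension alias as given in the PR description.
const trustedVIFAlias = "port-trusted-vif"

// hasExtension (hypothetical helper) checks a list of extension aliases,
// standing in for the result of the ListExtensions() call.
func hasExtension(aliases []string, alias string) bool {
	for _, a := range aliases {
		if a == alias {
			return true
		}
	}
	return false
}

// buildPortCreateBody (hypothetical helper) returns the port-create JSON
// body. When trustedVF is requested, "trusted" goes on the port itself if
// the extension is present, otherwise into binding:profile (legacy path).
func buildPortCreateBody(networkID string, trustedVF bool, profile map[string]any, aliases []string) ([]byte, error) {
	port := map[string]any{"network_id": networkID}
	bp := make(map[string]any, len(profile)+1) // copy: do not mutate caller's map
	for k, v := range profile {
		bp[k] = v
	}
	if trustedVF {
		if hasExtension(aliases, trustedVIFAlias) {
			port["trusted"] = true
		} else {
			bp["trusted"] = true
		}
	}
	if len(bp) > 0 {
		port["binding:profile"] = bp
	}
	return json.Marshal(map[string]any{"port": port})
}

func main() {
	// Constructed inputs: extension lists for a newer and an older deployment.
	for _, aliases := range [][]string{{"trunk", "port-trusted-vif"}, {"trunk"}} {
		body, _ := buildPortCreateBody("net-1", true, nil, aliases)
		fmt.Printf("%v -> %s\n", aliases, body)
	}
}
```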
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign lentzi90 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@netlify

netlify bot commented Apr 15, 2026

Deploy Preview for kubernetes-sigs-cluster-api-openstack ready!

Name Link
🔨 Latest commit 89ad437
🔍 Latest deploy log https://app.netlify.com/projects/kubernetes-sigs-cluster-api-openstack/deploys/69df948efc2db50007635ea1
😎 Deploy Preview https://deploy-preview-3120--kubernetes-sigs-cluster-api-openstack.netlify.app

To edit notification comments on pull requests, go to your Netlify project configuration.

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 15, 2026
@k8s-ci-robot
Contributor

Hi @larainema. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Apr 15, 2026
@nikParasyr
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 16, 2026

Development

Successfully merging this pull request may close these issues.

Port trusted VIF moved to a Neutron extension
