metal-stack · majst01 · Oct 24, 2023 · Oct 12, 2023
@@ -13,7 +13,7 @@ const (
 	// to indicate that the firewall-controller does not connect to the firewall monitor. this way, the replica
 	// set will become healthy without a controller connection.
 	//
-	// useful for the migration when having old firewall v1 controllers that cannot update the monitor.
+	// this can be useful to silence a problem temporarily and was used in the past for migration of firewall-controller v1.
 	FirewallNoControllerConnectionAnnotation = "firewall.metal-stack.io/no-controller-connection"
 	// FirewallControllerManagedByAnnotation is used as tag for creating a firewall to indicate who is managing the firewall.
 	FirewallControllerManagedByAnnotation = "firewall.metal-stack.io/managed-by"

@@ -14,8 +14,6 @@ const (
 	FinalizerName      = "firewall.metal-stack.io/firewall-controller-manager"
 	RollSetAnnotation  = "firewall.metal-stack.io/roll-set"
 	RevisionAnnotation = "firewall.metal-stack.io/revision"
-
-	FirewallControllerMigrationSecretName = "firewall-controller-migration-secret"
 )
 
 // ConditionStatus is the status of a condition.

@@ -7,31 +7,21 @@ import (
 	"time"
 
 	v2 "github.com/metal-stack/firewall-controller-manager/api/v2"
-	"github.com/metal-stack/firewall-controller-manager/api/v2/helper"
 	"github.com/metal-stack/firewall-controller-manager/controllers"
 	"github.com/metal-stack/firewall-controller-manager/controllers/firewall"
-	"github.com/metal-stack/metal-lib/pkg/pointer"
 
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
 func (c *controller) Reconcile(r *controllers.Ctx[*v2.FirewallMonitor]) error {
-	fw, err := c.updateFirewallStatus(r)
+	_, err := c.updateFirewallStatus(r)
 	if err != nil {
 		r.Log.Error(err, "unable to update firewall status")
 		return controllers.RequeueAfter(3*time.Second, "unable to update firewall status, retrying")
 	}
 
-	err = c.offerFirewallControllerMigrationSecret(r, fw)
-	if err != nil {
-		r.Log.Error(err, "unable to offer firewall-controller migration secret")
-		return controllers.RequeueAfter(10*time.Second, "unable to offer firewall-controller migration secret, retrying")
-	}
-
 	err = c.rollSetAnnotation(r)
 	if err != nil {
 		r.Log.Error(err, "unable to handle roll set annotation")
@@ -63,70 +53,6 @@ func (c *controller) updateFirewallStatus(r *controllers.Ctx[*v2.FirewallMonitor
 	return fw, nil
 }
 
-// offerFirewallControllerMigrationSecret provides a secret that the firewall-controller can use to update from v1.x to v2.x
-//
-// this function can be removed when all firewall-controllers are running v2.x or newer.
-func (c *controller) offerFirewallControllerMigrationSecret(r *controllers.Ctx[*v2.FirewallMonitor], fw *v2.Firewall) error {
-	if metav1.GetControllerOf(fw) == nil {
-		// it can be that there is no set or deployment governing the firewall.
-		// in this case there may be no rbac resources deployed for seed access, so we cannot offer a migration secret.
-		return nil
-	}
-
-	migrationSecret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      v2.FirewallControllerMigrationSecretName,
-			Namespace: c.c.GetShootNamespace(),
-		},
-	}
-
-	isOldController := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Reason == "NotChecking" && r.Target.ControllerStatus == nil
-	if !isOldController {
-		// firewall-controller is already running with version v2.x or later, not offering migration secret
-		return client.IgnoreNotFound(c.c.GetShootClient().Delete(r.Ctx, migrationSecret))
-	}
-
-	r.Log.Info("firewall-controller seems to be running with v1.x, offering migration secret")
-
-	set, err := findCorrespondingSet(r.Ctx, c.c.GetSeedClient(), fw)
-	if err != nil {
-		return err
-	}
-
-	ref := metav1.GetControllerOf(set)
-	if ref == nil {
-		return fmt.Errorf("unable to find out associated firewall deployment in seed: no owner ref found")
-	}
-
-	kubeconfig, err := helper.GetAccessKubeconfig(&helper.AccessConfig{
-		Ctx:          r.Ctx,
-		Config:       c.c.GetSeedConfig(),
-		Namespace:    c.c.GetSeedNamespace(),
-		ApiServerURL: c.c.GetSeedAPIServerURL(),
-		Deployment: &v2.FirewallDeployment{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      ref.Name,
-				Namespace: c.c.GetSeedNamespace(),
-			},
-		},
-	})
-	if err != nil {
-		return fmt.Errorf("error creating kubeconfig for firewall-controller migration secret: %w", err)
-	}
-
-	_, err = controllerutil.CreateOrUpdate(r.Ctx, c.c.GetShootClient(), migrationSecret, func() error {
-		migrationSecret.Data = map[string][]byte{
-			"kubeconfig": kubeconfig,
-		}
-		return nil
-	})
-	if err != nil {
-		return fmt.Errorf("error ensuring firewall-controller migration secret: %w", err)
-	}
-
-	return nil
-}
-
 func (c *controller) rollSetAnnotation(r *controllers.Ctx[*v2.FirewallMonitor]) error {
 	v, ok := r.Target.Annotations[v2.RollSetAnnotation]
 	if !ok {