Recreate firewall on unhealthy condition #63

Open
wants to merge 13 commits into
base: main
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -51,4 +51,4 @@ To play with the FCM, you can also run this controller inside the [mini-lab](htt
1. Deploy the FCM into the mini-lab with `make deploy`
1. Adapt the example [firewalldeployment.yaml](config/examples/firewalldeployment.yaml) and apply with `kubectl apply -f config/examples/firewalldeployment.yaml`
1. Note that the firewall-controller will not be able to connect to the mini-lab due to network restrictions, so the firewall will not get ready.
- You can make the firewall become ready anyway by setting the annotation `kubectl annotate fw <fw-nsme> firewall.metal-stack.io/no-controller-connection=true`
- You can make the firewall become ready anyway by setting the annotation `kubectl annotate fw <fw-nsme> -n firewall firewall.metal-stack.io/no-controller-connection=true`
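Review bot: the placeholder `<fw-nsme>` on the changed line looks like a typo for `<fw-name>`. This line is already being edited to add `-n firewall`, so correct the placeholder in the same change. It would also help to say in the surrounding step that `firewall` is the namespace the example manifests deploy into, so readers who changed it know to adjust the flag.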
6 changes: 3 additions & 3 deletions config/examples/certs/ca-key.pem
@@ -1,5 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIBRabFggNFg6LUPxY5AeplDzeqZQmnsnFY9OmWQW2eGBoAoGCCqGSM49
AwEHoUQDQgAEkP91tJGv5pIytEgKOlwTeksfWC1MczdEmj8ouOiaQfFvCkLl5NB/
uRLrjoR8vDamER2UM+BumDy1XfM849aIww==
MHcCAQEEIMdzRnQT5XJYI5YdllH2IC4TDpkkoswIUSPxVggCmz8uoAoGCCqGSM49
AwEHoUQDQgAEzPBxsUSwbxKnyOHzLBxJtne4EKF2dktJ7cgiq88H4i2QWvH8Eu5f
WlSuos1/tjF7NdnZwdR3F09M3FWN2z32vw==
-----END EC PRIVATE KEY-----
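Review bot: this replaces one checked-in CA private key with another, so anyone who can read `config/examples/certs/ca-key.pem` can issue certificates that chain to the `caBundle` values in `config/examples/kustomize/patch-webhooks.yaml`. If the key is only meant for the mini-lab example, say so in a comment or README note next to the file. Better still, generate the example CA at deploy time instead of committing it, so the key cannot be copied into a real cluster by accident.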
16 changes: 8 additions & 8 deletions config/examples/certs/ca.pem
@@ -1,12 +1,12 @@
-----BEGIN CERTIFICATE-----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MQswCQYDVQQDEwJjYTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMzwcbFEsG8S
p8jh8ywcSbZ3uBChdnZLSe3IIqvPB+ItkFrx/BLuX1pUrqLNf7YxezXZ2cHUdxdP
TNxVjds99r+jQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G
A1UdDgQWBBRmKUtHhVtOaft2ka15nfnH6agg8zAKBggqhkjOPQQDAgNHADBEAiAz
dCfM0jLlTDzaEXz5z1XEg8LhJWQV5YYoF+DUlJiU/gIgfSvcno9zARAKNNH06qF0
XCzKTrC60QhD+N1wFN7X2og=
-----END CERTIFICATE-----
22 changes: 11 additions & 11 deletions config/examples/certs/tls.crt
@@ -1,15 +1,15 @@
-----BEGIN CERTIFICATE-----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MRIwEAYDVQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARN
eruOjegpfrIkOew6QNy5HsOXzL+Oie/ubpUxphleQhX7/pLjGNvo8ueWDyN0ZZ0G
vxexgYUDZkXh19dg9RzQo4HAMIG9MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUyxBq
6HMZNcJlyn+b0GRQqPwvepgwHwYDVR0jBBgwFoAUZilLR4VbTmn7dpGteZ35x+mo
IPMwPgYDVR0RBDcwNYIJbG9jYWxob3N0gihmaXJld2FsbC1jb250cm9sbGVyLW1h
bmFnZXIuZmlyZXdhbGwuc3ZjMAoGCCqGSM49BAMCA0cAMEQCIEIHZ3Uj6fNvYgKv
JbI28i8nsdF3PbCGhLW6XnFABwqBAiAP9KPZf9zAAN8DHum2s1sOYTVOHGm4drkq
NLAFeNNXbg==
-----END CERTIFICATE-----
6 changes: 3 additions & 3 deletions config/examples/certs/tls.key
@@ -1,5 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIGkp4UEW0A/611PSa/ryMg+7c2yB11ZqtA/GR1yMaeq+oAoGCCqGSM49
AwEHoUQDQgAEXxTSZ/+3bnwm0dAAvgZ08r4Z/fMrzog/gEll2lWHgYLLgfRn1FpV
cqfn43QJIFjWXeEuLjc+mg9RvypROhgRUA==
MHcCAQEEIJZT9vmyYJDxyP3gyJpkeS02M0hgXlrrrjTCmlmUOcQ0oAoGCCqGSM49
AwEHoUQDQgAETXq7jo3oKX6yJDnsOkDcuR7Dl8y/jonv7m6VMaYZXkIV+/6S4xjb
6PLnlg8jdGWdBr8XsYGFA2ZF4dfXYPUc0A==
-----END EC PRIVATE KEY-----
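Review bot: the regenerated serving key here, together with the new `ca-key.pem`, `ca.pem` and `tls.crt`, is unrelated to the stated purpose of the PR ("Recreate firewall on unhealthy condition"), and nothing visible explains why the example certificates were rotated. Please move the certificate regeneration into its own commit or PR with a short rationale (expiry, changed SANs, or similar), so the controller logic change can be reviewed and reverted independently of the key material.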
72 changes: 36 additions & 36 deletions config/examples/kustomize/patch-webhooks.yaml
Expand Up @@ -4,45 +4,45 @@ kind: MutatingWebhookConfiguration
metadata:
name: mutating-webhook-configuration
webhooks:
- name: firewall.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
- name: firewallset.metal-stack.io
clientConfig:
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ2VENDQVdTZ0F3SUJBZ0lVWTJlaUpMcFlRSzRoMzVpREpiR3NVUFpsc0Fjd0NnWUlLb1pJemowRUF3SXcKUFRFTE1Ba0dBMVVFQmhNQ1JFVXhEekFOQmdOVkJBZ1RCazExYm1samFERVFNQTRHQTFVRUJ4TUhRbUYyWVhKcApZVEVMTUFrR0ExVUVBeE1DWTJFd0hoY05Nak13TkRFNE1EYzFOREF3V2hjTk1qZ3dOREUyTURjMU5EQXdXakE5Ck1Rc3dDUVlEVlFRR0V3SkVSVEVQTUEwR0ExVUVDQk1HVFhWdWFXTm9NUkF3RGdZRFZRUUhFd2RDWVhaaGNtbGgKTVFzd0NRWURWUVFERXdKallUQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJKRC9kYlNScithUwpNclJJQ2pwY0UzcExIMWd0VEhNM1JKby9LTGpvbWtIeGJ3cEM1ZVRRZjdrUzY0NkVmTHcycGhFZGxEUGdicGc4CnRWM3pQT1BXaU1PalFqQkFNQTRHQTFVZER3RUIvd1FFQXdJQkJqQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01CMEcKQTFVZERnUVdCQlJMNys2dDBhWXQvdnZxZVBvRGR5SnNRNkRRNWpBS0JnZ3Foa2pPUFFRREFnTkhBREJFQWlCNQo0bklUWHpxMjNiN0haV2YvVE4yMkRRWCs5QWpjMnhPd3MybHdseDhUcFFJZ1NQMHpUYTN5R2VhYnFCZ2ptQU5aCkdUWVphU0FCTEJBb1ExTHQ1RTZzQ1ZzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
service:
name: firewall-controller-manager
namespace: firewall
- name: firewalldeployment.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
- name: firewall.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
- name: firewallset.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
- name: firewalldeployment.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-configuration
webhooks:
- name: firewall.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
- name: firewallset.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
- name: firewalldeployment.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
- name: firewall.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
- name: firewallset.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
- name: firewalldeployment.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
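Review bot: every webhook entry in both `MutatingWebhookConfiguration` and `ValidatingWebhookConfiguration` is rewritten here, yet the visible `name` and `service` fields are the same before and after, so the real change seems to be the `caBundle` values plus formatting. The same bundle is pasted by hand into each entry and has to stay in sync with `config/examples/certs/ca.pem`. A single stale copy would make the API server reject that webhook's TLS connection. Consider deriving `caBundle` from `ca.pem` at build time rather than duplicating it, and keep formatting-only changes out of this hunk so the functional diff stays readable.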
33 changes: 25 additions & 8 deletions controllers/set/delete.go
Expand Up @@ -45,30 +45,47 @@ func (c *controller) deleteFirewalls(r *controllers.Ctx[*v2.FirewallSet], fws ..

return nil
}

func (c *controller) deleteAfterTimeout(r *controllers.Ctx[*v2.FirewallSet], fws ...*v2.Firewall) ([]*v2.Firewall, error) {
func (c *controller) deleteIfUnhealthyOrTimeout(r *controllers.Ctx[*v2.FirewallSet], fws ...*v2.Firewall) ([]*v2.Firewall, error) {
var result []*v2.Firewall

for _, fw := range fws {
fw := fw
if c.isFirewallUnhealthy(fw) {
Contributor

@Gerrit91 Gerrit91 Nov 6, 2024


With some small changes on your newly introduced struct I think something like this would be clearer and really point out that this is about timeouts:

status := evaluateFirewallConditions(fw)

switch {
case status.CreateTimeout || status.HealthTimeout:
    r.Log.Info("firewall health or creation timeout exceeded, deleting from set", "firewall-name", fw.Name)

    err := c.deleteFirewalls(r, fw)
    if err != nil {
        return nil, err
    }

    result = append(result, fw)
}

The isProgressing that's used in setStatus would also not be required anymore as it can be derived in case all other cases do not match.

Collaborator Author


I changed it, what do you think now?

r.Log.Info("unhealthy firewall not recovering, deleting from set", "firewall-name", fw.Name)
err := c.deleteFirewalls(r, fw)
if err != nil {
return nil, err
}
result = append(result, fw)
continue
}

if fw.Status.Phase != v2.FirewallPhaseCreating {
continue
}

Honigeintopf marked this conversation as resolved.
connected := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue

if !connected && time.Since(fw.CreationTimestamp.Time) > c.c.GetCreateTimeout() {
r.Log.Info("firewall not getting ready, deleting from set", "firewall-name", fw.Name)

err := c.deleteFirewalls(r, fw)
if err != nil {
return nil, err
}

result = append(result, fw)
}
}

return result, nil
}

func (c *controller) isFirewallUnhealthy(fw *v2.Firewall) bool {

statusReport := evaluateFirewallConditions(fw, c.c.GetFirewallHealthTimeout())

if statusReport.IsReady {
return false
}

if statusReport.IsUnhealthy {
return true
}

return false
}
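Review bot: the new unhealthy branch in `deleteIfUnhealthyOrTimeout` deletes every firewall for which `isFirewallUnhealthy` returns true, and nothing visible in the loop limits how many members of the set are removed in one reconcile. If all firewalls report unhealthy at once, for example because the condition source is unavailable rather than the firewalls themselves, the set would delete all of them together. Consider capping deletions per pass, or requiring a ready replacement before removing the last healthy-looking member. Please also confirm that a firewall carrying the `firewall.metal-stack.io/no-controller-connection=true` annotation from the README is not classified as unhealthy here. Separately, `isFirewallUnhealthy` can be reduced to `return !statusReport.IsReady && statusReport.IsUnhealthy`, and the blank line after its opening brace can go.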
2 changes: 1 addition & 1 deletion controllers/set/reconcile.go
Expand Up @@ -109,7 +109,7 @@ func (c *controller) Reconcile(r *controllers.Ctx[*v2.FirewallSet]) error {
}
}

deletedFws, err := c.deleteAfterTimeout(r, ownedFirewalls...)
deletedFws, err := c.deleteIfUnhealthyOrTimeout(r, ownedFirewalls...)
if err != nil {
return err
}