Remove firewall networks from cloud profile (#97)

example/controller-registration.yaml

@@ -14,7 +14,7 @@ spec:
   deployment:
     type: helm
     providerConfig:
-      chart: H4sIAAAAAAAAA+0ca3PbNjKf+SswynWm7ZxIvSz3NJObcxNf6rnE1jhuOjc3NxmIhCRGFMECpG1dmv9+iwdJkCJFyXbspuW2M6EA7GIB7C52F4AjRq99j7DumsQ4cJ59CegBHB8dyX8Byv/K7/5w1B8cDcZjUQ5fvaNn6OiLcFOChMeYIfSMURrvatdU/5VCVFz/l0vMYnuD18ED9tG0/oP+UWn9R6Ph8BnqPSAPtfAnX38c+e8J4z4NJ+i6b+Eoyn/27P7A7lse4S7zo1gWnqCfSLBGrpATNKcMxUuCXmPmkZAw9FYIEZpqmULkNiahIGaFeE0mqChs1nW5p6eejD8hlPTfo669oA/cR5P+Hw3K9n847vVb/X8McJwFnSyE8uKYINt24P9rEnqUOQs/XiYz26VrZ6EVPP9YYnflpHhdl4Yxo0EAcsTIwucxlIJm23xZ0nlk6z7en16+O7s417/ILV5HAXHq6IgNCb1UldMAh2SiqJ2Fc4ahVeLGCUsLf6FsRZj6YVmOg6bAK14QbbRIiGcB4cgcN0+iiGqDpgv9cCFtm0sZI26MctZQgTUrMql/dSaspP8xgXWAGeEP6Qke7v+NjnrD1v97DKhd/w9LEkSwQdtxdF9fsGH9+4NB2f877g17rf1/DPj0qYs8MvdDgjrCSeug7ufPVmrmu5kH1y35bgIPtgnZ2jKJBHhGAm6DI2mvyEaRkz+SGWEhAdGyfeqIrgo0akhc4yDRPH36hPzQDRIv49RGGnEHI9u4ZQYFlQmqaaH7lz1tj8IPQXhCl0h0+5IEBHNinwNzlZxlrPlr2DAUZwiJGn+OlphPGdTfog5f4sHReALdvhfdQ1eivR3jBcowIuaH8Rx1vuH/+IaXWzISUe7HlG12kYAxkiqCkzsThMEa4y4viEeigG7WJIy1458JB3cg9DCm66mV4k8EtfYf/J25v1jjqCtX+hp8IMq6FJbuhvkxOSRH0LT/j8bDov0fDMfj49b+PwZo61PQ6vdyrS/SpVa2r5AmWPmhNxEOOYjIWxxZQng8HOMJWAIV6ldb62pZ0kgcPOkKUyqLlZFRhnlSYc4F+d+gEHatGI1E65Qd2SP/UBTcCfpNENk56iI5w6g99ZI9KDTr//2zgQ36D+o/Kvt/w9Go1f/HgIdS7Excvqgyq14yFUYA3W5X/msORMqynYq2nTmx3NYEUv/WdgOaeOB94CBa4r4klE2BDvfVZCQq3LdK9lLTcwMfeIWWIRgRaKZGCPyWyieyFJh1XRKJcmAsvtpEhMupYuTXxGfEQ50G+vY2AeTzDL/TxF8VvmZZTnJaeiBXBuZh7JiIGR+/RofOCmAc1q9AyPqbJYzHB/YocQ7rU6EUt5RqqVpjdwme85ncwVI+C4VSe2L6b5Ee24lcu5kJkiR2vVQyOeyBgJH+FCKMOT9PVb/UicC0NYqdtcynFNAxaLwfb5qxdUNjPbC7SqKcE+4uiZcE9YwoBDttl1LCSbxMqajkn1dFQjSzdX39mpRbKbKpqbmCmjCupV5sVrESPAqScHWSeH68B8dG62bGaxqrTpbE/fnyTVMfqlUB64quSLgHnmxXMWCwQzQJRbL19FZkYAnbZ6W2kPZYt504qkuI628oW10xPJ/7bi54h7FSpLLdC7ikYOxYiINz1XKXFjfTLxPLVb3fM2x6aoWAaD6wJeVxWKPaFT2bROwU1xyYaHcXWjL3XjAaJQd9Tzourh49UCSCszvRBMxdVP9FNncnvCKbMu1HDjRq/f88W3PvAKDB/x+Pxlv+/9G49f8fBUy3Oc3EKQ/4VSYAe0cBX8T35xGRtpiRa1/w+ZMvXIbNG38NmyTqyZoo8F3MC6ZHF74UOqg65cCLCPEn2o+K3eWb/fgYKwKpcmgCxqTIrSwMaSyDBJ5b2D3TK5lBga1yxZO1kX2TelmdNyksw7cygYv+Yl9pLu0fYeKnOF6izl7JvM53csgq+Qw8mHyVdu0aVneGhndgtoGtPYXoh9y5ItmmLgIODO4xy9aq2yTZeu8W8zdBnXL2yEyRf/482apWifJOkc40CYIpBTEtuscKI8oqC9NO12scermEdZFTcVqjpGYJ8RQzWhaNvXlqDzShT7NtV69bd+4H5IUDDrZTPTV6vRwjNi+TEb1E4tge+rkVBW7CGKxNlxHxAzrgL4obqOYr+5bYdo75bhO63JwX0ZNfuA1weF9F/MbeFiGFXmhEVGqgmxuA2g4kykWKcZIhlGnfyCsMh49A4TVxfkNmS0pX6QJnJvvFDotdi80JAzPSFR6OyZVupX0d1WhacvMENc/nwj82ZLEwOF2dZ2OEf/uR+iHq/LVTR0v3XUXoF11VQ4WE16ZmKYvw5vTk1enlh9M3py+vzi7OP5yfvD19Nz15eZq1REieE/6T0fXEKERo7pPAuyTzYqkuF+Zukm0jdrYMd908Un7P3p68Pn0PzF5cfrh4f3r5y+XZ1RavE+TICytGZtypTJXv2gPEovPtCUslRK260XNmdaflQGEfcZFhdkxdGkzQ1ctpOdBjhNOEuaQg7llhVYyVY/yGwjonPJs1GiRr8la4ExVDVspgsLoWDdUKN9vO+6543alKFTNbq260YwR7F2EAuxEYQVK/8mJ9fJecqAjnvHnffI5EsBqKPFBWIsTHO4EA6aSiCmUJtVcJuAqLdyqnA19n0obq4tNb4iZmYvW5nhfpB7wrOHxppZwQ4fxBWAYSwE2HLW/RRSuyqb0WkF0c2MJDSG0I0Cs6CyuqpfZVdCi63OMSQhEtphEN6GIjg9BO8XJCGqCnPocS4C1/pySBbpr6N03W3pn/FDwyx0kQv6Ue4I0GPV11kHjvJ9yH89ukLDt4/wMeANbG/6CcsGeyRN77niXegtw5EdB4/3d0XDr/74+Ox238/xigVXIRo29FRFYVPX+H+uUrAJGMS5zr/gykJk0YTKn3KpOYH6XE/D4yB+BG/xzia+wHwgWU5HkyaxzwvTMGX4PJqNV/NsPuAz0EatD/IUAp/zce9tr3P48C4vjc1Gy57OKwijL/f+qG++oH6U/ktwMCmDPCLmlADtHvQzSXJYHwVLriVP81o0kk3ZYuMk7yi0f4VsHVF01dxSWXP4qRfWWZA3IQJ6rKTDpUlJhNVcRd+M6rwbuYaXaEMZSOqc/Vx42wJvIryr6SCOaSbA87G1rjqFUex8tKi0x0vu9sE+90KiYv9em4USctsaovJZLAUosf0lqKSxKVI78pDzMfezVPXZmQlh+zDLdWPhWCt/alR194omE2iHxDhowKfaoGMUVeWpqUbINSPIEPCaGg/OTEZSTm21Mn7X9E/bRhfqiSIspAqvBDnxtxU4pB9MhWwQw0BvhV5XmLraqPdKY+wKXLPxyIG5TIJLF87aJDcNe87qL7hC7pOp0NeZ3Xz2v1zEmXwN9L4vTVBJvjSIpx5WwLzGZSIAmUuzjYtW5AI4atPYBRp82VxjbyKYUbtNldVRKeQ3x6g4OgsDI3vlDQpim5l9X9Ua3uFzO+0IXOWaUTsoNDK7sxZWwLDfyA9/URTIW08Ar5XSGj8DDO4lNvrV8F1Pp/2ho9hAvYGP/1Blvvfwbt/e9Hgcr7n1obfx/RWyzvIWrrcjYthGX7ndtmaequvqEyGg1lRFfMJ8uEGmbgrxyUnn7qFbwfNOm/9kbuZQaa9H8w6pfyP71Rr73/8SiwS//T3fhJzcBTT9AfHEr6r04nHvgPwDTo/+D4eOv993H79x8eB9R9FhnbpPdX9PsJGfdU3S0pvQQWm+ZiguSuITz3yLjUchLc4A23LDO7OkF9Kw+k0KfPlmUc/utXHlmyRaVeSxcaJujIQqUEzo6GKi+zi1LdvYwJmsNEEMvavocwQf/5r1W6VSDLrOeo6mBLXBIVx3a+vrj/3DjiinDC1RUIeTpuqeM9NUWXxroYf5EjP+szP2cBnTlrLDwlZ5b4gedI0s4r6sIMiJs8Vnq6alB1mYg0F5QuAvIhvxmlcLt47Y1HGk2udGdo9zq6IPsTPn2737dvv+5R9bdG1fn7CzGygaqwbduyCq7gxFKH4emNBuFYWm5WVf38p+rxD46kgohGzkdOw1RW84c4lS3kE5l+T51R6vcr/WHP2nomkq9KMgMdTKziMPt/s3sjdVCsL7ipZl1ZYZlPREoPRIznIQF1cdCNcLxM67K3Hz/0XvuKx8KbjvxFR6eHvncGI/S9+E8wUvcwILuLrxRTnvZWXtuvaFhx814orBrG9v347Ha8/i1jh2xo2RcxStWVbpk5yR6dVDBSfi6SWdRYFlgVD0EqqOhHG+m3eophZX+7Qckm0cuWdqGNe+tWtdBCCy200EILLbTQQgsttNBCCy200EILLbTQQgsttNBCCy200EILLbTQQgsttNDCVwz/B4y9xyoAeAAA
+      chart: H4sIAAAAAAAAA+0ca3PbNjKf+SswynWm7ZxIvSz3NJObcxNf6rnE1jhuOjc3NxmIhCRGFMECpG1dmv9+iwdJkCJFyXbspuW2M6EA7GIB7C52F4AjRq99j7DumsQ4cJ59CegBHB8dyX8Byv/K7/5w1B8cDcZjUQ5fvaNn6OiLcFOChMeYIfSMURrvatdU/5VCVFz/l0vMYnuD18ED9tG0/oP+UWn9R6Ph8BnqPSAPtfAnX38c+e8J4z4NJ+i6b+Eoyn/27P7AHlse4S7zo1gWnqCfSLBGrpATNKcMxUuCXmPmkZAw9FYIEZpqmULkNiahIGaFeE0mqChs1nW5p6eejD8hlPTfo669oA/cR5P+Hw3K9n847vVb/X8McJwFnSyE8uKYINt24P9rEnqUOQs/XiYz26VrZ6EVPP9YYnflpHhdl4Yxo0EAcsTIwucxlIJm23xZ0nlk6z7en16+O7s417/ILV5HAXHq6IgNCb1UldMAh2SiqJ2Fc4ahVeLGCUsLf6FsRZj6YVmOg6bAK14QbbRIiGcB4cgcN0+iiGqDpgv9cCFtm0sZI26MctZQgTUrMql/dSaspP8xgXWAGeEP6Qke7v+NjnrD1v97DKhd/w9LEkSwQdtxdF9fsGH9+4NB2f877g17rf1/DPj0qYs8MvdDgjrCSeug7ufPVmrmu5kH1y35bgIPtgnZ2jKJBHhGAm6DI2mvyEaRkz+SGWEhAdGyfeqIrgo0akhc4yDRPH36hPzQDRIv49RGGnEHI9u4ZQYFlQmqaaH7lz1tj8IPQXhCl0h0+5IEBHNinwNzlZxlrPlr2DAUZwiJGn+OlphPGdTfog5f4sHReALdvhfdQ1eivR3jBcowIuaH8Rx1vuH/+IaXWzISUe7HlG12kYAxkiqCkzsThMEa4y4viEeigG7WJIy1458JB3cg9DCm66mV4k8EtfYf/J25v1jjqCtX+hp8IMq6FJbuhvkxOSRH0LT/j8bDov0fDMfj49b+PwZo61PQ6vdyrS/SpVa2r5AmWPmhNxEOOYjIWxxZQng8HOMJWAIV6ldb62pZ0kgcPOkKUyqLlZFRhnlSYc4F+d+gEHatGI1E65Qd2SP/UBTcCfpNENk56iI5w6g99ZI9KDTr//2zgQ36D+o/Kvt/w9Go1f/HgIdS7Excvqgyq14yFUYA3W5X/msORMqynYq2nTmx3NYEUv/WdgOaeOB94CBa4r4klE2BDvfVZCQq3LdK9lLTcwMfeIWWIRgRaKZGCPyWyieyFJh1XRKJcmAsvtpEhMupYuTXxGfEQ50G+vY2AeTzDL/TxF8VvmZZTnJaeiBXBuZh7JiIGR+/RofOCmAc1q9AyPqbJYzHB/YocQ7rU6EUt5RqqVpjdwme85ncwVI+C4VSe2L6b5Ee24lcu5kJkiR2vVQyOeyBgJH+FCKMOT9PVb/UicC0NYqdtcynFNAxaLwfb5qxdUNjPbC7SqKcE+4uiZcE9YwoBDttl1LCSbxMqajkn1dFQjSzdX39mpRbKbKpqbmCmjCupV5sVrESPAqScHWSeH68B8dG62bGaxqrTpbE/fnyTVMfqlUB64quSLgHnmxXMWCwQzQJRbL19FZkYAnbZ6W2kPZYt504qkuI628oW10xPJ/7bi54h7FSpLLdC7ikYOxYiINz1XKXFjfTLxPLVb3fM2x6aoWAaD6wJeVxWKPaFT2bROwU1xyYaHcXWjL3XjAaJQd9Tzourh49UCSCszvRBMxdVP9FNncnvCKbMu1HDjRq/f88W3PvAKDB/x+Pxlv+/9G49f8fBUy3Oc3EKQ/4VSYAe0cBX8T35xGRtpiRa1/w+ZMvXIbNG38NmyTqyZoo8F3MC6ZHF74UOqg65cCLCPEn2o+K3eWb/fgYKwKpcmgCxqTIrSwMaSyDBJ5b2D3TK5lBga1yxZO1kX2TelmdNyksw7cygYv+Yl9pLu0fYeKnOF6izl7JvM53csgq+Qw8mHyVdu0aVneGhndgtoGtPYXoh9y5ItmmLgIODO4xy9aq2yTZeu8W8zdBnXL2yEyRf/482apWifJOkc40CYIpBTEtuscKI8oqC9NO12scermEdZFTcVqjpGYJ8RQzWhaNvXlqDzShT7NtV69bd+4H5IUDDrZTPTV6vRwjNi+TEb1E4tge+rkVBW7CGKxNlxHxAzrgL4obqOYr+5bYdo75bhO63JwX0ZNfuA1weF9F/MbeFiGFXmhEVGqgmxuA2g4kykWKcZIhlGnfyCsMh49A4TVxfkNmS0pX6QJnJvvFDotdi80JAzPSFR6OyZVupX0d1WhacvMENc/nwj82ZLEwOF2dZ2OEf/uR+iHq/LVTR0v3XUXoF11VQ4WE16ZmKYvw5vTk1enlh9M3py+vzi7OP5yfvD19Nz15eZq1REieE/6T0fXEKERo7pPAuyTzYqkuF+Zukm0jdrYMd908Un7P3p68Pn0PzF5cfrh4f3r5y+XZ1RavE+TICytGZtypTJXv2gPEovPtCUslRK260XNmdaflQGEfcZFhdkxdGkzQ1ctpOdBjhNOEuaQg7llhVYyVY/yGwjonPJs1GiRr8la4ExVDVspgsLoWDdUKN9vO+6543alKFTNbq260YwR7F2EAuxEYQVK/8mJ9fJecqAjnvHnffI5EsBqKPFBWIsTHO4EA6aSiCmUJtVcJuAqLdyqnA19n0obq4tNb4iZmYvW5nhfpB7wrOHxppZwQ4fxBWAYSwE2HLW/RRSuyqb0WkF0c2MJDSG0I0Cs6CyuqpfZVdCi63OMSQhEtphEN6GIjg9BO8XJCGqCnPocS4C1/pySBbpr6N03W3pn/FDwyx0kQv6Ue4I0GPV11kHjvJ9yH89ukLDt4/wMeANbG/6CcsGeyRN77niXegtw5EdB4/3d0XDr/74+Ox238/xigVXIRo29FRFYVPX+H+uUrAJGMS5zr/gykJk0YTKn3KpOYH6XE/D4yB+BG/xzia+wHwgWU5HkyaxzwvTMGX4PJqNV/NsPuAz0EatD/IUAp/zce9tr3P48C4vjc1Gy57OKwijL/f+qG++oH6U/ktwMCmDPCLmlADtHvQzSXJYHwVLriVP81o0kk3ZYuMk7yi0f4VsHVF01dxSWXP4qRfWWZA3IQJ6rKTDpUlJhNVcRd+M6rwbuYaXaEMZSOqc/Vx42wJvIryr6SCOaSbA87G1rjqFUex8tKi0x0vu9sE+90KiYv9em4USctsaovJZLAUosf0lqKSxKVI78pDzMfezVPXZmQlh+zDLdWPhWCt/alR194omE2iHxDhowKfaoGMUVeWpqUbINSPIEPCaGg/OTEZSTm21Mn7X9E/bRhfqiSIspAqvBDnxtxU4pB9MhWwQw0BvhV5XmLraqPdKY+wKXLPxyIG5TIJLF87aJDcNe87qL7hC7pOp0NeZ3Xz2v1zEmXwN9L4vTVBJvjSIpx5WwLzGZSIAmUuzjYtW5AI4atPYBRp82VxjbyKYUbtNldVRKeQ3x6g4OgsDI3vlDQpim5l9X9Ua3uFzO+0IXOWaUTsoNDK7sxZWwLDfyA9/URTIW08Ar5XSGj8DDO4lNvrV8F1Pp/2ho9hAvYGP/1Blvvfwbt/e9Hgcr7n1obfx/RWyzvIWrrcjYthGX7ndtmaequvqEyGg1lRFfMJ8uEGmbgrxyUnn7qFbwfNOm/9kbuZQaa9H8w6pfyP71Rr73/8SiwS//T3fhJzcBTT9AfHEr6r04nHvgPwDTo/+D4eOv993H79x8eB9R9FhnbpPdX9PsJGfdU3S0pvQQWm+ZiguSuITz3yLjUchLc4A23LDO7OkF9Kw+k0KfPlmUc/utXHlmyRaVeSxcaJujIQqUEzo6GKi+zi1LdvYwJmsNEEMvavocwQf/5r1W6VSDLrOeo6mBLXBIVx3a+vrj/3DjiinDC1RUIeTpuqeM9NUWXxroYf5EjP+szP2cBnTlrLDwlZ5b4gedI0s4r6sIMiJs8Vnq6alB1mYg0F5QuAvIhvxmlcLt47Y1HGk2udGdo9zq6IPsTPn2737dvv+5R9bdG1fn7CzGygaqwbduyCq7gxFKH4emNBuFYWm5WVf38p+rxD46kgohGzkdOw1RW84c4lS3kE5l+T51R6vcr/WHP2nomkq9KMgMdTKziMPt/s3sjdVCsL7ipZl1ZYZlPREoPRIznIQF1cdCNcLxM67K3Hz/0XvuKx8KbjvxFR6eHvncGI/S9+E8wUvcwILuLrxRTnvZWXtuvaFhx814orBrG9v347Ha8/i1jh2xo2RcxStWVbpk5yR6dVDBSfi6SWdRYFlgVD0EqqOhHG+m3eophZX+7Qckm0cuWdqGNe+tWtdBCCy200EILLbTQQgsttNBCCy200EILLbTQQgsttNBCCy200EILLbTQQgsttNDCVwz/B5YNy2gAeAAA
       values:
         image:
-          tag: v0.12.1
+          tag: v0.12.6

go.mod

@@ -22,7 +22,7 @@ require (
 	github.com/imdario/mergo v0.3.8
 	github.com/metal-stack/firewall-controller v0.1.8
 	github.com/metal-stack/machine-controller-manager-provider-metal v0.1.3
-	github.com/metal-stack/metal-go v0.8.3
+	github.com/metal-stack/metal-go v0.9.2
 	github.com/metal-stack/metal-lib v0.6.1
 	github.com/onsi/ginkgo v1.14.1
 	github.com/onsi/gomega v1.10.2

go.sum

@@ -664,6 +664,8 @@ github.com/metal-stack/masterdata-api v0.7.3 h1:w2+UlvqQuJGcVlaKUjdWp6sA01ufOY+0
 github.com/metal-stack/masterdata-api v0.7.3/go.mod h1:AT5m6KOkP6iyqwbDgGa1aQVdSn9bU7PkifjAmaNDLac=
 github.com/metal-stack/metal-go v0.8.3 h1:qY0QVkegUOh8l+wMVvVwDWNekntiD7ZuXuTeKjxrQjY=
 github.com/metal-stack/metal-go v0.8.3/go.mod h1:5emMVOjVD2tj6OxCBUYB8Xo1ruBnoP6idwypVV1pzec=
+github.com/metal-stack/metal-go v0.9.2 h1:fCbxQamPwaCJLmWFBDRjk5xpyy3/VFyPOKZ++BXnfM4=
+github.com/metal-stack/metal-go v0.9.2/go.mod h1:5emMVOjVD2tj6OxCBUYB8Xo1ruBnoP6idwypVV1pzec=
 github.com/metal-stack/metal-lib v0.5.0 h1:C3QScS7+wNWMiERB+j0x06WpRuTHW6A3rpuILMOAgss=
 github.com/metal-stack/metal-lib v0.5.0/go.mod h1:Vxr1OwM8fef1gtIv9fUiVU4Gq5mkd4ElHMpTjfuuSFQ=
 github.com/metal-stack/metal-lib v0.6.1 h1:6MUqkx2gPd5cafc3a5MLkGmoRhW3zb03qYzsZUyh6pU=

pkg/apis/metal/types_cloudprofile.go

@@ -28,10 +28,7 @@ type MetalControlPlane struct {
 }
 
 // Partition contains configuration specific for this metal stack control plane partition
-type Partition struct {
-	// FirewallNetworks contains a map of valid networks within this partition
-	FirewallNetworks map[string]string
-}
+type Partition struct{}
 
 // IAMConfig contains the config for all AuthN/AuthZ related components
 type IAMConfig struct {

pkg/apis/metal/v1alpha1/types_cloudprofile.go

@@ -28,10 +28,7 @@ type MetalControlPlane struct {
 }
 
 // Partition contains configuration specific for this metal stack control plane partition
-type Partition struct {
-	// FirewallNetworks contains a map of valid networks within this partition
-	FirewallNetworks map[string]string `json:"firewallNetworks,omitempty"`
-}
+type Partition struct{}
 
 // IAMConfig contains the config for all AuthN/AuthZ related components
 type IAMConfig struct {

pkg/apis/metal/validation/infrastructure.go

@@ -6,6 +6,7 @@ import (
 	"github.com/gardener/gardener/pkg/apis/core"
 	gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
 	apismetal "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal"
+	"github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/helper"
 
 	apivalidation "k8s.io/apimachinery/pkg/api/validation"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -50,6 +51,11 @@ func ValidateInfrastructureConfigAgainstCloudProfile(infra *apismetal.Infrastruc
 		allErrs = append(allErrs, field.Invalid(firewallPath.Child("image"), infra.Firewall.Image, fmt.Sprintf("supported values: %v", availableFirewallImages.List())))
 	}
 
+	_, _, err := helper.FindMetalControlPlane(cloudProfileConfig, infra.PartitionID)
+	if err != nil {
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("partitionID"), infra.PartitionID, "cloud profile does not define the given shoot partition"))
+	}
+
 	return allErrs
 }
 
@@ -97,14 +103,21 @@ func ValidateInfrastructureConfig(infra *apismetal.InfrastructureConfig) field.E
 }
 
 // ValidateInfrastructureConfigUpdate validates a InfrastructureConfig object.
-func ValidateInfrastructureConfigUpdate(oldConfig, newConfig *apismetal.InfrastructureConfig) field.ErrorList {
+func ValidateInfrastructureConfigUpdate(oldConfig, newConfig *apismetal.InfrastructureConfig, cloudProfileConfig *apismetal.CloudProfileConfig) field.ErrorList {
 	allErrs := field.ErrorList{}
 
 	allErrs = append(allErrs, apivalidation.ValidateImmutableField(newConfig.ProjectID, oldConfig.ProjectID, field.NewPath("projectID"))...)
 	allErrs = append(allErrs, apivalidation.ValidateImmutableField(newConfig.PartitionID, oldConfig.PartitionID, field.NewPath("partitionID"))...)
 
+	firewallPath := field.NewPath("firewall")
+
 	if len(newConfig.Firewall.Networks) == 0 {
-		allErrs = append(allErrs, field.Required(field.NewPath("firewall.networks"), "at least one external network needs to be defined as otherwise the cluster will under no circumstances be able to bootstrap"))
+		allErrs = append(allErrs, field.Required(firewallPath.Child("networks"), "at least one external network needs to be defined as otherwise the cluster will under no circumstances be able to bootstrap"))
+	}
+
+	_, _, err := helper.FindMetalControlPlane(cloudProfileConfig, newConfig.PartitionID)
+	if err != nil {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("partitionID"), newConfig.PartitionID, "cloud profile does not define the given shoot partition"))
 	}
 
 	return allErrs

pkg/apis/metal/validation/infrastructure_test.go

@@ -69,9 +69,7 @@ var _ = Describe("InfrastructureConfig validation", func() {
 						"prod": {
 							FirewallImages: []string{"image"},
 							Partitions: map[string]apismetal.Partition{
-								"partition-a": {
-									FirewallNetworks: map[string]string{"internet": "partition-a-network"},
-								},
+								"partition-a": {},
 							},
 						},
 					},
@@ -104,17 +102,6 @@ var _ = Describe("InfrastructureConfig validation", func() {
 					"Detail": Equal("supported values: [image]"),
 				}))))
 			})
-
-			It("should forbid because no firewall networks given", func() {
-				infrastructureConfig.Firewall.Networks = nil
-				errorList := ValidateInfrastructureConfigAgainstCloudProfile(infrastructureConfig, shoot, cloudProfile, cloudProfileConfig, field.NewPath("spec"))
-
-				Expect(errorList).To(ContainElement(PointTo(MatchFields(IgnoreExtras, Fields{
-					"Type":   Equal(field.ErrorTypeRequired),
-					"Field":  Equal("spec.firewall.networks"),
-					"Detail": Equal("at least one external network needs to be defined as otherwise the cluster will under no circumstances be able to bootstrap"),
-				}))))
-			})
 		})
 	})
 
@@ -183,17 +170,33 @@ var _ = Describe("InfrastructureConfig validation", func() {
 	})
 
 	Describe("#ValidateInfrastructureConfigUpdate", func() {
+		var (
+			cloudProfileConfig *apismetal.CloudProfileConfig
+		)
+		BeforeEach(func() {
+			cloudProfileConfig = &apismetal.CloudProfileConfig{
+				MetalControlPlanes: map[string]apismetal.MetalControlPlane{
+					"prod": {
+						FirewallImages: []string{"image"},
+						Partitions: map[string]apismetal.Partition{
+							"partition-a": {},
+						},
+					},
+				},
+			}
+		})
+
 		It("should return no errors for an unchanged config", func() {
-			Expect(ValidateInfrastructureConfigUpdate(infrastructureConfig, infrastructureConfig)).To(BeEmpty())
+			Expect(ValidateInfrastructureConfigUpdate(infrastructureConfig, infrastructureConfig, cloudProfileConfig)).To(BeEmpty())
 		})
 
 		It("should not allow changing partition", func() {
 			newInfrastructureConfig := infrastructureConfig.DeepCopy()
 			newInfrastructureConfig.PartitionID = "unknown"
 
-			errorList := ValidateInfrastructureConfigUpdate(infrastructureConfig, newInfrastructureConfig)
+			errorList := ValidateInfrastructureConfigUpdate(infrastructureConfig, newInfrastructureConfig, cloudProfileConfig)
 
-			Expect(errorList).To(ConsistOf(PointTo(MatchFields(IgnoreExtras, Fields{
+			Expect(errorList).To(ContainElements(PointTo(MatchFields(IgnoreExtras, Fields{
 				"Type":  Equal(field.ErrorTypeInvalid),
 				"Field": Equal("partitionID"),
 			}))))
@@ -203,7 +206,7 @@ var _ = Describe("InfrastructureConfig validation", func() {
 			newInfrastructureConfig := infrastructureConfig.DeepCopy()
 			newInfrastructureConfig.ProjectID = "unknown"
 
-			errorList := ValidateInfrastructureConfigUpdate(infrastructureConfig, newInfrastructureConfig)
+			errorList := ValidateInfrastructureConfigUpdate(infrastructureConfig, newInfrastructureConfig, cloudProfileConfig)
 
 			Expect(errorList).To(ConsistOf(PointTo(MatchFields(IgnoreExtras, Fields{
 				"Type":  Equal(field.ErrorTypeInvalid),
@@ -215,24 +218,14 @@ var _ = Describe("InfrastructureConfig validation", func() {
 			newInfrastructureConfig := infrastructureConfig.DeepCopy()
 			newInfrastructureConfig.Firewall.Networks = []string{}
 
-			errorList := ValidateInfrastructureConfigUpdate(infrastructureConfig, newInfrastructureConfig)
+			errorList := ValidateInfrastructureConfigUpdate(infrastructureConfig, newInfrastructureConfig, cloudProfileConfig)
 
 			Expect(errorList).To(ConsistOf(PointTo(MatchFields(IgnoreExtras, Fields{
 				"Type":   Equal(field.ErrorTypeRequired),
 				"Field":  Equal("firewall.networks"),
 				"Detail": Equal("at least one external network needs to be defined as otherwise the cluster will under no circumstances be able to bootstrap"),
 			}))))
 		})
-
-		It("order of networks does not matter", func() {
-			infrastructureConfig.Firewall.Networks = []string{"a", "b"}
-			newInfrastructureConfig := infrastructureConfig.DeepCopy()
-			newInfrastructureConfig.Firewall.Networks = []string{"b", "a"}
-
-			errorList := ValidateInfrastructureConfigUpdate(infrastructureConfig, newInfrastructureConfig)
-
-			Expect(errorList).To(BeEmpty())
-		})
 	})
 
 })