feat: firewall controller manager
vknabel committed Nov 21, 2024
1 parent b52af90 commit 1276a3e
Showing 2 changed files with 388 additions and 0 deletions.
17 changes: 17 additions & 0 deletions capi-lab/roles/firewall-controller-manager/defaults/main.yaml
@@ -1,2 +1,19 @@
---
firewall_controller_manager_namespace: "firewall-controller-manager"

firewall_controller_manager_image: ghcr.io/metal-stack/firewall-controller-manager
firewall_controller_manager_image_pull_policy: Always
firewall_controller_manager_replicas: 1
# firewall_controller_manager_pod_annotations:

firewall_controller_manager_seed_api_url:
firewall_controller_manager_shoot_api_url:
firewall_controller_manager_cluster_id:
firewall_controller_manager_metalapi_url:
firewall_controller_manager_generic_token_kubeconfig_secret_name:
firewall_controller_manager_ssh_key_secret_name:

firewall_controller_manager_shoot_access_token_secret: "shoot-access-firewall-controller-manager"

firewall_controller_manager_secrets_server:
firewall_controller_manager_ca_bundle:
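Review bot: `firewall_controller_manager_image` on the third line of the hunk has no tag or digest, and the line below it sets `imagePullPolicy: Always`, so every pod start re-resolves `latest` from ghcr.io and a registry-side change silently changes what runs in the seed; pin the image, e.g. add `firewall_controller_manager_image_tag: "<version placeholder>"` and join it in the template as `{{ firewall_controller_manager_image }}:{{ firewall_controller_manager_image_tag }}` (a digest would be stronger still). The six bare keys from `firewall_controller_manager_seed_api_url` downwards, plus `firewall_controller_manager_secrets_server` and `firewall_controller_manager_ca_bundle`, parse as `null` rather than leaving the variable undefined, so Ansible's undefined-variable check no longer catches a forgotten inventory value and the template presumably renders an empty or `None` flag instead of failing. Either write `null` explicitly with a comment marking each as mandatory, or drop these keys from defaults so a missing value fails at render time.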
@@ -0,0 +1,371 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: firewall-controller-manager
namespace: {{ firewall_controller_manager_namespace }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: firewall-controller-manager
namespace: {{ firewall_controller_manager_namespace }}
rules:
- apiGroups:
- firewall.metal-stack.io
resources:
- firewalls
- firewalls/status
- firewallsets
- firewallsets/status
- firewalldeployments
- firewalldeployments/status
verbs:
- '*'
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- update
- patch
- create
- apiGroups:
- ""
resources:
- secrets
- serviceaccounts
verbs:
- get
- list
- watch
- update
- patch
- create
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- get
- list
- watch
- update
- patch
- create
- apiGroups:
- ""
resources:
- events
verbs:
- get
- list
- watch
- update
- patch
- create
- apiGroups:
- extensions.gardener.cloud
resources:
- infrastructures
- extensions
verbs:
- get
- apiGroups:
- extensions.gardener.cloud
resources:
- infrastructures/status
verbs:
- patch
- apiGroups:
- extensions.gardener.cloud
resources:
- extensions
verbs:
- update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: firewall-controller-manager
namespace: {{ firewall_controller_manager_namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: firewall-controller-manager
subjects:
- kind: ServiceAccount
name: firewall-controller-manager
namespace: {{ firewall_controller_manager_namespace }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: firewall-controller-manager
namespace: {{ firewall_controller_manager_namespace }}
labels:
app: firewall-controller-manager
spec:
selector:
matchLabels:
app: firewall-controller-manager
replicas: {{ firewall_controller_manager_replicas }}
template:
metadata:
labels:
app: firewall-controller-manager
networking.gardener.cloud/from-prometheus: "allowed"
networking.gardener.cloud/to-dns: "allowed"
networking.gardener.cloud/to-public-networks: "allowed"
networking.gardener.cloud/to-private-networks: "allowed"
networking.gardener.cloud/to-shoot-apiserver: "allowed"
networking.gardener.cloud/to-runtime-apiserver: "allowed"
networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: "allowed"
{% if firewall_controller_manager_pod_annotations %}
annotations:
{{ firewall_controller_manager_pod_annotations | to_nice_yaml | indent(width=8, first=true) }}
{% end %}
spec:
serviceAccountName: firewall-controller-manager
containers:
- name: firewall-controller-manager
image: {{ firewall_controller_manager_image }}
imagePullPolicy: {{ firewall_controller_manager_image_pull_policy }}
args:
- -cert-dir=/certs
- -log-level=info
- -seed-api-url={{ firewall_controller_manager_seed_api_url }}
- -shoot-api-url={{ firewall_controller_manager_shootapiURL }}
- -internal-shoot-api-url=https://kube-apiserver
- -cluster-id={{ firewall_controller_manager_clusterID }}
- -enable-leader-election
- -metal-api-url={{ firewall_controller_manager_metalapi_url }}
- -namespace={{ firewall_controller_manager_namespace }}
- -shoot-kubeconfig-secret-name={{ firewall_controller_manager_generic_token_kubeconfig_secret_name }}
- -shoot-token-secret-name=shoot-access-firewall-controller-manager
- -ssh-key-secret-name={{ firewall_controller_manager_ssh_key_secret_name }}
- -shoot-token-path=/token
env:
- name: METAL_AUTH_HMAC
valueFrom:
secretKeyRef:
name: cloudprovider
key: metalAPIHMac
livenessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
volumeMounts:
- name: webhook-certs
mountPath: "/certs"
readOnly: true
- name: token-dir
mountPath: "/token"
resources:
limits:
cpu: 400m
memory: 400Mi
requests:
cpu: 100m
memory: 20Mi
volumes:
- name: webhook-certs
secret:
secretName: {{ firewall_controller_manager_secrets_server }}
- name: token-dir
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: firewall-controller-manager
namespace: {{ firewall_controller_manager_namespace }}
labels:
app: firewall-controller-manager
annotations:
networking.resources.gardener.cloud/from-world-to-ports: '[{"protocol":"TCP","port":9443}]'
networking.resources.gardener.cloud/from-all-webhook-targets-allowed-ports: '[{"protocol":"TCP","port":9443}]'
networking.resources.gardener.cloud/from-all-seed-scrape-targets-allowed-ports: '[{"protocol":"TCP","port":2112}]'
spec:
type: ClusterIP
ports:
- name: webhooks
port: 9443
protocol: TCP
- name: metrics
port: 2112
protocol: TCP
selector:
app: firewall-controller-manager
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: firewall-controller-manager-{{ firewall_controller_manager_namespace }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ firewall_controller_manager_ca_bundle | b64encode }}
service:
name: firewall-controller-manager
namespace: {{ firewall_controller_manager_namespace }}
port: 9443
path: /mutate-firewall-metal-stack-io-v2-firewall
failurePolicy: Fail
name: firewall.metal-stack.io
objectSelector:
matchLabels:
gardener-shoot-namespace: {{ firewall_controller_manager_namespace }}
rules:
- apiGroups:
- firewall.metal-stack.io
apiVersions:
- v2
operations:
- CREATE
resources:
- firewalls
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ firewall_controller_manager_caBundle | b64encode }}
service:
name: firewall-controller-manager
namespace: {{ firewall_controller_manager_namespace }}
port: 9443
path: /mutate-firewall-metal-stack-io-v2-firewallset
failurePolicy: Fail
name: firewallset.metal-stack.io
objectSelector:
matchLabels:
gardener-shoot-namespace: {{ firewall_controller_manager_namespace }}
rules:
- apiGroups:
- firewall.metal-stack.io
apiVersions:
- v2
operations:
- CREATE
resources:
- firewallsets
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ firewall_controller_manager_ca_bundle | b64encode }}
service:
name: firewall-controller-manager
namespace: {{ firewall_controller_manager_namespace }}
port: 9443
path: /mutate-firewall-metal-stack-io-v2-firewalldeployment
failurePolicy: Fail
name: firewalldeployment.metal-stack.io
objectSelector:
matchLabels:
gardener-shoot-namespace: {{ firewall_controller_manager_namespace }}
rules:
- apiGroups:
- firewall.metal-stack.io
apiVersions:
- v2
operations:
- CREATE
resources:
- firewalldeployments
sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: firewall-controller-manager-{{ firewall_controller_manager_namespace }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ firewall_controller_manager_ca_bundle | b64encode }}
service:
name: firewall-controller-manager
namespace: {{ firewall_controller_manager_namespace }}
port: 9443
path: /validate-firewall-metal-stack-io-v2-firewall
failurePolicy: Fail
name: firewall.metal-stack.io
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: {{ firewall_controller_manager_namespace }}
rules:
- apiGroups:
- firewall.metal-stack.io
apiVersions:
- v2
operations:
- CREATE
- UPDATE
resources:
- firewalls
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ firewall_controller_manager_ca_bundle | b64encode }}
service:
name: firewall-controller-manager
namespace: {{ firewall_controller_manager_namespace }}
port: 9443
path: /validate-firewall-metal-stack-io-v2-firewallset
failurePolicy: Fail
name: firewallset.metal-stack.io
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: {{ firewall_controller_manager_namespace }}
rules:
- apiGroups:
- firewall.metal-stack.io
apiVersions:
- v2
operations:
- CREATE
- UPDATE
resources:
- firewallsets
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ firewall_controller_manager_ca_bundle | b64encode }}
service:
name: firewall-controller-manager
namespace: {{ firewall_controller_manager_namespace }}
port: 9443
path: /validate-firewall-metal-stack-io-v2-firewalldeployment
failurePolicy: Fail
name: firewalldeployment.metal-stack.io
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: {{ firewall_controller_manager_namespace }}
rules:
- apiGroups:
- firewall.metal-stack.io
apiVersions:
- v2
operations:
- CREATE
- UPDATE
resources:
- firewalldeployments
sideEffects: None
