Firewall controller manager (#9)

capi-lab/deploy.yaml

@@ -14,5 +14,8 @@
     - name: prometheus
     - name: firewall-controller-manager
       vars:
-        firewall_controller_manager_namespace: cap-metal-stack
+        firewall_controller_manager_namespace: capms-system
+        firewall_controller_manager_ca: "{{ lookup('file', playbook_dir + '/fcm-certs/ca.pem') }}"
+        firewall_controller_manager_cert: "{{ lookup('file', playbook_dir + '/fcm-certs/tls.crt') }}"
+        firewall_controller_manager_cert_key: "{{ lookup('file', playbook_dir + '/fcm-certs/tls.key') }}"
     - name: cluster-api-provider-metal-stack

capi-lab/fcm-certs/ca-config.json

@@ -0,0 +1,18 @@
+{
+    "signing": {
+        "default": {
+            "expiry": "168h"
+        },
+        "profiles": {
+            "client-server": {
+                "expiry": "8760h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "server auth",
+                    "client auth"
+                ]
+            }
+        }
+    }
+}

capi-lab/fcm-certs/ca-csr.json

@@ -0,0 +1,14 @@
+{
+    "CN": "ca",
+    "key": {
+        "algo": "ecdsa",
+        "size": 256
+    },
+    "names": [
+        {
+            "C": "DE",
+            "L": "Bavaria",
+            "ST": "Munich"
+        }
+    ]
+}

capi-lab/fcm-certs/ca-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIFUGS1Xbmf1C9NcitDjcU3yfM3JUSS8SAeIHAvkHgofhoAoGCCqGSM49
+AwEHoUQDQgAEYPaD8+nz3ffhuV3iq3958NFnO28pCIfXiZOCVLyQYsvlr88eFbrN
+vjEHXAmvxTp5X2hlY5dbVh/CPC6FJbBFCw==
+-----END EC PRIVATE KEY-----

capi-lab/fcm-certs/ca.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBvjCCAWSgAwIBAgIUQBnjRL2py37bbgxj2/pB9TYZdSMwCgYIKoZIzj0EAwIw
+PTELMAkGA1UEBhMCREUxDzANBgNVBAgTBk11bmljaDEQMA4GA1UEBxMHQmF2YXJp
+YTELMAkGA1UEAxMCY2EwHhcNMjQxMTIxMTIxMjAwWhcNMjkxMTIwMTIxMjAwWjA9
+MQswCQYDVQQGEwJERTEPMA0GA1UECBMGTXVuaWNoMRAwDgYDVQQHEwdCYXZhcmlh
+MQswCQYDVQQDEwJjYTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGD2g/Pp8933
+4bld4qt/efDRZztvKQiH14mTglS8kGLL5a/PHhW6zb4xB1wJr8U6eV9oZWOXW1Yf
+wjwuhSWwRQujQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G
+A1UdDgQWBBT0JWN2t5PTJEOyBBbfGqjUdrsMXTAKBggqhkjOPQQDAgNIADBFAiEA
+ojnyHUbtmkx1xnuon+VFZKjccZxyoMaU/0u2Sz0MhWwCICrpHbQTNLoL8Q48UfJK
+33EilS1z6lxn/nM6+ql8WVfO
+-----END CERTIFICATE-----

capi-lab/fcm-certs/roll.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+echo "generating example certs"
+cfssl genkey -initca ca-csr.json | cfssljson -bare ca
+cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client-server tls.json | cfssljson -bare tls
+rm *.csr
+mv tls.pem tls.crt
+mv tls-key.pem tls.key

capi-lab/fcm-certs/tls.crt

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIIChjCCAiugAwIBAgIUfIGP//S9eEv3UtQ/ZlfTc579jdowCgYIKoZIzj0EAwIw
+PTELMAkGA1UEBhMCREUxDzANBgNVBAgTBk11bmljaDEQMA4GA1UEBxMHQmF2YXJp
+YTELMAkGA1UEAxMCY2EwHhcNMjQxMTIxMTIxMjAwWhcNMjUxMTIxMTIxMjAwWjBE
+MQswCQYDVQQGEwJERTEPMA0GA1UECBMGTXVuaWNoMRAwDgYDVQQHEwdCYXZhcmlh
+MRIwEAYDVQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQJ
+MoYtsmZB2s53fzS+LXf/rFSI6sHiKJ4kbenK04agoarAsIGniCPgRb4MUj2LvhC5
+1xJJncCC21QVUZCXZb+lo4IBADCB/TAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFNDY
+PWHrOS2a1CtLw91V3cKk+Y6NMB8GA1UdIwQYMBaAFPQlY3a3k9MkQ7IEFt8aqNR2
+uwxdMH4GA1UdEQR3MHWCCWxvY2FsaG9zdIIsZmlyZXdhbGwtY29udHJvbGxlci1t
+YW5hZ2VyLmNhcG1zLXN5c3RlbS5zdmOCOmZpcmV3YWxsLWNvbnRyb2xsZXItbWFu
+YWdlci5jYXBtcy1zeXN0ZW0uc3ZjLmNsdXN0ZXIubG9jYWwwCgYIKoZIzj0EAwID
+SQAwRgIhAKlzsenMaiXH+IqONSjxL/Bk5Xk7HM+sWfbTyVoOHXnhAiEA0nd2f04Z
+R36a+jGSXPxMgR2OOmScjfOUk3xnDDInMQE=
+-----END CERTIFICATE-----

capi-lab/fcm-certs/tls.json

@@ -0,0 +1,19 @@
+{
+  "CN": "localhost",
+  "hosts": [
+    "localhost",
+    "firewall-controller-manager.capms-system.svc",
+    "firewall-controller-manager.capms-system.svc.cluster.local"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "names": [
+    {
+      "C": "DE",
+      "L": "Bavaria",
+      "ST": "Munich"
+    }
+  ]
+}

capi-lab/fcm-certs/tls.key

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICCR8PczdJo8Tjpum62cO2hrlS0irQRVAgYhzcAr9raXoAoGCCqGSM49
+AwEHoUQDQgAECTKGLbJmQdrOd380vi13/6xUiOrB4iieJG3pytOGoKGqwLCBp4gj
+4EW+DFI9i74QudcSSZ3AgttUFVGQl2W/pQ==
+-----END EC PRIVATE KEY-----

capi-lab/roles/firewall-controller-manager/defaults/main.yaml

@@ -1,2 +1,29 @@
 ---
 firewall_controller_manager_namespace: "firewall-controller-manager"
+
+firewall_controller_manager_image_pull_policy: Always
+firewall_controller_manager_replicas: 1
+# firewall_controller_manager_pod_annotations:
+
+firewall_controller_manager_seed_api_url: https://kubernetes
+firewall_controller_manager_shoot_api_url:
+firewall_controller_manager_cluster_id:
+
+firewall_controller_manager_metalapi_url: http://metal-api.metal-control-plane.svc.cluster.local:8080
+firewall_controller_manager_metalapi_hmac: metal-admin
+
+firewall_controller_manager_generic_token_kubeconfig_secret_name:
+firewall_controller_manager_ssh_key_secret_name:
+
+firewall_controller_manager_shoot_access_token_secret: "shoot-access-firewall-controller-manager"
+
+firewall_controller_manager_ca:
+firewall_controller_manager_cert:
+firewall_controller_manager_cert_key:
+
+firewall_controller_manager_pod_annotations: {}
+
+firewall_controller_manager_crd_fetch_base_url: "https://raw.githubusercontent.com/metal-stack/firewall-controller-manager/refs/heads/"
+# TODO:
+# firewall_controller_manager_crd_fetch_base_url: "https://raw.githubusercontent.com/metal-stack/firewall-controller-manager/refs/tags/"
+firewall_controller_manager_image_tag: initial-firewall-ruleset

capi-lab/roles/firewall-controller-manager/tasks/main.yaml

@@ -8,22 +8,36 @@
       apiVersion: v1
       kind: Namespace
       metadata:
-        name: "{{ firewall_controller_manager_namespace }}"
+        name: "{{ item }}"
         labels:
-          name: "{{ firewall_controller_manager_namespace }}"
+          name: "{{ item }}"
+  loop:
+    - "{{ firewall_controller_manager_namespace }}"
+    - firewall
 
 - name: Deploy firewall-controller-manager CRDs
   k8s:
-    definition: "{{ lookup('url', 'https://raw.githubusercontent.com/metal-stack/firewall-controller-manager/refs/tags/' + firewall_controller_manager_image_tag + '/config/crds/' + item, split_lines=False) }}"
+    definition: "{{ lookup('url', firewall_controller_manager_crd_fetch_base_url + firewall_controller_manager_image_tag + '/config/crds/' + item, split_lines=False) }}"
     namespace: "{{ firewall_controller_manager_namespace }}"
+    apply: true
   loop:
     - firewall.metal-stack.io_firewalldeployments.yaml
     - firewall.metal-stack.io_firewallmonitors.yaml
     - firewall.metal-stack.io_firewalls.yaml
     - firewall.metal-stack.io_firewallsets.yaml
 
-# - name: Deploy firewall-controller-manager
-#   k8s:
-#     definition:
-
-#     namespace: "{{ firewall_controller_manager_namespace }}"
+- name: Deploy firewall-controller-manager
+  k8s:
+    definition: "{{ lookup('template', item) }}"
+    namespace: "{{ firewall_controller_manager_namespace }}"
+    apply: true
+  loop:
+    - sa.yaml
+    - cluster-role.yaml
+    - cluster-role-binding.yaml
+    - mutatingwebhookconfiguration.yaml
+    - validatingwebhookconfiguration.yaml
+    - secret.yaml
+    - secret-ca.yaml
+    - deployment.yaml
+    - service.yaml

capi-lab/roles/firewall-controller-manager/templates/cluster-role-binding.yaml

@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: firewall-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: firewall-controller-manager
+subjects:
+- kind: ServiceAccount
+  name: firewall-controller-manager
+  namespace: {{ firewall_controller_manager_namespace }}

capi-lab/roles/firewall-controller-manager/templates/cluster-role.yaml

@@ -0,0 +1,87 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: firewall-controller-manager
+rules:
+- apiGroups:
+  - firewall.metal-stack.io
+  resources:
+  - firewalls
+  - firewalls/status
+  - firewallsets
+  - firewallsets/status
+  - firewalldeployments
+  - firewalldeployments/status
+  - firewallmonitors
+  - firewallmonitors/status
+  verbs:
+  - '*'
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - serviceaccounts
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - create
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - rolebindings
+  - clusterroles
+  - clusterrolebindings
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - create
+- apiGroups:
+  - extensions.gardener.cloud
+  resources:
+  - infrastructures
+  - extensions
+  verbs:
+  - get
+- apiGroups:
+  - extensions.gardener.cloud
+  resources:
+  - infrastructures/status
+  verbs:
+  - patch
+- apiGroups:
+  - extensions.gardener.cloud
+  resources:
+  - extensions
+  verbs:
+  - update

capi-lab/roles/firewall-controller-manager/templates/deployment.yaml

@@ -0,0 +1,78 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: firewall-controller-manager
+  namespace: {{ firewall_controller_manager_namespace }}
+  labels:
+    app: firewall-controller-manager
+spec:
+  selector:
+    matchLabels:
+      app: firewall-controller-manager
+  replicas: {{ firewall_controller_manager_replicas }}
+  template:
+    metadata:
+      labels:
+        app: firewall-controller-manager
+{% if firewall_controller_manager_pod_annotations %}
+      annotations:
+{{ firewall_controller_manager_pod_annotations | to_nice_yaml | indent(width=8, first=true) }}
+{% endif %}
+    spec:
+      serviceAccountName: firewall-controller-manager
+      containers:
+      - name: firewall-controller-manager
+        image: {{ firewall_controller_manager_image_name }}:{{ firewall_controller_manager_image_tag }}
+        imagePullPolicy: {{ firewall_controller_manager_image_pull_policy }}
+        args:
+          - -cert-dir=/certs
+          - -log-level=info
+          - -seed-api-url={{ firewall_controller_manager_seed_api_url }}
+          # - -shoot-api-url={{ firewall_controller_manager_shoot_api_url }}
+          # - -internal-shoot-api-url=https://kube-apiserver
+          # - -cluster-id={{ firewall_controller_manager_cluster_id }}
+          - -enable-leader-election
+          - -metal-api-url={{ firewall_controller_manager_metalapi_url }}
+          - -namespace={{ firewall_controller_manager_namespace }}
+          - -shoot-kubeconfig-secret-name=none
+          - -shoot-token-secret-name=none
+          - -ssh-key-secret-name=none
+          # - -shoot-token-path=/token
+        env:
+          - name: METAL_AUTH_HMAC
+            valueFrom:
+              secretKeyRef:
+                name: firewall-controller-manager-config
+                key: api-hmac
+        livenessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        volumeMounts:
+        - name: webhook-certs
+          mountPath: "/certs"
+          readOnly: true
+        - name: token-dir
+          mountPath: "/token"
+        resources:
+          limits:
+            cpu: 400m
+            memory: 400Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+      volumes:
+      - name: webhook-certs
+        secret:
+          secretName: firewall-controller-manager-certs
+      - name: token-dir
+        emptyDir: {}