test(fw): rely on capms firewall instead of manual one

Author: vknabel

DEVELOPMENT.md

@@ -18,10 +18,10 @@ Next install our CAPMS provider into the cluster.
 make push-to-capi-lab
 ```
 
-Before creating a cluster some manual steps are required beforehand: you need to allocate a node network and a firewall.
+Before creating a cluster some manual steps are required beforehand: you need to allocate a node network.
 
 ```bash
-make -C capi-lab node-network firewall control-plane-ip
+make -C capi-lab node-network control-plane-ip
 ```
 
 A basic cluster configuration that relies on `config/clusterctl-templates/cluster-template.yaml` and uses the aforementioned node network can be generated and applied to the management cluster using a make target.
@@ -181,16 +181,14 @@ export WORKER_MACHINE_COUNT=1
 export repo_path=$HOME/path/to/cluster-api-provider-metal-stack
 export project_name=
 export tenant_name=
-export firewall_id=
 ```
 
-Create firewall if needed:
+Create project, node network and control plane ip if needed:
 
 ```bash
 metalctl project create --name $project_name --tenant $tenant_name --description "Cluster API test project"
 metalctl network allocate --description "Node network for $CLUSTER_NAME" --name $CLUSTER_NAME --project $METAL_PROJECT_ID --partition $METAL_PARTITION
 metalctl network ip create --network internet --project $METAL_PROJECT_ID --name "$CLUSTER_NAME-vip" --type static -o template --template "{{ .ipaddress }}"
-metalctl firewall create --description "Firewall for $CLUSTER_NAME cluster" --name firewall-$CLUSTER_NAME --hostname firewall-$CLUSTER_NAME --project $METAL_PROJECT_ID --partition $METAL_PARTITION --image $FIREWALL_MACHINE_IMAGE  --size $FIREWALL_MACHINE_SIZE --firewall-rules-file $repo_path/config/target-cluster/firewall-rules.yaml --networks internet,$METAL_NODE_NETWORK_ID
 ```
 
 ```bash
@@ -201,12 +199,6 @@ clusterctl init --infrastructure metal-stack --kubeconfig kind-bootstrap.kubecon
 clusterctl generate cluster $CLUSTER_NAME --infrastructure metal-stack > cluster-$CLUSTER_NAME.yaml
 kubectl apply -n $NAMESPACE -f cluster-$CLUSTER_NAME.yaml
 
-# once the control plane node is in phoned home
-metalctl machine consolepassword $firewall_id
-metalctl machine console --ipmi $firewall_id
-# sudo systemctl restart frr
-# ~.
-
 kubectl --kubeconfig kind-bootstrap.kubeconfig -n $NAMESPACE get metalstackmachines.infrastructure.cluster.x-k8s.io
 export control_plane_machine_id=
 metalctl machine console --ipmi $control_plane_machine_id

README.md

@@ -15,7 +15,7 @@ Currently, we provide the following custom resources:
 We plan to cover more resources in the future:
 
 - Node Networks
-- Firewall Deployments
+- Complete Firewall Deployments using the [Firewall Controller Manager](https://github.com/metal-stack/firewall-controller-manager)
 - Improved configuration suggestion of CNIs
 
 > [!note]
@@ -76,15 +76,6 @@ Allocate a VIP for the control plane.
 export CONTROL_PLANE_IP=$(metalctl network ip create --network internet --project $METAL_PROJECT_ID --name "$CLUSTER_NAME-vip" --type static -o template --template "{{ .ipaddress }}")
 ```
 
-A firewall needs to be created with appropriate firewall rules. An example can be found at [firewall-rules.yaml](config/target-cluster/firewall-rules.yaml).
-```bash
-# export environment variable for the firewall image and size
-export FIREWALL_MACHINE_IMAGE=<firewall-image>
-export FIREWALL_MACHINE_SIZE=<machine-size>
-
-metalctl firewall create --description "Firewall for $CLUSTER_NAME" --name "$CLUSTER_NAME-fw" --hostname "$CLUSTER_NAME-fw" --project $METAL_PROJECT_ID --partition $METAL_PARTITION --image $FIREWALL_MACHINE_IMAGE  --size $FIREWALL_MACHINE_SIZE --firewall-rules-file=<rules.yaml> --networks internet,$METAL_NODE_NETWORK_ID
-```
-
 For your first cluster, it is advised to start with our generated template. Ensure that the namespaced cluster name is unique within the metal stack project.
 
 ```bash
@@ -96,6 +87,8 @@ export CONTROL_PLANE_MACHINE_IMAGE=<machine-image>
 export CONTROL_PLANE_MACHINE_SIZE=<machine-size>
 export WORKER_MACHINE_IMAGE=<machine-image>
 export WORKER_MACHINE_SIZE=<machine-size>
+export FIREWALL_MACHINE_IMAGE=<machine-image>
+export FIREWALL_MACHINE_SIZE=<machine-size>
 
 # generate manifest
 clusterctl generate cluster $CLUSTER_NAME --kubernetes-version v1.32.9 --infrastructure metal-stack

capi-lab/Makefile

@@ -59,10 +59,6 @@ controller:
 	kubectl --kubeconfig=$(KUBECONFIG) patch deployments.apps -n cap-metal-stack metal-stack-controller-manager --patch='{"spec":{"template":{"spec":{"containers":[{"name": "manager","imagePullPolicy":"IfNotPresent","image":"$(IMG)"}]}}}}'
 	kubectl --kubeconfig=$(KUBECONFIG) delete pod -n cap-metal-stack -l control-plane=metal-stack-controller-manager
 
-.PHONY: firewall
-firewall:
-	metalctl firewall create --description fw --name fw --hostname fw --project 00000000-0000-0000-0000-000000000001 --partition mini-lab --image firewall-ubuntu-3.0 --size v1-small-x86 --firewall-rules-file=firewall-rules.yaml --networks internet-mini-lab,$(shell metalctl network list --name $(CLUSTER_NAME) -o template --template '{{ .id }}')
-
 .PHONY: node-network
 node-network:
 	metalctl network allocate --description "node network for $(CLUSTER_NAME) cluster" --name $(CLUSTER_NAME) --project 00000000-0000-0000-0000-000000000001 --partition mini-lab

test/e2e/frmwrk/cluster_upgrade_kubernetes_test.go

@@ -200,8 +200,8 @@ func capi_e2e_ClusterUpgradeConformanceSpec(ctx context.Context, inputGetter fun
 				Namespace:                namespace.Name,
 				ClusterName:              clusterName,
 				KubernetesVersion:        input.E2EConfig.MustGetVariable(capi_e2e.KubernetesVersionUpgradeFrom),
-				ControlPlaneMachineCount: ptr.To[int64](controlPlaneMachineCount),
-				WorkerMachineCount:       ptr.To[int64](workerMachineCount),
+				ControlPlaneMachineCount: ptr.To(controlPlaneMachineCount),
+				WorkerMachineCount:       ptr.To(workerMachineCount),
 			},
 			ControlPlaneWaiters:     input.ControlPlaneWaiters,
 			WaitForClusterIntervals: input.E2EConfig.GetIntervals(specName, "wait-cluster"), WaitForControlPlaneIntervals: input.E2EConfig.GetIntervals(specName, "wait-control-plane"),

test/e2e/frmwrk/shared_cluster.go

@@ -12,9 +12,7 @@ import (
 	. "github.com/onsi/ginkgo/v2" //nolint:staticcheck
 	. "github.com/onsi/gomega"    //nolint:staticcheck
 
-	metalfw "github.com/metal-stack/metal-go/api/client/firewall"
 	metalip "github.com/metal-stack/metal-go/api/client/ip"
-	metalmachine "github.com/metal-stack/metal-go/api/client/machine"
 	metalnetwork "github.com/metal-stack/metal-go/api/client/network"
 	metalmodels "github.com/metal-stack/metal-go/api/models"
 
@@ -130,15 +128,13 @@ func (e2e *E2ECluster) teardownNamespace(ctx context.Context) {
 func (e2e *E2ECluster) SetupMetalStackPreconditions(ctx context.Context) {
 	By("Setup Preconditions")
 	e2e.setupNodeNetwork(ctx)
-	e2e.setupFirewall(ctx)
 	e2e.setupControlPlaneIP(ctx)
 }
 
 func (e2e *E2ECluster) Teardown(ctx context.Context) {
 	e2e.teardownAddons(ctx)
 	e2e.teardownCluster(ctx)
 	e2e.teardownControlPlaneIP(ctx)
-	e2e.teardownFirewall(ctx)
 	e2e.teardownNodeNetwork(ctx)
 	e2e.teardownNamespace(ctx)
 }
@@ -173,94 +169,6 @@ func (e2e *E2ECluster) teardownNodeNetwork(ctx context.Context) {
 	e2e.Refs.NodeNetwork = nil
 }
 
-func (e2e *E2ECluster) setupFirewall(ctx context.Context) {
-	By("Setup Firewall")
-
-	fcr := &metalmodels.V1FirewallCreateRequest{
-		Name:        e2e.ClusterName + "-fw",
-		Hostname:    e2e.ClusterName + "-fw",
-		Description: "Firewall for " + e2e.ClusterName,
-		Partitionid: &e2e.E2EContext.Environment.partition,
-		Projectid:   &e2e.E2EContext.Environment.projectID,
-		Sizeid:      &e2e.FirewallSize,
-		Imageid:     &e2e.FirewallImage,
-		Tags: []string{
-			fmt.Sprintf("%s=%s.%s", capmsv1alpha1.TagInfraClusterResource, e2e.NamespaceName, e2e.ClusterName),
-			fmt.Sprintf("%s=%s", "e2e-test", e2e.SpecName),
-		},
-		Networks: []*metalmodels.V1MachineAllocationNetwork{
-			{
-				Networkid: ptr.To(e2e.E2EContext.Environment.publicNetwork),
-			},
-			{
-				Networkid: e2e.Refs.NodeNetwork.ID,
-			},
-		},
-		// At the moment we just go with vastly broad firewall rules.
-		// In production this should be limited down.
-		FirewallRules: &metalmodels.V1FirewallRules{
-			Egress: []*metalmodels.V1FirewallEgressRule{
-				{
-					Comment:  "allow outgoing HTTP and HTTPS traffic",
-					Protocol: "TCP",
-					Ports:    []int32{80, 443},
-					To:       []string{"0.0.0.0/0"},
-				},
-				{
-					Comment:  "allow outgoing DNS traffic via TCP",
-					Protocol: "TCP",
-					Ports:    []int32{53},
-					To:       []string{"0.0.0.0/0"},
-				},
-				{
-					Comment:  "allow outgoing traffic to control plane for ccm",
-					Protocol: "TCP",
-					Ports:    []int32{8080},
-					To:       []string{"0.0.0.0/0"},
-				},
-				{
-					Comment:  "allow outgoing DNS and NTP traffic via UDP",
-					Protocol: "UDP",
-					Ports:    []int32{53, 123},
-					To:       []string{"0.0.0.0/0"},
-				},
-			},
-			Ingress: []*metalmodels.V1FirewallIngressRule{
-				{
-					Comment:  "allow incoming HTTPS and HTTPS traffic",
-					Protocol: "TCP",
-					From:     []string{"0.0.0.0/0"},
-					To:       []string{"0.0.0.0/0"},
-					Ports:    []int32{80, 443},
-				},
-			},
-		},
-	}
-
-	Eventually(func() error {
-		fw, err := e2e.E2EContext.Environment.Metal.Firewall().AllocateFirewall(metalfw.NewAllocateFirewallParamsWithContext(ctx).WithBody(fcr), nil)
-		if err != nil {
-			return err
-		}
-
-		e2e.Refs.Firewall = fw.Payload
-		return nil
-	}, e2e.E2EContext.E2EConfig.GetIntervals("metal-stack", "wait-firewall-allocate")...).ShouldNot(HaveOccurred(), "firewall not available")
-
-	GinkgoWriter.Printf("Firewall allocated with ID: %s\n", *e2e.Refs.Firewall.ID)
-}
-
-func (e2e *E2ECluster) teardownFirewall(ctx context.Context) {
-	if e2e.Refs.Firewall == nil || e2e.Refs.Firewall.ID == nil {
-		return
-	}
-
-	_, err := e2e.E2EContext.Environment.Metal.Machine().FreeMachine(metalmachine.NewFreeMachineParamsWithContext(ctx).WithID(*e2e.Refs.Firewall.ID), nil)
-	Expect(err).ToNot(HaveOccurred(), "failed to free firewall machine")
-
-	e2e.Refs.Firewall = nil
-}
-
 func (e2e *E2ECluster) setupControlPlaneIP(ctx context.Context) {
 	if e2e.ControlPlaneIP != "" {
 		return