Static Firewall Deployments (#118)

Author: vknabel

DEVELOPMENT.md

@@ -18,10 +18,10 @@ Next install our CAPMS provider into the cluster.
 make push-to-capi-lab
 ```
 
-Before creating a cluster some manual steps are required beforehand: you need to allocate a node network and a firewall.
+Before creating a cluster some manual steps are required beforehand: you need to allocate a node network.
 
 ```bash
-make -C capi-lab node-network firewall control-plane-ip
+make -C capi-lab node-network control-plane-ip
 ```
 
 A basic cluster configuration that relies on `config/clusterctl-templates/cluster-template.yaml` and uses the aforementioned node network can be generated and applied to the management cluster using a make target.
@@ -181,16 +181,14 @@ export WORKER_MACHINE_COUNT=1
 export repo_path=$HOME/path/to/cluster-api-provider-metal-stack
 export project_name=
 export tenant_name=
-export firewall_id=
 ```
 
-Create firewall if needed:
+Create project, node network and control plane ip if needed:
 
 ```bash
 metalctl project create --name $project_name --tenant $tenant_name --description "Cluster API test project"
 metalctl network allocate --description "Node network for $CLUSTER_NAME" --name $CLUSTER_NAME --project $METAL_PROJECT_ID --partition $METAL_PARTITION
 metalctl network ip create --network internet --project $METAL_PROJECT_ID --name "$CLUSTER_NAME-vip" --type static -o template --template "{{ .ipaddress }}"
-metalctl firewall create --description "Firewall for $CLUSTER_NAME cluster" --name firewall-$CLUSTER_NAME --hostname firewall-$CLUSTER_NAME --project $METAL_PROJECT_ID --partition $METAL_PARTITION --image $FIREWALL_MACHINE_IMAGE  --size $FIREWALL_MACHINE_SIZE --firewall-rules-file $repo_path/config/target-cluster/firewall-rules.yaml --networks internet,$METAL_NODE_NETWORK_ID
 ```
 
 ```bash
@@ -201,12 +199,6 @@ clusterctl init --infrastructure metal-stack --kubeconfig kind-bootstrap.kubecon
 clusterctl generate cluster $CLUSTER_NAME --infrastructure metal-stack > cluster-$CLUSTER_NAME.yaml
 kubectl apply -n $NAMESPACE -f cluster-$CLUSTER_NAME.yaml
 
-# once the control plane node is in phoned home
-metalctl machine consolepassword $firewall_id
-metalctl machine console --ipmi $firewall_id
-# sudo systemctl restart frr
-# ~.
-
 kubectl --kubeconfig kind-bootstrap.kubeconfig -n $NAMESPACE get metalstackmachines.infrastructure.cluster.x-k8s.io
 export control_plane_machine_id=
 metalctl machine console --ipmi $control_plane_machine_id

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.23 AS builder
+FROM golang:1.24 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -15,6 +15,7 @@ RUN go mod download
 COPY cmd/main.go cmd/main.go
 COPY api/ api/
 COPY internal/ internal/
+COPY util/ util/
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command

Makefile

@@ -271,7 +271,7 @@ KUSTOMIZE_VERSION ?= v5.4.3
 CONTROLLER_TOOLS_VERSION ?= v0.16.4
 ENVTEST_VERSION ?= release-0.19
 GOLANGCI_LINT_VERSION ?= v1.61.0
-GINKGO_VERSION ?= v2.23.3
+GINKGO_VERSION ?= v2.23.4
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.

README.md

@@ -11,11 +11,14 @@ Currently, we provide the following custom resources:
 
 - [`MetalStackCluster`](./api/v1alpha1/metalstackcluster_types.go) can be used as [infrastructure cluster](https://cluster-api.sigs.k8s.io/developer/providers/contracts/infra-cluster) and ensures that there is a control plane IP for the cluster.
 - [`MetalStackMachine`](./api/v1alpha1/metalstackmachine_types.go) bridges between [infrastructure machines](https://cluster-api.sigs.k8s.io/developer/providers/contracts/infra-machine) and metal-stack machines.
+- [`MetalStackMachineTemplate`](./api/v1alpha1/metalstackmachinetemplate_types.go) can be used to define reusable machine specifications for `MetalStackMachine` resources.
+- [`MetalStackFirewallDeployment`](./api/v1alpha1/metalstackfirewalldeployment_types.go) can be used to define firewall deployments for a cluster.
+- [`MetalStackFirewallTemplate`](./api/v1alpha1/metalstackfirewalltemplate_types.go) defines the configuration of deployed firewalls.
 
 We plan to cover more resources in the future:
 
 - Node Networks
-- Firewall Deployments
+- Complete Firewall Deployments using the [Firewall Controller Manager](https://github.com/metal-stack/firewall-controller-manager)
 - Improved configuration suggestion of CNIs
 
 > [!note]
@@ -76,15 +79,6 @@ Allocate a VIP for the control plane.
 export CONTROL_PLANE_IP=$(metalctl network ip create --network internet --project $METAL_PROJECT_ID --name "$CLUSTER_NAME-vip" --type static -o template --template "{{ .ipaddress }}")
 ```
 
-A firewall needs to be created with appropriate firewall rules. An example can be found at [firewall-rules.yaml](config/target-cluster/firewall-rules.yaml).
-```bash
-# export environment variable for the firewall image and size
-export FIREWALL_MACHINE_IMAGE=<firewall-image>
-export FIREWALL_MACHINE_SIZE=<machine-size>
-
-metalctl firewall create --description "Firewall for $CLUSTER_NAME" --name "$CLUSTER_NAME-fw" --hostname "$CLUSTER_NAME-fw" --project $METAL_PROJECT_ID --partition $METAL_PARTITION --image $FIREWALL_MACHINE_IMAGE  --size $FIREWALL_MACHINE_SIZE --firewall-rules-file=<rules.yaml> --networks internet,$METAL_NODE_NETWORK_ID
-```
-
 For your first cluster, it is advised to start with our generated template. Ensure that the namespaced cluster name is unique within the metal stack project.
 
 ```bash
@@ -96,6 +90,8 @@ export CONTROL_PLANE_MACHINE_IMAGE=<machine-image>
 export CONTROL_PLANE_MACHINE_SIZE=<machine-size>
 export WORKER_MACHINE_IMAGE=<machine-image>
 export WORKER_MACHINE_SIZE=<machine-size>
+export FIREWALL_MACHINE_IMAGE=<machine-image>
+export FIREWALL_MACHINE_SIZE=<machine-size>
 
 # generate manifest
 clusterctl generate cluster $CLUSTER_NAME --kubernetes-version v1.32.9 --infrastructure metal-stack

api/v1alpha1/metalstackcluster_types.go

@@ -28,15 +28,16 @@ import (
 )
 
 const (
+	MetalStackClusterKind = "MetalStackCluster"
 	// ClusterFinalizer allows to clean up resources associated with before removing it from the apiserver.
 	ClusterFinalizer = "metal-stack.infrastructure.cluster.x-k8s.io/cluster"
 
 	TagInfraClusterResource = "metal-stack.infrastructure.cluster.x-k8s.io/cluster-resource"
 
 	ClusterControlPlaneEndpointDefaultPort = 443
 
-	ClusterControlPlaneIPEnsured clusterv1.ConditionType = "ClusterControlPlaneIPEnsured"
 	ClusterPaused                clusterv1.ConditionType = clusterv1.PausedV1Beta2Condition
+	ClusterControlPlaneIPEnsured clusterv1.ConditionType = "ClusterControlPlaneIPEnsured"
 )
 
 var (
@@ -50,7 +51,7 @@ var (
 type MetalStackClusterSpec struct {
 	// ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.
 	// +optional
-	ControlPlaneEndpoint APIEndpoint `json:"controlPlaneEndpoint,omitempty"`
+	ControlPlaneEndpoint APIEndpoint `json:"controlPlaneEndpoint,omitzero"`
 
 	// ProjectID is the project id of the project in metal-stack in which the associated metal-stack resources are created.
 	ProjectID string `json:"projectID"`
@@ -66,6 +67,17 @@ type MetalStackClusterSpec struct {
 
 	// Partition is the data center partition in which the resources are created.
 	Partition string `json:"partition"`
+
+	// FirewallDeploymentRef references a MetalStackFirewallDeployment resource which manages the firewall for this cluster.
+	// This feature is currently in public preview.
+	// +optional
+	FirewallDeploymentRef *MetalStackFirewallDeploymentRef `json:"firewallDeploymentRef,omitempty"`
+}
+
+// MetalStackFirewallDeploymentRef contains a reference to a MetalStackFirewallDeployment resource.
+type MetalStackFirewallDeploymentRef struct {
+	// Name is the name of the MetalStackFirewallDeployment resource.
+	Name string `json:"name"`
 }
 
 // APIEndpoint represents a reachable Kubernetes API endpoint.

api/v1alpha1/metalstackfirewalldeployment_types.go

@@ -0,0 +1,93 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+)
+
+const (
+	MetalStackFirewallDeploymentKind = "MetalStackFirewallDeployment"
+	// FirewallDeploymentFinalizer allows to clean up resources associated with before removing it from the apiserver.
+	FirewallDeploymentFinalizer = "metal-stack.infrastructure.cluster.x-k8s.io/firewall-deployment"
+
+	TagFirewallDeploymentResource = "metal-stack.infrastructure.cluster.x-k8s.io/firewall-deployment-resource"
+
+	ClusterFirewallDeploymentEnsured clusterv1.ConditionType = "ClusterFirewallDeploymentEnsured"
+)
+
+// MetalStackFirewallDeploymentSpec defines the desired state of MetalStackFirewallDeployment
+type MetalStackFirewallDeploymentSpec struct {
+	// FirewallTemplateRef references the MetalStackFirewallTemplate to use for the firewall deployment.
+	FirewallTemplateRef MetalStackFirewallTemplateRef `json:"firewallTemplateRef"`
+	// ManagedResourceRef references the resource that represents the firewall deployment. At this moment it is a metal-stack firewall id.
+	// It is planned to reference a FirewallDeployment.
+	// +optional
+	ManagedResourceRef *MetalStackManagedResourceRef `json:"managedResourceRef,omitempty"`
+
+	// AutoUpdate defines the behavior for automatic updates.
+	AutoUpdate *MetalStackFirewallAutoUpdate `json:"autoUpdate,omitempty"`
+}
+
+type MetalStackFirewallAutoUpdate struct {
+	MachineImage bool `json:"machineImage,omitempty"`
+}
+
+// MetalStackManagedResourceRef references a MetalStackManagedResource.
+type MetalStackManagedResourceRef struct {
+	// Name of the MetalStackManagedResource.
+	Name string `json:"name"`
+}
+
+// MetalStackFirewallTemplateRef references a MetalStackFirewallTemplate.
+type MetalStackFirewallTemplateRef struct {
+	// Name of the MetalStackFirewallTemplate.
+	Name string `json:"name"`
+}
+
+// MetalStackFirewallDeploymentStatus defines the observed state of MetalStackFirewallDeployment
+type MetalStackFirewallDeploymentStatus struct {
+	// +kubebuilder:default=false
+	Ready bool `json:"ready"`
+
+	// Conditions defines current service state of the MetalStackCluster.
+	// +optional
+	Conditions clusterv1.Conditions `json:"conditions,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Namespaced,categories=cluster-api,shortName=msfwdeploy
+// +kubebuilder:printcolumn:name="Cluster",type="string",JSONPath=".metadata.labels.cluster\\.x-k8s\\.io/cluster-name",description="Cluster to which this MetalStackCluster belongs"
+// +kubebuilder:printcolumn:name="Template",type="string",JSONPath=".spec.firewallTemplateRef.name",description="Name of the MetalStackFirewallTemplate used"
+// +kubebuilder:printcolumn:name="Deployment",type="string",JSONPath=".spec.managedResourceRef.name",description="Name of the managed FirewallDeployment"
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.ready",description="Indicates if the MetalStackFirewallDeployment is ready"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age of the MetalStackFirewallDeployment"
+
+// MetalStackFirewallDeployment is the Schema for the MetalStackFirewallDeployments API
+type MetalStackFirewallDeployment struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   MetalStackFirewallDeploymentSpec   `json:"spec,omitzero"`
+	Status MetalStackFirewallDeploymentStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+type MetalStackFirewallDeploymentList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []MetalStackFirewallDeployment `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&MetalStackFirewallDeployment{}, &MetalStackFirewallDeploymentList{})
+}
+
+func (c *MetalStackFirewallDeployment) GetConditions() clusterv1.Conditions {
+	return c.Status.Conditions
+}
+
+func (c *MetalStackFirewallDeployment) SetConditions(conditions clusterv1.Conditions) {
+	c.Status.Conditions = conditions
+}

api/v1alpha1/metalstackfirewalltemplate_types.go

@@ -0,0 +1,38 @@
+package v1alpha1
+
+import (
+	fcmv2 "github.com/metal-stack/firewall-controller-manager/api/v2"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	MetalStackFirewallTemplateKind = "MetalStackFirewallTemplate"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Namespaced,categories=cluster-api,shortName=msfwtemplate
+// +kubebuilder:printcolumn:name="Partition",type="string",JSONPath=".spec.partition",description="The Metal Stack partition where the firewall will be created"
+// +kubebuilder:printcolumn:name="Project",type="string",JSONPath=".spec.project",description="The Metal Stack project where the firewall will be created"
+// +kubebuilder:printcolumn:name="Image",type="string",JSONPath=".spec.image",description="The Metal Stack firewall image"
+// +kubebuilder:printcolumn:name="Size",type="string",JSONPath=".spec.size",description="The Metal Stack firewall size"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="The age of the firewall template"
+type MetalStackFirewallTemplate struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec defines the firewall deployment template spec used to create firewalls for the cluster.
+	Spec fcmv2.FirewallSpec `json:"spec"`
+}
+
+// +kubebuilder:object:root=true
+
+type MetalStackFirewallTemplateList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []MetalStackFirewallTemplate `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&MetalStackFirewallTemplate{}, &MetalStackFirewallTemplateList{})
+}

api/v1alpha1/metalstackmachine_types.go

@@ -23,6 +23,7 @@ import (
 )
 
 const (
+	MetalStackMachineKind = "MetalStackMachine"
 	// MachineFinalizer allows to clean up resources associated with before removing it from the apiserver.
 	MachineFinalizer = "metal-stack.infrastructure.cluster.x-k8s.io/machine"