Fixes.

Author: Gerrit91

capi-lab/firewall-controller-manager/deployment.yaml

@@ -33,6 +33,7 @@ spec:
           - -shoot-kubeconfig-secret-name=none
           - -shoot-token-secret-name=none
           - -ssh-key-secret-name=none
+          - -ssh-key-secret-namespace=none
           # - -shoot-token-path=/token
         env:
           - name: METAL_AUTH_HMAC

capi-lab/firewall-controller-manager/kustomization.yaml

@@ -17,16 +17,17 @@ resources:
 - validatingwebhookconfiguration.yaml
 - webhook-certs.yaml
 
-labels:
-- includeSelectors: true
-  pairs:
-    clusterctl.cluster.x-k8s.io/move: ""
-    # or cluster.x-k8s.io/provider: infrastructure-metal-stack?
-
 patches:
-
-configurations:
-- kustomizeconfig.yaml
+- patch: |-
+    apiVersion: apiextensions.k8s.io/v1
+    kind: CustomResourceDefinition
+    metadata:
+      name: firewalls.firewall.metal-stack.io
+      labels:
+        clusterctl.cluster.x-k8s.io/move: ""
+  target:
+    kind: CustomResourceDefinition
+    name: firewalls.firewall.metal-stack.io
 
 replacements:
  - source:

capi-lab/firewall-controller-manager/kustomizeconfig.yaml

@@ -572,6 +572,12 @@ func (r *clusterReconciler) ensureFirewallDeployment(nodeNetworkID, sshPubKey st
 					Protocol: fcmv2.NetworkProtocolTCP,
 					To:       []string{"0.0.0.0/0"},
 				},
+				{
+					Comment:  "allow outgoing traffic to control plane for ccm",
+					Ports:    []int32{8080},
+					Protocol: fcmv2.NetworkProtocolTCP,
+					To:       []string{"0.0.0.0/0"},
+				},
 				{
 					Comment:  "allow outgoing dns via tcp",
 					Ports:    []int32{53},