Firewall controller manager (#9)

Author: vknabel

capi-lab/deploy.yaml

@@ -14,5 +14,8 @@
     - name: prometheus
     - name: firewall-controller-manager
       vars:
-        firewall_controller_manager_namespace: cap-metal-stack
+        firewall_controller_manager_namespace: capms-system
+        firewall_controller_manager_ca: "{{ lookup('file', playbook_dir + '/fcm-certs/ca.pem') }}"
+        firewall_controller_manager_cert: "{{ lookup('file', playbook_dir + '/fcm-certs/tls.crt') }}"
+        firewall_controller_manager_cert_key: "{{ lookup('file', playbook_dir + '/fcm-certs/tls.key') }}"
     - name: cluster-api-provider-metal-stack

capi-lab/fcm-certs/ca-config.json

@@ -0,0 +1,18 @@
+{
+    "signing": {
+        "default": {
+            "expiry": "168h"
+        },
+        "profiles": {
+            "client-server": {
+                "expiry": "8760h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "server auth",
+                    "client auth"
+                ]
+            }
+        }
+    }
+}

capi-lab/fcm-certs/ca-csr.json

@@ -0,0 +1,14 @@
+{
+    "CN": "ca",
+    "key": {
+        "algo": "ecdsa",
+        "size": 256
+    },
+    "names": [
+        {
+            "C": "DE",
+            "L": "Bavaria",
+            "ST": "Munich"
+        }
+    ]
+}

capi-lab/fcm-certs/ca-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIFUGS1Xbmf1C9NcitDjcU3yfM3JUSS8SAeIHAvkHgofhoAoGCCqGSM49
+AwEHoUQDQgAEYPaD8+nz3ffhuV3iq3958NFnO28pCIfXiZOCVLyQYsvlr88eFbrN
+vjEHXAmvxTp5X2hlY5dbVh/CPC6FJbBFCw==
+-----END EC PRIVATE KEY-----

capi-lab/fcm-certs/ca.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBvjCCAWSgAwIBAgIUQBnjRL2py37bbgxj2/pB9TYZdSMwCgYIKoZIzj0EAwIw
+PTELMAkGA1UEBhMCREUxDzANBgNVBAgTBk11bmljaDEQMA4GA1UEBxMHQmF2YXJp
+YTELMAkGA1UEAxMCY2EwHhcNMjQxMTIxMTIxMjAwWhcNMjkxMTIwMTIxMjAwWjA9
+MQswCQYDVQQGEwJERTEPMA0GA1UECBMGTXVuaWNoMRAwDgYDVQQHEwdCYXZhcmlh
+MQswCQYDVQQDEwJjYTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGD2g/Pp8933
+4bld4qt/efDRZztvKQiH14mTglS8kGLL5a/PHhW6zb4xB1wJr8U6eV9oZWOXW1Yf
+wjwuhSWwRQujQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G
+A1UdDgQWBBT0JWN2t5PTJEOyBBbfGqjUdrsMXTAKBggqhkjOPQQDAgNIADBFAiEA
+ojnyHUbtmkx1xnuon+VFZKjccZxyoMaU/0u2Sz0MhWwCICrpHbQTNLoL8Q48UfJK
+33EilS1z6lxn/nM6+ql8WVfO
+-----END CERTIFICATE-----

capi-lab/fcm-certs/roll.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+echo "generating example certs"
+cfssl genkey -initca ca-csr.json | cfssljson -bare ca
+cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client-server tls.json | cfssljson -bare tls
+rm *.csr
+mv tls.pem tls.crt
+mv tls-key.pem tls.key

capi-lab/fcm-certs/tls.crt

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIIChjCCAiugAwIBAgIUfIGP//S9eEv3UtQ/ZlfTc579jdowCgYIKoZIzj0EAwIw
+PTELMAkGA1UEBhMCREUxDzANBgNVBAgTBk11bmljaDEQMA4GA1UEBxMHQmF2YXJp
+YTELMAkGA1UEAxMCY2EwHhcNMjQxMTIxMTIxMjAwWhcNMjUxMTIxMTIxMjAwWjBE
+MQswCQYDVQQGEwJERTEPMA0GA1UECBMGTXVuaWNoMRAwDgYDVQQHEwdCYXZhcmlh
+MRIwEAYDVQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQJ
+MoYtsmZB2s53fzS+LXf/rFSI6sHiKJ4kbenK04agoarAsIGniCPgRb4MUj2LvhC5
+1xJJncCC21QVUZCXZb+lo4IBADCB/TAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFNDY
+PWHrOS2a1CtLw91V3cKk+Y6NMB8GA1UdIwQYMBaAFPQlY3a3k9MkQ7IEFt8aqNR2
+uwxdMH4GA1UdEQR3MHWCCWxvY2FsaG9zdIIsZmlyZXdhbGwtY29udHJvbGxlci1t
+YW5hZ2VyLmNhcG1zLXN5c3RlbS5zdmOCOmZpcmV3YWxsLWNvbnRyb2xsZXItbWFu
+YWdlci5jYXBtcy1zeXN0ZW0uc3ZjLmNsdXN0ZXIubG9jYWwwCgYIKoZIzj0EAwID
+SQAwRgIhAKlzsenMaiXH+IqONSjxL/Bk5Xk7HM+sWfbTyVoOHXnhAiEA0nd2f04Z
+R36a+jGSXPxMgR2OOmScjfOUk3xnDDInMQE=
+-----END CERTIFICATE-----

capi-lab/fcm-certs/tls.json

@@ -0,0 +1,19 @@
+{
+  "CN": "localhost",
+  "hosts": [
+    "localhost",
+    "firewall-controller-manager.capms-system.svc",
+    "firewall-controller-manager.capms-system.svc.cluster.local"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "names": [
+    {
+      "C": "DE",
+      "L": "Bavaria",
+      "ST": "Munich"
+    }
+  ]
+}

capi-lab/fcm-certs/tls.key

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICCR8PczdJo8Tjpum62cO2hrlS0irQRVAgYhzcAr9raXoAoGCCqGSM49
+AwEHoUQDQgAECTKGLbJmQdrOd380vi13/6xUiOrB4iieJG3pytOGoKGqwLCBp4gj
+4EW+DFI9i74QudcSSZ3AgttUFVGQl2W/pQ==
+-----END EC PRIVATE KEY-----

capi-lab/roles/firewall-controller-manager/defaults/main.yaml

@@ -1,2 +1,29 @@
 ---
 firewall_controller_manager_namespace: "firewall-controller-manager"
+
+firewall_controller_manager_image_pull_policy: Always
+firewall_controller_manager_replicas: 1
+# firewall_controller_manager_pod_annotations:
+
+firewall_controller_manager_seed_api_url: https://kubernetes
+firewall_controller_manager_shoot_api_url:
+firewall_controller_manager_cluster_id:
+
+firewall_controller_manager_metalapi_url: http://metal-api.metal-control-plane.svc.cluster.local:8080
+firewall_controller_manager_metalapi_hmac: metal-admin
+
+firewall_controller_manager_generic_token_kubeconfig_secret_name:
+firewall_controller_manager_ssh_key_secret_name:
+
+firewall_controller_manager_shoot_access_token_secret: "shoot-access-firewall-controller-manager"
+
+firewall_controller_manager_ca:
+firewall_controller_manager_cert:
+firewall_controller_manager_cert_key:
+
+firewall_controller_manager_pod_annotations: {}
+
+firewall_controller_manager_crd_fetch_base_url: "https://raw.githubusercontent.com/metal-stack/firewall-controller-manager/refs/heads/"
+# TODO:
+# firewall_controller_manager_crd_fetch_base_url: "https://raw.githubusercontent.com/metal-stack/firewall-controller-manager/refs/tags/"
+firewall_controller_manager_image_tag: initial-firewall-ruleset