Merge branch 'main' into firewall-health-check

Author: Honigeintopf

.github/workflows/docker.yaml

@@ -31,16 +31,16 @@ jobs:
     - name: Checkout
       uses: actions/checkout@v4
 
-    - name: Set up Go 1.23
+    - name: Set up Go 1.24
       uses: actions/setup-go@v5
       with:
-        go-version: '1.23'
+        go-version: '1.24'
         cache: false
 
     - name: Lint
-      uses: golangci/golangci-lint-action@v6
+      uses: golangci/golangci-lint-action@v7
       with:
-        args: --build-tags integration -p bugs -p unused --timeout=10m
+        args: --build-tags integration --timeout=10m
 
     - name: Make tag
       run: |
@@ -63,10 +63,10 @@ jobs:
     - name: Checkout
       uses: actions/checkout@v4
 
-    - name: Set up Go 1.23
+    - name: Set up Go 1.24
       uses: actions/setup-go@v5
       with:
-        go-version: '1.23'
+        go-version: '1.24'
 
     - name: Test
       run: |

Dockerfile

@@ -1,11 +1,10 @@
 # Build the firewall-controller-manager binary
-FROM golang:1.23 as builder
+FROM golang:1.24 AS builder
 
 WORKDIR /work
 COPY . .
 RUN make
 
-FROM alpine:3.20
-COPY --from=builder /work/bin/firewall-controller-manager .
-USER 65534
+FROM gcr.io/distroless/static-debian12:nonroot
+COPY --from=builder /work/bin/firewall-controller-manager /firewall-controller-manager
 ENTRYPOINT ["/firewall-controller-manager"]

Dockerfile.dev

@@ -1,4 +1,4 @@
-FROM alpine:3.19
+FROM alpine:3.21
 COPY bin/firewall-controller-manager /firewall-controller-manager
 USER 65534
 ENTRYPOINT ["/firewall-controller-manager"]

api/v2/helper/seed_access.go

@@ -4,20 +4,17 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/Masterminds/semver/v3"
 	v2 "github.com/metal-stack/firewall-controller-manager/api/v2"
 	controllerclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/rest"
 	configlatest "k8s.io/client-go/tools/clientcmd/api/latest"
 	configv1 "k8s.io/client-go/tools/clientcmd/api/v1"
 
 	"k8s.io/apimachinery/pkg/runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
@@ -58,11 +55,6 @@ func ensureSeedRBAC(ctx context.Context, seedConfig *rest.Config, deploy *v2.Fir
 		}
 	)
 
-	k8sVersion, err := determineK8sVersion(seedConfig)
-	if err != nil {
-		return fmt.Errorf("unable to determine seed k8s version: %w", err)
-	}
-
 	seed, err := controllerclient.New(seedConfig, controllerclient.Options{
 		Scheme: scheme,
 	})
@@ -80,24 +72,22 @@ func ensureSeedRBAC(ctx context.Context, seedConfig *rest.Config, deploy *v2.Fir
 		return fmt.Errorf("error ensuring service account: %w", err)
 	}
 
-	if versionGreaterOrEqual124(k8sVersion) {
-		serviceAccountSecret := &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      name,
-				Namespace: deploy.Namespace,
-			},
-		}
+	serviceAccountSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: deploy.Namespace,
+		},
+	}
 
-		_, err := controllerutil.CreateOrUpdate(ctx, seed, serviceAccountSecret, func() error {
-			serviceAccountSecret.Annotations = map[string]string{
-				"kubernetes.io/service-account.name": serviceAccount.Name,
-			}
-			serviceAccountSecret.Type = corev1.SecretTypeServiceAccountToken
-			return nil
-		})
-		if err != nil {
-			return fmt.Errorf("error ensuring service account token secret: %w", err)
+	_, err = controllerutil.CreateOrUpdate(ctx, seed, serviceAccountSecret, func() error {
+		serviceAccountSecret.Annotations = map[string]string{
+			"kubernetes.io/service-account.name": serviceAccount.Name,
 		}
+		serviceAccountSecret.Type = corev1.SecretTypeServiceAccountToken
+		return nil
+	})
+	if err != nil {
+		return fmt.Errorf("error ensuring service account token secret: %w", err)
 	}
 
 	var shootAccessSecretNames []string
@@ -176,11 +166,6 @@ func ensureShootRBAC(ctx context.Context, shootConfig *rest.Config, shootNamespa
 		}
 	)
 
-	k8sVersion, err := determineK8sVersion(shootConfig)
-	if err != nil {
-		return fmt.Errorf("unable to determine shoot k8s version: %w", err)
-	}
-
 	shoot, err := controllerclient.New(shootConfig, controllerclient.Options{
 		Scheme: scheme,
 	})
@@ -195,24 +180,22 @@ func ensureShootRBAC(ctx context.Context, shootConfig *rest.Config, shootNamespa
 		return fmt.Errorf("error ensuring service account: %w", err)
 	}
 
-	if versionGreaterOrEqual124(k8sVersion) {
-		serviceAccountSecret := &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      name,
-				Namespace: shootNamespace,
-			},
-		}
+	serviceAccountSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: shootNamespace,
+		},
+	}
 
-		_, err := controllerutil.CreateOrUpdate(ctx, shoot, serviceAccountSecret, func() error {
-			serviceAccountSecret.Annotations = map[string]string{
-				"kubernetes.io/service-account.name": serviceAccount.Name,
-			}
-			serviceAccountSecret.Type = corev1.SecretTypeServiceAccountToken
-			return nil
-		})
-		if err != nil {
-			return fmt.Errorf("error ensuring service account token secret: %w", err)
+	_, err = controllerutil.CreateOrUpdate(ctx, shoot, serviceAccountSecret, func() error {
+		serviceAccountSecret.Annotations = map[string]string{
+			"kubernetes.io/service-account.name": serviceAccount.Name,
 		}
+		serviceAccountSecret.Type = corev1.SecretTypeServiceAccountToken
+		return nil
+	})
+	if err != nil {
+		return fmt.Errorf("error ensuring service account token secret: %w", err)
 	}
 
 	_, err = controllerutil.CreateOrUpdate(ctx, shoot, clusterRole, func() error {
@@ -271,34 +254,6 @@ func ensureShootRBAC(ctx context.Context, shootConfig *rest.Config, shootNamespa
 	return nil
 }
 
-func determineK8sVersion(config *rest.Config) (*semver.Version, error) {
-	discoveryClient, err := discovery.NewDiscoveryClientForConfig(config)
-	if err != nil {
-		return nil, fmt.Errorf("unable to create discovery client: %w", err)
-	}
-
-	version, err := discoveryClient.ServerVersion()
-	if err != nil {
-		return nil, fmt.Errorf("unable to discover server version: %w", err)
-	}
-
-	k8sVersion, err := semver.NewVersion(version.GitVersion)
-	if err != nil {
-		return nil, fmt.Errorf("unable to parse kubernetes version version: %w", err)
-	}
-
-	return k8sVersion, nil
-}
-
-func versionGreaterOrEqual124(v *semver.Version) bool {
-	constraint, err := semver.NewConstraint(">=v1.24.0")
-	if err != nil {
-		return false
-	}
-
-	return constraint.Check(v)
-}
-
 type AccessConfig struct {
 	Ctx          context.Context
 	Config       *rest.Config
@@ -344,62 +299,26 @@ func GetAccessKubeconfig(c *AccessConfig) ([]byte, error) {
 		return nil, err
 	}
 
-	k8sVersion, err := determineK8sVersion(c.Config)
-	if err != nil {
-		return nil, fmt.Errorf("unable to determine k8s version: %w", err)
-	}
-
 	cl, err := controllerclient.New(c.Config, controllerclient.Options{
 		Scheme: scheme,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("unable to create client: %w", err)
 	}
 
-	if versionGreaterOrEqual124(k8sVersion) {
-		saSecret := &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      name,
-				Namespace: c.Namespace,
-			},
-		}
-		err := cl.Get(c.Ctx, client.ObjectKeyFromObject(saSecret), saSecret, &client.GetOptions{})
-		if err != nil {
-			return nil, err
-		}
-
-		token = string(saSecret.Data["token"])
-		ca = saSecret.Data["ca.crt"]
-	} else {
-		sa := &corev1.ServiceAccount{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      name,
-				Namespace: c.Namespace,
-			},
-		}
-		err := cl.Get(c.Ctx, client.ObjectKeyFromObject(sa), sa, &client.GetOptions{})
-		if err != nil {
-			return nil, err
-		}
-
-		if len(sa.Secrets) == 0 {
-			return nil, fmt.Errorf("service account %q contains no valid token secret", sa.Name)
-		}
-
-		saSecret := &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      sa.Secrets[0].Name,
-				Namespace: c.Namespace,
-			},
-		}
-		err = cl.Get(c.Ctx, client.ObjectKeyFromObject(saSecret), saSecret, &client.GetOptions{})
-		if err != nil {
-			return nil, err
-		}
-
-		token = string(saSecret.Data["token"])
-		ca = saSecret.Data["ca.crt"]
+	saSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: c.Namespace,
+		},
 	}
+	err = cl.Get(c.Ctx, controllerclient.ObjectKeyFromObject(saSecret), saSecret, &controllerclient.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	token = string(saSecret.Data["token"])
+	ca = saSecret.Data["ca.crt"]
 
 	if token == "" {
 		return nil, fmt.Errorf("no token was created")

api/v2/helper/shoot_access.go

@@ -13,7 +13,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/rest"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 	controllerclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	"k8s.io/client-go/tools/clientcmd"
@@ -22,7 +21,7 @@ import (
 )
 
 type ShootAccessHelper struct {
-	seed      client.Client
+	seed      controllerclient.Client
 	access    *v2.ShootAccess
 	tokenPath string
 
@@ -31,7 +30,7 @@ type ShootAccessHelper struct {
 
 // NewShootAccessHelper provides shoot access functions based on shoot access secrets,
 // i.e. Gardener's generic kubeconfig and token secret.
-func NewShootAccessHelper(seed client.Client, access *v2.ShootAccess) *ShootAccessHelper {
+func NewShootAccessHelper(seed controllerclient.Client, access *v2.ShootAccess) *ShootAccessHelper {
 	return &ShootAccessHelper{
 		seed:   seed,
 		access: access,
@@ -90,7 +89,7 @@ func (s *ShootAccessHelper) Config(ctx context.Context) (*configv1.Config, error
 		},
 	}
 
-	err := s.seed.Get(ctx, client.ObjectKeyFromObject(kubeconfigTemplate), kubeconfigTemplate)
+	err := s.seed.Get(ctx, controllerclient.ObjectKeyFromObject(kubeconfigTemplate), kubeconfigTemplate)
 	if err != nil {
 		return nil, fmt.Errorf("unable to read generic kubeconfig secret: %w", err)
 	}
@@ -152,7 +151,7 @@ func (s *ShootAccessHelper) RESTConfig(ctx context.Context) (*rest.Config, error
 	return restConfig, nil
 }
 
-func (s *ShootAccessHelper) Client(ctx context.Context) (client.Client, error) {
+func (s *ShootAccessHelper) Client(ctx context.Context) (controllerclient.Client, error) {
 	var (
 		config *rest.Config
 		err    error
@@ -185,7 +184,7 @@ func (s *ShootAccessHelper) readTokenSecret(ctx context.Context) (string, error)
 		},
 	}
 
-	err := s.seed.Get(ctx, client.ObjectKeyFromObject(tokenSecret), tokenSecret)
+	err := s.seed.Get(ctx, controllerclient.ObjectKeyFromObject(tokenSecret), tokenSecret)
 	if err != nil {
 		return "", fmt.Errorf("unable to read token secret: %w", err)
 	}

api/v2/types_utils.go

@@ -40,7 +40,7 @@ const (
 	ConditionUnknown ConditionStatus = "Unknown"
 )
 
-type Conditions []Condition
+type Conditions []Condition // nolint:recvcheck
 
 // NewCondition creates a new condition.
 func NewCondition(t ConditionType, status ConditionStatus, reason, message string) Condition {

controllers/firewall/status.go

@@ -161,10 +161,10 @@ func SetFirewallStatusFromMonitor(fw *v2.Firewall, mon *v2.FirewallMonitor) {
 		cond := v2.NewCondition(v2.FirewallControllerConnected, v2.ConditionFalse, "NotConnected", "Controller has not yet connected to shoot.")
 		fw.Status.Conditions.Set(cond)
 	} else if time.Since(connection.Updated.Time) > 5*time.Minute {
-		cond := v2.NewCondition(v2.FirewallControllerConnected, v2.ConditionFalse, "StoppedReconciling", fmt.Sprintf("Controller has stopped reconciling since %s to shoot.", connection.Updated.Time.String()))
+		cond := v2.NewCondition(v2.FirewallControllerConnected, v2.ConditionFalse, "StoppedReconciling", fmt.Sprintf("Controller has stopped reconciling since %s to shoot.", connection.Updated.String()))
 		fw.Status.Conditions.Set(cond)
 	} else {
-		cond := v2.NewCondition(v2.FirewallControllerConnected, v2.ConditionTrue, "Connected", fmt.Sprintf("Controller reconciled shoot at %s.", connection.Updated.Time.String()))
+		cond := v2.NewCondition(v2.FirewallControllerConnected, v2.ConditionTrue, "Connected", fmt.Sprintf("Controller reconciled shoot at %s.", connection.Updated.String()))
 		fw.Status.Conditions.Set(cond)
 	}
 
@@ -173,10 +173,10 @@ func SetFirewallStatusFromMonitor(fw *v2.Firewall, mon *v2.FirewallMonitor) {
 		cond := v2.NewCondition(v2.FirewallControllerSeedConnected, v2.ConditionFalse, "NotConnected", "Controller has not yet connected to seed.")
 		fw.Status.Conditions.Set(cond)
 	} else if time.Since(connection.SeedUpdated.Time) > 5*time.Minute {
-		cond := v2.NewCondition(v2.FirewallControllerSeedConnected, v2.ConditionFalse, "StoppedReconciling", fmt.Sprintf("Controller has stopped reconciling since %s to seed.", connection.SeedUpdated.Time.String()))
+		cond := v2.NewCondition(v2.FirewallControllerSeedConnected, v2.ConditionFalse, "StoppedReconciling", fmt.Sprintf("Controller has stopped reconciling since %s to seed.", connection.SeedUpdated.String()))
 		fw.Status.Conditions.Set(cond)
 	} else {
-		cond := v2.NewCondition(v2.FirewallControllerSeedConnected, v2.ConditionTrue, "Connected", fmt.Sprintf("Controller reconciled firewall at %s.", connection.SeedUpdated.Time.String()))
+		cond := v2.NewCondition(v2.FirewallControllerSeedConnected, v2.ConditionTrue, "Connected", fmt.Sprintf("Controller reconciled firewall at %s.", connection.SeedUpdated.String()))
 		fw.Status.Conditions.Set(cond)
 	}
 

controllers/generic_controller.go

@@ -161,8 +161,6 @@ func (g GenericController[O]) Reconcile(ctx context.Context, req ctrl.Request) (
 			if statusErr != nil {
 				log.Error(statusErr, "status could not be updated")
 			}
-
-			return
 		}()
 	}