docs(MEP16): FCM contents adjustments (#142)

Author: vknabel

docs/contributing/01-Proposals/MEP16/README.md

@@ -204,12 +204,16 @@ spec:
               firewall:
                 source: static
         - path: /etc/firewall-controller/seed.yaml
-          secretRef:
-            name: seed-kubeconfig
-            generateFirewallControllerKubeconfig: true
+          contentFrom:
+            firewallControllerKubeconfigSecret:
+              name: seed-kubeconfig
+              key: kubeconfig
+
         - path: /etc/firewall-controller/shoot.yaml
-          secretRef:
-            name: shoot-kubeconfig
+          contentFrom:
+            secretRef:
+              name: shoot-kubeconfig
+              key: kubeconfig
 ```
 
 ### Gardener Extension Provider Metal Stack
@@ -236,11 +240,17 @@ spec:
   firewallTemplate:
     userdataContents:
       - path: /etc/firewall-controller/config.yaml
-        secretName: ${CLUSTER_NAME}-firewall-controller-config
+        contentFrom:
+          secretRef:
+            name: ${CLUSTER_NAME}-firewall-controller-config
+            key: controllerConfig
 
       - path: /etc/firewall-controller/workload.yaml
-        # this is the kubeconfig generated by kubeadm
-        secretName: ${CLUSTER_NAME}-kubeconfig
+        contentFrom:
+          # this is the kubeconfig generated by kubeadm
+          secretRef:
+            name: ${CLUSTER_NAME}-kubeconfig
+            key: value
 ---
 kind: Secret
 metadata:
@@ -294,25 +304,29 @@ In case this control surfaces as a requirement, it would need to be implemented
 
 In general this proposal is not thought to be implemented in one batch. Instead an incremental approach is required.
 
-1. Enhance firewall-controller
+1. Enhance firewall-controller-manager
+
+   - Add `FirewallDeployment.spec.template.spec.userdataContents`
+
+2. Enhance firewall-controller
 
    - Reduce coupling between controllers
    - Introduce controller config
    - Abstract module to write into distinct nftable rules for every controller
    - Implement `sources.static`, but not `sources.metal`
    - GEPM should set `FirewallDeployment.spec.template.spec.userdataContents`
 
-2. Allow Cluster API to use the FCM with static ruleset
+3. Allow Cluster API to use the FCM with static ruleset
 
    - Add `firewall.metal-stack.io/paused` annotation (managed by CAPMS during `clusterctl move`, theoretically useful for Gardener shoot migration as well to avoid shallow deletion).
    - Reconcile multiple `FirewallDeployment` resources across multiple namespaces. For Gardener the old behavior of reconciling only one namespace should persist.
    - Allow setting the `firewall.metal-stack.io/no-controller-connection` annotation through the `FirewallDeployment` (either through the template or inheritance).
    - Add `MetalStackCluster.spec.firewallTemplate`.
    - Make `MetalStackCluster.spec.nodeNetworkID` optional if `spec.firewallTemplate` given.
 
-3. Add `sources.metal` as configuration option.
+4. Add `sources.metal` as configuration option.
 
    - Allow updates of firewall rules in the metal-apiserver.
    - Depends on [MEP-4](../MEP4/README.md) metal-apiserver progress
 
-4. Potentially migrate the GEPM to use `sources.metal`
+5. Potentially migrate the GEPM to use `sources.metal`