From 2072462b4a7755c84aecc2a48744f70474197352 Mon Sep 17 00:00:00 2001 From: Honigeintopf Date: Fri, 25 Oct 2024 14:49:54 +0200 Subject: [PATCH 01/13] Update Certs --- config/examples/certs/ca-key.pem | 6 +- config/examples/certs/ca.pem | 16 ++--- config/examples/certs/tls.crt | 22 +++--- config/examples/certs/tls.key | 6 +- config/examples/kustomize/patch-webhooks.yaml | 72 +++++++++---------- 5 files changed, 61 insertions(+), 61 deletions(-) diff --git a/config/examples/certs/ca-key.pem b/config/examples/certs/ca-key.pem index 8f5fb66..542f656 100644 --- a/config/examples/certs/ca-key.pem +++ b/config/examples/certs/ca-key.pem @@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIBRabFggNFg6LUPxY5AeplDzeqZQmnsnFY9OmWQW2eGBoAoGCCqGSM49 -AwEHoUQDQgAEkP91tJGv5pIytEgKOlwTeksfWC1MczdEmj8ouOiaQfFvCkLl5NB/ -uRLrjoR8vDamER2UM+BumDy1XfM849aIww== +MHcCAQEEIMdzRnQT5XJYI5YdllH2IC4TDpkkoswIUSPxVggCmz8uoAoGCCqGSM49 +AwEHoUQDQgAEzPBxsUSwbxKnyOHzLBxJtne4EKF2dktJ7cgiq88H4i2QWvH8Eu5f +WlSuos1/tjF7NdnZwdR3F09M3FWN2z32vw== -----END EC PRIVATE KEY----- diff --git a/config/examples/certs/ca.pem b/config/examples/certs/ca.pem index dbb0bc8..01cbd20 100644 --- a/config/examples/certs/ca.pem +++ b/config/examples/certs/ca.pem 
@@ -1,12 +1,12 @@ -----BEGIN CERTIFICATE----- -MIIBvTCCAWSgAwIBAgIUY2eiJLpYQK4h35iDJbGsUPZlsAcwCgYIKoZIzj0EAwIw +MIIBvTCCAWSgAwIBAgIUK74MlGBl5v/PxcvYR1gX/4ZahecwCgYIKoZIzj0EAwIw PTELMAkGA1UEBhMCREUxDzANBgNVBAgTBk11bmljaDEQMA4GA1UEBxMHQmF2YXJp -YTELMAkGA1UEAxMCY2EwHhcNMjMwNDE4MDc1NDAwWhcNMjgwNDE2MDc1NDAwWjA9 +YTELMAkGA1UEAxMCY2EwHhcNMjQxMDI1MTI0MDAwWhcNMjkxMDI0MTI0MDAwWjA9 MQswCQYDVQQGEwJERTEPMA0GA1UECBMGTXVuaWNoMRAwDgYDVQQHEwdCYXZhcmlh -MQswCQYDVQQDEwJjYTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJD/dbSRr+aS -MrRICjpcE3pLH1gtTHM3RJo/KLjomkHxbwpC5eTQf7kS646EfLw2phEdlDPgbpg8 -tV3zPOPWiMOjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G -A1UdDgQWBBRL7+6t0aYt/vvqePoDdyJsQ6DQ5jAKBggqhkjOPQQDAgNHADBEAiB5 -4nITXzq23b7HZWf/TN22DQX+9Ajc2xOws2lwlx8TpQIgSP0zTa3yGeabqBgjmANZ -GTYZaSABLBAoQ1Lt5E6sCVs= +MQswCQYDVQQDEwJjYTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMzwcbFEsG8S +p8jh8ywcSbZ3uBChdnZLSe3IIqvPB+ItkFrx/BLuX1pUrqLNf7YxezXZ2cHUdxdP +TNxVjds99r+jQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G +A1UdDgQWBBRmKUtHhVtOaft2ka15nfnH6agg8zAKBggqhkjOPQQDAgNHADBEAiAz +dCfM0jLlTDzaEXz5z1XEg8LhJWQV5YYoF+DUlJiU/gIgfSvcno9zARAKNNH06qF0 +XCzKTrC60QhD+N1wFN7X2og= -----END CERTIFICATE----- diff --git a/config/examples/certs/tls.crt b/config/examples/certs/tls.crt index 58f1a0f..8df5e63 100644 --- a/config/examples/certs/tls.crt +++ b/config/examples/certs/tls.crt 
@@ -1,15 +1,15 @@ -----BEGIN CERTIFICATE----- -MIICRDCCAeqgAwIBAgIUHwoSR0+noLCqqJ10vEJkTAng4GowCgYIKoZIzj0EAwIw +MIICQzCCAeqgAwIBAgIUZtyTg/sZOeE2HL7hDL6lVCo+QBcwCgYIKoZIzj0EAwIw PTELMAkGA1UEBhMCREUxDzANBgNVBAgTBk11bmljaDEQMA4GA1UEBxMHQmF2YXJp -YTELMAkGA1UEAxMCY2EwHhcNMjMwNDE4MDc1NDAwWhcNMjQwNDE3MDc1NDAwWjBE +YTELMAkGA1UEAxMCY2EwHhcNMjQxMDI1MTI0MDAwWhcNMjUxMDI1MTI0MDAwWjBE MQswCQYDVQQGEwJERTEPMA0GA1UECBMGTXVuaWNoMRAwDgYDVQQHEwdCYXZhcmlh -MRIwEAYDVQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARf -FNJn/7dufCbR0AC+BnTyvhn98yvOiD+ASWXaVYeBgsuB9GfUWlVyp+fjdAkgWNZd -4S4uNz6aD1G/KlE6GBFQo4HAMIG9MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU -BggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUj7eN -RLAK/BYVXeJfk6iS1xyJZRowHwYDVR0jBBgwFoAUS+/urdGmLf776nj6A3cibEOg -0OYwPgYDVR0RBDcwNYIJbG9jYWxob3N0gihmaXJld2FsbC1jb250cm9sbGVyLW1h -bmFnZXIuZmlyZXdhbGwuc3ZjMAoGCCqGSM49BAMCA0gAMEUCIQDsfaRwE5W901yK -JAQfSYlT+txLN8cdseHeDLXTwBo2IAIgV0g9f6F8KbyY6dvPHkoArRbZMIa3PFyL -/rflwrZzrPY= +MRIwEAYDVQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARN +eruOjegpfrIkOew6QNy5HsOXzL+Oie/ubpUxphleQhX7/pLjGNvo8ueWDyN0ZZ0G +vxexgYUDZkXh19dg9RzQo4HAMIG9MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU +BggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUyxBq +6HMZNcJlyn+b0GRQqPwvepgwHwYDVR0jBBgwFoAUZilLR4VbTmn7dpGteZ35x+mo +IPMwPgYDVR0RBDcwNYIJbG9jYWxob3N0gihmaXJld2FsbC1jb250cm9sbGVyLW1h +bmFnZXIuZmlyZXdhbGwuc3ZjMAoGCCqGSM49BAMCA0cAMEQCIEIHZ3Uj6fNvYgKv +JbI28i8nsdF3PbCGhLW6XnFABwqBAiAP9KPZf9zAAN8DHum2s1sOYTVOHGm4drkq +NLAFeNNXbg== -----END CERTIFICATE----- diff --git a/config/examples/certs/tls.key b/config/examples/certs/tls.key index 6af5725..7e37484 100644 --- a/config/examples/certs/tls.key +++ b/config/examples/certs/tls.key 
@@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIGkp4UEW0A/611PSa/ryMg+7c2yB11ZqtA/GR1yMaeq+oAoGCCqGSM49 -AwEHoUQDQgAEXxTSZ/+3bnwm0dAAvgZ08r4Z/fMrzog/gEll2lWHgYLLgfRn1FpV -cqfn43QJIFjWXeEuLjc+mg9RvypROhgRUA== +MHcCAQEEIJZT9vmyYJDxyP3gyJpkeS02M0hgXlrrrjTCmlmUOcQ0oAoGCCqGSM49 +AwEHoUQDQgAETXq7jo3oKX6yJDnsOkDcuR7Dl8y/jonv7m6VMaYZXkIV+/6S4xjb +6PLnlg8jdGWdBr8XsYGFA2ZF4dfXYPUc0A== -----END EC PRIVATE KEY----- diff --git a/config/examples/kustomize/patch-webhooks.yaml b/config/examples/kustomize/patch-webhooks.yaml index 5a5d127..9ab2d62 100644 --- a/config/examples/kustomize/patch-webhooks.yaml +++ b/config/examples/kustomize/patch-webhooks.yaml 
@@ -4,45 +4,45 @@ kind: MutatingWebhookConfiguration metadata: name: mutating-webhook-configuration webhooks: -- name: firewall.metal-stack.io - clientConfig: - caBundle: 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 - service: - name: firewall-controller-manager - namespace: firewall -- name: firewallset.metal-stack.io - clientConfig: - caBundle: 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 - service: - name: firewall-controller-manager - namespace: firewall -- name: firewalldeployment.metal-stack.io - clientConfig: - caBundle: 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 - service: - name: firewall-controller-manager - namespace: firewall + - name: firewall.metal-stack.io + clientConfig: + caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ2VENDQVdTZ0F3SUJBZ0lVSzc0TWxHQmw1di9QeGN2WVIxZ1gvNFphaGVjd0NnWUlLb1pJemowRUF3SXcKUFRFTE1Ba0dBMVVFQmhNQ1JFVXhEekFOQmdOVkJBZ1RCazExYm1samFERVFNQTRHQTFVRUJ4TUhRbUYyWVhKcApZVEVMTUFrR0ExVUVBeE1DWTJFd0hoY05NalF4TURJMU1USTBNREF3V2hjTk1qa3hNREkwTVRJME1EQXdXakE5Ck1Rc3dDUVlEVlFRR0V3SkVSVEVQTUEwR0ExVUVDQk1HVFhWdWFXTm9NUkF3RGdZRFZRUUhFd2RDWVhaaGNtbGgKTVFzd0NRWURWUVFERXdKallUQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJNendjYkZFc0c4UwpwOGpoOHl3Y1NiWjN1QkNoZG5aTFNlM0lJcXZQQitJdGtGcngvQkx1WDFwVXJxTE5mN1l4ZXpYWjJjSFVkeGRQClROeFZqZHM5OXIralFqQkFNQTRHQTFVZER3RUIvd1FFQXdJQkJqQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01CMEcKQTFVZERnUVdCQlJtS1V0SGhWdE9hZnQya2ExNW5mbkg2YWdnOHpBS0JnZ3Foa2pPUFFRREFnTkhBREJFQWlBegpkQ2ZNMGpMbFREemFFWHo1ejFYRWc4TGhKV1FWNVlZb0YrRFVsSmlVL2dJZ2ZTdmNubzl6QVJBS05OSDA2cUYwClhDektUckM2MFFoRCtOMXdGTjdYMm9nPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + service: + name: firewall-controller-manager + namespace: firewall + - name: firewallset.metal-stack.io + clientConfig: + caBundle: 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 + service: + name: firewall-controller-manager + namespace: firewall + - name: firewalldeployment.metal-stack.io + clientConfig: + caBundle: 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ2VENDQVdTZ0F3SUJBZ0lVSzc0TWxHQmw1di9QeGN2WVIxZ1gvNFphaGVjd0NnWUlLb1pJemowRUF3SXcKUFRFTE1Ba0dBMVVFQmhNQ1JFVXhEekFOQmdOVkJBZ1RCazExYm1samFERVFNQTRHQTFVRUJ4TUhRbUYyWVhKcApZVEVMTUFrR0ExVUVBeE1DWTJFd0hoY05NalF4TURJMU1USTBNREF3V2hjTk1qa3hNREkwTVRJME1EQXdXakE5Ck1Rc3dDUVlEVlFRR0V3SkVSVEVQTUEwR0ExVUVDQk1HVFhWdWFXTm9NUkF3RGdZRFZRUUhFd2RDWVhaaGNtbGgKTVFzd0NRWURWUVFERXdKallUQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJNendjYkZFc0c4UwpwOGpoOHl3Y1NiWjN1QkNoZG5aTFNlM0lJcXZQQitJdGtGcngvQkx1WDFwVXJxTE5mN1l4ZXpYWjJjSFVkeGRQClROeFZqZHM5OXIralFqQkFNQTRHQTFVZER3RUIvd1FFQXdJQkJqQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01CMEcKQTFVZERnUVdCQlJtS1V0SGhWdE9hZnQya2ExNW5mbkg2YWdnOHpBS0JnZ3Foa2pPUFFRREFnTkhBREJFQWlBegpkQ2ZNMGpMbFREemFFWHo1ejFYRWc4TGhKV1FWNVlZb0YrRFVsSmlVL2dJZ2ZTdmNubzl6QVJBS05OSDA2cUYwClhDektUckM2MFFoRCtOMXdGTjdYMm9nPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + service: + name: firewall-controller-manager + namespace: firewall --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: validating-webhook-configuration webhooks: -- name: firewall.metal-stack.io - clientConfig: - caBundle: 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 - service: - name: firewall-controller-manager - namespace: firewall -- name: firewallset.metal-stack.io - clientConfig: - caBundle: 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 - service: - name: firewall-controller-manager - namespace: firewall -- name: firewalldeployment.metal-stack.io - clientConfig: - caBundle: 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 - service: - name: firewall-controller-manager - namespace: firewall + - name: firewall.metal-stack.io + clientConfig: + caBundle: 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 + service: + name: firewall-controller-manager + namespace: firewall + - name: firewallset.metal-stack.io + clientConfig: + caBundle: 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 + service: + name: 
firewall-controller-manager + namespace: firewall + - name: firewalldeployment.metal-stack.io + clientConfig: + caBundle: 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 + service: + name: firewall-controller-manager + namespace: firewall From 65cc19329eb80a9af1e5dff5096968a6ed06a6fa Mon Sep 17 00:00:00 2001 From: Honigeintopf Date: Fri, 25 Oct 2024 14:52:13 +0200 Subject: [PATCH 02/13] Update Readme to include "-n firewall" --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 27c45bc..190459d 100644 --- a/README.md +++ b/README.md @@ -51,4 +51,4 @@ To play with the FCM, you can also run this controller inside the [mini-lab](htt 1. Deploy the FCM into the mini-lab with `make deploy` 1. Adapt the example [firewalldeployment.yaml](config/examples/firewalldeployment.yaml) and apply with `kubectl apply -f config/examples/firewalldeployment.yaml` 1. Note that the firewall-controller will not be able to connect to the mini-lab due to network restrictions, so the firewall will not get ready. - - You can make the firewall become ready anyway by setting the annotation `kubectl annotate fw firewall.metal-stack.io/no-controller-connection=true` + - You can make the firewall become ready anyway by setting the annotation `kubectl annotate fw -n firewall firewall.metal-stack.io/no-controller-connection=true` From 68d79ea7cb1377ccdf0006f7121cc389ed1636f6 Mon Sep 17 00:00:00 2001 From: Honigeintopf Date: Mon, 28 Oct 2024 16:55:42 +0100 Subject: [PATCH 03/13] Created test to check if unhealty firewall is replaced when unhealthy --- integration/integration_test.go | 49 +++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/integration/integration_test.go b/integration/integration_test.go index daf0296..b4f6421 100644 --- a/integration/integration_test.go +++ b/integration/integration_test.go 
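Review bot: The new caBundle is pasted inline once per webhook across the two configurations, with nothing tying it to `config/examples/certs/ca.pem`, so the next rotation has to edit every copy by hand and a missed one silently breaks admission for that webhook. Generating this patch from `ca.pem` (a Makefile or kustomize step that base64-encodes the file) would keep the bundle from drifting from the committed CA. Decoding the validity in the new `tls.crt` appears to give one year (2024-10-25 to 2025-10-25, against five years for the CA, and the replaced leaf appears to have expired on 2024-04-17), so without such a step this commit is needed again next October. Since the same commit re-commits the private keys `ca-key.pem` and `tls.key`, a header comment in this file such as `# example-only CA and keys for the mini-lab; regenerate rather than reuse them` would make their scope explicit. The list items are also re-indented by two spaces, which turns a one-value change into a hunk that rewrites every line.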
@@ -162,6 +162,53 @@ var _ = Context("integration test", Ordered, func() { Expect(client.IgnoreAlreadyExists(k8sClient.Create(ctx, shootTokenSecret.DeepCopy()))).To(Succeed()) }) + When("creating a firewall deployment that simulates unhealthiness", Ordered, func() { + var fwSet *v2.FirewallSet + + BeforeAll(func() { + // Create the Firewall Deployment + fwDeployment := deployment() + Expect(k8sClient.Create(ctx, fwDeployment)).To(Succeed()) + + // Wait for the FirewallSet to be created + Eventually(func() error { + fwSetList := &v2.FirewallSetList{} + err := k8sClient.List(ctx, fwSetList, client.InNamespace(namespaceName)) + if err != nil { + return err + } + if len(fwSetList.Items) == 0 { + return fmt.Errorf("no firewall sets found") + } + fwSet = &fwSetList.Items[0] + return nil + }, 15*time.Second, interval).Should(Succeed(), "FirewallSet should be created") + }) + + It("should update the deployment status to reflect the unhealthy replica", func() { + // Simulate unhealthiness by updating the FirewallSet status + fwSet.Status.UnhealthyReplicas = 1 + Expect(k8sClient.Status().Update(ctx, fwSet)).To(Succeed()) + + // Wait for the deployment status to reflect the unhealthy replica + Eventually(func() int { + fetchedDeployment := &v2.FirewallDeployment{} + Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(deployment()), fetchedDeployment)).To(Succeed()) + return fetchedDeployment.Status.UnhealthyReplicas + }, 15*time.Second, interval).Should(Equal(1), "unhealthy replicas should be reported") + }) + + It("should eventually replace the unhealthy firewall", func() { + // Wait for the controller to replace the unhealthy firewall + Eventually(func() bool { + fwSetList := &v2.FirewallSetList{} + Expect(k8sClient.List(ctx, fwSetList, client.InNamespace(namespaceName))).To(Succeed()) + // Check if a new FirewallSet has been created + return len(fwSetList.Items) > 1 + }, 60*time.Second, interval).Should(BeTrue(), "A new FirewallSet should be created to replace the 
unhealthy one") + }) + }) + Describe("the rolling update", Ordered, func() { When("creating a firewall deployment", Ordered, func() { It("the creation works", func() { @@ -1910,5 +1957,7 @@ var _ = Context("integration test", Ordered, func() { }) }) }) + }) + }) From fd71798c937689ae9c2695a47fa106c23b443ab5 Mon Sep 17 00:00:00 2001 From: Honigeintopf Date: Thu, 31 Oct 2024 16:30:09 +0100 Subject: [PATCH 04/13] Added delte after healthtimeout is exceeded, still need to adjust integration tests --- controllers/set/delete.go | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/controllers/set/delete.go b/controllers/set/delete.go index 8843ff4..fa8f985 100644 --- a/controllers/set/delete.go +++ b/controllers/set/delete.go @@ -58,6 +58,20 @@ func (c *controller) deleteAfterTimeout(r *controllers.Ctx[*v2.FirewallSet], fws connected := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue + if c.isFirewallUnhealthy(fw) { + allocationTimestamp := pointer.SafeDeref(fw.Status.MachineStatus).AllocationTimestamp + if time.Since(allocationTimestamp.Time) > c.c.GetFirewallHealthTimeout() { + r.Log.Info("unhealthy firewall not recovering, deleting from set", "firewall-name", fw.Name) + + err := c.deleteFirewalls(r, fw) + if err != nil { + return nil, err + } + + result = append(result, fw) + continue + } + } if !connected && time.Since(fw.CreationTimestamp.Time) > c.c.GetCreateTimeout() { r.Log.Info("firewall not getting ready, deleting from set", "firewall-name", fw.Name) 
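Review bot: Setting `fwSet.Status.UnhealthyReplicas = 1` by hand does not exercise the controller's health logic: `setStatus` in `controllers/set/status.go` (visible in a later hunk of this series) resets `UnhealthyReplicas` to 0 and recounts it from the owned firewalls' conditions on each reconcile, so the value is either overwritten before the deployment reads it or merely propagated. The final expectation `len(fwSetList.Items) > 1` describes a rolling update producing a second FirewallSet, while an unhealthy firewall is replaced inside the existing set, so the test cannot pass for the reason its description gives. Driving the scenario through the metal mock with an unhealthy firewall fixture and asserting on firewall deletion and re-creation within the set, as the fifth commit of this series does when it replaces this block, is the check worth keeping. The second hunk appears to add only two trailing blank lines inside the `Context`, which `gofmt` reduces to one. The enclosing `Context` starts and ends outside the hunk.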
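Review bot: `pointer.SafeDeref(fw.Status.MachineStatus).AllocationTimestamp` is the zero time whenever `MachineStatus` is still nil, and `time.Since` of the zero time exceeds every timeout, so a firewall in `FirewallPhaseCreating` whose machine is not allocated yet — which by definition cannot have all conditions true — is deleted on the first reconcile that sees it. The guard needs the timestamp to be real, e.g. `if !allocationTimestamp.Time.IsZero() && time.Since(allocationTimestamp.Time) > c.c.GetFirewallHealthTimeout() {` (the next commit's `created &&` guard only helps if `FirewallCreated` is never true without a `MachineStatus`). The grace period is also measured from allocation rather than from the moment a condition turned false, so once the next commit lifts the phase restriction a long-running firewall that drops `FirewallControllerSeedConnected` for a single reconcile is deleted at once; the `deleteIfUnhealthyOrTimeout`, `isFirewallUnhealthy` and `evaluateFirewallConditions` hunks later in the series inherit this, and the failing condition's transition time (if the `Conditions` type records one, which this chunk does not show) is the right quantity to compare with the timeout. `deleteAfterTimeout` begins before this hunk and its loop closes after it.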
@@ -67,8 +81,19 @@ func (c *controller) deleteAfterTimeout(r *controllers.Ctx[*v2.FirewallSet], fws } result = append(result, fw) + } } return result, nil } + +func (c *controller) isFirewallUnhealthy(fw *v2.Firewall) bool { + created := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallCreated)).Status == v2.ConditionTrue + ready := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallReady)).Status == v2.ConditionTrue + connected := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue + seedConnected := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerSeedConnected)).Status == v2.ConditionTrue + distance := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallDistanceConfigured)).Status == v2.ConditionTrue + + return !(created && ready && connected && seedConnected && distance) +} From 0de0032727a286b53691594928f2a1e3864b64a1 Mon Sep 17 00:00:00 2001 From: Honigeintopf Date: Mon, 4 Nov 2024 14:40:51 +0100 Subject: [PATCH 05/13] Added integration tests and deletion of fw after unhealthytimeout --- controllers/set/delete.go | 51 ++++++------ controllers/set/reconcile.go | 2 +- integration/integration_test.go | 116 +++++++++++++++++----------- integration/metal_resources_test.go | 86 +++++++++++++++++++++ integration/suite_test.go | 2 +- 5 files changed, 186 insertions(+), 71 deletions(-) diff --git a/controllers/set/delete.go b/controllers/set/delete.go index fa8f985..4988449 100644 --- a/controllers/set/delete.go +++ b/controllers/set/delete.go 
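Review bot: `isFirewallUnhealthy` has no doc comment and its name promises more than it checks — it is true for any firewall that has not yet reached all five conditions, including one that is simply still booting. A comment such as `// isFirewallUnhealthy reports whether any of the created/ready/connected/seed-connected/distance conditions is not true; it does not consider how long the firewall has been in that state.` would stop callers from treating it as a health timeout on its own. The five `pointer.SafeDeref(fw.Status.Conditions.Get(...)).Status == v2.ConditionTrue` lines repeat the pattern already used for `connected` in the loop above; a small helper such as `func conditionTrue(fw *v2.Firewall, t v2.ConditionType) bool` would remove the duplication in both places (the exact condition-type name is not visible in this chunk). `deleteAfterTimeout`'s body before `result = append(result, fw)` lies outside the hunk.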
@@ -46,32 +46,28 @@ func (c *controller) deleteFirewalls(r *controllers.Ctx[*v2.FirewallSet], fws .. return nil } -func (c *controller) deleteAfterTimeout(r *controllers.Ctx[*v2.FirewallSet], fws ...*v2.Firewall) ([]*v2.Firewall, error) { +func (c *controller) deleteIfUnhealthyOrTimeout(r *controllers.Ctx[*v2.FirewallSet], fws ...*v2.Firewall) ([]*v2.Firewall, error) { var result []*v2.Firewall for _, fw := range fws { fw := fw - if fw.Status.Phase != v2.FirewallPhaseCreating { - continue - } - connected := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue if c.isFirewallUnhealthy(fw) { - allocationTimestamp := pointer.SafeDeref(fw.Status.MachineStatus).AllocationTimestamp - if time.Since(allocationTimestamp.Time) > c.c.GetFirewallHealthTimeout() { - r.Log.Info("unhealthy firewall not recovering, deleting from set", "firewall-name", fw.Name) - - err := c.deleteFirewalls(r, fw) - if err != nil { - return nil, err - } - - result = append(result, fw) - continue + r.Log.Info("unhealthy firewall not recovering, deleting from set", "firewall-name", fw.Name) + err := c.deleteFirewalls(r, fw) + if err != nil { + return nil, err } + result = append(result, fw) + continue } + + if fw.Status.Phase != v2.FirewallPhaseCreating { + continue + } + if !connected && time.Since(fw.CreationTimestamp.Time) > c.c.GetCreateTimeout() { r.Log.Info("firewall not getting ready, deleting from set", "firewall-name", fw.Name) 
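Review bot: The loop deletes every firewall for which `isFirewallUnhealthy` is true in a single pass, with no upper bound and no check that another firewall in the set is still ready, and the function now runs for firewalls in every phase rather than only `FirewallPhaseCreating`. Because the health predicate includes conditions that can fail for all replicas at once (`FirewallControllerSeedConnected`, `FirewallDistanceConfigured`), a controller-side outage that outlasts `GetFirewallHealthTimeout` would have the set delete all of its firewalls in the same reconcile, which is the opposite of what a health check is for. Deleting at most one firewall per reconcile is a one-line change — replace `continue` after `result = append(result, fw)` in the unhealthy branch with `return result, nil` — and lets the set re-create one replica before the next is judged. If the current behaviour is intentional, a comment on the function saying that unhealthy firewalls are replaced without regard to remaining capacity would save the next reader the same question. `deleteIfUnhealthyOrTimeout` continues past the end of this hunk.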
@@ -89,11 +85,22 @@ func (c *controller) deleteAfterTimeout(r *controllers.Ctx[*v2.FirewallSet], fws } func (c *controller) isFirewallUnhealthy(fw *v2.Firewall) bool { - created := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallCreated)).Status == v2.ConditionTrue - ready := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallReady)).Status == v2.ConditionTrue - connected := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue - seedConnected := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerSeedConnected)).Status == v2.ConditionTrue - distance := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallDistanceConfigured)).Status == v2.ConditionTrue - return !(created && ready && connected && seedConnected && distance) + var ( + created = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallCreated)).Status == v2.ConditionTrue + ready = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallReady)).Status == v2.ConditionTrue + connected = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue + seedConnected = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerSeedConnected)).Status == v2.ConditionTrue + distance = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallDistanceConfigured)).Status == v2.ConditionTrue + ) + + if created && ready && connected && seedConnected && distance { + return false + } + + if created && time.Since(pointer.SafeDeref(fw.Status.MachineStatus).AllocationTimestamp.Time) > c.c.GetFirewallHealthTimeout() { + return true + } + + return false } diff --git a/controllers/set/reconcile.go b/controllers/set/reconcile.go index 6591ea3..53ca2dd 100644 --- a/controllers/set/reconcile.go +++ b/controllers/set/reconcile.go 
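Review bot: The two trailing `if` statements reduce to one expression and the function still lacks a doc comment saying what "unhealthy" means here. Both can be fixed together: `// isFirewallUnhealthy reports whether a created firewall has not reached all of its conditions within the health timeout, measured from the machine's allocation timestamp.` followed by `return !(created && ready && connected && seedConnected && distance) && created && time.Since(pointer.SafeDeref(fw.Status.MachineStatus).AllocationTimestamp.Time) > c.c.GetFirewallHealthTimeout()`. The `created &&` guard covers the nil-`MachineStatus` case only if a firewall can never carry `FirewallCreated` without a `MachineStatus`; if that invariant is not enforced elsewhere, `time.Since` of the zero `AllocationTimestamp` still classifies the firewall as unhealthy immediately, and an explicit `!...AllocationTimestamp.Time.IsZero()` check is cheap insurance. The closing brace of `deleteIfUnhealthyOrTimeout` at the top of the hunk belongs to a function that starts outside it.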
@@ -109,7 +109,7 @@ func (c *controller) Reconcile(r *controllers.Ctx[*v2.FirewallSet]) error { } } - deletedFws, err := c.deleteAfterTimeout(r, ownedFirewalls...) + deletedFws, err := c.deleteIfUnhealthyOrTimeout(r, ownedFirewalls...) if err != nil { return err } diff --git a/integration/integration_test.go b/integration/integration_test.go index b4f6421..7d48b99 100644 --- a/integration/integration_test.go +++ b/integration/integration_test.go 
@@ -162,53 +162,6 @@ var _ = Context("integration test", Ordered, func() { Expect(client.IgnoreAlreadyExists(k8sClient.Create(ctx, shootTokenSecret.DeepCopy()))).To(Succeed()) }) - When("creating a firewall deployment that simulates unhealthiness", Ordered, func() { - var fwSet *v2.FirewallSet - - BeforeAll(func() { - // Create the Firewall Deployment - fwDeployment := deployment() - Expect(k8sClient.Create(ctx, fwDeployment)).To(Succeed()) - - // Wait for the FirewallSet to be created - Eventually(func() error { - fwSetList := &v2.FirewallSetList{} - err := k8sClient.List(ctx, fwSetList, client.InNamespace(namespaceName)) - if err != nil { - return err - } - if len(fwSetList.Items) == 0 { - return fmt.Errorf("no firewall sets found") - } - fwSet = &fwSetList.Items[0] - return nil - }, 15*time.Second, interval).Should(Succeed(), "FirewallSet should be created") - }) - - It("should update the deployment status to reflect the unhealthy replica", func() { - // Simulate unhealthiness by updating the FirewallSet status - fwSet.Status.UnhealthyReplicas = 1 - Expect(k8sClient.Status().Update(ctx, fwSet)).To(Succeed()) - - // Wait for the deployment status to reflect the unhealthy replica - Eventually(func() int { - fetchedDeployment := &v2.FirewallDeployment{} - Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(deployment()), fetchedDeployment)).To(Succeed()) - return fetchedDeployment.Status.UnhealthyReplicas - }, 15*time.Second, interval).Should(Equal(1), "unhealthy replicas should be reported") - }) - - It("should eventually replace the unhealthy firewall", func() { - // Wait for the controller to replace the unhealthy firewall - Eventually(func() bool { - fwSetList := &v2.FirewallSetList{} - Expect(k8sClient.List(ctx, fwSetList, client.InNamespace(namespaceName))).To(Succeed()) - // Check if a new FirewallSet has been created - return len(fwSetList.Items) > 1 - }, 60*time.Second, interval).Should(BeTrue(), "A new FirewallSet should be created to replace the 
unhealthy one") - }) - }) - Describe("the rolling update", Ordered, func() { When("creating a firewall deployment", Ordered, func() { It("the creation works", func() { 
@@ -1960,4 +1913,73 @@ var _ = Context("integration test", Ordered, func() { }) + When("creating a firewall set that simulates unhealthiness", Ordered, func() { + var firewallSet *v2.FirewallSet + + BeforeAll(func() { + swapMetalClient(&metalclient.MetalMockFns{ + Firewall: func(m *mock.Mock) { + m.On("AllocateFirewall", mock.Anything, nil).Return(&metalfirewall.AllocateFirewallOK{Payload: firewall3}, nil).Maybe() + m.On("FindFirewall", mock.Anything, nil).Return(&metalfirewall.FindFirewallOK{Payload: firewall3}, nil).Maybe() + m.On("FindFirewalls", mock.Anything, nil).Return(&metalfirewall.FindFirewallsOK{Payload: []*models.V1FirewallResponse{firewall3}}, nil).Maybe() + }, + Network: func(m *mock.Mock) { + m.On("FindNetwork", mock.Anything, nil).Return(&network.FindNetworkOK{Payload: network1}, nil).Maybe() + }, + Machine: func(m *mock.Mock) { + m.On("UpdateMachine", mock.Anything, nil).Return(&machine.UpdateMachineOK{Payload: &models.V1MachineResponse{}}, nil).Maybe() + m.On("FreeMachine", mock.Anything, nil).Return(&machine.FreeMachineOK{Payload: &models.V1MachineResponse{ID: firewall3.ID}}, nil).Maybe() + }, + Image: func(m *mock.Mock) { + m.On("FindLatestImage", mock.Anything, nil).Return(&image.FindLatestImageOK{Payload: image1}, nil).Maybe() + }, + }) + + Expect(k8sClient.Create(ctx, deployment())).To(Succeed()) + Eventually(func() error { + firewallSetList := &v2.FirewallSetList{} + err := k8sClient.List(ctx, firewallSetList, client.InNamespace(namespaceName)) + if err != nil { + return err + } + if len(firewallSetList.Items) == 0 { + return fmt.Errorf("no firewall sets found") + } + firewallSet = &firewallSetList.Items[0] + return nil + }, 15*time.Second, interval).Should(Succeed(), "FirewallSet should be created") + }) + + It("should simulate unhealthiness and trigger deletion", func() { + firewallList := &v2.FirewallList{} + Eventually(func() int { + + err := k8sClient.List(ctx, firewallList, client.InNamespace(firewallSet.Namespace)) + if err != nil { + 
return 0 + } + return len(firewallList.Items) + }, 15*time.Second, interval).Should(BeNumerically(">", 0), "Should have at least one firewall") + + By("waiting for the firewall to be deleted") + Eventually(func() bool { + for _, fw := range firewallList.Items { + err := k8sClient.Get(ctx, client.ObjectKeyFromObject(&fw), &v2.Firewall{}) + if !apierrors.IsNotFound(err) { + return false + } + } + return true + }, 10*time.Second, interval).Should(BeTrue(), "All Firewalls should be deleted") + + By("verifying that a new firewall has been created") + Eventually(func() int { + newFirewallList := &v2.FirewallList{} + Expect(k8sClient.List(ctx, newFirewallList, client.InNamespace(firewallSet.Namespace))).To(Succeed()) + return len(newFirewallList.Items) + }, 10*time.Second, interval).Should(Equal(1), "A new firewall should be created") + }) + + }) + }) diff --git a/integration/metal_resources_test.go b/integration/metal_resources_test.go index ef87655..00b2c86 100644 --- a/integration/metal_resources_test.go +++ b/integration/metal_resources_test.go 
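Review bot: The test passes only because `firewall3`'s allocation in `metal_resources_test.go` is dated 20 days before `testTime` while `suite_test.go` now sets `FirewallHealthTimeout` to 19 days, and neither number appears in this block, so a later fixture or suite change breaks the test with no hint why. A comment at the top of the `It`, such as `// firewall3 was allocated 20 days ago and the suite health timeout is 19 days, so the set controller must treat it as unhealthy on its first reconcile` (assuming `AllocationTimestamp` is derived from the mock's `Allocation.Created`, which this chunk does not show), would record the dependency; a per-test timeout would be better still. The last `Eventually` expects exactly one firewall within 10 s, but the `AllocateFirewall`/`FindFirewall` mocks hand back the same 20-day-old `firewall3`, so the replacement presumably trips the same timeout and is deleted again, making `Equal(1)` race the next deletion; `BeNumerically(">=", 1)` or a fresh fixture for the replacement would remove the flake. The stray blank line directly after `Eventually(func() int {` should go. The enclosing `Context` starts and ends outside the hunk.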
@@ -311,6 +311,92 @@ var ( Vrf: 50, Vrfshared: true, } + firewall3 = &models.V1FirewallResponse{ + Allocation: &models.V1MachineAllocation{ + BootInfo: &models.V1BootInfo{ + Bootloaderid: pointer.Pointer("bootloaderid"), + Cmdline: pointer.Pointer("cmdline"), + ImageID: pointer.Pointer("imageid"), + Initrd: pointer.Pointer("initrd"), + Kernel: pointer.Pointer("kernel"), + OsPartition: pointer.Pointer("ospartition"), + PrimaryDisk: pointer.Pointer("primarydisk"), + }, + Created: pointer.Pointer(strfmt.DateTime(testTime.Add(-20 * 24 * time.Hour))), + Creator: pointer.Pointer("creator"), + Description: "firewall allocation 3", + Filesystemlayout: fsl1, + Hostname: pointer.Pointer("firewall-hostname-3"), + Image: image1, + Name: pointer.Pointer("firewall-3"), + Networks: []*models.V1MachineNetwork{ + { + Asn: pointer.Pointer(int64(200)), + Destinationprefixes: []string{"2.2.2.2"}, + Ips: []string{"1.1.1.1"}, + Nat: pointer.Pointer(false), + Networkid: pointer.Pointer("private"), + Networktype: pointer.Pointer(net.PrivatePrimaryUnshared), + Prefixes: []string{"prefixes"}, + Private: pointer.Pointer(true), + Underlay: pointer.Pointer(false), + Vrf: pointer.Pointer(int64(100)), + }, + }, + Project: pointer.Pointer("project-1"), + Reinstall: pointer.Pointer(false), + Role: pointer.Pointer(models.V1MachineAllocationRoleFirewall), + SSHPubKeys: []string{"sshpubkey"}, + Succeeded: pointer.Pointer(true), + UserData: "---userdata---", + }, + Bios: &models.V1MachineBIOS{ + Date: pointer.Pointer("biosdata"), + Vendor: pointer.Pointer("biosvendor"), + Version: pointer.Pointer("biosversion"), + }, + Description: "firewall 1", + Events: &models.V1MachineRecentProvisioningEvents{ + CrashLoop: pointer.Pointer(true), + FailedMachineReclaim: pointer.Pointer(true), + LastErrorEvent: &models.V1MachineProvisioningEvent{ + Event: pointer.Pointer("Crashed"), + Message: "crash", + Time: strfmt.DateTime(testTime.Add(-10 * 24 * time.Hour)), + }, + LastEventTime: strfmt.DateTime(testTime.Add(-7 
* 24 * time.Hour)), + Log: []*models.V1MachineProvisioningEvent{ + { + Event: pointer.Pointer("Phoned Home"), + Message: "phoning home", + Time: strfmt.DateTime(testTime.Add(-7 * 24 * time.Hour)), + }, + }, + }, + Hardware: &models.V1MachineHardware{ + CPUCores: pointer.Pointer(int32(16)), + Disks: []*models.V1MachineBlockDevice{}, + Memory: pointer.Pointer(int64(32)), + Nics: []*models.V1MachineNic{}, + }, + ID: pointer.Pointer("3"), + Ledstate: &models.V1ChassisIdentifyLEDState{ + Description: pointer.Pointer(""), + Value: pointer.Pointer(""), + }, + Liveliness: pointer.Pointer("Unhealthy"), + Name: "firewall-3", + Partition: partition1, + Rackid: "rack-1", + Size: size1, + State: &models.V1MachineState{ + Description: pointer.Pointer("state"), + Issuer: "issuer", + MetalHammerVersion: pointer.Pointer("version"), + Value: pointer.Pointer(""), + }, + Tags: []string{"a"}, + } ) // we are sharing a client for the tests, so we need to make sure we do not run contradicting tests in parallel diff --git a/integration/suite_test.go b/integration/suite_test.go index 608e49f..e3834a9 100644 --- a/integration/suite_test.go +++ b/integration/suite_test.go @@ -130,7 +130,7 @@ var _ = BeforeSuite(func() { ClusterTag: fmt.Sprintf("%s=%s", tag.ClusterID, "cluster-a"), SafetyBackoff: 10 * time.Second, ProgressDeadline: 10 * time.Minute, - FirewallHealthTimeout: 20 * time.Minute, + FirewallHealthTimeout: 19 * 24 * time.Hour, CreateTimeout: 10 * time.Minute, }) Expect(err).ToNot(HaveOccurred()) From 9605a18a1b032500201974274e49678158b622d0 Mon Sep 17 00:00:00 2001 From: Honigeintopf Date: Mon, 4 Nov 2024 15:31:00 +0100 Subject: [PATCH 06/13] refactor --- controllers/set/delete.go | 31 +++------------------------ controllers/set/status.go | 45 +++++++++++++++++++++++---------------- 2 files changed, 30 insertions(+), 46 deletions(-) diff --git a/controllers/set/delete.go b/controllers/set/delete.go index 4988449..f0129fe 100644 --- a/controllers/set/delete.go 
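Review bot: `Description: "firewall 1"` on `firewall3` reads as a copy-paste from the first fixture while its allocation says `"firewall allocation 3"`; `Description: "firewall 3"` keeps the fixtures distinguishable in assertion output. The only health-relevant differences from the other fixtures appear to be `Liveliness: "Unhealthy"` and the `Created` timestamp 20 days in the past, and since the new integration test depends on the latter, a comment on that field such as `// older than the suite's FirewallHealthTimeout so the set controller judges this firewall unhealthy` would put the intent next to the value. The enclosing `var (` block starts before this hunk.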
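Review bot: Raising `FirewallHealthTimeout` from 20 minutes to 19 days changes the health budget for every test in the suite, not only the new unhealthiness scenario, and the value is chosen to sit just under `firewall3`'s 20-day-old allocation without saying so. A comment such as `// must be shorter than the age of firewall3's allocation (20 days) so that the unhealthiness test triggers deletion` on this line, or a per-test override through a second controller config, would stop the next reader from "fixing" it back to a realistic value. `BeforeSuite` continues outside the hunk.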
+++ b/controllers/set/delete.go @@ -45,15 +45,10 @@ func (c *controller) deleteFirewalls(r *controllers.Ctx[*v2.FirewallSet], fws .. return nil } - func (c *controller) deleteIfUnhealthyOrTimeout(r *controllers.Ctx[*v2.FirewallSet], fws ...*v2.Firewall) ([]*v2.Firewall, error) { var result []*v2.Firewall for _, fw := range fws { - fw := fw - - connected := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue - if c.isFirewallUnhealthy(fw) { r.Log.Info("unhealthy firewall not recovering, deleting from set", "firewall-name", fw.Name) err := c.deleteFirewalls(r, fw) 
@@ -67,40 +62,20 @@ func (c *controller) deleteIfUnhealthyOrTimeout(r *controllers.Ctx[*v2.FirewallS if fw.Status.Phase != v2.FirewallPhaseCreating { continue } - + connected := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue if !connected && time.Since(fw.CreationTimestamp.Time) > c.c.GetCreateTimeout() { r.Log.Info("firewall not getting ready, deleting from set", "firewall-name", fw.Name) - err := c.deleteFirewalls(r, fw) if err != nil { return nil, err } - result = append(result, fw) - } } - return result, nil } func (c *controller) isFirewallUnhealthy(fw *v2.Firewall) bool { - - var ( - created = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallCreated)).Status == v2.ConditionTrue - ready = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallReady)).Status == v2.ConditionTrue - connected = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue - seedConnected = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerSeedConnected)).Status == v2.ConditionTrue - distance = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallDistanceConfigured)).Status == v2.ConditionTrue - ) - - if created && ready && connected && seedConnected && distance { - return false - } - - if created && time.Since(pointer.SafeDeref(fw.Status.MachineStatus).AllocationTimestamp.Time) > c.c.GetFirewallHealthTimeout() { - return true - } - - return false + statusReport := evaluateFirewallConditions(fw, c.c.GetFirewallHealthTimeout()) + return statusReport.IsUnhealthy } diff --git a/controllers/set/status.go b/controllers/set/status.go index a71b8d2..c74aae2 100644 --- a/controllers/set/status.go +++ b/controllers/set/status.go 
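Review bot: Delegating to `evaluateFirewallConditions(...).IsUnhealthy` changes what `isFirewallUnhealthy` means: in `status.go` that field is `!allConditionsMet || unhealthyTimeExceeded`, so a freshly created firewall that is still booting within the health timeout is now "unhealthy" and `deleteIfUnhealthyOrTimeout` deletes it on the next reconcile, whereas the replaced body required `created` and an elapsed timeout. The same definition drives the `evaluateFirewallConditions` hunk in `controllers/set/status.go` and the "Fix Refactoring" rewrite of this function in the next commit, which still returns `IsUnhealthy` for every non-ready firewall unless that commit's `status.go` hunk (outside this chunk) narrows the field. Restoring the deletion semantics is a one-line change in `status.go`: `IsUnhealthy: !allConditionsMet && unhealthyTimeExceeded,` — `setStatus` is unaffected because it counts its `else` branch rather than reading `IsUnhealthy`. A doc comment on this function stating that it is the deletion predicate, not the status-counting one, would keep the two from being merged again.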
@@ -8,35 +8,44 @@ import ( "github.com/metal-stack/metal-lib/pkg/pointer" ) +type FirewallConditionStatus struct { + IsReady, IsProgressing, IsUnhealthy bool +} + +func evaluateFirewallConditions(fw *v2.Firewall, healthTimeout time.Duration) FirewallConditionStatus { + created := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallCreated)).Status == v2.ConditionTrue + ready := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallReady)).Status == v2.ConditionTrue + connected := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue + seedConnected := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerSeedConnected)).Status == v2.ConditionTrue + distance := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallDistanceConfigured)).Status == v2.ConditionTrue + + allConditionsMet := created && ready && connected && seedConnected && distance + allocationTimeExceeded := created && time.Since(pointer.SafeDeref(fw.Status.MachineStatus).AllocationTimestamp.Time) < healthTimeout + unhealthyTimeExceeded := created && time.Since(pointer.SafeDeref(fw.Status.MachineStatus).AllocationTimestamp.Time) > healthTimeout + + return FirewallConditionStatus{ + IsReady: allConditionsMet, + IsProgressing: created && allocationTimeExceeded, + IsUnhealthy: !allConditionsMet || unhealthyTimeExceeded, + } +} + func (c *controller) setStatus(r *controllers.Ctx[*v2.FirewallSet], ownedFirewalls []*v2.Firewall) error { r.Target.Status.TargetReplicas = r.Target.Spec.Replicas - r.Target.Status.ReadyReplicas = 0 r.Target.Status.ProgressingReplicas = 0 r.Target.Status.UnhealthyReplicas = 0 for _, fw := range ownedFirewalls { - var ( - fw = fw - - created = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallCreated)).Status == v2.ConditionTrue - ready = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallReady)).Status == v2.ConditionTrue - connected = 
pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue - seedConnected = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerSeedConnected)).Status == v2.ConditionTrue - distance = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallDistanceConfigured)).Status == v2.ConditionTrue - ) + statusReport := evaluateFirewallConditions(fw, c.c.GetFirewallHealthTimeout()) - if created && ready && connected && seedConnected && distance { + if statusReport.IsReady { r.Target.Status.ReadyReplicas++ - continue - } - - if created && time.Since(pointer.SafeDeref(fw.Status.MachineStatus).AllocationTimestamp.Time) < c.c.GetFirewallHealthTimeout() { + } else if statusReport.IsProgressing { r.Target.Status.ProgressingReplicas++ - continue + } else { + r.Target.Status.UnhealthyReplicas++ } - - r.Target.Status.UnhealthyReplicas++ } revision, err := controllers.Revision(r.Target) From c6b57588e619305e31255184e1b29473fb497177 Mon Sep 17 00:00:00 2001 From: Honigeintopf Date: Mon, 4 Nov 2024 15:59:58 +0100 Subject: [PATCH 07/13] Fix Refactoring --- controllers/set/delete.go | 12 +++++++++++- controllers/set/status.go | 13 +++++++------ 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/controllers/set/delete.go b/controllers/set/delete.go index f0129fe..36918e4 100644 --- a/controllers/set/delete.go +++ b/controllers/set/delete.go @@ -76,6 +76,16 @@ func (c *controller) deleteIfUnhealthyOrTimeout(r *controllers.Ctx[*v2.FirewallS } func (c *controller) isFirewallUnhealthy(fw *v2.Firewall) bool { + statusReport := evaluateFirewallConditions(fw, c.c.GetFirewallHealthTimeout()) - return statusReport.IsUnhealthy + + if statusReport.IsReady { + return false + } + + if statusReport.IsUnhealthy { + return true + } + + return false } diff --git a/controllers/set/status.go b/controllers/set/status.go index c74aae2..d2076fe 100644 --- a/controllers/set/status.go +++ b/controllers/set/status.go 
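Review bot: `allocationTimeExceeded` holds `time.Since(...) < healthTimeout`, i.e. it is true while the timeout has not been exceeded, so the name states the opposite of the value and `IsProgressing: created && allocationTimeExceeded` repeats the `created &&` already folded into it. Renaming it to something like `withinHealthTimeout` and writing `IsProgressing: withinHealthTimeout,` would make the struct literal readable without chasing the definition. The allocation timestamp is also dereferenced and `time.Since` evaluated twice for the two comparisons; computing `sinceAllocation := time.Since(pointer.SafeDeref(fw.Status.MachineStatus).AllocationTimestamp.Time)` once would remove the duplication.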
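Review bot: The `if statusReport.IsUnhealthy { return true }` followed by `return false` in `isFirewallUnhealthy` collapses to `return !statusReport.IsReady && statusReport.IsUnhealthy`. The `IsReady` guard is not redundant, because `unhealthyTimeExceeded` in status.go does not look at readiness, so a fully ready firewall whose allocation is older than the health timeout has both `IsReady` and `IsUnhealthy` set; that is worth a comment on the function, e.g. `// a ready firewall is never treated as unhealthy, even when its allocation is older than the health timeout`. The stray blank `+` line between the declaration and the return should go as well.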
@@ -25,8 +25,8 @@ func evaluateFirewallConditions(fw *v2.Firewall, healthTimeout time.Duration) Fi return FirewallConditionStatus{ IsReady: allConditionsMet, - IsProgressing: created && allocationTimeExceeded, - IsUnhealthy: !allConditionsMet || unhealthyTimeExceeded, + IsProgressing: allocationTimeExceeded, + IsUnhealthy: unhealthyTimeExceeded, } } @@ -38,14 +38,15 @@ func (c *controller) setStatus(r *controllers.Ctx[*v2.FirewallSet], ownedFirewal for _, fw := range ownedFirewalls { statusReport := evaluateFirewallConditions(fw, c.c.GetFirewallHealthTimeout()) - if statusReport.IsReady { r.Target.Status.ReadyReplicas++ - } else if statusReport.IsProgressing { + continue + } + if statusReport.IsProgressing { r.Target.Status.ProgressingReplicas++ - } else { - r.Target.Status.UnhealthyReplicas++ + continue } + r.Target.Status.UnhealthyReplicas++ } revision, err := controllers.Revision(r.Target) From 2fa826d6bd4b918ac82fd056ee1bdabeef0c76c0 Mon Sep 17 00:00:00 2001 From: Honigeintopf Date: Thu, 7 Nov 2024 12:18:52 +0100 Subject: [PATCH 08/13] Finish refactor --- controllers/set/delete.go | 38 +++++------------------- controllers/set/status.go | 61 ++++++++++++++++++++++++++------------- 2 files changed, 48 insertions(+), 51 deletions(-) diff --git a/controllers/set/delete.go b/controllers/set/delete.go index 36918e4..31dc198 100644 --- a/controllers/set/delete.go +++ b/controllers/set/delete.go @@ -6,7 +6,6 @@ import ( v2 "github.com/metal-stack/firewall-controller-manager/api/v2" "github.com/metal-stack/firewall-controller-manager/controllers" - "github.com/metal-stack/metal-lib/pkg/pointer" ) func (c *controller) Delete(r *controllers.Ctx[*v2.FirewallSet]) error { 
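Review bot: `IsProgressing: allocationTimeExceeded` now reads as "progressing because the timeout was exceeded", while the variable defined earlier in this function (outside the hunk) is `created && time.Since(...) < healthTimeout`, the opposite condition; the rename to something like `withinHealthTimeout` should come with this change. A doc comment on `FirewallConditionStatus` would also help callers, since the fields are not mutually exclusive: `IsReady` and `IsUnhealthy` can both hold for a ready firewall whose allocation is older than the health timeout, so callers must check `IsReady` first, which is exactly what the `setStatus` hunk does with its `continue` ordering. Proposed wording: `// Fields are not mutually exclusive; check IsReady before IsUnhealthy. A firewall that is neither ready nor progressing is counted as unhealthy.`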
@@ -49,43 +48,20 @@ func (c *controller) deleteIfUnhealthyOrTimeout(r *controllers.Ctx[*v2.FirewallS var result []*v2.Firewall for _, fw := range fws { - if c.isFirewallUnhealthy(fw) { - r.Log.Info("unhealthy firewall not recovering, deleting from set", "firewall-name", fw.Name) - err := c.deleteFirewalls(r, fw) - if err != nil { - return nil, err - } - result = append(result, fw) - continue - } + status := c.evaluateFirewallConditions(fw) + + switch { + case status.CreateTimeout || status.HealthTimeout: + r.Log.Info("firewall health or creation timeout exceeded, deleting from set", "firewall-name", fw.Name) - if fw.Status.Phase != v2.FirewallPhaseCreating { - continue - } - connected := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue - if !connected && time.Since(fw.CreationTimestamp.Time) > c.c.GetCreateTimeout() { - r.Log.Info("firewall not getting ready, deleting from set", "firewall-name", fw.Name) err := c.deleteFirewalls(r, fw) if err != nil { return nil, err } + result = append(result, fw) } - } - return result, nil -} - -func (c *controller) isFirewallUnhealthy(fw *v2.Firewall) bool { - statusReport := evaluateFirewallConditions(fw, c.c.GetFirewallHealthTimeout()) - - if statusReport.IsReady { - return false - } - - if statusReport.IsUnhealthy { - return true } - - return false + return result, nil } diff --git a/controllers/set/status.go b/controllers/set/status.go index d2076fe..e46a810 100644 --- a/controllers/set/status.go +++ b/controllers/set/status.go 
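Review bot: The create-timeout deletion path has lost both guards the removed code had, `fw.Status.Phase != v2.FirewallPhaseCreating` and `!connected`, and the new `evaluateFirewallConditions` in this commit's status.go hunk only tests `created && timeSinceAllocation > allocationTimeout`, so a firewall that is connected and still being set up is deleted once its allocation is older than `GetCreateTimeout()`, where before it was left alone. The log message also no longer says which timeout fired; since the struct carries both flags, `r.Log.Info("firewall timeout exceeded, deleting from set", "firewall-name", fw.Name, "create-timeout", status.CreateTimeout, "health-timeout", status.HealthTimeout)` keeps that information. A `switch` with a single `case` is an `if` in disguise; `if status.CreateTimeout || status.HealthTimeout {` reads more directly. `deleteIfUnhealthyOrTimeout` begins outside this hunk.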
@@ -8,25 +8,44 @@ import ( "github.com/metal-stack/metal-lib/pkg/pointer" ) -type FirewallConditionStatus struct { - IsReady, IsProgressing, IsUnhealthy bool +type firewallConditionStatus struct { + IsReady bool + CreateTimeout bool + HealthTimeout bool } -func evaluateFirewallConditions(fw *v2.Firewall, healthTimeout time.Duration) FirewallConditionStatus { - created := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallCreated)).Status == v2.ConditionTrue - ready := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallReady)).Status == v2.ConditionTrue - connected := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue - seedConnected := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerSeedConnected)).Status == v2.ConditionTrue - distance := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallDistanceConfigured)).Status == v2.ConditionTrue +func (c *controller) evaluateFirewallConditions(fw *v2.Firewall) firewallConditionStatus { + unhealthyTimeout := c.c.GetFirewallHealthTimeout() + allocationTimeout := c.c.GetCreateTimeout() - allConditionsMet := created && ready && connected && seedConnected && distance - allocationTimeExceeded := created && time.Since(pointer.SafeDeref(fw.Status.MachineStatus).AllocationTimestamp.Time) < healthTimeout - unhealthyTimeExceeded := created && time.Since(pointer.SafeDeref(fw.Status.MachineStatus).AllocationTimestamp.Time) > healthTimeout + var ( + created = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallCreated)).Status == v2.ConditionTrue + ready = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallReady)).Status == v2.ConditionTrue + connected = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue + seedConnected = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerSeedConnected)).Status == v2.ConditionTrue + distanceConfigured = 
pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallDistanceConfigured)).Status == v2.ConditionTrue + allConditionsMet = created && ready && connected && seedConnected && distanceConfigured + createTimeoutExceeded bool + healthTimeoutExceeded bool + ) - return FirewallConditionStatus{ + allocationTimestamp := pointer.SafeDeref(fw.Status.MachineStatus).AllocationTimestamp.Time + timeSinceAllocation := time.Since(allocationTimestamp) + + if created && timeSinceAllocation > allocationTimeout { + createTimeoutExceeded = true + return firewallConditionStatus{CreateTimeout: true} + } + + if created && timeSinceAllocation > unhealthyTimeout { + healthTimeoutExceeded = true + return firewallConditionStatus{HealthTimeout: true} + } + + return firewallConditionStatus{ IsReady: allConditionsMet, - IsProgressing: allocationTimeExceeded, - IsUnhealthy: unhealthyTimeExceeded, + CreateTimeout: createTimeoutExceeded, + HealthTimeout: healthTimeoutExceeded, } } @@ -37,16 +56,18 @@ func (c *controller) setStatus(r *controllers.Ctx[*v2.FirewallSet], ownedFirewal r.Target.Status.UnhealthyReplicas = 0 for _, fw := range ownedFirewalls { - statusReport := evaluateFirewallConditions(fw, c.c.GetFirewallHealthTimeout()) - if statusReport.IsReady { + statusReport := c.evaluateFirewallConditions(fw) + + switch { + case statusReport.IsReady: r.Target.Status.ReadyReplicas++ continue - } - if statusReport.IsProgressing { - r.Target.Status.ProgressingReplicas++ + case statusReport.CreateTimeout || statusReport.HealthTimeout: + r.Target.Status.UnhealthyReplicas++ continue } - r.Target.Status.UnhealthyReplicas++ + + r.Target.Status.ProgressingReplicas++ } revision, err := controllers.Revision(r.Target) From 47f40299d677d815b9d068305bedc16ef1481f26 Mon Sep 17 00:00:00 2001 
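Review bot: The create-timeout check runs before `allConditionsMet` is consulted, so every ready firewall whose allocation timestamp is older than `GetCreateTimeout()` returns `firewallConditionStatus{CreateTimeout: true}` and, via the delete.go hunk of this commit, gets deleted from the set; the readiness result must be returned first, `if allConditionsMet { return firewallConditionStatus{IsReady: true} }`, before either timeout is evaluated. The assignments `createTimeoutExceeded = true` and `healthTimeoutExceeded = true` are dead: each is immediately followed by a `return` of a fresh literal, so the final literal can only ever see them as false. With those two variables removed the closing return becomes `return firewallConditionStatus{IsReady: allConditionsMet}`.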
From: Honigeintopf
Date: Thu, 7 Nov 2024 12:50:16 +0100
Subject: [PATCH 09/13] Updated allocation timeout to longer than created timeout

---
 controllers/set/status.go | 24 ++++++++++++------------
 integration/suite_test.go | 2 +-
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/controllers/set/status.go b/controllers/set/status.go
index e46a810..61b3686 100644
--- a/controllers/set/status.go
+++ b/controllers/set/status.go
@@ -19,33 +19,33 @@ func (c *controller) evaluateFirewallConditions(fw *v2.Firewall) firewallConditi allocationTimeout := c.c.GetCreateTimeout() var ( - created = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallCreated)).Status == v2.ConditionTrue - ready = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallReady)).Status == v2.ConditionTrue - connected = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue - seedConnected = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerSeedConnected)).Status == v2.ConditionTrue - distanceConfigured = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallDistanceConfigured)).Status == v2.ConditionTrue - allConditionsMet = created && ready && connected && seedConnected && distanceConfigured - createTimeoutExceeded bool - healthTimeoutExceeded bool + created = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallCreated)).Status == v2.ConditionTrue + ready = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallReady)).Status == v2.ConditionTrue + connected = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue + seedConnected = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerSeedConnected)).Status == v2.ConditionTrue + distanceConfigured = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallDistanceConfigured)).Status == v2.ConditionTrue + allConditionsMet = created && ready && connected && seedConnected && distanceConfigured ) allocationTimestamp := pointer.SafeDeref(fw.Status.MachineStatus).AllocationTimestamp.Time timeSinceAllocation := time.Since(allocationTimestamp) + if allConditionsMet { + return firewallConditionStatus{IsReady: true} + } + if created && timeSinceAllocation > allocationTimeout { - createTimeoutExceeded = true return firewallConditionStatus{CreateTimeout: true} } if created && timeSinceAllocation > unhealthyTimeout { - healthTimeoutExceeded = true return 
firewallConditionStatus{HealthTimeout: true} } return firewallConditionStatus{ IsReady: allConditionsMet, - CreateTimeout: createTimeoutExceeded, - HealthTimeout: healthTimeoutExceeded, + CreateTimeout: false, + HealthTimeout: false, } } diff --git a/integration/suite_test.go b/integration/suite_test.go index e3834a9..8683098 100644 --- a/integration/suite_test.go +++ b/integration/suite_test.go @@ -131,7 +131,7 @@ var _ = BeforeSuite(func() { SafetyBackoff: 10 * time.Second, ProgressDeadline: 10 * time.Minute, FirewallHealthTimeout: 19 * 24 * time.Hour, - CreateTimeout: 10 * time.Minute, + CreateTimeout: 19 * 24 * time.Hour, }) Expect(err).ToNot(HaveOccurred()) From 21d648cb66bbef50cee5ab0d68371b3bb9e469fc Mon Sep 17 00:00:00 2001 From: Honigeintopf Date: Thu, 7 Nov 2024 13:18:08 +0100 Subject: [PATCH 10/13] Check if firewall is creating before setting allocation timeout --- controllers/set/status.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/controllers/set/status.go b/controllers/set/status.go index 61b3686..b02e11c 100644 --- a/controllers/set/status.go +++ b/controllers/set/status.go @@ -35,7 +35,12 @@ func (c *controller) evaluateFirewallConditions(fw *v2.Firewall) firewallConditi } if created && timeSinceAllocation > allocationTimeout { - return firewallConditionStatus{CreateTimeout: true} + + // If the firewall is still creating, don't set a timeout + if fw.Status.Phase != v2.FirewallPhaseCreating { + return firewallConditionStatus{CreateTimeout: true} + } + } if created && timeSinceAllocation > unhealthyTimeout { From 4d9affd6403debf7b999a5f0b8e7ed3aea03c38e Mon Sep 17 00:00:00 2001 From: Honigeintopf Date: Thu, 7 Nov 2024 14:20:01 +0100 Subject: [PATCH 11/13] Updated with seed --- controllers/set/status.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controllers/set/status.go b/controllers/set/status.go index b02e11c..ad3aa83 100644 --- a/controllers/set/status.go +++ b/controllers/set/status.go 
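Review bot: In the closing return, `IsReady: allConditionsMet` can only ever be false at that point, because the `if allConditionsMet` added above already returned, and `CreateTimeout: false, HealthTimeout: false` spell out zero values; the literal is misleading about which case it represents. `return firewallConditionStatus{}` with a comment such as `// neither ready nor timed out: the firewall is still progressing` says what the callers in setStatus rely on. Moving the readiness check ahead of the timeouts is the right fix for ready firewalls being flagged with a create timeout; it deserves a comment on the ordering so a later reorder does not reintroduce it, e.g. `// readiness must be decided before any timeout, otherwise a long-lived ready firewall is reported as timed out`.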
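Review bot: Raising `CreateTimeout` to `19 * 24 * time.Hour`, the same value as `FirewallHealthTimeout`, means the integration suite can no longer reach the create-timeout branch of `evaluateFirewallConditions` at all; as far as the diff shows, this bump appears to compensate for ready firewalls previously hitting the create timeout, which the status.go hunk in this same commit fixes by checking readiness first. With that ordering fix in place the short `10 * time.Minute` value can likely be restored, and a dedicated test that backdates a firewall in `FirewallPhaseCreating` would cover the branch that is otherwise untested. The `BeforeSuite` body continues outside this hunk.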
@@ -27,7 +27,7 @@ func (c *controller) evaluateFirewallConditions(fw *v2.Firewall) firewallConditi
 allConditionsMet = created && ready && connected && seedConnected && distanceConfigured
 )
- allocationTimestamp := pointer.SafeDeref(fw.Status.MachineStatus).AllocationTimestamp.Time
+ allocationTimestamp := pointer.SafeDeref(fw.Status.ControllerStatus).SeedUpdated.Time
 timeSinceAllocation := time.Since(allocationTimestamp)
 
 if allConditionsMet {
@@ -43,7 +43,7 @@ func (c *controller) evaluateFirewallConditions(fw *v2.Firewall) firewallConditi
 }
 
- if created && timeSinceAllocation > unhealthyTimeout {
+ if unhealthyTimeout != 0 && created && timeSinceAllocation > unhealthyTimeout {
 return firewallConditionStatus{HealthTimeout: true}
 }
 
From 026254622c37f4984475f9b46f95ada5cea95666 Mon Sep 17 00:00:00 2001
From: Honigeintopf
Date: Fri, 8 Nov 2024 10:32:23 +0100
Subject: [PATCH 12/13] update integration test

---
 controllers/set/status.go | 19 +++++++++---------
 integration/integration_test.go | 34 ++++++++++++++++++++++++++++-----
 2 files changed, 38 insertions(+), 15 deletions(-)

diff --git a/controllers/set/status.go b/controllers/set/status.go
index ad3aa83..3ed9291 100644
--- a/controllers/set/status.go
+++ b/controllers/set/status.go
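Review bot: The new `unhealthyTimeout != 0` guard treats a zero health timeout as "disabled", but the create-timeout branch a few lines above (outside this hunk) still compares against `allocationTimeout` with no such guard, so a zero `GetCreateTimeout()` makes `timeSinceAllocation > allocationTimeout` true on the first evaluation of any created firewall. If zero is meant to disable a timeout, both comparisons need the same treatment: `if allocationTimeout != 0 && created && timeSinceAllocation > allocationTimeout {`. That convention should also be stated once above the function, e.g. `// A zero timeout disables the corresponding check.`, since nothing else in the file documents it. `evaluateFirewallConditions` begins before this hunk.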
@@ -27,26 +27,25 @@ func (c *controller) evaluateFirewallConditions(fw *v2.Firewall) firewallConditi allConditionsMet = created && ready && connected && seedConnected && distanceConfigured ) - allocationTimestamp := pointer.SafeDeref(fw.Status.ControllerStatus).SeedUpdated.Time - timeSinceAllocation := time.Since(allocationTimestamp) + seedUpdatedTime := pointer.SafeDeref(fw.Status.ControllerStatus).SeedUpdated.Time + timeSinceReconcile := time.Since(seedUpdatedTime) if allConditionsMet { return firewallConditionStatus{IsReady: true} } - if created && timeSinceAllocation > allocationTimeout { - - // If the firewall is still creating, don't set a timeout - if fw.Status.Phase != v2.FirewallPhaseCreating { - return firewallConditionStatus{CreateTimeout: true} - } - + // duration after which a firewall in the creation phase will be recreated, exceeded + if fw.Status.Phase == v2.FirewallPhaseCreating && timeSinceReconcile > allocationTimeout { + c.log.Info("create timeout reached") + return firewallConditionStatus{CreateTimeout: true} } - if unhealthyTimeout != 0 && created && timeSinceAllocation > unhealthyTimeout { + if seedConnected && unhealthyTimeout != 0 && created && timeSinceReconcile > unhealthyTimeout { + c.log.Info("unhealthy timeout reached") return firewallConditionStatus{HealthTimeout: true} } + //if everything returns false, it is progressing return firewallConditionStatus{ IsReady: allConditionsMet, CreateTimeout: false, diff --git a/integration/integration_test.go b/integration/integration_test.go index 7d48b99..28928a5 100644 --- a/integration/integration_test.go +++ b/integration/integration_test.go @@ -15,6 +15,7 @@ import ( corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/util/retry" testcommon "github.com/metal-stack/firewall-controller-manager/integration/common" 
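Review bot: Both timeouts are now measured from `SeedUpdated`, which is read through `pointer.SafeDeref(fw.Status.ControllerStatus)`; if that yields the zero value for a nil `ControllerStatus`, as the nil check in the integration test of this same commit suggests it can, then `timeSinceReconcile` is enormous for a firewall whose controller has never reported, and a firewall in `FirewallPhaseCreating` returns `CreateTimeout: true` on its very first evaluation regardless of how recently it was created. The code this series replaced measured the create timeout from `fw.CreationTimestamp.Time`; a fallback such as `if seedUpdatedTime.IsZero() { seedUpdatedTime = fw.CreationTimestamp.Time }` before `time.Since` preserves that behaviour. The two new `c.log.Info` calls carry no `"firewall-name", fw.Name` pair, unlike the deletion log in delete.go, so the timeout events cannot be attributed to a firewall from the logs. Gating the health timeout on `seedConnected` also appears to mean a firewall whose seed connection is lost never times out and is reported as progressing indefinitely; if that is intended it should be documented on the condition. The function starts outside this hunk.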
@@ -1936,6 +1937,7 @@ var _ = Context("integration test", Ordered, func() { }) Expect(k8sClient.Create(ctx, deployment())).To(Succeed()) + Eventually(func() error { firewallSetList := &v2.FirewallSetList{} err := k8sClient.List(ctx, firewallSetList, client.InNamespace(namespaceName)) @@ -1953,7 +1955,6 @@ var _ = Context("integration test", Ordered, func() { It("should simulate unhealthiness and trigger deletion", func() { firewallList := &v2.FirewallList{} Eventually(func() int { - err := k8sClient.List(ctx, firewallList, client.InNamespace(firewallSet.Namespace)) if err != nil { return 0 
@@ -1961,13 +1962,36 @@ var _ = Context("integration test", Ordered, func() { return len(firewallList.Items) }, 15*time.Second, interval).Should(BeNumerically(">", 0), "Should have at least one firewall") - By("waiting for the firewall to be deleted") Eventually(func() bool { - for _, fw := range firewallList.Items { - err := k8sClient.Get(ctx, client.ObjectKeyFromObject(&fw), &v2.Firewall{}) - if !apierrors.IsNotFound(err) { + for _, item := range firewallList.Items { + var fw v2.Firewall + err := k8sClient.Get(ctx, client.ObjectKeyFromObject(&item), &fw) + if err != nil { + fmt.Printf("Failed to get firewall: %v\n", err) return false } + + if fw.Status.ControllerStatus == nil { + fw.Status.ControllerStatus = &v2.ControllerConnection{} + } + //add a fake concile so the unhealty firewall gets deleted + fw.Status.ControllerStatus.SeedUpdated.Time = time.Now().Add(-20 * 24 * time.Hour) + err = retry.RetryOnConflict(retry.DefaultRetry, func() error { + if err := k8sClient.Get(ctx, client.ObjectKeyFromObject(&fw), &fw); err != nil { + return err + } + if fw.Status.ControllerStatus == nil { + fw.Status.ControllerStatus = &v2.ControllerConnection{} + } + fw.Status.ControllerStatus.SeedUpdated.Time = time.Now().Add(-20 * 24 * time.Hour) + return k8sClient.Status().Update(ctx, &fw) + }) + + if err != nil { + fmt.Printf("Failed to update firewall status: %v\n", err) + return false + } + } return true }, 10*time.Second, interval).Should(BeTrue(), "All Firewalls should be deleted") From fe0994c2b2f25d01dce81b7c4f277d6d8be5c6b9 Mon Sep 17 00:00:00 2001 From: Honigeintopf Date: Fri, 8 Nov 2024 10:41:36 +0100 Subject: [PATCH 13/13] Adjust test to not use retry on conflict --- integration/integration_test.go | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/integration/integration_test.go b/integration/integration_test.go index 28928a5..cc46940 100644 --- a/integration/integration_test.go +++ b/integration/integration_test.go 
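Review bot: The `Eventually` under `By("waiting for the firewall to be deleted")` no longer verifies deletion: the removed `apierrors.IsNotFound` check was the only assertion that the firewall went away, and the new closure returns true as soon as every firewall's status has been updated, while the failure message still reads "All Firewalls should be deleted". Backdating `SeedUpdated` belongs in its own step, for example `By("backdating the seed reconcile timestamp so the firewall is considered unhealthy")`, followed by a separate `Eventually` that asserts `apierrors.IsNotFound` for each firewall originally listed. The first `fw.Status.ControllerStatus.SeedUpdated.Time = ...` before `retry.RetryOnConflict` is overwritten by the `Get` inside the closure and can be dropped, and the comment typos "concile" and "unhealty" should be corrected.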
@@ -15,7 +15,6 @@ import ( corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/client-go/util/retry" testcommon "github.com/metal-stack/firewall-controller-manager/integration/common" @@ -1962,13 +1961,13 @@ var _ = Context("integration test", Ordered, func() { return len(firewallList.Items) }, 15*time.Second, interval).Should(BeNumerically(">", 0), "Should have at least one firewall") - Eventually(func() bool { + Eventually(func() error { for _, item := range firewallList.Items { var fw v2.Firewall err := k8sClient.Get(ctx, client.ObjectKeyFromObject(&item), &fw) if err != nil { fmt.Printf("Failed to get firewall: %v\n", err) - return false + return err } if fw.Status.ControllerStatus == nil { 
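Review bot: Now that the closure returns the error to `Eventually`, the preceding `fmt.Printf("Failed to get firewall: %v\n", err)` duplicates it on stdout without saying which firewall failed; `return fmt.Errorf("getting firewall %s: %w", item.Name, err)` carries that context into Gomega's failure output and the `Printf` can go. The same applies to the status-update error further down, which falls outside this hunk. The loop body and the closure continue past the end of the hunk.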
@@ -1976,25 +1975,22 @@ var _ = Context("integration test", Ordered, func() { } //add a fake concile so the unhealty firewall gets deleted fw.Status.ControllerStatus.SeedUpdated.Time = time.Now().Add(-20 * 24 * time.Hour) - err = retry.RetryOnConflict(retry.DefaultRetry, func() error { - if err := k8sClient.Get(ctx, client.ObjectKeyFromObject(&fw), &fw); err != nil { - return err - } - if fw.Status.ControllerStatus == nil { - fw.Status.ControllerStatus = &v2.ControllerConnection{} - } - fw.Status.ControllerStatus.SeedUpdated.Time = time.Now().Add(-20 * 24 * time.Hour) - return k8sClient.Status().Update(ctx, &fw) - }) - + if err := k8sClient.Get(ctx, client.ObjectKeyFromObject(&fw), &fw); err != nil { + return err + } + if fw.Status.ControllerStatus == nil { + fw.Status.ControllerStatus = &v2.ControllerConnection{} + } + fw.Status.ControllerStatus.SeedUpdated.Time = time.Now().Add(-20 * 24 * time.Hour) + err = k8sClient.Status().Update(ctx, &fw) if err != nil { fmt.Printf("Failed to update firewall status: %v\n", err) - return false + return err } - } - return true - }, 10*time.Second, interval).Should(BeTrue(), "All Firewalls should be deleted") + + return nil + }, 10*time.Second, interval).Should(Succeed(), "All Firewalls should be deleted") By("verifying that a new firewall has been created") Eventually(func() int {