Open
30 commits
2072462
Update Certs
Honigeintopf Oct 25, 2024
65cc193
Update Readme to include "-n firewall"
Honigeintopf Oct 25, 2024
68d79ea
Created test to check if unhealty firewall is replaced when unhealthy
Honigeintopf Oct 28, 2024
fd71798
Added delte after healthtimeout is exceeded, still need to adjust int…
Honigeintopf Oct 31, 2024
0de0032
Added integration tests and deletion of fw after unhealthytimeout
Honigeintopf Nov 4, 2024
9605a18
refactor
Honigeintopf Nov 4, 2024
c6b5758
Fix Refactoring
Honigeintopf Nov 4, 2024
2fa826d
Finish refactor
Honigeintopf Nov 7, 2024
47f4029
Updated allocation timeout to longer than created timeout
Honigeintopf Nov 7, 2024
21d648c
Check if firewall is creating before setting allocation timeout
Honigeintopf Nov 7, 2024
4d9affd
Updated with seed
Honigeintopf Nov 7, 2024
0262546
update integration test
Honigeintopf Nov 8, 2024
fe0994c
Adjust test to not use retry on conflict
Honigeintopf Nov 8, 2024
3c98792
Merge branch 'main' into firewall-health-check
Honigeintopf May 19, 2025
41371c9
Merge branch 'main' into firewall-health-check
majst01 Oct 28, 2025
aec1033
Update integration/integration_test.go
Honigeintopf Jan 22, 2026
15bdf7b
check for allocation timeout set
Honigeintopf Jan 22, 2026
0510288
Merge branch 'main' into firewall-health-check
Gerrit91 Jan 22, 2026
8a4f4dc
Update controllers/set/status.go
Honigeintopf Jan 23, 2026
31b364e
Update controllers/set/status.go
Honigeintopf Jan 23, 2026
6e4d69c
Update controllers/set/status.go
Honigeintopf Jan 23, 2026
3d92644
Apply suggestions from code review
Honigeintopf Jan 27, 2026
1323e3f
set seed reconcile time
Honigeintopf Feb 4, 2026
8472f4e
remove annotation of fw to set reconcile connected but never reconciled.
Honigeintopf Feb 4, 2026
8cf61d4
only apply health timeoput if we actually have a seed connected once
Honigeintopf Feb 4, 2026
851fb18
allow 0s timeout to disable health timeout
Honigeintopf Feb 4, 2026
f4574a6
set health timeout if cond not met and fw phase running
Honigeintopf Feb 9, 2026
f6afb92
new condition foir fw
Honigeintopf Feb 10, 2026
d6f38a2
use monitor specific conditions
Honigeintopf Feb 10, 2026
1e2328f
Update api/v2/types_firewall.go
Honigeintopf Feb 10, 2026
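--- a/README.md
+++ b/README.md
@@ -51,4 +51,4 @@ To play with the FCM, you can also run this controller inside the [mini-lab](htt
 1. Deploy the FCM into the mini-lab with `make deploy`
 1. Adapt the example [firewalldeployment.yaml](config/examples/firewalldeployment.yaml) and apply with `kubectl apply -f config/examples/firewalldeployment.yaml`
 1. Note that the firewall-controller will not be able to connect to the mini-lab due to network restrictions, so the firewall will not get ready.
-- You can make the firewall become ready anyway by setting the annotation `kubectl annotate fw <fw-nsme> firewall.metal-stack.io/no-controller-connection=true`
+- You can make the firewall become ready anyway by setting the annotation `kubectl annotate fw <fw-nsme> -n firewall firewall.metal-stack.io/no-controller-connection=true`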
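--- a/api/v2/config/controller.go
+++ b/api/v2/config/controller.go
@@ -182,10 +182,10 @@ func (c *NewControllerConfig) validate() error {
 if c.ProgressDeadline <= 0 {
 return fmt.Errorf("progress deadline must be specified")
 }
-if c.FirewallHealthTimeout <= 0 {
+if c.FirewallHealthTimeout < 0 {
 return fmt.Errorf("firewall health timeout must be specified")
 }
-if c.CreateTimeout <= 0 {
+if c.CreateTimeout < 0 {
 return fmt.Errorf("create timeout must be specified")
 }
 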
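Review bot: With the comparisons relaxed to `< 0`, both error strings in validate() still say "must be specified", which no longer describes the only case they reject; `return fmt.Errorf("firewall health timeout must not be negative")` and the equivalent for the create timeout would match the checks. Zero is also the Go zero value of an unset numeric field, so a configuration that never sets FirewallHealthTimeout now passes validation and, going by the commit title "allow 0s timeout to disable health timeout", presumably runs with the health timeout switched off. If that default is intended, a comment such as `// 0 disables the health timeout` above the check would make the fail-open behaviour visible to operators. What a zero CreateTimeout means is not shown in this hunk and should be documented the same way. validate() starts and ends outside the hunk.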
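--- a/api/v2/types_firewall.go
+++ b/api/v2/types_firewall.go
@@ -183,6 +183,9 @@ const (
 FirewallMonitorDeployed ConditionType = "MonitorDeployed"
 // FirewallDistanceConfigured indicates that the firewall-controller has configured the given firewall distance.
 FirewallDistanceConfigured ConditionType = "Distance"
+// FirewallProvisioned indicates that all health conditions have been met at least once.
+// Once set to true, it stays true and is used to detect condition degradation.
+FirewallHealthy ConditionType = "Healthy"
 )
 
 // ShootAccess contains secret references to construct a shoot client in the firewall-controller to update its firewall monitor.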
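Review bot: The doc comment on the new constant opens with `FirewallProvisioned` while the identifier is `FirewallHealthy`, so godoc and anyone searching for the name will not find the description; the first line should read `// FirewallHealthy indicates that all health conditions have been met at least once.` The comment also states that the condition stays true once set, which means `Healthy=True` can be reported for a firewall that has since degraded. Operators or alerting that read the condition list could take that value at face value, so the comment should say explicitly that this is a latch and not a current-health signal, or the type should carry a name that says so. The const block starts outside the hunk.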
6 changes: 3 additions & 3 deletions config/examples/certs/ca-key.pem
@@ -1,5 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIBRabFggNFg6LUPxY5AeplDzeqZQmnsnFY9OmWQW2eGBoAoGCCqGSM49
AwEHoUQDQgAEkP91tJGv5pIytEgKOlwTeksfWC1MczdEmj8ouOiaQfFvCkLl5NB/
uRLrjoR8vDamER2UM+BumDy1XfM849aIww==
MHcCAQEEIMdzRnQT5XJYI5YdllH2IC4TDpkkoswIUSPxVggCmz8uoAoGCCqGSM49
AwEHoUQDQgAEzPBxsUSwbxKnyOHzLBxJtne4EKF2dktJ7cgiq88H4i2QWvH8Eu5f
WlSuos1/tjF7NdnZwdR3F09M3FWN2z32vw==
-----END EC PRIVATE KEY-----
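Review bot: This section replaces one committed CA private key with another, so the key that signs the webhook serving certificate stays readable by anyone with access to the repository. The caBundle values in config/examples/kustomize/patch-webhooks.yaml pin this CA, which means a cluster that applies the example manifests unchanged would trust webhook certificates issued with a publicly known key; config/examples/certs/tls.key has the same exposure. A short statement in the README or next to the certs that these files are for local test setups only, and that any real deployment must generate its own CA and serving key, would make that boundary explicit.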
16 changes: 8 additions & 8 deletions config/examples/certs/ca.pem
@@ -1,12 +1,12 @@
-----BEGIN CERTIFICATE-----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MQswCQYDVQQDEwJjYTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMzwcbFEsG8S
p8jh8ywcSbZ3uBChdnZLSe3IIqvPB+ItkFrx/BLuX1pUrqLNf7YxezXZ2cHUdxdP
TNxVjds99r+jQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G
A1UdDgQWBBRmKUtHhVtOaft2ka15nfnH6agg8zAKBggqhkjOPQQDAgNHADBEAiAz
dCfM0jLlTDzaEXz5z1XEg8LhJWQV5YYoF+DUlJiU/gIgfSvcno9zARAKNNH06qF0
XCzKTrC60QhD+N1wFN7X2og=
-----END CERTIFICATE-----
22 changes: 11 additions & 11 deletions config/examples/certs/tls.crt
@@ -1,15 +1,15 @@
-----BEGIN CERTIFICATE-----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MRIwEAYDVQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARN
eruOjegpfrIkOew6QNy5HsOXzL+Oie/ubpUxphleQhX7/pLjGNvo8ueWDyN0ZZ0G
vxexgYUDZkXh19dg9RzQo4HAMIG9MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUyxBq
6HMZNcJlyn+b0GRQqPwvepgwHwYDVR0jBBgwFoAUZilLR4VbTmn7dpGteZ35x+mo
IPMwPgYDVR0RBDcwNYIJbG9jYWxob3N0gihmaXJld2FsbC1jb250cm9sbGVyLW1h
bmFnZXIuZmlyZXdhbGwuc3ZjMAoGCCqGSM49BAMCA0cAMEQCIEIHZ3Uj6fNvYgKv
JbI28i8nsdF3PbCGhLW6XnFABwqBAiAP9KPZf9zAAN8DHum2s1sOYTVOHGm4drkq
NLAFeNNXbg==
-----END CERTIFICATE-----
6 changes: 3 additions & 3 deletions config/examples/certs/tls.key
@@ -1,5 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIGkp4UEW0A/611PSa/ryMg+7c2yB11ZqtA/GR1yMaeq+oAoGCCqGSM49
AwEHoUQDQgAEXxTSZ/+3bnwm0dAAvgZ08r4Z/fMrzog/gEll2lWHgYLLgfRn1FpV
cqfn43QJIFjWXeEuLjc+mg9RvypROhgRUA==
MHcCAQEEIJZT9vmyYJDxyP3gyJpkeS02M0hgXlrrrjTCmlmUOcQ0oAoGCCqGSM49
AwEHoUQDQgAETXq7jo3oKX6yJDnsOkDcuR7Dl8y/jonv7m6VMaYZXkIV+/6S4xjb
6PLnlg8jdGWdBr8XsYGFA2ZF4dfXYPUc0A==
-----END EC PRIVATE KEY-----
72 changes: 36 additions & 36 deletions config/examples/kustomize/patch-webhooks.yaml
Expand Up @@ -4,45 +4,45 @@ kind: MutatingWebhookConfiguration
metadata:
name: mutating-webhook-configuration
webhooks:
- name: firewall.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
- name: firewallset.metal-stack.io
clientConfig:
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ2VENDQVdTZ0F3SUJBZ0lVWTJlaUpMcFlRSzRoMzVpREpiR3NVUFpsc0Fjd0NnWUlLb1pJemowRUF3SXcKUFRFTE1Ba0dBMVVFQmhNQ1JFVXhEekFOQmdOVkJBZ1RCazExYm1samFERVFNQTRHQTFVRUJ4TUhRbUYyWVhKcApZVEVMTUFrR0ExVUVBeE1DWTJFd0hoY05Nak13TkRFNE1EYzFOREF3V2hjTk1qZ3dOREUyTURjMU5EQXdXakE5Ck1Rc3dDUVlEVlFRR0V3SkVSVEVQTUEwR0ExVUVDQk1HVFhWdWFXTm9NUkF3RGdZRFZRUUhFd2RDWVhaaGNtbGgKTVFzd0NRWURWUVFERXdKallUQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJKRC9kYlNScithUwpNclJJQ2pwY0UzcExIMWd0VEhNM1JKby9LTGpvbWtIeGJ3cEM1ZVRRZjdrUzY0NkVmTHcycGhFZGxEUGdicGc4CnRWM3pQT1BXaU1PalFqQkFNQTRHQTFVZER3RUIvd1FFQXdJQkJqQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01CMEcKQTFVZERnUVdCQlJMNys2dDBhWXQvdnZxZVBvRGR5SnNRNkRRNWpBS0JnZ3Foa2pPUFFRREFnTkhBREJFQWlCNQo0bklUWHpxMjNiN0haV2YvVE4yMkRRWCs5QWpjMnhPd3MybHdseDhUcFFJZ1NQMHpUYTN5R2VhYnFCZ2ptQU5aCkdUWVphU0FCTEJBb1ExTHQ1RTZzQ1ZzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
service:
name: firewall-controller-manager
namespace: firewall
- name: firewalldeployment.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
- name: firewall.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
- name: firewallset.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
- name: firewalldeployment.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-configuration
webhooks:
- name: firewall.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
- name: firewallset.metal-stack.io
clientConfig:
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ2VENDQVdTZ0F3SUJBZ0lVWTJlaUpMcFlRSzRoMzVpREpiR3NVUFpsc0Fjd0NnWUlLb1pJemowRUF3SXcKUFRFTE1Ba0dBMVVFQmhNQ1JFVXhEekFOQmdOVkJBZ1RCazExYm1samFERVFNQTRHQTFVRUJ4TUhRbUYyWVhKcApZVEVMTUFrR0ExVUVBeE1DWTJFd0hoY05Nak13TkRFNE1EYzFOREF3V2hjTk1qZ3dOREUyTURjMU5EQXdXakE5Ck1Rc3dDUVlEVlFRR0V3SkVSVEVQTUEwR0ExVUVDQk1HVFhWdWFXTm9NUkF3RGdZRFZRUUhFd2RDWVhaaGNtbGgKTVFzd0NRWURWUVFERXdKallUQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJKRC9kYlNScithUwpNclJJQ2pwY0UzcExIMWd0VEhNM1JKby9LTGpvbWtIeGJ3cEM1ZVRRZjdrUzY0NkVmTHcycGhFZGxEUGdicGc4CnRWM3pQT1BXaU1PalFqQkFNQTRHQTFVZER3RUIvd1FFQXdJQkJqQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01CMEcKQTFVZERnUVdCQlJMNys2dDBhWXQvdnZxZVBvRGR5SnNRNkRRNWpBS0JnZ3Foa2pPUFFRREFnTkhBREJFQWlCNQo0bklUWHpxMjNiN0haV2YvVE4yMkRRWCs5QWpjMnhPd3MybHdseDhUcFFJZ1NQMHpUYTN5R2VhYnFCZ2ptQU5aCkdUWVphU0FCTEJBb1ExTHQ1RTZzQ1ZzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
service:
name: firewall-controller-manager
namespace: firewall
- name: firewalldeployment.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
- name: firewall.metal-stack.io
clientConfig:
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ2VENDQVdTZ0F3SUJBZ0lVSzc0TWxHQmw1di9QeGN2WVIxZ1gvNFphaGVjd0NnWUlLb1pJemowRUF3SXcKUFRFTE1Ba0dBMVVFQmhNQ1JFVXhEekFOQmdOVkJBZ1RCazExYm1samFERVFNQTRHQTFVRUJ4TUhRbUYyWVhKcApZVEVMTUFrR0ExVUVBeE1DWTJFd0hoY05NalF4TURJMU1USTBNREF3V2hjTk1qa3hNREkwTVRJME1EQXdXakE5Ck1Rc3dDUVlEVlFRR0V3SkVSVEVQTUEwR0ExVUVDQk1HVFhWdWFXTm9NUkF3RGdZRFZRUUhFd2RDWVhaaGNtbGgKTVFzd0NRWURWUVFERXdKallUQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJNendjYkZFc0c4UwpwOGpoOHl3Y1NiWjN1QkNoZG5aTFNlM0lJcXZQQitJdGtGcngvQkx1WDFwVXJxTE5mN1l4ZXpYWjJjSFVkeGRQClROeFZqZHM5OXIralFqQkFNQTRHQTFVZER3RUIvd1FFQXdJQkJqQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01CMEcKQTFVZERnUVdCQlJtS1V0SGhWdE9hZnQya2ExNW5mbkg2YWdnOHpBS0JnZ3Foa2pPUFFRREFnTkhBREJFQWlBegpkQ2ZNMGpMbFREemFFWHo1ejFYRWc4TGhKV1FWNVlZb0YrRFVsSmlVL2dJZ2ZTdmNubzl6QVJBS05OSDA2cUYwClhDektUckM2MFFoRCtOMXdGTjdYMm9nPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
service:
name: firewall-controller-manager
namespace: firewall
- name: firewallset.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
- name: firewalldeployment.metal-stack.io
clientConfig:
caBundle: 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
service:
name: firewall-controller-manager
namespace: firewall
5 changes: 5 additions & 0 deletions controllers/firewall/reconcile.go
Expand Up @@ -30,6 +30,11 @@ func (c *controller) Reconcile(r *controllers.Ctx[*v2.Firewall]) error {
}

SetFirewallStatusFromMonitor(r.Target, mon)

if isAllConditionsMet(r.Target) {
cond := v2.NewCondition(v2.FirewallHealthy, v2.ConditionTrue, "Healthy", "All firewall conditions have been met.")
Contributor


This should be done in SetFirewallStatusFromMonitor. The case needs to be handled when FirewallNoControllerConnectionAnnotation is set in this same function. Otherwise, for these firewalls the health timeout would not work (i.e. when metal-api reports machine dead).

r.Target.Status.Conditions.Set(cond)
}
}()

fws, err := c.firewallCache.Get(r.Ctx, r.Target)
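--- a/controllers/firewall/status.go
+++ b/controllers/firewall/status.go
@@ -192,3 +192,19 @@ func SetFirewallStatusFromMonitor(fw *v2.Firewall, mon *v2.FirewallMonitor) {
 fw.Status.Conditions.Set(cond)
 }
 }
+
+func isAllConditionsMet(fw *v2.Firewall) bool {
+for _, ct := range []v2.ConditionType{
+v2.FirewallCreated,
+v2.FirewallReady,
+v2.FirewallControllerConnected,
+v2.FirewallControllerSeedConnected,
+v2.FirewallDistanceConfigured,
+} {
+cond := fw.Status.Conditions.Get(ct)
+if cond == nil || cond.Status != v2.ConditionTrue {
+return false
+}
+}
+return true
+}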
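Review bot: isAllConditionsMet has no doc comment, yet its hard-coded list decides whether the FirewallHealthy condition is ever set, so it needs a sentence explaining why exactly these five conditions are required. If one of them can legitimately stay unset on a working firewall (not visible from this hunk), that firewall never becomes Healthy and, assuming the health timeout is gated on this condition, would not be replaced after it degrades. A comment such as `// isAllConditionsMet reports whether every condition required for the Healthy latch is currently true.` together with a table-driven test covering a missing condition and a non-true condition would pin the behaviour. Go naming would also favour `allConditionsMet` over the `is` prefix.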