diff --git a/api/v2/types_firewall.go b/api/v2/types_firewall.go
index e135276..35b1db8 100644
--- a/api/v2/types_firewall.go
+++ b/api/v2/types_firewall.go
@@ -13,7 +13,7 @@ const (
 // to indicate that the firewall-controller does not connect to the firewall monitor. this way, the replica
 // set will become healthy without a controller connection.
 //
- // useful for the migration when having old firewall v1 controllers that cannot update the monitor.
+ // this can be useful to silence a problem temporarily and was used in the past for migration of firewall-controller v1.
 FirewallNoControllerConnectionAnnotation = "firewall.metal-stack.io/no-controller-connection"
 // FirewallControllerManagedByAnnotation is used as tag for creating a firewall to indicate who is managing the firewall.
 FirewallControllerManagedByAnnotation = "firewall.metal-stack.io/managed-by"
diff --git a/api/v2/types_utils.go b/api/v2/types_utils.go
index 957a380..42130e7 100644
--- a/api/v2/types_utils.go
+++ b/api/v2/types_utils.go
@@ -14,8 +14,6 @@ const (
 FinalizerName = "firewall.metal-stack.io/firewall-controller-manager"
 RollSetAnnotation = "firewall.metal-stack.io/roll-set"
 RevisionAnnotation = "firewall.metal-stack.io/revision"
-
- FirewallControllerMigrationSecretName = "firewall-controller-migration-secret"
 )
 // ConditionStatus is the status of a condition.
diff --git a/controllers/monitor/reconcile.go b/controllers/monitor/reconcile.go
index a60abab..3583881 100644
--- a/controllers/monitor/reconcile.go
+++ b/controllers/monitor/reconcile.go
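Review bot: The reworded comment on FirewallNoControllerConnectionAnnotation now presents the annotation as a general way "to silence a problem temporarily", but the context lines above say that while it is set the replica set becomes healthy without any controller connection, and nothing states what the operator gives up or when the annotation should be removed again. I would extend the comment with `// while the annotation is present, a firewall whose controller never connects is not reflected in the set's health; remove it as soon as the underlying problem is fixed, and consider alerting on firewalls that carry it.` so the bypass is not left on indefinitely. The new wording also drops the old hint that v1 controllers could not update the monitor, which is the reason a reader needs in order to understand why the switch exists; keeping a short reference to it would help.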
@@ -7,31 +7,21 @@ import (
 "time"
 v2 "github.com/metal-stack/firewall-controller-manager/api/v2"
- "github.com/metal-stack/firewall-controller-manager/api/v2/helper"
 "github.com/metal-stack/firewall-controller-manager/controllers"
 "github.com/metal-stack/firewall-controller-manager/controllers/firewall"
- "github.com/metal-stack/metal-lib/pkg/pointer"
- corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "sigs.k8s.io/controller-runtime/pkg/client"
- "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 func (c *controller) Reconcile(r *controllers.Ctx[*v2.FirewallMonitor]) error {
- fw, err := c.updateFirewallStatus(r)
+ _, err := c.updateFirewallStatus(r)
 if err != nil {
 r.Log.Error(err, "unable to update firewall status")
 return controllers.RequeueAfter(3*time.Second, "unable to update firewall status, retrying")
 }
- err = c.offerFirewallControllerMigrationSecret(r, fw)
- if err != nil {
- r.Log.Error(err, "unable to offer firewall-controller migration secret")
- return controllers.RequeueAfter(10*time.Second, "unable to offer firewall-controller migration secret, retrying")
- }
-
 err = c.rollSetAnnotation(r)
 if err != nil {
 r.Log.Error(err, "unable to handle roll set annotation")
@@ -63,70 +53,6 @@ func (c *controller) updateFirewallStatus(r *controllers.Ctx[*v2.FirewallMonitor
 return fw, nil
 }
-// offerFirewallControllerMigrationSecret provides a secret that the firewall-controller can use to update from v1.x to v2.x
-//
-// this function can be removed when all firewall-controllers are running v2.x or newer.
-func (c *controller) offerFirewallControllerMigrationSecret(r *controllers.Ctx[*v2.FirewallMonitor], fw *v2.Firewall) error {
- if metav1.GetControllerOf(fw) == nil {
- // it can be that there is no set or deployment governing the firewall.
- // in this case there may be no rbac resources deployed for seed access, so we cannot offer a migration secret.
- return nil
- }
-
- migrationSecret := &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: v2.FirewallControllerMigrationSecretName,
- Namespace: c.c.GetShootNamespace(),
- },
- }
-
- isOldController := pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Reason == "NotChecking" && r.Target.ControllerStatus == nil
- if !isOldController {
- // firewall-controller is already running with version v2.x or later, not offering migration secret
- return client.IgnoreNotFound(c.c.GetShootClient().Delete(r.Ctx, migrationSecret))
- }
-
- r.Log.Info("firewall-controller seems to be running with v1.x, offering migration secret")
-
- set, err := findCorrespondingSet(r.Ctx, c.c.GetSeedClient(), fw)
- if err != nil {
- return err
- }
-
- ref := metav1.GetControllerOf(set)
- if ref == nil {
- return fmt.Errorf("unable to find out associated firewall deployment in seed: no owner ref found")
- }
-
- kubeconfig, err := helper.GetAccessKubeconfig(&helper.AccessConfig{
- Ctx: r.Ctx,
- Config: c.c.GetSeedConfig(),
- Namespace: c.c.GetSeedNamespace(),
- ApiServerURL: c.c.GetSeedAPIServerURL(),
- Deployment: &v2.FirewallDeployment{
- ObjectMeta: metav1.ObjectMeta{
- Name: ref.Name,
- Namespace: c.c.GetSeedNamespace(),
- },
- },
- })
- if err != nil {
- return fmt.Errorf("error creating kubeconfig for firewall-controller migration secret: %w", err)
- }
-
- _, err = controllerutil.CreateOrUpdate(r.Ctx, c.c.GetShootClient(), migrationSecret, func() error {
- migrationSecret.Data = map[string][]byte{
- "kubeconfig": kubeconfig,
- }
- return nil
- })
- if err != nil {
- return fmt.Errorf("error ensuring firewall-controller migration secret: %w", err)
- }
-
- return nil
-}
-
 func (c *controller) rollSetAnnotation(r *controllers.Ctx[*v2.FirewallMonitor]) error {
 v, ok := r.Target.Annotations[v2.RollSetAnnotation]
 if !ok {