Update firewall CRDs. (#395)
Gerrit91 authored Apr 2, 2024
1 parent 1469f40 commit f3ef90c
Showing 4 changed files with 165 additions and 167 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.3
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.14.0
name: firewalldeployments.firewall.metal-stack.io
spec:
group: firewall.metal-stack.io
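Review bot: the controller-gen bump from v0.11.3 to v0.14.0 is what reflows every description below into a `|-` block scalar and drops `creationTimestamp: null`, so the remainder of this diff should be purely generated output with no hand edits. Make sure wherever the generator version is pinned for this repository points at the same v0.14.0, otherwise the next local regeneration flips these files straight back; a CI step that regenerates the CRDs and fails on a non-empty `git diff` would catch that drift.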
Expand Down Expand Up @@ -41,36 +40,42 @@ spec:
rolling update for the managed firewalls.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec contains the firewall deployment specification.
properties:
replicas:
description: Replicas is the amount of firewall replicas targeted
to be running. Defaults to 1.
description: |-
Replicas is the amount of firewall replicas targeted to be running.
Defaults to 1.
type: integer
selector:
additionalProperties:
type: string
description: Selector is a label query over firewalls that should
match the replicas count. If selector is empty, it is defaulted
to the labels present on the firewall template. Label keys and values
that must match in order to be controlled by this replication controller,
if empty defaulted to labels on firewall template.
description: |-
Selector is a label query over firewalls that should match the replicas count.
If selector is empty, it is defaulted to the labels present on the firewall template.
Label keys and values that must match in order to be controlled by this replication
controller, if empty defaulted to labels on firewall template.
type: object
strategy:
description: Strategy describes the strategy how firewalls are updated
in case the update requires a physical recreation of the firewalls.
description: |-
Strategy describes the strategy how firewalls are updated in case the update requires a physical recreation of the firewalls.
Defaults to RollingUpdate strategy.
type: string
template:
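Review bot: the `replicas` description still promises `Defaults to 1.` but the schema carries only `type: integer` with no `default`, so the defaulting happens in the controller rather than in the API server; if API-level defaulting is intended, a `+kubebuilder:default=1` marker on the Go field would make the generator emit it here. The `selector` text also now reads as two overlapping sentences (`If selector is empty, it is defaulted to the labels present on the firewall template.` followed by `... if empty defaulted to labels on firewall template.`); that is a cleanup for the Go source comment, not something to patch in this generated file.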
Expand Down Expand Up @@ -100,11 +105,10 @@ spec:
description: Spec contains the firewall specification.
properties:
allowedNetworks:
description: AllowedNetworks defines dedicated networks for
which the firewall allows in- and outgoing traffic. The
firewall-controller only enforces this setting in combination
with NetworkAccessType set to forbidden. The node network
is always allowed.
description: |-
AllowedNetworks defines dedicated networks for which the firewall allows in- and outgoing traffic.
The firewall-controller only enforces this setting in combination with NetworkAccessType set to forbidden.
The node network is always allowed.
properties:
egress:
description: Egress defines a list of cidrs which are
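Review bot: the reflowed `allowedNetworks` text keeps the two caveats that matter for anyone reading this as an access-control setting, namely that the lists are only enforced in combination with NetworkAccessType set to forbidden and that the node network is always allowed. Since a reader scanning for ingress/egress restrictions could otherwise take these lists for a hard allow-list, the description should state what happens to them when NetworkAccessType is not forbidden (silently ignored, or still reported somewhere) rather than leaving it implicit.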
Expand Down Expand Up @@ -161,15 +165,14 @@ spec:
type: object
type: array
image:
description: Image is the os image of the firewall. An update
on this field requires the recreation of the physical firewall
and can therefore lead to traffic interruption for the cluster.
description: |-
Image is the os image of the firewall.
An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
type: string
internalPrefixes:
description: InternalPrefixes specify prefixes which are considered
local to the partition or all regions. This is used for
the traffic counters. Traffic to/from these prefixes is
counted as internal traffic.
description: |-
InternalPrefixes specify prefixes which are considered local to the partition or all regions. This is used for the traffic counters.
Traffic to/from these prefixes is counted as internal traffic.
items:
type: string
type: array
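Review bot: `internalPrefixes` remains a list of free-form `type: string` items even though the description says these prefixes drive the traffic counters and the internal/external split; a `+kubebuilder:validation:Pattern` (or a `format`) on the Go field would let the API server reject malformed prefixes before the firewall-controller ever parses them. Otherwise this hunk is text-only.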
Expand All @@ -186,12 +189,10 @@ spec:
accepted connections in the droptailer log.
type: boolean
networks:
description: Networks are the networks to which this firewall
is connected. An update on this field requires the recreation
of the physical firewall and can therefore lead to traffic
interruption for the cluster. Detailed information about
the networks are fetched continuously during runtime and
stored in the status.firewallNetworks.
description: |-
Networks are the networks to which this firewall is connected.
An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
Detailed information about the networks are fetched continuously during runtime and stored in the status.firewallNetworks.
items:
type: string
type: array
Expand Down Expand Up @@ -232,24 +233,21 @@ spec:
type: object
type: array
size:
description: Size is the machine size of the firewall. An
update on this field requires the recreation of the physical
firewall and can therefore lead to traffic interruption
for the cluster.
description: |-
Size is the machine size of the firewall.
An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
type: string
sshPublicKeys:
description: SSHPublicKeys are public keys which are added
to the firewall's authorized keys file on creation. It gets
defaulted to the public key of ssh secret as provided by
the controller flags.
description: |-
SSHPublicKeys are public keys which are added to the firewall's authorized keys file on creation.
It gets defaulted to the public key of ssh secret as provided by the controller flags.
items:
type: string
type: array
userdata:
description: Userdata contains the userdata used for the creation
of the firewall. It gets defaulted to a userdata matching
for the firewall-controller with connection to Gardener
shoot and seed.
description: |-
Userdata contains the userdata used for the creation of the firewall.
It gets defaulted to a userdata matching for the firewall-controller with connection to Gardener shoot and seed.
type: string
required:
- image
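Review bot: `sshPublicKeys` now says plainly that entries land in the firewall's authorized keys file on creation and default to the public key of the ssh secret supplied via controller flags; since every key listed here grants shell access to a host that fronts cluster traffic, the description should also say who is expected to populate the field and, because the keys are applied on creation, whether later changes to the list or to the controller secret affect firewalls that already exist. Likewise `userdata` is a free-form string that the description says carries the firewall-controller's shoot and seed connection details, so it is worth noting that it may contain credentials and is readable by anyone who can read the FirewallDeployment.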
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.3
creationTimestamp: null
controller-gen.kubebuilder.io/version: v0.14.0
name: firewallmonitors.firewall.metal-stack.io
spec:
group: firewall.metal-stack.io
Expand Down Expand Up @@ -36,14 +35,16 @@ spec:
name: v2
schema:
openAPIV3Schema:
description: FirewallMonitor is typically deployed into the shoot cluster
in comparison to the other resources of this controller which are deployed
into the seed cluster's shoot namespace.
description: |-
FirewallMonitor is typically deployed into the shoot cluster in comparison to the other resources of this controller
which are deployed into the seed cluster's shoot namespace.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
conditions:
description: Conditions contain the latest available observations of a
Expand Down Expand Up @@ -89,19 +90,18 @@ spec:
controllerVersion:
type: string
distance:
description: FirewallDistance defines the as-path length of firewalls,
influencing how strong they attract network traffic for routing
traffic in and out of the cluster. This is of particular interest
during rolling firewall updates, i.e. when there is more than a
single firewall running in front of the cluster. During a rolling
update, new firewalls start with a longer distance such that traffic
is only attracted by the existing firewalls ("firewall staging").
When the new firewall has connected successfully to the firewall
monitor, the deployment controller throws away the old firewalls
and the new firewall takes over the routing. The deployment controller
will then shorten the distance of the new firewall. This approach
reduces service interruption of the external user traffic of the
cluster (for firewall-controller versions that support this feature).
description: |-
FirewallDistance defines the as-path length of firewalls, influencing how strong they attract
network traffic for routing traffic in and out of the cluster.
This is of particular interest during rolling firewall updates, i.e. when there is
more than a single firewall running in front of the cluster.
During a rolling update, new firewalls start with a longer distance such that
traffic is only attracted by the existing firewalls ("firewall staging").
When the new firewall has connected successfully to the firewall monitor, the deployment
controller throws away the old firewalls and the new firewall takes over the routing.
The deployment controller will then shorten the distance of the new firewall.
This approach reduces service interruption of the external user traffic of the cluster
(for firewall-controller versions that support this feature).
type: integer
distanceSupported:
type: boolean
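Review bot: `distance` is described as an AS-path length that the deployment controller lengthens for staging and then shortens once the new firewall has connected, yet the schema is a bare `type: integer` with no `minimum` or `maximum`, so a negative or absurdly large value is accepted by the API server and only fails, or misbehaves, inside the firewall-controller. Adding `+kubebuilder:validation:Minimum=0` and a sensible upper bound on the Go field would make the generator emit those limits here. `distanceSupported` right below it still has no description at all.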
Expand Down Expand Up @@ -209,9 +209,12 @@ spec:
description: Image is the os image of the firewall.
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
logAcceptedConnections:
description: LogAcceptedConnections if set to true, also log accepted