From a018b3e258c9ffd619ccb16c56484fe673ed27b2 Mon Sep 17 00:00:00 2001
From: Vegard Engen
Date: Sat, 19 Apr 2025 20:34:56 +0200
Subject: [PATCH 1/3] Fix log statement that created panic
---
 internal/controller/firewallrule_controller.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/internal/controller/firewallrule_controller.go b/internal/controller/firewallrule_controller.go
index 3727c70..daec052 100644
--- a/internal/controller/firewallrule_controller.go
+++ b/internal/controller/firewallrule_controller.go
@@ -258,9 +258,10 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request
 log.Error(err, fmt.Sprintf("Failed to create %s", createdFirewallGroupCRD.Name))
 return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
 } else {
+ time.Sleep(10 * time.Second)
 _ = r.Get(ctx, types.NamespacedName{Name: createdFirewallGroupCRD.Name, Namespace: createdFirewallGroupCRD.Namespace}, &firewallGroupCRD)
 }
- log.Info("Adding %+v", firewallGroupCRD)
+ log.Info(fmt.Sprintf("Adding %+v", firewallGroupCRD))
 myFirewallGroups = append(myFirewallGroups, firewallGroupCRD)
 found := false
 for _, managedFirewallGroup := range firewallRule.Status.ResourcesManaged.FirewallGroups {
From 6b85bf78c0f7018f393679bcc27282c231f714ab Mon Sep 17 00:00:00 2001
From: Vegard Engen
Date: Sun, 20 Apr 2025 10:30:21 +0200
Subject: [PATCH 2/3] Add status fields and finalizer
---
 api/v1beta1/firewallrule_types.go | 15 +-
 .../unifi.engen.priv.no_firewallrules.yaml | 13 +-
 .../controller/firewallgroup_controller.go | 4 +
 .../controller/firewallrule_controller.go | 445 ++++++++++++------
 4 files changed, 325 insertions(+), 152 deletions(-)
diff --git a/api/v1beta1/firewallrule_types.go b/api/v1beta1/firewallrule_types.go
index 9fb72c6..54ab304 100644
--- a/api/v1beta1/firewallrule_types.go
+++ b/api/v1beta1/firewallrule_types.go
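Review bot: The added `time.Sleep(10 * time.Second)` stalls the reconcile worker for ten seconds on every group creation, and the `r.Get` on the following line still discards its error with `_ =`, so `firewallGroupCRD` can be the zero value when the later `log.Info` and `append` run. Let the work queue do the waiting instead: `return ctrl.Result{RequeueAfter: 10 * time.Second}, nil` after a successful create, or use `createdFirewallGroupCRD`, which the client normally populates on a successful create, rather than re-reading it. The `log.Info(fmt.Sprintf("Adding %+v", firewallGroupCRD))` fix removes the panic but dumps the whole object into one message; the key/value form used elsewhere in this repository, `log.Info("Adding firewall group", "name", firewallGroupCRD.Name)`, keeps the log structured. Reconcile starts and ends outside this hunk.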
@@ -40,9 +40,6 @@ import ( //} type FirewallRuleSpec struct { - // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster - // Important: Run "make" to regenerate code after modifying this file - Name string `json:"name"` Source FirewallSource `json:"source"` Destination FirewallDestination `json:"destination"` @@ -52,9 +49,6 @@ type FirewallRuleSpec struct { // FirewallRuleStatus defines the observed state of FirewallRule. type FirewallRuleStatus struct { - // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster - // Important: Run "make" to regenerate code after modifying this file - ResourcesManaged *FirewallRuleResourcesManaged `json:"resources_managed,omitempty"` } @@ -64,9 +58,12 @@ type FirewallRuleResourcesManaged struct { } type UnifiFirewallRuleEntry struct { - From string `json:"from"` - To string `json:"to"` - RuleID string `json:"rule_id"` + From string `json:"from"` + To string `json:"to"` + TcpIpv4ID string `json:"tcpipv4_id"` + UdpIpv4ID string `json:"udpipv4_id"` + TcpIpv6ID string `json:"tcpipv6_id"` + UdpIpv6ID string `json:"udpipv6_id"` } // +kubebuilder:object:root=true diff --git a/config/crd/bases/unifi.engen.priv.no_firewallrules.yaml b/config/crd/bases/unifi.engen.priv.no_firewallrules.yaml index ffb7612..b6d8c1b 100644 --- a/config/crd/bases/unifi.engen.priv.no_firewallrules.yaml +++ b/config/crd/bases/unifi.engen.priv.no_firewallrules.yaml @@ -110,14 +110,23 @@ spec: properties: from: type: string - rule_id: + tcpipv4_id: + type: string + tcpipv6_id: type: string to: type: string + udpipv4_id: + type: string + udpipv6_id: + type: string required: - from - - rule_id + - tcpipv4_id + - tcpipv6_id - to + - udpipv4_id + - udpipv6_id type: object type: array type: object diff --git a/internal/controller/firewallgroup_controller.go b/internal/controller/firewallgroup_controller.go index 05529b9..105b3ae 100644 --- a/internal/controller/firewallgroup_controller.go +++ b/internal/controller/firewallgroup_controller.go 
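Review bot: Replacing `RuleID` with four per-protocol ID fields changes the stored status schema without a migration, so a FirewallRule status written by the previous version loses its `rule_id` on decode and the Unifi policy it referred to is no longer tracked. Unless that is handled somewhere not shown here, the finalizer added in this commit cannot delete those older policies. A doc comment would make the contract explicit, e.g. `// UnifiFirewallRuleEntry records the Unifi policy IDs created for one source (From) / FirewallGroup (To) pair; an empty ID means that policy has not been created or was already deleted.` Go's initialism convention would spell the fields `TCPIPv4ID`, `UDPIPv4ID`, `TCPIPv6ID`, `UDPIPv6ID`; the json tags can stay as they are.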
@@ -97,6 +97,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R log.Info("Running finalizer logic for FirewallGroup", "name", firewallGroup.Name) if len(firewallGroup.Status.ResourcesManaged.IPV4Object.ID) > 0 { + log.Info(fmt.Sprintf("Trying to delete ipv4 object %s", firewallGroup.Status.ResourcesManaged.IPV4Object.ID)) err := r.UnifiClient.Client.DeleteFirewallGroup(context.Background(), r.UnifiClient.SiteID, firewallGroup.Status.ResourcesManaged.IPV4Object.ID) if err != nil { msg := strings.ToLower(err.Error()) @@ -123,6 +124,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R } } if len(firewallGroup.Status.ResourcesManaged.IPV6Object.ID) > 0 { + log.Info(fmt.Sprintf("Trying to delete ipv6 object %s", firewallGroup.Status.ResourcesManaged.IPV6Object.ID)) err := r.UnifiClient.Client.DeleteFirewallGroup(context.Background(), r.UnifiClient.SiteID, firewallGroup.Status.ResourcesManaged.IPV6Object.ID) if err != nil { msg := strings.ToLower(err.Error()) @@ -149,6 +151,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R } } if len(firewallGroup.Status.ResourcesManaged.TCPPortsObject.ID) > 0 { + log.Info(fmt.Sprintf("Trying to delete tcp object %s", firewallGroup.Status.ResourcesManaged.TCPPortsObject.ID)) err := r.UnifiClient.Client.DeleteFirewallGroup(context.Background(), r.UnifiClient.SiteID, firewallGroup.Status.ResourcesManaged.TCPPortsObject.ID) if err != nil { msg := strings.ToLower(err.Error()) 
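Review bot: The new log line folds the object ID into the message with `fmt.Sprintf`, while the line just above it (`log.Info("Running finalizer logic for FirewallGroup", "name", firewallGroup.Name)`) uses logr key/value pairs, so the ID is not searchable as a field. Prefer `log.Info("Deleting firewall group object", "kind", "ipv4", "id", firewallGroup.Status.ResourcesManaged.IPV4Object.ID)` here, and the same shape in the @@ -123, @@ -149 and @@ -175 hunks. Reconcile starts and ends outside these hunks.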
@@ -175,6 +178,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R } } if len(firewallGroup.Status.ResourcesManaged.UDPPortsObject.ID) > 0 { + log.Info(fmt.Sprintf("Trying to delete udp object %s", firewallGroup.Status.ResourcesManaged.UDPPortsObject.ID)) err := r.UnifiClient.Client.DeleteFirewallGroup(context.Background(), r.UnifiClient.SiteID, firewallGroup.Status.ResourcesManaged.UDPPortsObject.ID) if err != nil { msg := strings.ToLower(err.Error()) diff --git a/internal/controller/firewallrule_controller.go b/internal/controller/firewallrule_controller.go index daec052..a132a9b 100644 --- a/internal/controller/firewallrule_controller.go +++ b/internal/controller/firewallrule_controller.go @@ -28,6 +28,7 @@ import ( "k8s.io/apimachinery/pkg/types" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" "sigs.k8s.io/controller-runtime/pkg/handler" "sigs.k8s.io/controller-runtime/pkg/log" @@ -45,6 +46,8 @@ type FirewallRuleReconciler struct { ConfigLoader *config.ConfigLoaderType } +const firewallRuleFinalizer = "finalizer.unifi.engen.priv.no/firewallrule" + // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallrules,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallrules/status,verbs=get;update;patch // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallrules/finalizers,verbs=update 
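Review bot: `firewallRuleFinalizer` is a new package-level constant without a doc comment, so nothing states what the finalizer guards or when it is removed. Suggest `// firewallRuleFinalizer blocks deletion of a FirewallRule until the Unifi firewall policies and FirewallGroup objects recorded in its status have been removed.` above the declaration, matching the doc-comment style of the exported names in this file.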
@@ -115,6 +118,101 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request } log.Info(firewallRule.Spec.Name) + if firewallRule.DeletionTimestamp != nil { + if controllerutil.ContainsFinalizer(&firewallRule, firewallRuleFinalizer) { + err := r.UnifiClient.Reauthenticate() + if err != nil { + return ctrl.Result{}, err + } + log.Info("Running finalizer logic for FirewallRule", "name", firewallRule.Name) + + if len(firewallRule.Status.ResourcesManaged.UnifiFirewallRules) > 0 { + for i, UnifiFirewallRule := range firewallRule.Status.ResourcesManaged.UnifiFirewallRules { + if len(UnifiFirewallRule.TcpIpv4ID) > 0 { + err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallRule.TcpIpv4ID) + if err != nil { + return ctrl.Result{RequeueAfter: 10 * time.Minute}, err + } else { + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].TcpIpv4ID = "" + if err := r.Status().Update(ctx, &firewallRule); err != nil { + return ctrl.Result{RequeueAfter: 10 * time.Minute}, err + } + } + } + if len(UnifiFirewallRule.UdpIpv4ID) > 0 { + err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallRule.UdpIpv4ID) + if err != nil { + return ctrl.Result{RequeueAfter: 10 * time.Minute}, err + } else { + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].UdpIpv4ID = "" + if err := r.Status().Update(ctx, &firewallRule); err != nil { + return ctrl.Result{RequeueAfter: 10 * time.Minute}, err + } + } + } + if len(UnifiFirewallRule.TcpIpv6ID) > 0 { + err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallRule.TcpIpv6ID) + if err != nil { + return ctrl.Result{RequeueAfter: 10 * time.Minute}, err + } else { + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].TcpIpv6ID = "" + if err := r.Status().Update(ctx, &firewallRule); err != nil { + return ctrl.Result{RequeueAfter: 10 * time.Minute}, err + } + } + } + 
if len(UnifiFirewallRule.UdpIpv6ID) > 0 { + err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallRule.UdpIpv6ID) + if err != nil { + return ctrl.Result{RequeueAfter: 10 * time.Minute}, err + } else { + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].UdpIpv6ID = "" + if err := r.Status().Update(ctx, &firewallRule); err != nil { + return ctrl.Result{RequeueAfter: 10 * time.Minute}, err + } + } + } + } + } + + if len(firewallRule.Status.ResourcesManaged.FirewallGroups) > 0 { + for i, firewallGroup := range firewallRule.Status.ResourcesManaged.FirewallGroups { + var firewallGroupCRD unifiv1beta1.FirewallGroup + if firewallGroup.Name != "" { + if err := r.Get(ctx, types.NamespacedName{Name: firewallGroup.Name, Namespace: firewallGroupCRD.Namespace}, &firewallGroupCRD); err != nil { + return ctrl.Result{RequeueAfter: 10 * time.Minute}, err + } + if err := r.Delete(ctx, &firewallGroupCRD); err != nil { + log.Error(err, "Could not delete firewall group") + return ctrl.Result{RequeueAfter: 10 * time.Minute}, err + } + firewallRule.Status.ResourcesManaged.FirewallGroups[i].Name = "" + firewallRule.Status.ResourcesManaged.FirewallGroups[i].Namespace = "" + if err := r.Status().Update(ctx, &firewallRule); err != nil { + return ctrl.Result{RequeueAfter: 10 * time.Minute}, err + } + } + } + } + controllerutil.RemoveFinalizer(&firewallRule, firewallRuleFinalizer) + if err := r.Update(ctx, &firewallRule); err != nil { + return ctrl.Result{}, err + } + + log.Info("Successfully finalized FirewallGroup") + } + return ctrl.Result{}, nil + } + if !controllerutil.ContainsFinalizer(&firewallRule, firewallRuleFinalizer) { + controllerutil.AddFinalizer(&firewallRule, firewallRuleFinalizer) + if err := r.Update(ctx, &firewallRule); err != nil { + return ctrl.Result{}, err + } + } + + firewallruleindex := make(map[string]int) + + nextIndex := 0 if firewallRule.Status.ResourcesManaged == nil { firewallGroupsManaged := 
[]unifiv1beta1.FirewallGroupEntry{} unifiFirewallRules := []unifiv1beta1.UnifiFirewallRuleEntry{} @@ -122,6 +220,11 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request UnifiFirewallRules: unifiFirewallRules, FirewallGroups: firewallGroupsManaged, } + } else { + for index, firewallRuleEntry := range firewallRule.Status.ResourcesManaged.UnifiFirewallRules { + firewallruleindex[firewallRuleEntry.From+"/"+firewallRuleEntry.To] = index + nextIndex = nextIndex + 1 + } } err = r.UnifiClient.Reauthenticate() if err != nil { @@ -297,35 +400,53 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request if i, found := zoneCRDNames[namespace+"/"+zoneEntry.Name]; found { log.Info(fmt.Sprintf("Creating firewallrules for %s", zoneCRDs.Items[i].Name)) for _, firewallGroup := range myFirewallGroups { + i, found := firewallruleindex["zone:"+zoneCRDs.Items[i].Name+"/"+firewallGroup.Name] + if !found { + firewallRuleEntry := unifiv1beta1.UnifiFirewallRuleEntry{ + 
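Review bot: In the FirewallGroups cleanup loop the `r.Get` key uses `firewallGroupCRD.Namespace`, which is the zero value of the `var firewallGroupCRD` declared on the previous line, so the lookup always runs with an empty namespace; it should be `Namespace: firewallGroup.Namespace`, the status entry's own field that the hunk itself clears a few lines later. The finalizer block also dereferences `firewallRule.Status.ResourcesManaged` before the `== nil` check that follows it, so deleting a FirewallRule whose status was never populated panics; wrap both cleanup loops in `if firewallRule.Status.ResourcesManaged != nil`. A `Get` or `Delete` that reports NotFound should count as done (`if err := r.Delete(ctx, &firewallGroupCRD); client.IgnoreNotFound(err) != nil {`), otherwise a group removed out of band leaves the FirewallRule stuck in Terminating with the finalizer never removed. The closing message `log.Info("Successfully finalized FirewallGroup")` should read `FirewallRule`. Reconcile starts and ends outside this hunk.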
From: "zone:" + zoneCRDs.Items[i].Name, + To: firewallGroup.Name, + TcpIpv4ID: "", + UdpIpv4ID: "", + TcpIpv6ID: "", + UdpIpv6ID: "", + } + firewallRule.Status.ResourcesManaged.UnifiFirewallRules = append(firewallRule.Status.ResourcesManaged.UnifiFirewallRules, firewallRuleEntry) + i = nextIndex + nextIndex = nextIndex + 1 + } + if len(firewallGroup.Status.ResolvedIPV4Addresses) > 0 { if len(firewallGroup.Status.ResolvedTCPPorts) > 0 { rulename := "k8s-fw-" + firewallRule.Name + "-" + zoneCRDs.Items[i].Name + "-" + firewallGroup.Name + "-ipv4-tcp" if _, found := unifiFirewallruleNames[rulename]; !found { log.Info(fmt.Sprintf("Creating ipv4 tcp firewallrule for %s to %s: %s", zoneCRDs.Items[i].Name, firewallGroup.Name, rulename)) - firewallRule := fillDefaultRule() - firewallRule.Name = rulename - firewallRule.Source.PortMatchingType = "ANY" - firewallRule.Source.ZoneID = zoneCRDs.Items[i].Spec.ID - firewallRule.Source.MatchingTarget = "ANY" - firewallRule.Protocol = "tcp" - firewallRule.IPVersion = "IPV4" - firewallRule.Description = fmt.Sprintf("Allow tcp IPV4 from %s to %s", zoneCRDs.Items[i].Name, firewallGroup.Name) - firewallRule.Destination.MatchingTargetType = "OBJECT" - firewallRule.Destination.IPGroupID = firewallGroup.Status.ResourcesManaged.IPV4Object.ID - firewallRule.Destination.MatchingTarget = "IP" - firewallRule.Destination.PortMatchingType = "OBJECT" - firewallRule.Destination.PortGroupID = firewallGroup.Status.ResourcesManaged.TCPPortsObject.ID - firewallRule.Destination.ZoneID = kubernetesZoneID + unifiFirewallRule := fillDefaultRule() + unifiFirewallRule.Name = rulename + unifiFirewallRule.Source.PortMatchingType = "ANY" + unifiFirewallRule.Source.ZoneID = zoneCRDs.Items[i].Spec.ID + unifiFirewallRule.Source.MatchingTarget = "ANY" + unifiFirewallRule.Protocol = "tcp" + unifiFirewallRule.IPVersion = "IPV4" + unifiFirewallRule.Description = fmt.Sprintf("Allow tcp IPV4 from %s to %s", zoneCRDs.Items[i].Name, firewallGroup.Name) + 
unifiFirewallRule.Destination.MatchingTargetType = "OBJECT" + unifiFirewallRule.Destination.IPGroupID = firewallGroup.Status.ResourcesManaged.IPV4Object.ID + unifiFirewallRule.Destination.MatchingTarget = "IP" + unifiFirewallRule.Destination.PortMatchingType = "OBJECT" + unifiFirewallRule.Destination.PortGroupID = firewallGroup.Status.ResourcesManaged.TCPPortsObject.ID + unifiFirewallRule.Destination.ZoneID = kubernetesZoneID - log.Info(fmt.Sprintf("Trying to create firewall rule from zone %s to %s: %+v", zoneCRDs.Items[i].Name, firewallGroup.Name, firewallRule)) - pretty, _ := json.MarshalIndent(firewallRule, "", " ") + log.Info(fmt.Sprintf("Trying to create firewall rule from zone %s to %s: %+v", zoneCRDs.Items[i].Name, firewallGroup.Name, unifiFirewallRule)) + pretty, _ := json.MarshalIndent(unifiFirewallRule, "", " ") log.Info(string(pretty)) - _, err := r.UnifiClient.Client.CreateFirewallPolicy(context.Background(), r.UnifiClient.SiteID, &firewallRule) + updatedRule, err := r.UnifiClient.Client.CreateFirewallPolicy(context.Background(), r.UnifiClient.SiteID, &unifiFirewallRule) if err != nil { log.Error(err, "Could not create firewall policy") return ctrl.Result{}, err } - + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].TcpIpv4ID = updatedRule.ID + if err = r.Status().Update(ctx, &firewallRule); err != nil { + return ctrl.Result{}, err + } } else { log.Info(fmt.Sprintf("Firewall rule for ipv4 tcp %s to %s already exists", zoneCRDs.Items[i].Name, firewallGroup.Name)) } 
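Review bot: `i, found := firewallruleindex[...]` redeclares `i` inside the `for _, firewallGroup := range myFirewallGroups` loop, so every later `zoneCRDs.Items[i]` in this block (the rule name, `Source.ZoneID` and the log lines) now indexes the zone list with the position of the status entry instead of the zone index from `if i, found := zoneCRDNames[...]; found`. Unless both indices happen to be 0 this produces an allow rule sourced from the wrong zone or an out-of-range panic; the @@ -440 hunk has the same shadowing for `networkCRDs.Items[i]`. Rename the new variable, e.g. `ruleIdx, found := firewallruleindex["zone:"+zoneCRDs.Items[i].Name+"/"+firewallGroup.Name]` and `firewallRule.Status.ResourcesManaged.UnifiFirewallRules[ruleIdx].TcpIpv4ID = updatedRule.ID`, and run the `shadow` analyzer in CI to catch recurrences. Reconcile starts and ends outside this hunk.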
@@ -334,29 +455,33 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request rulename := "k8s-fw-" + firewallRule.Name + "-" + zoneCRDs.Items[i].Name + "-" + firewallGroup.Name + "-ipv4-udp" if _, found := unifiFirewallruleNames[rulename]; !found { log.Info(fmt.Sprintf("Creating ipv4 udp firewallrule for %s to %s: %s", zoneCRDs.Items[i].Name, firewallGroup.Name, rulename)) - firewallRule := fillDefaultRule() - firewallRule.Name = rulename - firewallRule.Source.PortMatchingType = "ANY" - firewallRule.Source.ZoneID = zoneCRDs.Items[i].Spec.ID - firewallRule.Source.MatchingTarget = "ANY" - firewallRule.Protocol = "udp" - firewallRule.IPVersion = "IPV4" - firewallRule.Description = fmt.Sprintf("Allow udp IPV4 from %s to %s", zoneCRDs.Items[i].Name, firewallGroup.Name) - firewallRule.Destination.MatchingTargetType = "OBJECT" - firewallRule.Destination.IPGroupID = firewallGroup.Status.ResourcesManaged.IPV4Object.ID - firewallRule.Destination.MatchingTarget = "IP" - firewallRule.Destination.PortMatchingType = "OBJECT" - firewallRule.Destination.PortGroupID = firewallGroup.Status.ResourcesManaged.UDPPortsObject.ID - firewallRule.Destination.ZoneID = kubernetesZoneID + unifiFirewallRule := fillDefaultRule() + unifiFirewallRule.Name = rulename + unifiFirewallRule.Source.PortMatchingType = "ANY" + unifiFirewallRule.Source.ZoneID = zoneCRDs.Items[i].Spec.ID + unifiFirewallRule.Source.MatchingTarget = "ANY" + unifiFirewallRule.Protocol = "udp" + unifiFirewallRule.IPVersion = "IPV4" + unifiFirewallRule.Description = fmt.Sprintf("Allow udp IPV4 from %s to %s", zoneCRDs.Items[i].Name, firewallGroup.Name) + unifiFirewallRule.Destination.MatchingTargetType = "OBJECT" + unifiFirewallRule.Destination.IPGroupID = firewallGroup.Status.ResourcesManaged.IPV4Object.ID + unifiFirewallRule.Destination.MatchingTarget = "IP" + unifiFirewallRule.Destination.PortMatchingType = "OBJECT" + unifiFirewallRule.Destination.PortGroupID = 
firewallGroup.Status.ResourcesManaged.UDPPortsObject.ID + unifiFirewallRule.Destination.ZoneID = kubernetesZoneID - log.Info(fmt.Sprintf("Trying to create firewall rule from zone %s to %s: %+v", zoneCRDs.Items[i].Name, firewallGroup.Name, firewallRule)) - pretty, _ := json.MarshalIndent(firewallRule, "", " ") + log.Info(fmt.Sprintf("Trying to create firewall rule from zone %s to %s: %+v", zoneCRDs.Items[i].Name, firewallGroup.Name, unifiFirewallRule)) + pretty, _ := json.MarshalIndent(unifiFirewallRule, "", " ") log.Info(string(pretty)) - _, err := r.UnifiClient.Client.CreateFirewallPolicy(context.Background(), r.UnifiClient.SiteID, &firewallRule) + updatedRule, err := r.UnifiClient.Client.CreateFirewallPolicy(context.Background(), r.UnifiClient.SiteID, &unifiFirewallRule) if err != nil { log.Error(err, "Could not create firewall policy") return ctrl.Result{}, err } + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].UdpIpv4ID = updatedRule.ID + if err := r.Status().Update(ctx, &firewallRule); err != nil { + return ctrl.Result{}, err + } } else { log.Info(fmt.Sprintf("Firewall rule for ipv4 udp %s to %s already exists", zoneCRDs.Items[i].Name, firewallGroup.Name)) 
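Review bot: This hunk is the second of eight near-identical blocks (also @@ -368, @@ -400, @@ -478 and @@ -513) that differ only in the protocol, IP version, port object and the status field that receives `updatedRule.ID`; the rename to `unifiFirewallRule` and the added `r.Status().Update` had to be repeated in each of them. A small helper that takes the protocol/IP-version pair and a pointer to the status entry would make the next correction a single edit. It would also put the debug dump `pretty, _ := json.MarshalIndent(unifiFirewallRule, "", " ")`, which logs the entire policy at Info level, in one place where it can be gated on verbosity. Reconcile starts and ends outside this hunk.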
@@ -368,29 +493,33 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request rulename := "k8s-fw-" + firewallRule.Name + "-" + zoneCRDs.Items[i].Name + "-" + firewallGroup.Name + "-ipv6-tcp" if _, found := unifiFirewallruleNames[rulename]; !found { log.Info(fmt.Sprintf("Creating ipv6 tcp firewallrule for %s to %s: %s", zoneCRDs.Items[i].Name, firewallGroup.Name, rulename)) - firewallRule := fillDefaultRule() - firewallRule.Name = rulename - firewallRule.Source.PortMatchingType = "ANY" - firewallRule.Source.ZoneID = zoneCRDs.Items[i].Spec.ID - firewallRule.Source.MatchingTarget = "ANY" - firewallRule.Protocol = "tcp" - firewallRule.IPVersion = "IPV6" - firewallRule.Description = fmt.Sprintf("Allow tcp IPV6 from %s to %s", zoneCRDs.Items[i].Name, firewallGroup.Name) - firewallRule.Destination.MatchingTargetType = "OBJECT" - firewallRule.Destination.IPGroupID = firewallGroup.Status.ResourcesManaged.IPV6Object.ID - firewallRule.Destination.MatchingTarget = "IP" - firewallRule.Destination.PortMatchingType = "OBJECT" - firewallRule.Destination.PortGroupID = firewallGroup.Status.ResourcesManaged.TCPPortsObject.ID - firewallRule.Destination.ZoneID = kubernetesZoneID + unifiFirewallRule := fillDefaultRule() + unifiFirewallRule.Name = rulename + unifiFirewallRule.Source.PortMatchingType = "ANY" + unifiFirewallRule.Source.ZoneID = zoneCRDs.Items[i].Spec.ID + unifiFirewallRule.Source.MatchingTarget = "ANY" + unifiFirewallRule.Protocol = "tcp" + unifiFirewallRule.IPVersion = "IPV6" + unifiFirewallRule.Description = fmt.Sprintf("Allow tcp IPV6 from %s to %s", zoneCRDs.Items[i].Name, firewallGroup.Name) + unifiFirewallRule.Destination.MatchingTargetType = "OBJECT" + unifiFirewallRule.Destination.IPGroupID = firewallGroup.Status.ResourcesManaged.IPV6Object.ID + unifiFirewallRule.Destination.MatchingTarget = "IP" + unifiFirewallRule.Destination.PortMatchingType = "OBJECT" + unifiFirewallRule.Destination.PortGroupID = 
firewallGroup.Status.ResourcesManaged.TCPPortsObject.ID + unifiFirewallRule.Destination.ZoneID = kubernetesZoneID - log.Info(fmt.Sprintf("Trying to create firewall rule from zone %s to %s: %+v", zoneCRDs.Items[i].Name, firewallGroup.Name, firewallRule)) - pretty, _ := json.MarshalIndent(firewallRule, "", " ") + log.Info(fmt.Sprintf("Trying to create firewall rule from zone %s to %s: %+v", zoneCRDs.Items[i].Name, firewallGroup.Name, unifiFirewallRule)) + pretty, _ := json.MarshalIndent(unifiFirewallRule, "", " ") log.Info(string(pretty)) - _, err := r.UnifiClient.Client.CreateFirewallPolicy(context.Background(), r.UnifiClient.SiteID, &firewallRule) + updatedRule, err := r.UnifiClient.Client.CreateFirewallPolicy(context.Background(), r.UnifiClient.SiteID, &unifiFirewallRule) if err != nil { log.Error(err, "Could not create firewall policy") return ctrl.Result{}, err } + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].TcpIpv6ID = updatedRule.ID + if err := r.Status().Update(ctx, &firewallRule); err != nil { + return ctrl.Result{}, err + } } else { log.Info(fmt.Sprintf("Firewall rule for ipv6 tcp %s to %s already exists", zoneCRDs.Items[i].Name, firewallGroup.Name)) 
@@ -400,29 +529,33 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request rulename := "k8s-fw-" + firewallRule.Name + "-" + zoneCRDs.Items[i].Name + "-" + firewallGroup.Name + "-ipv6-udp" if _, found := unifiFirewallruleNames[rulename]; !found { log.Info(fmt.Sprintf("Creating ipv6 udp firewallrule for %s to %s: %s", zoneCRDs.Items[i].Name, firewallGroup.Name, rulename)) - firewallRule := fillDefaultRule() - firewallRule.Name = rulename - firewallRule.Source.PortMatchingType = "ANY" - firewallRule.Source.ZoneID = zoneCRDs.Items[i].Spec.ID - firewallRule.Source.MatchingTarget = "ANY" - firewallRule.Protocol = "udp" - firewallRule.IPVersion = "IPV6" - firewallRule.Description = fmt.Sprintf("Allow udp IPV6 from %s to %s", zoneCRDs.Items[i].Name, firewallGroup.Name) - firewallRule.Destination.MatchingTargetType = "OBJECT" - firewallRule.Destination.IPGroupID = firewallGroup.Status.ResourcesManaged.IPV6Object.ID - firewallRule.Destination.MatchingTarget = "IP" - firewallRule.Destination.PortMatchingType = "OBJECT" - firewallRule.Destination.PortGroupID = firewallGroup.Status.ResourcesManaged.UDPPortsObject.ID - firewallRule.Destination.ZoneID = kubernetesZoneID + unifiFirewallRule := fillDefaultRule() + unifiFirewallRule.Name = rulename + unifiFirewallRule.Source.PortMatchingType = "ANY" + unifiFirewallRule.Source.ZoneID = zoneCRDs.Items[i].Spec.ID + unifiFirewallRule.Source.MatchingTarget = "ANY" + unifiFirewallRule.Protocol = "udp" + unifiFirewallRule.IPVersion = "IPV6" + unifiFirewallRule.Description = fmt.Sprintf("Allow udp IPV6 from %s to %s", zoneCRDs.Items[i].Name, firewallGroup.Name) + unifiFirewallRule.Destination.MatchingTargetType = "OBJECT" + unifiFirewallRule.Destination.IPGroupID = firewallGroup.Status.ResourcesManaged.IPV6Object.ID + unifiFirewallRule.Destination.MatchingTarget = "IP" + unifiFirewallRule.Destination.PortMatchingType = "OBJECT" + unifiFirewallRule.Destination.PortGroupID = 
firewallGroup.Status.ResourcesManaged.UDPPortsObject.ID + unifiFirewallRule.Destination.ZoneID = kubernetesZoneID - log.Info(fmt.Sprintf("Trying to create firewall rule from zone %s to %s: %+v", zoneCRDs.Items[i].Name, firewallGroup.Name, firewallRule)) - pretty, _ := json.MarshalIndent(firewallRule, "", " ") + log.Info(fmt.Sprintf("Trying to create firewall rule from zone %s to %s: %+v", zoneCRDs.Items[i].Name, firewallGroup.Name, unifiFirewallRule)) + pretty, _ := json.MarshalIndent(unifiFirewallRule, "", " ") log.Info(string(pretty)) - _, err := r.UnifiClient.Client.CreateFirewallPolicy(context.Background(), r.UnifiClient.SiteID, &firewallRule) + updatedRule, err := r.UnifiClient.Client.CreateFirewallPolicy(context.Background(), r.UnifiClient.SiteID, &unifiFirewallRule) if err != nil { log.Error(err, "Could not create firewall policy") return ctrl.Result{}, err } + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].UdpIpv6ID = updatedRule.ID + if err := r.Status().Update(ctx, &firewallRule); err != nil { + return ctrl.Result{}, err + } } else { log.Info(fmt.Sprintf("Firewall rule for ipv6 udp %s to %s already exists", zoneCRDs.Items[i].Name, firewallGroup.Name)) @@ -440,36 +573,54 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request if i, found := networkCRDNames[namespace+"/"+networkEntry.Name]; found { log.Info(fmt.Sprintf("Creating firewallrules for %s", networkCRDs.Items[i].Name)) for _, firewallGroup := range myFirewallGroups { + i, found := firewallruleindex["network:"+networkCRDs.Items[i].Name+"/"+firewallGroup.Name] + if !found { + firewallRuleEntry := unifiv1beta1.UnifiFirewallRuleEntry{ + 
From: "zone:" + networkCRDs.Items[i].Name, + To: firewallGroup.Name, + TcpIpv4ID: "", + UdpIpv4ID: "", + TcpIpv6ID: "", + UdpIpv6ID: "", + } + firewallRule.Status.ResourcesManaged.UnifiFirewallRules = append(firewallRule.Status.ResourcesManaged.UnifiFirewallRules, firewallRuleEntry) + i = nextIndex + nextIndex = nextIndex + 1 + } if len(firewallGroup.Status.ResolvedIPV4Addresses) > 0 { if len(firewallGroup.Status.ResolvedTCPPorts) > 0 { rulename := "k8s-fw-" + firewallRule.Name + "-" + networkCRDs.Items[i].Name + "-" + firewallGroup.Name + "-ipv4-tcp" if _, found := unifiFirewallruleNames[rulename]; !found { log.Info(fmt.Sprintf("Creating ipv4 tcp firewallrule for %s to %s: %s", networkCRDs.Items[i].Name, firewallGroup.Name, rulename)) - firewallRule := fillDefaultRule() - firewallRule.Name = rulename - firewallRule.Source.NetworkIDs = []string{networkCRDs.Items[i].Spec.ID} - firewallRule.Source.PortMatchingType = "ANY" - firewallRule.Source.ZoneID = networkCRDs.Items[i].Status.FirewallZoneID - firewallRule.Source.MatchingTarget = "NETWORK" - firewallRule.Protocol = "tcp" - firewallRule.IPVersion = "IPV4" - firewallRule.Description = fmt.Sprintf("Allow tcp IPV4 from %s to %s", networkCRDs.Items[i].Name, firewallGroup.Name) - firewallRule.Destination.MatchingTargetType = "OBJECT" - firewallRule.Destination.IPGroupID = firewallGroup.Status.ResourcesManaged.IPV4Object.ID - firewallRule.Destination.MatchingTarget = "IP" - firewallRule.Destination.PortMatchingType = "OBJECT" - firewallRule.Destination.PortGroupID = firewallGroup.Status.ResourcesManaged.TCPPortsObject.ID - firewallRule.Destination.ZoneID = kubernetesZoneID + unifiFirewallRule := fillDefaultRule() + unifiFirewallRule.Name = rulename + unifiFirewallRule.Source.NetworkIDs = []string{networkCRDs.Items[i].Spec.ID} + unifiFirewallRule.Source.PortMatchingType = "ANY" + unifiFirewallRule.Source.ZoneID = networkCRDs.Items[i].Status.FirewallZoneID + unifiFirewallRule.Source.MatchingTarget = "NETWORK" + 
unifiFirewallRule.Protocol = "tcp" + unifiFirewallRule.IPVersion = "IPV4" + unifiFirewallRule.Description = fmt.Sprintf("Allow tcp IPV4 from %s to %s", networkCRDs.Items[i].Name, firewallGroup.Name) + unifiFirewallRule.Destination.MatchingTargetType = "OBJECT" + unifiFirewallRule.Destination.IPGroupID = firewallGroup.Status.ResourcesManaged.IPV4Object.ID + unifiFirewallRule.Destination.MatchingTarget = "IP" + unifiFirewallRule.Destination.PortMatchingType = "OBJECT" + unifiFirewallRule.Destination.PortGroupID = firewallGroup.Status.ResourcesManaged.TCPPortsObject.ID + unifiFirewallRule.Destination.ZoneID = kubernetesZoneID - log.Info(fmt.Sprintf("Trying to create firewall rule from network %s to %s: %+v", networkCRDs.Items[i].Name, firewallGroup.Name, firewallRule)) - pretty, _ := json.MarshalIndent(firewallRule, "", " ") + log.Info(fmt.Sprintf("Trying to create firewall rule from network %s to %s: %+v", networkCRDs.Items[i].Name, firewallGroup.Name, unifiFirewallRule)) + pretty, _ := json.MarshalIndent(unifiFirewallRule, "", " ") log.Info(string(pretty)) - _, err := r.UnifiClient.Client.CreateFirewallPolicy(context.Background(), r.UnifiClient.SiteID, &firewallRule) + updatedRule, err := r.UnifiClient.Client.CreateFirewallPolicy(context.Background(), r.UnifiClient.SiteID, &unifiFirewallRule) if err != nil { log.Error(err, "Could not create firewall policy") return ctrl.Result{}, err } + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].TcpIpv4ID = updatedRule.ID + if err := r.Status().Update(ctx, &firewallRule); err != nil { + return ctrl.Result{}, err + } } else { log.Info(fmt.Sprintf("Firewall rule for ipv4 tcp %s to %s already exists", networkCRDs.Items[i].Name, firewallGroup.Name)) } 
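Review bot: The index lookup uses the key `"network:"+networkCRDs.Items[i].Name+"/"+firewallGroup.Name`, but the entry appended on a miss is stored with `From: "zone:" + networkCRDs.Items[i].Name`, and the index rebuilt in the @@ -122 hunk is keyed on `From+"/"+To`. On the next reconcile the network entry is therefore never found: a fresh empty entry is appended on every pass, and because `unifiFirewallruleNames` already lists the rule the new entry never receives an ID. Use the same prefix on both sides, `From: "network:" + networkCRDs.Items[i].Name`, which also keeps a zone and a network with the same name from sharing one entry. The `i` shadowing noted on the @@ -297 hunk applies to `networkCRDs.Items[i]` here as well.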
@@ -478,30 +629,34 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request rulename := "k8s-fw-" + firewallRule.Name + "-" + networkCRDs.Items[i].Name + "-" + firewallGroup.Name + "-ipv4-udp" if _, found := unifiFirewallruleNames[rulename]; !found { log.Info(fmt.Sprintf("Creating ipv4 udp firewallrule for %s to %s: %s", networkCRDs.Items[i].Name, firewallGroup.Name, rulename)) - firewallRule := fillDefaultRule() - firewallRule.Name = rulename - firewallRule.Source.NetworkIDs = []string{networkCRDs.Items[i].Spec.ID} - firewallRule.Source.PortMatchingType = "ANY" - firewallRule.Source.ZoneID = networkCRDs.Items[i].Status.FirewallZoneID - firewallRule.Source.MatchingTarget = "NETWORK" - firewallRule.Protocol = "udp" - firewallRule.IPVersion = "IPV4" - firewallRule.Description = fmt.Sprintf("Allow udp IPV4 from %s to %s", networkCRDs.Items[i].Name, firewallGroup.Name) - firewallRule.Destination.MatchingTargetType = "OBJECT" - firewallRule.Destination.IPGroupID = firewallGroup.Status.ResourcesManaged.IPV4Object.ID - firewallRule.Destination.MatchingTarget = "IP" - firewallRule.Destination.PortMatchingType = "OBJECT" - firewallRule.Destination.PortGroupID = firewallGroup.Status.ResourcesManaged.UDPPortsObject.ID - firewallRule.Destination.ZoneID = kubernetesZoneID + unifiFirewallRule := fillDefaultRule() + unifiFirewallRule.Name = rulename + unifiFirewallRule.Source.NetworkIDs = []string{networkCRDs.Items[i].Spec.ID} + unifiFirewallRule.Source.PortMatchingType = "ANY" + unifiFirewallRule.Source.ZoneID = networkCRDs.Items[i].Status.FirewallZoneID + unifiFirewallRule.Source.MatchingTarget = "NETWORK" + unifiFirewallRule.Protocol = "udp" + unifiFirewallRule.IPVersion = "IPV4" + unifiFirewallRule.Description = fmt.Sprintf("Allow udp IPV4 from %s to %s", networkCRDs.Items[i].Name, firewallGroup.Name) + unifiFirewallRule.Destination.MatchingTargetType = "OBJECT" + unifiFirewallRule.Destination.IPGroupID = 
firewallGroup.Status.ResourcesManaged.IPV4Object.ID + unifiFirewallRule.Destination.MatchingTarget = "IP" + unifiFirewallRule.Destination.PortMatchingType = "OBJECT" + unifiFirewallRule.Destination.PortGroupID = firewallGroup.Status.ResourcesManaged.UDPPortsObject.ID + unifiFirewallRule.Destination.ZoneID = kubernetesZoneID - log.Info(fmt.Sprintf("Trying to create firewall rule from network %s to %s: %+v", networkCRDs.Items[i].Name, firewallGroup.Name, firewallRule)) - pretty, _ := json.MarshalIndent(firewallRule, "", " ") + log.Info(fmt.Sprintf("Trying to create firewall rule from network %s to %s: %+v", networkCRDs.Items[i].Name, firewallGroup.Name, unifiFirewallRule)) + pretty, _ := json.MarshalIndent(unifiFirewallRule, "", " ") log.Info(string(pretty)) - _, err := r.UnifiClient.Client.CreateFirewallPolicy(context.Background(), r.UnifiClient.SiteID, &firewallRule) + updatedRule, err := r.UnifiClient.Client.CreateFirewallPolicy(context.Background(), r.UnifiClient.SiteID, &unifiFirewallRule) if err != nil { log.Error(err, "Could not create firewall policy") return ctrl.Result{}, err } + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].UdpIpv4ID = updatedRule.ID + if err := r.Status().Update(ctx, &firewallRule); err != nil { + return ctrl.Result{}, err + } } else { log.Info(fmt.Sprintf("Firewall rule for ipv4 udp %s to %s already exists", networkCRDs.Items[i].Name, firewallGroup.Name)) 
@@ -513,30 +668,34 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request rulename := "k8s-fw-" + firewallRule.Name + "-" + networkCRDs.Items[i].Name + "-" + firewallGroup.Name + "-ipv6-tcp" if _, found := unifiFirewallruleNames[rulename]; !found { log.Info(fmt.Sprintf("Creating ipv6 tcp firewallrule for %s to %s: %s", networkCRDs.Items[i].Name, firewallGroup.Name, rulename)) - firewallRule := fillDefaultRule() - firewallRule.Name = rulename - firewallRule.Source.NetworkIDs = []string{networkCRDs.Items[i].Spec.ID} - firewallRule.Source.PortMatchingType = "ANY" - firewallRule.Source.ZoneID = networkCRDs.Items[i].Status.FirewallZoneID - firewallRule.Source.MatchingTarget = "NETWORK" - firewallRule.Protocol = "tcp" - firewallRule.IPVersion = "IPV6" - firewallRule.Description = fmt.Sprintf("Allow tcp IPV6 from %s to %s", networkCRDs.Items[i].Name, firewallGroup.Name) - firewallRule.Destination.MatchingTargetType = "OBJECT" - firewallRule.Destination.IPGroupID = firewallGroup.Status.ResourcesManaged.IPV6Object.ID - firewallRule.Destination.MatchingTarget = "IP" - firewallRule.Destination.PortMatchingType = "OBJECT" - firewallRule.Destination.PortGroupID = firewallGroup.Status.ResourcesManaged.TCPPortsObject.ID - firewallRule.Destination.ZoneID = kubernetesZoneID + unifiFirewallRule := fillDefaultRule() + unifiFirewallRule.Name = rulename + unifiFirewallRule.Source.NetworkIDs = []string{networkCRDs.Items[i].Spec.ID} + unifiFirewallRule.Source.PortMatchingType = "ANY" + unifiFirewallRule.Source.ZoneID = networkCRDs.Items[i].Status.FirewallZoneID + unifiFirewallRule.Source.MatchingTarget = "NETWORK" + unifiFirewallRule.Protocol = "tcp" + unifiFirewallRule.IPVersion = "IPV6" + unifiFirewallRule.Description = fmt.Sprintf("Allow tcp IPV6 from %s to %s", networkCRDs.Items[i].Name, firewallGroup.Name) + unifiFirewallRule.Destination.MatchingTargetType = "OBJECT" + unifiFirewallRule.Destination.IPGroupID = 
firewallGroup.Status.ResourcesManaged.IPV6Object.ID + unifiFirewallRule.Destination.MatchingTarget = "IP" + unifiFirewallRule.Destination.PortMatchingType = "OBJECT" + unifiFirewallRule.Destination.PortGroupID = firewallGroup.Status.ResourcesManaged.TCPPortsObject.ID + unifiFirewallRule.Destination.ZoneID = kubernetesZoneID - log.Info(fmt.Sprintf("Trying to create firewall rule from network %s to %s: %+v", networkCRDs.Items[i].Name, firewallGroup.Name, firewallRule)) - pretty, _ := json.MarshalIndent(firewallRule, "", " ") + log.Info(fmt.Sprintf("Trying to create firewall rule from network %s to %s: %+v", networkCRDs.Items[i].Name, firewallGroup.Name, unifiFirewallRule)) + pretty, _ := json.MarshalIndent(unifiFirewallRule, "", " ") log.Info(string(pretty)) - _, err := r.UnifiClient.Client.CreateFirewallPolicy(context.Background(), r.UnifiClient.SiteID, &firewallRule) + updatedRule, err := r.UnifiClient.Client.CreateFirewallPolicy(context.Background(), r.UnifiClient.SiteID, &unifiFirewallRule) if err != nil { log.Error(err, "Could not create firewall policy") return ctrl.Result{}, err } + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].TcpIpv6ID = updatedRule.ID + if err := r.Status().Update(ctx, &firewallRule); err != nil { + return ctrl.Result{}, err + } } else { log.Info(fmt.Sprintf("Firewall rule for ipv6 tcp %s to %s already exists", networkCRDs.Items[i].Name, firewallGroup.Name)) 
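Review bot: The full policy object is logged twice at Info level in this hunk, once via `%+v` and again as the indented JSON from `json.MarshalIndent`, whose error is discarded with `_`. One structured, debug-level line carries the same information without the duplication or the ignored error, e.g. `log.V(1).Info("Creating firewall policy", "name", rulename, "policy", unifiFirewallRule)`, leaving the existing `log.Info(fmt.Sprintf("Creating ipv6 tcp firewallrule for ..."))` as the operator-facing message. Reconcile starts and ends outside this hunk.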
@@ -546,30 +705,34 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request rulename := "k8s-fw-" + firewallRule.Name + "-" + networkCRDs.Items[i].Name + "-" + firewallGroup.Name + "-ipv6-udp" if _, found := unifiFirewallruleNames[rulename]; !found { log.Info(fmt.Sprintf("Creating ipv6 udp firewallrule for %s to %s: %s", networkCRDs.Items[i].Name, firewallGroup.Name, rulename)) - firewallRule := fillDefaultRule() - firewallRule.Name = rulename - firewallRule.Source.NetworkIDs = []string{networkCRDs.Items[i].Spec.ID} - firewallRule.Source.PortMatchingType = "ANY" - firewallRule.Source.ZoneID = networkCRDs.Items[i].Status.FirewallZoneID - firewallRule.Source.MatchingTarget = "NETWORK" - firewallRule.Protocol = "udp" - firewallRule.IPVersion = "IPV6" - firewallRule.Description = fmt.Sprintf("Allow udp IPV6 from %s to %s", networkCRDs.Items[i].Name, firewallGroup.Name) - firewallRule.Destination.MatchingTargetType = "OBJECT" - firewallRule.Destination.IPGroupID = firewallGroup.Status.ResourcesManaged.IPV6Object.ID - firewallRule.Destination.MatchingTarget = "IP" - firewallRule.Destination.PortMatchingType = "OBJECT" - firewallRule.Destination.PortGroupID = firewallGroup.Status.ResourcesManaged.UDPPortsObject.ID - firewallRule.Destination.ZoneID = kubernetesZoneID + unifiFirewallRule := fillDefaultRule() + unifiFirewallRule.Name = rulename + unifiFirewallRule.Source.NetworkIDs = []string{networkCRDs.Items[i].Spec.ID} + unifiFirewallRule.Source.PortMatchingType = "ANY" + unifiFirewallRule.Source.ZoneID = networkCRDs.Items[i].Status.FirewallZoneID + unifiFirewallRule.Source.MatchingTarget = "NETWORK" + unifiFirewallRule.Protocol = "udp" + unifiFirewallRule.IPVersion = "IPV6" + unifiFirewallRule.Description = fmt.Sprintf("Allow udp IPV6 from %s to %s", networkCRDs.Items[i].Name, firewallGroup.Name) + unifiFirewallRule.Destination.MatchingTargetType = "OBJECT" + unifiFirewallRule.Destination.IPGroupID = 
firewallGroup.Status.ResourcesManaged.IPV6Object.ID + unifiFirewallRule.Destination.MatchingTarget = "IP" + unifiFirewallRule.Destination.PortMatchingType = "OBJECT" + unifiFirewallRule.Destination.PortGroupID = firewallGroup.Status.ResourcesManaged.UDPPortsObject.ID + unifiFirewallRule.Destination.ZoneID = kubernetesZoneID - log.Info(fmt.Sprintf("Trying to create firewall rule from network %s to %s: %+v", networkCRDs.Items[i].Name, firewallGroup.Name, firewallRule)) - pretty, _ := json.MarshalIndent(firewallRule, "", " ") + log.Info(fmt.Sprintf("Trying to create firewall rule from network %s to %s: %+v", networkCRDs.Items[i].Name, firewallGroup.Name, unifiFirewallRule)) + pretty, _ := json.MarshalIndent(unifiFirewallRule, "", " ") log.Info(string(pretty)) - _, err := r.UnifiClient.Client.CreateFirewallPolicy(context.Background(), r.UnifiClient.SiteID, &firewallRule) + updatedRule, err := r.UnifiClient.Client.CreateFirewallPolicy(context.Background(), r.UnifiClient.SiteID, &unifiFirewallRule) if err != nil { log.Error(err, "Could not create firewall policy") return ctrl.Result{}, err } + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].UdpIpv6ID = updatedRule.ID + if err := r.Status().Update(ctx, &firewallRule); err != nil { + return ctrl.Result{}, err + } } else { log.Info(fmt.Sprintf("Firewall rule for ipv6 udp %s to %s already exists", networkCRDs.Items[i].Name, firewallGroup.Name)) From 52afa7365df8681d732619d64fc567f45eccf956 Mon Sep 17 00:00:00 2001 From: Vegard Engen Date: Sun, 20 Apr 2025 13:06:26 +0200 Subject: [PATCH 3/3] Fix reconciler logic. --- .../controller/firewallrule_controller.go | 38 ++++++++++--------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/internal/controller/firewallrule_controller.go b/internal/controller/firewallrule_controller.go index a132a9b..7b4c27c 100644 --- a/internal/controller/firewallrule_controller.go +++ b/internal/controller/firewallrule_controller.go 
@@ -22,6 +22,7 @@ import ( // "strings" "encoding/json" "time" + "strings" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime" @@ -128,10 +129,10 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request if len(firewallRule.Status.ResourcesManaged.UnifiFirewallRules) > 0 { for i, UnifiFirewallRule := range firewallRule.Status.ResourcesManaged.UnifiFirewallRules { + log.Info(fmt.Sprintf("From: %s to: %s TcpIpv4: %s UdpIpv4: %s TcpIpv6: %s UdpIpv6: %s", UnifiFirewallRule.From, UnifiFirewallRule.To, UnifiFirewallRule.TcpIpv4ID, UnifiFirewallRule.UdpIpv4ID, UnifiFirewallRule.TcpIpv6ID, UnifiFirewallRule.UdpIpv6ID)) if len(UnifiFirewallRule.TcpIpv4ID) > 0 { err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallRule.TcpIpv4ID) - if err != nil { - return ctrl.Result{RequeueAfter: 10 * time.Minute}, err + if err != nil && !strings.Contains(err.Error(), "not found") { } else { firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].TcpIpv4ID = "" if err := r.Status().Update(ctx, &firewallRule); err != nil { @@ -141,7 +142,7 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request } if len(UnifiFirewallRule.UdpIpv4ID) > 0 { err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallRule.UdpIpv4ID) - if err != nil { + if err != nil && !strings.Contains(err.Error(), "not found") { return ctrl.Result{RequeueAfter: 10 * time.Minute}, err } else { firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].UdpIpv4ID = "" 
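Review bot: The TCP/IPv4 cleanup branch now has an empty body on a real error: `if err != nil && !strings.Contains(err.Error(), "not found") { } else {` swallows any `DeleteFirewallPolicy` failure other than not-found, neither clearing `TcpIpv4ID` nor requeueing, so the reconcile continues (presumably toward finalizer removal, which is outside this hunk) while the allow rule is still present in UniFi. The sibling udp/ipv4, tcp/ipv6 and udp/ipv6 branches keep `return ctrl.Result{RequeueAfter: 10 * time.Minute}, err` inside the `if`; this branch should too. Matching `"not found"` in the error text is also fragile across client versions; if the UniFi client exposes a typed or sentinel not-found error, `errors.Is`/`errors.As` would be safer than `strings.Contains`. Reconcile starts and ends outside this hunk.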
@@ -152,7 +153,7 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request } if len(UnifiFirewallRule.TcpIpv6ID) > 0 { err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallRule.TcpIpv6ID) - if err != nil { + if err != nil && !strings.Contains(err.Error(), "not found") { return ctrl.Result{RequeueAfter: 10 * time.Minute}, err } else { firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].TcpIpv6ID = "" @@ -163,7 +164,7 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request } if len(UnifiFirewallRule.UdpIpv6ID) > 0 { err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallRule.UdpIpv6ID) - if err != nil { + if err != nil && !strings.Contains(err.Error(), "not found") { return ctrl.Result{RequeueAfter: 10 * time.Minute}, err } else { firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].UdpIpv6ID = "" @@ -179,7 +180,7 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request for i, firewallGroup := range firewallRule.Status.ResourcesManaged.FirewallGroups { var firewallGroupCRD unifiv1beta1.FirewallGroup if firewallGroup.Name != "" { - if err := r.Get(ctx, types.NamespacedName{Name: firewallGroup.Name, Namespace: firewallGroupCRD.Namespace}, &firewallGroupCRD); err != nil { + if err := r.Get(ctx, types.NamespacedName{Name: firewallGroup.Name, Namespace: firewallGroup.Namespace}, &firewallGroupCRD); err != nil { return ctrl.Result{RequeueAfter: 10 * time.Minute}, err } if err := r.Delete(ctx, &firewallGroupCRD); err != nil { 
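Review bot: In the FirewallGroup cleanup loop, a NotFound from `r.Get` (the group CRD already gone, e.g. after a partially completed earlier cleanup) is returned as an error and requeued every 10 minutes, so the owning FirewallRule can never finish deleting. A NotFound should be treated as already cleaned up: add `if apierrors.IsNotFound(err) { continue }` before the `return` (importing `apierrors "k8s.io/apimachinery/pkg/api/errors"` if the file does not already have it), or wrap with `client.IgnoreNotFound(err)` from controller-runtime and skip the `r.Delete`. The namespace fix itself looks right, since `firewallGroupCRD` is zero-valued at that point. Reconcile starts and ends outside this hunk.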
@@ -400,7 +401,8 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request if i, found := zoneCRDNames[namespace+"/"+zoneEntry.Name]; found { log.Info(fmt.Sprintf("Creating firewallrules for %s", zoneCRDs.Items[i].Name)) for _, firewallGroup := range myFirewallGroups { - i, found := firewallruleindex["zone:"+zoneCRDs.Items[i].Name+"/"+firewallGroup.Name] + found := false + index, found := firewallruleindex["zone:"+zoneCRDs.Items[i].Name+"/"+firewallGroup.Name] if !found { firewallRuleEntry := unifiv1beta1.UnifiFirewallRuleEntry{ From: "zone:" + zoneCRDs.Items[i].Name, @@ -411,7 +413,7 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request UdpIpv6ID: "", } firewallRule.Status.ResourcesManaged.UnifiFirewallRules = append(firewallRule.Status.ResourcesManaged.UnifiFirewallRules, firewallRuleEntry) - i = nextIndex + index = nextIndex nextIndex = nextIndex + 1 } @@ -443,7 +445,7 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request log.Error(err, "Could not create firewall policy") return ctrl.Result{}, err } - firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].TcpIpv4ID = updatedRule.ID + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[index].TcpIpv4ID = updatedRule.ID if err = r.Status().Update(ctx, &firewallRule); err != nil { return ctrl.Result{}, err } @@ -478,7 +480,7 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request log.Error(err, "Could not create firewall policy") return ctrl.Result{}, err } - firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].UdpIpv4ID = updatedRule.ID + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[index].UdpIpv4ID = updatedRule.ID if err := r.Status().Update(ctx, &firewallRule); err != nil { return ctrl.Result{}, err } 
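Review bot: `found := false` is dead: the very next line `index, found := firewallruleindex[...]` declares `index` and assigns `found` in the same statement, so the preceding declaration never contributes a value. Dropping it keeps the loop minimal and avoids a reader wondering whether the two `found`s differ; the outer `i, found` from the `zoneCRDNames` lookup is still shadowed inside the loop, which is harmless now that `i` is no longer reassigned. Reconcile starts and ends outside this hunk.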
@@ -516,7 +518,7 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request log.Error(err, "Could not create firewall policy") return ctrl.Result{}, err } - firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].TcpIpv6ID = updatedRule.ID + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[index].TcpIpv6ID = updatedRule.ID if err := r.Status().Update(ctx, &firewallRule); err != nil { return ctrl.Result{}, err } @@ -552,7 +554,7 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request log.Error(err, "Could not create firewall policy") return ctrl.Result{}, err } - firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].UdpIpv6ID = updatedRule.ID + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[index].UdpIpv6ID = updatedRule.ID if err := r.Status().Update(ctx, &firewallRule); err != nil { return ctrl.Result{}, err } @@ -573,7 +575,7 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request if i, found := networkCRDNames[namespace+"/"+networkEntry.Name]; found { log.Info(fmt.Sprintf("Creating firewallrules for %s", networkCRDs.Items[i].Name)) for _, firewallGroup := range myFirewallGroups { - i, found := firewallruleindex["network:"+networkCRDs.Items[i].Name+"/"+firewallGroup.Name] + index, found := firewallruleindex["network:"+networkCRDs.Items[i].Name+"/"+firewallGroup.Name] if !found { firewallRuleEntry := unifiv1beta1.UnifiFirewallRuleEntry{ From: "zone:" + networkCRDs.Items[i].Name, @@ -584,7 +586,7 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request UdpIpv6ID: "", } firewallRule.Status.ResourcesManaged.UnifiFirewallRules = append(firewallRule.Status.ResourcesManaged.UnifiFirewallRules, firewallRuleEntry) - i = nextIndex + index = nextIndex nextIndex = nextIndex + 1 } if len(firewallGroup.Status.ResolvedIPV4Addresses) > 0 { 
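Review bot: In the network loop the new status entry is recorded as `From: "zone:" + networkCRDs.Items[i].Name,` while the index key on the line just above is `"network:"+networkCRDs.Items[i].Name+"/"+firewallGroup.Name`; this looks copy-pasted from the zone loop, so a network-sourced rule is labelled as a zone in Status. If `firewallruleindex` is built from these Status entries (its construction is outside this hunk), the mismatch also means the lookup never finds the entry and a fresh one is appended on every reconcile. The line should read `From: "network:" + networkCRDs.Items[i].Name,`. Reconcile starts and ends outside this hunk.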
@@ -617,7 +619,7 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request return ctrl.Result{}, err } - firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].TcpIpv4ID = updatedRule.ID + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[index].TcpIpv4ID = updatedRule.ID if err := r.Status().Update(ctx, &firewallRule); err != nil { return ctrl.Result{}, err } @@ -653,7 +655,7 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request log.Error(err, "Could not create firewall policy") return ctrl.Result{}, err } - firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].UdpIpv4ID = updatedRule.ID + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[index].UdpIpv4ID = updatedRule.ID if err := r.Status().Update(ctx, &firewallRule); err != nil { return ctrl.Result{}, err } @@ -692,7 +694,7 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request log.Error(err, "Could not create firewall policy") return ctrl.Result{}, err } - firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].TcpIpv6ID = updatedRule.ID + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[index].TcpIpv6ID = updatedRule.ID if err := r.Status().Update(ctx, &firewallRule); err != nil { return ctrl.Result{}, err } @@ -729,7 +731,7 @@ func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request log.Error(err, "Could not create firewall policy") return ctrl.Result{}, err } - firewallRule.Status.ResourcesManaged.UnifiFirewallRules[i].UdpIpv6ID = updatedRule.ID + firewallRule.Status.ResourcesManaged.UnifiFirewallRules[index].UdpIpv6ID = updatedRule.ID if err := r.Status().Update(ctx, &firewallRule); err != nil { return ctrl.Result{}, err }