klauvsteinen/unifi-network-operator
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Tracking only Firewall Zone API done

Browse Source
This commit is contained in:
Vegard Engen
2025-04-14 10:38:29 +02:00
parent 4af8b3f78c
commit c681a0c987
29 changed files with 3106 additions and 209 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
internal/controller/firewallgroup_controller.go
View File

@@ -23,17 +23,16 @@ import (
"reflect"
"strings"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/log"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/reconcile"
"sigs.k8s.io/controller-runtime/pkg/handler"
// "sigs.k8s.io/controller-runtime/pkg/source"
"sigs.k8s.io/controller-runtime/pkg/log"
"sigs.k8s.io/controller-runtime/pkg/reconcile"
// "sigs.k8s.io/controller-runtime/pkg/source"
goUnifi "github.com/vegardengen/go-unifi/unifi"
unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
@@ -112,7 +111,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
return reconcile.Result{}, err
}
}
for _, service := range services.Items {
for _, service := range services.Items {
if val, found := service.Annotations["unifi.engen.priv.no/firewall-group"]; found && val == nwObj.Name && service.Status.LoadBalancer.Ingress != nil {
for _, ingress := range service.Status.LoadBalancer.Ingress {
if ingress.IP != "" {
@@ -120,7 +119,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
if isIPv6(ip) {
ipv6 = append(ipv6, ip)
} else {
ipv4= append(ipv4, ip)
ipv4 = append(ipv4, ip)
}
}
}
@@ -129,7 +128,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
nwObj.Status.ResolvedAddresses = ipv4
nwObj.Status.ResolvedAddresses = append(nwObj.Status.ResolvedAddresses, ipv6...)
currentTime := metav1.Now()
nwObj.Status.LastSyncTime = &currentTime;
nwObj.Status.LastSyncTime = &currentTime
nwObj.Status.SyncedWithUnifi = true
err := r.UnifiClient.Reauthenticate()
@@ -265,7 +264,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
return reconcile.Result{}, err
}
}
if err := r.Status().Update(ctx, &nwObj); err != nil {
if err := r.Status().Update(ctx, &nwObj); err != nil {
log.Error(err, "unable to update FirewallGroup status")
return reconcile.Result{}, err
}
@@ -278,43 +277,44 @@ func isIPv6(ip string) bool {
return strings.Contains(ip, ":")
}
func (r *FirewallGroupReconciler) mapServiceToFirewallGroups(ctx context.Context, obj client.Object) []reconcile.Request {
var requests []reconcile.Request
service, ok := obj.(*corev1.Service)
if !ok {
return requests
}
var requests []reconcile.Request
service, ok := obj.(*corev1.Service)
if !ok {
return requests
}
var allFirewallGroups unifiv1beta1.FirewallGroupList
var allFirewallGroups unifiv1beta1.FirewallGroupList
if err := r.List(ctx, &allFirewallGroups); err != nil {
return nil
}
if err := r.List(ctx, &allFirewallGroups); err != nil {
return nil
}
for _, fwg := range allFirewallGroups.Items {
if fwg.Spec.MatchServicesInAllNamespaces || fwg.Namespace == service.Namespace {
annotationKey := "unifi.engen.priv.no/firewall-group"
annotationVal := fwg.Name
if val, ok := service.Annotations[annotationKey]; ok && (annotationVal == "" || val == annotationVal) {
requests = append(requests, ctrl.Request{
NamespacedName: types.NamespacedName{
Name: fwg.Name,
Namespace: fwg.Namespace,
},
})
}
}
}
for _, fwg := range allFirewallGroups.Items {
if fwg.Spec.MatchServicesInAllNamespaces || fwg.Namespace == service.Namespace {
annotationKey := "unifi.engen.priv.no/firewall-group"
annotationVal := fwg.Name
if val, ok := service.Annotations[annotationKey]; ok && (annotationVal == "" || val == annotationVal) {
requests = append(requests, ctrl.Request{
NamespacedName: types.NamespacedName{
Name: fwg.Name,
Namespace: fwg.Namespace,
},
})
}
}
}
return requests
return requests
}
// SetupWithManager sets up the controller with the Manager.
func (r *FirewallGroupReconciler) SetupWithManager(mgr ctrl.Manager) error {
return ctrl.NewControllerManagedBy(mgr).
For(&unifiv1beta1.FirewallGroup{}).
Named("firewallgroup").
Watches(
&corev1.Service{},
handler.EnqueueRequestsFromMapFunc(r.mapServiceToFirewallGroups),
).
Complete(r)
return ctrl.NewControllerManagedBy(mgr).
For(&unifiv1beta1.FirewallGroup{}).
Named("firewallgroup").
Watches(
&corev1.Service{},
handler.EnqueueRequestsFromMapFunc(r.mapServiceToFirewallGroups),
).
Complete(r)
}

63
internal/controller/firewallrule_controller.go Normal file
View File

@@ -0,0 +1,63 @@
/*
Copyright 2025 Vegard Engen.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package controller
import (
"context"
"k8s.io/apimachinery/pkg/runtime"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/log"
unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
)
// FirewallRuleReconciler reconciles a FirewallRule object
type FirewallRuleReconciler struct {
client.Client
Scheme *runtime.Scheme
}
// +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallrules,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallrules/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallrules/finalizers,verbs=update
// Reconcile is part of the main kubernetes reconciliation loop which aims to
// move the current state of the cluster closer to the desired state.
// TODO(user): Modify the Reconcile function to compare the state specified by
// the FirewallRule object against the actual cluster state, and then
// perform operations to make the cluster state reflect the state specified by
// the user.
//
// For more details, check Reconcile and its Result here:
// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.20.2/pkg/reconcile
func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
_ = log.FromContext(ctx)
// TODO(user): your logic here
return ctrl.Result{}, nil
}
// SetupWithManager sets up the controller with the Manager.
func (r *FirewallRuleReconciler) SetupWithManager(mgr ctrl.Manager) error {
return ctrl.NewControllerManagedBy(mgr).
For(&unifiv1beta1.FirewallRule{}).
Named("firewallrule").
Complete(r)
}

84
internal/controller/firewallrule_controller_test.go Normal file
View File

@@ -0,0 +1,84 @@
/*
Copyright 2025 Vegard Engen.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package controller
import (
"context"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/controller-runtime/pkg/reconcile"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
)
var _ = Describe("FirewallRule Controller", func() {
Context("When reconciling a resource", func() {
const resourceName = "test-resource"
ctx := context.Background()
typeNamespacedName := types.NamespacedName{
Name: resourceName,
Namespace: "default", // TODO(user):Modify as needed
}
firewallrule := &unifiv1beta1.FirewallRule{}
BeforeEach(func() {
By("creating the custom resource for the Kind FirewallRule")
err := k8sClient.Get(ctx, typeNamespacedName, firewallrule)
if err != nil && errors.IsNotFound(err) {
resource := &unifiv1beta1.FirewallRule{
ObjectMeta: metav1.ObjectMeta{
Name: resourceName,
Namespace: "default",
},
// TODO(user): Specify other spec details if needed.
}
Expect(k8sClient.Create(ctx, resource)).To(Succeed())
}
})
AfterEach(func() {
// TODO(user): Cleanup logic after each test, like removing the resource instance.
resource := &unifiv1beta1.FirewallRule{}
err := k8sClient.Get(ctx, typeNamespacedName, resource)
Expect(err).NotTo(HaveOccurred())
By("Cleanup the specific resource instance FirewallRule")
Expect(k8sClient.Delete(ctx, resource)).To(Succeed())
})
It("should successfully reconcile the resource", func() {
By("Reconciling the created resource")
controllerReconciler := &FirewallRuleReconciler{
Client: k8sClient,
Scheme: k8sClient.Scheme(),
}
_, err := controllerReconciler.Reconcile(ctx, reconcile.Request{
NamespacedName: typeNamespacedName,
})
Expect(err).NotTo(HaveOccurred())
// TODO(user): Add more specific assertions depending on your controller's reconciliation logic.
// Example: If you expect a certain status condition after reconciliation, verify it here.
})
})
})

156
internal/controller/firewallzone_controller.go Normal file
View File

@@ -0,0 +1,156 @@
/*
Copyright 2025 Vegard Engen.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package controller
import (
"context"
"fmt"
"strings"
"regexp"
"time"
"k8s.io/apimachinery/pkg/runtime"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/log"
unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
"github.com/vegardengen/unifi-network-operator/internal/unifi"
)
// FirewallZoneReconciler reconciles a FirewallZone object
type FirewallZoneReconciler struct {
client.Client
Scheme *runtime.Scheme
UnifiClient *unifi.UnifiClient
}
func toKubeName(input string) string {
// Lowercase the input
name := strings.ToLower(input)
// Replace any non-alphanumeric characters with dashes
re := regexp.MustCompile(`[^a-z0-9\-\.]+`)
name = re.ReplaceAllString(name, "-")
// Trim leading and trailing non-alphanumerics
name = strings.Trim(name, "-.")
// Ensure it's not empty and doesn't exceed 253 characters
if len(name) == 0 {
name = "default"
} else if len(name) > 253 {
name = name[:253]
}
return name
}
// +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallzones,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallzones/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallzones/finalizers,verbs=update
// Reconcile is part of the main kubernetes reconciliation loop which aims to
// move the current state of the cluster closer to the desired state.
// TODO(user): Modify the Reconcile function to compare the state specified by
// the FirewallZone object against the actual cluster state, and then
// perform operations to make the cluster state reflect the state specified by
// the user.
//
// For more details, check Reconcile and its Result here:
// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.20.2/pkg/reconcile
func (r *FirewallZoneReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
log := log.FromContext(ctx)
var fwzCRDs unifiv1beta1.FirewallZoneList
_ = r.List(ctx, &fwzCRDs)
firewall_zones, err := r.UnifiClient.Client.ListFirewallZones(context.Background(), r.UnifiClient.SiteID)
if err != nil {
log.Error(err, "Could not list firewall zones")
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
}
log.Info(fmt.Sprintf("Number of resources: %d Number of zones in Unifi: %d", len(fwzCRDs.Items), len(firewall_zones)))
firewallZoneNamesUnifi := make(map[string]struct{})
for _, zone := range firewall_zones {
firewallZoneNamesUnifi[zone.Name] = struct{}{}
}
// Step 2: Collect zones in fwzCRDs that are NOT in firewall_zones
for _, zone := range fwzCRDs.Items {
if _, found := firewallZoneNamesUnifi[zone.Spec.Name]; !found {
err := r.Delete(ctx, &zone)
if err != nil {
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
}
}
}
firewallZoneNamesCRDs := make(map[string]struct{})
for _, zoneCRD := range fwzCRDs.Items {
firewallZoneNamesCRDs[zoneCRD.Spec.Name] = struct{}{}
}
for _, unifizone := range firewall_zones {
log.Info(fmt.Sprintf("%+v\n", unifizone))
if _, found := firewallZoneNamesCRDs[unifizone.Name]; !found {
zoneCRD := &unifiv1beta1.FirewallZone {
ObjectMeta : ctrl.ObjectMeta {
Name: toKubeName(unifizone.Name),
Namespace: "default",
},
Spec: unifiv1beta1.FirewallZoneSpec {
Name : unifizone.Name,
ID : unifizone.ID,
DefaultZone: unifizone.DefaultZone,
ZoneKey : unifizone.ZoneKey,
NetworkIDs : unifizone.NetworkIDs,
},
}
err := r.Create(ctx, zoneCRD)
if err != nil {
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
}
} else {
for _, zoneCRD := range fwzCRDs.Items {
if zoneCRD.Spec.Name == unifizone.Name {
zoneCRD.Spec = unifiv1beta1.FirewallZoneSpec {
Name : unifizone.Name,
ID : unifizone.ID,
DefaultZone: unifizone.DefaultZone,
ZoneKey : unifizone.ZoneKey,
NetworkIDs : unifizone.NetworkIDs,
}
err := r.Update(ctx, &zoneCRD)
if err != nil {
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
}
}
}
}
}
return ctrl.Result{RequeueAfter: 10 * time.Minute}, nil
}
// SetupWithManager sets up the controller with the Manager.
func (r *FirewallZoneReconciler) SetupWithManager(mgr ctrl.Manager) error {
return ctrl.NewControllerManagedBy(mgr).
For(&unifiv1beta1.FirewallZone{}).
Named("firewallzone").
Complete(r)
}

84
internal/controller/firewallzone_controller_test.go Normal file
View File

@@ -0,0 +1,84 @@
/*
Copyright 2025 Vegard Engen.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package controller
import (
"context"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/controller-runtime/pkg/reconcile"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
)
var _ = Describe("FirewallZone Controller", func() {
Context("When reconciling a resource", func() {
const resourceName = "test-resource"
ctx := context.Background()
typeNamespacedName := types.NamespacedName{
Name: resourceName,
Namespace: "default", // TODO(user):Modify as needed
}
firewallzone := &unifiv1beta1.FirewallZone{}
BeforeEach(func() {
By("creating the custom resource for the Kind FirewallZone")
err := k8sClient.Get(ctx, typeNamespacedName, firewallzone)
if err != nil && errors.IsNotFound(err) {
resource := &unifiv1beta1.FirewallZone{
ObjectMeta: metav1.ObjectMeta{
Name: resourceName,
Namespace: "default",
},
// TODO(user): Specify other spec details if needed.
}
Expect(k8sClient.Create(ctx, resource)).To(Succeed())
}
})
AfterEach(func() {
// TODO(user): Cleanup logic after each test, like removing the resource instance.
resource := &unifiv1beta1.FirewallZone{}
err := k8sClient.Get(ctx, typeNamespacedName, resource)
Expect(err).NotTo(HaveOccurred())
By("Cleanup the specific resource instance FirewallZone")
Expect(k8sClient.Delete(ctx, resource)).To(Succeed())
})
It("should successfully reconcile the resource", func() {
By("Reconciling the created resource")
controllerReconciler := &FirewallZoneReconciler{
Client: k8sClient,
Scheme: k8sClient.Scheme(),
}
_, err := controllerReconciler.Reconcile(ctx, reconcile.Request{
NamespacedName: typeNamespacedName,
})
Expect(err).NotTo(HaveOccurred())
// TODO(user): Add more specific assertions depending on your controller's reconciliation logic.
// Example: If you expect a certain status condition after reconciliation, verify it here.
})
})
})

18
internal/controller/networkconfiguration_controller.go
View File

@@ -78,7 +78,23 @@ func (r *NetworkconfigurationReconciler) Reconcile(ctx context.Context, req ctrl
if existing, found := k8sNetworks[networkID]; found {
log.Info(fmt.Sprintf("Found network match: %s/%s", existing.Spec.NetworkID, networkID))
} else {
log.Info(fmt.Sprintf("New network: %s with ID %s", network.Name, network.ID))
if network.Purpose == "corporate" {
log.Info(fmt.Sprintf("New network: %s with ID %s", network.Name, network.ID))
var networkObject unifiv1.Networkconfiguration
networkObject.Name = network.Name
networkObject.Spec.Name = network.Name
networkObject.Spec.NetworkID = network.ID
networkObject.Spec.IPSubnet = network.IPSubnet
networkObject.Spec.Ipv6InterfaceType = network.IPV6InterfaceType
networkObject.Spec.Ipv6PdAutoPrefixidEnabled = network.IPV6PDAutoPrefixidEnabled
networkObject.Spec.Ipv6RaEnabled = network.IPV6RaEnabled
networkObject.Spec.Ipv6SettingPreference = network.IPV6SettingPreference
networkObject.Spec.Ipv6Subnet = network.IPV6Subnet
networkObject.Spec.Purpose = network.Purpose
networkObject.Spec.Networkgroup = network.NetworkGroup
networkObject.Spec.SettingPreference = network.SettingPreference
networkObject.Spec.VlanEnabled = network.VLANEnabled
}
}
}