Fix configmap role

Handle ports in specification and in load balancer services

api/v1beta1/firewallgroup_types.go

@@ -36,6 +36,7 @@ type FirewallGroupSpec struct {
 	// ManualAddresses is a list of manual IPs or CIDRs (IPv4 or IPv6)
 	// +optional
 	ManualAddresses []string `json:"manualAddresses,omitempty"`
+	ManualPorts []string `json:"manualPorts,omitempty"`
 
 	// AutoIncludeSelector defines which services to extract addresses from
 	// +optional

cmd/main.go

@@ -40,6 +40,7 @@ import (
 	unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
 	"github.com/vegardengen/unifi-network-operator/internal/controller"
 	"github.com/vegardengen/unifi-network-operator/internal/unifi"
+	"github.com/vegardengen/unifi-network-operator/internal/config"
 	// +kubebuilder:scaffold:imports
 )
 
@@ -203,6 +204,8 @@ func main() {
 		os.Exit(1)
 	}
 
+       configLoader := config.NewConfigLoader(mgr.GetClient())
+
 	// Unifi client
 	setupLog.Info("Setting up UniFi client")
 	unifiClient, err := unifi.CreateUnifiClient()
@@ -216,6 +219,7 @@ func main() {
 		Client:      mgr.GetClient(),
 		Scheme:      mgr.GetScheme(),
 		UnifiClient: unifiClient,
+		ConfigLoader: configLoader,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Networkconfiguration")
 		os.Exit(1)
@@ -224,6 +228,7 @@ func main() {
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),
 		UnifiClient: unifiClient,
+		ConfigLoader: configLoader,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "FirewallZone")
 		os.Exit(1)
@@ -231,6 +236,8 @@ func main() {
 	if err = (&controller.FirewallRuleReconciler{
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),
+		UnifiClient: unifiClient,
+		ConfigLoader: configLoader,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "FirewallRule")
 		os.Exit(1)
@@ -241,6 +248,7 @@ func main() {
 		Client:      mgr.GetClient(),
 		Scheme:      mgr.GetScheme(),
 		UnifiClient: unifiClient,
+		ConfigLoader: configLoader,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "FirewallGroup")
 		os.Exit(1)

config/crd/bases/unifi.engen.priv.no_firewallgroups.yaml

@@ -99,6 +99,10 @@ spec:
                 items:
                   type: string
                 type: array
+              manualPorts:
+                items:
+                  type: string
+                type: array
               matchServicesInAllNamespaces:
                 type: boolean
               name:

config/rbac/role.yaml

@@ -7,6 +7,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - configmaps
   - services
   verbs:
   - get

internal/config/config.go

@@ -0,0 +1,45 @@
+package config
+
+import (
+    "context"
+    "sync"
+
+    corev1 "k8s.io/api/core/v1"
+    "k8s.io/apimachinery/pkg/types"
+    "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+type ConfigLoaderType struct {
+    Client client.Client
+
+    mu      sync.Mutex
+    loaded  bool
+    config  *corev1.ConfigMap
+    err     error
+}
+
+func NewConfigLoader(k8sClient client.Client) *ConfigLoaderType {
+    return &ConfigLoaderType{Client: k8sClient}
+}
+
+func (c *ConfigLoaderType) GetConfig(ctx context.Context, name string) (*corev1.ConfigMap, error) {
+    c.mu.Lock()
+    defer c.mu.Unlock()
+
+    if c.loaded {
+        return c.config, c.err
+    }
+
+    cm := &corev1.ConfigMap{}
+    err := c.Client.Get(ctx, types.NamespacedName{
+        Name:      name,
+        Namespace: "unifi-network-operator-system",
+    }, cm)
+
+    c.loaded = true
+    c.config = cm
+    c.err = err
+
+    return cm, err
+}
+

internal/controller/firewallgroup_controller.go

@@ -21,7 +21,10 @@ import (
 	"fmt"
 	"net"
 	"reflect"
+	"slices"
+	"strconv"
 	"strings"
+	"regexp"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -37,6 +40,7 @@ import (
 	goUnifi "github.com/vegardengen/go-unifi/unifi"
 	unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
 	"github.com/vegardengen/unifi-network-operator/internal/unifi"
+	"github.com/vegardengen/unifi-network-operator/internal/config"
 )
 
 // FirewallGroupReconciler reconciles a FirewallGroup object
@@ -44,12 +48,14 @@ type FirewallGroupReconciler struct {
 	client.Client
 	Scheme      *runtime.Scheme
 	UnifiClient *unifi.UnifiClient
+	ConfigLoader *config.ConfigLoaderType
 }
 
 // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallgroups,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallgroups/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallgroups/finalizers,verbs=update
 // +kubebuilder:rbac:groups="",resources=services,verbs=list;get;watch
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=list;get;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -63,12 +69,21 @@ type FirewallGroupReconciler struct {
 
 func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error) {
 	log := log.FromContext(ctx)
+	
+	cfg, err := r.ConfigLoader.GetConfig(ctx, "unifi-operator-config")
+        if err != nil {
+            return ctrl.Result{}, err
+        }
+
+        defaultNs := cfg.Data["defaultNamespace"]
+	log.Info(defaultNs)
+
 	var nwObj unifiv1beta1.FirewallGroup
 	if err := r.Get(ctx, req.NamespacedName, &nwObj); err != nil {
 		return reconcile.Result{}, client.IgnoreNotFound(err)
 	}
 	log.Info(nwObj.Spec.Name)
-	var ipv4, ipv6 []string
+	var ipv4, ipv6, tcpports, udpports []string
 
 	for _, addressEntry := range nwObj.Spec.ManualAddresses {
 		ip := net.ParseIP(addressEntry)
@@ -98,6 +113,26 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
 			}
 		}
 	}
+
+	for _, portEntry := range nwObj.Spec.ManualPorts {
+		port_type := "tcp"
+		port := portEntry
+		if match, _ := regexp.MatchString("(?:tcp|udp)\\/?)\\d+", string(portEntry)); match {
+		  fields := strings.Split("/",portEntry)
+		  port_type = fields[0]
+		  port = fields[1]
+		}
+		if(port_type == "tcp") {
+		  if !slices.Contains(tcpports, port) {
+			tcpports = append(tcpports, port)
+	          }
+		}
+		if(port_type == "udp") {
+		  if !slices.Contains(udpports, port) {
+			tcpports = append(udpports, port)
+	          }
+		}
+	}
 	var services corev1.ServiceList
 	if nwObj.Spec.MatchServicesInAllNamespaces {
 		if err := r.List(ctx, &services); err != nil {
@@ -123,6 +158,22 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
 					}
 				}
 			}
+			if service.Spec.Ports != nil {
+				for _, portSpec := range service.Spec.Ports {
+					log.Info(fmt.Sprintf("portSpec: %+v", portSpec))
+					log.Info(fmt.Sprintf("Port: %s %d", strconv.Itoa(int(portSpec.Port)), portSpec.Port))
+					if(portSpec.Protocol == "TCP") {
+					  if !slices.Contains(tcpports, strconv.Itoa(int(portSpec.Port))) {
+						tcpports = append(tcpports, strconv.Itoa(int(portSpec.Port)))
+					  }
+					}
+					if(portSpec.Protocol == "UDP") {
+					  if !slices.Contains(udpports, strconv.Itoa(int(portSpec.Port))) {
+						udpports = append(udpports, strconv.Itoa(int(portSpec.Port)))
+					  }
+					}
+				}
+			}
 		}
 	}
 	nwObj.Status.ResolvedAddresses = ipv4
@@ -131,7 +182,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
 	nwObj.Status.LastSyncTime = &currentTime
 	nwObj.Status.SyncedWithUnifi = true
 
-	err := r.UnifiClient.Reauthenticate()
+	err = r.UnifiClient.Reauthenticate()
 	if err != nil {
 		return reconcile.Result{}, err
 	}
@@ -142,8 +193,12 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
 	}
 	ipv4_name := "k8s-" + nwObj.Spec.Name + "-ipv4"
 	ipv6_name := "k8s-" + nwObj.Spec.Name + "-ipv6"
+	tcpports_name := "k8s-" + nwObj.Spec.Name + "-tcpports"
+	udpports_name := "k8s-" + nwObj.Spec.Name + "-udpports"
 	ipv4_done := false
 	ipv6_done := false
+	tcpports_done := false
+	udpports_done := false
 	for _, firewall_group := range firewall_groups {
 		if firewall_group.Name == ipv4_name {
 			if len(ipv4) == 0 {
@@ -215,6 +270,76 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
 				ipv6_done = true
 			}
 		}
+		if firewall_group.Name == tcpports_name {
+			if len(tcpports) == 0 {
+				log.Info(fmt.Sprintf("Delete %s", tcpports_name))
+				err := r.UnifiClient.Client.DeleteFirewallGroup(context.Background(), r.UnifiClient.SiteID, firewall_group.ID)
+				if err != nil {
+					msg := strings.ToLower(err.Error())
+					log.Info(msg)
+					if strings.Contains(msg, "api.err.objectreferredby") {
+						log.Info("Firewall group is in use. Invoking workaround...!")
+						firewall_group.GroupMembers = []string{"127.0.0.1"}
+						firewall_group.Name = firewall_group.Name + "-deleted"
+						_, updateerr := r.UnifiClient.Client.UpdateFirewallGroup(context.Background(), r.UnifiClient.SiteID, &firewall_group)
+						if updateerr != nil {
+							log.Error(updateerr, "Could neither delete or rename firewall group")
+							return reconcile.Result{}, updateerr
+						}
+					} else {
+						log.Error(err, "Could not delete firewall group")
+						return reconcile.Result{}, err
+					}
+				}
+				tcpports_done = true
+			} else {
+				if !reflect.DeepEqual(firewall_group.GroupMembers, tcpports) {
+					firewall_group.GroupMembers = tcpports
+					log.Info(fmt.Sprintf("Updating %s", tcpports_name))
+					_, err := r.UnifiClient.Client.UpdateFirewallGroup(context.Background(), r.UnifiClient.SiteID, &firewall_group)
+					if err != nil {
+						log.Error(err, "Could not update firewall group")
+						return reconcile.Result{}, err
+					}
+				}
+				tcpports_done = true
+			}
+		}
+		if firewall_group.Name == udpports_name {
+			if len(udpports) == 0 {
+				log.Info(fmt.Sprintf("Delete %s", udpports_name))
+				err := r.UnifiClient.Client.DeleteFirewallGroup(context.Background(), r.UnifiClient.SiteID, firewall_group.ID)
+				if err != nil {
+					msg := strings.ToLower(err.Error())
+					log.Info(msg)
+					if strings.Contains(msg, "api.err.objectreferredby") {
+						log.Info("Firewall group is in use. Invoking workaround...!")
+						firewall_group.GroupMembers = []string{"127.0.0.1"}
+						firewall_group.Name = firewall_group.Name + "-deleted"
+						_, updateerr := r.UnifiClient.Client.UpdateFirewallGroup(context.Background(), r.UnifiClient.SiteID, &firewall_group)
+						if updateerr != nil {
+							log.Error(updateerr, "Could neither delete or rename firewall group")
+							return reconcile.Result{}, updateerr
+						}
+					} else {
+						log.Error(err, "Could not delete firewall group")
+						return reconcile.Result{}, err
+					}
+				}
+				udpports_done = true
+			} else {
+				if !reflect.DeepEqual(firewall_group.GroupMembers, udpports) {
+					firewall_group.GroupMembers = udpports
+					log.Info(fmt.Sprintf("Updating %s", udpports_name))
+					_, err := r.UnifiClient.Client.UpdateFirewallGroup(context.Background(), r.UnifiClient.SiteID, &firewall_group)
+					if err != nil {
+						log.Error(err, "Could not update firewall group")
+						return reconcile.Result{}, err
+					}
+				}
+				udpports_done = true
+			}
+		}
 		if firewall_group.Name == ipv4_name+"-deleted" && len(ipv4) > 0 {
 			firewall_group.Name = ipv4_name
 			firewall_group.GroupMembers = ipv4
@@ -237,6 +362,28 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
 			}
 			ipv6_done = true
 		}
+		if firewall_group.Name == tcpports_name+"-deleted" && len(tcpports) > 0 {
+			firewall_group.Name = tcpports_name
+			firewall_group.GroupMembers = tcpports
+			log.Info(fmt.Sprintf("Creating %s (from previously deleted)", tcpports_name))
+			_, err := r.UnifiClient.Client.UpdateFirewallGroup(context.Background(), r.UnifiClient.SiteID, &firewall_group)
+			if err != nil {
+				log.Error(err, "Could not update firewall group")
+				return reconcile.Result{}, err
+			}
+			tcpports_done = true
+		}
+		if firewall_group.Name == udpports_name+"-deleted" && len(udpports) > 0 {
+			firewall_group.Name = udpports_name
+			firewall_group.GroupMembers = udpports
+			log.Info(fmt.Sprintf("Creating %s (from previously deleted)", udpports_name))
+			_, err := r.UnifiClient.Client.UpdateFirewallGroup(context.Background(), r.UnifiClient.SiteID, &firewall_group)
+			if err != nil {
+				log.Error(err, "Could not update firewall group")
+				return reconcile.Result{}, err
+			}
+			udpports_done = true
+		}
 	}
 	if len(ipv4) > 0 && !ipv4_done {
 		log.Info(fmt.Sprintf("Creating %s", ipv4_name))
@@ -264,12 +411,40 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
 			return reconcile.Result{}, err
 		}
 	}
+	if len(tcpports) > 0 && !tcpports_done {
+		log.Info(fmt.Sprintf("Creating %s", tcpports_name))
+		var firewall_group goUnifi.FirewallGroup
+		firewall_group.Name = tcpports_name
+		firewall_group.SiteID = r.UnifiClient.SiteID
+		firewall_group.GroupMembers = tcpports
+		firewall_group.GroupType = "port-group"
+		log.Info(fmt.Sprintf("Trying to apply: %+v", firewall_group))
+		_, err := r.UnifiClient.Client.CreateFirewallGroup(context.Background(), r.UnifiClient.SiteID, &firewall_group)
+		if err != nil {
+			log.Error(err, "Could not create firewall group")
+			return reconcile.Result{}, err
+		}
+	}
+	if len(udpports) > 0 && !udpports_done {
+		log.Info(fmt.Sprintf("Creating %s", udpports_name))
+		var firewall_group goUnifi.FirewallGroup
+		firewall_group.Name = udpports_name
+		firewall_group.SiteID = r.UnifiClient.SiteID
+		firewall_group.GroupMembers = udpports
+		firewall_group.GroupType = "port-group"
+		log.Info(fmt.Sprintf("Trying to apply: %+v", firewall_group))
+		_, err := r.UnifiClient.Client.CreateFirewallGroup(context.Background(), r.UnifiClient.SiteID, &firewall_group)
+		if err != nil {
+			log.Error(err, "Could not create firewall group")
+			return reconcile.Result{}, err
+		}
+	}
 	if err := r.Status().Update(ctx, &nwObj); err != nil {
 		log.Error(err, "unable to update FirewallGroup status")
 		return reconcile.Result{}, err
 	}
 
-	log.Info("Successfully updated FirewallGroup status with collected IP addresses")
+	log.Info("Successfully updated FirewallGroup status with collected IP addresses and ports")
 
 	return reconcile.Result{}, nil
 }

internal/controller/firewallrule_controller.go

@@ -25,17 +25,22 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
+	"github.com/vegardengen/unifi-network-operator/internal/unifi"
+	"github.com/vegardengen/unifi-network-operator/internal/config"
 )
 
 // FirewallRuleReconciler reconciles a FirewallRule object
 type FirewallRuleReconciler struct {
 	client.Client
 	Scheme *runtime.Scheme
+	UnifiClient      *unifi.UnifiClient
+	ConfigLoader *config.ConfigLoaderType
 }
 
 // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallrules,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallrules/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallrules/finalizers,verbs=update
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=list;get;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -47,10 +52,18 @@ type FirewallRuleReconciler struct {
 // For more details, check Reconcile and its Result here:
 // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.20.2/pkg/reconcile
 func (r *FirewallRuleReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	_ = log.FromContext(ctx)
+	log := log.FromContext(ctx)
 
 	// TODO(user): your logic here
 
+	cfg, err := r.ConfigLoader.GetConfig(ctx, "unifi-operator-config")
+        if err != nil {
+            return ctrl.Result{}, err
+        }
+
+        defaultNs := cfg.Data["defaultNamespace"]
+	log.Info(defaultNs)
+
 	return ctrl.Result{}, nil
 }
 

internal/controller/firewallzone_controller.go

@@ -30,6 +30,7 @@ import (
 
 	unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
 	"github.com/vegardengen/unifi-network-operator/internal/unifi"
+	"github.com/vegardengen/unifi-network-operator/internal/config"
 )
 
 // FirewallZoneReconciler reconciles a FirewallZone object
@@ -37,6 +38,7 @@ type FirewallZoneReconciler struct {
 	client.Client
 	Scheme      *runtime.Scheme
 	UnifiClient *unifi.UnifiClient
+	ConfigLoader *config.ConfigLoaderType
 }
 
 func toKubeName(input string) string {
@@ -64,6 +66,7 @@ func toKubeName(input string) string {
 // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallzones,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallzones/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallzones/finalizers,verbs=update
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=list;get;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -77,8 +80,15 @@ func toKubeName(input string) string {
 func (r *FirewallZoneReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := log.FromContext(ctx)
 
+	cfg, err := r.ConfigLoader.GetConfig(ctx, "unifi-operator-config")
+        if err != nil {
+            return ctrl.Result{}, err
+        }
+
+        defaultNs := cfg.Data["defaultNamespace"]
+
 	var fwzCRDs unifiv1beta1.FirewallZoneList
-	_ = r.List(ctx, &fwzCRDs)
+	_ = r.List(ctx, &fwzCRDs, client.InNamespace(defaultNs))
 
 	firewall_zones, err := r.UnifiClient.Client.ListFirewallZones(context.Background(), r.UnifiClient.SiteID)
 	if err != nil {
@@ -111,7 +121,7 @@ func (r *FirewallZoneReconciler) Reconcile(ctx context.Context, req ctrl.Request
 			zoneCRD := &unifiv1beta1.FirewallZone {
 				ObjectMeta : ctrl.ObjectMeta {
 				   Name: toKubeName(unifizone.Name),
-			  	   Namespace: "default",
+			  	   Namespace: defaultNs,
 			   	},
 				Spec: unifiv1beta1.FirewallZoneSpec {
 					Name : unifizone.Name,

internal/controller/networkconfiguration_controller.go

@@ -27,6 +27,7 @@ import (
 
 	unifiv1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
 	"github.com/vegardengen/unifi-network-operator/internal/unifi"
+	"github.com/vegardengen/unifi-network-operator/internal/config"
 )
 
 // NetworkconfigurationReconciler reconciles a Networkconfiguration object
@@ -34,11 +35,13 @@ type NetworkconfigurationReconciler struct {
 	client.Client
 	Scheme      *runtime.Scheme
 	UnifiClient *unifi.UnifiClient
+	ConfigLoader *config.ConfigLoaderType
 }
 
 // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=networkconfigurations,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=networkconfigurations/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=networkconfigurations/finalizers,verbs=update
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=list;get;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -51,6 +54,13 @@ type NetworkconfigurationReconciler struct {
 // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.20.2/pkg/reconcile
 func (r *NetworkconfigurationReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := log.FromContext(ctx)
+	cfg, err := r.ConfigLoader.GetConfig(ctx, "unifi-operator-config")
+        if err != nil {
+            return ctrl.Result{}, err
+        }
+
+        defaultNs := cfg.Data["defaultNamespace"]
+	log.Info(defaultNs)
 
 	var networkCRDs unifiv1.NetworkconfigurationList
 	if err := r.List(ctx, &networkCRDs); err != nil {