klauvsteinen/unifi-network-operator
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: klauvsteinen:ea68bed9c2e04c066c65121036cae3cd5e85c76f
Branches Tags
klauvsteinen:main klauvsteinen:feature/add-helm klauvsteinen:feature/properly-handle-namespaced-services klauvsteinen:feature/properly-handle-firewallgroups-in-same-namespace klauvsteinen:feature/cleanly-delete-empty-resources klauvsteinen:feature/default-namespace-same-as-firewallpolicy-namespace-when-referring-firewallgroup klauvsteinen:feature/add-namespace-to-firewallgroup-and-firewallpolicy-resources klauvsteinen:feature/use-prebuilt-image klauvsteinen:feature/fix-indentation klauvsteinen:feature/create-correct-manifests klauvsteinen:feature/build-alpha-and-beta klauvsteinen:feature/update-image-labels klauvsteinen:feature/generate-manifest klauvsteinen:feature/use-image-from-gitea klauvsteinen:feature/fix-variable klauvsteinen:feature/fix klauvsteinen:feature/fix-push-workflow klauvsteinen:feature/push-to-gitea klauvsteinen:feature/clean_some_files klauvsteinen:feature/fix-publish-pipeline klauvsteinen:feature/kobuild-on-main klauvsteinen:master klauvsteinen:feature/test-cicd-2 klauvsteinen:feature/test-cicd klauvsteinen:39-port-forwards-should-not-log-per-default klauvsteinen:37-optimize-api-usage klauvsteinen:35-fix-portforward-logic klauvsteinen:11-create-port-forward-api klauvsteinen:32-refactor-unifi-firewall-rule-api klauvsteinen:28-add-status-information-to-firewall-rule-resources klauvsteinen:29-create-finalizer-for-cleaning-up-firewallgroup-resources klauvsteinen:12-create-firewall-rule-api klauvsteinen:24-create-network-api klauvsteinen:chore/formatting klauvsteinen:17-create-utility-library klauvsteinen:22-use-reauthentication-method-in-more-reconcilers klauvsteinen:19-create-configmap-with-default-namespace klauvsteinen:13-create-api-for-networks klauvsteinen:14-create-object-for-ports-on-firewall-groups klauvsteinen:9-add-watcher-for-annotations-for-firewall-groups-and-handle-service-updates klauvsteinen:7-handle-annotations-for-firewall-groups-in-normal-reconcile-flow klauvsteinen:4-handle-reauthentication klauvsteinen:feature/create-functionality-to-create-a-unifi-network-object-based-on-an-annotation
klauvsteinen:v0.1.1-beta6 klauvsteinen:v0.1.1-beta5 klauvsteinen:v0.1.1-alpha16 klauvsteinen:v0.1.1-alpha15 klauvsteinen:v0.1.1-alpha14 klauvsteinen:v0.1.1-alpha13 klauvsteinen:v0.1.1-beta4 klauvsteinen:v0.1.1-beta3 klauvsteinen:v0.1.1-beta2 klauvsteinen:v0.1.1-alpha12 klauvsteinen:v.01.1-alpha10 klauvsteinen:v.0.1.1-alpha11 klauvsteinen:v.0.1.1-alpha10 klauvsteinen:v0.1.1-beta1 klauvsteinen:v0.1.1-alpha11 klauvsteinen:v0.1.1-alpha10 klauvsteinen:v0.1.1-alpha9 klauvsteinen:v0.1.1 klauvsteinen:v0.1.1-alpha8 klauvsteinen:v0.1.1-alpha7 klauvsteinen:v0.1.1-alpha6 klauvsteinen:v0.1.1-alpha5 klauvsteinen:v0.1.1-alpha4 klauvsteinen:v0.1.0-alpha3 klauvsteinen:v0.1.1-alpha2 klauvsteinen:v0.1.1-alpha1 klauvsteinen:v0.1.0 klauvsteinen:v0.0.5 klauvsteinen:v0.0.4 klauvsteinen:v0.0.3 klauvsteinen:0.0.3 klauvsteinen:v0.0.2 klauvsteinen:0.0.1 klauvsteinen:v0.0.1 klauvsteinen:v.0.0.1 klauvsteinen:v0.0.1-alpha70 klauvsteinen:v0.0.1-alpha69 klauvsteinen:v0.0.1-alpha68 klauvsteinen:v0.0.1-alpha67 klauvsteinen:v0.0.1-alpha66
..
compare: klauvsteinen:v0.1.1-alpha5
Branches Tags
klauvsteinen:feature/add-helm klauvsteinen:main klauvsteinen:feature/properly-handle-namespaced-services klauvsteinen:feature/properly-handle-firewallgroups-in-same-namespace klauvsteinen:feature/cleanly-delete-empty-resources klauvsteinen:feature/default-namespace-same-as-firewallpolicy-namespace-when-referring-firewallgroup klauvsteinen:feature/add-namespace-to-firewallgroup-and-firewallpolicy-resources klauvsteinen:feature/use-prebuilt-image klauvsteinen:feature/fix-indentation klauvsteinen:feature/create-correct-manifests klauvsteinen:feature/build-alpha-and-beta klauvsteinen:feature/update-image-labels klauvsteinen:feature/generate-manifest klauvsteinen:feature/use-image-from-gitea klauvsteinen:feature/fix-variable klauvsteinen:feature/fix klauvsteinen:feature/fix-push-workflow klauvsteinen:feature/push-to-gitea klauvsteinen:feature/clean_some_files klauvsteinen:feature/fix-publish-pipeline klauvsteinen:feature/kobuild-on-main klauvsteinen:master klauvsteinen:feature/test-cicd-2 klauvsteinen:feature/test-cicd klauvsteinen:39-port-forwards-should-not-log-per-default klauvsteinen:37-optimize-api-usage klauvsteinen:35-fix-portforward-logic klauvsteinen:11-create-port-forward-api klauvsteinen:32-refactor-unifi-firewall-rule-api klauvsteinen:28-add-status-information-to-firewall-rule-resources klauvsteinen:29-create-finalizer-for-cleaning-up-firewallgroup-resources klauvsteinen:12-create-firewall-rule-api klauvsteinen:24-create-network-api klauvsteinen:chore/formatting klauvsteinen:17-create-utility-library klauvsteinen:22-use-reauthentication-method-in-more-reconcilers klauvsteinen:19-create-configmap-with-default-namespace klauvsteinen:13-create-api-for-networks klauvsteinen:14-create-object-for-ports-on-firewall-groups klauvsteinen:9-add-watcher-for-annotations-for-firewall-groups-and-handle-service-updates klauvsteinen:7-handle-annotations-for-firewall-groups-in-normal-reconcile-flow klauvsteinen:4-handle-reauthentication klauvsteinen:feature/create-functionality-to-create-a-unifi-network-object-based-on-an-annotation
klauvsteinen:v0.1.1-beta6 klauvsteinen:v0.1.1-beta5 klauvsteinen:v0.1.1-alpha16 klauvsteinen:v0.1.1-alpha15 klauvsteinen:v0.1.1-alpha14 klauvsteinen:v0.1.1-alpha13 klauvsteinen:v0.1.1-beta4 klauvsteinen:v0.1.1-beta3 klauvsteinen:v0.1.1-beta2 klauvsteinen:v0.1.1-alpha12 klauvsteinen:v.01.1-alpha10 klauvsteinen:v.0.1.1-alpha11 klauvsteinen:v.0.1.1-alpha10 klauvsteinen:v0.1.1-beta1 klauvsteinen:v0.1.1-alpha11 klauvsteinen:v0.1.1-alpha10 klauvsteinen:v0.1.1-alpha9 klauvsteinen:v0.1.1 klauvsteinen:v0.1.1-alpha8 klauvsteinen:v0.1.1-alpha7 klauvsteinen:v0.1.1-alpha6 klauvsteinen:v0.1.1-alpha5 klauvsteinen:v0.1.1-alpha4 klauvsteinen:v0.1.0-alpha3 klauvsteinen:v0.1.1-alpha2 klauvsteinen:v0.1.1-alpha1 klauvsteinen:v0.1.0 klauvsteinen:v0.0.5 klauvsteinen:v0.0.4 klauvsteinen:v0.0.3 klauvsteinen:0.0.3 klauvsteinen:v0.0.2 klauvsteinen:0.0.1 klauvsteinen:v0.0.1 klauvsteinen:v.0.0.1 klauvsteinen:v0.0.1-alpha70 klauvsteinen:v0.0.1-alpha69 klauvsteinen:v0.0.1-alpha68 klauvsteinen:v0.0.1-alpha67 klauvsteinen:v0.0.1-alpha66

3 Commits
ea68bed9c2 ... v0.1.1-alp

Author SHA1 Message Date
Vegard Engen
f406d470c1 Delete before put latest manifest
Some checks failed
Build project / build (push) Has been cancelled
Details
Publish / build (push) Successful in 3m30s
Details
2025-06-27 01:05:16 +02:00
Vegard Engen
7d52648e2e Fix workflow
All checks were successful
Publish / build (push) Successful in 3m18s
Details
Build project / build (push) Successful in 1m55s
Details
2025-06-27 00:50:10 +02:00
Vegard Engen
0146a0bfba Correct manifests with correct image
Some checks failed
Build project / build (push) Has been cancelled
Details
Publish / build (push) Successful in 3m26s
Details
2025-06-27 00:38:20 +02:00
29 changed files with 106 additions and 2242 deletions
Expand all files Collapse all files

2
.gitea/workflows/build.yaml
View File

@@ -6,7 +6,7 @@ on:
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: registry.engen.priv.no/gitea-build:0.1.0 container: golang:1.24
steps: steps:
- name: Setup SSH - name: Setup SSH
run: | run: |

36
.gitea/workflows/kobuild.yaml
View File

@@ -6,12 +6,7 @@ on:
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: registry.engen.priv.no/gitea-build:0.1.0 container: golang:1.24
env:
GITEA_USER: ${{ secrets.GITEAUSER }}
GITEA_TOKEN: ${{ secrets.GITEATOKEN }}
GITEA_REGISTRY: gitea.engen.priv.no
GITEA_ORG: klauvsteinen
steps: steps:
- name: Setup SSH - name: Setup SSH
run: | run: |
@@ -19,32 +14,15 @@ jobs:
echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa chmod 600 ~/.ssh/id_rsa
ssh-keyscan gitea-ssh.engen.priv.no >> ~/.ssh/known_hosts ssh-keyscan gitea-ssh.engen.priv.no >> ~/.ssh/known_hosts
- name: Install node and go
run: apt update && apt -y install nodejs
- name: Check out repository code - name: Check out repository code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: ssh repo - name: ssh repo
run: git config --global url.git@gitea-ssh.engen.priv.no:.insteadOf https://gitea.engen.priv.no/ run: git config --global url.git@gitea-ssh.engen.priv.no:.insteadOf https://gitea.engen.priv.no/
- name: Docker login - name: Install ko
run: echo "${GITEA_TOKEN}" | docker login "${GITEA_REGISTRY}" --username "${GITEA_USER}" --password-stdin run: go install github.com/google/ko@latest
- name: Build - name: Build
run: | run: KO_DOCKER_REPO=gitea.engen.priv.no/unifi-network-operator-controller PATH=~/go/bin:$PATH ko build --local ./cmd
export KO_DOCKER_REPO="${GITEA_REGISTRY}/${GITEA_ORG}/unifi-network-operator-controller"
ko publish ./cmd \
--tags "latest" \
--image-label 'org.opencontainers.image.authors=Klauvsteinen <vegard@engen.priv.no>' \
--image-label 'org.opencontainers.image.vendor=Klauvsteinen' \
--image-label 'org.opencontainers.image.source=https://gitea.engen.priv.no/klauvsteinen/unifi-network-operator' \
--image-label 'org.opencontainers.image.url=https://gitea.engen.priv.no/klauvsteinen/unifi-network-operator' \
--image-label 'dev.chainguard.package.main=' \
--bare
- name: Build manifest - name: Build manifest
run: | run: make build-installer
make IMG="${GITEA_REGISTRY}/${GITEA_ORG}/unifi-network-operator-controller:latest" build-installer
curl -X DELETE \
-H "Authorization: token $GITEA_TOKEN" \
-H "Content-Type: application/x-yaml" \
https://gitea.engen.priv.no/api/packages/klauvsteinen/generic/unifi-network-operator/latest/install.yaml
curl -X PUT \
-H "Authorization: token $GITEA_TOKEN" \
-H "Content-Type: application/x-yaml" \
--data-binary @./dist/install.yaml \
https://gitea.engen.priv.no/api/packages/klauvsteinen/generic/unifi-network-operator/latest/install.yaml

18
.gitea/workflows/publish.yaml
View File

@@ -8,13 +8,15 @@ on:
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: registry.engen.priv.no/gitea-build:0.1.0 container: golang:1.24-bookworm
env: env:
GITEA_USER: ${{ secrets.GITEAUSER }} GITEA_USER: ${{ secrets.GITEAUSER }}
GITEA_TOKEN: ${{ secrets.GITEATOKEN }} GITEA_TOKEN: ${{ secrets.GITEATOKEN }}
GITEA_REGISTRY: gitea.engen.priv.no GITEA_REGISTRY: gitea.engen.priv.no
GITEA_ORG: klauvsteinen GITEA_ORG: klauvsteinen
steps: steps:
- name: Install dependencies
run: apt update && apt -y install nodejs bash docker.io
- name: Setup SSH - name: Setup SSH
run: | run: |
mkdir -p ~/.ssh mkdir -p ~/.ssh
@@ -25,6 +27,8 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: ssh repo - name: ssh repo
run: git config --global url.git@gitea-ssh.engen.priv.no:.insteadOf https://gitea.engen.priv.no/ run: git config --global url.git@gitea-ssh.engen.priv.no:.insteadOf https://gitea.engen.priv.no/
- name: Install ko
run: go install github.com/google/ko@latest
- name: Extract tag (outside container) - name: Extract tag (outside container)
shell: bash shell: bash
run: | run: |
@@ -36,7 +40,7 @@ jobs:
run: | run: |
export KO_DOCKER_REPO="${GITEA_REGISTRY}/${GITEA_ORG}/unifi-network-operator-controller" export KO_DOCKER_REPO="${GITEA_REGISTRY}/${GITEA_ORG}/unifi-network-operator-controller"
ko publish ./cmd \ ko publish ./cmd \
--tags "$TAG" \ --tags "$TAG,latest" \
--image-label 'org.opencontainers.image.authors=Klauvsteinen <vegard@engen.priv.no>' \ --image-label 'org.opencontainers.image.authors=Klauvsteinen <vegard@engen.priv.no>' \
--image-label 'org.opencontainers.image.vendor=Klauvsteinen' \ --image-label 'org.opencontainers.image.vendor=Klauvsteinen' \
--image-label 'org.opencontainers.image.source=https://gitea.engen.priv.no/klauvsteinen/unifi-network-operator' \ --image-label 'org.opencontainers.image.source=https://gitea.engen.priv.no/klauvsteinen/unifi-network-operator' \
@@ -45,6 +49,16 @@ jobs:
--bare --bare
- name: Build manifest - name: Build manifest
run: | run: |
make IMG="${GITEA_REGISTRY}/${GITEA_ORG}/unifi-network-operator-controller:latest" build-installer
curl -X DELETE \
-H "Authorization: token $GITEA_TOKEN" \
-H "Content-Type: application/x-yaml" \
https://gitea.engen.priv.no/api/packages/klauvsteinen/generic/unifi-network-operator/latest/install.yaml
curl -X PUT \
-H "Authorization: token $GITEA_TOKEN" \
-H "Content-Type: application/x-yaml" \
--data-binary @./dist/install.yaml \
https://gitea.engen.priv.no/api/packages/klauvsteinen/generic/unifi-network-operator/latest/install.yaml
make IMG="${GITEA_REGISTRY}/${GITEA_ORG}/unifi-network-operator-controller:$TAG" build-installer make IMG="${GITEA_REGISTRY}/${GITEA_ORG}/unifi-network-operator-controller:$TAG" build-installer
curl -X PUT \ curl -X PUT \
-H "Authorization: token $GITEA_TOKEN" \ -H "Authorization: token $GITEA_TOKEN" \

54
Makefile
View File

@@ -229,57 +229,3 @@ mv $(1) $(1)-$(3) ;\
} ;\ } ;\
ln -sf $(1)-$(3) $(1) ln -sf $(1)-$(3) $(1)
endef endef
##@ Helm
HELM_CHART_DIR ?= helm/unifi-network-operator
HELM_RELEASE_NAME ?= unifi-network-operator
HELM_NAMESPACE ?= unifi-network-operator-system
.PHONY: helm-lint
helm-lint: ## Lint the Helm chart
helm lint $(HELM_CHART_DIR) --set unifi.url="https://test.local" --set unifi.password="test"
.PHONY: helm-template
helm-template: ## Render Helm templates for inspection
helm template $(HELM_RELEASE_NAME) $(HELM_CHART_DIR) \
--namespace $(HELM_NAMESPACE) \
--set unifi.url="https://test.local" \
--set unifi.password="test" \
--debug
.PHONY: helm-install
helm-install: ## Install the Helm chart (requires UNIFI_URL and UNIFI_PASSWORD env vars)
@if [ -z "$(UNIFI_URL)" ]; then echo "Error: UNIFI_URL is not set"; exit 1; fi
@if [ -z "$(UNIFI_PASSWORD)" ]; then echo "Error: UNIFI_PASSWORD is not set"; exit 1; fi
helm install $(HELM_RELEASE_NAME) $(HELM_CHART_DIR) \
--namespace $(HELM_NAMESPACE) \
--create-namespace \
--set unifi.url="$(UNIFI_URL)" \
--set unifi.password="$(UNIFI_PASSWORD)" \
--set unifi.site="$(UNIFI_SITE)" \
--set unifi.username="$(UNIFI_USERNAME)"
.PHONY: helm-upgrade
helm-upgrade: ## Upgrade the Helm release
helm upgrade $(HELM_RELEASE_NAME) $(HELM_CHART_DIR) \
--namespace $(HELM_NAMESPACE)
.PHONY: helm-uninstall
helm-uninstall: ## Uninstall the Helm release
helm uninstall $(HELM_RELEASE_NAME) --namespace $(HELM_NAMESPACE)
.PHONY: helm-package
helm-package: ## Package the Helm chart
helm package $(HELM_CHART_DIR) -d dist/
.PHONY: helm-dry-run
helm-dry-run: ## Dry run Helm installation
@if [ -z "$(UNIFI_URL)" ]; then echo "Error: UNIFI_URL is not set"; exit 1; fi
@if [ -z "$(UNIFI_PASSWORD)" ]; then echo "Error: UNIFI_PASSWORD is not set"; exit 1; fi
helm install $(HELM_RELEASE_NAME) $(HELM_CHART_DIR) \
--namespace $(HELM_NAMESPACE) \
--create-namespace \
--set unifi.url="$(UNIFI_URL)" \
--set unifi.password="$(UNIFI_PASSWORD)" \
--dry-run --debug

298
helm/INSTALL.md
View File

@@ -1,298 +0,0 @@
# UniFi Network Operator - Helm Installation Guide
## Quick Start
### 1. Install the Helm Chart
The simplest way to install the operator:
```bash
helm install unifi-network-operator ./helm/unifi-network-operator \
--namespace unifi-network-operator-system \
--create-namespace \
--set unifi.url="https://your-unifi-controller:8443" \
--set unifi.password="your-password"
```
### 2. Verify Installation
```bash
# Check if the operator is running
kubectl get pods -n unifi-network-operator-system
# Check the operator logs
kubectl logs -n unifi-network-operator-system -l app.kubernetes.io/name=unifi-network-operator -f
# Verify CRDs are installed
kubectl get crds | grep unifi.engen.priv.no
```
### 3. Create Your First Resource
Create a FirewallZone:
```bash
cat <<EOF | kubectl apply -f -
apiVersion: unifi.engen.priv.no/v1beta1
kind: FirewallZone
metadata:
name: test-zone
namespace: default
spec:
zoneName: "test-zone"
EOF
```
## Production Installation
For production deployments, create a `values.yaml` file:
```yaml
# production-values.yaml
replicaCount: 1
image:
repository: gitea.engen.priv.no/klauvsteinen/unifi-network-operator-controller
tag: "latest"
pullPolicy: IfNotPresent
unifi:
url: "https://unifi.example.com:8443"
site: "default"
username: "operator-user"
# Use existingSecret in production!
existingSecret: "unifi-credentials"
config:
defaultNamespace: "default"
fullSyncZone: "gateway"
fullSyncNetwork: "core"
kubernetesUnifiZone: "kubernetes"
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 50m
memory: 128Mi
metrics:
serviceMonitor:
enabled: true
additionalLabels:
prometheus: kube-prometheus
leaderElection:
enabled: true
nodeSelector:
kubernetes.io/os: linux
tolerations: []
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- unifi-network-operator
topologyKey: kubernetes.io/hostname
```
Create the secret first:
```bash
kubectl create namespace unifi-network-operator-system
kubectl create secret generic unifi-credentials \
--from-literal=UNIFI_URL="https://unifi.example.com:8443" \
--from-literal=UNIFI_SITE="default" \
--from-literal=UNIFI_USERNAME="operator-user" \
--from-literal=UNIFI_PASSWORD="your-secure-password" \
-n unifi-network-operator-system
```
Then install with the values file:
```bash
helm install unifi-network-operator ./helm/unifi-network-operator \
-n unifi-network-operator-system \
-f production-values.yaml
```
## Upgrading
```bash
helm upgrade unifi-network-operator ./helm/unifi-network-operator \
-n unifi-network-operator-system \
-f production-values.yaml
```
## Uninstalling
```bash
# Remove the operator (keeps CRDs and CRs by default)
helm uninstall unifi-network-operator -n unifi-network-operator-system
# To also remove CRDs (this will delete all custom resources!)
kubectl delete crds -l app.kubernetes.io/name=unifi-network-operator
```
## Testing Locally
You can test the chart rendering without installing:
```bash
# Render templates
helm template unifi-network-operator ./helm/unifi-network-operator \
--set unifi.url="https://test.local" \
--set unifi.password="test" \
--debug
# Lint the chart
helm lint ./helm/unifi-network-operator \
--set unifi.url="https://test.local" \
--set unifi.password="test"
# Dry run installation
helm install unifi-network-operator ./helm/unifi-network-operator \
-n unifi-network-operator-system \
--create-namespace \
--set unifi.url="https://test.local" \
--set unifi.password="test" \
--dry-run --debug
```
## Packaging for Distribution
To package the chart for distribution:
```bash
# Package the chart
helm package helm/unifi-network-operator
# This creates: unifi-network-operator-0.1.0.tgz
# Generate index (if hosting a chart repository)
helm repo index .
```
## Common Configuration Scenarios
### Scenario 1: Development Environment
```bash
helm install unifi-network-operator ./helm/unifi-network-operator \
-n unifi-network-operator-system \
--create-namespace \
--set unifi.url="https://192.168.1.1:8443" \
--set unifi.password="admin" \
--set resources.limits.memory="128Mi" \
--set resources.requests.memory="64Mi"
```
### Scenario 2: Multiple Sites
For managing multiple UniFi sites, deploy separate instances:
```bash
# Site 1
helm install unifi-operator-site1 ./helm/unifi-network-operator \
-n unifi-site1 \
--create-namespace \
--set unifi.url="https://unifi-site1.example.com:8443" \
--set unifi.site="site1" \
--set unifi.password="password1"
# Site 2
helm install unifi-operator-site2 ./helm/unifi-network-operator \
-n unifi-site2 \
--create-namespace \
--set unifi.url="https://unifi-site2.example.com:8443" \
--set unifi.site="site2" \
--set unifi.password="password2"
```
### Scenario 3: Using with ArgoCD
Create an ArgoCD Application:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: unifi-network-operator
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/yourusername/unifi-network-operator
targetRevision: main
path: helm/unifi-network-operator
helm:
values: |
unifi:
existingSecret: unifi-credentials
config:
fullSyncZone: "gateway"
fullSyncNetwork: "core"
metrics:
serviceMonitor:
enabled: true
destination:
server: https://kubernetes.default.svc
namespace: unifi-network-operator-system
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
```
## Troubleshooting
### Operator Won't Start
Check the logs:
```bash
kubectl logs -n unifi-network-operator-system \
-l app.kubernetes.io/name=unifi-network-operator
```
### Connection Issues to UniFi Controller
Verify the secret:
```bash
kubectl get secret -n unifi-network-operator-system
kubectl describe secret unifi-network-operator-unifi \
-n unifi-network-operator-system
```
### CRDs Not Installing
Manually install CRDs:
```bash
kubectl apply -f helm/unifi-network-operator/crds/
```
### Resources Not Syncing
Check operator configuration:
```bash
kubectl get configmap -n unifi-network-operator-system
kubectl describe configmap unifi-network-operator-config \
-n unifi-network-operator-system
```
## Additional Resources
- [Helm Chart README](./unifi-network-operator/README.md)
- [Values Reference](./unifi-network-operator/values.yaml)
- [Custom Resource Examples](../config/samples/)

234
helm/README.md
View File

@@ -1,234 +0,0 @@
# UniFi Network Operator - Helm Chart
This directory contains the Helm chart for deploying the UniFi Network Operator to Kubernetes.
## Quick Links
- **[Installation Guide](./INSTALL.md)** - Detailed installation instructions and examples
- **[Chart Documentation](./unifi-network-operator/README.md)** - Full configuration reference
- **[Values Reference](./unifi-network-operator/values.yaml)** - All configurable values
## Quick Start
```bash
# Install with minimal configuration
helm install unifi-network-operator ./helm/unifi-network-operator \
--namespace unifi-network-operator-system \
--create-namespace \
--set unifi.url="https://your-unifi-controller:8443" \
--set unifi.password="your-password"
```
## Chart Structure
```
helm/unifi-network-operator/
├── Chart.yaml # Chart metadata
├── values.yaml # Default configuration values
├── README.md # Detailed chart documentation
├── .helmignore # Files to ignore when packaging
├── crds/ # Custom Resource Definitions
│ ├── unifi.engen.priv.no_firewallgroups.yaml
│ ├── unifi.engen.priv.no_firewallpolicies.yaml
│ ├── unifi.engen.priv.no_firewallzones.yaml
│ ├── unifi.engen.priv.no_networkconfigurations.yaml
│ └── unifi.engen.priv.no_portforwards.yaml
└── templates/ # Kubernetes resource templates
├── NOTES.txt # Post-installation notes
├── _helpers.tpl # Template helpers
├── deployment.yaml # Operator deployment
├── serviceaccount.yaml # Service account
├── clusterrole.yaml # Cluster-level permissions
├── clusterrolebinding.yaml
├── role.yaml # Namespace-level permissions
├── rolebinding.yaml
├── configmap.yaml # Operator configuration
├── secret.yaml # UniFi credentials
├── service.yaml # Metrics service
└── servicemonitor.yaml # Prometheus integration
```
## Features
- **Secure by Default**: Runs with restricted security context and non-root user
- **Flexible Configuration**: Extensive values for customization
- **Production Ready**: Leader election, resource limits, health checks
- **Monitoring**: Built-in Prometheus ServiceMonitor support
- **GitOps Friendly**: Works with ArgoCD, Flux, and other GitOps tools
- **Credential Management**: Support for external secrets
## Key Configuration Options
### Required Settings
- `unifi.url` - UniFi controller URL (e.g., `https://unifi.example.com:8443`)
- `unifi.password` - UniFi password (or use `unifi.existingSecret`)
### Common Optional Settings
- `unifi.site` - UniFi site ID (default: `default`)
- `unifi.username` - UniFi username (default: `admin`)
- `config.fullSyncZone` - Zone name for bidirectional sync
- `config.fullSyncNetwork` - Network name for bidirectional sync
- `metrics.serviceMonitor.enabled` - Enable Prometheus monitoring
- `resources.*` - Resource limits and requests
## Using Make Targets
The project Makefile includes helpful Helm targets:
```bash
# Lint the chart
make helm-lint
# Render templates (for debugging)
make helm-template
# Install (requires env vars)
export UNIFI_URL="https://unifi.example.com:8443"
export UNIFI_PASSWORD="your-password"
make helm-install
# Upgrade
make helm-upgrade
# Uninstall
make helm-uninstall
# Package the chart
make helm-package
# Dry run
make helm-dry-run
```
## Examples
### Development Installation
```bash
helm install unifi-network-operator ./helm/unifi-network-operator \
-n unifi-network-operator-system \
--create-namespace \
--set unifi.url="https://192.168.1.1:8443" \
--set unifi.password="admin"
```
### Production with Existing Secret
```bash
# Create secret
kubectl create secret generic unifi-creds \
--from-literal=UNIFI_URL="https://unifi.example.com:8443" \
--from-literal=UNIFI_SITE="default" \
--from-literal=UNIFI_USERNAME="operator" \
--from-literal=UNIFI_PASSWORD="secure-password" \
-n unifi-network-operator-system
# Install with secret reference
helm install unifi-network-operator ./helm/unifi-network-operator \
-n unifi-network-operator-system \
--set unifi.existingSecret="unifi-creds"
```
### With Full Sync and Monitoring
```bash
helm install unifi-network-operator ./helm/unifi-network-operator \
-n unifi-network-operator-system \
--create-namespace \
--set unifi.url="https://unifi.example.com:8443" \
--set unifi.password="password" \
--set config.fullSyncZone="gateway" \
--set config.fullSyncNetwork="core" \
--set metrics.serviceMonitor.enabled=true
```
## Upgrading
To upgrade the operator:
```bash
helm upgrade unifi-network-operator ./helm/unifi-network-operator \
-n unifi-network-operator-system
```
## Uninstalling
```bash
# Remove the operator (CRDs remain)
helm uninstall unifi-network-operator -n unifi-network-operator-system
# Also remove CRDs (WARNING: deletes all custom resources)
kubectl delete crds \
firewallgroups.unifi.engen.priv.no \
firewallpolicies.unifi.engen.priv.no \
firewallzones.unifi.engen.priv.no \
networkconfigurations.unifi.engen.priv.no \
portforwards.unifi.engen.priv.no
```
## Customization
Create a `custom-values.yaml` file:
```yaml
image:
tag: "v1.0.0"
replicaCount: 1
unifi:
existingSecret: "my-unifi-secret"
config:
fullSyncZone: "gateway"
fullSyncNetwork: "core"
kubernetesUnifiZone: "k8s"
resources:
limits:
memory: 256Mi
requests:
memory: 128Mi
metrics:
serviceMonitor:
enabled: true
additionalLabels:
prometheus: kube-prometheus
nodeSelector:
kubernetes.io/os: linux
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
```
Install with:
```bash
helm install unifi-network-operator ./helm/unifi-network-operator \
-n unifi-network-operator-system \
--create-namespace \
-f custom-values.yaml
```
## Documentation
- **[INSTALL.md](./INSTALL.md)** - Complete installation guide with examples
- **[Chart README](./unifi-network-operator/README.md)** - Full configuration reference
- **[values.yaml](./unifi-network-operator/values.yaml)** - Commented default values
## Support
For issues and questions:
- Check the [Installation Guide](./INSTALL.md)
- Review the [Chart Documentation](./unifi-network-operator/README.md)
- Check operator logs: `kubectl logs -n unifi-network-operator-system -l app.kubernetes.io/name=unifi-network-operator`
## License
This Helm chart is provided under the same license as the UniFi Network Operator project.

23
helm/unifi-network-operator/.helmignore
View File

@@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

16
helm/unifi-network-operator/Chart.yaml
View File

@@ -1,16 +0,0 @@
apiVersion: v2
name: unifi-network-operator
description: A Kubernetes operator for managing UniFi network configurations
type: application
version: 0.1.0
appVersion: "latest"
home: https://github.com/yourusername/unifi-network-operator
maintainers:
- name: Vegar Dengen
keywords:
- unifi
- network
- operator
- firewall
sources:
- https://github.com/yourusername/unifi-network-operator

335
helm/unifi-network-operator/README.md
View File

@@ -1,335 +0,0 @@
# UniFi Network Operator Helm Chart
A Kubernetes operator for managing UniFi network configurations declaratively through Kubernetes Custom Resources.
## Introduction
This Helm chart deploys the UniFi Network Operator on a Kubernetes cluster. The operator enables you to manage UniFi network infrastructure (firewall zones, groups, policies, networks, and port forwards) using Kubernetes resources.
## Prerequisites
- Kubernetes 1.19+
- Helm 3.0+
- Access to a UniFi Network Controller
- UniFi controller credentials (URL, username, password)
## Installing the Chart
To install the chart with the release name `unifi-network-operator`:
```bash
helm install unifi-network-operator ./helm/unifi-network-operator \
--namespace unifi-network-operator-system \
--create-namespace \
--set unifi.url="https://unifi.example.com:8443" \
--set unifi.username="admin" \
--set unifi.password="your-password" \
--set unifi.site="default"
```
## Uninstalling the Chart
To uninstall/delete the `unifi-network-operator` deployment:
```bash
helm uninstall unifi-network-operator -n unifi-network-operator-system
```
This command removes all the Kubernetes components associated with the chart. Note that CRDs are not deleted by default to prevent data loss.
## Configuration
The following table lists the configurable parameters of the UniFi Network Operator chart and their default values.
### General Parameters
| Parameter | Description | Default |
|-----------|-------------|---------|
| `replicaCount` | Number of operator replicas | `1` |
| `image.repository` | Operator image repository | `gitea.engen.priv.no/klauvsteinen/unifi-network-operator-controller` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.tag` | Image tag (overrides appVersion) | `latest` |
| `imagePullSecrets` | Image pull secrets | `[]` |
| `nameOverride` | Override chart name | `""` |
| `fullnameOverride` | Override full chart name | `""` |
### Service Account Parameters
| Parameter | Description | Default |
|-----------|-------------|---------|
| `serviceAccount.create` | Create service account | `true` |
| `serviceAccount.automount` | Auto-mount service account token | `true` |
| `serviceAccount.annotations` | Service account annotations | `{}` |
| `serviceAccount.name` | Service account name | `""` |
### Security Parameters
| Parameter | Description | Default |
|-----------|-------------|---------|
| `podSecurityContext.runAsNonRoot` | Run as non-root user | `true` |
| `podSecurityContext.seccompProfile.type` | Seccomp profile type | `RuntimeDefault` |
| `securityContext.allowPrivilegeEscalation` | Allow privilege escalation | `false` |
| `securityContext.capabilities.drop` | Dropped capabilities | `["ALL"]` |
### Resource Parameters
| Parameter | Description | Default |
|-----------|-------------|---------|
| `resources.limits.cpu` | CPU limit | `500m` |
| `resources.limits.memory` | Memory limit | `128Mi` |
| `resources.requests.cpu` | CPU request | `10m` |
| `resources.requests.memory` | Memory request | `64Mi` |
### UniFi Controller Parameters
| Parameter | Description | Default |
|-----------|-------------|---------|
| `unifi.url` | UniFi controller URL | `""` (required) |
| `unifi.site` | UniFi site ID | `"default"` |
| `unifi.username` | UniFi username | `"admin"` |
| `unifi.password` | UniFi password | `""` (required) |
| `unifi.existingSecret` | Use existing secret for credentials | `""` |
| `unifi.existingSecretKeys.url` | Key for URL in existing secret | `UNIFI_URL` |
| `unifi.existingSecretKeys.site` | Key for site in existing secret | `UNIFI_SITE` |
| `unifi.existingSecretKeys.username` | Key for username in existing secret | `UNIFI_USERNAME` |
| `unifi.existingSecretKeys.password` | Key for password in existing secret | `UNIFI_PASSWORD` |
### Operator Configuration Parameters
| Parameter | Description | Default |
|-----------|-------------|---------|
| `config.create` | Create ConfigMap for operator config | `true` |
| `config.defaultNamespace` | Default namespace for resources | `"default"` |
| `config.fullSyncZone` | Full sync zone name | `""` |
| `config.fullSyncNetwork` | Full sync network name | `""` |
| `config.kubernetesUnifiZone` | Kubernetes UniFi zone name | `""` |
| `config.existingConfigMap` | Use existing ConfigMap | `""` |
### RBAC Parameters
| Parameter | Description | Default |
|-----------|-------------|---------|
| `rbac.create` | Create RBAC resources | `true` |
### CRD Parameters
| Parameter | Description | Default |
|-----------|-------------|---------|
| `crds.install` | Install CRDs | `true` |
| `crds.keep` | Keep CRDs on uninstall | `true` |
### Service Parameters
| Parameter | Description | Default |
|-----------|-------------|---------|
| `service.enabled` | Enable metrics service | `true` |
| `service.type` | Service type | `ClusterIP` |
| `service.port` | Service port | `8443` |
| `service.annotations` | Service annotations | `{}` |
### Metrics Parameters
| Parameter | Description | Default |
|-----------|-------------|---------|
| `metrics.serviceMonitor.enabled` | Enable Prometheus ServiceMonitor | `false` |
| `metrics.serviceMonitor.additionalLabels` | Additional labels for ServiceMonitor | `{}` |
| `metrics.serviceMonitor.interval` | Scrape interval | `30s` |
| `metrics.serviceMonitor.scrapeTimeout` | Scrape timeout | `10s` |
### Other Parameters
| Parameter | Description | Default |
|-----------|-------------|---------|
| `leaderElection.enabled` | Enable leader election | `true` |
| `nodeSelector` | Node selector | `{}` |
| `tolerations` | Tolerations | `[]` |
| `affinity` | Affinity rules | `{}` |
| `podAnnotations` | Pod annotations | `{"kubectl.kubernetes.io/default-container": "manager"}` |
| `podLabels` | Pod labels | `{"control-plane": "controller-manager"}` |
## Using an Existing Secret
If you prefer to manage the UniFi credentials separately, you can create a secret manually and reference it:
```bash
kubectl create secret generic my-unifi-secret \
--from-literal=UNIFI_URL="https://unifi.example.com:8443" \
--from-literal=UNIFI_SITE="default" \
--from-literal=UNIFI_USERNAME="admin" \
--from-literal=UNIFI_PASSWORD="your-password" \
-n unifi-network-operator-system
```
Then install the chart with:
```bash
helm install unifi-network-operator ./helm/unifi-network-operator \
--namespace unifi-network-operator-system \
--create-namespace \
--set unifi.existingSecret="my-unifi-secret"
```
## Examples
### Basic Installation
```bash
helm install unifi-network-operator ./helm/unifi-network-operator \
-n unifi-network-operator-system \
--create-namespace \
--set unifi.url="https://192.168.1.1:8443" \
--set unifi.password="mypassword"
```
### Installation with Custom Configuration
```bash
helm install unifi-network-operator ./helm/unifi-network-operator \
-n unifi-network-operator-system \
--create-namespace \
--set unifi.url="https://unifi.example.com:8443" \
--set unifi.username="operator" \
--set unifi.password="secure-password" \
--set unifi.site="main" \
--set config.defaultNamespace="production" \
--set config.fullSyncZone="gateway" \
--set config.fullSyncNetwork="core" \
--set resources.limits.memory="256Mi" \
--set metrics.serviceMonitor.enabled=true
```
### Using a Values File
Create a `my-values.yaml` file:
```yaml
unifi:
url: "https://unifi.example.com:8443"
username: "operator"
password: "my-secure-password"
site: "default"
config:
defaultNamespace: "default"
fullSyncZone: "gateway"
fullSyncNetwork: "core"
resources:
limits:
memory: 256Mi
requests:
memory: 128Mi
metrics:
serviceMonitor:
enabled: true
additionalLabels:
prometheus: kube-prometheus
```
Install with:
```bash
helm install unifi-network-operator ./helm/unifi-network-operator \
-n unifi-network-operator-system \
--create-namespace \
-f my-values.yaml
```
## Custom Resources
After installing the operator, you can create the following custom resources:
### FirewallZone
```yaml
apiVersion: unifi.engen.priv.no/v1beta1
kind: FirewallZone
metadata:
name: my-zone
spec:
zoneName: "my-zone"
```
### FirewallGroup
```yaml
apiVersion: unifi.engen.priv.no/v1beta1
kind: FirewallGroup
metadata:
name: web-servers
spec:
addresses:
- "10.0.1.100/32"
- "10.0.1.101/32"
ports:
- "80/tcp"
- "443/tcp"
```
### FirewallPolicy
```yaml
apiVersion: unifi.engen.priv.no/v1beta1
kind: FirewallPolicy
metadata:
name: allow-web
spec:
sourceZone: "wan"
destinationGroup: "web-servers"
```
### Networkconfiguration
```yaml
apiVersion: unifi.engen.priv.no/v1beta1
kind: Networkconfiguration
metadata:
name: vlan10
spec:
networkName: "VLAN10"
```
## Upgrading
To upgrade the operator to a new version:
```bash
helm upgrade unifi-network-operator ./helm/unifi-network-operator \
-n unifi-network-operator-system
```
## Troubleshooting
### Check Operator Logs
```bash
kubectl logs -n unifi-network-operator-system -l app.kubernetes.io/name=unifi-network-operator -f
```
### Check Operator Status
```bash
kubectl get deployment -n unifi-network-operator-system
kubectl get pods -n unifi-network-operator-system
```
### Verify CRDs are Installed
```bash
kubectl get crds | grep unifi.engen.priv.no
```
### Common Issues
1. **Authentication Failures**: Verify your UniFi credentials and URL are correct
2. **CRD Not Found**: Ensure CRDs are installed with `crds.install=true`
3. **Operator Not Starting**: Check resource limits and image pull secrets
## License
This chart is provided as-is under the same license as the UniFi Network Operator project.
## Support
For issues and questions, please refer to the project repository.

187
helm/unifi-network-operator/crds/unifi.engen.priv.no_firewallgroups.yaml
View File

@@ -1,187 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.2
name: firewallgroups.unifi.engen.priv.no
spec:
group: unifi.engen.priv.no
names:
kind: FirewallGroup
listKind: FirewallGroupList
plural: firewallgroups
singular: firewallgroup
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: FirewallGroup is the Schema for the firewallgroups API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
auto_created_from:
properties:
name:
type: string
namespace:
type: string
type: object
autoIncludeSelector:
description: AutoIncludeSelector defines which services to extract
addresses from
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
id:
description: |-
Foo is an example field of FirewallGroup. Edit firewallgroup_types.go to remove/update
Description is a human-readable explanation for the object
type: string
manual_services:
items:
properties:
name:
type: string
namespace:
type: string
type: object
type: array
manualAddresses:
description: ManualAddresses is a list of manual IPs or CIDRs (IPv4
or IPv6)
items:
type: string
type: array
manualPorts:
items:
type: string
type: array
matchServicesInAllNamespaces:
type: boolean
name:
type: string
type: object
status:
description: FirewallGroupStatus defines the observed state of FirewallGroup.
properties:
lastSyncTime:
description: LastSyncTime is the last time the object was synced
format: date-time
type: string
resolvedIPV4Addresses:
items:
type: string
type: array
resolvedIPV6Addresses:
items:
type: string
type: array
resolvedTCPorts:
items:
type: string
type: array
resolvedUDPorts:
items:
type: string
type: array
resources_managed:
properties:
ipv4_object:
properties:
id:
type: string
name:
type: string
type: object
ipv6_object:
properties:
id:
type: string
name:
type: string
type: object
tcp_ports_object:
properties:
id:
type: string
name:
type: string
type: object
udp_ports_object:
properties:
id:
type: string
name:
type: string
type: object
type: object
syncedWithUnifi:
description: SyncedWithUnifi indicates whether the addresses are successfully
pushed
type: boolean
type: object
type: object
served: true
storage: true
subresources:
status: {}

138
helm/unifi-network-operator/crds/unifi.engen.priv.no_firewallpolicies.yaml
View File

@@ -1,138 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.2
name: firewallpolicies.unifi.engen.priv.no
spec:
group: unifi.engen.priv.no
names:
kind: FirewallPolicy
listKind: FirewallPolicyList
plural: firewallpolicies
singular: firewallpolicy
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: FirewallPolicy is the Schema for the firewallpolicies API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
destination:
properties:
firewall_groups:
items:
properties:
name:
type: string
namespace:
type: string
type: object
type: array
services:
items:
properties:
name:
type: string
namespace:
type: string
type: object
type: array
type: object
match_firewall_groups_in_all_namespaces:
type: boolean
match_services_in_all_namespaces:
type: boolean
name:
type: string
source:
properties:
from_networks:
items:
properties:
name:
type: string
namespace:
type: string
type: object
type: array
from_zones:
items:
properties:
name:
type: string
namespace:
type: string
type: object
type: array
type: object
required:
- destination
- name
- source
type: object
status:
description: FirewallPolicyStatus defines the observed state of FirewallPolicy.
properties:
resources_managed:
properties:
firewall_groups_managed:
items:
properties:
name:
type: string
namespace:
type: string
type: object
type: array
firewall_policies_managed:
items:
properties:
from:
type: string
tcpipv4_id:
type: string
tcpipv6_id:
type: string
to:
type: string
udpipv4_id:
type: string
udpipv6_id:
type: string
required:
- from
- tcpipv4_id
- tcpipv6_id
- to
- udpipv4_id
- udpipv6_id
type: object
type: array
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}

75
helm/unifi-network-operator/crds/unifi.engen.priv.no_firewallzones.yaml
View File

@@ -1,75 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.2
name: firewallzones.unifi.engen.priv.no
spec:
group: unifi.engen.priv.no
names:
kind: FirewallZone
listKind: FirewallZoneList
plural: firewallzones
singular: firewallzone
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: FirewallZone is the Schema for the firewallzones API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: FirewallZoneSpec defines the desired state of FirewallZone.
properties:
_id:
type: string
default_zone:
type: boolean
name:
type: string
network_ids:
items:
type: string
type: array
zone_key:
type: string
type: object
status:
description: FirewallZoneStatus defines the observed state of FirewallZone.
properties:
resources_managed:
properties:
firewall_zones_managed:
items:
properties:
id:
type: string
name:
type: string
type: object
type: array
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}

117
helm/unifi-network-operator/crds/unifi.engen.priv.no_networkconfigurations.yaml
View File

@@ -1,117 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.2
name: networkconfigurations.unifi.engen.priv.no
spec:
group: unifi.engen.priv.no
names:
kind: Networkconfiguration
listKind: NetworkconfigurationList
plural: networkconfigurations
singular: networkconfiguration
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: Networkconfiguration is the Schema for the networkconfigurations
API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: NetworkconfigurationSpec defines the desired state of Networkconfiguration.
properties:
_id:
description: Foo is an example field of Networkconfiguration. Edit
networkconfiguration_types.go to remove/update
type: string
enabled:
type: boolean
firewall_zone:
type: string
gateway_type:
type: string
ip_subnet:
type: string
ipv6_interface_type:
type: string
ipv6_pd_auto_prefixid_enabled:
type: boolean
ipv6_ra_enabled:
type: boolean
ipv6_setting_preference:
type: string
ipv6_subnet:
type: string
name:
type: string
networkgroup:
type: string
purpose:
type: string
setting_preference:
type: string
vlan:
format: int64
type: integer
vlan_enabled:
type: boolean
required:
- name
type: object
status:
description: NetworkconfigurationStatus defines the observed state of
Networkconfiguration.
properties:
firewall_zone_id:
description: |-
INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
Important: Run "make" to regenerate code after modifying this file
type: string
ipv6_subnet_status:
type: string
lastSyncTime:
description: LastSyncTime is the last time the object was synced
format: date-time
type: string
resources_managed:
properties:
networks_managed:
items:
properties:
id:
type: string
name:
type: string
type: object
type: array
type: object
syncedWithUnifi:
description: SyncedWithUnifi indicates whether the addresses are successfully
pushed
type: boolean
type: object
type: object
served: true
storage: true
subresources:
status: {}

49
helm/unifi-network-operator/crds/unifi.engen.priv.no_portforwards.yaml
View File

@@ -1,49 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.2
name: portforwards.unifi.engen.priv.no
spec:
group: unifi.engen.priv.no
names:
kind: PortForward
listKind: PortForwardList
plural: portforwards
singular: portforward
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: |-
PortForward is a placeholder type to allow future CRD support if needed.
Right now, port forwards are managed entirely through annotations on Services.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
type: object
status:
type: object
type: object
served: true
storage: true
subresources:
status: {}

49
helm/unifi-network-operator/templates/NOTES.txt
View File

@@ -1,49 +0,0 @@
Thank you for installing {{ .Chart.Name }}!
Your release is named {{ .Release.Name }}.
The UniFi Network Operator has been deployed to namespace: {{ .Release.Namespace }}
To learn more about the release, try:
$ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
$ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
{{- if not .Values.unifi.existingSecret }}
IMPORTANT: Make sure to configure your UniFi controller credentials properly.
The operator requires the following environment variables to be set:
- UNIFI_URL: {{ .Values.unifi.url }}
- UNIFI_SITE: {{ .Values.unifi.site }}
- UNIFI_USER: {{ .Values.unifi.username }}
- UNIFI_PASSWORD: [CONFIGURED]
{{- end }}
{{- if .Values.config.create }}
Operator configuration has been created with:
{{- if .Values.config.defaultNamespace }}
- Default Namespace: {{ .Values.config.defaultNamespace }}
{{- end }}
{{- if .Values.config.fullSyncZone }}
- Full Sync Zone: {{ .Values.config.fullSyncZone }}
{{- end }}
{{- if .Values.config.fullSyncNetwork }}
- Full Sync Network: {{ .Values.config.fullSyncNetwork }}
{{- end }}
{{- if .Values.config.kubernetesUnifiZone }}
- Kubernetes UniFi Zone: {{ .Values.config.kubernetesUnifiZone }}
{{- end }}
{{- end }}
To get the operator logs:
$ kubectl logs -n {{ .Release.Namespace }} -l {{ include "unifi-network-operator.selectorLabels" . | replace "\n" "," }} -f
Next steps:
1. Create FirewallZone resources to manage UniFi firewall zones
2. Create FirewallGroup resources to group IP addresses and ports
3. Create FirewallPolicy resources to define firewall rules
4. Create Networkconfiguration resources to manage network settings
5. Annotate Services for port forwarding
For more information, visit: {{ .Chart.Home }}

83
helm/unifi-network-operator/templates/_helpers.tpl
View File

@@ -1,83 +0,0 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "unifi-network-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
*/}}
{{- define "unifi-network-operator.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "unifi-network-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "unifi-network-operator.labels" -}}
helm.sh/chart: {{ include "unifi-network-operator.chart" . }}
{{ include "unifi-network-operator.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "unifi-network-operator.selectorLabels" -}}
app.kubernetes.io/name: {{ include "unifi-network-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
control-plane: controller-manager
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "unifi-network-operator.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "unifi-network-operator.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the secret to use
*/}}
{{- define "unifi-network-operator.secretName" -}}
{{- if .Values.unifi.existingSecret }}
{{- .Values.unifi.existingSecret }}
{{- else }}
{{- include "unifi-network-operator.fullname" . }}-unifi
{{- end }}
{{- end }}
{{/*
Create the name of the configmap to use
*/}}
{{- define "unifi-network-operator.configMapName" -}}
{{- if .Values.config.existingConfigMap }}
{{- .Values.config.existingConfigMap }}
{{- else }}
{{- include "unifi-network-operator.fullname" . }}-config
{{- end }}
{{- end }}

56
helm/unifi-network-operator/templates/clusterrole.yaml
View File

@@ -1,56 +0,0 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "unifi-network-operator.fullname" . }}-manager-role
labels:
{{- include "unifi-network-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- configmaps
- services
verbs:
- get
- list
- watch
- apiGroups:
- unifi.engen.priv.no
resources:
- firewallgroups
- firewallpolicies
- firewallzones
- networkconfigurations
- portforwards
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- unifi.engen.priv.no
resources:
- firewallgroups/finalizers
- firewallpolicies/finalizers
- firewallzones/finalizers
- networkconfigurations/finalizers
- portforwards/finalizers
verbs:
- update
- apiGroups:
- unifi.engen.priv.no
resources:
- firewallgroups/status
- firewallpolicies/status
- firewallzones/status
- networkconfigurations/status
- portforwards/status
verbs:
- get
- patch
- update
{{- end }}

16
helm/unifi-network-operator/templates/clusterrolebinding.yaml
View File

@@ -1,16 +0,0 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "unifi-network-operator.fullname" . }}-manager-rolebinding
labels:
{{- include "unifi-network-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "unifi-network-operator.fullname" . }}-manager-role
subjects:
- kind: ServiceAccount
name: {{ include "unifi-network-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}

22
helm/unifi-network-operator/templates/configmap.yaml
View File

@@ -1,22 +0,0 @@
{{- if .Values.config.create -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "unifi-network-operator.configMapName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "unifi-network-operator.labels" . | nindent 4 }}
data:
{{- if .Values.config.defaultNamespace }}
defaultNamespace: {{ .Values.config.defaultNamespace | quote }}
{{- end }}
{{- if .Values.config.fullSyncZone }}
fullSyncZone: {{ .Values.config.fullSyncZone | quote }}
{{- end }}
{{- if .Values.config.fullSyncNetwork }}
fullSyncNetwork: {{ .Values.config.fullSyncNetwork | quote }}
{{- end }}
{{- if .Values.config.kubernetesUnifiZone }}
kubernetesUnifiZone: {{ .Values.config.kubernetesUnifiZone | quote }}
{{- end }}
{{- end }}

82
helm/unifi-network-operator/templates/deployment.yaml
View File

@@ -1,82 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "unifi-network-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "unifi-network-operator.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "unifi-network-operator.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "unifi-network-operator.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "unifi-network-operator.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: manager
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- if .Values.leaderElection.enabled }}
- --leader-elect
{{- end }}
- --health-probe-bind-address=:8081
env:
- name: UNIFI_URL
valueFrom:
secretKeyRef:
name: {{ include "unifi-network-operator.secretName" . }}
key: {{ .Values.unifi.existingSecretKeys.url }}
- name: UNIFI_SITE
valueFrom:
secretKeyRef:
name: {{ include "unifi-network-operator.secretName" . }}
key: {{ .Values.unifi.existingSecretKeys.site }}
- name: UNIFI_USER
valueFrom:
secretKeyRef:
name: {{ include "unifi-network-operator.secretName" . }}
key: {{ .Values.unifi.existingSecretKeys.username }}
- name: UNIFI_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "unifi-network-operator.secretName" . }}
key: {{ .Values.unifi.existingSecretKeys.password }}
securityContext:
{{- toYaml .Values.securityContext | nindent 10 }}
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 10 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 10 }}
resources:
{{- toYaml .Values.resources | nindent 10 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
terminationGracePeriodSeconds: 10

41
helm/unifi-network-operator/templates/role.yaml
View File

@@ -1,41 +0,0 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "unifi-network-operator.fullname" . }}-leader-election-role
namespace: {{ .Release.Namespace }}
labels:
{{- include "unifi-network-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
{{- end }}

17
helm/unifi-network-operator/templates/rolebinding.yaml
View File

@@ -1,17 +0,0 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "unifi-network-operator.fullname" . }}-leader-election-rolebinding
namespace: {{ .Release.Namespace }}
labels:
{{- include "unifi-network-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "unifi-network-operator.fullname" . }}-leader-election-role
subjects:
- kind: ServiceAccount
name: {{ include "unifi-network-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}

15
helm/unifi-network-operator/templates/secret.yaml
View File

@@ -1,15 +0,0 @@
{{- if not .Values.unifi.existingSecret -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "unifi-network-operator.fullname" . }}-unifi
namespace: {{ .Release.Namespace }}
labels:
{{- include "unifi-network-operator.labels" . | nindent 4 }}
type: Opaque
stringData:
{{ .Values.unifi.existingSecretKeys.url }}: {{ .Values.unifi.url | required "unifi.url is required when not using an existing secret" | quote }}
{{ .Values.unifi.existingSecretKeys.site }}: {{ .Values.unifi.site | quote }}
{{ .Values.unifi.existingSecretKeys.username }}: {{ .Values.unifi.username | quote }}
{{ .Values.unifi.existingSecretKeys.password }}: {{ .Values.unifi.password | required "unifi.password is required when not using an existing secret" | quote }}
{{- end }}

22
helm/unifi-network-operator/templates/service.yaml
View File

@@ -1,22 +0,0 @@
{{- if .Values.service.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "unifi-network-operator.fullname" . }}-metrics
namespace: {{ .Release.Namespace }}
labels:
{{- include "unifi-network-operator.labels" . | nindent 4 }}
{{- with .Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- name: https
port: {{ .Values.service.port }}
targetPort: 8443
protocol: TCP
selector:
{{- include "unifi-network-operator.selectorLabels" . | nindent 4 }}
{{- end }}

14
helm/unifi-network-operator/templates/serviceaccount.yaml
View File

@@ -1,14 +0,0 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "unifi-network-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "unifi-network-operator.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- end }}

24
helm/unifi-network-operator/templates/servicemonitor.yaml
View File

@@ -1,24 +0,0 @@
{{- if .Values.metrics.serviceMonitor.enabled -}}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "unifi-network-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "unifi-network-operator.labels" . | nindent 4 }}
{{- with .Values.metrics.serviceMonitor.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
- interval: {{ .Values.metrics.serviceMonitor.interval }}
path: /metrics
port: https
scheme: https
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
tlsConfig:
insecureSkipVerify: true
selector:
matchLabels:
{{- include "unifi-network-operator.selectorLabels" . | nindent 6 }}
{{- end }}

159
helm/unifi-network-operator/values.yaml
View File

@@ -1,159 +0,0 @@
# Default values for unifi-network-operator
# -- Number of replicas for the operator deployment
replicaCount: 1
image:
# -- Container image repository
repository: gitea.engen.priv.no/klauvsteinen/unifi-network-operator-controller
# -- Image pull policy
pullPolicy: IfNotPresent
# -- Overrides the image tag whose default is the chart appVersion
tag: "latest"
# -- Image pull secrets for private registries
imagePullSecrets: []
# -- Override the name of the chart
nameOverride: ""
# -- Override the full name of the chart
fullnameOverride: ""
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Automatically mount a ServiceAccount's API credentials
automount: true
# -- Annotations to add to the service account
annotations: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# -- Annotations to add to the pod
podAnnotations:
kubectl.kubernetes.io/default-container: manager
# -- Labels to add to the pod
podLabels:
control-plane: controller-manager
podSecurityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
service:
# -- Enable metrics service
enabled: true
# -- Service type
type: ClusterIP
# -- Metrics port
port: 8443
# -- Annotations to add to the service
annotations: {}
resources:
limits:
# -- CPU limit
cpu: 500m
# -- Memory limit
memory: 128Mi
requests:
# -- CPU request
cpu: 10m
# -- Memory request
memory: 64Mi
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
# -- Node selector for pod assignment
nodeSelector: {}
# -- Tolerations for pod assignment
tolerations: []
# -- Affinity for pod assignment
affinity: {}
# Leader election configuration
leaderElection:
# -- Enable leader election for high availability
enabled: true
# UniFi controller configuration
unifi:
# -- UniFi controller URL (e.g., https://unifi.example.com:8443)
url: ""
# -- UniFi site ID (e.g., default)
site: "default"
# -- UniFi username
username: "admin"
# -- UniFi password (leave empty to use existing secret)
password: ""
# -- Use existing secret for UniFi credentials
# If set, the chart will not create a secret
existingSecret: ""
# -- Keys in the existing secret for UniFi credentials
existingSecretKeys:
url: UNIFI_URL
site: UNIFI_SITE
username: UNIFI_USERNAME
password: UNIFI_PASSWORD
# Operator configuration
config:
# -- Create a ConfigMap for operator configuration
create: true
# -- Default namespace for resources
defaultNamespace: "default"
# -- Full sync zone name (zone for bidirectional sync)
fullSyncZone: ""
# -- Full sync network name (network for bidirectional sync)
fullSyncNetwork: ""
# -- Kubernetes UniFi zone name
kubernetesUnifiZone: ""
# -- Use existing ConfigMap for operator configuration
existingConfigMap: ""
# CRD configuration
crds:
# -- Install CRDs as part of the Helm chart
install: true
# -- Keep CRDs on chart uninstall
keep: true
# RBAC configuration
rbac:
# -- Create RBAC resources
create: true
# Metrics configuration
metrics:
# -- Enable Prometheus ServiceMonitor
serviceMonitor:
enabled: false
# -- Additional labels for the ServiceMonitor
additionalLabels: {}
# -- Scrape interval
interval: 30s
# -- Scrape timeout
scrapeTimeout: 10s

16
internal/controller/firewallgroup_controller.go
View File

@@ -361,10 +361,10 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
log.Error(err, "Could not list network objects") log.Error(err, "Could not list network objects")
return reconcile.Result{}, err return reconcile.Result{}, err
} }
ipv4_name := "k8s-" + firewallGroup.Namespace + "/" + firewallGroup.Name + "-ipv4" ipv4_name := "k8s-" + firewallGroup.Spec.Name + "-ipv4"
ipv6_name := "k8s-" + firewallGroup.Namespace + "/" + firewallGroup.Name + "-ipv6" ipv6_name := "k8s-" + firewallGroup.Spec.Name + "-ipv6"
tcpports_name := "k8s-" + firewallGroup.Namespace + "/" + firewallGroup.Name + "-tcpports" tcpports_name := "k8s-" + firewallGroup.Spec.Name + "-tcpports"
udpports_name := "k8s-" + firewallGroup.Namespace + "/" + firewallGroup.Name + "-udpports" udpports_name := "k8s-" + firewallGroup.Spec.Name + "-udpports"
ipv4_done := false ipv4_done := false
ipv6_done := false ipv6_done := false
tcpports_done := false tcpports_done := false
@@ -377,7 +377,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
if err != nil { if err != nil {
msg := strings.ToLower(err.Error()) msg := strings.ToLower(err.Error())
log.Info(msg) log.Info(msg)
if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg, "invalid character") { if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg,"invalid character") {
log.Info("Firewall group is in use. Invoking workaround...!") log.Info("Firewall group is in use. Invoking workaround...!")
firewall_group.GroupMembers = []string{"127.0.0.1"} firewall_group.GroupMembers = []string{"127.0.0.1"}
firewall_group.Name = firewall_group.Name + "-deleted" firewall_group.Name = firewall_group.Name + "-deleted"
@@ -417,7 +417,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
if err != nil { if err != nil {
msg := strings.ToLower(err.Error()) msg := strings.ToLower(err.Error())
log.Info(msg) log.Info(msg)
if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg, "invalid character") { if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg,"invalid character") {
log.Info("Firewall group is in use. Invoking workaround...!") log.Info("Firewall group is in use. Invoking workaround...!")
firewall_group.GroupMembers = []string{"::1"} firewall_group.GroupMembers = []string{"::1"}
firewall_group.Name = firewall_group.Name + "-deleted" firewall_group.Name = firewall_group.Name + "-deleted"
@@ -457,7 +457,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
if err != nil { if err != nil {
msg := strings.ToLower(err.Error()) msg := strings.ToLower(err.Error())
log.Info(msg) log.Info(msg)
if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg, "invalid character") { if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg,"invalid character") {
log.Info("Firewall group is in use. Invoking workaround...!") log.Info("Firewall group is in use. Invoking workaround...!")
firewall_group.GroupMembers = []string{"0"} firewall_group.GroupMembers = []string{"0"}
firewall_group.Name = firewall_group.Name + "-deleted" firewall_group.Name = firewall_group.Name + "-deleted"
@@ -497,7 +497,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
if err != nil { if err != nil {
msg := strings.ToLower(err.Error()) msg := strings.ToLower(err.Error())
log.Info(msg) log.Info(msg)
if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg, "invalid character") { if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg,"invalid character") {
log.Info("Firewall group is in use. Invoking workaround...!") log.Info("Firewall group is in use. Invoking workaround...!")
firewall_group.GroupMembers = []string{"127.0.0.1"} firewall_group.GroupMembers = []string{"127.0.0.1"}
firewall_group.Name = firewall_group.Name + "-deleted" firewall_group.Name = firewall_group.Name + "-deleted"

26
internal/controller/firewallpolicy_controller.go
View File

@@ -125,7 +125,6 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
} }
log.Info("Running finalizer logic for FirewallPolicy", "name", firewallPolicy.Name) log.Info("Running finalizer logic for FirewallPolicy", "name", firewallPolicy.Name)
if firewallPolicy.Status.ResourcesManaged != nil {
if len(firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies) > 0 { if len(firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies) > 0 {
for i, UnifiFirewallPolicy := range firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies { for i, UnifiFirewallPolicy := range firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies {
log.Info(fmt.Sprintf("From: %s to: %s TcpIpv4: %s UdpIpv4: %s TcpIpv6: %s UdpIpv6: %s", UnifiFirewallPolicy.From, UnifiFirewallPolicy.To, UnifiFirewallPolicy.TcpIpv4ID, UnifiFirewallPolicy.UdpIpv4ID, UnifiFirewallPolicy.TcpIpv6ID, UnifiFirewallPolicy.UdpIpv6ID)) log.Info(fmt.Sprintf("From: %s to: %s TcpIpv4: %s UdpIpv4: %s TcpIpv6: %s UdpIpv6: %s", UnifiFirewallPolicy.From, UnifiFirewallPolicy.To, UnifiFirewallPolicy.TcpIpv4ID, UnifiFirewallPolicy.UdpIpv4ID, UnifiFirewallPolicy.TcpIpv6ID, UnifiFirewallPolicy.UdpIpv6ID))
@@ -194,7 +193,6 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
} }
} }
} }
}
controllerutil.RemoveFinalizer(&firewallPolicy, firewallPolicyFinalizer) controllerutil.RemoveFinalizer(&firewallPolicy, firewallPolicyFinalizer)
if err := r.Update(ctx, &firewallPolicy); err != nil { if err := r.Update(ctx, &firewallPolicy); err != nil {
return ctrl.Result{}, err return ctrl.Result{}, err
@@ -287,14 +285,14 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
// This will be used when running through all firewall groups and servics known, to see if a rule should be added. // This will be used when running through all firewall groups and servics known, to see if a rule should be added.
for _, dest_group := range firewallPolicy.Spec.Destination.FirewallGroups { for _, dest_group := range firewallPolicy.Spec.Destination.FirewallGroups {
namespace := firewallPolicy.Namespace namespace := defaultNs
if len(dest_group.Namespace) > 0 { if len(dest_group.Namespace) > 0 {
namespace = dest_group.Namespace namespace = dest_group.Namespace
} }
destination_groups[namespace+"/"+dest_group.Name] = struct{}{} destination_groups[namespace+"/"+dest_group.Name] = struct{}{}
} }
for _, dest_service := range firewallPolicy.Spec.Destination.Services { for _, dest_service := range firewallPolicy.Spec.Destination.Services {
namespace := firewallPolicy.Namespace namespace := defaultNs
if len(dest_service.Namespace) > 0 { if len(dest_service.Namespace) > 0 {
namespace = dest_service.Namespace namespace = dest_service.Namespace
} }
@@ -312,7 +310,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
// Run through all firewall groups. Add them to the myFirewallGroups list if they either have an annotations or is specified in the resource. // Run through all firewall groups. Add them to the myFirewallGroups list if they either have an annotations or is specified in the resource.
for _, firewallGroup := range firewallGroupCRDs.Items { for _, firewallGroup := range firewallGroupCRDs.Items {
if val, found := firewallGroup.Annotations["unifi.engen.priv.no/firewall-policy"]; found && ((strings.Contains(val, "/") && val == firewallPolicy.Namespace+"/"+firewallPolicy.Name) || (val == firewallPolicy.Name && firewallPolicy.Namespace == firewallGroup.Namespace)) { if val, found := firewallGroup.Annotations["unifi.engen.priv.no/firewall-policy"]; found && ((strings.Contains(val, "/") && val == firewallPolicy.Namespace+"/"+firewallPolicy.Name) || (val == firewallPolicy.Name && firewallPolicy.Namespace == defaultNs)) {
myFirewallGroups = append(myFirewallGroups, firewallGroup) myFirewallGroups = append(myFirewallGroups, firewallGroup)
} else if _, found := destination_groups[firewallGroup.Namespace+"/"+firewallGroup.Name]; found { } else if _, found := destination_groups[firewallGroup.Namespace+"/"+firewallGroup.Name]; found {
myFirewallGroups = append(myFirewallGroups, firewallGroup) myFirewallGroups = append(myFirewallGroups, firewallGroup)
@@ -342,7 +340,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
skipService = true skipService = true
} }
} }
if val, found := service.Annotations["unifi.engen.priv.no/firewall-policy"]; found && ((strings.Contains(val, "/") && val == firewallPolicy.Namespace+"/"+firewallPolicy.Name) || (val == firewallPolicy.Name && firewallPolicy.Namespace == service.Namespace)) && !skipService { if val, found := service.Annotations["unifi.engen.priv.no/firewall-policy"]; found && ((strings.Contains(val, "/") && val == firewallPolicy.Namespace+"/"+firewallPolicy.Name) || (val == firewallPolicy.Name && firewallPolicy.Namespace == defaultNs)) && !skipService {
myServices = append(myServices, service) myServices = append(myServices, service)
} else if _, found := destination_services[service.Namespace+"/"+service.Name]; found && !skipService { } else if _, found := destination_services[service.Namespace+"/"+service.Name]; found && !skipService {
myServices = append(myServices, service) myServices = append(myServices, service)
@@ -470,7 +468,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
if len(firewallGroup.Status.ResolvedIPV4Addresses) > 0 { if len(firewallGroup.Status.ResolvedIPV4Addresses) > 0 {
if len(firewallGroup.Status.ResolvedTCPPorts) > 0 { if len(firewallGroup.Status.ResolvedTCPPorts) > 0 {
policyname := "k8s-fw-" + firewallPolicy.Namespace + "/" + firewallPolicy.Name + "-" + "zone:" + zoneCRDs.Items[zoneIndex].Name + "-" + firewallGroup.Name + "-ipv4-tcp" policyname := "k8s-fw-" + firewallPolicy.Name + "-" + "zone:" + zoneCRDs.Items[zoneIndex].Name + "-" + firewallGroup.Name + "-ipv4-tcp"
if _, found := unifiFirewallpolicyNames[policyname]; !found { if _, found := unifiFirewallpolicyNames[policyname]; !found {
log.Info(fmt.Sprintf("Creating ipv4 tcp firewallpolicy for %s to %s: %s", zoneCRDs.Items[zoneIndex].Name, firewallGroup.Name, policyname)) log.Info(fmt.Sprintf("Creating ipv4 tcp firewallpolicy for %s to %s: %s", zoneCRDs.Items[zoneIndex].Name, firewallGroup.Name, policyname))
unifiFirewallPolicy := fillDefaultPolicy() unifiFirewallPolicy := fillDefaultPolicy()
@@ -505,7 +503,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
} }
} }
if len(firewallGroup.Status.ResolvedUDPPorts) > 0 { if len(firewallGroup.Status.ResolvedUDPPorts) > 0 {
policyname := "k8s-fw-" + firewallPolicy.Namespace + "/" + firewallPolicy.Name + "-" + "zone:" + zoneCRDs.Items[zoneIndex].Name + "-" + firewallGroup.Name + "-ipv4-udp" policyname := "k8s-fw-" + firewallPolicy.Name + "-" + "zone:" + zoneCRDs.Items[zoneIndex].Name + "-" + firewallGroup.Name + "-ipv4-udp"
if _, found := unifiFirewallpolicyNames[policyname]; !found { if _, found := unifiFirewallpolicyNames[policyname]; !found {
log.Info(fmt.Sprintf("Creating ipv4 udp firewallpolicy for %s to %s: %s", zoneCRDs.Items[zoneIndex].Name, firewallGroup.Name, policyname)) log.Info(fmt.Sprintf("Creating ipv4 udp firewallpolicy for %s to %s: %s", zoneCRDs.Items[zoneIndex].Name, firewallGroup.Name, policyname))
unifiFirewallPolicy := fillDefaultPolicy() unifiFirewallPolicy := fillDefaultPolicy()
@@ -543,7 +541,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
} }
if len(firewallGroup.Status.ResolvedIPV6Addresses) > 0 { if len(firewallGroup.Status.ResolvedIPV6Addresses) > 0 {
if len(firewallGroup.Status.ResolvedTCPPorts) > 0 { if len(firewallGroup.Status.ResolvedTCPPorts) > 0 {
policyname := "k8s-fw-" + firewallPolicy.Namespace + "/" + firewallPolicy.Name + "-" + "zone:" + zoneCRDs.Items[zoneIndex].Name + "-" + firewallGroup.Name + "-ipv6-tcp" policyname := "k8s-fw-" + firewallPolicy.Name + "-" + "zone:" + zoneCRDs.Items[zoneIndex].Name + "-" + firewallGroup.Name + "-ipv6-tcp"
if _, found := unifiFirewallpolicyNames[policyname]; !found { if _, found := unifiFirewallpolicyNames[policyname]; !found {
log.Info(fmt.Sprintf("Creating ipv6 tcp firewallpolicy for %s to %s: %s", zoneCRDs.Items[zoneIndex].Name, firewallGroup.Name, policyname)) log.Info(fmt.Sprintf("Creating ipv6 tcp firewallpolicy for %s to %s: %s", zoneCRDs.Items[zoneIndex].Name, firewallGroup.Name, policyname))
unifiFirewallPolicy := fillDefaultPolicy() unifiFirewallPolicy := fillDefaultPolicy()
@@ -579,7 +577,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
} }
} }
if len(firewallGroup.Status.ResolvedUDPPorts) > 0 { if len(firewallGroup.Status.ResolvedUDPPorts) > 0 {
policyname := "k8s-fw-" + firewallPolicy.Namespace + "/" + firewallPolicy.Name + "-" + "zone:" + zoneCRDs.Items[zoneIndex].Name + "-" + firewallGroup.Name + "-ipv6-udp" policyname := "k8s-fw-" + firewallPolicy.Name + "-" + "zone:" + zoneCRDs.Items[zoneIndex].Name + "-" + firewallGroup.Name + "-ipv6-udp"
if _, found := unifiFirewallpolicyNames[policyname]; !found { if _, found := unifiFirewallpolicyNames[policyname]; !found {
log.Info(fmt.Sprintf("Creating ipv6 udp firewallpolicy for %s to %s: %s", zoneCRDs.Items[zoneIndex].Name, firewallGroup.Name, policyname)) log.Info(fmt.Sprintf("Creating ipv6 udp firewallpolicy for %s to %s: %s", zoneCRDs.Items[zoneIndex].Name, firewallGroup.Name, policyname))
unifiFirewallPolicy := fillDefaultPolicy() unifiFirewallPolicy := fillDefaultPolicy()
@@ -642,7 +640,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
} }
if len(firewallGroup.Status.ResolvedIPV4Addresses) > 0 { if len(firewallGroup.Status.ResolvedIPV4Addresses) > 0 {
if len(firewallGroup.Status.ResolvedTCPPorts) > 0 { if len(firewallGroup.Status.ResolvedTCPPorts) > 0 {
policyname := "k8s-fw-" + firewallPolicy.Namespace + "/" + firewallPolicy.Name + "-" + "network:" + networkCRDs.Items[networkIndex].Name + "-" + firewallGroup.Name + "-ipv4-tcp" policyname := "k8s-fw-" + firewallPolicy.Name + "-" + "network:" + networkCRDs.Items[networkIndex].Name + "-" + firewallGroup.Name + "-ipv4-tcp"
if _, found := unifiFirewallpolicyNames[policyname]; !found { if _, found := unifiFirewallpolicyNames[policyname]; !found {
log.Info(fmt.Sprintf("Creating ipv4 tcp firewallpolicy for %s to %s: %s", networkCRDs.Items[networkIndex].Name, firewallGroup.Name, policyname)) log.Info(fmt.Sprintf("Creating ipv4 tcp firewallpolicy for %s to %s: %s", networkCRDs.Items[networkIndex].Name, firewallGroup.Name, policyname))
unifiFirewallPolicy := fillDefaultPolicy() unifiFirewallPolicy := fillDefaultPolicy()
@@ -679,7 +677,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
} }
} }
if len(firewallGroup.Status.ResolvedUDPPorts) > 0 { if len(firewallGroup.Status.ResolvedUDPPorts) > 0 {
policyname := "k8s-fw-" + firewallPolicy.Namespace + "/" + firewallPolicy.Name + "-" + "network:" + networkCRDs.Items[networkIndex].Name + "-" + firewallGroup.Name + "-ipv4-udp" policyname := "k8s-fw-" + firewallPolicy.Name + "-" + "network:" + networkCRDs.Items[networkIndex].Name + "-" + firewallGroup.Name + "-ipv4-udp"
if _, found := unifiFirewallpolicyNames[policyname]; !found { if _, found := unifiFirewallpolicyNames[policyname]; !found {
log.Info(fmt.Sprintf("Creating ipv4 udp firewallpolicy for %s to %s: %s", networkCRDs.Items[networkIndex].Name, firewallGroup.Name, policyname)) log.Info(fmt.Sprintf("Creating ipv4 udp firewallpolicy for %s to %s: %s", networkCRDs.Items[networkIndex].Name, firewallGroup.Name, policyname))
unifiFirewallPolicy := fillDefaultPolicy() unifiFirewallPolicy := fillDefaultPolicy()
@@ -718,7 +716,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
} }
if len(firewallGroup.Status.ResolvedIPV6Addresses) > 0 { if len(firewallGroup.Status.ResolvedIPV6Addresses) > 0 {
if len(firewallGroup.Status.ResolvedTCPPorts) > 0 { if len(firewallGroup.Status.ResolvedTCPPorts) > 0 {
policyname := "k8s-fw-" + firewallPolicy.Namespace + "/" + firewallPolicy.Name + "-" + "network:" + networkCRDs.Items[networkIndex].Name + "-" + firewallGroup.Name + "-ipv6-tcp" policyname := "k8s-fw-" + firewallPolicy.Name + "-" + "network:" + networkCRDs.Items[networkIndex].Name + "-" + firewallGroup.Name + "-ipv6-tcp"
if _, found := unifiFirewallpolicyNames[policyname]; !found { if _, found := unifiFirewallpolicyNames[policyname]; !found {
log.Info(fmt.Sprintf("Creating ipv6 tcp firewallpolicy for %s to %s: %s", networkCRDs.Items[networkIndex].Name, firewallGroup.Name, policyname)) log.Info(fmt.Sprintf("Creating ipv6 tcp firewallpolicy for %s to %s: %s", networkCRDs.Items[networkIndex].Name, firewallGroup.Name, policyname))
unifiFirewallPolicy := fillDefaultPolicy() unifiFirewallPolicy := fillDefaultPolicy()
@@ -755,7 +753,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
} }
} }
if len(firewallGroup.Status.ResolvedUDPPorts) > 0 { if len(firewallGroup.Status.ResolvedUDPPorts) > 0 {
policyname := "k8s-fw-" + firewallPolicy.Namespace + "/" + firewallPolicy.Name + "-" + "network:" + networkCRDs.Items[networkIndex].Name + "-" + firewallGroup.Name + "-ipv6-udp" policyname := "k8s-fw-" + firewallPolicy.Name + "-" + "network:" + networkCRDs.Items[networkIndex].Name + "-" + firewallGroup.Name + "-ipv6-udp"
if _, found := unifiFirewallpolicyNames[policyname]; !found { if _, found := unifiFirewallpolicyNames[policyname]; !found {
log.Info(fmt.Sprintf("Creating ipv6 udp firewallpolicy for %s to %s: %s", networkCRDs.Items[networkIndex].Name, firewallGroup.Name, policyname)) log.Info(fmt.Sprintf("Creating ipv6 udp firewallpolicy for %s to %s: %s", networkCRDs.Items[networkIndex].Name, firewallGroup.Name, policyname))
unifiFirewallPolicy := fillDefaultPolicy() unifiFirewallPolicy := fillDefaultPolicy()