|
|
|
@@ -125,70 +125,72 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
|
|
|
|
}
|
|
|
|
}
|
|
|
|
log.Info("Running finalizer logic for FirewallPolicy", "name", firewallPolicy.Name)
|
|
|
|
log.Info("Running finalizer logic for FirewallPolicy", "name", firewallPolicy.Name)
|
|
|
|
|
|
|
|
|
|
|
|
if len(firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies) > 0 {
|
|
|
|
if firewallPolicy.Status.ResourcesManaged != nil {
|
|
|
|
for i, UnifiFirewallPolicy := range firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies {
|
|
|
|
if len(firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies) > 0 {
|
|
|
|
log.Info(fmt.Sprintf("From: %s to: %s TcpIpv4: %s UdpIpv4: %s TcpIpv6: %s UdpIpv6: %s", UnifiFirewallPolicy.From, UnifiFirewallPolicy.To, UnifiFirewallPolicy.TcpIpv4ID, UnifiFirewallPolicy.UdpIpv4ID, UnifiFirewallPolicy.TcpIpv6ID, UnifiFirewallPolicy.UdpIpv6ID))
|
|
|
|
for i, UnifiFirewallPolicy := range firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies {
|
|
|
|
if len(UnifiFirewallPolicy.TcpIpv4ID) > 0 {
|
|
|
|
log.Info(fmt.Sprintf("From: %s to: %s TcpIpv4: %s UdpIpv4: %s TcpIpv6: %s UdpIpv6: %s", UnifiFirewallPolicy.From, UnifiFirewallPolicy.To, UnifiFirewallPolicy.TcpIpv4ID, UnifiFirewallPolicy.UdpIpv4ID, UnifiFirewallPolicy.TcpIpv6ID, UnifiFirewallPolicy.UdpIpv6ID))
|
|
|
|
err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.TcpIpv4ID)
|
|
|
|
if len(UnifiFirewallPolicy.TcpIpv4ID) > 0 {
|
|
|
|
if err != nil && !strings.Contains(err.Error(), "not found") {
|
|
|
|
err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.TcpIpv4ID)
|
|
|
|
} else {
|
|
|
|
if err != nil && !strings.Contains(err.Error(), "not found") {
|
|
|
|
firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].TcpIpv4ID = ""
|
|
|
|
} else {
|
|
|
|
if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
|
|
|
|
firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].TcpIpv4ID = ""
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
|
|
|
|
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if len(UnifiFirewallPolicy.UdpIpv4ID) > 0 {
|
|
|
|
if len(UnifiFirewallPolicy.UdpIpv4ID) > 0 {
|
|
|
|
err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.UdpIpv4ID)
|
|
|
|
err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.UdpIpv4ID)
|
|
|
|
if err != nil && !strings.Contains(err.Error(), "not found") {
|
|
|
|
if err != nil && !strings.Contains(err.Error(), "not found") {
|
|
|
|
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].UdpIpv4ID = ""
|
|
|
|
|
|
|
|
if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
|
|
|
|
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].UdpIpv4ID = ""
|
|
|
|
|
|
|
|
if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
|
|
|
|
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if len(UnifiFirewallPolicy.TcpIpv6ID) > 0 {
|
|
|
|
if len(UnifiFirewallPolicy.TcpIpv6ID) > 0 {
|
|
|
|
err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.TcpIpv6ID)
|
|
|
|
err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.TcpIpv6ID)
|
|
|
|
if err != nil && !strings.Contains(err.Error(), "not found") {
|
|
|
|
if err != nil && !strings.Contains(err.Error(), "not found") {
|
|
|
|
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].TcpIpv6ID = ""
|
|
|
|
|
|
|
|
if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
|
|
|
|
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].TcpIpv6ID = ""
|
|
|
|
|
|
|
|
if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
|
|
|
|
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if len(UnifiFirewallPolicy.UdpIpv6ID) > 0 {
|
|
|
|
if len(UnifiFirewallPolicy.UdpIpv6ID) > 0 {
|
|
|
|
err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.UdpIpv6ID)
|
|
|
|
err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.UdpIpv6ID)
|
|
|
|
if err != nil && !strings.Contains(err.Error(), "not found") {
|
|
|
|
if err != nil && !strings.Contains(err.Error(), "not found") {
|
|
|
|
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].UdpIpv6ID = ""
|
|
|
|
|
|
|
|
if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
|
|
|
|
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].UdpIpv6ID = ""
|
|
|
|
|
|
|
|
if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
|
|
|
|
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if len(firewallPolicy.Status.ResourcesManaged.FirewallGroups) > 0 {
|
|
|
|
if len(firewallPolicy.Status.ResourcesManaged.FirewallGroups) > 0 {
|
|
|
|
for i, firewallGroup := range firewallPolicy.Status.ResourcesManaged.FirewallGroups {
|
|
|
|
for i, firewallGroup := range firewallPolicy.Status.ResourcesManaged.FirewallGroups {
|
|
|
|
var firewallGroupCRD unifiv1beta1.FirewallGroup
|
|
|
|
var firewallGroupCRD unifiv1beta1.FirewallGroup
|
|
|
|
if firewallGroup.Name != "" {
|
|
|
|
if firewallGroup.Name != "" {
|
|
|
|
if err := r.Get(ctx, types.NamespacedName{Name: firewallGroup.Name, Namespace: firewallGroup.Namespace}, &firewallGroupCRD); err != nil {
|
|
|
|
if err := r.Get(ctx, types.NamespacedName{Name: firewallGroup.Name, Namespace: firewallGroup.Namespace}, &firewallGroupCRD); err != nil {
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if err := r.Delete(ctx, &firewallGroupCRD); err != nil {
|
|
|
|
if err := r.Delete(ctx, &firewallGroupCRD); err != nil {
|
|
|
|
log.Error(err, "Could not delete firewall group")
|
|
|
|
log.Error(err, "Could not delete firewall group")
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
firewallPolicy.Status.ResourcesManaged.FirewallGroups[i].Name = ""
|
|
|
|
firewallPolicy.Status.ResourcesManaged.FirewallGroups[i].Name = ""
|
|
|
|
firewallPolicy.Status.ResourcesManaged.FirewallGroups[i].Namespace = ""
|
|
|
|
firewallPolicy.Status.ResourcesManaged.FirewallGroups[i].Namespace = ""
|
|
|
|
if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
|
|
|
|
if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
@@ -310,7 +312,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
|
|
|
|
// Run through all firewall groups. Add them to the myFirewallGroups list if they either have an annotations or is specified in the resource.
|
|
|
|
// Run through all firewall groups. Add them to the myFirewallGroups list if they either have an annotations or is specified in the resource.
|
|
|
|
|
|
|
|
|
|
|
|
for _, firewallGroup := range firewallGroupCRDs.Items {
|
|
|
|
for _, firewallGroup := range firewallGroupCRDs.Items {
|
|
|
|
if val, found := firewallGroup.Annotations["unifi.engen.priv.no/firewall-policy"]; found && ((strings.Contains(val, "/") && val == firewallPolicy.Namespace+"/"+firewallPolicy.Name) || (val == firewallPolicy.Name && firewallPolicy.Namespace == defaultNs)) {
|
|
|
|
if val, found := firewallGroup.Annotations["unifi.engen.priv.no/firewall-policy"]; found && ((strings.Contains(val, "/") && val == firewallPolicy.Namespace+"/"+firewallPolicy.Name) || (val == firewallPolicy.Name && firewallPolicy.Namespace == firewallGroup.Namespace)) {
|
|
|
|
myFirewallGroups = append(myFirewallGroups, firewallGroup)
|
|
|
|
myFirewallGroups = append(myFirewallGroups, firewallGroup)
|
|
|
|
} else if _, found := destination_groups[firewallGroup.Namespace+"/"+firewallGroup.Name]; found {
|
|
|
|
} else if _, found := destination_groups[firewallGroup.Namespace+"/"+firewallGroup.Name]; found {
|
|
|
|
myFirewallGroups = append(myFirewallGroups, firewallGroup)
|
|
|
|
myFirewallGroups = append(myFirewallGroups, firewallGroup)
|
|
|
|
@@ -340,7 +342,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
|
|
|
|
skipService = true
|
|
|
|
skipService = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if val, found := service.Annotations["unifi.engen.priv.no/firewall-policy"]; found && ((strings.Contains(val, "/") && val == firewallPolicy.Namespace+"/"+firewallPolicy.Name) || (val == firewallPolicy.Name && firewallPolicy.Namespace == defaultNs)) && !skipService {
|
|
|
|
if val, found := service.Annotations["unifi.engen.priv.no/firewall-policy"]; found && ((strings.Contains(val, "/") && val == firewallPolicy.Namespace+"/"+firewallPolicy.Name) || (val == firewallPolicy.Name && firewallPolicy.Namespace == service.Namespace)) && !skipService {
|
|
|
|
myServices = append(myServices, service)
|
|
|
|
myServices = append(myServices, service)
|
|
|
|
} else if _, found := destination_services[service.Namespace+"/"+service.Name]; found && !skipService {
|
|
|
|
} else if _, found := destination_services[service.Namespace+"/"+service.Name]; found && !skipService {
|
|
|
|
myServices = append(myServices, service)
|
|
|
|
myServices = append(myServices, service)
|
|
|
|
|
