debug

Reviewed-on: #31

.gitea/workflows/build.yaml

@@ -6,7 +6,7 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
-    container: golang:1.24
+    container: registry.engen.priv.no/gitea-build:0.1.0
     steps:
        - name: Setup SSH
          run: |
@@ -22,3 +22,5 @@ jobs:
          run: git config --global url.git@gitea-ssh.engen.priv.no:.insteadOf https://gitea.engen.priv.no/
        - name: Build
          run: go build cmd/main.go
+       - name: Build manifest
+         run: make build-installer

.gitea/workflows/kobuild.yaml

@@ -6,21 +6,45 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
-    container: golang:1.24
+    container: registry.engen.priv.no/gitea-build:0.1.0
+    env:
+      GITEA_USER: ${{ secrets.GITEAUSER }}
+      GITEA_TOKEN: ${{ secrets.GITEATOKEN }}
+      GITEA_REGISTRY: gitea.engen.priv.no
+      GITEA_ORG: klauvsteinen
     steps:
-       - name: Setup SSH
-         run: |
-           mkdir -p ~/.ssh
-           echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
-           chmod 600 ~/.ssh/id_rsa
-           ssh-keyscan gitea-ssh.engen.priv.no >> ~/.ssh/known_hosts
-       - name: Install node and go
-         run: apt update && apt -y install nodejs
-       - name: Check out repository code
-         uses: actions/checkout@v4
-       - name: ssh repo
-         run: git config --global url.git@gitea-ssh.engen.priv.no:.insteadOf https://gitea.engen.priv.no/
-       - name: Install ko
-         run: go install github.com/google/ko@latest
-       - name: Build
-         run: KO_DOCKER_REPO=registry.engen.priv.no/unifi-network-operator-controller PATH=~/go/bin:$PATH ko build --local ./cmd 
+      - name: Setup SSH
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
+          ssh-keyscan gitea-ssh.engen.priv.no >> ~/.ssh/known_hosts
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - name: ssh repo
+        run: git config --global url.git@gitea-ssh.engen.priv.no:.insteadOf https://gitea.engen.priv.no/
+      - name: Docker login
+        run: echo "${GITEA_TOKEN}" | docker login "${GITEA_REGISTRY}" --username "${GITEA_USER}" --password-stdin
+      - name: Build
+        run: |
+          export KO_DOCKER_REPO="${GITEA_REGISTRY}/${GITEA_ORG}/unifi-network-operator-controller"
+          ko publish ./cmd \
+          --tags "latest" \
+          --image-label 'org.opencontainers.image.authors=Klauvsteinen <vegard@engen.priv.no>' \
+          --image-label 'org.opencontainers.image.vendor=Klauvsteinen' \
+          --image-label 'org.opencontainers.image.source=https://gitea.engen.priv.no/klauvsteinen/unifi-network-operator' \
+          --image-label 'org.opencontainers.image.url=https://gitea.engen.priv.no/klauvsteinen/unifi-network-operator' \
+          --image-label 'dev.chainguard.package.main=' \
+          --bare
+      - name: Build manifest
+        run: |
+          make IMG="${GITEA_REGISTRY}/${GITEA_ORG}/unifi-network-operator-controller:latest" build-installer
+          curl -X DELETE \
+          -H "Authorization: token $GITEA_TOKEN" \
+          -H "Content-Type: application/x-yaml" \
+          https://gitea.engen.priv.no/api/packages/klauvsteinen/generic/unifi-network-operator/latest/install.yaml
+          curl -X PUT \
+          -H "Authorization: token $GITEA_TOKEN" \
+          -H "Content-Type: application/x-yaml" \
+          --data-binary @./dist/install.yaml \
+          https://gitea.engen.priv.no/api/packages/klauvsteinen/generic/unifi-network-operator/latest/install.yaml

.gitea/workflows/publish.yaml

@@ -3,13 +3,18 @@ on:
   push:
     tags:
       - 'v[0-9]+.[0-9]+.[0-9]+'
+      - 'v[0-9]+.[0-9]+.[0-9]+-alpha[0-9]+'
+      - 'v[0-9]+.[0-9]+.[0-9]+-beta[0-9]+'
 jobs:
   build:
     runs-on: ubuntu-latest
-    container: golang:1.24-bookworm
+    container: registry.engen.priv.no/gitea-build:0.1.0
+    env:
+      GITEA_USER: ${{ secrets.GITEAUSER }}
+      GITEA_TOKEN: ${{ secrets.GITEATOKEN }}
+      GITEA_REGISTRY: gitea.engen.priv.no
+      GITEA_ORG: klauvsteinen
     steps:
-      - name: Install dependencies
-        run: apt update && apt -y install nodejs bash
       - name: Setup SSH
         run: |
           mkdir -p ~/.ssh
@@ -20,15 +25,30 @@ jobs:
         uses: actions/checkout@v4
       - name: ssh repo
         run: git config --global url.git@gitea-ssh.engen.priv.no:.insteadOf https://gitea.engen.priv.no/
-      - name: Install ko
-        run: go install github.com/google/ko@latest
       - name: Extract tag (outside container)
         shell: bash
         run: |
           echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
           env
+      - name: Docker login
+        run: echo "${GITEA_TOKEN}" | docker login "${GITEA_REGISTRY}" --username "${GITEA_USER}" --password-stdin
       - name: Build
-        env:
-          KO_DOCKER_REPO: registry.engen.priv.no/unifi-network-operator-controller
         run: |
-          ko publish ./cmd --tags "$TAG,latest" --bare
+          export KO_DOCKER_REPO="${GITEA_REGISTRY}/${GITEA_ORG}/unifi-network-operator-controller"
+          ko publish ./cmd \
+          --tags "$TAG" \
+          --image-label 'org.opencontainers.image.authors=Klauvsteinen <vegard@engen.priv.no>' \
+          --image-label 'org.opencontainers.image.vendor=Klauvsteinen' \
+          --image-label 'org.opencontainers.image.source=https://gitea.engen.priv.no/klauvsteinen/unifi-network-operator' \
+          --image-label 'org.opencontainers.image.url=https://gitea.engen.priv.no/klauvsteinen/unifi-network-operator' \
+          --image-label 'dev.chainguard.package.main=' \
+          --bare
+      - name: Build manifest
+        run: |
+          make IMG="${GITEA_REGISTRY}/${GITEA_ORG}/unifi-network-operator-controller:$TAG" build-installer
+          curl -X PUT \
+          -H "Authorization: token $GITEA_TOKEN" \
+          -H "Content-Type: application/x-yaml" \
+          --data-binary @./dist/install.yaml \
+          https://gitea.engen.priv.no/api/packages/klauvsteinen/generic/unifi-network-operator/$TAG/install.yaml
+

Makefile

@@ -1,5 +1,5 @@
 # Image URL to use all building/pushing image targets
-IMG ?= registry.engen.priv.no/unifi-network-operator-controller:latest
+IMG ?= gitea.engen.priv.no/klauvsteinen/unifi-network-operator-controller:latest
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -8,7 +8,7 @@ else
 GOBIN=$(shell go env GOBIN)
 endif
 
-export KO_DOCKER_REPO=registry.engen.priv.no/unifi-network-operator-controller
+export KO_DOCKER_REPO=gitea.engen.priv.no/klauvsteinen/unifi-network-operator-controller
 
 # CONTAINER_TOOL defines the container tool to be used for building images.
 # Be aware that the target commands are only tested with Docker which is

PROJECT

@@ -6,7 +6,7 @@ domain: engen.priv.no
 layout:
 - go.kubebuilder.io/v4
 projectName: unifi-network-operator
-repo: github.com/vegardengen/unifi-network-operator
+repo: gitea.engen.priv.no/klauvsteinen/unifi-network-operator
 resources:
 - api:
     crdVersion: v1
@@ -15,7 +15,7 @@ resources:
   domain: engen.priv.no
   group: unifi
   kind: Networkconfiguration
-  path: github.com/vegardengen/unifi-network-operator/api/v1beta1
+  path: gitea.engen.priv.no/klauvsteinen/unifi-network-operator/api/v1beta1
   version: v1beta1
 - api:
     crdVersion: v1
@@ -24,7 +24,7 @@ resources:
   domain: engen.priv.no
   group: unifi
   kind: FirewallZone
-  path: github.com/vegardengen/unifi-network-operator/api/v1beta1
+  path: gitea.engen.priv.no/klauvsteinen/unifi-network-operator/api/v1beta1
   version: v1beta1
 - api:
     crdVersion: v1
@@ -33,7 +33,7 @@ resources:
   domain: engen.priv.no
   group: unifi
   kind: FirewallPolicy
-  path: github.com/vegardengen/unifi-network-operator/api/v1beta1
+  path: gitea.engen.priv.no/klauvsteinen/unifi-network-operator/api/v1beta1
   version: v1beta1
 - api:
     crdVersion: v1
@@ -42,6 +42,6 @@ resources:
   domain: engen.priv.no
   group: unifi
   kind: PortForward
-  path: github.com/vegardengen/unifi-network-operator/api/v1beta1
+  path: gitea.engen.priv.no/klauvsteinen/unifi-network-operator/api/v1beta1
   version: v1beta1
 version: "3"

config/manager/kustomization.yaml

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: registry.engen.priv.no/unifi-network-operator-controller
+  newName: gitea.engen.priv.no/klauvsteinen/unifi-network-operator-controller
   newTag: latest

dist/install.yaml

@@ -915,7 +915,7 @@ spec:
             secretKeyRef:
               key: UNIFI_PASSWORD
               name: unifi-configuration
-        image: registry.engen.priv.no/unifi-network-operator-controller:latest
+        image: gitea.engen.priv.no/klauvsteinen/unifi-network-operator-controller:latest
         livenessProbe:
           httpGet:
             path: /healthz

internal/controller/firewallgroup_controller.go

@@ -361,10 +361,10 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
 		log.Error(err, "Could not list network objects")
 		return reconcile.Result{}, err
 	}
-	ipv4_name := "k8s-" + firewallGroup.Spec.Name + "-ipv4"
-	ipv6_name := "k8s-" + firewallGroup.Spec.Name + "-ipv6"
-	tcpports_name := "k8s-" + firewallGroup.Spec.Name + "-tcpports"
-	udpports_name := "k8s-" + firewallGroup.Spec.Name + "-udpports"
+	ipv4_name := "k8s-" + firewallGroup.Namespace + "/" + firewallGroup.Name + "-ipv4"
+	ipv6_name := "k8s-" + firewallGroup.Namespace + "/" + firewallGroup.Name + "-ipv6"
+	tcpports_name := "k8s-" + firewallGroup.Namespace + "/" + firewallGroup.Name + "-tcpports"
+	udpports_name := "k8s-" + firewallGroup.Namespace + "/" + firewallGroup.Name + "-udpports"
 	ipv4_done := false
 	ipv6_done := false
 	tcpports_done := false
@@ -377,7 +377,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
 				if err != nil {
 					msg := strings.ToLower(err.Error())
 					log.Info(msg)
-					if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg,"invalid character") {
+					if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg, "invalid character") {
 						log.Info("Firewall group is in use. Invoking workaround...!")
 						firewall_group.GroupMembers = []string{"127.0.0.1"}
 						firewall_group.Name = firewall_group.Name + "-deleted"
@@ -417,7 +417,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
 				if err != nil {
 					msg := strings.ToLower(err.Error())
 					log.Info(msg)
-					if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg,"invalid character") {
+					if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg, "invalid character") {
 						log.Info("Firewall group is in use. Invoking workaround...!")
 						firewall_group.GroupMembers = []string{"::1"}
 						firewall_group.Name = firewall_group.Name + "-deleted"
@@ -457,7 +457,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
 				if err != nil {
 					msg := strings.ToLower(err.Error())
 					log.Info(msg)
-					if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg,"invalid character") {
+					if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg, "invalid character") {
 						log.Info("Firewall group is in use. Invoking workaround...!")
 						firewall_group.GroupMembers = []string{"0"}
 						firewall_group.Name = firewall_group.Name + "-deleted"
@@ -497,7 +497,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.R
 				if err != nil {
 					msg := strings.ToLower(err.Error())
 					log.Info(msg)
-					if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg,"invalid character") {
+					if strings.Contains(msg, "api.err.objectreferredby") || strings.Contains(msg, "invalid character") {
 						log.Info("Firewall group is in use. Invoking workaround...!")
 						firewall_group.GroupMembers = []string{"127.0.0.1"}
 						firewall_group.Name = firewall_group.Name + "-deleted"

internal/controller/firewallpolicy_controller.go

@@ -125,70 +125,73 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 			}
 			log.Info("Running finalizer logic for FirewallPolicy", "name", firewallPolicy.Name)
 
-			if len(firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies) > 0 {
-				for i, UnifiFirewallPolicy := range firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies {
-					log.Info(fmt.Sprintf("From: %s to: %s TcpIpv4: %s UdpIpv4: %s TcpIpv6: %s UdpIpv6: %s", UnifiFirewallPolicy.From, UnifiFirewallPolicy.To, UnifiFirewallPolicy.TcpIpv4ID, UnifiFirewallPolicy.UdpIpv4ID, UnifiFirewallPolicy.TcpIpv6ID, UnifiFirewallPolicy.UdpIpv6ID))
-					if len(UnifiFirewallPolicy.TcpIpv4ID) > 0 {
-						err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.TcpIpv4ID)
-						if err != nil && !strings.Contains(err.Error(), "not found") {
-						} else {
-							firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].TcpIpv4ID = ""
-							if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
-								return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+			log.Info(fmt.Sprintf("Deleting %+v", firewallPolicy))
+			if true {
+				if len(firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies) > 0 {
+					for i, UnifiFirewallPolicy := range firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies {
+						log.Info(fmt.Sprintf("From: %s to: %s TcpIpv4: %s UdpIpv4: %s TcpIpv6: %s UdpIpv6: %s", UnifiFirewallPolicy.From, UnifiFirewallPolicy.To, UnifiFirewallPolicy.TcpIpv4ID, UnifiFirewallPolicy.UdpIpv4ID, UnifiFirewallPolicy.TcpIpv6ID, UnifiFirewallPolicy.UdpIpv6ID))
+						if len(UnifiFirewallPolicy.TcpIpv4ID) > 0 {
+							err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.TcpIpv4ID)
+							if err != nil && !strings.Contains(err.Error(), "not found") {
+							} else {
+								firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].TcpIpv4ID = ""
+								if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
+									return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+								}
 							}
 						}
-					}
-					if len(UnifiFirewallPolicy.UdpIpv4ID) > 0 {
-						err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.UdpIpv4ID)
-						if err != nil && !strings.Contains(err.Error(), "not found") {
-							return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
-						} else {
-							firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].UdpIpv4ID = ""
-							if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
+						if len(UnifiFirewallPolicy.UdpIpv4ID) > 0 {
+							err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.UdpIpv4ID)
+							if err != nil && !strings.Contains(err.Error(), "not found") {
 								return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+							} else {
+								firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].UdpIpv4ID = ""
+								if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
+									return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+								}
 							}
 						}
-					}
-					if len(UnifiFirewallPolicy.TcpIpv6ID) > 0 {
-						err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.TcpIpv6ID)
-						if err != nil && !strings.Contains(err.Error(), "not found") {
-							return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
-						} else {
-							firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].TcpIpv6ID = ""
-							if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
+						if len(UnifiFirewallPolicy.TcpIpv6ID) > 0 {
+							err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.TcpIpv6ID)
+							if err != nil && !strings.Contains(err.Error(), "not found") {
 								return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+							} else {
+								firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].TcpIpv6ID = ""
+								if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
+									return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+								}
 							}
 						}
-					}
-					if len(UnifiFirewallPolicy.UdpIpv6ID) > 0 {
-						err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.UdpIpv6ID)
-						if err != nil && !strings.Contains(err.Error(), "not found") {
-							return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
-						} else {
-							firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].UdpIpv6ID = ""
-							if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
+						if len(UnifiFirewallPolicy.UdpIpv6ID) > 0 {
+							err := r.UnifiClient.Client.DeleteFirewallPolicy(context.Background(), r.UnifiClient.SiteID, UnifiFirewallPolicy.UdpIpv6ID)
+							if err != nil && !strings.Contains(err.Error(), "not found") {
 								return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+							} else {
+								firewallPolicy.Status.ResourcesManaged.UnifiFirewallPolicies[i].UdpIpv6ID = ""
+								if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
+									return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+								}
 							}
 						}
 					}
 				}
-			}
 
-			if len(firewallPolicy.Status.ResourcesManaged.FirewallGroups) > 0 {
-				for i, firewallGroup := range firewallPolicy.Status.ResourcesManaged.FirewallGroups {
-					var firewallGroupCRD unifiv1beta1.FirewallGroup
-					if firewallGroup.Name != "" {
-						if err := r.Get(ctx, types.NamespacedName{Name: firewallGroup.Name, Namespace: firewallGroup.Namespace}, &firewallGroupCRD); err != nil {
-							return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
-						}
-						if err := r.Delete(ctx, &firewallGroupCRD); err != nil {
-							log.Error(err, "Could not delete firewall group")
-							return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
-						}
-						firewallPolicy.Status.ResourcesManaged.FirewallGroups[i].Name = ""
-						firewallPolicy.Status.ResourcesManaged.FirewallGroups[i].Namespace = ""
-						if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
-							return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+				if len(firewallPolicy.Status.ResourcesManaged.FirewallGroups) > 0 {
+					for i, firewallGroup := range firewallPolicy.Status.ResourcesManaged.FirewallGroups {
+						var firewallGroupCRD unifiv1beta1.FirewallGroup
+						if firewallGroup.Name != "" {
+							if err := r.Get(ctx, types.NamespacedName{Name: firewallGroup.Name, Namespace: firewallGroup.Namespace}, &firewallGroupCRD); err != nil {
+								return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+							}
+							if err := r.Delete(ctx, &firewallGroupCRD); err != nil {
+								log.Error(err, "Could not delete firewall group")
+								return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+							}
+							firewallPolicy.Status.ResourcesManaged.FirewallGroups[i].Name = ""
+							firewallPolicy.Status.ResourcesManaged.FirewallGroups[i].Namespace = ""
+							if err := r.Status().Update(ctx, &firewallPolicy); err != nil {
+								return ctrl.Result{RequeueAfter: 10 * time.Minute}, err
+							}
 						}
 					}
 				}
@@ -310,7 +313,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 	// Run through all firewall groups. Add them to the myFirewallGroups list if they either have an annotations or is specified in the resource.
 
 	for _, firewallGroup := range firewallGroupCRDs.Items {
-		if val, found := firewallGroup.Annotations["unifi.engen.priv.no/firewall-policy"]; found && ((strings.Contains(val, "/") && val == firewallPolicy.Namespace+"/"+firewallPolicy.Name) || (val == firewallPolicy.Name && firewallPolicy.Namespace == defaultNs)) {
+		if val, found := firewallGroup.Annotations["unifi.engen.priv.no/firewall-policy"]; found && ((strings.Contains(val, "/") && val == firewallPolicy.Namespace+"/"+firewallPolicy.Name) || (val == firewallPolicy.Name && firewallPolicy.Namespace == firewallGroup.Namespace)) {
 			myFirewallGroups = append(myFirewallGroups, firewallGroup)
 		} else if _, found := destination_groups[firewallGroup.Namespace+"/"+firewallGroup.Name]; found {
 			myFirewallGroups = append(myFirewallGroups, firewallGroup)
@@ -340,7 +343,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 				skipService = true
 			}
 		}
-		if val, found := service.Annotations["unifi.engen.priv.no/firewall-policy"]; found && ((strings.Contains(val, "/") && val == firewallPolicy.Namespace+"/"+firewallPolicy.Name) || (val == firewallPolicy.Name && firewallPolicy.Namespace == defaultNs)) && !skipService {
+		if val, found := service.Annotations["unifi.engen.priv.no/firewall-policy"]; found && ((strings.Contains(val, "/") && val == firewallPolicy.Namespace+"/"+firewallPolicy.Name) || (val == firewallPolicy.Name && firewallPolicy.Namespace == service.Namespace)) && !skipService {
 			myServices = append(myServices, service)
 		} else if _, found := destination_services[service.Namespace+"/"+service.Name]; found && !skipService {
 			myServices = append(myServices, service)
@@ -468,7 +471,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 
 				if len(firewallGroup.Status.ResolvedIPV4Addresses) > 0 {
 					if len(firewallGroup.Status.ResolvedTCPPorts) > 0 {
-						policyname := "k8s-fw-" + firewallPolicy.Name + "-" + "zone:" + zoneCRDs.Items[zoneIndex].Name + "-" + firewallGroup.Name + "-ipv4-tcp"
+						policyname := "k8s-fw-" + firewallPolicy.Namespace + "/" + firewallPolicy.Name + "-" + "zone:" + zoneCRDs.Items[zoneIndex].Name + "-" + firewallGroup.Name + "-ipv4-tcp"
 						if _, found := unifiFirewallpolicyNames[policyname]; !found {
 							log.Info(fmt.Sprintf("Creating ipv4 tcp firewallpolicy for %s to %s: %s", zoneCRDs.Items[zoneIndex].Name, firewallGroup.Name, policyname))
 							unifiFirewallPolicy := fillDefaultPolicy()
@@ -503,7 +506,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 						}
 					}
 					if len(firewallGroup.Status.ResolvedUDPPorts) > 0 {
-						policyname := "k8s-fw-" + firewallPolicy.Name + "-" + "zone:" + zoneCRDs.Items[zoneIndex].Name + "-" + firewallGroup.Name + "-ipv4-udp"
+						policyname := "k8s-fw-" + firewallPolicy.Namespace + "/" + firewallPolicy.Name + "-" + "zone:" + zoneCRDs.Items[zoneIndex].Name + "-" + firewallGroup.Name + "-ipv4-udp"
 						if _, found := unifiFirewallpolicyNames[policyname]; !found {
 							log.Info(fmt.Sprintf("Creating ipv4 udp firewallpolicy for %s to %s: %s", zoneCRDs.Items[zoneIndex].Name, firewallGroup.Name, policyname))
 							unifiFirewallPolicy := fillDefaultPolicy()
@@ -541,7 +544,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 				}
 				if len(firewallGroup.Status.ResolvedIPV6Addresses) > 0 {
 					if len(firewallGroup.Status.ResolvedTCPPorts) > 0 {
-						policyname := "k8s-fw-" + firewallPolicy.Name + "-" + "zone:" + zoneCRDs.Items[zoneIndex].Name + "-" + firewallGroup.Name + "-ipv6-tcp"
+						policyname := "k8s-fw-" + firewallPolicy.Namespace + "/" + firewallPolicy.Name + "-" + "zone:" + zoneCRDs.Items[zoneIndex].Name + "-" + firewallGroup.Name + "-ipv6-tcp"
 						if _, found := unifiFirewallpolicyNames[policyname]; !found {
 							log.Info(fmt.Sprintf("Creating ipv6 tcp firewallpolicy for %s to %s: %s", zoneCRDs.Items[zoneIndex].Name, firewallGroup.Name, policyname))
 							unifiFirewallPolicy := fillDefaultPolicy()
@@ -577,7 +580,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 						}
 					}
 					if len(firewallGroup.Status.ResolvedUDPPorts) > 0 {
-						policyname := "k8s-fw-" + firewallPolicy.Name + "-" + "zone:" + zoneCRDs.Items[zoneIndex].Name + "-" + firewallGroup.Name + "-ipv6-udp"
+						policyname := "k8s-fw-" + firewallPolicy.Namespace + "/" + firewallPolicy.Name + "-" + "zone:" + zoneCRDs.Items[zoneIndex].Name + "-" + firewallGroup.Name + "-ipv6-udp"
 						if _, found := unifiFirewallpolicyNames[policyname]; !found {
 							log.Info(fmt.Sprintf("Creating ipv6 udp firewallpolicy for %s to %s: %s", zoneCRDs.Items[zoneIndex].Name, firewallGroup.Name, policyname))
 							unifiFirewallPolicy := fillDefaultPolicy()
@@ -640,7 +643,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 				}
 				if len(firewallGroup.Status.ResolvedIPV4Addresses) > 0 {
 					if len(firewallGroup.Status.ResolvedTCPPorts) > 0 {
-						policyname := "k8s-fw-" + firewallPolicy.Name + "-" + "network:" + networkCRDs.Items[networkIndex].Name + "-" + firewallGroup.Name + "-ipv4-tcp"
+						policyname := "k8s-fw-" + firewallPolicy.Namespace + "/" + firewallPolicy.Name + "-" + "network:" + networkCRDs.Items[networkIndex].Name + "-" + firewallGroup.Name + "-ipv4-tcp"
 						if _, found := unifiFirewallpolicyNames[policyname]; !found {
 							log.Info(fmt.Sprintf("Creating ipv4 tcp firewallpolicy for %s to %s: %s", networkCRDs.Items[networkIndex].Name, firewallGroup.Name, policyname))
 							unifiFirewallPolicy := fillDefaultPolicy()
@@ -677,7 +680,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 						}
 					}
 					if len(firewallGroup.Status.ResolvedUDPPorts) > 0 {
-						policyname := "k8s-fw-" + firewallPolicy.Name + "-" + "network:" + networkCRDs.Items[networkIndex].Name + "-" + firewallGroup.Name + "-ipv4-udp"
+						policyname := "k8s-fw-" + firewallPolicy.Namespace + "/" + firewallPolicy.Name + "-" + "network:" + networkCRDs.Items[networkIndex].Name + "-" + firewallGroup.Name + "-ipv4-udp"
 						if _, found := unifiFirewallpolicyNames[policyname]; !found {
 							log.Info(fmt.Sprintf("Creating ipv4 udp firewallpolicy for %s to %s: %s", networkCRDs.Items[networkIndex].Name, firewallGroup.Name, policyname))
 							unifiFirewallPolicy := fillDefaultPolicy()
@@ -716,7 +719,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 				}
 				if len(firewallGroup.Status.ResolvedIPV6Addresses) > 0 {
 					if len(firewallGroup.Status.ResolvedTCPPorts) > 0 {
-						policyname := "k8s-fw-" + firewallPolicy.Name + "-" + "network:" + networkCRDs.Items[networkIndex].Name + "-" + firewallGroup.Name + "-ipv6-tcp"
+						policyname := "k8s-fw-" + firewallPolicy.Namespace + "/" + firewallPolicy.Name + "-" + "network:" + networkCRDs.Items[networkIndex].Name + "-" + firewallGroup.Name + "-ipv6-tcp"
 						if _, found := unifiFirewallpolicyNames[policyname]; !found {
 							log.Info(fmt.Sprintf("Creating ipv6 tcp firewallpolicy for %s to %s: %s", networkCRDs.Items[networkIndex].Name, firewallGroup.Name, policyname))
 							unifiFirewallPolicy := fillDefaultPolicy()
@@ -753,7 +756,7 @@ func (r *FirewallPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 						}
 					}
 					if len(firewallGroup.Status.ResolvedUDPPorts) > 0 {
-						policyname := "k8s-fw-" + firewallPolicy.Name + "-" + "network:" + networkCRDs.Items[networkIndex].Name + "-" + firewallGroup.Name + "-ipv6-udp"
+						policyname := "k8s-fw-" + firewallPolicy.Namespace + "/" + firewallPolicy.Name + "-" + "network:" + networkCRDs.Items[networkIndex].Name + "-" + firewallGroup.Name + "-ipv6-udp"
 						if _, found := unifiFirewallpolicyNames[policyname]; !found {
 							log.Info(fmt.Sprintf("Creating ipv6 udp firewallpolicy for %s to %s: %s", networkCRDs.Items[networkIndex].Name, firewallGroup.Name, policyname))
 							unifiFirewallPolicy := fillDefaultPolicy()

ko.yaml

@@ -0,0 +1,7 @@
+defaultBaseImage: cgr.dev/chainguard/static:latest
+
+labels:
+  org.opencontainers.image.authors: Vegard Engen <vegard@engen.priv.no>
+  org.opencontainers.image.source: https://gitea.engen.priv.no/klauvsteinen/unifi-network-operator
+  org.opencontainers.image.vendor: Klauvsteinen
+  dev.chainguard.package.main: ""