Handle annotations in firewallgroup reconcile function

Merge pull request #5 from vegardengen/4-handle-reauthentication
Reauthentication and deleting firewall groups that are in use.
2025-04-10 19:36:55 +02:00 · 2025-04-10 13:53:53 +02:00 · 2025-04-10 13:45:51 +02:00 · 2025-04-10 12:06:24 +02:00 · 2025-04-10 10:46:41 +02:00 · 2025-04-10 00:34:53 +02:00
4 changed files with 179 additions and 22 deletions
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -4,6 +4,14 @@ kind: ClusterRole
 metadata:
  name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
  - unifi.engen.priv.no
  resources:
--- a/config/samples/unifi_v1beta1_firewallgroup.yaml
+++ b/config/samples/unifi_v1beta1_firewallgroup.yaml
@@ -7,11 +7,8 @@ metadata:
  name: firewallgroup-sample
 spec:
  name: Test
+  matchServicesInAllNamespaces: true
  manualAddresses:
    - 192.168.1.153
    - 192.168.1.154
-    - 192.168.1.155
-    - 2a01::3
-    - 2a01:0::5
-    - 2a01:2a01::/32
  # TODO(user): Add fields here
--- a/internal/controller/firewallgroup_controller.go
+++ b/internal/controller/firewallgroup_controller.go
@@ -21,11 +21,15 @@ import (
 	"fmt"
 	"net"
 	"reflect"
+	"strings"

 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"

 	goUnifi "github.com/vegardengen/go-unifi/unifi"
 	unifiv1beta1 "github.com/vegardengen/unifi-network-operator/api/v1beta1"
@@ -42,6 +46,7 @@ type FirewallGroupReconciler struct {
 // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallgroups,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallgroups/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=unifi.engen.priv.no,resources=firewallgroups/finalizers,verbs=update
+// +kubebuilder:rbac:groups="",resources=services,verbs=list;get;watch

 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -53,11 +58,11 @@ type FirewallGroupReconciler struct {
 // For more details, check Reconcile and its Result here:
 // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.20.2/pkg/reconcile

-func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error) {
 	log := log.FromContext(ctx)
 	var nwObj unifiv1beta1.FirewallGroup
 	if err := r.Get(ctx, req.NamespacedName, &nwObj); err != nil {
-		return ctrl.Result{}, client.IgnoreNotFound(err)
+		return reconcile.Result{}, client.IgnoreNotFound(err)
 	}
 	log.Info(nwObj.Spec.Name)
 	var ipv4, ipv6 []string
@@ -86,14 +91,51 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 				}
 			} else {
 				log.Error(err, fmt.Sprintf("Could not parse: %s", addressEntry))
-				return ctrl.Result{}, err
+				return reconcile.Result{}, err
 			}
 		}
 	}
+	var services corev1.ServiceList
+	if nwObj.Spec.MatchServicesInAllNamespaces {
+		if err := r.List(ctx, &services); err != nil {
+			log.Error(err, "unable to list services")
+			return reconcile.Result{}, err
+		}
+	} else {
+		// List Services only in the current namespace
+		if err := r.List(ctx, &services, client.InNamespace(req.Namespace)); err != nil {
+			log.Error(err, "unable to list services")
+			return reconcile.Result{}, err
+		}
+	}
+        for _, service := range services.Items {
+		if val, found := service.Annotations["unifi.engen.priv.no/firewall-group"]; found && val == nwObj.Name && service.Status.LoadBalancer.Ingress != nil {
+			for _, ingress := range service.Status.LoadBalancer.Ingress {
+				if ingress.IP != "" {
+					ip := ingress.IP
+					if isIPv6(ip) {
+						ipv6 = append(ipv6, ip)
+					} else {
+						ipv4= append(ipv4, ip)
+					}
+				}
+			}
+		}
+	}
+	nwObj.Status.ResolvedAddresses = ipv4
+	nwObj.Status.ResolvedAddresses = append(nwObj.Status.ResolvedAddresses, ipv6...)
+	currentTime := metav1.Now()
+	nwObj.Status.LastSyncTime = &currentTime;
+	nwObj.Status.SyncedWithUnifi = true
+
+	err := r.UnifiClient.Reauthenticate()
+	if err != nil {
+		return reconcile.Result{}, err
+	}
 	firewall_groups, err := r.UnifiClient.Client.ListFirewallGroup(context.Background(), r.UnifiClient.SiteID)
 	if err != nil {
 		log.Error(err, "Could not list network objects")
-		return ctrl.Result{}, err
+		return reconcile.Result{}, err
 	}
 	ipv4_name := "k8s-" + nwObj.Spec.Name + "-ipv4"
 	ipv6_name := "k8s-" + nwObj.Spec.Name + "-ipv6"
@@ -105,8 +147,21 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 				log.Info(fmt.Sprintf("Delete %s", ipv4_name))
 				err := r.UnifiClient.Client.DeleteFirewallGroup(context.Background(), r.UnifiClient.SiteID, firewall_group.ID)
 				if err != nil {
-					log.Error(err, "Could not delete firewall group")
-					return ctrl.Result{}, err
+					msg := strings.ToLower(err.Error())
+					log.Info(msg)
+					if strings.Contains(msg, "api.err.objectreferredby") {
+						log.Info("Firewall group is in use. Invoking workaround...!")
+						firewall_group.GroupMembers = []string{"127.0.0.1"}
+						firewall_group.Name = firewall_group.Name + "-deleted"
+						_, updateerr := r.UnifiClient.Client.UpdateFirewallGroup(context.Background(), r.UnifiClient.SiteID, &firewall_group)
+						if updateerr != nil {
+							log.Error(updateerr, "Could neither delete or rename firewall group")
+							return reconcile.Result{}, updateerr
+						}
+					} else {
+						log.Error(err, "Could not delete firewall group")
+						return reconcile.Result{}, err
+					}
 				}
 				ipv4_done = true
 			} else {
@@ -116,7 +171,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 					_, err := r.UnifiClient.Client.UpdateFirewallGroup(context.Background(), r.UnifiClient.SiteID, &firewall_group)
 					if err != nil {
 						log.Error(err, "Could not update firewall group")
-						return ctrl.Result{}, err
+						return reconcile.Result{}, err
 					}
 				}
 				ipv4_done = true
@@ -127,8 +182,21 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 				log.Info(fmt.Sprintf("Delete %s", ipv6_name))
 				err := r.UnifiClient.Client.DeleteFirewallGroup(context.Background(), r.UnifiClient.SiteID, firewall_group.ID)
 				if err != nil {
-					log.Error(err, "Could not delete firewall group")
-					return ctrl.Result{}, err
+					msg := strings.ToLower(err.Error())
+					log.Info(msg)
+					if strings.Contains(msg, "api.err.objectreferredby") {
+						log.Info("Firewall group is in use. Invoking workaround...!")
+						firewall_group.GroupMembers = []string{"::1"}
+						firewall_group.Name = firewall_group.Name + "-deleted"
+						_, updateerr := r.UnifiClient.Client.UpdateFirewallGroup(context.Background(), r.UnifiClient.SiteID, &firewall_group)
+						if updateerr != nil {
+							log.Error(updateerr, "Could neither delete or rename firewall group")
+							return reconcile.Result{}, updateerr
+						}
+					} else {
+						log.Error(err, "Could not delete firewall group")
+						return reconcile.Result{}, err
+					}
 				}
 				ipv6_done = true
 			} else {
@@ -138,12 +206,34 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 					_, err := r.UnifiClient.Client.UpdateFirewallGroup(context.Background(), r.UnifiClient.SiteID, &firewall_group)
 					if err != nil {
 						log.Error(err, "Could not update firewall group")
-						return ctrl.Result{}, err
+						return reconcile.Result{}, err
 					}
 				}
 				ipv6_done = true
 			}
 		}
+		if firewall_group.Name == ipv4_name+"-deleted" && len(ipv4) > 0 {
+			firewall_group.Name = ipv4_name
+			firewall_group.GroupMembers = ipv4
+			log.Info(fmt.Sprintf("Creating %s (from previously deleted)", ipv4_name))
+			_, err := r.UnifiClient.Client.UpdateFirewallGroup(context.Background(), r.UnifiClient.SiteID, &firewall_group)
+			if err != nil {
+				log.Error(err, "Could not update firewall group")
+				return reconcile.Result{}, err
+			}
+			ipv4_done = true
+		}
+		if firewall_group.Name == ipv6_name+"-deleted" && len(ipv6) > 0 {
+			firewall_group.Name = ipv6_name
+			firewall_group.GroupMembers = ipv6
+			log.Info(fmt.Sprintf("Creating %s (from previously deleted)", ipv6_name))
+			_, err := r.UnifiClient.Client.UpdateFirewallGroup(context.Background(), r.UnifiClient.SiteID, &firewall_group)
+			if err != nil {
+				log.Error(err, "Could not update firewall group")
+				return reconcile.Result{}, err
+			}
+			ipv6_done = true
+		}
 	}
 	if len(ipv4) > 0 && !ipv4_done {
 		log.Info(fmt.Sprintf("Creating %s", ipv4_name))
@@ -155,7 +245,7 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 		_, err := r.UnifiClient.Client.CreateFirewallGroup(context.Background(), r.UnifiClient.SiteID, &firewall_group)
 		if err != nil {
 			log.Error(err, "Could not create firewall group")
-			return ctrl.Result{}, err
+			return reconcile.Result{}, err
 		}
 	}
 	if len(ipv6) > 0 && !ipv6_done {
@@ -168,13 +258,21 @@ func (r *FirewallGroupReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 		_, err := r.UnifiClient.Client.CreateFirewallGroup(context.Background(), r.UnifiClient.SiteID, &firewall_group)
 		if err != nil {
 			log.Error(err, "Could not create firewall group")
-			return ctrl.Result{}, err
+			return reconcile.Result{}, err
 		}
 	}
+        if err := r.Status().Update(ctx, &nwObj); err != nil {
+		log.Error(err, "unable to update FirewallGroup status")
+		return reconcile.Result{}, err
+	}

-	return ctrl.Result{}, nil
+	log.Info("Successfully updated FirewallGroup status with collected IP addresses")
+
+	return reconcile.Result{}, nil
+}
+func isIPv6(ip string) bool {
+	return strings.Contains(ip, ":")
 }
-
 // SetupWithManager sets up the controller with the Manager.
 func (r *FirewallGroupReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
--- a/internal/unifi/unifi.go
+++ b/internal/unifi/unifi.go
@@ -10,13 +10,19 @@ import (
 	"net/http"
 	"net/http/cookiejar"
 	"os"
+	"strings"
+	"sync"

 	"github.com/vegardengen/go-unifi/unifi"
 )

 type UnifiClient struct {
-	Client *unifi.Client
-	SiteID string
+	Client     *unifi.Client
+	SiteID     string
+	mutex      sync.Mutex
+	controller string
+	username   string
+	password   string
 }

 func CreateUnifiClient() (*UnifiClient, error) {
@@ -64,9 +70,57 @@ func CreateUnifiClient() (*UnifiClient, error) {
 	}

 	unifiClient := &UnifiClient{
-		Client: client,
-		SiteID: siteID,
+		Client:     client,
+		SiteID:     siteID,
+		controller: unifiURL,
+		username:   username,
+		password:   password,
 	}

 	return unifiClient, nil
 }
+
+func (s *UnifiClient) WithSession(action func(c *unifi.Client) error) error {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	err := action(s.Client)
+	if err == nil {
+		return nil
+	}
+
+	if IsSessionExpired(err) {
+		if loginErr := s.Client.Login(context.Background(), s.username, s.password); loginErr != nil {
+			return fmt.Errorf("re-login to Unifi failed: %w", loginErr)
+		}
+
+		return action(s.Client)
+	}
+	return err
+}
+
+func (uClient *UnifiClient) Reauthenticate() error {
+	_, err := uClient.Client.ListSites(context.Background())
+	if err == nil {
+		return nil
+	}
+
+	if IsSessionExpired(err) {
+		if loginErr := uClient.Client.Login(context.Background(), uClient.username, uClient.password); loginErr != nil {
+			return fmt.Errorf("re-login to Unifi failed: %w", loginErr)
+		}
+	}
+	return nil
+}
+
+func IsSessionExpired(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	msg := strings.ToLower(err.Error())
+	return strings.Contains(msg, "unauthorized") ||
+		strings.Contains(msg, "authentication") ||
+		strings.Contains(msg, "login required") ||
+		strings.Contains(msg, "token")
+}
Author	SHA1	Message	Date
Vegard Engen	7aadd06258	Handle annotations in firewallgroup reconcile function	2025-04-10 19:36:55 +02:00
vegardengen	7fc1960d4c	Merge pull request #5 from vegardengen/4-handle-reauthentication Reauthentication and deleting firewall groups that are in use.	2025-04-10 13:53:53 +02:00
Vegard Engen	a1ed82258c	Reauthenticate method plus workaround for delete	2025-04-10 13:45:51 +02:00
Vegard Engen	1306939d58	fix compile errors	2025-04-10 12:06:24 +02:00
Vegard Engen	5b0b555557	Create logic to handle sessions in Unifi API	2025-04-10 10:46:41 +02:00
vegardengen	7710f93a41	Merge pull request #2 from vegardengen/feature/create-functionality-to-create-a-unifi-network-object-based-on-an-annotation Feature/create functionality to create a unifi network object	2025-04-10 00:34:53 +02:00