[Kubevirt] Remove EgressFirewall Creation in HCP namespace

Starting from 4.14, the EgressFirewall is not needed any longer, since kubevirt platform consumes the kubevirt provider in RHCOS, thus an attempt to access the metadata server is not being initiated, as opposed to the legacy OpenStack RHCOS provider.
Therefore, EgressFirewall is not needed to be deployed on the mgmt/infra cluster for guests >= v4.14.

Signed-off-by: Oren Cohen <ocohen@redhat.com>

cmd/install/assets/hypershift_operator.go

@@ -990,11 +990,6 @@ func (o HyperShiftOperatorClusterRole) Build() *rbacv1.ClusterRole {
 				Verbs:         []string{"delete"},
 				ResourceNames: []string{hyperv1.GroupVersion.Group},
 			},
-			{
-				APIGroups: []string{"k8s.ovn.org"},
-				Resources: []string{"egressfirewalls"},
-				Verbs:     []string{"*"},
-			},
 		},
 	}
 	return role

hack/app-sre/saas_template.yaml

@@ -262,12 +262,6 @@ objects:
     - validatingwebhookconfigurations
     verbs:
     - delete
-  - apiGroups:
-    - k8s.ovn.org
-    resources:
-    - egressfirewalls
-    verbs:
-    - '*'
 - apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:

hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go

@@ -77,7 +77,6 @@ import (
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/types"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -4029,26 +4028,6 @@ type NodeClientCert struct {
 	Disabled bool `json:"disabled,omitempty"`
 }
 
-func reconcileVirtLauncherEgressFirewall(egressFirewall *unstructured.Unstructured) error {
-	egressFirewall.Object["spec"] = map[string]interface{}{
-		"egress": []interface{}{
-			map[string]interface{}{
-				"to": map[string]interface{}{
-					"cidrSelector": "169.254.169.254/32",
-				},
-				"type": "Deny",
-				"ports": []interface{}{
-					map[string]interface{}{
-						"port":     int64(80),
-						"protocol": "TCP",
-					},
-				},
-			},
-		},
-	}
-	return nil
-}
-
 const (
 	oidcDocumentsFinalizer         = "hypershift.io/aws-oidc-discovery"
 	serviceAccountSigningKeySecret = "sa-signing-key"

hypershift-operator/controllers/hostedcluster/network_policies.go

@@ -10,7 +10,6 @@ import (
 	configv1 "github.com/openshift/api/config/v1"
 	hyperv1 "github.com/openshift/hypershift/api/v1beta1"
 	"github.com/openshift/hypershift/hypershift-operator/controllers/manifests"
-	"github.com/openshift/hypershift/hypershift-operator/controllers/manifests/egressfirewall"
 	"github.com/openshift/hypershift/hypershift-operator/controllers/manifests/networkpolicy"
 	"github.com/openshift/hypershift/support/capabilities"
 	"github.com/openshift/hypershift/support/config"
@@ -108,25 +107,6 @@ func (r *HostedClusterReconciler) reconcileNetworkPolicies(ctx context.Context,
 				return fmt.Errorf("failed to reconcile virt launcher policy: %w", err)
 			}
 		}
-
-		var creds *hyperv1.KubevirtPlatformCredentials
-
-		if hcluster.Spec.Platform.Kubevirt != nil && hcluster.Spec.Platform.Kubevirt.Credentials != nil {
-			creds = hcluster.Spec.Platform.Kubevirt.Credentials
-		}
-
-		kvInfraCluster, err := r.KubevirtInfraClients.DiscoverKubevirtClusterClient(ctx, r.Client, hcluster.Spec.InfraID, creds, hcp.Namespace, hcluster.Namespace)
-		if err != nil {
-			return err
-		}
-		if hcluster.Spec.Networking.NetworkType == hyperv1.OVNKubernetes {
-			egressFirewall := egressfirewall.VirtLauncherEgressFirewall(kvInfraCluster.GetInfraNamespace())
-			if _, err := createOrUpdate(ctx, kvInfraCluster.GetInfraClient(), egressFirewall, func() error {
-				return reconcileVirtLauncherEgressFirewall(egressFirewall)
-			}); err != nil {
-				return fmt.Errorf("failed to reconcile firewall to deny metadata server egress: %w", err)
-			}
-		}
 	}
 
 	for _, svc := range hcluster.Spec.Services {