Skip to content

no-jira: Allow CAPG to create firewall Rules#10318

Open
barbacbd wants to merge 4 commits intoopenshift:mainfrom
barbacbd:test-firewall-rules-capg
Open

no-jira: Allow CAPG to create firewall Rules#10318
barbacbd wants to merge 4 commits intoopenshift:mainfrom
barbacbd:test-firewall-rules-capg

Conversation

@barbacbd
Copy link
Contributor

@barbacbd barbacbd commented Feb 16, 2026

*** Includes unmerged CAPG commits:
kubernetes-sigs/cluster-api-provider-gcp#1538

** Code Changes:

pkg/asset/manifests/gcp/cluster.go:

Migrated the creation of firewall rules to CAPG. These rules are now formed
in the manifest and passed to CAPG for creation.

pkg/infrastructure/gcp/clusterapi:

Remove the creation of firewall rules.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 16, 2026
@barbacbd
Copy link
Contributor Author

/cc @patrickdillon
/cc @damdo
/cc @tthvo
/cc @sadasu
/cc @JoelSpeed

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 16, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mtulio for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@barbacbd barbacbd changed the title Allow CAPG to create firewall Rules WIP: Allow CAPG to create firewall Rules Feb 16, 2026
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 16, 2026
Comment on lines +335 to +337
if installConfig.Config.Publish == types.InternalPublishingStrategy {
healthCheckSrcRanges = append(healthCheckSrcRanges, []string{"209.85.152.0/22", "209.85.204.0/22"}...)
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if installConfig.Config.Publish == types.InternalPublishingStrategy {
  healthCheckSrcRanges = append(healthCheckSrcRanges,
         []string{"209.85.152.0/22", "209.85.204.0/22"}...)
}

I think the condition should be installConfig.Config.Publish == types.ExternalPublishingStrategy since these 209.x.x.x/22 subnets are applicable to public clusters, right?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Can we use installConfig.Config.PublicAPI()?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a case of don't fix what isn't broken. These were taken directly from the infrastructure creation.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, but this part said health check IPs "209.85.152.0/22", "209.85.204.0/22" are for public install, right?

srcRanges = []string{"35.191.0.0/16", "130.211.0.0/22"}
if in.InstallConfig.Config.Publish == types.ExternalPublishingStrategy {
// public installs require additional google ip addresses for health checks
srcRanges = append(srcRanges, []string{"209.85.152.0/22", "209.85.204.0/22"}...)
}

Firewall: capg.FirewallSpec{
DefaultRulesManagement: firewallRulesManagementPolicy,
FirewallSpec: capg.FirewallSpec{
DefaultRulesManagement: capg.RulesManagementManaged,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We still need to consider user-provider options for rule management mode, right?

firewallRulesManagementPolicy := capg.RulesManagementManaged
if installConfig.Config.GCP.FirewallRulesManagement == gcp.UnmanagedFirewallRules {
    firewallRulesManagementPolicy = capg.RulesManagementUnmanaged
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this was just a proof on concept. It was more to assist getting the firewall rules merged in CAPG.

Comment on lines 140 to 141
firewallRules := createBootstrapFirewallRuleForCAPG(installConfig, clusterID)
firewallRules = append(firewallRules, createFirewallRulesForCAPG(installConfig, clusterID)...)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When the user defines platform.gcp.networkProjectID, we should use that project to create the firewall rules, right?

With the latest change, I don't see it being checked anyway... Maybe CAPG handles it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CAPG should handle this now. We attach the firewall rules spec to a network spec.

@barbacbd barbacbd force-pushed the test-firewall-rules-capg branch 2 times, most recently from 75c3fb8 to ac0a050 Compare February 18, 2026 14:34
…the changes to allow users

to specify the firewall rules to be created by CAPG.
Migrated the creation of firewall rules to CAPG. These rules are now formed
in the manifest and passed to CAPG for creation.

pkg/infrastructure/gcp/clusterapi:

Remove the creation of firewall rules.
@barbacbd barbacbd force-pushed the test-firewall-rules-capg branch from ac0a050 to 8942e19 Compare February 18, 2026 15:26
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 18, 2026
@barbacbd barbacbd changed the title WIP: Allow CAPG to create firewall Rules Allow CAPG to create firewall Rules Feb 18, 2026
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 18, 2026
@barbacbd barbacbd changed the title Allow CAPG to create firewall Rules no-jira: Allow CAPG to create firewall Rules Feb 18, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 18, 2026
@openshift-ci-robot
Copy link
Contributor

@barbacbd: This pull request explicitly references no jira issue.

Details

In response to this:

*** Includes unmerged CAPG commits:
kubernetes-sigs/cluster-api-provider-gcp#1538

** Code Changes:

pkg/asset/manifests/gcp/cluster.go:

Migrated the creation of firewall rules to CAPG. These rules are now formed
in the manifest and passed to CAPG for creation.

pkg/infrastructure/gcp/clusterapi:

Remove the creation of firewall rules.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@barbacbd
Copy link
Contributor Author

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 18, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 18, 2026

@barbacbd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/images 8942e19 link true /test images
ci/prow/e2e-gcp-ovn-xpn 8942e19 link false /test e2e-gcp-ovn-xpn
ci/prow/e2e-gcp-ovn-byo-vpc 8942e19 link false /test e2e-gcp-ovn-byo-vpc
ci/prow/e2e-gcp-xpn-custom-dns 8942e19 link false /test e2e-gcp-xpn-custom-dns
ci/prow/e2e-gcp-custom-dns 8942e19 link false /test e2e-gcp-custom-dns
ci/prow/e2e-aws-ovn-heterogeneous 8942e19 link false /test e2e-aws-ovn-heterogeneous
ci/prow/e2e-aws-ovn-dualstack-ipv6-primary-techpreview 8942e19 link false /test e2e-aws-ovn-dualstack-ipv6-primary-techpreview
ci/prow/gcp-private 8942e19 link false /test gcp-private
ci/prow/e2e-aws-default-config 8942e19 link false /test e2e-aws-default-config
ci/prow/e2e-aws-ovn-dualstack-ipv4-primary-techpreview 8942e19 link false /test e2e-aws-ovn-dualstack-ipv4-primary-techpreview
ci/prow/e2e-aws-ovn-shared-vpc-custom-security-groups 8942e19 link false /test e2e-aws-ovn-shared-vpc-custom-security-groups
ci/prow/e2e-gcp-secureboot 8942e19 link false /test e2e-gcp-secureboot
ci/prow/e2e-aws-ovn-single-node 8942e19 link false /test e2e-aws-ovn-single-node
ci/prow/e2e-gcp-custom-endpoints 8942e19 link false /test e2e-gcp-custom-endpoints
ci/prow/e2e-gcp-default-config 8942e19 link false /test e2e-gcp-default-config
ci/prow/e2e-gcp-xpn-dedicated-dns-project 8942e19 link false /test e2e-gcp-xpn-dedicated-dns-project
ci/prow/e2e-gcp-ovn 8942e19 link true /test e2e-gcp-ovn
ci/prow/e2e-aws-ovn-shared-vpc-edge-zones 8942e19 link false /test e2e-aws-ovn-shared-vpc-edge-zones
ci/prow/e2e-aws-ovn-fips 8942e19 link false /test e2e-aws-ovn-fips
ci/prow/e2e-aws-ovn-edge-zones 8942e19 link false /test e2e-aws-ovn-edge-zones

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Comment on lines +145 to +146
firewallRules = append(firewallRules, createBootstrapFirewallRuleForCAPG(installConfig, clusterID)...)
firewallRules = append(firewallRules, createFirewallRulesForCAPG(installConfig, clusterID)...)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since CAPG manages the firewall rules now, I wonder how we should handle bootstrap firewall rule destroy...? Currently, we have below code in DestroyBootstrap phase.

if err := removeBootstrapFirewallRules(ctx, in.Metadata.InfraID, projectID, in.Metadata.GCP.Endpoint); err != nil {
return fmt.Errorf("failed to remove bootstrap firewall rules: %w", err)
}

My question is: will there a "fight" between the installer and CAPG? The installer deletes the firewall rule, but CAPG tries to re-create it as the rule is still defined in spec? If so, we should follow AWS here to edit the firewall rule spec and wait till its gone right?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants

Comments