Conversation

barbacbd
Contributor

@barbacbd barbacbd commented Sep 18, 2025

What type of PR is this?

/kind feature
/kind api-change

What this PR does / why we need it:

Add API changes to skip firewall rule creation. When unmanaged, the firewall rules will not be
created. When this is the case, the firewall rules should exist prior to creating the network.
This will allow ServiceAccounts to skip the rules: compute.firewalls.create.
Update the services and interfaces. The firewall service will no longer create firewall rules when
the firewall policy is set to unmanaged OR when a shared VPC is used during installation and resource creation.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

https://issues.redhat.com/browse/CORS-4230

Special notes for your reviewer:

Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests

Release note:

Add API changes to skip firewall rule creation. When unmanaged, the firewall rules will not be
created. When this is the case, the firewall rules should exist prior to creating the network.
This will allow ServiceAccounts to skip the rules: compute.firewalls.create.

Update the services and interfaces. The firewall service will no longer create firewall rules when
the firewall policy is set to unmanaged OR when a shared VPC is used during installation and resource creation.

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API labels Sep 18, 2025

netlify bot commented Sep 18, 2025

Deploy Preview for kubernetes-sigs-cluster-api-gcp ready!

Name Link
🔨 Latest commit 56d4280
🔍 Latest deploy log https://app.netlify.com/projects/kubernetes-sigs-cluster-api-gcp/deploys/68d42ee43f740700081ae43a
😎 Deploy Preview https://deploy-preview-1532--kubernetes-sigs-cluster-api-gcp.netlify.app

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 18, 2025
@k8s-ci-robot k8s-ci-robot requested review from damdo and dims September 18, 2025 19:38
@k8s-ci-robot
Contributor

Hi @barbacbd. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Sep 18, 2025
Member

@damdo damdo left a comment


/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 19, 2025
@barbacbd
Contributor Author

/retest

Member

@damdo damdo left a comment


Thanks @barbacbd

On the API side, I think we could make it a bit more "future proof" and adherent to the upstream API conventions: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md

Comment on lines 140 to 143
// SkipFirewallRuleCreation should be set to true when no firewall rules should be
// created by the provider.
SkipFirewallRuleCreation *bool `json:"skipFirewallRuleCreation,omitempty"`

Member


How about creating a Firewall type that in the future can be expanded if necessary?

// Firewall configuration.
// +optional
Firewall FirewallSpec `json:"firewall,omitempty"`

And for the inner struct maybe have a field called something along the lines of RulesManagement?

// FirewallSpec contains configuration for the firewall.
type FirewallSpec struct {
	// RulesManagement determines the management policy for firewall rules.
	// "On": The controller will create and manage firewall rules.
	// "Off": The controller will not touch any firewall rules. If this is
	//        changed to "Off" after rules have been created, they will not be
	//        deleted.
	// Defaults to "On".
	// +optional
	// +kubebuilder:default:="On"
	RulesManagement RulesManagementPolicy `json:"rulesManagement,omitempty"`
}

// RulesManagementPolicy is a string enum type for managing firewall rules.
// +kubebuilder:validation:Enum=On;Off
type RulesManagementPolicy string

const (
	// RulesManagementOn indicates that the controller should create and manage
	// firewall rules. This is the default behavior.
	RulesManagementOn RulesManagementPolicy = "On"

	// RulesManagementOff indicates that the controller should not create or manage
	// any firewall rules. If rules already exist, they will be left as-is.
	RulesManagementOff RulesManagementPolicy = "Off"
)

Member


cc. @JoelSpeed for a sanity check


Seems like a reasonable suggestion, though maybe you want to change it to be rules: Managed | Unmanaged so that in the future you could potentially add a PartiallyManaged or other third option to the enum.
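An added illustration of the decision logic the PR description and the review thread converge on, using the Managed/Unmanaged naming suggested above. This is not CAPG's code or the PR's diff; the type and function names are hypothetical, and the preflight check assumes the caller supplies the list of rule names found in the project.

```go
package main

import "fmt"

// FirewallRulesPolicy: the review-thread enum with JoelSpeed's Managed/Unmanaged names (hypothetical).
type FirewallRulesPolicy string

const (
	FirewallRulesManaged   FirewallRulesPolicy = "Managed"
	FirewallRulesUnmanaged FirewallRulesPolicy = "Unmanaged"
)
// FirewallSpec wraps the policy; an empty Rules value means Managed (the suggested default).
type FirewallSpec struct {
	Rules FirewallRulesPolicy `json:"rules,omitempty"`
}

// ShouldCreateRules decides whether the controller creates firewall rules: never when the
// policy is Unmanaged or a shared VPC is used (per the PR description). Unknown values are
// rejected rather than treated as Managed, so a typo cannot silently enable rule creation.
func ShouldCreateRules(spec FirewallSpec, sharedVPC bool) (bool, error) {
	policy := spec.Rules
	if policy == "" {
		policy = FirewallRulesManaged
	}
	switch policy {
	case FirewallRulesManaged:
		return !sharedVPC, nil
	case FirewallRulesUnmanaged:
		return false, nil
	default:
		return false, fmt.Errorf("unsupported firewall rules policy %q", policy)
	}
}

// MissingRules is a preflight check for the Unmanaged case: the PR says the rules must
// already exist, so report required rule names absent from those found in the project.
func MissingRules(required, existing []string) []string {
	have := make(map[string]struct{}, len(existing))
	for _, name := range existing {
		have[name] = struct{}{}
	}
	var missing []string
	for _, name := range required {
		if _, ok := have[name]; !ok {
			missing = append(missing, name)
		}
	}
	return missing
}
```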

… firewall rule creation

api:

Add API changes to skip firewall rule creation. When unmanaged, the firewall rules will not be
created. When this is the case, the firewall rules should exist prior to creating the network.
This will allow ServiceAccounts to skip the rules:

compute.firewalls.create

cloud:

Update the services and interfaces. The firewall service will no longer create firewall rules when
the firewall policy is set to unmanaged OR when a shared VPC is used during installation and resource creation.
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 24, 2025
@barbacbd barbacbd changed the title CORS-4230: Add SkipFirewallRuleCreation CORS-4230: Add a firewall spec and the ability to manage or unmanaged firewall rule creation Sep 24, 2025
@barbacbd barbacbd requested review from damdo and JoelSpeed September 24, 2025 19:01
Member

@damdo damdo left a comment


Thanks!

/approve

/assign @justinsb @salasberryfin @cpanato

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: barbacbd, damdo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 25, 2025
@barbacbd barbacbd mentioned this pull request Sep 26, 2025
3 tasks