Firewall CR migration

[sugangli]

This PR is for migrating existing direct GCE FW configuration to our firewall CR approach. Only L7 firewall changes are included here. L4 changes will come later. Major changes:

1. Most of the new CR-related functions are under the second commit. Firewall CRUDs are supported here.
2. Add firewall informers so that the ingress-gce can watch the status and populate to the related LB services/ingresses. It is mainly for populating the XPN error and its relevant gcloud cmd to the service/ingress's event, but it also serves general service updating purpose.

Here is the algorithm in high-level:

• ingress-gce creates the CR with pending status
• Platform Firewall Controller(borg) configures the firewall based on the CRs, and updates the status
• ingress-gce watches the status, and enqueue in the service/ingress if needed. Then it uses the service/ingress ensuring code path to ensure(read) the firewall CR status and populate the event.

3. Two flags are added : EnableFirewallCR and EnableFWControllerEnforcement. When the latter is false, ingress-gce configures firewall CRs and gce firewalls at the same time, but Platform FW Controller(borg) will not enforce the CRs. When EnableFWControllerEnforcement is true, we simply drop the direct GCE firewall configurations. We use cluster proto as the source of truth to turn this flag on/off.

[k8s-ci-robot]

Hi @sugangli. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

Welcome @sugangli!

It looks like this is your first PR to kubernetes/ingress-gce 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/ingress-gce has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[swetharepakula]

/ok-to-test

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[sugangli]

/remove-lifecycle rotten

[swetharepakula]

I think this mostly looks good to me. I have thought about the two flags, and I think the enforcement flag should be renamed to indicate a behavior in ingress-gce instead of a behavior on an external component.

Thanks Sugang!

[swetharepakula]

Trying to understand why this was necessary for the tests? Is there something that is depending on the firewallClient even when the flag is disabled?

[sugangli]

Updated.

[swetharepakula]

should this pass in !flags.F.EnableFWControllerEnforcement since the field in the FirewallController is enforceCR?

[sugangli]

Per discussion, I renamed it to DisableFWEnforcement. Since they mean the same thing (disable ingress controller FW enforcement = enable FW controller enforcement), I renamed all of them without changing the logic.

[swetharepakula]

similar to the flag, enforceCR is confusing to understand in the code. Maybe disableFWEnforcement? I am assuming in this case disable will be easier to right the logic for than the other way.

[sugangli]

See the comment above.

[swetharepakula]

I think we should update the others to be like Creating or Created depending on whether the action we are logging has happened or not. If you think the error has enough context, I am fine with this as is.

[swetharepakula]

I was more wondering if the error by itself has enough context, so whatever is consuming, we should be able to understand in the logs what caused it.

[cezarygerard]

please use full name for 'PFW'

[sugangli]

Done.

[cezarygerard]

please use full name for 'PFW'

[sugangli]

Done.

[cezarygerard]

please rename to firewallcrclient

[sugangli]

Done.

[cezarygerard]

firewallCRClient

here and further

[cezarygerard]

firewallClient would suggest this is provisioning resources on the GCP

[sugangli]

Done.

[cezarygerard]

I think we should panic here

[sugangli]

Agreed. Updated.

[cezarygerard]

why not StringVar with 3 valid values?

[sugangli]

Technically I am fine with either way. But StringVar does not validate the values and we need to check it by ourselves? Plus, the other features flags are using Bool so it might be more consistent?

[cezarygerard]

ctx.FirewallInformer.AddEventHandler

what we get updates on? Firewall CRs rigth?
when the Platform Firewall Controller changes the CR?
or when customer changes something there?

[sugangli]

The PFW controller will update the status of the CR, and some status requires the ingress controller to take actions. For example, the ingress controller needs to populate gcloud command for the user if there is an XPNPermission error.

[cezarygerard]

what should be the queueKey?

I am confused why we always use the fake?

	// queueKey is a "fake" key which can be enqueued to a task queue.
	queueKey = &v1.Ingress{
		ObjectMeta: metav1.ObjectMeta{Name: "queueKey"},
	}

@swetharepakula ?

[sugangli]

Because we won't have more than one ingress firewall at any given time?

[swetharepakula]

I didn't catch this initially. Even if we will only have one, I think it makes sense to either have a constant for the name of the single firewall CR or to just enqueue the CR from the cur in update func.
My preference is for the later, because I think it makes the most sense.

We should be checking that the firewall cr that we see is the one we expect before adding the queueKey.

[bowei]

What is the status of this change?

[sugangli]

I refactored L7 firewall pool code path according to what @cezarygerard proposed. Waiting for his comment. We have few more PRs to come after this. But I am only able to spend 20% of my time on this project.

[cezarygerard]

it's LGTM overall

thank you for applying my suggestions

let's just let's just remove this comment

"//// if we had enum-like flag 'crMode' to guard the firewall CR creation the above code would look ~like:"
and I will tag the change

[sugangli]

/retest

[cezarygerard]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cezarygerard, sugangli

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [cezarygerard]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment