metal-stack · Honigeintopf · Nov 5, 2024 · Nov 6, 2024 · Nov 22, 2024 · Nov 22, 2024
@@ -24,12 +24,14 @@ import (
 // FirewallMonitorReconciler reconciles a firewall monitor object
 type FirewallMonitorReconciler struct {
 	ShootClient client.Client
+	SeedClient  client.Client
 
 	Recorder record.EventRecorder
 	Log      logr.Logger
 
-	FirewallName string
-	Namespace    string
+	FirewallName  string
+	Namespace     string
+	SeedNamespace string
 
 	IDSEnabled bool
 	Interval   time.Duration
@@ -57,6 +59,9 @@ func (r *FirewallMonitorReconciler) SetupWithManager(mgr ctrl.Manager) error {
 				return false
 			},
 		}).
+		WithEventFilter(predicate.NewPredicateFuncs(func(object client.Object) bool {
+			return object.GetNamespace() == r.Namespace && object.GetName() == r.FirewallName
+		})).
 		Complete(r)
 }
 
@@ -70,6 +75,13 @@ func (r *FirewallMonitorReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		return ctrl.Result{}, err
 	}
 
+	f := &firewallv2.Firewall{}
+	if err := r.SeedClient.Get(ctx, req.NamespacedName, f); err != nil {
+		return ctrl.Result{}, fmt.Errorf("error retrieving resource: %w", err)
+	}
+
+	r.Log.Info("firewall fetched from Seed in Monitor", "Fw Distance", f.Distance, "Fw Name", f.Name)
+
 	idsStats := firewallv2.IDSStatsByDevice{}
 	if r.IDSEnabled {
 		s := suricata.New()
@@ -119,8 +131,8 @@ func (r *FirewallMonitorReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 			ControllerVersion:       v.Version,
 			NftablesExporterVersion: "", // TODO
 			Updated:                 metav1.NewTime(now),
-			Distance:                0,
-			DistanceSupported:       false,
+			Distance:                f.Distance,
+			DistanceSupported:       true,
 		}
 
 		if !r.seedUpdated.IsZero() {

@@ -206,19 +206,23 @@ func main() {
 		panic(err)
 	}
 
-	shootClient, err := controllerclient.New(shootConfig, controllerclient.Options{Scheme: scheme})
+	shootClient, err := controllerclient.New(shootConfig, controllerclient.Options{
+		Scheme: scheme,
+	})
 	if err != nil {
 		l.Error("unable to create shoot client", "error", err)
 		panic(err)
 	}
 
 	fwmReconciler := &controllers.FirewallMonitorReconciler{
-		ShootClient:  shootMgr.GetClient(),
-		Log:          ctrl.Log.WithName("controllers").WithName("FirewallMonitorReconciler"),
-		Recorder:     shootMgr.GetEventRecorderFor("FirewallMonitorController"),
-		IDSEnabled:   enableIDS,
-		FirewallName: firewallName,
-		Namespace:    firewallv2.FirewallShootNamespace,
+		ShootClient:   shootMgr.GetClient(),
+		SeedClient:    seedMgr.GetClient(),
+		Log:           ctrl.Log.WithName("controllers").WithName("FirewallMonitorReconciler"),
+		Recorder:      shootMgr.GetEventRecorderFor("FirewallMonitorController"),
+		IDSEnabled:    enableIDS,
+		FirewallName:  firewallName,
+		Namespace:     firewallv2.FirewallShootNamespace,
+		SeedNamespace: seedNamespace,
 	}
 
 	frrVersion, err := frr.DetectVersion()

@@ -70,6 +70,7 @@
 		return false, fmt.Errorf("failed to init networker config: %w", err)
 	}
 	c.Networks = GetNewNetworks(f, c.Networks)
+	c.FirewallDistance = uint8(f.Distance)
 
 	a := netconf.NewFrrConfigApplier(netconf.Firewall, *c, tmpFile, frrVersion)
 	tpl := netconf.MustParseTpl(netconf.TplFirewallFRR)