Report last seed updated controllerstatus (#46)

Makefile

@@ -26,7 +26,7 @@ clean:
 	rm -f bin/*
 
 # Run tests
-test:
+test: generate manifests
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out
 
 # Build manager binary

api/v2/types_firewall.go

@@ -174,8 +174,10 @@ const (
 	FirewallCreated ConditionType = "Created"
 	// FirewallReady indicates that the firewall is running and and according to the metal-api in a healthy, working state
 	FirewallReady ConditionType = "Ready"
-	// FirewallControllerConnected indicates that the firewall-controller running on the firewall is reconciling the firewall resource
+	// FirewallControllerConnected indicates that the firewall-controller running on the firewall is reconciling the shoot
 	FirewallControllerConnected ConditionType = "Connected"
+	// FirewallControllerSeedConnected indicates that the firewall-controller running on the firewall is reconciling the firewall resource
+	FirewallControllerSeedConnected ConditionType = "SeedConnected"
 	// FirewallMonitorDeployed indicates that the firewall monitor is deployed into the shoot cluster
 	FirewallMonitorDeployed ConditionType = "MonitorDeployed"
 	// FirewallDistanceConfigured indicates that the firewall-controller has configured the given firewall distance.
@@ -226,8 +228,10 @@ type MachineLastEvent struct {
 type ControllerConnection struct {
 	// ActualVersion is the actual version running at the firewall-controller.
 	ActualVersion string `json:"actualVersion,omitempty"`
-	// Updated is a timestamp when the controller has last reconciled the firewall resource.
+	// Updated is a timestamp when the controller has last reconciled the shoot cluster.
 	Updated metav1.Time `json:"lastRun,omitempty"`
+	// SeedUpdated is a timestamp when the controller has last reconciled the firewall resource.
+	SeedUpdated metav1.Time `json:"lastRunAgainstSeed,omitempty"`
 	// ActualDistance is the actual distance as reflected by the firewall-controller.
 	ActualDistance FirewallDistance `json:"actualDistance,omitempty"`
 }

api/v2/types_firewallmonitor.go

@@ -58,6 +58,7 @@ type ControllerStatus struct {
 	ControllerVersion       string           `json:"controllerVersion,omitempty"`
 	NftablesExporterVersion string           `json:"nftablesExporterVersion,omitempty"`
 	Updated                 metav1.Time      `json:"lastRun,omitempty"`
+	SeedUpdated             metav1.Time      `json:"lastRunAgainstSeed,omitempty"`
 	Distance                FirewallDistance `json:"distance,omitempty"`
 	DistanceSupported       bool             `json:"distanceSupported,omitempty"`
 }

config/crds/firewall.metal-stack.io_firewallmonitors.yaml

@@ -108,6 +108,9 @@ spec:
               lastRun:
                 format: date-time
                 type: string
+              lastRunAgainstSeed:
+                format: date-time
+                type: string
               message:
                 type: string
               nftablesExporterVersion:

config/crds/firewall.metal-stack.io_firewalls.yaml

@@ -255,7 +255,12 @@ spec:
                     type: string
                   lastRun:
                     description: Updated is a timestamp when the controller has last
-                      reconciled the firewall resource.
+                      reconciled the shoot cluster.
+                    format: date-time
+                    type: string
+                  lastRunAgainstSeed:
+                    description: SeedUpdated is a timestamp when the controller has
+                      last reconciled the firewall resource.
                     format: date-time
                     type: string
                 type: object

controllers/firewall/status.go

@@ -121,6 +121,9 @@ func SetFirewallStatusFromMonitor(fw *v2.Firewall, mon *v2.FirewallMonitor) {
 		cond := v2.NewCondition(v2.FirewallControllerConnected, v2.ConditionTrue, "NotChecking", "Not checking controller connection due to firewall annotation.")
 		fw.Status.Conditions.Set(cond)
 
+		cond = v2.NewCondition(v2.FirewallControllerSeedConnected, v2.ConditionTrue, "NotChecking", "Not checking controller seed connection due to firewall annotation.")
+		fw.Status.Conditions.Set(cond)
+
 		cond = v2.NewCondition(v2.FirewallDistanceConfigured, v2.ConditionTrue, "NotChecking", "Not checking distance due to firewall annotation.")
 		fw.Status.Conditions.Set(cond)
 
@@ -144,22 +147,37 @@ func SetFirewallStatusFromMonitor(fw *v2.Firewall, mon *v2.FirewallMonitor) {
 	connection := &v2.ControllerConnection{
 		ActualVersion:  mon.ControllerStatus.ControllerVersion,
 		Updated:        mon.ControllerStatus.Updated,
+		SeedUpdated:    mon.ControllerStatus.SeedUpdated,
 		ActualDistance: mon.ControllerStatus.Distance,
 	}
 
 	fw.Status.ControllerStatus = connection
 
+	// Check if the firewall-controller has reconciled the shoot
 	if connection.Updated.Time.IsZero() {
-		cond := v2.NewCondition(v2.FirewallControllerConnected, v2.ConditionFalse, "NotConnected", "Controller has not yet connected.")
+		cond := v2.NewCondition(v2.FirewallControllerConnected, v2.ConditionFalse, "NotConnected", "Controller has not yet connected to shoot.")
 		fw.Status.Conditions.Set(cond)
 	} else if time.Since(connection.Updated.Time) > 5*time.Minute {
-		cond := v2.NewCondition(v2.FirewallControllerConnected, v2.ConditionFalse, "StoppedReconciling", fmt.Sprintf("Controller has stopped reconciling since %s.", connection.Updated.Time.String()))
+		cond := v2.NewCondition(v2.FirewallControllerConnected, v2.ConditionFalse, "StoppedReconciling", fmt.Sprintf("Controller has stopped reconciling since %s to shoot.", connection.Updated.Time.String()))
+		fw.Status.Conditions.Set(cond)
+	} else {
+		cond := v2.NewCondition(v2.FirewallControllerConnected, v2.ConditionTrue, "Connected", fmt.Sprintf("Controller reconciled shoot at %s.", connection.Updated.Time.String()))
+		fw.Status.Conditions.Set(cond)
+	}
+
+	// Check if the firewall-controller has reconciled the firewall
+	if connection.SeedUpdated.Time.IsZero() {
+		cond := v2.NewCondition(v2.FirewallControllerSeedConnected, v2.ConditionFalse, "NotConnected", "Controller has not yet connected to seed.")
+		fw.Status.Conditions.Set(cond)
+	} else if time.Since(connection.SeedUpdated.Time) > 5*time.Minute {
+		cond := v2.NewCondition(v2.FirewallControllerSeedConnected, v2.ConditionFalse, "StoppedReconciling", fmt.Sprintf("Controller has stopped reconciling since %s to seed.", connection.SeedUpdated.Time.String()))
 		fw.Status.Conditions.Set(cond)
 	} else {
-		cond := v2.NewCondition(v2.FirewallControllerConnected, v2.ConditionTrue, "Connected", fmt.Sprintf("Controller reconciled firewall at %s.", connection.Updated.Time.String()))
+		cond := v2.NewCondition(v2.FirewallControllerSeedConnected, v2.ConditionTrue, "Connected", fmt.Sprintf("Controller reconciled firewall at %s.", connection.SeedUpdated.Time.String()))
 		fw.Status.Conditions.Set(cond)
 	}
 
+	// Check if the firewall-controller has reconciled the distance
 	if !mon.ControllerStatus.DistanceSupported {
 		cond := v2.NewCondition(v2.FirewallDistanceConfigured, v2.ConditionTrue, "NotChecking", "Controller does not support distance reconciliation.")
 		fw.Status.Conditions.Set(cond)

controllers/set/status.go

@@ -19,13 +19,14 @@ func (c *controller) setStatus(r *controllers.Ctx[*v2.FirewallSet], ownedFirewal
 		var (
 			fw = fw
 
-			created   = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallCreated)).Status == v2.ConditionTrue
-			ready     = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallReady)).Status == v2.ConditionTrue
-			connected = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue
-			distance  = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallDistanceConfigured)).Status == v2.ConditionTrue
+			created       = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallCreated)).Status == v2.ConditionTrue
+			ready         = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallReady)).Status == v2.ConditionTrue
+			connected     = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerConnected)).Status == v2.ConditionTrue
+			seedConnected = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallControllerSeedConnected)).Status == v2.ConditionTrue
+			distance      = pointer.SafeDeref(fw.Status.Conditions.Get(v2.FirewallDistanceConfigured)).Status == v2.ConditionTrue
 		)
 
-		if created && ready && connected && distance {
+		if created && ready && connected && seedConnected && distance {
 			r.Target.Status.ReadyReplicas++
 			continue
 		}

integration/integration_test.go

@@ -224,6 +224,7 @@ var _ = Context("integration test", Ordered, func() {
 				Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(mon), mon)).To(Succeed()) // refetch
 				mon.ControllerStatus = &v2.ControllerStatus{
 					Updated:           metav1.NewTime(time.Now()),
+					SeedUpdated:       metav1.NewTime(time.Now()),
 					Distance:          v2.FirewallShortestDistance,
 					DistanceSupported: true,
 				}
@@ -307,9 +308,18 @@ var _ = Context("integration test", Ordered, func() {
 					Expect(cond.LastTransitionTime).NotTo(BeZero())
 					Expect(cond.LastUpdateTime).NotTo(BeZero())
 					Expect(cond.Reason).To(Equal("Connected"))
-					Expect(cond.Message).To(Equal(fmt.Sprintf("Controller reconciled firewall at %s.", mon.ControllerStatus.Updated.Time.String())))
+					Expect(cond.Message).To(Equal(fmt.Sprintf("Controller reconciled shoot at %s.", mon.ControllerStatus.Updated.Time.String())))
 				})
+				It("should have the firewall-controller connected to seed condition true", func() {
+					cond := testcommon.WaitForCondition(k8sClient, ctx, fw.DeepCopy(), func(fd *v2.Firewall) v2.Conditions {
+						return fd.Status.Conditions
+					}, v2.FirewallControllerSeedConnected, v2.ConditionTrue, 15*time.Second)
 
+					Expect(cond.LastTransitionTime).NotTo(BeZero())
+					Expect(cond.LastUpdateTime).NotTo(BeZero())
+					Expect(cond.Reason).To(Equal("Connected"))
+					Expect(cond.Message).To(Equal(fmt.Sprintf("Controller reconciled firewall at %s.", mon.ControllerStatus.SeedUpdated.Time.String())))
+				})
 				It("should have configured the distance", func() {
 					cond := testcommon.WaitForCondition(k8sClient, ctx, fw.DeepCopy(), func(fd *v2.Firewall) v2.Conditions {
 						return fd.Status.Conditions
@@ -735,6 +745,7 @@ var _ = Context("integration test", Ordered, func() {
 					// simulating a firewall-controller updating the resource
 					mon.ControllerStatus = &v2.ControllerStatus{
 						Updated:           metav1.NewTime(time.Now()),
+						SeedUpdated:       metav1.NewTime(time.Now()),
 						Distance:          v2.FirewallRollingUpdateSetDistance,
 						DistanceSupported: true,
 					}
@@ -779,7 +790,7 @@ var _ = Context("integration test", Ordered, func() {
 						Expect(set.Status.ObservedRevision).To(Equal(1))
 					})
 
-					Context("the update is finalizes", func() {
+					Context("the update is finalized", func() {
 						It("should populate the controller status field in the firewall resource", func() {
 							var fw = fw.DeepCopy()
 							Eventually(func() *v2.ControllerConnection {
@@ -909,6 +920,7 @@ var _ = Context("integration test", Ordered, func() {
 				Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(mon), mon)).To(Succeed()) // refetch
 				mon.ControllerStatus = &v2.ControllerStatus{
 					Updated:           metav1.NewTime(time.Now()),
+					SeedUpdated:       metav1.NewTime(time.Now()),
 					Distance:          v2.FirewallShortestDistance,
 					DistanceSupported: true,
 				}
@@ -992,9 +1004,18 @@ var _ = Context("integration test", Ordered, func() {
 					Expect(cond.LastTransitionTime).NotTo(BeZero())
 					Expect(cond.LastUpdateTime).NotTo(BeZero())
 					Expect(cond.Reason).To(Equal("Connected"))
-					Expect(cond.Message).To(Equal(fmt.Sprintf("Controller reconciled firewall at %s.", mon.ControllerStatus.Updated.Time.String())))
+					Expect(cond.Message).To(Equal(fmt.Sprintf("Controller reconciled shoot at %s.", mon.ControllerStatus.Updated.Time.String())))
 				})
+				It("should have the firewall-controller connected to seed condition true", func() {
+					cond := testcommon.WaitForCondition(k8sClient, ctx, fw.DeepCopy(), func(fd *v2.Firewall) v2.Conditions {
+						return fd.Status.Conditions
+					}, v2.FirewallControllerSeedConnected, v2.ConditionTrue, 15*time.Second)
 
+					Expect(cond.LastTransitionTime).NotTo(BeZero())
+					Expect(cond.LastUpdateTime).NotTo(BeZero())
+					Expect(cond.Reason).To(Equal("Connected"))
+					Expect(cond.Message).To(Equal(fmt.Sprintf("Controller reconciled firewall at %s.", mon.ControllerStatus.SeedUpdated.Time.String())))
+				})
 				It("should have configured the distance", func() {
 					cond := testcommon.WaitForCondition(k8sClient, ctx, fw.DeepCopy(), func(fd *v2.Firewall) v2.Conditions {
 						return fd.Status.Conditions
@@ -1257,6 +1278,7 @@ var _ = Context("integration test", Ordered, func() {
 						// simulating a firewall-controller updating the resource
 						newMon.ControllerStatus = &v2.ControllerStatus{
 							Updated:           metav1.NewTime(time.Now()),
+							SeedUpdated:       metav1.NewTime(time.Now()),
 							Distance:          v2.FirewallShortestDistance,
 							DistanceSupported: true,
 						}
@@ -1341,7 +1363,18 @@ var _ = Context("integration test", Ordered, func() {
 						Expect(cond.LastTransitionTime).NotTo(BeZero())
 						Expect(cond.LastUpdateTime).NotTo(BeZero())
 						Expect(cond.Reason).To(Equal("Connected"))
-						Expect(cond.Message).To(Equal(fmt.Sprintf("Controller reconciled firewall at %s.", newMon.ControllerStatus.Updated.Time.String())))
+						Expect(cond.Message).To(Equal(fmt.Sprintf("Controller reconciled shoot at %s.", newMon.ControllerStatus.Updated.Time.String())))
+					})
+
+					It("should have the firewall-controller connected to seed condition true", func() {
+						cond := testcommon.WaitForCondition(k8sClient, ctx, newFw.DeepCopy(), func(fd *v2.Firewall) v2.Conditions {
+							return fd.Status.Conditions
+						}, v2.FirewallControllerSeedConnected, v2.ConditionTrue, 15*time.Second)
+
+						Expect(cond.LastTransitionTime).NotTo(BeZero())
+						Expect(cond.LastUpdateTime).NotTo(BeZero())
+						Expect(cond.Reason).To(Equal("Connected"))
+						Expect(cond.Message).To(Equal(fmt.Sprintf("Controller reconciled firewall at %s.", newMon.ControllerStatus.SeedUpdated.Time.String())))
 					})
 
 					It("should have firewall networks populated", func() {