[feat] adding linodeFirewall to clusters (#496)

* - defined the LinodeFirewall resource in linodeFirewall.yaml
- added the resource linodeFirewall.yaml in kustomization.yaml

* - added firewallRef to template

* - updated firewallRef definition
- added params apiVersion and kind

* - updated inboundPolicy
- removed inboundRules

* - re-added the newline at EOF in kustomization.yaml
- added newline at EOF in linodeFirewall.yaml
- reset the comment lines in linodeMachineTemplate.yaml
- added back the inbound rules

* - updated /24 to /8

* - added patches in vpcless flavors to delete the LinodeFirewall

* - added patches in vpcless flavors to delete the firewallRef

templates/flavors/k3s/full-vpcless/kustomization.yaml

@@ -163,3 +163,18 @@ patches:
           - sed -i '/swap/d' /etc/fstab
           - swapoff -a
           - hostnamectl set-hostname '{{ ds.meta_data.label }}' && hostname -F /etc/hostname
+  - target:
+      kind: LinodeFirewall
+    patch: |-
+      $patch: delete
+      apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+      kind: LinodeFirewall
+      metadata:
+        name: ${CLUSTER_NAME}
+  - target:
+      group: infrastructure.cluster.x-k8s.io
+      version: v1alpha2
+      kind: LinodeMachineTemplate
+    patch: |-
+      - op: remove
+        path: /spec/template/spec/firewallRef

templates/flavors/k3s/vpcless/kustomization.yaml

@@ -100,3 +100,18 @@ patches:
                   enabled: true
                 ui:
                   enabled: true
+  - target:
+      kind: LinodeFirewall
+    patch: |-
+      $patch: delete
+      apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+      kind: LinodeFirewall
+      metadata:
+        name: ${CLUSTER_NAME}
+  - target:
+      group: infrastructure.cluster.x-k8s.io
+      version: v1alpha2
+      kind: LinodeMachineTemplate
+    patch: |-
+      - op: remove
+        path: /spec/template/spec/firewallRef

templates/flavors/kubeadm/full-vpcless/kustomization.yaml

@@ -190,3 +190,18 @@ patches:
           maxRetry: 5
           retryPeriod: 2m
           minHealthyPeriod: 2h
+  - target:
+      kind: LinodeFirewall
+    patch: |-
+      $patch: delete
+      apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+      kind: LinodeFirewall
+      metadata:
+        name: ${CLUSTER_NAME}
+  - target:
+      group: infrastructure.cluster.x-k8s.io
+      version: v1alpha2
+      kind: LinodeMachineTemplate
+    patch: |-
+      - op: remove
+        path: /spec/template/spec/firewallRef

templates/flavors/kubeadm/vpcless/kustomization.yaml

@@ -117,3 +117,18 @@ patches:
     patch: |-
       - op: remove
         path: /spec/kubeadmConfigSpec/initConfiguration/skipPhases
+  - target:
+      kind: LinodeFirewall
+    patch: |-
+      $patch: delete
+      apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+      kind: LinodeFirewall
+      metadata:
+        name: ${CLUSTER_NAME}
+  - target:
+      group: infrastructure.cluster.x-k8s.io
+      version: v1alpha2
+      kind: LinodeMachineTemplate
+    patch: |-
+      - op: remove
+        path: /spec/template/spec/firewallRef

templates/flavors/rke2/full-vpcless/kustomization.yaml

@@ -71,3 +71,11 @@ patches:
                   device: /dev/sdc
               mounts:
                 - ["/dev/sdc", "/var/lib/etcd_data"]
+  - target:
+      kind: LinodeFirewall
+    patch: |-
+      $patch: delete
+      apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+      kind: LinodeFirewall
+      metadata:
+        name: ${CLUSTER_NAME}

templates/flavors/rke2/vpcless/kustomization.yaml

@@ -90,3 +90,18 @@ patches:
           - sed -i '/swap/d' /etc/fstab
           - swapoff -a
           - hostnamectl set-hostname '{{ ds.meta_data.label }}' && hostname -F /etc/hostname
+  - target:
+      kind: LinodeFirewall
+    patch: |-
+      $patch: delete
+      apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+      kind: LinodeFirewall
+      metadata:
+        name: ${CLUSTER_NAME}
+  - target:
+      group: infrastructure.cluster.x-k8s.io
+      version: v1alpha2
+      kind: LinodeMachineTemplate
+    patch: |-
+      - op: remove
+        path: /spec/template/spec/firewallRef

templates/infra/kustomization.yaml

@@ -7,3 +7,4 @@ resources:
   - linodeMachineTemplate.yaml
   - machineDeployment.yaml
   - secret.yaml
+  - linodeFirewall.yaml

templates/infra/linodeFirewall.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+kind: LinodeFirewall
+metadata:
+  labels:
+    cluster.x-k8s.io/cluster-name: ${CLUSTER_NAME}
+  name: ${CLUSTER_NAME}
+spec:
+  enabled: ${LINODE_FIREWALL_ENABLED:=false}
+  inboundPolicy: DROP
+  inboundRules:
+    - action: ACCEPT
+      label: intra-cluster
+      ports: "1-65535"
+      protocol: "TCP"
+      addresses:
+        ipv4:
+          - "10.0.0.0/8"
+    - action: ACCEPT
+      addresses:
+        ipv4:
+          - 0.0.0.0/0
+        ipv6:
+          - ::/0
+      ports: "6443"
+      protocol: TCP
+      label: inbound-api-server

templates/infra/linodeMachineTemplate.yaml

@@ -9,6 +9,10 @@ spec:
       image: ${LINODE_OS:="linode/ubuntu22.04"}
       type: ${LINODE_CONTROL_PLANE_MACHINE_TYPE}
       region: ${LINODE_REGION}
+      firewallRef:
+        apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+        kind: LinodeFirewall
+        name: ${CLUSTER_NAME}
       # diskEncryption: disabled
       interfaces:
         - purpose: public
@@ -26,6 +30,10 @@ spec:
       image: ${LINODE_OS:="linode/ubuntu22.04"}
       type: ${LINODE_MACHINE_TYPE}
       region: ${LINODE_REGION}
+      firewallRef:
+        apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+        kind: LinodeFirewall
+        name: ${CLUSTER_NAME}
       # diskEncryption: disabled
       interfaces:
         - purpose: public