only automatically put latest fwcv into firewall if supported (#201)

pkg/apis/metal/types_cloudprofile.go

@@ -36,8 +36,25 @@ type FirewallControllerVersion struct {
 	Version string
 	// URL points to the downloadable binary artifact of the firewall controller
 	URL string
+	// Classification defines the state of a version (preview, supported, deprecated)
+	Classification *VersionClassification
 }
 
+// VersionClassification is the logical state of a version according to https://github.com/gardener/gardener/blob/master/docs/operations/versioning.md
+type VersionClassification string
+
+const (
+	// ClassificationPreview indicates that a version has recently been added and not promoted to "Supported" yet.
+	// ClassificationPreview versions will not be considered for automatic firewallcontroller version updates.
+	ClassificationPreview VersionClassification = "preview"
+	// ClassificationSupported indicates that a patch version is the recommended version for a shoot.
+	// Supported versions are eligible for the automated firewallcontroller version update.
+	ClassificationSupported VersionClassification = "supported"
+	// ClassificationDeprecated indicates that a patch version should not be used anymore, should be updated to a new version
+	// and will eventually expire.
+	ClassificationDeprecated VersionClassification = "deprecated"
+)
+
 // Partition contains configuration specific for this metal stack control plane partition
 type Partition struct{}
 

pkg/apis/metal/v1alpha1/types_cloudprofile.go

@@ -42,8 +42,25 @@ type FirewallControllerVersion struct {
 	Version string `json:"version"`
 	// URL points to the downloadable binary artifact of the firewall controller
 	URL string `json:"url"`
+	// Classification defines the state of a version (preview, supported, deprecated)
+	Classification *VersionClassification `json:"classification,omitempty"`
 }
 
+// VersionClassification is the logical state of a version according to https://github.com/gardener/gardener/blob/master/docs/operations/versioning.md
+type VersionClassification string
+
+const (
+	// ClassificationPreview indicates that a version has recently been added and not promoted to "Supported" yet.
+	// ClassificationPreview versions will not be considered for automatic firewallcontroller version updates.
+	ClassificationPreview VersionClassification = "preview"
+	// ClassificationSupported indicates that a patch version is the recommended version for a shoot.
+	// Supported versions are eligible for the automated firewallcontroller version update.
+	ClassificationSupported VersionClassification = "supported"
+	// ClassificationDeprecated indicates that a patch version should not be used anymore, should be updated to a new version
+	// and will eventually expire.
+	ClassificationDeprecated VersionClassification = "deprecated"
+)
+
 // Partition contains configuration specific for this metal stack control plane partition
 type Partition struct{}
 

pkg/apis/metal/validation/cloudprofile.go

@@ -24,6 +24,8 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )
 
+var supportedVersionClassifications = sets.NewString(string(apismetal.ClassificationPreview), string(apismetal.ClassificationSupported), string(apismetal.ClassificationDeprecated))
+
 // ValidateCloudProfileConfig validates a CloudProfileConfig object.
 func ValidateCloudProfileConfig(cloudProfileConfig *apismetal.CloudProfileConfig, cloudProfile *core.CloudProfile, providerConfigPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
@@ -37,18 +39,23 @@ func ValidateCloudProfileConfig(cloudProfileConfig *apismetal.CloudProfileConfig
 
 	controlPlanesPath := providerConfigPath.Child("metalControlPlanes")
 	for mcpName, mcp := range cloudProfileConfig.MetalControlPlanes {
-
+		mcpField := controlPlanesPath.Child(mcpName)
 		versionSet := sets.NewString()
 		for _, v := range mcp.FirewallControllerVersions {
+			fwcField := mcpField.Child("firewallControllerVersions")
+			if v.Classification != nil && !supportedVersionClassifications.Has(string(*v.Classification)) {
+				allErrs = append(allErrs, field.NotSupported(fwcField.Child("classification"), *v.Classification, supportedVersionClassifications.List()))
+			}
+
 			versionSet.Insert(v.Version)
 		}
 		if versionSet.Len() != len(mcp.FirewallControllerVersions) {
-			allErrs = append(allErrs, field.Invalid(controlPlanesPath.Child(mcpName), "firewallcontrollerversions", "contains duplicate entries"))
+			allErrs = append(allErrs, field.Invalid(mcpField.Child("firewallcontrollerversions"), "version", "contains duplicate entries"))
 		}
 
 		for partitionName := range mcp.Partitions {
 			if !availableZones.Has(partitionName) {
-				allErrs = append(allErrs, field.Invalid(controlPlanesPath.Child(mcpName), partitionName, fmt.Sprintf("the control plane has a partition that is not a configured zone in any of the cloud profile regions: %v", availableZones.List())))
+				allErrs = append(allErrs, field.Invalid(mcpField, partitionName, fmt.Sprintf("the control plane has a partition that is not a configured zone in any of the cloud profile regions: %v", availableZones.List())))
 			}
 		}
 	}

pkg/apis/metal/validation/firewall_controller.go

@@ -25,7 +25,7 @@ func ValidateFirewallControllerVersion(availableVersions []apismetal.FirewallCon
 		}
 	}
 
-	return nil, fmt.Errorf("firewall controller version:%s was not found in available versions: %s", specVersion, availableVersions)
+	return nil, fmt.Errorf("firewall controller version:%s was not found in available versions: %v", specVersion, availableVersions)
 }
 
 func getLatestFirewallControllerVersion(availableVersions []apismetal.FirewallControllerVersion) (*apismetal.FirewallControllerVersion, error) {
@@ -36,6 +36,14 @@ func getLatestFirewallControllerVersion(availableVersions []apismetal.FirewallCo
 		if err != nil {
 			continue
 		}
+		// no given classification considered as preview
+		if v.Classification == nil {
+			continue
+		}
+		// only "supported" counts
+		if v.Classification != nil && *v.Classification != apismetal.ClassificationSupported {
+			continue
+		}
 		av = append(av, v)
 	}
 

pkg/apis/metal/validation/firewall_controller_test.go

@@ -8,6 +8,9 @@ import (
 )
 
 func Test_getLatestFirewallControllerVersion(t *testing.T) {
+	preview := apismetal.ClassificationPreview
+	supported := apismetal.ClassificationSupported
+
 	tests := []struct {
 		name              string
 		availableVersions []apismetal.FirewallControllerVersion
@@ -16,31 +19,37 @@ func Test_getLatestFirewallControllerVersion(t *testing.T) {
 	}{
 		{
 			name:              "simple",
-			availableVersions: []apismetal.FirewallControllerVersion{{Version: "v1.0.1"}, {Version: "v1.0.2"}, {Version: "v1.0.3"}},
-			want:              &apismetal.FirewallControllerVersion{Version: "v1.0.3"},
+			availableVersions: []apismetal.FirewallControllerVersion{{Version: "v1.0.1", Classification: &supported}, {Version: "v1.0.2", Classification: &supported}, {Version: "v1.0.3", Classification: &supported}},
+			want:              &apismetal.FirewallControllerVersion{Version: "v1.0.3", Classification: &supported},
 			wantErr:           false,
 		},
 		{
 			name:              "even more simple",
-			availableVersions: []apismetal.FirewallControllerVersion{{Version: "v1.0.1"}, {Version: "v0.0.2"}, {Version: "v2.0.3"}, {Version: "v0.0.3"}},
-			want:              &apismetal.FirewallControllerVersion{Version: "v2.0.3"},
+			availableVersions: []apismetal.FirewallControllerVersion{{Version: "v1.0.1", Classification: &preview}, {Version: "v0.0.2", Classification: &supported}, {Version: "v2.0.3", Classification: &supported}, {Version: "v0.0.3", Classification: &supported}},
+			want:              &apismetal.FirewallControllerVersion{Version: "v2.0.3", Classification: &supported},
 			wantErr:           false,
 		},
 		{
 			name:              "one version is specified with git sha",
-			availableVersions: []apismetal.FirewallControllerVersion{{Version: "v1.0.1"}, {Version: "2fb7fd7"}, {Version: "v2.0.3"}, {Version: "v0.0.3"}},
-			want:              &apismetal.FirewallControllerVersion{Version: "v2.0.3"},
+			availableVersions: []apismetal.FirewallControllerVersion{{Version: "v1.0.1", Classification: &supported}, {Version: "2fb7fd7", Classification: &preview}, {Version: "v2.0.3", Classification: &supported}, {Version: "v0.0.3", Classification: &supported}},
+			want:              &apismetal.FirewallControllerVersion{Version: "v2.0.3", Classification: &supported},
 			wantErr:           false,
 		},
 		{
 			name:              "only one version is specified semver compatible",
-			availableVersions: []apismetal.FirewallControllerVersion{{Version: "1fb7fd7"}, {Version: "2fb7fd7"}, {Version: "v2.0.3"}, {Version: "4fb7fd7"}},
-			want:              &apismetal.FirewallControllerVersion{Version: "v2.0.3"},
+			availableVersions: []apismetal.FirewallControllerVersion{{Version: "1fb7fd7"}, {Version: "2fb7fd7", Classification: &preview}, {Version: "v2.0.3", Classification: &supported}, {Version: "4fb7fd7", Classification: &supported}},
+			want:              &apismetal.FirewallControllerVersion{Version: "v2.0.3", Classification: &supported},
+			wantErr:           false,
+		},
+		{
+			name:              "latest version is preview",
+			availableVersions: []apismetal.FirewallControllerVersion{{Version: "1fb7fd7"}, {Version: "2fb7fd7", Classification: &preview}, {Version: "v2.0.3", Classification: &supported}, {Version: "v2.1.0", Classification: &preview}},
+			want:              &apismetal.FirewallControllerVersion{Version: "v2.0.3", Classification: &supported},
 			wantErr:           false,
 		},
 		{
 			name:              "no version is specified semver compatible",
-			availableVersions: []apismetal.FirewallControllerVersion{{Version: "1fb7fd7"}, {Version: "2fb7fd7"}, {Version: "4fb7fd7"}},
+			availableVersions: []apismetal.FirewallControllerVersion{{Version: "1fb7fd7", Classification: &preview}, {Version: "2fb7fd7", Classification: &preview}, {Version: "4fb7fd7", Classification: &preview}},
 			want:              nil,
 			wantErr:           true,
 		},

pkg/apis/metal/validation/infrastructure_test.go

@@ -222,6 +222,7 @@ var _ = Describe("InfrastructureConfig validation", func() {
 })
 
 func createCloudProfileConfig() *apismetal.CloudProfileConfig {
+	supported := apismetal.ClassificationSupported
 	return &apismetal.CloudProfileConfig{
 		MetalControlPlanes: map[string]apismetal.MetalControlPlane{
 			"prod": {
@@ -230,7 +231,7 @@ func createCloudProfileConfig() *apismetal.CloudProfileConfig {
 					"partition-a": {},
 				},
 				FirewallControllerVersions: []apismetal.FirewallControllerVersion{
-					{Version: "v1.0.1"},
+					{Version: "v1.0.1", Classification: &supported},
 				},
 			},
 		},