[Feat] Enable adding NodeBalancer to Linode Firewall

api/v1alpha2/linodecluster_types.go

@@ -47,6 +47,11 @@ type LinodeClusterSpec struct {
 	// +optional
 	VPCRef *corev1.ObjectReference `json:"vpcRef,omitempty"`
 
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
+	// +optional
+	// NodeBalancerFirewallRef is a reference to a NodeBalancer Firewall object. This makes the linode use the specified NodeBalancer Firewall.
+	NodeBalancerFirewallRef *corev1.ObjectReference `json:"nodeBalancerFirewallRef,omitempty"`
+
 	// CredentialsRef is a reference to a Secret that contains the credentials to use for provisioning this cluster. If not
 	// supplied then the credentials of the controller will be used.
 	// +optional
@@ -142,6 +147,9 @@ type NetworkSpec struct {
 	// NodeBalancerID is the id of NodeBalancer.
 	// +optional
 	NodeBalancerID *int `json:"nodeBalancerID,omitempty"`
+	// NodeBalancerFirewallID is the id of NodeBalancer Firewall.
+	// +optional
+	NodeBalancerFirewallID *int `json:"nodeBalancerFirewallID,omitempty"`
 	// apiserverNodeBalancerConfigID is the config ID of api server NodeBalancer config.
 	// +optional
 	ApiserverNodeBalancerConfigID *int `json:"apiserverNodeBalancerConfigID,omitempty"`

cloud/scope/common.go

@@ -148,7 +148,7 @@ func addCredentialsFinalizer(ctx context.Context, crClient K8sClient, credential
 func removeCredentialsFinalizer(ctx context.Context, crClient K8sClient, credentialsRef corev1.SecretReference, defaultNamespace, finalizer string) error {
 	secret, err := getCredentials(ctx, crClient, credentialsRef, defaultNamespace)
 	if err != nil {
-		return err
+		return client.IgnoreNotFound(err)
 	}
 
 	controllerutil.RemoveFinalizer(secret, finalizer)

cloud/scope/firewall.go

@@ -18,6 +18,7 @@ import (
 	"errors"
 	"fmt"
 
+	"k8s.io/client-go/util/retry"
 	"sigs.k8s.io/cluster-api/util/patch"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
@@ -102,19 +103,25 @@ func (s *FirewallScope) AddCredentialsRefFinalizer(ctx context.Context) error {
 		return nil
 	}
 
-	return addCredentialsFinalizer(ctx, s.Client,
-		*s.LinodeFirewall.Spec.CredentialsRef, s.LinodeFirewall.GetNamespace(),
-		toFinalizer(s.LinodeFirewall))
+	// Retry on conflict to handle the case where the secret is being updated concurrently.
+	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		return addCredentialsFinalizer(ctx, s.Client,
+			*s.LinodeFirewall.Spec.CredentialsRef, s.LinodeFirewall.GetNamespace(),
+			toFinalizer(s.LinodeFirewall))
+	})
 }
 
 func (s *FirewallScope) RemoveCredentialsRefFinalizer(ctx context.Context) error {
 	if s.LinodeFirewall.Spec.CredentialsRef == nil {
 		return nil
 	}
 
-	return removeCredentialsFinalizer(ctx, s.Client,
-		*s.LinodeFirewall.Spec.CredentialsRef, s.LinodeFirewall.GetNamespace(),
-		toFinalizer(s.LinodeFirewall))
+	// Retry on conflict to handle the case where the secret is being updated concurrently.
+	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		return removeCredentialsFinalizer(ctx, s.Client,
+			*s.LinodeFirewall.Spec.CredentialsRef, s.LinodeFirewall.GetNamespace(),
+			toFinalizer(s.LinodeFirewall))
+	})
 }
 
 func (s *FirewallScope) SetCredentialRefTokenForLinodeClients(ctx context.Context) error {

cloud/services/loadbalancers.go

@@ -9,7 +9,9 @@
 
 	"github.com/go-logr/logr"
 	"github.com/linode/linodego"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/cluster-api/api/v1beta1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/linode/cluster-api-provider-linode/api/v1alpha2"
 	"github.com/linode/cluster-api-provider-linode/cloud/scope"
@@ -35,15 +37,69 @@
 	}
 
 	logger.Info(fmt.Sprintf("Creating NodeBalancer %s", clusterScope.LinodeCluster.Name))
+
 	createConfig := linodego.NodeBalancerCreateOptions{
 		Label:  util.Pointer(clusterScope.LinodeCluster.Name),
 		Region: clusterScope.LinodeCluster.Spec.Region,
 		Tags:   []string{string(clusterScope.LinodeCluster.UID)},
 	}
 
+	// get firewall ID from firewallRef if it exists
+	if clusterScope.LinodeCluster.Spec.NodeBalancerFirewallRef != nil {
+		firewallID, err := getFirewallID(ctx, clusterScope, logger)
+		if err != nil {
+			logger.Error(err, "Failed to fetch LinodeFirewall ID")
+			return nil, err
+		}
+		createConfig.FirewallID = firewallID
+		clusterScope.LinodeCluster.Spec.Network.NodeBalancerFirewallID = &firewallID
+	}
+
+	// Use a firewall created outside of the CAPL ecosystem
+	// get & validate firewall ID from .Spec.Network.FirewallID if it exists
+	if clusterScope.LinodeCluster.Spec.Network.NodeBalancerFirewallID != nil {
+		firewallID := *clusterScope.LinodeCluster.Spec.Network.NodeBalancerFirewallID
+		firewall, err := clusterScope.LinodeClient.GetFirewall(ctx, firewallID)
+		if err != nil {
+			logger.Error(err, "Failed to fetch Linode Firewall from the Linode API")
+			return nil, err
+		}
+		createConfig.FirewallID = firewall.ID
+	}
+
 	return clusterScope.LinodeClient.CreateNodeBalancer(ctx, createConfig)
 }
 
+func getFirewallID(ctx context.Context, clusterScope *scope.ClusterScope, logger logr.Logger) (int, error) {
+	name := clusterScope.LinodeCluster.Spec.NodeBalancerFirewallRef.Name
+	namespace := clusterScope.LinodeCluster.Spec.NodeBalancerFirewallRef.Namespace
+	if namespace == "" {
+		namespace = clusterScope.LinodeCluster.Namespace
+	}
+
+	logger = logger.WithValues("firewallName", name, "firewallNamespace", namespace)
+
+	linodeFirewall := &v1alpha2.LinodeFirewall{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: namespace,
+			Name:      name,
+		},
+	}
+	objectKey := client.ObjectKeyFromObject(linodeFirewall)
+	err := clusterScope.Client.Get(ctx, objectKey, linodeFirewall)
+	if err != nil {
+		logger.Error(err, "Failed to fetch LinodeFirewall")
+		return -1, err
+	}
+	if linodeFirewall.Spec.FirewallID == nil {
+		err = errors.New("nil firewallID")
+		logger.Error(err, "Failed to fetch LinodeFirewall")
+		return -1, err
+	}
+
+	return *linodeFirewall.Spec.FirewallID, nil
+}
+
 // EnsureNodeBalancerConfigs creates NodeBalancer configs if it does not exist or returns the existing NodeBalancerConfig
 func EnsureNodeBalancerConfigs(
 	ctx context.Context,