CORS-4230: Add SkipFirewallRuleCreation

api:

Add API changes to SkipFirewallRuleCreation. When true, the firewall rules will not be
created. When this is the case, the firewall rules should exist prior to creating the network.
This will allow ServiceAccounts to skip the rules:

compute.firewalls.create

cloud:

Update the services and interfaces. The firewall service will no longer create firewall rules when
the skip firewall rule creation is enabled OR when it is a shared vpc.

Author: barbacbd

api/v1beta1/types.go

@@ -137,6 +137,10 @@ type NetworkSpec struct {
 	// +optional
 	HostProject *string `json:"hostProject,omitempty"`
 
+	// SkipFirewallRuleCreation should be set to true when no firewall rules should be
+	// created by the provider.
+	SkipFirewallRuleCreation *bool `json:"skipFirewallRuleCreation,omitempty"`
+
 	// Mtu: Maximum Transmission Unit in bytes. The minimum value for this field is
 	// 1300 and the maximum value is 8896. The suggested value is 1500, which is
 	// the default MTU used on the Internet, or 8896 if you want to use Jumbo

api/v1beta1/zz_generated.deepcopy.go

@@ -58,6 +58,7 @@ type ClusterGetter interface {
 	NetworkName() string
 	NetworkProject() string
 	IsSharedVpc() bool
+	SkipFirewallRuleCreation() bool
 	Network() *infrav1.Network
 	AdditionalLabels() infrav1.Labels
 	FailureDomains() clusterv1.FailureDomains

cloud/interfaces.go

@@ -106,6 +106,12 @@ func (s *ClusterScope) NetworkProject() string {
 	return ptr.Deref(s.GCPCluster.Spec.Network.HostProject, s.Project())
 }
 
+// SkipFirewallRuleCreation returns whether the spec indicates that firewall rules
+// should be created or not.
+func (s *ClusterScope) SkipFirewallRuleCreation() bool {
+	return ptr.Deref(s.GCPCluster.Spec.Network.SkipFirewallRuleCreation, false) || s.IsSharedVpc()
+}
+
 // IsSharedVpc returns true If sharedVPC used else , returns false.
 func (s *ClusterScope) IsSharedVpc() bool {
 	return s.NetworkProject() != s.Project()

cloud/scope/cluster.go

@@ -129,6 +129,12 @@ func (s *ManagedClusterScope) NetworkProject() string {
 	return ptr.Deref(s.GCPManagedCluster.Spec.Network.HostProject, s.Project())
 }
 
+// SkipFirewallRuleCreation returns whether the spec indicates that firewall rules
+// should be created or not.
+func (s *ManagedClusterScope) SkipFirewallRuleCreation() bool {
+	return ptr.Deref(s.GCPManagedCluster.Spec.Network.SkipFirewallRuleCreation, false) || s.IsSharedVpc()
+}
+
 // IsSharedVpc returns true If sharedVPC used else , returns false.
 func (s *ManagedClusterScope) IsSharedVpc() bool {
 	return s.NetworkProject() != s.Project()

cloud/scope/managedcluster.go

@@ -28,8 +28,8 @@ import (
 // Reconcile reconcile cluster firewall compoenents.
 func (s *Service) Reconcile(ctx context.Context) error {
 	log := log.FromContext(ctx)
-	if s.scope.IsSharedVpc() {
-		log.V(2).Info("Shared VPC enabled. Ignore Reconciling firewall resources")
+	if s.scope.SkipFirewallRuleCreation() {
+		log.V(2).Info("Ignore Reconciling firewall resources")
 		return nil
 	}
 	log.Info("Reconciling firewall resources")

cloud/services/compute/firewalls/reconcile.go

@@ -203,6 +203,11 @@ spec:
                   name:
                     description: Name is the name of the network to be used.
                     type: string
+                  skipFirewallRuleCreation:
+                    description: |-
+                      SkipFirewallRuleCreation should be set to true when no firewall rules should be
+                      created by the provider.
+                    type: boolean
                   subnets:
                     description: Subnets configuration.
                     items:

config/crd/bases/infrastructure.cluster.x-k8s.io_gcpclusters.yaml

@@ -222,6 +222,11 @@ spec:
                           name:
                             description: Name is the name of the network to be used.
                             type: string
+                          skipFirewallRuleCreation:
+                            description: |-
+                              SkipFirewallRuleCreation should be set to true when no firewall rules should be
+                              created by the provider.
+                            type: boolean
                           subnets:
                             description: Subnets configuration.
                             items:

config/crd/bases/infrastructure.cluster.x-k8s.io_gcpclustertemplates.yaml

@@ -199,6 +199,11 @@ spec:
                   name:
                     description: Name is the name of the network to be used.
                     type: string
+                  skipFirewallRuleCreation:
+                    description: |-
+                      SkipFirewallRuleCreation should be set to true when no firewall rules should be
+                      created by the provider.
+                    type: boolean
                   subnets:
                     description: Subnets configuration.
                     items:

config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedclusters.yaml

@@ -193,6 +193,11 @@ spec:
                           name:
                             description: Name is the name of the network to be used.
                             type: string
+                          skipFirewallRuleCreation:
+                            description: |-
+                              SkipFirewallRuleCreation should be set to true when no firewall rules should be
+                              created by the provider.
+                            type: boolean
                           subnets:
                             description: Subnets configuration.
                             items: