Configure compute.network_firewall_policy_rule and add example #769

Merged: turkenf merged 13 commits into crossplane-contrib:main from brais-real-edo:network_firewall_policy_rule on Apr 17, 2025

@brais-real-edo (Contributor) commented Apr 9, 2025

Description of your changes

I have:

  • Read and followed Crossplane's contribution process.
  • Run make reviewable to ensure this PR is ready for review.

How has this code been tested

Manual testing

google_network_security_address_group

Apply

> kubectl apply -f examples/networksecurity/v1beta1/addressgroup.yaml 
addressgroup.networksecurity.gcp.upbound.io/default created

> kubectl get managed
NAME                                                  SYNCED   READY   EXTERNAL-NAME   AGE
addressgroup.networksecurity.gcp.upbound.io/default   True     True    default         28s

> kubectl annotate managed --all upjet.upbound.io/test=true --overwrite
addressgroup.networksecurity.gcp.upbound.io/default annotate

> kubectl get addressgroups.networksecurity.gcp.upbound.io default -o yaml
(...)
  conditions:
  - lastTransitionTime: "2025-04-11T08:49:44Z"
    reason: Available
    status: "True"
    type: Ready
  - lastTransitionTime: "2025-04-11T08:49:31Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced
  - lastTransitionTime: "2025-04-11T08:49:42Z"
    reason: Success
    status: "True"
    type: LastAsyncOperation
  - lastTransitionTime: "2025-04-11T08:50:32Z"
    reason: UpToDate
    status: "True"
    type: Test

Import
make run stopped

> kubectl --subresource=status patch addressgroups.networksecurity.gcp.upbound.io/default --type=merge -p '{"status":{"conditions":[]}}'
addressgroup.networksecurity.gcp.upbound.io/default patched

> kubectl get addressgroups.networksecurity.gcp.upbound.io/default -o json | jq .status.atProvider.id
"projects/PROJECT/locations/LOCATION/addressGroups/default"

make run started

> kubectl get addressgroups.networksecurity.gcp.upbound.io/default -o yaml
(...)
  conditions:
  - lastTransitionTime: "2025-04-11T09:05:39Z"
    reason: Available
    status: "True"
    type: Ready
  - lastTransitionTime: "2025-04-11T09:05:39Z"
    reason: UpToDate
    status: "True"
    type: Test
  - lastTransitionTime: "2025-04-11T09:05:39Z"
    reason: Success
    status: "True"
    type: LastAsyncOperation
  - lastTransitionTime: "2025-04-11T09:05:39Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced

> kubectl get addressgroups.networksecurity.gcp.upbound.io/default -o json | jq .status.atProvider.id
"projects/PROJECT/locations/LOCATION/addressGroups/default"

Delete

> kubectl delete addressgroups.networksecurity.gcp.upbound.io default 
addressgroup.networksecurity.gcp.upbound.io "default" deleted

Resource has been deleted

google_compute_network_firewall_policy_rule

Apply

> kubectl apply -f examples/compute/v1beta1/networkfirewallpolicyrule.yaml
networkfirewallpolicyrule.compute.gcp.upbound.io/primary created
network.compute.gcp.upbound.io/basic-network created
networkfirewallpolicy.compute.gcp.upbound.io/basic-network-firewall-policy created
addressgroup.networksecurity.gcp.upbound.io/default created
tagkey.tags.gcp.upbound.io/basic-key created
tagvalue.tags.gcp.upbound.io/basic-value created

> kubectl get managed
NAME                                                                         SYNCED   READY   EXTERNAL-NAME                   AGE
networkfirewallpolicy.compute.gcp.upbound.io/basic-network-firewall-policy   True     True    basic-network-firewall-policy   9m43s

NAME                                                       SYNCED   READY   EXTERNAL-NAME                                                                                  AGE
networkfirewallpolicyrule.compute.gcp.upbound.io/primary   True     True    projects/PROJECT/global/firewallPolicies/basic-network-firewall-policy/rules/1000   9m43s

NAME                                           SYNCED   READY   EXTERNAL-NAME   AGE
network.compute.gcp.upbound.io/basic-network   True     True    basic-network   9m43s

NAME                                                                                     SYNCED   READY   EXTERNAL-NAME                                AGE
addressgroup.networksecurity.gcp.upbound.io/basic-global-networksecurity-address-group   True     True    basic-global-networksecurity-address-group   9m43s

NAME                                   SYNCED   READY   EXTERNAL-NAME             AGE
tagkey.tags.gcp.upbound.io/basic-key   True     True    tagKeys/tagKeyId   2m

NAME                                       SYNCED   READY   EXTERNAL-NAME               AGE
tagvalue.tags.gcp.upbound.io/basic-value   True     True    tagValues/tagValueId   9m44s

> kubectl annotate managed --all upjet.upbound.io/test=true --overwrite
networkfirewallpolicy.compute.gcp.upbound.io/basic-network-firewall-policy annotate
networkfirewallpolicyrule.compute.gcp.upbound.io/primary annotate
network.compute.gcp.upbound.io/basic-network annotate
addressgroup.networksecurity.gcp.upbound.io/default annotate
tagkey.tags.gcp.upbound.io/basic-key annotate
tagvalue.tags.gcp.upbound.io/basic-value annotate

> kubectl get networkfirewallpolicyrules.compute.gcp.upbound.io primary -o yaml
(...)
  conditions:
  - lastTransitionTime: "2025-04-15T09:16:59Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced
  - lastTransitionTime: "2025-04-15T09:17:35Z"
    reason: Available
    status: "True"
    type: Ready
  - lastTransitionTime: "2025-04-15T09:17:32Z"
    reason: Success
    status: "True"
    type: LastAsyncOperation
  - lastTransitionTime: "2025-04-15T09:21:20Z"
    reason: UpToDate
    status: "True"
    type: Test

Import
make run stopped

> kubectl --subresource=status patch networkfirewallpolicyrules.compute.gcp.upbound.io/primary  --type=merge -p '{"status":{"conditions":[]}}'
networkfirewallpolicyrule.compute.gcp.upbound.io/primary patched

> kubectl get networkfirewallpolicyrules.compute.gcp.upbound.io/primary -o json | jq .status.atProvider.id
"projects/PROJECT/global/firewallPolicies/basic-network-firewall-policy/rules/1000"

make run started

> kubectl get networkfirewallpolicyrules.compute.gcp.upbound.io primary -o yaml
(...)
  conditions:
  - lastTransitionTime: "2025-04-15T09:23:23Z"
    reason: Available
    status: "True"
    type: Ready
  - lastTransitionTime: "2025-04-15T09:23:23Z"
    reason: UpToDate
    status: "True"
    type: Test
  - lastTransitionTime: "2025-04-15T09:23:23Z"
    reason: Success
    status: "True"
    type: LastAsyncOperation
  - lastTransitionTime: "2025-04-15T09:23:23Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced

> kubectl get networkfirewallpolicyrules.compute.gcp.upbound.io/primary -o json | jq .status.atProvider.id
"projects/PROJECT/global/firewallPolicies/basic-network-firewall-policy/rules/1000"

Delete

> kubectl delete networkfirewallpolicyrules.compute.gcp.upbound.io primary 
networkfirewallpolicyrule.compute.gcp.upbound.io "primary" deleted

The resource has been deleted

@jeanduplessis (Collaborator)

/test-examples="examples/compute/v1beta1/networkfirewallpolicyrule.yaml"

@turkenf (Collaborator) left a comment

Hi @brais-real-edo, congrats on your first contribution! 🎉

To move forward with your PR faster and more securely, it's a good idea to consider the following:

  • Please make sure your PR description covers all of the changes you've made. For example, when I looked at the description, you just mentioned issue #645, but I see you've also tried to add the resource google_network_security_address_group. If there is another change you have made, clearly mentioning it will make the job of the maintainer who will review the PR easier.
  • When adding a new resource, please first perform manual tests for the added resource and then open the PR. Mention the results of the manual tests you performed in the description section of the PR and feel free to ask if you encounter any issues. I left a short comment about the failed uptest, but I recommend you continue with manual testing from now on.

Thanks in advance 🙏

Comment thread: examples/compute/v1beta1/networkfirewallpolicyrule.yaml (outdated)

@turkenf (Collaborator) commented Apr 15, 2025

/test-examples="examples/compute/v1beta1/networkfirewallpolicyrule.yaml"

@turkenf (Collaborator) left a comment

@brais-real-edo, thanks a lot for carefully following the manual testing steps and sharing them with us — really appreciate the effort!

I’ve taken a detailed look at your PR and left a few comments for you. As you also mentioned on Slack, it makes sense to add a manual intervention annotation to the NetworkFirewallPolicyRule example.
I’ve included the resources where the annotation should be added, along with explanations.

Comment threads:

  • config/compute/config.go
  • config/externalname.go (2 threads, outdated)
  • examples/compute/v1beta1/networkfirewallpolicyrule.yaml (6 threads)
  • examples/networksecurity/v1beta1/addressgroup.yaml (outdated)

brais-real-edo and others added 13 commits April 17, 2025 14:08
Signed-off-by: Brais Real <brais.real@edreamsodigeo.com>
Co-authored-by: Fatih Türken <103541666+turkenf@users.noreply.github.com>

@turkenf (Collaborator) commented Apr 17, 2025

/test-examples="examples/networksecurity/v1beta1/addressgroup.yaml"

https://github.com/crossplane-contrib/provider-upjet-gcp/actions/runs/14524317604

Note: Since Network Security API is paid, it has been enabled and disabled to test the resource.

@turkenf (Collaborator) left a comment

Thank you for your efforts on this PR @brais-real-edo 🙌

@turkenf turkenf merged commit 04c9a6c into crossplane-contrib:main Apr 17, 2025
9 checks passed
@brais-real-edo brais-real-edo deleted the network_firewall_policy_rule branch April 22, 2025 09:02

Development

Successfully merging this pull request may close these issues.

Support NetworkFirewallPolicyRule resource
