NSX: (temp fix) Skip adding firewall rules for CKS Clusters on VPC tiers (#56)

Pearl1594 · web-flow · commit 98bd3c586943 · 2024-01-19T18:25:47.000+01:00
Currently CKP does not setup NetworkACLs for CKS clusters on VPC tiers, and fails to add Firewall rules - as Firewall isn't supported on VPCs. This is a partial fix, to skip setting up Firewall rules if the network doesn't support the service.
diff --git a/cloudstack_loadbalancer.go b/cloudstack_loadbalancer.go
@@ -163,7 +163,15 @@ func (cs *CSCloud) EnsureLoadBalancer(ctx context.Context, clusterName string, s
 			}
 		}
 
-		if lbRule != nil {
+		network, count, err := lb.Network.GetNetworkByID(lb.networkID, cloudstack.WithProject(lb.projectID))
+		if err != nil {
+			if count == 0 {
+				return nil, err
+			}
+			return nil, err
+		}
+
+		if lbRule != nil && isFirewallSupported(network.Service) {
 			klog.V(4).Infof("Creating firewall rules for load balancer rule: %v (%v:%v:%v)", lbRuleName, protocol, lbRule.Publicip, port.Port)
 			if _, err := lb.updateFirewallRule(lbRule.Publicipid, int(port.Port), protocol, service.Spec.LoadBalancerSourceRanges); err != nil {
 				return nil, err
@@ -244,6 +252,15 @@ func (cs *CSCloud) UpdateLoadBalancer(ctx context.Context, clusterName string, s
 	return nil
 }
 
+func isFirewallSupported(services []cloudstack.NetworkServiceInternal) bool {
+	for _, svc := range services {
+		if svc.Name == "Firewall" {
+			return true
+		}
+	}
+	return false
+}
+
 // EnsureLoadBalancerDeleted deletes the specified load balancer if it exists, returning
 // nil if the load balancer specified either didn't exist or was successfully deleted.
 func (cs *CSCloud) EnsureLoadBalancerDeleted(ctx context.Context, clusterName string, service *corev1.Service) error {
