firewall infrastructure does not get reconciled about gardener-extension-provider-metal HOT 7 CLOSED

Rafael, I did not expect you here! :D

Thanks for clarification. We wanted to make our firewall creation idempotent. I guess it's fine for the time being if the infrastructure gets only reconciled during maintenance window. We differ a little from the other cloud providers here because we actually maintain a server in the infrastructure. Ideally, this would be managed by something like the machine-controller-manager, such that we can also do machine upgrades. Maybe we even need a special controller to handle this properly... not sure yet.

from gardener-extension-provider-metal.

That's right. We do not ask the metal-api again after we got a machine id from the firewall create request. Would be a good thing to make this more robust.

from gardener-extension-provider-metal.

Unfortunately, the Gardener does not explicitly request infrastructure reconciliation once it succeeded. When adding the gardener.cloud/operation: "reconcile" annotation to the infrastructure resource, the newly implemented behavior of recreating a firewall works fine...

from gardener-extension-provider-metal.

@Gerrit91 The Gardener does add the gardener.cloud/operation=reconcile annotation to the Infrastructure only during the maintenance time window. It's a little bit special here. For all other extension resources (like Worker, ControlPlane, etc), it adds the annotation in every reconciliation loop. The rational was to minimize the number of calls to the IaaS providers to prevent running into quota limits, especially if you have a lot of shoots using the same IaaS account. Hence, the idea was to run the infrastructure reconciliation only once a day - in the maintenance time window. WDYT?

from gardener-extension-provider-metal.

Btw, to trigger an immediate maintenance operation (if you don't want to wait till the time window starts) you can annotate your shoot with shoot.garden.sapcloud.io/operation=maintain instead of shoot.garden.sapcloud.io/operation=reconcile.

from gardener-extension-provider-metal.

We now support updating the firewall spec (image or size), which causes firewall deletion (hence downtime) and recreation.

from gardener-extension-provider-metal.

I think, we can close this for now as it has partially been resolved. Let's open another issue for "zero-downtime firewall updates" when it's time.

from gardener-extension-provider-metal.