metal-stack · vknabel · Nov 13, 2025 · Nov 13, 2025
@@ -62,6 +62,9 @@ type FirewallSpec struct {
 	// Userdata contains the userdata used for the creation of the firewall.
 	// It gets defaulted to a userdata matching for the firewall-controller with connection to Gardener shoot and seed.
 	Userdata string `json:"userdata,omitempty"`
+	// UserdataContents contains the unprocessed userdata as separate files.
+	// This is meant as an alternative to `Userdata`.
+	UserdataContents []UserdataContent `json:"userdataContents,omitempty"`
 	// SSHPublicKeys are public keys which are added to the firewall's authorized keys file on creation.
 	// It gets defaulted to the public key of ssh secret as provided by the controller flags.
 	SSHPublicKeys []string `json:"sshPublicKeys,omitempty"`
@@ -74,6 +77,9 @@ type FirewallSpec struct {
 	// EgressRules contains egress rules configured for this firewall.
 	EgressRules []EgressRuleSNAT `json:"egressRules,omitempty"`
 
+	// InitialRuleSet is the initial firewall ruleset applied before the firewall-controller starts running.
+	InitialRuleSet *InitialRuleSet `json:"initialRuleSet,omitempty"`
+
 	// Interval on which rule reconciliation by the firewall-controller should happen.
 	Interval string `json:"interval,omitempty"`
 	// DryRun if set to true, firewall rules are not applied. For devel-purposes only.
@@ -113,6 +119,42 @@ type AllowedNetworks struct {
 	Egress []string `json:"egress,omitempty"`
 }
 
+// UserdataContent represents a file at a specific path with either direct content or content sourced from a secret or configmap.
+type UserdataContent struct {
+	// Path is the file path where the content should be placed.
+	Path string `json:"path"`
+	// Content is the direct content of the file.
+	Content string `json:"content,omitempty"`
+	// ContentFrom represents the source from which to obtain the content of the file.
+	ContentFrom UserdataContentFrom `json:"contentFrom,omitzero"`
+}
+
+// UserdataContentFrom represents the source from which to obtain the content of a userdata file.
+type UserdataContentFrom struct {
+	// SecretKeyRef is a reference to a key within a secret.
+	SecretKeyRef UserdataContentFromSecretKeyRef `json:"secretKeyRef,omitzero"`
+	// ConfigMapKeyRef is a reference to a key within a configmap.
+	ConfigMapKeyRef UserdataContentFromConfigMapKeyRef `json:"configMapKeyRef,omitzero"`
+	// FirewallControllerKubeconfigSecret is a reference to the desired kubeconfig secret for the firewall-controller to access the seed cluster. This kubeconfig will be generated by the firewall-controller-manager.
+	FirewallControllerKubeconfigSecret *UserdataContentFromSecretKeyRef `json:"firewallControllerKubeconfigSecret,omitempty"`
+}
+
+// UserdataContentFromSecretKeyRef represents a reference to a key within a secret.
+type UserdataContentFromSecretKeyRef struct {
+	// Name is the name of the secret.
+	Name string `json:"name"`
+	// Key is the key within the secret.
+	Key string `json:"key"`
+}
+
+// UserdataContentFromConfigMapKeyRef represents a reference to a key within a configmap.
+type UserdataContentFromConfigMapKeyRef struct {
+	// Name is the name of the configmap.
+	Name string `json:"name"`
+	// Key is the key within the configmap.
+	Key string `json:"key"`
+}
+
 // FirewallTemplateSpec describes the data a firewall should have when created from a template
 type FirewallTemplateSpec struct {
 	// Metadata of the firewalls created from this template.
@@ -122,6 +164,46 @@ type FirewallTemplateSpec struct {
 	Spec FirewallSpec `json:"spec,omitempty"`
 }
 
+// InitialRuleSet is the initial rule set deployed on the firewall.
+type InitialRuleSet struct {
+	// Egress rules to be deployed initially on the firewall.
+	Egress []EgressRule `json:"egress,omitempty"`
+	// Ingress rules to be deployed initially on the firewall.
+	Ingress []IngressRule `json:"ingress,omitempty"`
+}
+
+// NetworkProtocol represents the kind of network protocol.
+type NetworkProtocol string
+
+const (
+	// NetworkProtocolTCP represents tcp connections.
+	NetworkProtocolTCP = "TCP"
+	// NetworkProtocolUDP represents udp connections.
+	NetworkProtocolUDP = "UDP"
+)
+
+type EgressRule struct {
+	// Comment provides a human readable description of this rule.
+	Comment string `json:"comment,omitempty"`
+	// Ports contains all affected network ports.
+	Ports []int32 `json:"ports"`
+	// Protocol constraints the protocol this rule applies to.
+	Protocol NetworkProtocol `json:"protocol"`
+	// To source address cidrs this rule applies to.
+	To []string `json:"to"`
+}
+
+type IngressRule struct {
+	// Comment provides a human readable description of this rule.
+	Comment string `json:"comment,omitempty"`
+	// Ports contains all affected network ports.
+	Ports []int32 `json:"ports"`
+	// Protocol constraints the protocol this rule applies to.
+	Protocol NetworkProtocol `json:"protocol"`
+	// From source address cidrs this rule applies to.
+	From []string `json:"from"`
+}
+
 // EgressRuleSNAT holds a Source-NAT rule
 type EgressRuleSNAT struct {
 	// NetworkID is the network for which the egress rule will be configured.