Drop default cluster profile, cleanup instance creation profiles and logic (#93)

---------

Signed-off-by: Angelos Kolaitis <neoaggelos@gmail.com>

Author: neoaggelos

api/v1alpha2/condition_consts.go

@@ -23,25 +23,6 @@ const (
 	LoadBalancerProvisioningAbortedReason = "LoadBalancerProvisioningAbortedReason"
 )
 
-const (
-	// KubeadmProfileAvailableCondition documents the availability of the default kubeadm LXC profile.
-	KubeadmProfileAvailableCondition = "KubeadmProfileAvailable"
-
-	// KubeadmProfileDisabledReason (Severity=Info) documents a LXCCluster controller detecting that the
-	// LXCCluster spec requests that no default kubeam profile be created.
-	KubeadmProfileDisabledReason = "KubeadmProfileDisabled"
-
-	// KubeadmProfileCreationFailedReason (Severity=Warning) documents a LXCCluster controller detecting
-	// a retriable error while provisioning the default kubeadm LXC profile; those kind of errors are
-	// usually transient and failed provisioning are automatically re-tried by the controller.'
-	KubeadmProfileCreationFailedReason = "KubeadmProfileCreationFailed"
-
-	// KubeadmProfileCreationAbortedReason (Severity=Error) documents a LXCCluster controller detecting
-	// an unrecoverable error while provisioning the default kubeadm LXC profile. This is usually because
-	// of permission issues on the server, therefore requires user intervention.
-	KubeadmProfileCreationAbortedReason = "KubeadmProfileCreationAborted"
-)
-
 // Conditions and condition Reasons for the LXCMachine object.
 
 const (

api/v1alpha2/lxccluster_types.go

@@ -51,15 +51,14 @@ type LXCClusterSpec struct {
 	// +optional
 	Unprivileged bool `json:"unprivileged"`
 
-	// Skip creation of the default kubeadm profile "cluster-api-$namespace-$name"
-	// for LXCClusters.
+	// Do not apply the default kubeadm profile on container instances.
 	//
 	// In this case, the cluster administrator is responsible to create the
 	// profile manually and set the `.spec.template.spec.profiles` field of all
 	// LXCMachineTemplate objects.
 	//
-	// This is useful in cases where a restricted project is used, which does not
-	// allow privileged containers.
+	// For more details on the default kubeadm profile that is applied, see
+	// https://lxc.github.io/cluster-api-provider-incus/reference/profile/kubeadm.html
 	//
 	// +optional
 	SkipDefaultKubeadmProfile bool `json:"skipDefaultKubeadmProfile"`
@@ -262,11 +261,6 @@ func (c *LXCCluster) GetLoadBalancerInstanceName() string {
 	return fmt.Sprintf("%s-%s-lb", c.Name, hex.EncodeToString(hash[:3])[:5])
 }
 
-// GetProfileName returns the profile name for the cluster LXC machines.
-func (c *LXCCluster) GetProfileName() string {
-	return fmt.Sprintf("cluster-api-%s-%s", c.Namespace, c.Name)
-}
-
 // +kubebuilder:object:root=true
 
 // LXCClusterList contains a list of LXCCluster.

config/crd/bases/infrastructure.cluster.x-k8s.io_lxcclusters.yaml

@@ -241,15 +241,14 @@ spec:
                 type: object
               skipDefaultKubeadmProfile:
                 description: |-
-                  Skip creation of the default kubeadm profile "cluster-api-$namespace-$name"
-                  for LXCClusters.
+                  Do not apply the default kubeadm profile on container instances.
 
                   In this case, the cluster administrator is responsible to create the
                   profile manually and set the `.spec.template.spec.profiles` field of all
                   LXCMachineTemplate objects.
 
-                  This is useful in cases where a restricted project is used, which does not
-                  allow privileged containers.
+                  For more details on the default kubeadm profile that is applied, see
+                  https://lxc.github.io/cluster-api-provider-incus/reference/profile/kubeadm.html
                 type: boolean
               unprivileged:
                 description: |-

config/crd/bases/infrastructure.cluster.x-k8s.io_lxcclustertemplates.yaml

@@ -264,15 +264,14 @@ spec:
                         type: object
                       skipDefaultKubeadmProfile:
                         description: |-
-                          Skip creation of the default kubeadm profile "cluster-api-$namespace-$name"
-                          for LXCClusters.
+                          Do not apply the default kubeadm profile on container instances.
 
                           In this case, the cluster administrator is responsible to create the
                           profile manually and set the `.spec.template.spec.profiles` field of all
                           LXCMachineTemplate objects.
 
-                          This is useful in cases where a restricted project is used, which does not
-                          allow privileged containers.
+                          For more details on the default kubeadm profile that is applied, see
+                          https://lxc.github.io/cluster-api-provider-incus/reference/profile/kubeadm.html
                         type: boolean
                       unprivileged:
                         description: |-

docs/book/src/reference/api/v1alpha2/api.md

@@ -105,13 +105,12 @@ bool
 </td>
 <td>
 <em>(Optional)</em>
-<p>Skip creation of the default kubeadm profile &ldquo;cluster-api-$namespace-$name&rdquo;
-for LXCClusters.</p>
+<p>Do not apply the default kubeadm profile on container instances.</p>
 <p>In this case, the cluster administrator is responsible to create the
 profile manually and set the <code>.spec.template.spec.profiles</code> field of all
 LXCMachineTemplate objects.</p>
-<p>This is useful in cases where a restricted project is used, which does not
-allow privileged containers.</p>
+<p>For more details on the default kubeadm profile that is applied, see
+<a href="https://lxc.github.io/cluster-api-provider-incus/reference/profile/kubeadm.html">https://lxc.github.io/cluster-api-provider-incus/reference/profile/kubeadm.html</a></p>
 </td>
 </tr>
 </table>
@@ -297,13 +296,12 @@ bool
 </td>
 <td>
 <em>(Optional)</em>
-<p>Skip creation of the default kubeadm profile &ldquo;cluster-api-$namespace-$name&rdquo;
-for LXCClusters.</p>
+<p>Do not apply the default kubeadm profile on container instances.</p>
 <p>In this case, the cluster administrator is responsible to create the
 profile manually and set the <code>.spec.template.spec.profiles</code> field of all
 LXCMachineTemplate objects.</p>
-<p>This is useful in cases where a restricted project is used, which does not
-allow privileged containers.</p>
+<p>For more details on the default kubeadm profile that is applied, see
+<a href="https://lxc.github.io/cluster-api-provider-incus/reference/profile/kubeadm.html">https://lxc.github.io/cluster-api-provider-incus/reference/profile/kubeadm.html</a></p>
 </td>
 </tr>
 </tbody>
@@ -532,13 +530,12 @@ bool
 </td>
 <td>
 <em>(Optional)</em>
-<p>Skip creation of the default kubeadm profile &ldquo;cluster-api-$namespace-$name&rdquo;
-for LXCClusters.</p>
+<p>Do not apply the default kubeadm profile on container instances.</p>
 <p>In this case, the cluster administrator is responsible to create the
 profile manually and set the <code>.spec.template.spec.profiles</code> field of all
 LXCMachineTemplate objects.</p>
-<p>This is useful in cases where a restricted project is used, which does not
-allow privileged containers.</p>
+<p>For more details on the default kubeadm profile that is applied, see
+<a href="https://lxc.github.io/cluster-api-provider-incus/reference/profile/kubeadm.html">https://lxc.github.io/cluster-api-provider-incus/reference/profile/kubeadm.html</a></p>
 </td>
 </tr>
 </table>

docs/book/src/reference/profile/kubeadm.md

@@ -17,7 +17,18 @@ When using unprivileged containers, the following profile is applied instead:
 
 ```yaml
 # incus profile create kubeadm-unprivileged
-# curl https://lxc.github.io/cluster-api-provider-incus/static/v0.1/profile.yaml | incus profile edit kubeadm-unprivileged
+# curl https://lxc.github.io/cluster-api-provider-incus/static/v0.1/unprivileged.yaml | incus profile edit kubeadm-unprivileged
 
 {{#include ../../static/v0.1/unprivileged.yaml }}
 ```
+
+## Unprivileged containers (Canonical LXD)
+
+When using unprivileged containers with Canonical LXD, it is also required to enable `security.nesting` and disable apparmor:
+
+```bash
+# lxc profile create kubeadm-unprivileged
+# curl https://lxc.github.io/cluster-api-provider-incus/static/v0.1/unprivileged-lxd.yaml | lxc profile edit kubeadm-unprivileged
+
+{{#include ../../static/v0.1/unprivileged-lxd.yaml }}
+```

docs/book/src/static/v0.1/unprivileged-lxd.yaml

@@ -0,0 +1 @@
+../../../../../internal/static/embed/unprivileged-lxd.yaml

internal/controller/lxccluster/controller_delete.go

@@ -29,7 +29,6 @@ func (r *LXCClusterReconciler) reconcileDelete(ctx context.Context, cluster *clu
 		return ctrl.Result{}, err
 	}
 	conditions.MarkFalse(lxcCluster, infrav1.LoadBalancerAvailableCondition, clusterv1.DeletingReason, clusterv1.ConditionSeverityInfo, "")
-	conditions.MarkFalse(lxcCluster, infrav1.KubeadmProfileAvailableCondition, clusterv1.DeletingReason, clusterv1.ConditionSeverityInfo, "")
 	if err := patchLXCCluster(ctx, patchHelper, lxcCluster); err != nil {
 		return ctrl.Result{}, fmt.Errorf("failed to patch LXCCluster: %w", err)
 	}
@@ -48,11 +47,6 @@ func (r *LXCClusterReconciler) reconcileDelete(ctx context.Context, cluster *clu
 		return ctrl.Result{RequeueAfter: 5 * time.Second}, nil
 	}
 
-	log.FromContext(ctx).Info("Deleting default kubeadm profile")
-	if err := lxcClient.DeleteProfile(lxcCluster.GetProfileName()); err != nil {
-		return ctrl.Result{}, fmt.Errorf("failed to delete the default kubeadm profile: %w", err)
-	}
-
 	// Cluster is deleted so remove the finalizer.
 	controllerutil.RemoveFinalizer(lxcCluster, infrav1.ClusterFinalizer)
 

internal/controller/lxccluster/controller_normal.go

@@ -2,54 +2,18 @@ package lxccluster
 
 import (
 	"context"
-	"strings"
 
-	"github.com/lxc/incus/v6/shared/api"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/util/conditions"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	infrav1 "github.com/lxc/cluster-api-provider-incus/api/v1alpha2"
 	"github.com/lxc/cluster-api-provider-incus/internal/loadbalancer"
 	"github.com/lxc/cluster-api-provider-incus/internal/lxc"
-	"github.com/lxc/cluster-api-provider-incus/internal/static"
 	"github.com/lxc/cluster-api-provider-incus/internal/utils"
 )
 
 func (r *LXCClusterReconciler) reconcileNormal(ctx context.Context, cluster *clusterv1.Cluster, lxcCluster *infrav1.LXCCluster, lxcClient *lxc.Client) error {
-	// Create the default kubeadm profile for LXC containers
-	profileName := lxcCluster.GetProfileName()
-	if lxcCluster.Spec.SkipDefaultKubeadmProfile {
-		// only log the message once, before the condition is set.
-		if !conditions.Has(lxcCluster, infrav1.KubeadmProfileAvailableCondition) {
-			log.FromContext(ctx).Info("Skipping kubeadm profile creation")
-		}
-		conditions.MarkTrue(lxcCluster, infrav1.KubeadmProfileAvailableCondition)
-	} else {
-		log := log.FromContext(ctx).WithValues("profileName", profileName)
-
-		if _, _, err := lxcClient.GetProfile(profileName); err != nil {
-			if !strings.Contains(err.Error(), "Profile not found") {
-				conditions.MarkFalse(lxcCluster, infrav1.KubeadmProfileAvailableCondition, infrav1.KubeadmProfileCreationFailedReason, clusterv1.ConditionSeverityWarning, "failed to check profile %q status: %s", profileName, err)
-				return err
-			}
-
-			log.Info("Creating default kubeadm profile for cluster")
-			if err := lxcClient.CreateProfile(api.ProfilesPost{Name: profileName, ProfilePut: static.DefaultKubeadmProfile(!lxcCluster.Spec.Unprivileged)}); err != nil {
-				log.Error(err, "Failed to create default kubeadm profile")
-
-				if strings.Contains(err.Error(), "Privileged containers are forbidden") {
-					conditions.MarkFalse(lxcCluster, infrav1.KubeadmProfileAvailableCondition, infrav1.KubeadmProfileCreationAbortedReason, clusterv1.ConditionSeverityError, "The default kubeadm LXC profile could not be created, most likely because of a permissions issue. Either enable privileged containers on the project, or specify .spec.skipDefaultKubeadmProfile=true on the LXCCluster object. The error was: %s", err)
-					return nil
-				}
-				conditions.MarkFalse(lxcCluster, infrav1.KubeadmProfileAvailableCondition, infrav1.KubeadmProfileCreationFailedReason, clusterv1.ConditionSeverityWarning, "%s", err)
-				return err
-			}
-		}
-
-		conditions.MarkTrue(lxcCluster, infrav1.KubeadmProfileAvailableCondition)
-	}
-
 	// Create the container hosting the load balancer.
 	log.FromContext(ctx).Info("Creating load balancer")
 	lbIPs, err := loadbalancer.ManagerForCluster(cluster, lxcCluster, lxcClient).Create(ctx)

internal/controller/lxccluster/controller_util.go

@@ -13,7 +13,6 @@ import (
 
 func patchLXCCluster(ctx context.Context, patchHelper *patch.Helper, lxcCluster *infrav1.LXCCluster) error {
 	infraConditions := []clusterv1.ConditionType{
-		infrav1.KubeadmProfileAvailableCondition,
 		infrav1.LoadBalancerAvailableCondition,
 	}
 	hasInfraConditionError := false