Merge pull request #1 from projectsyn/initial-implementation

Initial implementation

Author: DebakelOrakel

.cruft.json

@@ -7,7 +7,7 @@
       "name": "cloudscale-cloud-controller-manager",
       "slug": "cloudscale-cloud-controller-manager",
       "parameter_key": "cloudscale_cloud_controller_manager",
-      "test_cases": "defaults",
+      "test_cases": "defaults openshift4",
       "add_lib": "n",
       "add_pp": "n",
       "add_golden": "y",

.github/workflows/test.yaml

@@ -33,6 +33,7 @@ jobs:
       matrix:
         instance:
           - defaults
+          - openshift4
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}
@@ -48,6 +49,7 @@ jobs:
       matrix:
         instance:
           - defaults
+          - openshift4
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}

Makefile.vars.mk

@@ -50,4 +50,4 @@ KUBENT_IMAGE    ?= ghcr.io/doitintl/kube-no-trouble:latest
 KUBENT_DOCKER   ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE)
 
 instance ?= defaults
-test_instances = tests/defaults.yml
+test_instances = tests/defaults.yml tests/openshift4.yml

class/cloudscale-cloud-controller-manager.yml

@@ -1,5 +1,10 @@
 parameters:
   kapitan:
+    dependencies:
+      - type: https
+        source: https://github.com/cloudscale-ch/cloudscale-cloud-controller-manager/releases/download/${cloudscale_cloud_controller_manager:manifests_version}/config.yml
+        output_path: ${_base_directory}/manifests/${cloudscale_cloud_controller_manager:manifests_version}/config.yml
+
     compile:
       - input_paths:
           - ${_base_directory}/component/app.jsonnet

class/defaults.yml

@@ -2,3 +2,7 @@ parameters:
   cloudscale_cloud_controller_manager:
     =_metadata: {}
     namespace: syn-cloudscale-cloud-controller-manager
+
+    manifests_version: 1.0.0
+
+    api_token: ?{vaultkv:${cluster:tenant}/${cluster:name}/cloudscale/token}

component/main.jsonnet

@@ -1,10 +1,107 @@
-// main template for cloudscale-cloud-controller-manager
 local kap = import 'lib/kapitan.libjsonnet';
 local kube = import 'lib/kube.libjsonnet';
 local inv = kap.inventory();
-// The hiera parameters for the component
+
 local params = inv.parameters.cloudscale_cloud_controller_manager;
+local isOpenShift = inv.parameters.facts.distribution == 'openshift4';
+
+local manifests = std.parseJson(
+  kap.yaml_load_stream(
+    '%s/manifests/%s/config.yml'
+    % [ inv.parameters._base_directory, params.manifests_version ]
+  )
+);
+
+local patchDaemonset(obj) =
+  if isOpenShift && obj.kind == 'DaemonSet' then
+    obj {
+      spec+: {
+        template+: {
+          spec+: {
+            nodeSelector: {
+              'node-role.kubernetes.io/master': '',
+            },
+            tolerations+: [
+              {
+                key: 'node-role.kubernetes.io/master',
+                effect: 'NoSchedule',
+              },
+            ],
+          },
+        },
+      },
+    }
+  else
+    obj;
+
+local tokenSecret = kube.Secret('cloudscale') {
+  metadata+: {
+    namespace: params.namespace,
+  },
+  data:: {},
+  stringData: {
+    'access-token': params.api_token,
+  },
+};
+
+local customRBAC = if isOpenShift then
+  [
+    kube.RoleBinding('ccm-hostnetwork') {
+      metadata+: {
+        // Required if we want to deploy this manifest during cluster
+        // bootstrap.
+        namespace: params.namespace,
+      },
+      roleRef_: kube.ClusterRole('system:openshift:scc:hostnetwork'),
+      subjects: [
+        {
+          kind: 'ServiceAccount',
+          name: std.filter(
+            function(obj) obj.kind == 'DaemonSet', manifests
+          )[0].spec.template.spec.serviceAccountName,
+          namespace: params.namespace,
+        },
+      ],
+    },
+  ]
+else
+  [];
 
-// Define outputs below
 {
+  [if params.namespace != 'kube-system' then '00_namespace']:
+    kube.Namespace(params.namespace) {
+      metadata+: {
+        annotations+: {
+          // NOTE(sg): we set this unconditionally since it doesn't matter on
+          // non-OCP.
+          'openshift.io/node-selector': '',
+        },
+      },
+    },
+  '01_secret': tokenSecret,
+  '10_daemonset': [
+    patchDaemonset(object) {
+      metadata+: {
+        namespace: params.namespace,
+      },
+    }
+    for object in manifests
+    if std.setMember(object.kind, [ 'DaemonSet', 'ServiceAccount' ])
+  ],
+  '20_rbac': [
+    object + if std.objectHas(object, 'subjects') then
+      {
+        subjects: [
+          sub {
+            namespace: params.namespace,
+          }
+          for sub in super.subjects
+        ],
+      }
+    else
+      {}
+    for object in manifests
+    if std.setMember(object.kind, [ 'ClusterRole', 'ClusterRoleBinding' ])
+  ],
+  [if std.length(customRBAC) > 0 then '30_custom_rbac']: customRBAC,
 }

docs/modules/ROOT/pages/how-tos/deploy-ocp.adoc

@@ -0,0 +1,138 @@
+= Deploy on existing OpenShift cluster
+
+This guide describes how to deploy cloudscale.ch CCM on an existing cluster.
+
+== Steb-by-step guide
+
+. Ensure nodes are registered with cloudscale.ch provider id
++
+If not already present add the following machine config which customizes the kubelet systemd service on all cluster nodes.
+As described in https://github.com/openshift/infrastructure-provider-onboarding-guide/blob/main/docs/platform-external/installing.md.
++
+[source,yaml]
+----
+spec:
+  config:
+    ignition:
+      version: 3.2.0
+    storage:
+      files:
+        - mode: 493 # 0755
+          path: /usr/local/bin/appuio-kubelet-providerid
+          contents:
+            inline: |
+              #!/bin/bash
+              set -e -o pipefail
+              NODECONF=/etc/systemd/system/kubelet.service.d/20-appuio-providerid.conf
+              if [ -e "\${NODECONF}" ]; then
+                echo "Not replacing existing \${NODECONF}"
+                exit 0
+              fi
+              PROVIDERID=$(curl -sL http://169.254.169.254/openstack/2017-02-22/meta_data.json | \
+                jq -r .meta.cloudscale_uuid)
+              cat >"\${NODECONF}" <<EOF
+              [Service]
+              Environment="KUBELET_PROVIDERID=cloudscale://\${PROVIDERID}"
+              EOF
+    systemd:
+      units:
+        - name: appuio-kubelet-providerid.service
+          enabled: true
+          contents: |
+            [Unit]
+            Description=Fetch provide id from metadata service
+            After=NetworkManager-wait-online.service
+            Before=kubelet.service
+            [Service]
+            ExecStart=/usr/local/bin/appuio-kubelet-providerid
+            Type=oneshot
+            [Install]
+            WantedBy=network-online.target
+----
+
+. Check if provider id is present on nodes
++
+[source,bash]
+----
+for n in $(kubectl get nodes -oname); do
+  PROVIDERID=$(oc -n syn-debug-nodes --as=cluster-admin debug $n -- chroot /host cat /etc/systemd/system/kubelet.service.d/20-appuio-providerid.conf 2>&1 | grep PROVIDERID | sed -e 's/^Environment="KUBELET_PROVIDERID=\([^"]\+\)"$/\1/g')
+  echo kubectl --as=cluster-admin patch $n --type=merge -p "{\"spec\":{\"providerID\":\"${PROVIDERID}\"}}";
+done
+----
+
+. Patch nodes with provider id
++
+[source,bash]
+----
+for n in $(kubectl get nodes -oname); do
+  PROVIDERID=$(oc -n syn-debug-nodes --as=cluster-admin debug $n -- chroot /host cat /etc/systemd/system/kubelet.service.d/20-appuio-providerid.conf 2>&1 | grep PROVIDERID | sed -e 's/^Environment="KUBELET_PROVIDERID=\([^"]\+\)"$/\1/g')
+  kubectl --as=cluster-admin patch $n --type=merge -p "{\"spec\":{\"providerID\":\"${PROVIDERID}\"}}";
+done
+kubectl get no -ocustom-columns='NAME:.metadata.name,PROVIDER_ID:.spec.providerID'
+----
++
+[source,bash]
+----
+NAME           PROVIDER_ID
+infra-8344     cloudscale://1b04b1fb-d6c8-4108-92f4-f64f8c1ca960
+infra-87c9     cloudscale://2813282a-2a88-461d-a927-4ad96bf4360a
+infra-eba2     cloudscale://22fd8f7d-0eb8-4d10-82d7-e35df65e62b8
+master-3b79    cloudscale://b7597a27-0129-40cc-9bd8-ac19f5d3deb6
+master-6cc2    cloudscale://556ca8bd-37a3-4a48-8412-8eafe90c606a
+master-edc2    cloudscale://48255c88-ad2b-4242-a4ba-74332f16b264
+storage-17fd   cloudscale://2584f7f1-a2cf-4598-903b-80ff6acc1dd0
+storage-534a   cloudscale://e2c96748-7d24-45e7-b345-8b83d7dc21bf
+storage-c4e4   cloudscale://a8358646-fe30-4fb6-bffb-6971863286d3
+worker-10db    cloudscale://f2a2cc9b-aae9-4674-ae64-de4bd3cfb1db
+worker-3b6c    cloudscale://671553ab-2243-4075-b35b-0592aa9d2299
+worker-52c6    cloudscale://a6255254-46bf-4c4f-8638-9eb26559814e
+worker-8e76    cloudscale://a0ba2200-bfc3-435a-b733-8607b6ee4190
+----
+
+. Deploy component-cloudscale-cloud-controller-manager
+
+. Patch infrastructure config
++
+[source,bash]
+----
+kubectl --as cluster-admin patch infrastructure.config  cluster --type=merge -p '{"spec":{"platformSpec":{"external":{"platformName":"cloudscale.ch"},"type":"External"}}}'
+infrastructure.config.openshift.io/cluster patched
+----
++
+[source,bash]
+----
+kubectl proxy &
+curl -XPATCH -H"Content-Type: application/merge-patch+json" http://localhost:8001/apis/config.openshift.io/v1/infrastructures/cluster/status -d '{"status":{"platform":"External","platformStatus":{"external":{"cloudControllerManager":{"state":"External"}},"type":"External"}}}'
+----
+
+. Taint nodes with `node.cloudprovider.kubernetes.io/uninitialized=true:NoSchedule`
++
+[source,bash]
+----
+kubectl --as cluster-admin taint node --all node.cloudprovider.kubernetes.io/uninitialized=true:NoSchedule
+----
+
+. Check if instance-type is applied
++
+[source,bash]
+----
+kubectl get nodes -ocustom-columns='NAME:.metadata.name,INSTANCE_TYPE:.metadata.labels.node\.kubernetes\.io/instance-type'
+----
++
+[source,bash]
+----
+NAME           INSTANCE_TYPE
+infra-8344     flex-24-6
+infra-87c9     flex-24-6
+infra-eba2     flex-24-6
+master-3b79    flex-24-6
+master-6cc2    flex-24-6
+master-edc2    flex-24-6
+storage-17fd   flex-8-2
+storage-534a   flex-8-2
+storage-c4e4   flex-8-2
+worker-10db    flex-16-4
+worker-3b6c    flex-16-4
+worker-52c6    flex-16-4
+worker-8e76    flex-16-4
+----

docs/modules/ROOT/pages/references/parameters.adoc

@@ -11,6 +11,16 @@ default:: `syn-cloudscale-cloud-controller-manager`
 The namespace in which to deploy this component.
 
 
+== `api_token`
+
+[horizontal]
+type:: string
+default:: `?{vaultkv:${cluster:tenant}/${cluster:name}/cloudscale/token}`
+
+cloudscale.ch API token to be used by the CCM driver.
+This should be a reference to a secret in Vault instead of the plaintext token.
+
+
 == Example
 
 [source,yaml]

docs/modules/ROOT/partials/nav.adoc

@@ -1,2 +1,3 @@
 * xref:index.adoc[Home]
+* xref:how-tos/deploy-ocp.adoc[]
 * xref:references/parameters.adoc[Parameters]

tests/golden/defaults/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/00_namespace.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    openshift.io/node-selector: ''
+  labels:
+    name: syn-cloudscale-cloud-controller-manager
+  name: syn-cloudscale-cloud-controller-manager