feat(kubernetes): Draft Kubernetes deployment of tedge

Signed-off-by: Reuben Miller <reuben.d.miller@gmail.com>

Author: albinsuresh

.gitignore

@@ -51,3 +51,8 @@ containers/tedge/*.tar
 Makefile.toml
 .vimspector.json
 *.env
+
+
+# thin-edge.io certificate files
+tedge-certificate.pem
+tedge-private-key.pem

kubernetes/README.md

@@ -0,0 +1,152 @@
+# thin-edge.io on Kubernetes
+
+:construction: This is a work-in-progress so don't expect everything to work out of the box in all situations. Contributions are welcomed to improve the setup.
+
+This document describes the steps required to get thin-edge.io deployed in a Kubernetes (k8s) cluster.
+
+## Pre-requisites
+
+The following pre-requisites are required to run the example:
+
+* A kubernetes cluster - [k3s](https://k3s.io/) is a good option for a single node cluster if you're just trying things out locally
+* kubectl - cli to interact with kubernetes
+* [helm](https://helm.sh/)
+
+Kubernetes know-how is also assumed, so if you have trouble with setting up Kubernetes, please consult the public Kubernetes documentation or seek help in community forums (e.g. stack overflow etc.).
+
+## Getting started
+
+The following guide should help you install thin-edge.io as a helm chart.
+
+1. Create the device certificate key pair
+
+    **Option 1: Create self-signed certificates using tedge cli**
+
+    ```sh
+    mkdir device-certs
+    tedge --config-dir $(pwd) cert create --device-id mydevice001
+    ```
+
+    The certificates will be stored under the `./device-certs` folder.
+
+    Alternatively, you can also create device certificates using a CA and openssl. Please consult the openssl documentation on how to do this.
+
+1. Add device certificate to Cumulocity IoT's Trusted Certificates
+
+    You can uploaded it to Cumulocity IoT using the Device Management UI, or using the go-c8y-cli tool:
+
+    ```sh
+    c8y devicemanagement certificates create --name mydevice001 --file ./device-certs/tedge-certificate.pem --status ENABLED --autoRegistrationEnabled
+    ```
+
+1. Create a kubernetes namespace where the helm chart will be deployed to
+
+    ```sh
+    kubectl create namespace tedge
+    ```
+
+1. Create a Secret for the device certificate key pair
+
+    ```sh
+    kubectl create secret generic tedge-certs --from-file=./device-certs/tedge-certificate.pem --from-file=./device-certs/tedge-private-key.pem --namespace tedge
+    ```
+
+1. Install the thin-edge.io helm chart
+
+    ```sh
+    helm install tedge-chart ./tedge --set c8y.url=example.eu-latest.cumulocity.com --namespace tedge
+    ```
+
+    Change the `c8y.url=` value to the MQTT endpoint of your Cumulocity IoT tenant.
+
+1. Validate the device created in Cumulocity
+
+    If you are using go-c8y-cli, then you can open the Device Management application to your device using the following command:
+
+    ```sh
+    c8y identity get --name mydevice001 | c8y applications open
+    ```
+
+1. The mosquitto broker can be accessed by other pods in the cluster via the `mosquitto.<namespace>.svc.cluster.local` endpoint
+
+    **Using an existing service**
+
+    The MQTT service endpoint can be verified from within a deployment using the following command:
+
+    ```sh
+    kubectl exec -n tedge -it service/mosquitto -- mosquitto_sub -h 'mosquitto.tedge.svc.cluster.local' -p 1883 -t '#' -W 5 -v
+    ```
+
+    **Using a new pod**
+
+    The MQTT service endpoint can also be verified from other pods by creating a test pod, and executing a command from it.
+
+    ```sh
+    kubectl run -n tedge --restart=Never --image eclipse-mosquitto tedge-test -- sleep infinity
+    kubectl exec -n tedge -it pod/tedge-test -- mosquitto_sub -h 'mosquitto.tedge.svc.cluster.local' -p 1883 -t '#' -W 3 -v
+    kubectl delete -n tedge pod/tedge-test
+    ```
+
+    ```sh
+    te/device/main/service/mosquitto-c8y-bridge {"@id":"example001:device:main:service:mosquitto-c8y-bridge","@parent":"device/main//","@type":"service","name":"mosquitto-c8y-bridge","type":"service"}
+    te/device/main/service/mosquitto-c8y-bridge/status/health 1
+    te/device/main/service/tedge-mapper-c8y {"@parent":"device/main//","@type":"service","type":"service"}
+    te/device/main/service/tedge-mapper-c8y/status/health {"pid":1,"status":"up","time":1710236345.2828279}
+    te/device/main/service/tedge-agent {"@parent":"device/main//","@type":"service","type":"service"}
+    te/device/main/service/tedge-agent/status/health {"pid":1,"status":"up","time":1710236338.9187257}
+    te/device/main///twin/c8y_Agent {"name":"thin-edge.io","url":"https://thin-edge.io","version":"1.0.1"}
+    te/device/main///cmd/config_snapshot {"types":["tedge-configuration-plugin","tedge-log-plugin","tedge.toml"]}
+    te/device/main///cmd/config_update {"types":["tedge-configuration-plugin","tedge-log-plugin","tedge.toml"]}
+    te/device/main///cmd/log_upload {"types":["software-management"]}
+    te/device/main///cmd/restart {}
+    te/device/main///cmd/software_list {}
+    te/device/main///cmd/software_update {}
+    Timed out
+    command terminated with exit code 27
+    ```
+
+## Uninstall helm chart
+
+You can uninstall the helm chart using the following command:
+
+```
+helm uninstall tedge-chart --namespace tedge
+```
+
+## Project structure
+
+Key points about the deployment design are listed below:
+
+* The thin-edge.io helm chart consists of two deployments:
+    * a multi-container pod with `mosquitto` broker and `tedge-mapper` along with `tedge-bootstrap` init container
+      that performs the bootstrapping
+    * an independent deployment of `tedge-agent`
+* The `mosquitto` broker and `tedge-mapper` are deployed in the same pod with `/etc/tedge` directory mounted as a shared volume,
+  so that the mapper and the broker can access the bridge configurations created by the `tedge-bootstrap` container.
+* A custom mosquitto configuration is used for the `mosquitto` container so that it picks up configuration extensions
+  from the `/etc/tedge/mosquitto-conf` directory where the bridge configurations are created.
+* The mosquitto broker from the first deployment is exposed as a service so that the `tedge-agent` deployment can access it.
+  Similarly, the file-transfer-service of the `tedge-agent` is also exposed as a service for the mapper to use it.
+* The config settings required by the thin-edge.io components are provided via env variables.
+* The device certificate key pair generated and provided to the cluster as a `Secret`.
+* The persistent volume for the shared `/etc/tedge` directory is a local volume.
+
+## Misc.
+
+### Using dedicated colima instance on MacOS
+
+If you want to use a dedicated k3s single node cluster on MacOS, then you can use colima to create a dedicated environment (different from the default colima instance).
+
+**Containerd runtime**
+
+You can create a colima instance using containerd as the runtime using the following command:
+
+```sh
+colima start k3s --runtime containerd --kubernetes
+```
+
+Afterwards you can configure kubectl to use the new context:
+
+```sh
+kubectl config use-context colima-k3s
+```

kubernetes/tedge/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

kubernetes/tedge/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: tedge
+description: Device management application using thin-edge.io
+type: application
+version: "0.1.0"
+appVersion: "1.0.1"

kubernetes/tedge/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "tedge.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "tedge.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "tedge.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "tedge.labels" -}}
+helm.sh/chart: {{ include "tedge.chart" . }}
+{{ include "tedge.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "tedge.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "tedge.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "tedge.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "tedge.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

kubernetes/tedge/templates/mosquitto-config.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mosquitto-config
+data:
+  mosquitto.conf: |
+    include_dir /etc/tedge/mosquitto-conf

kubernetes/tedge/templates/mosquitto.yaml

@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mosquitto
+spec:
+  replicas: 1 # Number of broker pods
+  selector:
+    matchLabels:
+      app: mosquitto
+  template:
+    metadata:
+      labels:
+        app: mosquitto
+    spec:
+      volumes:
+      - name: tedge-vol
+        persistentVolumeClaim:
+          claimName: "tedge-pvc"
+      - name: mosquitto-config-vol
+        configMap:
+          name: mosquitto-config
+      - name: tedge-certs-vol
+        secret:
+          secretName: tedge-certs
+      initContainers:
+      - name: tedge-bootstrap
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        securityContext:
+          runAsUser: 0
+        command:
+          - sh
+          - -xec
+          - "tedge init && cp /tedge/device-certs/* /etc/tedge/device-certs/ && tedge cert show && tedge connect c8y && cat /etc/tedge/mosquitto-conf/c8y-bridge.conf"
+        volumeMounts:
+        - name: tedge-vol
+          mountPath: /etc/tedge
+        - name: tedge-certs-vol
+          mountPath: /tedge/device-certs
+        env:
+        - name: TEDGE_C8Y_URL
+          value: {{ required "A valid c8y.url is required!" .Values.c8y.url }}
+      containers:
+      - name: mosquitto
+        image: eclipse-mosquitto
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        ports:
+        - containerPort: 1883
+          name: mqtt-svc
+        volumeMounts:
+        - name: mosquitto-config-vol
+          mountPath: /mosquitto/config
+        - name: tedge-vol
+          mountPath: /etc/tedge
+      - name: tedge-mapper
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        command: ["tedge-mapper", "c8y"]
+        ports:
+        - containerPort: 8001
+        volumeMounts:
+        - name: tedge-vol
+          mountPath: /etc/tedge
+        env:
+        - name: TEDGE_MQTT_CLIENT_HOST
+          value: "localhost"
+        - name: TEDGE_C8Y_URL
+          value: {{ required "A valid c8y.url is required!" .Values.c8y.url }}
+        - name: TEDGE_HTTP_CLIENT_HOST
+          value: "fts"
+        - name: TEDGE_C8Y_PROXY_CLIENT_HOST
+          value: "localhost"
+
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: mosquitto
+spec:
+  selector:
+    app: mosquitto
+  ports:
+    - protocol: TCP
+      port: {{ .Values.services.mqtt.port }}
+      targetPort: mqtt-svc

kubernetes/tedge/templates/tedge-agent.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tedge-agent
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: tedge-agent
+  template:
+    metadata:
+      labels:
+        app: tedge-agent
+    spec:
+      containers:
+      - name: tedge-agent
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        ports:
+        - containerPort: 8000
+          name: fts-svc
+        env:
+        - name: TEDGE_MQTT_CLIENT_HOST
+          value: "mosquitto"
+        - name: TEDGE_HTTP_CLIENT_HOST
+          value: "localhost"
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: fts
+spec:
+  selector:
+    app: tedge-agent
+  ports:
+    - name: fts
+      port: 8000
+      targetPort: fts-svc