BYOH agent systemd service

.ci/build-and-push.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -o nounset
+set -o errexit
+set -o pipefail
+
+project_root=$(realpath "$(dirname $0)/..")
+build_dir=${project_root}/build
+CONTAINER_TAG=${CONTAINER_TAG:-${build_dir}/manager-container-tag}
+CONTAINER_FULL_TAG=${CONTAINER_FULL_TAG:-${build_dir}/manager-container-full-tag}
+GO_VERSION=${GO_VERSION:-1.20.0}
+

Makefile

@@ -1,4 +1,5 @@
-# Ensure Make is run with bash shell as some syntax below is bash-specific
+
+#Ensure Make is run with bash shell as some syntax below is bash-specific
 SHELL:=/usr/bin/env bash
 
 # Define registries
@@ -22,9 +23,11 @@ E2E_CONF_FILE  ?= ${REPO_ROOT}/test/e2e/config/provider.yaml
 ARTIFACTS ?= ${REPO_ROOT}/_artifacts
 SKIP_RESOURCE_CLEANUP ?= false
 USE_EXISTING_CLUSTER ?= false
-EXISTING_CLUSTER_KUBECONFIG_PATH ?=
+EXISTING_CLUSTER_BYOHOSTCONFIG_PATH ?=
 GINKGO_NOCOLOR ?= false
 
+
+
 TOOLS_DIR := $(REPO_ROOT)/hack/tools
 BIN_DIR := bin
 TOOLS_BIN_DIR := $(TOOLS_DIR)/$(BIN_DIR)
@@ -36,6 +39,29 @@ BYOH_TEMPLATES := $(REPO_ROOT)/test/e2e/data/infrastructure-provider-byoh
 LDFLAGS := -w -s $(shell hack/version.sh)
 STATIC=-extldflags '-static'
 
+check-env:
+	$(shell ./check_env.sh)
+
+
+BUILD_DIR=$(shell pwd)/build
+$(BUILD_DIR):
+	mkdir -p $@
+
+PF9_BYOHOST_SRCDIR := $(BUILD_DIR)/pf9-byohost
+$(PF9_BYOHOST_SRCDIR):
+	echo "make PF9_BYOHOST_SRCDIR $(PF9_BYOHOST_SRCDIR)"
+	rm -fr $@
+	mkdir -p $@
+
+AGENT_SRC_DIR := $(REPO_ROOT)
+RPM_SRC_ROOT := $(PF9_BYOHOST_SRCDIR)/rpmsrc
+DEB_SRC_ROOT := $(PF9_BYOHOST_SRCDIR)/debsrc
+COMMON_SRC_ROOT := $(PF9_BYOHOST_SRCDIR)/common
+PF9_BYOHOST_DEB_FILE := $(PF9_BYOHOST_SRCDIR)/debsrc/pf9-byohost-agent.deb
+RPMBUILD_DIR := $(PF9_BYOHOST_SRCDIR)/rpmsrc
+PF9_BYOHOST_RPM_FILE := $(PF9_BYOHOST_SRCDIR)/rpmsrc/pf9-byohost-agent.rpm
+DEB_DEP_SRC_ROOT := $(PF9_BYOHOST_SRCDIR)/dependencies
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
@@ -146,7 +172,7 @@ test-e2e: take-user-input docker-build prepare-byoh-docker-host-image $(GINKGO)
 	    -e2e.artifacts-folder="$(ARTIFACTS)" \
 	    -e2e.config="$(E2E_CONF_FILE)" \
 	    -e2e.skip-resource-cleanup=$(SKIP_RESOURCE_CLEANUP) -e2e.use-existing-cluster=$(USE_EXISTING_CLUSTER) \
-		-e2e.existing-cluster-kubeconfig-path=$(EXISTING_CLUSTER_KUBECONFIG_PATH)
+		-e2e.existing-cluster-kubeconfig-path=$(EXISTING_CLUSTER_BYOHOSTCONFIG_PATH)
 
 cluster-templates: kustomize cluster-templates-v1beta1
 
@@ -257,8 +283,71 @@ build-metadata-yaml:
 
 build-host-agent-binary: host-agent-binaries
 	cp bin/byoh-hostagent-linux-amd64 $(RELEASE_DIR)/byoh-hostagent-linux-amd64
-
-
+##########################################################################
+
+
+$(RPM_SRC_ROOT): | $(COMMON_SRC_ROOT)
+	echo "make RPM_SRC_ROOT: $(RPM_SRC_ROOT)"
+	cp -a $(COMMON_SRC_ROOT) $(RPM_SRC_ROOT)
+
+$(PF9_BYOHOST_RPM_FILE): |$(RPM_SRC_ROOT)
+	echo "make PF9_BYOHOST_RPM_FILE $(PF9_BYOHOST_RPM_FILE) "
+	rpmbuild -bb \
+	    --define "_topdir $(RPMBUILD_DIR)"  \
+	    --define "_src_dir $(RPM_SRC_ROOT)"  \
+	    --define "_githash $(AGENT_SRC_DIR)/scripts/pf9-byohost.spec "
+	./$(AGENT_SRC_DIR)/scripts/sign_packages.sh $(PF9_BYOHOST_RPM_FILE)
+	md5sum $(PF9_BYOHOST_RPM_FILE) | cut -d' ' -f 1  > $(PF9_BYOHOST_RPM_FILE).md5
+
+build-host-agent-rpm:  $(PF9_BYOHOST_RPM_FILE)
+	echo "make agent-rpm pf9_byohost_rpm_file = $(PF9_BYOHOST_RPM_FILE)"
+
+#########################################################################
+$(COMMON_SRC_ROOT): build-host-agent-binary
+	echo "Building COMMON_SRC_ROOT"
+	mkdir -p $(COMMON_SRC_ROOT)
+	echo "BUILDING COMMON_SRC_ROOT/binary COPING binary pf9-byoh-hostagent-linux-amd64"
+	mkdir -p $(COMMON_SRC_ROOT)/binary
+	cp $(RELEASE_DIR)/byoh-hostagent-linux-amd64 $(COMMON_SRC_ROOT)/binary/pf9-byoh-hostagent-linux-amd64
+	echo "BUILDING dir for pf9-byohost-service , COPING service pf9-byoh-agent.service "
+	mkdir -p $(COMMON_SRC_ROOT)/lib/systemd/system/
+	cp $(AGENT_SRC_DIR)/service/pf9-byohostagent.service $(COMMON_SRC_ROOT)/lib/systemd/system/pf9-byohost-agent.service
+
+$(DEB_SRC_ROOT): | $(COMMON_SRC_ROOT)
+	cp -a  $(COMMON_SRC_ROOT) $(DEB_SRC_ROOT)
+
+$(PF9_BYOHOST_DEB_FILE): $(DEB_SRC_ROOT)
+	fpm -t deb -s dir -n pf9-byohost-agent \
+	 --description "Platform9 Bring Your Own Host deb package" \
+	 --license "Commercial" --architecture all --url "http://www.platform9.net" --vendor Platform9 \
+	 -d socat -d ethtool -d ebtables -d conntrack \
+	 --after-install $(AGENT_SRC_DIR)/scripts/pf9-byohost-agent-after-install.sh \
+	 --before-remove $(AGENT_SRC_DIR)/scripts/pf9-byohost-agent-before-remove.sh \
+	 --after-remove $(AGENT_SRC_DIR)/scripts/pf9-byohost-agent-after-remove.sh \
+	 -p $(PF9_BYOHOST_DEB_FILE) \
+	 -C $(DEB_SRC_ROOT)/ .
+	./sign_packages_deb.sh $(PF9_BYOHOST_DEB_FILE)
+	md5sum $(PF9_BYOHOST_DEB_FILE) | cut -d' ' -f 1 > $(PF9_BYOHOST_DEB_FILE).md5
+
+build-host-agent-deb: $(PF9_BYOHOST_DEB_FILE)
+
+
+$(DEB_DEP_SRC_ROOT):	build-host-agent-deb
+			echo "\n Building DEB for dependency package "
+			mkdir -p $(DEB_DEP_SRC_ROOT)
+			cp $(PF9_BYOHOST_DEB_FILE) $(DEB_DEP_SRC_ROOT)/.
+			echo "Successfully copied byoh-sgent deb pkg\n"
+			cp $(AGENT_SRC_DIR)/scripts/Dockerfile $(DEB_DEP_SRC_ROOT)/Dockerfile
+			echo "Successfully copied Dockerfile"
+			cp $(AGENT_SRC_DIR)/scripts/install.sh $(DEB_DEP_SRC_ROOT)/install.sh
+			echo "Successfully copied install.sh"
+
+
+bundle-dockerfile-debpkg-install : | $(DEB_DEP_SRC_ROOT)
+	echo $(DEB_DEP_SRC_ROOT)
+
+
+########################################################################
 # go-get-tool will 'go get' any package $2 and install it to $1.
 PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 define go-get-tool
@@ -268,7 +357,7 @@ TMP_DIR=$$(mktemp -d) ;\
 cd $$TMP_DIR ;\
 go mod init tmp ;\
 echo "Downloading $(2)" ;\
-GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
+GOBIN=$(PROJECT_DIR)/bi go install $(2) ;\
 rm -rf $$TMP_DIR ;\
 }
 endef

agent/main.go

@@ -86,7 +86,7 @@ func setupflags() {
 	// clear any discard loggers set by dependecies
 	klog.ClearLogger()
 
-	flag.StringVar(&namespace, "namespace", "default", "Namespace in the management cluster where you would like to register this host")
+	flag.StringVar(&namespace, "namespace" ,"default","Namespace in the management cluster where you would like to register this host")
 	flag.Int64Var(&certExpiryDuration, "certExpiryDuration", registration.ExpirationSeconds, "Duration (in seconds) for the expiration of the host certificates")
 	flag.Var(&labels, "label", "labels to attach to the ByoHost CR in the form labelname=labelVal for e.g. '--label site=apac --label cores=2'")
 	flag.StringVar(&metricsbindaddress, "metricsbindaddress", ":8080", "metricsbindaddress is the TCP address that the controller should bind to for serving prometheus metrics.It can be set to \"0\" to disable the metrics serving")
@@ -129,6 +129,9 @@ var (
 	bootstrapKubeConfig string
 	certExpiryDuration  int64
 )
+const (
+	DefaultNamespacePath = "/namespace"  
+)
 
 // TODO - fix logging
 func main() {
@@ -162,7 +165,7 @@ func main() {
 			os.Exit(1)
 		}
 	}
-	// Handle restart flow or if the ~/.byoh/config already exists
+	// Handle restart flow or if the ~/.byoh/config
 	config := getConfig(logger)
 	k8sClient := getClient(logger, config)
 	registration.LocalHostRegistrar = &registration.HostRegistrar{K8sClient: k8sClient}
@@ -300,3 +303,5 @@ func getClient(logger logr.Logger, config *rest.Config) client.Client {
 
 	return k8sClient
 }
+
+

agent/registration/csr.go

@@ -121,7 +121,7 @@ func (bcsr *ByohCSR) RequestBYOHClientCert(hostname string) (string, types.UID,
 	reqName, reqUID, err := csr.RequestCertificate(bcsr.bootstrapClient,
 		csrData,
 		fmt.Sprintf(ByohCSRNameFormat, hostname),
-		certv1.KubeAPIServerClientSignerName,
+		"clusterissuers.cert-manager.io/byoh-issuer",
 		&certTimeToExpire,
 		[]certv1.KeyUsage{certv1.UsageClientAuth},
 		privateKey)

apis/infrastructure/v1beta1/byohost_webhook.go

@@ -23,7 +23,7 @@ type ByoHostValidator struct {
 }
 
 // To allow byoh manager service account to patch ByoHost CR
-const managerServiceAccount = "system:serviceaccount:byoh-system:byoh-controller-manager"
+const managerServiceAccount = "system:serviceaccount:kaapi:byoh-controller-manager"
 
 //nolint: gocritic
 // Handle handles all the requests for ByoHost resource

chart-generator/byoh-chart/kustomization.yaml

@@ -0,0 +1,75 @@
+# Adds namespace to all resources.
+namespace: '{{ .Release.Namespace }}'
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: byoh-
+
+# Labels to add to all resources and selectors.
+commonLabels:
+  cluster.x-k8s.io/provider: "infrastructure-byoh"
+
+bases:
+- ../../config/crd
+- ../../config/rbac
+- ../../config/manager
+- ../../config/webhook
+- ../../config/certmanager
+# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
+#- ../prometheus
+
+
+patchesStrategicMerge:
+#Protect the /metrics endpoint by putting it behind auth.
+# If you want your controller-manager to expose the /metrics
+# endpoint w/o any authn/z, please comment the following line.
+- manager_auth_proxy_patch.yaml
+
+# Mount the controller config file for loading manager configurations
+# through a ComponentConfig type
+#- manager_config_patch.yaml
+
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+- manager_webhook_patch.yaml
+
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
+# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
+# 'CERTMANAGER' needs to be enabled to use ca injection
+- webhookcainjection_patch.yaml
+
+# the following config is for teaching kustomize how to do var substitution
+vars:
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
+- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert # this name should match the one in certificate.yaml
+  fieldref:
+    fieldpath: metadata.namespace
+- name: CERTIFICATE_NAME
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert # this name should match the one in certificate.yaml
+- name: SERVICE_NAMESPACE # namespace of the service
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
+  fieldref:
+    fieldpath: metadata.namespace
+- name: SERVICE_NAME
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
+
+configurations:
+  - kustomizeconfig.yaml

chart-generator/byoh-chart/kustomizeconfig.yaml

@@ -0,0 +1,4 @@
+# This configuration is for teaching kustomize how to update name ref and var substitution
+varReference:
+- kind: Deployment
+  path: spec/template/spec/volumes/secret/secretName

chart-generator/byoh-chart/manager_auth_proxy_patch.yaml

@@ -0,0 +1,25 @@
+# This patch injects a sidecar container which is an HTTP proxy for the
+# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: kube-rbac-proxy
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=10"
+        ports:
+        - containerPort: 8443
+          name: https
+      - name: manager
+        args:
+        - "--metrics-addr=127.0.0.1:8080"
+        - "--enable-leader-election"

chart-generator/byoh-chart/manager_config_patch.yaml

@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        args:
+        - "--config=controller_manager_config.yaml"
+        volumeMounts:
+        - name: manager-config
+          mountPath: /controller_manager_config.yaml
+          subPath: controller_manager_config.yaml
+      volumes:
+      - name: manager-config
+        configMap:
+          name: manager-config

chart-generator/byoh-chart/manager_webhook_patch.yaml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: $(SERVICE_NAME)-cert

chart-generator/byoh-chart/metrics_service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    control-plane: controller-manager
+    app.kubernetes.io/name: barista
+    app.kubernetes.io/managed-by: kustomize
+  name: controller-manager-metrics-service
+  namespace: system
+spec:
+  ports:
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: 8443
+  selector:
+    control-plane: controller-manager

chart-generator/byoh-chart/webhookcainjection_patch.yaml

@@ -0,0 +1,9 @@
+# This patch adds annotation to admission webhook config and
+# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)