OSBuildEnvConfig Controller - Create and Setup Workers

Controller ---------- Create ConfigMaps for Ansible configuration and playbook Create ConfigMap for the osbuild-worker Create Secret with SSH Key-Pair if needed For each VM: - If needed, create the VM and expose its SSH port as a service - Create certificate - Create ConfigMap for the inventory - Create the Setup Job Remove the worker certificate secrets on teardown main.go ------- Add kubevirt v1 to Scheme Create Job and VM repositories Templates --------- Add templates for: - Worker VM - Worker Setup Job - OSBuild-Worker configuration - Ansible Config - Ansible Inventory - Ansible Playbook Repository ---------- Add repositories for Job and CNV VM RBAC ---- Add permissions for Jobs and CNV VMs SSHKey ------ Add package for SSH Key-Pair generation Setup Container image --------------------- Add Dockerfile Add Makefile rules Add ansible requirements.yml file Type ---- Add comment about the required key in the CABundle secret Config ------ Add configuration flags for the worker setup container image name and tag Add configuration flags for the composer api service container image name and tag Add configuration flags for the envoy proxy container image name and tag Add configuration flags for the OSBuild and OSBuild-Composer release tags Unit Tests ---------- Add tests to the new code Sample ------ Rename the worker to avoid conflict with node Add caBundleSecretReference Signed-off-by: Ygal Blum <[email protected]>
David-eb97 · Jul 13, 2022 · c77cb7c · c77cb7c
1 parent 367ba2f
commit c77cb7c
Show file tree

Hide file tree

Showing 171 changed files with 35,097 additions and 58 deletions.
diff --git a/Dockerfile.WorkerSetupJob b/Dockerfile.WorkerSetupJob
@@ -0,0 +1,19 @@
+FROM registry.access.redhat.com/ubi8/python-39
+
+USER 0
+
+COPY resources/ansible/requirements.yml /tmp/requirements.yml
+
+RUN dnf install skopeo -y && \
+    pip install --upgrade pip && \
+    pip install openshift && \
+    pip install jmespath && \
+    pip install netaddr && \
+    pip install ansible==2.9.27 && \
+    curl -L https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-client-linux.tar.gz | \
+    tar -xvzf - -C /usr/local/bin/ oc && chmod 755 /usr/local/bin/oc && ln -s /usr/local/bin/oc /usr/local/bin/kubectl && \
+    ansible-galaxy collection install -r /tmp/requirements.yml
+
+RUN chgrp -R 0 $HOME && chmod -R g=u $HOME
+
+USER 1001
diff --git a/Makefile b/Makefile
@@ -48,6 +48,11 @@ endif
 
 # Image URL to use all building/pushing image targets
 IMG ?= controller:latest
+
+# Worker setup job container
+SETUP_IMG ?= quay.io/project-flotta/osbuild-operator-worker-setup:v0.1
+SETUP_DOCKERFILE = Dockerfile.WorkerSetupJob
+
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.23
 
@@ -203,6 +208,14 @@ docker-build: test ## Build docker image with the manager.
 docker-push: ## Push docker image with the manager.
 	$(CONTAINER_RUNTIME) push ${IMG}
 
+.PHONY: setup-image-build
+setup-image-build: # Build container image for the Worker setup job
+	$(CONTAINER_RUNTIME) build -t ${SETUP_IMG} -f ${SETUP_DOCKERFILE} .
+
+.PHONY: setup-image-push
+setup-image-push: ## Push the Worker setup job image.
+	$(CONTAINER_RUNTIME) push ${SETUP_IMG}
+
 ##@ Deployment
 
 ifndef ignore-not-found

diff --git a/api/v1alpha1/osbuildenvconfig_types.go b/api/v1alpha1/osbuildenvconfig_types.go
@@ -138,6 +138,7 @@ type GenericS3ServiceConfig struct {
 	Endpoint string `json:"endpoint"`
 	// CABundleSecretReference is a reference to a secret in the same namespace,
 	// containing the CA certificate to use when connecting to the S3 service (optional, default empty)
+	// If provided the required key is ca-bundle
 	// +kubebuilder:validation:Optional
 	CABundleSecretReference *buildv1.SecretLocalReference `json:"caBundleSecretReference,omitempty"`
 	// SkipSSLVerification when set to true the SSL certificate will not be verified (optional, default False)

diff --git a/config/crd/bases/osbuilder.project-flotta.io_osbuildenvconfigs.yaml b/config/crd/bases/osbuilder.project-flotta.io_osbuildenvconfigs.yaml
@@ -128,7 +128,7 @@ spec:
                         description: CABundleSecretReference is a reference to a secret
                           in the same namespace, containing the CA certificate to
                           use when connecting to the S3 service (optional, default
-                          empty)
+                          empty) If provided the required key is ca-bundle
                         properties:
                           name:
                             description: Name is the name of the resource in the same

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -17,6 +17,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - cert-manager.io
   resources:
@@ -65,6 +77,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - kubevirt.io
+  resources:
+  - virtualmachines
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - osbuilder.project-flotta.io
   resources:

diff --git a/config/samples/osbuilder_v1alpha1_osbuildenvconfig.yaml b/config/samples/osbuilder_v1alpha1_osbuildenvconfig.yaml
@@ -9,7 +9,7 @@ spec:
         name: composer-db
       sslMode: disable
   workers:
-  - name: worker-1
+  - name: builder-1
     vmWorkerConfig:
       architecture: x86_64
       imageURL: "http://nexus-osbuild:8081/repository/disk-images/rhel-8.5-x86_64-kvm.qcow2"
@@ -19,6 +19,8 @@ spec:
     genericS3ServiceConfig:
       credsSecretReference:
         name: osbuild-s3-credentials
+      caBundleSecretReference:
+        name: osbuild-s3-ca-bundle
       region: us-east-1
       bucket: osbuild-images
       endpoint: "http://minio:9000"