diff --git a/.github/dependabot.yml b/.github/dependabot.yml index a444d5de..191b6bfe 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -16,7 +16,7 @@ updates: interval: "daily" open-pull-requests-limit: 10 - package-ecosystem: "docker" - directory: "/irimachineprovider" + directory: "/metal-provider" schedule: interval: "daily" open-pull-requests-limit: 10 diff --git a/.github/workflows/publish-docker-irimachineprovider.yml b/.github/workflows/publish-docker-metal-provider.yml similarity index 97% rename from .github/workflows/publish-docker-irimachineprovider.yml rename to .github/workflows/publish-docker-metal-provider.yml index bf5b0448..2b1d3d9d 100644 --- a/.github/workflows/publish-docker-irimachineprovider.yml +++ b/.github/workflows/publish-docker-metal-provider.yml @@ -63,7 +63,7 @@ jobs: timeout-minutes: 40 uses: docker/build-push-action@v5 with: - file: irimachineprovider/Dockerfile + file: metal-provider/Dockerfile context: . platforms: ${{ env.platforms }} push: true diff --git a/irimachineprovider/Dockerfile b/metal-provider/Dockerfile similarity index 88% rename from irimachineprovider/Dockerfile rename to metal-provider/Dockerfile index 2e6760fd..c575846f 100644 --- a/irimachineprovider/Dockerfile +++ b/metal-provider/Dockerfile @@ -12,9 +12,9 @@ RUN --mount=type=ssh --mount=type=secret,id=github_pat GITHUB_PAT_PATH=/run/secr COPY apis/ apis/ COPY applyconfiguration/ applyconfiguration/ -COPY irimachineprovider/ irimachineprovider/ +COPY metal-provider/ metal-provider/ COPY pkg/ pkg/ -RUN CGO_ENABLED=0 GOOS=linux GOARCH=${GOARCH} go build -a -o /metal-provider irimachineprovider/main.go +RUN CGO_ENABLED=0 GOOS=linux GOARCH=${GOARCH} go build -a -o /metal-provider metal-provider/main.go FROM gcr.io/distroless/static:nonroot WORKDIR / diff --git a/metal-provider/config/default/kustomization.yaml b/metal-provider/config/default/kustomization.yaml new file mode 100644 index 00000000..c2262f9c --- /dev/null 
+++ b/metal-provider/config/default/kustomization.yaml
@@ -0,0 +1,10 @@
+namespace: metal-provider-system
+
+namePrefix: metal-provider-
+
+bases:
+- ../rbac
+- ../manager
+
+patchesStrategicMerge:
+- manager_auth_proxy_patch.yaml
diff --git a/metal-provider/config/default/manager_auth_proxy_patch.yaml b/metal-provider/config/default/manager_auth_proxy_patch.yaml
new file mode 100644
index 00000000..6600ac6c
--- /dev/null
+++ b/metal-provider/config/default/manager_auth_proxy_patch.yaml
@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ template:
+ spec:
+ containers:
+ - name: kube-rbac-proxy
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
+ args:
+ - "--secure-listen-address=0.0.0.0:8443"
+ - "--upstream=http://127.0.0.1:8080/"
+ - "--logtostderr=true"
+ - "--v=0"
+ ports:
+ - containerPort: 8443
+ protocol: TCP
+ name: https
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 5m
+ memory: 64Mi
+ - name: manager
+ args:
+ - "--health-probe-bind-address=:8081"
+ - "--metrics-bind-address=127.0.0.1:8080"
+ - "--leader-elect"
diff --git a/metal-provider/config/manager/kustomization.yaml b/metal-provider/config/manager/kustomization.yaml
new file mode 100644
index 00000000..4fe5ccaa
--- /dev/null
+++ b/metal-provider/config/manager/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+- manager.yaml
+
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/metal-provider/config/manager/manager.yaml b/metal-provider/config/manager/manager.yaml
new file mode 100644
index 00000000..c52ec9cd
--- /dev/null
+++ b/metal-provider/config/manager/manager.yaml
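Review bot: The second container entry in the patch is `- name: manager`, but the Deployment it targets (manager.yaml in this same commit) names its containers `metal-provider` and `machinepoollet`; strategic merge on `containers` keys by `name`, so this entry would append a third container with no image instead of adding the probe, metrics and leader-elect args to the provider. Change it to `- name: metal-provider`. The `--upstream=http://127.0.0.1:8080/` pairing with `--metrics-bind-address=127.0.0.1:8080` also presumes the provider accepts these flags and serves metrics there, which the main.go hunk in this diff does not show; confirm against the binary's flag set.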
@@ -0,0 +1,96 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+ labels:
+ control-plane: controller-manager
+spec:
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ replicas: 1
+ template:
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: metal-provider
+ labels:
+ control-plane: controller-manager
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - command:
+ - /metal-provier
+ args:
+ - --leader-elect
+ image: metal-provider:latest
+ name: metal-provider
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ - command:
+ - /machinepoollet
+ args:
+ - --leader-elect
+ image: machinepoollet:latest
+ name: machinepoollet
+ securityContext:
+ allowPrivilegeEscalation: false
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 100m
+ memory: 30Mi
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ volumeMounts:
+ - mountPath: /var/run
+ name: var-run
+ serviceAccountName: controller-manager
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: var-run
+ emptyDir: { }
diff --git a/metal-provider/config/rbac/auth_proxy_client_clusterrole.yaml b/metal-provider/config/rbac/auth_proxy_client_clusterrole.yaml
new file mode 100644
index 00000000..51a75db4
--- /dev/null
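Review bot: The `metal-provider` container's command is `/metal-provier`, while the Dockerfile hunk in this commit builds the binary to `/metal-provider`, so the container will fail to start; change the line to `- /metal-provider`. The `machinepoollet` container sets only `allowPrivilegeEscalation: false` and omits the `capabilities: drop: ["ALL"]` block its sibling has; mirror the sibling's `securityContext` unless machinepoollet genuinely needs a capability, in which case name it explicitly. Both containers point their liveness and readiness probes at port 8081 in the same pod network namespace, so if each binds its own health endpoint on 8081 the second one fails; give one of them a distinct probe port and matching bind flag.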
+++ b/metal-provider/config/rbac/auth_proxy_client_clusterrole.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: metrics-reader
+rules:
+- nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
diff --git a/metal-provider/config/rbac/auth_proxy_role.yaml b/metal-provider/config/rbac/auth_proxy_role.yaml
new file mode 100644
index 00000000..80e1857c
--- /dev/null
+++ b/metal-provider/config/rbac/auth_proxy_role.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
diff --git a/metal-provider/config/rbac/auth_proxy_role_binding.yaml b/metal-provider/config/rbac/auth_proxy_role_binding.yaml
new file mode 100644
index 00000000..ec7acc0a
--- /dev/null
+++ b/metal-provider/config/rbac/auth_proxy_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: proxy-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/metal-provider/config/rbac/auth_proxy_service.yaml b/metal-provider/config/rbac/auth_proxy_service.yaml
new file mode 100644
index 00000000..71f17972
--- /dev/null
+++ b/metal-provider/config/rbac/auth_proxy_service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: controller-manager-metrics-service
+ namespace: system
+spec:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: https
+ selector:
+ control-plane: controller-manager
diff --git a/metal-provider/config/rbac/kustomization.yaml b/metal-provider/config/rbac/kustomization.yaml
new file mode 100644
index 00000000..ca04e399
--- /dev/null
+++ b/metal-provider/config/rbac/kustomization.yaml
@@ -0,0 +1,10 @@
+resources:
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+- auth_proxy_service.yaml
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml
diff --git a/metal-provider/config/rbac/leader_election_role.yaml b/metal-provider/config/rbac/leader_election_role.yaml
new file mode 100644
index 00000000..4190ec80
--- /dev/null
+++ b/metal-provider/config/rbac/leader_election_role.yaml
@@ -0,0 +1,37 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: leader-election-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/metal-provider/config/rbac/leader_election_role_binding.yaml b/metal-provider/config/rbac/leader_election_role_binding.yaml
new file mode 100644
index 00000000..1d1321ed
--- /dev/null
+++ b/metal-provider/config/rbac/leader_election_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: leader-election-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/metal-provider/config/rbac/oob_editor_role.yaml b/metal-provider/config/rbac/oob_editor_role.yaml
new file mode 100644
index 00000000..eb0f6f29
--- /dev/null
+++ b/metal-provider/config/rbac/oob_editor_role.yaml
@@ -0,0 +1,24 @@
+# permissions for end users to edit oobs.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: oob-editor-role
+rules:
+- apiGroups:
+ - onmetal.de
+ resources:
+ - oobs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - onmetal.de
+ resources:
+ - oobs/status
+ verbs:
+ - get
diff --git a/metal-provider/config/rbac/oob_viewer_role.yaml b/metal-provider/config/rbac/oob_viewer_role.yaml
new file mode 100644
index 00000000..e5dd535a
--- /dev/null
+++ b/metal-provider/config/rbac/oob_viewer_role.yaml
@@ -0,0 +1,20 @@
+# permissions for end users to view oobs.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: oob-viewer-role
+rules:
+- apiGroups:
+ - onmetal.de
+ resources:
+ - oobs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - onmetal.de
+ resources:
+ - oobs/status
+ verbs:
+ - get
diff --git a/metal-provider/config/rbac/role.yaml b/metal-provider/config/rbac/role.yaml
new file mode 100644
index 00000000..3f4bc7e0
--- /dev/null
+++ b/metal-provider/config/rbac/role.yaml
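Review bot: Both `oob-editor-role` (this hunk) and `oob-viewer-role` (the `oob_viewer_role.yaml` hunk that follows) use `apiGroups: - onmetal.de`, while every group in this commit's `role.yaml` and the Go imports in main.go use `*.ironcore.dev`; if the OOB CRD has moved to an ironcore.dev group, these ClusterRoles grant nothing, and if it has not, a comment saying so would stop the next reader from "fixing" it. Confirm the group against the CRD and update the four `- onmetal.de` entries together. Neither file is listed in `rbac/kustomization.yaml`, which is fine if they are meant to be opt-in like kubebuilder's default editor/viewer roles, but worth stating in the file header comment.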
@@ -0,0 +1,146 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests/machinepoolclient
+ verbs:
+ - create
+- apiGroups:
+ - compute.ironcore.dev
+ resources:
+ - machineclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - compute.ironcore.dev
+ resources:
+ - machinepools
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - compute.ironcore.dev
+ resources:
+ - machinepools/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - compute.ironcore.dev
+ resources:
+ - machines
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - compute.ironcore.dev
+ resources:
+ - machines/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - compute.ironcore.dev
+ resources:
+ - machines/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - ipam.ironcore.dev
+ resources:
+ - prefixes
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.ironcore.dev
+ resources:
+ - networkinterfaces
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - networking.ironcore.dev
+ resources:
+ - networkinterfaces/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - networking.ironcore.dev
+ resources:
+ - networks
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - storage.ironcore.dev
+ resources:
+ - volumes
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/metal-provider/config/rbac/role_binding.yaml b/metal-provider/config/rbac/role_binding.yaml
new file mode 100644
index 00000000..2070ede4
--- /dev/null
+++ b/metal-provider/config/rbac/role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/metal-provider/config/rbac/service_account.yaml b/metal-provider/config/rbac/service_account.yaml
new file mode 100644
index 00000000..7cd6025b
--- /dev/null
+++ b/metal-provider/config/rbac/service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: controller-manager
+ namespace: system
diff --git a/irimachineprovider/internal/log/log.go b/metal-provider/internal/log/log.go
similarity index 100%
rename from irimachineprovider/internal/log/log.go
rename to metal-provider/internal/log/log.go
diff --git a/irimachineprovider/internal/patch/patch.go b/metal-provider/internal/patch/patch.go
similarity index 100%
rename from irimachineprovider/internal/patch/patch.go
rename to metal-provider/internal/patch/patch.go
diff --git a/irimachineprovider/internal/unix/unix.go b/metal-provider/internal/unix/unix.go
similarity index 100%
rename from irimachineprovider/internal/unix/unix.go
rename to metal-provider/internal/unix/unix.go
diff --git a/irimachineprovider/main.go b/metal-provider/main.go
similarity index 98%
rename from irimachineprovider/main.go
rename to metal-provider/main.go
index 64264348..882f5911 100644
--- a/irimachineprovider/main.go
+++ b/metal-provider/main.go
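Review bot: `manager-role` is a ClusterRole whose second rule grants `secrets` create/get/list/patch/update/watch, which lets the `controller-manager` ServiceAccount read and rewrite every Secret in the cluster rather than only the ones the provider manages. If the provider only touches secrets in its own namespace, move that rule into a namespaced Role bound by a RoleBinding (or constrain it with `resourceNames`) and keep the ClusterRole for the cluster-scoped ironcore resources. The `tokenreviews` and `subjectaccessreviews` rules duplicate `proxy-role` from `auth_proxy_role.yaml`, so one copy can go unless the manager performs its own authentication checks. The layout looks like kubebuilder-generated output from RBAC markers; if that is the case, the change belongs on the markers so the next `make manifests` does not undo it.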
@@ -39,8 +39,8 @@ import ( onmetalcomputev1alpha1 "github.com/ironcore-dev/ironcore/api/compute/v1alpha1" metalv1alpha4 "github.com/ironcore-dev/metal/apis/metal/v1alpha4" - "github.com/ironcore-dev/metal/irimachineprovider/internal/log" - "github.com/ironcore-dev/metal/irimachineprovider/servers" + "github.com/ironcore-dev/metal/metal-provider/internal/log" + "github.com/ironcore-dev/metal/metal-provider/servers" ) func usage() { diff --git a/irimachineprovider/servers/grpc_server.go b/metal-provider/servers/grpc_server.go similarity index 96% rename from irimachineprovider/servers/grpc_server.go rename to metal-provider/servers/grpc_server.go index 7fd66975..67cc13b0 100644 --- a/irimachineprovider/servers/grpc_server.go +++ b/metal-provider/servers/grpc_server.go @@ -37,9 +37,9 @@ import ( metalv1alpha4 "github.com/ironcore-dev/metal/apis/metal/v1alpha4" metalv1alpha4apply "github.com/ironcore-dev/metal/applyconfiguration/metal/v1alpha4" - "github.com/ironcore-dev/metal/irimachineprovider/internal/log" - "github.com/ironcore-dev/metal/irimachineprovider/internal/patch" - "github.com/ironcore-dev/metal/irimachineprovider/internal/unix" + "github.com/ironcore-dev/metal/metal-provider/internal/log" + "github.com/ironcore-dev/metal/metal-provider/internal/patch" + "github.com/ironcore-dev/metal/metal-provider/internal/unix" ) func NewGRPCServer(addr string, namespace string) (*GRPCServer, error) { @@ -126,7 +126,11 @@ func (s *GRPCServer) ListMachines(ctx context.Context, req *irimachinev1alpha1.L return nil, internalError(ctx, fmt.Errorf("could not list machines: %w", err)) } - machines = machineList.Items + for _, m := range machineList.Items { + if m.Status.Reservation.Status == "Reserved" { + machines = append(machines, m) + } + } } else { ctx = log.WithValues(ctx, "machine", id) 
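Review bot: The new loop in the list branch of ListMachines keeps only items whose `Status.Reservation.Status == "Reserved"`, but the by-id branch starting at `} else {` at the end of the hunk (and continuing into the next hunk, where `machines = append(machines, machine)` is unconditional) applies no such check, so a caller can fetch by id a machine the unfiltered list would hide; apply the same predicate there or add a comment stating why a direct lookup is exempt. `"Reserved"` is a bare string literal: if `metalv1alpha4` exports a constant for this reservation status, use it so a rename in the API type cannot silently turn the filter into an empty list. ListMachines begins before and ends after this hunk.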
@@ -151,7 +155,7 @@ func (s *GRPCServer) ListMachines(ctx context.Context, req *irimachinev1alpha1.L machines = append(machines, machine) } - resMachines := make([]*irimachinev1alpha1.Machine, len(machines)) + resMachines := make([]*irimachinev1alpha1.Machine, 0, len(machines)) for _, m := range machines { resMachines = append(resMachines, &irimachinev1alpha1.Machine{ Metadata: kMetaToMeta(&m.ObjectMeta), @@ -276,7 +280,7 @@ func (s *GRPCServer) CreateMachine(ctx context.Context, req *irimachinev1alpha1. }, } log.Debug(ctx, "Applying machine status") - err = s.Client.Status().Patch(ctx, machine, patch.ApplyConfiguration(machineApply), client.FieldOwner("metal.ironcore.dev/irimachineprovider"), client.ForceOwnership) + err = s.Client.Status().Patch(ctx, machine, patch.ApplyConfiguration(machineApply), client.FieldOwner("metal.ironcore.dev/metal-provider"), client.ForceOwnership) if err != nil { return nil, internalError(ctx, fmt.Errorf("could not apply machine status: %w", err)) } @@ -302,7 +306,7 @@ func (s *GRPCServer) CreateMachine(ctx context.Context, req *irimachinev1alpha1. }, } log.Debug(ctx, "Applying machine annotations and labels") - err = s.Client.Patch(ctx, machine, patch.ApplyConfiguration(machineApply), client.FieldOwner("metal.ironcore.dev/irimachineprovider"), client.ForceOwnership) + err = s.Client.Patch(ctx, machine, patch.ApplyConfiguration(machineApply), client.FieldOwner("metal.ironcore.dev/metal-provider"), client.ForceOwnership) if err != nil { return nil, internalError(ctx, fmt.Errorf("could not apply machine: %w", err)) } 
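Review bot: The field manager string `metal.ironcore.dev/metal-provider` is now a literal at four apply sites (this hunk at `-276`, the `-302` hunk below, and the two DeleteMachine hunks at `-386` and `-404` on the next line); hoist it to one package-level `const fieldOwner = "metal.ironcore.dev/metal-provider"` and pass `client.FieldOwner(fieldOwner)` so the sites cannot drift. Renaming a server-side-apply manager also deserves a comment at the constant: `client.ForceOwnership` lets the new manager take over fields it still sets, but fields the retired `metal.ironcore.dev/irimachineprovider` manager set on existing objects that the new code no longer applies stay owned by the old manager and are not pruned. CreateMachine begins and ends outside this hunk.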
@@ -386,7 +390,7 @@ func (s *GRPCServer) DeleteMachine(ctx context.Context, req *irimachinev1alpha1. }, } log.Debug(ctx, "Applying machine annotations and labels") - err = s.Client.Patch(ctx, &machine, patch.ApplyConfiguration(machineApply), client.FieldOwner("metal.ironcore.dev/irimachineprovider"), client.ForceOwnership) + err = s.Client.Patch(ctx, &machine, patch.ApplyConfiguration(machineApply), client.FieldOwner("metal.ironcore.dev/metal-provider"), client.ForceOwnership) if err != nil { return nil, internalError(ctx, fmt.Errorf("could not apply machine: %w", err)) } @@ -404,7 +408,7 @@ func (s *GRPCServer) DeleteMachine(ctx context.Context, req *irimachinev1alpha1. }, } log.Debug(ctx, "Applying machine status") - err = s.Client.Status().Patch(ctx, &machine, patch.ApplyConfiguration(machineApply), client.FieldOwner("metal.ironcore.dev/irimachineprovider"), client.ForceOwnership) + err = s.Client.Status().Patch(ctx, &machine, patch.ApplyConfiguration(machineApply), client.FieldOwner("metal.ironcore.dev/metal-provider"), client.ForceOwnership) if err != nil { return nil, internalError(ctx, fmt.Errorf("could not apply machine status: %w", err)) }