Move modifications to actuator in order to pick them up with GNA later.

metal-stack · Aug 20, 2024 · a63debd · a63debd
1 parent 73a063b
commit a63debd
Show file tree

Hide file tree

Showing 4 changed files with 236 additions and 325 deletions.
diff --git a/go.mod b/go.mod
@@ -10,6 +10,7 @@ require (
 	github.com/gardener/gardener v1.89.4
 	github.com/go-logr/logr v1.4.2
 	github.com/golang/mock v1.6.0
+	github.com/google/go-cmp v0.6.0
 	github.com/metal-stack/gardener-extension-provider-metal v0.24.4
 	github.com/onsi/ginkgo/v2 v2.20.0
 	github.com/onsi/gomega v1.34.1
@@ -58,7 +59,6 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 // indirect
 	github.com/google/uuid v1.6.0 // indirect

diff --git a/pkg/controller/operatingsystemconfig/actuator.go b/pkg/controller/operatingsystemconfig/actuator.go
@@ -18,29 +18,66 @@ import (
 	"context"
 	_ "embed"
 	"fmt"
+	"strings"
 
 	"github.com/gardener/gardener/extensions/pkg/controller/operatingsystemconfig"
 	oscommonactuator "github.com/gardener/gardener/extensions/pkg/controller/operatingsystemconfig/oscommon/actuator"
+	gardenv1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
 	extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
 	"github.com/go-logr/logr"
+	metalextensionv1alpha1 "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/v1alpha1"
+	"github.com/metal-stack/os-metal-extension/pkg/controller/operatingsystemconfig/generator"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
+)
 
-	"github.com/metal-stack/os-metal-extension/pkg/controller/operatingsystemconfig/generator"
+const (
+	containerdConfig = `# Generated by os-extension-metal
+imports = ["/etc/containerd/conf.d/*.toml"]
+disabled_plugins = []
+
+[plugins."io.containerd.grpc.v1.cri".registry]
+  config_path = "/etc/containerd/certs.d"
+`
 )
 
 type actuator struct {
-	client client.Client
+	client  client.Client
+	decoder runtime.Decoder
 }
 
 // NewActuator creates a new Actuator that updates the status of the handled OperatingSystemConfig resources.
 func NewActuator(mgr manager.Manager) operatingsystemconfig.Actuator {
+	scheme := runtime.NewScheme()
+	utilruntime.Must(gardenv1beta1.AddToScheme(scheme))
+	decoder := serializer.NewCodecFactory(scheme).UniversalDecoder()
+
 	return &actuator{
-		client: mgr.GetClient(),
+		client:  mgr.GetClient(),
+		decoder: decoder,
 	}
 }
 
 func (a *actuator) Reconcile(ctx context.Context, log logr.Logger, osc *extensionsv1alpha1.OperatingSystemConfig) ([]byte, *string, []string, []string, []extensionsv1alpha1.Unit, []extensionsv1alpha1.File, error) {
+	imageProviderConfig := &metalextensionv1alpha1.ImageProviderConfig{}
+
+	networkIsolation := &metalextensionv1alpha1.NetworkIsolation{}
+	if osc.Spec.ProviderConfig != nil {
+		err := decodeProviderConfig(a.decoder, osc.Spec.ProviderConfig, imageProviderConfig)
+		if err != nil {
+			return nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to decode providerConfig")
+		}
+	}
+	if imageProviderConfig.NetworkIsolation != nil {
+		networkIsolation = imageProviderConfig.NetworkIsolation
+	}
+
+	osc = addOsSpecifics(osc, networkIsolation)
+
 	cloudConfig, command, err := oscommonactuator.CloudConfigFromOperatingSystemConfig(ctx, log, a.client, osc, generator.IgnitionGenerator())
 	if err != nil {
 		return nil, nil, nil, nil, nil, nil, fmt.Errorf("could not generate cloud config: %w", err)
@@ -64,3 +101,136 @@ func (a *actuator) ForceDelete(ctx context.Context, log logr.Logger, osc *extens
 func (a *actuator) Restore(ctx context.Context, log logr.Logger, osc *extensionsv1alpha1.OperatingSystemConfig) ([]byte, *string, []string, []string, []extensionsv1alpha1.Unit, []extensionsv1alpha1.File, error) {
 	return a.Reconcile(ctx, log, osc)
 }
+
+func addOsSpecifics(osc *extensionsv1alpha1.OperatingSystemConfig, networkIsolation *metalextensionv1alpha1.NetworkIsolation) *extensionsv1alpha1.OperatingSystemConfig {
+	osc = osc.DeepCopy()
+
+	dnsFiles := additionalDNSConfFiles(networkIsolation.DNSServers)
+	osc.Spec.Files = append(osc.Spec.Files, dnsFiles...)
+
+	ntpFiles := additionalNTPConfFiles(networkIsolation.NTPServers)
+	osc.Spec.Files = append(osc.Spec.Files, ntpFiles...)
+
+	if osc.Spec.CRIConfig != nil && osc.Spec.CRIConfig.Name == extensionsv1alpha1.CRINameContainerD {
+		// the debian:12 containerd ships with "cri" plugin disabled, so we need override the config that ships with the os
+		//
+		// with g/g v1.100 it would be best to just remove the config.toml and let the GNA generate the default config.
+		// unfortunately, ignition does not allow to remove files easily.
+		// along with the default import paths. see https://github.com/gardener/gardener/pull/10050)
+		osc.Spec.Files = append(osc.Spec.Files, extensionsv1alpha1.File{
+			Path:        "/etc/containerd/config.toml",
+			Permissions: ptr.To(int32(0644)),
+			Content: extensionsv1alpha1.FileContent{
+				Inline: &extensionsv1alpha1.FileContentInline{
+					Encoding: string(extensionsv1alpha1.PlainFileCodecID),
+					Data:     containerdConfig,
+				},
+			},
+		})
+
+		if len(networkIsolation.RegistryMirrors) > 0 {
+			osc.Spec.Files = append(osc.Spec.Files, additionalContainerdMirrors(networkIsolation.RegistryMirrors)...)
+		}
+	}
+
+	return osc
+}
+
+// decodeProviderConfig decodes the provider config into the given struct
+func decodeProviderConfig(decoder runtime.Decoder, providerConfig *runtime.RawExtension, into runtime.Object) error {
+	if providerConfig == nil {
+		return nil
+	}
+
+	if _, _, err := decoder.Decode(providerConfig.Raw, nil, into); err != nil {
+		return fmt.Errorf("could not decode provider config: %w", err)
+	}
+
+	return nil
+}
+
+func additionalContainerdMirrors(mirrors []metalextensionv1alpha1.RegistryMirror) []extensionsv1alpha1.File {
+	var files []extensionsv1alpha1.File
+
+	for _, m := range mirrors {
+		for _, of := range m.MirrorOf {
+			content := fmt.Sprintf(`server = "https://%s"
+
+[host.%q]
+  capabilities = ["pull", "resolve"]
+`, of, m.Endpoint)
+
+			files = append(files, extensionsv1alpha1.File{
+				Path: fmt.Sprintf("/etc/containerd/certs.d/%s/hosts.toml", of),
+				Content: extensionsv1alpha1.FileContent{
+					Inline: &extensionsv1alpha1.FileContentInline{
+						Encoding: string(extensionsv1alpha1.PlainFileCodecID),
+						Data:     content,
+					},
+				},
+			})
+		}
+	}
+
+	return files
+}
+
+func additionalDNSConfFiles(dnsServers []string) []extensionsv1alpha1.File {
+	if len(dnsServers) == 0 {
+		return nil
+	}
+	resolveDNS := strings.Join(dnsServers, " ")
+	systemdResolvedConfd := fmt.Sprintf(`# Generated by os-extension-metal
+[Resolve]
+DNS=%s
+Domain=~.
+`, resolveDNS)
+	resolvConf := "# Generated by os-extension-metal\n"
+	for _, ip := range dnsServers {
+		resolvConf += fmt.Sprintf("nameserver %s\n", ip)
+	}
+
+	return []extensionsv1alpha1.File{
+		{
+			Path: "/etc/systemd/resolved.conf.d/dns.conf",
+			Content: extensionsv1alpha1.FileContent{
+				Inline: &extensionsv1alpha1.FileContentInline{
+					Encoding: string(extensionsv1alpha1.PlainFileCodecID),
+					Data:     systemdResolvedConfd,
+				},
+			},
+		},
+		{
+			Path: "/etc/resolv.conf",
+			Content: extensionsv1alpha1.FileContent{
+				Inline: &extensionsv1alpha1.FileContentInline{
+					Encoding: string(extensionsv1alpha1.PlainFileCodecID),
+					Data:     resolvConf,
+				},
+			},
+		},
+	}
+}
+
+func additionalNTPConfFiles(ntpServers []string) []extensionsv1alpha1.File {
+	if len(ntpServers) == 0 {
+		return nil
+	}
+	ntps := strings.Join(ntpServers, " ")
+	renderedContent := fmt.Sprintf(`# Generated by os-extension-metal
+[Time]
+NTP=%s
+`, ntps)
+
+	return []extensionsv1alpha1.File{
+		{
+			Path: "/etc/systemd/timesyncd.conf",
+			Content: extensionsv1alpha1.FileContent{
+				Inline: &extensionsv1alpha1.FileContentInline{
+					Encoding: string(extensionsv1alpha1.PlainFileCodecID),
+					Data:     renderedContent,
+				},
+			},
+		},
+	}
+}