Add HTTPS server for serial consoles

ironcore-dev · Sep 7, 2023 · 8c39ff0 · 8c39ff0
1 parent 226938a
commit 8c39ff0
Show file tree

Hide file tree

Showing 21 changed files with 652 additions and 304 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-# Build the manager binary
+# Build the oob-operator binary
 FROM golang:1.21 as builder
 
 ARG TARGETARCH
@@ -21,10 +21,12 @@ COPY api/ api/
 COPY bmc/ bmc/
 COPY controllers/ controllers/
 COPY log/ log/
+COPY servers/ servers/
 COPY *.go ./
 
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -a -o manager main.go
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -a -o oob-operator main.go
 
+RUN --mount=type=ssh --mount=type=secret,id=github_pat GITHUB_PAT_PATH=/run/secrets/github_pat go get github.com/onmetal/oob-console && go install github.com/onmetal/oob-console
 
 FROM debian:bookworm-20230904-slim
 
@@ -35,6 +37,7 @@ RUN apt-get update && \
     rm -rf /var/lib/apt/lists/*
 
 USER 65532:65532
-ENTRYPOINT ["/manager"]
+ENTRYPOINT ["/oob-operator"]
 
-COPY --from=builder /workspace/manager .
+COPY --from=builder /workspace/oob-operator .
+COPY --from=builder /go/bin/oob-console .
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: oob-cert
+  namespace: system
+spec:
+  dnsNames:
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  issuerRef:
+    kind: ClusterIssuer
+    name: cluster-issuer
+  secretName: $(SERVICE_NAME)-cert
diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- certificate.yaml
+configurations:
+- kustomizeconfig.yaml
diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml
@@ -0,0 +1,10 @@
+varReference:
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/commonName
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/dnsNames
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/secretName
diff --git a/config/console/args_patch.yaml b/config/console/args_patch.yaml
@@ -0,0 +1,6 @@
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: --console-server-key=/cert/tls.key
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: --console-server-cert=/cert/tls.crt
diff --git a/config/console/cert_patch.yaml b/config/console/cert_patch.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        volumeMounts:
+        - mountPath: /cert
+          name: cert
+          readOnly: true
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: $(SERVICE_NAME)-cert
diff --git a/config/console/kustomization.yaml b/config/console/kustomization.yaml
@@ -0,0 +1,36 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+configurations:
+  - kustomizeconfig.yaml
+
+bases:
+- ../default
+- ../certmanager
+- ../consoleservice
+
+vars:
+  - name: SERVICE_NAMESPACE
+    objref:
+      kind: Service
+      version: v1
+      name: oob-console
+    fieldref:
+      fieldpath: metadata.namespace
+  - name: SERVICE_NAME
+    objref:
+      kind: Service
+      version: v1
+      name: oob-console
+
+patchesStrategicMerge:
+- cert_patch.yaml
+
+patches:
+  - target:
+      group: apps
+      kind: Deployment
+      name: oob-operator-controller-manager
+      namespace: system 
+      version: v1
+    path: args_patch.yaml
diff --git a/config/console/kustomizeconfig.yaml b/config/console/kustomizeconfig.yaml
@@ -0,0 +1,3 @@
+varReference:
+- kind: Deployment
+  path: spec/template/spec/volumes/secret/secretName
diff --git a/config/consoleservice/kustomization.yaml b/config/consoleservice/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- service.yaml
diff --git a/config/consoleservice/service.yaml b/config/consoleservice/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: oob-console
+  namespace: system
+spec:
+  ports:
+    - port: 12319 
+      protocol: TCP
+      targetPort: 12319
+  selector:
+    control-plane: controller-manager
+  type: ClusterIP
diff --git a/config/crd/bases/onmetal.de_oobs.yaml b/config/crd/bases/onmetal.de_oobs.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.4
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: oobs.onmetal.de
 spec:
   group: onmetal.de

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -30,14 +30,11 @@ spec:
           type: RuntimeDefault
       containers:
       - command:
-        - /manager
+        - /oob-operator
         args:
         - --leader-elect
         image: controller:latest
         name: manager
-        env:
-        - name: ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH
-          value: go1.19
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -4,6 +4,22 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
+- apiGroups:
+  - compute.api.onmetal.de
+  resources:
+  - machinepools
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - compute.api.onmetal.de
+  resources:
+  - machines
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:

diff --git a/controllers/controllers_test.go b/controllers/controllers_test.go
@@ -47,7 +47,7 @@ var _ = BeforeSuite(func() {
 	Expect(err).NotTo(HaveOccurred())
 	Expect(os.Setenv("KUBEBUILDER_ASSETS", string(path))).To(Succeed())
 
-	ctx, cancel := context.WithCancel(log.Setup(context.Background(), true, GinkgoWriter))
+	ctx, cancel := context.WithCancel(log.Setup(context.Background(), true, false, GinkgoWriter))
 	DeferCleanup(cancel)
 	l := logr.FromContextOrDiscard(ctx)
 	klog.SetLogger(l)

diff --git a/controllers/ip_controller_test.go b/controllers/ip_controller_test.go
@@ -1,11 +1,11 @@
 package controllers
 
 import (
+	"net/netip"
 	"time"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
-	"inet.af/netaddr"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -38,8 +38,6 @@ var _ = Describe("IP controller", func() {
 	var res reconcile.Result
 	var err error
 	BeforeEach(func() {
-		netaddrIP, e := netaddr.ParseIP("1.2.3.4")
-		Expect(e).NotTo(HaveOccurred())
 		ip = &ipamv1alpha1.IP{
 			TypeMeta: metav1.TypeMeta{
 				APIVersion: ipamv1alpha1.GroupVersion.String(),
@@ -54,7 +52,7 @@ var _ = Describe("IP controller", func() {
 			},
 			Spec: ipamv1alpha1.IPSpec{
 				IP: &ipamv1alpha1.IPAddr{
-					Net: netaddrIP,
+					Net: netip.MustParseAddr("1.2.3.4"),
 				},
 			},
 		}