Add support for Lightbits duros storage. (#140)

metal-stack · Jan 15, 2021 · 69171fd · 69171fd
1 parent 2097c5f
commit 69171fd
Show file tree

Hide file tree

Showing 33 changed files with 1,174 additions and 149 deletions.
diff --git a/charts/images.yaml b/charts/images.yaml
@@ -35,6 +35,10 @@ images:
   sourceRepository: https://github.com/metal-stack/kubernetes-splunk-audit-webhook
   repository: ghcr.io/metal-stack/kubernetes-splunk-audit-webhook
   tag: "v0.1.4"
+- name: duros-controller
+  sourceRepository: https://github.com/metal-stack/duros-controller
+  repository: ghcr.io/metal-stack/duros-controller
+  tag: "v0.1.1"
 # firewall-controller tag must be semver compatible with golang dependency!
 - name: firewall-controller
   sourceRepository: https://github.com/metal-stack/firewall-controller

diff --git a/charts/internal/control-plane/templates/accounting-exporter.yaml b/charts/internal/control-plane/templates/accounting-exporter.yaml
@@ -106,17 +106,4 @@ spec:
     ports:
     - protocol: TCP
       port: 9000
----
-apiVersion: metal-stack.io/v1
-kind: ClusterwideNetworkPolicy
-metadata:
-  name: egress-allow-accounting-api
-  namespace: firewall
-spec:
-  egress:
-  - ports:
-    - port: 9000
-      protocol: TCP
-    to:
-    - cidr: 0.0.0.0/0
 {{- end }}
diff --git a/charts/internal/control-plane/templates/duros-controller.yaml b/charts/internal/control-plane/templates/duros-controller.yaml
@@ -0,0 +1,123 @@
+{{- if .Values.duros.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: duros-controller
+  namespace: {{ .Release.Namespace }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: duros-controller
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+  - storage.metal-stack.io
+  resources:
+  - duros
+  - duros/status
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - get
+  - update
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: duros-controller
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: duros-controller
+subjects:
+- kind: ServiceAccount
+  name: duros-controller
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app: duros-controller
+  name: duros-admin
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  admin-key: {{ required ".Values.duros.controller.adminKey is required" (b64enc .Values.duros.controller.adminKey) }}
+  admin-token: {{ required ".Values.duros.controller.adminToken is required" (b64enc .Values.duros.controller.adminToken) }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: duros-controller
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: duros-controller
+spec:
+  selector:
+    matchLabels:
+      app: duros-controller
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: duros-controller
+    spec:
+      serviceAccountName: duros-controller
+      containers:
+      - name: duros-controller
+        args:
+          - -endpoints={{ join "," .Values.duros.controller.endpoints }}
+          - -namespace={{ .Release.Namespace }}
+          - -enable-leader-election
+          - -admin-token=/duros/admin-token
+          - -admin-key=/duros/admin-key
+          - -shoot-kubeconfig=/duros/client/kubeconfig
+        image: {{ index .Values.images "duros-controller" }}
+        imagePullPolicy: Always
+        resources:
+          limits:
+            cpu: 400m
+            memory: 100Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+        volumeMounts:
+          - name: duros-admin
+            mountPath: /duros
+          - name: kubeconfig
+            mountPath: /duros/client
+      volumes:
+        - name: duros-admin
+          secret:
+            secretName: duros-admin
+        - name: kubeconfig
+          secret:
+            secretName: duros-controller
+---
+apiVersion: storage.metal-stack.io/v1
+kind: Duros
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: shoot-default-storage
+spec:
+  metalProjectID: {{ required ".Values.duros.projectID is required" .Values.duros.projectID }}
+{{- if .Values.duros.storageClasses }}
+  storageClasses:
+{{ toYaml .Values.duros.storageClasses | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/charts/internal/control-plane/values.yaml b/charts/internal/control-plane/values.yaml
@@ -8,6 +8,7 @@ images:
   splunk-audit-webhook: image-repository:image-tag
   group-rolebinding-controller: image-repository:image-tag
   accounting-exporter: image-repository:image-tag
+  duros-controller: image-repository:image-tag
 
 cloudControllerManager:
   additionalParameters: []
@@ -82,3 +83,15 @@ accountingExporter:
       -----BEGIN RSA PRIVATE KEY-----
       ...
       -----END RSA PRIVATE KEY-----
+
+duros:
+  enabled: false
+  storageClasses: []
+  projectID: project-id
+  controller:
+    endpoints:
+    - ip:port
+    - ip:port
+    - ip:port
+    adminKey: KEY
+    adminToken: tok
diff --git a/charts/internal/crds-storage/Chart.yaml b/charts/internal/crds-storage/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+description: Helm chart for Storage CRDs required by the extension-provider-metal
+name: crds-storage
+version: 0.1.0
diff --git a/charts/internal/crds-storage/templates/storage.metal-stack.io_duros.yaml b/charts/internal/crds-storage/templates/storage.metal-stack.io_duros.yaml
@@ -0,0 +1,85 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: duros.storage.metal-stack.io
+spec:
+  group: storage.metal-stack.io
+  names:
+    kind: Duros
+    listKind: DurosList
+    plural: duros
+    singular: duros
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.metalProjectID
+      name: ProjectID
+      type: string
+    - jsonPath: .spec.storageClasses
+      name: StorageClasses
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: Duros is the Schema for the Duros API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: DurosSpec defines the desired state of Duros
+            properties:
+              metalProjectID:
+                description: MetalProjectID is the projectID of this deployment
+                type: string
+              storageClasses:
+                description: StorageClasses defines what storageclasses should be
+                  deployed
+                items:
+                  description: StorageClass defines the storageClass parameters
+                  properties:
+                    compression:
+                      type: boolean
+                    name:
+                      type: string
+                    replicas:
+                      type: integer
+                  required:
+                  - compression
+                  - name
+                  - replicas
+                  type: object
+                type: array
+            type: object
+          status:
+            description: DurosStatus defines the observed state of Duros
+            properties:
+              secret:
+                description: SecretRef to the create JWT Token TODO, this can be used
+                  to detect required key rotation
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/charts/internal/metal-crds/charts/crds-storage b/charts/internal/metal-crds/charts/crds-storage
@@ -0,0 +1 @@
+../../crds-storage
diff --git a/charts/internal/shoot-control-plane/templates/network-policies.yaml b/charts/internal/shoot-control-plane/templates/network-policies.yaml
@@ -67,3 +67,24 @@ spec:
     ports:
     - protocol: UDP
       port: 123
+{{- if .Values.duros.enabled }}
+---
+apiVersion: metal-stack.io/v1
+kind: ClusterwideNetworkPolicy
+metadata:
+  name: allow-to-storage
+  namespace: firewall
+spec:
+  egress:
+  - ports:
+    - port: 443
+      protocol: TCP
+    - port: 4420
+      protocol: TCP
+    - port: 8009
+      protocol: TCP
+    to:
+{{ range $i, $endpoint := .Values.duros.endpoints }}
+    - cidr: {{ (split ":" $endpoint)._0 }}/32
+{{- end }}
+{{- end }}