From e352ca041389cd5f0386dddafa6097ed6b78a7d6 Mon Sep 17 00:00:00 2001 From: Jorge Turrado Date: Fri, 1 Nov 2024 01:22:11 +0100 Subject: [PATCH 1/7] Update the cluster to update the nodes Signed-off-by: Jorge Turrado --- terraform/main.tf | 10 +- terraform/modules/azure/aks/main.tf | 126 +++++++++++++++----- terraform/modules/azure/aks/vars.tf | 13 +- terraform/modules/azure/registry/main.tf | 23 ++++ terraform/modules/azure/registry/outputs.tf | 12 +- 5 files changed, 145 insertions(+), 39 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index 3b00581..32cb1b2 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -109,8 +109,9 @@ module "azure_aks_pr" { module.azuread_applications.identity_2 ] - azure_container_registry_id = module.acr_proxy.id - azure_container_registry_enpoint = module.acr_proxy.endpoint + azure_container_registry_username = module.acr_proxy.username + azure_container_registry_password = module.acr_proxy.password + azure_container_registry_enpoint = module.acr_proxy.endpoint tags = local.tags } @@ -135,8 +136,9 @@ module "azure_aks_nightly" { module.azuread_applications.identity_2 ] - azure_container_registry_id = module.acr_proxy.id - azure_container_registry_enpoint = module.acr_proxy.endpoint + azure_container_registry_username = module.acr_proxy.username + azure_container_registry_password = module.acr_proxy.password + azure_container_registry_enpoint = module.acr_proxy.endpoint tags = local.tags } diff --git a/terraform/modules/azure/aks/main.tf b/terraform/modules/azure/aks/main.tf index c993caf..70f1c73 100644 --- a/terraform/modules/azure/aks/main.tf +++ b/terraform/modules/azure/aks/main.tf @@ -31,8 +31,6 @@ resource "azurerm_kubernetes_cluster" "aks" { oidc_issuer_enabled = true node_resource_group = var.node_resource_group_name - node_os_channel_upgrade = "Unmanaged" - monitor_metrics {} default_node_pool { 
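Review bot: In `module "azure_aks_pr"` the registry credential is now passed as a static value, `azure_container_registry_password = module.acr_proxy.password`, where the removed line passed only the registry id; the `azure_aks_nightly` hunk right after it adds the same lines. The token is already in Terraform state through the registry module, and from here it also flows into whatever the AKS module renders it into. The matching declaration in `terraform/modules/azure/aks/vars.tf` is not visible on this page; it should carry `sensitive = true`, and the state backend should be access-controlled as secret storage. Both module blocks start and end outside their hunks.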
@@ -62,14 +60,6 @@ resource "azurerm_kubernetes_cluster" "aks" { } } -## ACR Permissions - -resource "azurerm_role_assignment" "kubweb_to_acr" { - scope = var.azure_container_registry_id - role_definition_name = "AcrPull" - principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id -} - ## Workload Identity Federation resource "azurerm_federated_identity_credential" "msi_federation" { @@ -388,22 +378,104 @@ provider "helm" { } } -resource "helm_release" "spegel" { - name = "spegel" - namespace = "spegel" - repository = "oci://ghcr.io/spegel-org/helm-charts" - chart = "spegel" - create_namespace = true - version = "v0.0.27" - - values = [ - < /etc/containerd/certs.d/docker.io/hosts.toml + server = 'https://registry-1.docker.io' + + [host.'https://${var.azure_container_registry_enpoint}/v2'] + capabilities = ['pull', 'resolve'] + override_path = true EOF - ] + + # Update credentials + if grep "${var.azure_container_registry_enpoint}" /etc/containerd/config.toml; + then + echo "credentials already set, ignorning" + else + cat <> /etc/containerd/config.toml + [plugins."io.containerd.grpc.v1.cri".registry.configs."${var.azure_container_registry_enpoint}".auth] + username = "${var.azure_container_registry_username}" + password = "${var.azure_container_registry_password}" + EOF + # Restart containerd + systemctl restart containerd + fi +YAML + + depends_on = [kubectl_manifest.namespace] +} + +resource "kubectl_manifest" "daemonset" { + yaml_body = < Date: Fri, 1 Nov 2024 01:25:37 +0100 Subject: [PATCH 2/7] Update the cluster to update the nodes Signed-off-by: Jorge Turrado --- terraform/terraform.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform/terraform.tf b/terraform/terraform.tf index 6d6b28e..e00e742 100644 --- a/terraform/terraform.tf +++ b/terraform/terraform.tf @@ -30,6 +30,10 @@ terraform { source = "hashicorp/tls" version = "=4.0.5" } + kubectl = { + source = "gavinbunney/kubectl" + version = "1.14.0" + } } } 
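Review bot: The added node script puts the registry token in clear text in two places: `password = "${var.azure_container_registry_password}"` is interpolated into a `kubectl_manifest` body and then appended to `/etc/containerd/config.toml` on each node. The resource header and the tail of this hunk are missing from the page, so the manifest kind is not visible; if it is a ConfigMap, anyone who can read ConfigMaps in that namespace can read the token, and a Kubernetes Secret mounted into the pod of the `daemonset` manifest would be the safer carrier. The `grep` guard also means a rotated token is never written to a node that already has the section, so the auth block should be rewritten instead of skipped when the value changes. The same guard treats the endpoint as a regular expression and prints the match to the log, which `if grep -qF "${var.azure_container_registry_enpoint}" /etc/containerd/config.toml;` avoids.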
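Review bot: The new `kubectl` entry in `terraform/terraform.tf` brings in a community provider, `gavinbunney/kubectl`, which will hold cluster credentials, and its pin is written `version = "1.14.0"` while the `hashicorp/tls` entry just above it uses the explicit `"=4.0.5"` form. Both mean an exact match, but `version = "=1.14.0"` keeps the block uniform and makes the pin obvious to a reader. The dependency lock file (`.terraform.lock.hcl`, not part of this patch) should be committed so the provider's checksums are verified on every `terraform init`. The `required_providers` block starts above the hunk.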
From 9e2a719297b1c25b4f5754a78d74ba16f6429e65 Mon Sep 17 00:00:00 2001 From: Jorge Turrado Date: Fri, 1 Nov 2024 01:27:47 +0100 Subject: [PATCH 3/7] Update the cluster to update the nodes Signed-off-by: Jorge Turrado --- terraform/modules/azure/aks/main.tf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/terraform/modules/azure/aks/main.tf b/terraform/modules/azure/aks/main.tf index 70f1c73..ac7f742 100644 --- a/terraform/modules/azure/aks/main.tf +++ b/terraform/modules/azure/aks/main.tf @@ -1,3 +1,11 @@ +terraform { + required_providers { + kubectl = { + source = "gavinbunney/kubectl" + } + } +} + provider "azurerm" { features {} skip_provider_registration = true From 52aeac2f113c2d93da2dc8a093f37b4e478ddd58 Mon Sep 17 00:00:00 2001 From: Jorge Turrado Date: Fri, 1 Nov 2024 01:28:31 +0100 Subject: [PATCH 4/7] Update the cluster to update the nodes Signed-off-by: Jorge Turrado --- terraform/terraform.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/terraform.tf b/terraform/terraform.tf index e00e742..08a1709 100644 --- a/terraform/terraform.tf +++ b/terraform/terraform.tf @@ -31,7 +31,7 @@ terraform { version = "=4.0.5" } kubectl = { - source = "gavinbunney/kubectl" + source = "gavinbunney/kubectl" version = "1.14.0" } } From daca1e4f36165ac8020262c479ff70489cdfcc15 Mon Sep 17 00:00:00 2001 From: Jorge Turrado Date: Fri, 1 Nov 2024 01:31:08 +0100 Subject: [PATCH 5/7] Update the cluster to update the nodes Signed-off-by: Jorge Turrado --- terraform/modules/azure/registry/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/azure/registry/main.tf b/terraform/modules/azure/registry/main.tf index dcecba6..2eef8e8 100644 --- a/terraform/modules/azure/registry/main.tf +++ b/terraform/modules/azure/registry/main.tf 
@@ -32,7 +32,7 @@ resource "azurerm_container_registry_scope_map" "acr_policy" { resource "azurerm_container_registry_token" "acr_user" { name = local.username container_registry_name = azurerm_container_registry.acr.name - resource_group_name = azurerm_resource_group.acr.name + resource_group_name = azurerm_resource_group.rg.name scope_map_id = azurerm_container_registry_scope_map.acr_policy.id } From 1df038be3a02c23fbb2c2b9c56a121c740417225 Mon Sep 17 00:00:00 2001 From: Jorge Turrado Date: Fri, 1 Nov 2024 01:32:49 +0100 Subject: [PATCH 6/7] Update the cluster to update the nodes Signed-off-by: Jorge Turrado --- terraform/modules/azure/registry/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/azure/registry/main.tf b/terraform/modules/azure/registry/main.tf index 2eef8e8..9860d3b 100644 --- a/terraform/modules/azure/registry/main.tf +++ b/terraform/modules/azure/registry/main.tf @@ -32,7 +32,7 @@ resource "azurerm_container_registry_scope_map" "acr_policy" { resource "azurerm_container_registry_token" "acr_user" { name = local.username container_registry_name = azurerm_container_registry.acr.name - resource_group_name = azurerm_resource_group.rg.name + resource_group_name = data.azurerm_resource_group.rg.name scope_map_id = azurerm_container_registry_scope_map.acr_policy.id } From 94fb8924cb3bcd9c6eca9021bb9141fce465ef85 Mon Sep 17 00:00:00 2001 From: Jorge Turrado Date: Fri, 1 Nov 2024 01:39:38 +0100 Subject: [PATCH 7/7] Update the cluster to update the nodes Signed-off-by: Jorge Turrado --- terraform/modules/azure/registry/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/azure/registry/outputs.tf b/terraform/modules/azure/registry/outputs.tf index fb5af67..190d1d2 100644 --- a/terraform/modules/azure/registry/outputs.tf +++ b/terraform/modules/azure/registry/outputs.tf 
@@ -7,6 +7,6 @@ output "username" { } output "password" { - value = azurerm_container_registry_token_password.acr_token.password1.value + value = azurerm_container_registry_token_password.acr_token.password1[0].value }
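Review bot: `output "password"` exports the registry token's secret with no `sensitive = true` in the block, which is fully visible in this hunk. Adding `sensitive = true` under the `value = ...password1[0].value` line states the intent and keeps the value redacted in plan and apply output, without relying on the provider attribute's own sensitivity marking. A short `description` saying the value is the pull token for the cache registry would also help whoever consumes the module.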