

Identity Controller Boilerplate (#50)
At present, when provisioning in a cluster, it blocks a long time
waiting for OpenStack to do what it needs to do.  This has a knock-on
effect for UX in that said delay is visible in the UI and CLI tools.
This lays down the groundwork to make this asynchronous so we don't hold
up user interaction, but we do cluster provisioning.  This is a template
also for physical network provisioning that takes even longer, and
causes request timeouts that need to be avoided.
spjmurray authored Aug 16, 2024
1 parent b4b82f1 commit 679a909
Showing 42 changed files with 1,431 additions and 614 deletions.
3 changes: 2 additions & 1 deletion Makefile
Expand Up @@ -11,7 +11,8 @@ REVISION := $(shell git rev-parse HEAD)
# for your host's architecture. The latter are going to run in Kubernetes, so
# want to be amd64.
CONTROLLERS = \
unikorn-region-controller
unikorn-region-controller \
unikorn-identity-controller

# Release will do cross compliation of all images for the 'all' target.
# Note we aren't fucking about with docker here because that opens up a
4 changes: 2 additions & 2 deletions charts/region/Chart.yaml
Expand Up @@ -4,8 +4,8 @@ description: A Helm chart for deploying Unikorn's Region Controller

type: application

version: v0.1.32
appVersion: v0.1.32
version: v0.1.33
appVersion: v0.1.33

icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png

86 changes: 52 additions & 34 deletions charts/region/crds/region.unikorn-cloud.org_identities.yaml
Expand Up @@ -57,38 +57,9 @@ spec:
spec:
description: IdentitySpec stores any state necessary to manage identity.
properties:
openstack:
description: OpenStack is populated when the provider type is set
to "openstack".
properties:
cloud:
description: Cloud is the cloud name in the cloud config to use.
type: string
cloudConfig:
description: CloudConfig is a client compatible cloud configuration.
format: byte
type: string
password:
description: Password is the login for the user.
type: string
projectID:
description: ProjectID is the ID of the project created for the
identity.
type: string
serverGroupID:
description: ServerGroupID is the ID of the server group created
for the identity.
type: string
userID:
description: UserID is the ID of the user created for the identity.
type: string
required:
- cloud
- cloudConfig
- password
- projectID
- userID
type: object
pause:
description: Pause, if true, will inhibit reconciliation.
type: boolean
provider:
description: Provider defines the provider type.
enum:
Expand Down Expand Up @@ -116,11 +87,58 @@ spec:
- provider
type: object
status:
properties:
conditions:
description: Current service state of a cluster manager.
items:
description: |-
Condition is a generic condition type for use across all resource types.
It's generic so that the underlying controller-manager functionality can
be shared across all resources.
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status
to another.
format: date-time
type: string
message:
description: Human-readable message indicating details about
last transition.
type: string
reason:
description: Unique, one-word, CamelCase reason for the condition's
last transition.
enum:
- Provisioning
- Provisioned
- Cancelled
- Errored
- Deprovisioning
- Deprovisioned
type: string
status:
description: |-
Status is the status of the condition.
Can be True, False, Unknown.
type: string
type:
description: Type is the type of the condition.
enum:
- Available
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
type: object
required:
- spec
- status
type: object
served: true
storage: true
subresources: {}
subresources:
status: {}
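Review bot: The top-level `required` list of this version still names `status` (the `- spec` / `- status` pair just above the final `type: object`) while the bottom of the hunk switches the status subresource on (`subresources:` / `status: {}`); with the subresource enabled the API server drops `.status` from the object on create before validating it, so a required `status` is likely to reject every create of an Identity. Another file section in this same commit removes exactly that `- status` entry from its `required` list, which suggests this CRD needs the same treatment: delete the `- status` line so `required` reads `- spec` only. If this file is generated by controller-gen, as the annotation on the sibling CRD in this commit suggests, the fix belongs in the Go type markers and a regeneration rather than a hand edit here. The conditions `reason` enum is also frozen at the six generated values, so adding a reason constant in Go without regenerating the CRD will make status updates fail validation; a comment next to those constants would save the next person that surprise.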
@@ -0,0 +1,87 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: openstackidentities.region.unikorn-cloud.org
spec:
group: region.unikorn-cloud.org
names:
categories:
- unikorn
kind: OpenstackIdentity
listKind: OpenstackIdentityList
plural: openstackidentities
singular: openstackidentity
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.provider
name: provider
type: string
- jsonPath: .metadata.creationTimestamp
name: age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: OpenstackIdentity has no controller, its a database record of
state.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
applicationCredentialID:
description: ApplicationCredentialID is the ID of the user's application
credential.
type: string
applicationCredentialSecret:
description: ApplicationCredentialSecret is the one-time secret for
the application credential.
type: string
cloud:
description: Cloud is the cloud name in the cloud config to use.
type: string
cloudConfig:
description: CloudConfig is a client compatible cloud configuration.
format: byte
type: string
password:
description: Password is the login for the user.
type: string
projectID:
description: ProjectID is the ID of the project created for the identity.
type: string
serverGroupID:
description: ServerGroupID is the ID of the server group created for
the identity.
type: string
userID:
description: UserID is the ID of the user created for the identity.
type: string
type: object
status:
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
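Review bot: The `additionalPrinterColumns` entry at the top of this new CRD points at `.spec.provider`, but the `spec` schema below declares no `provider` property (only the application-credential, cloud, cloudConfig, password, projectID, serverGroupID and userID fields), so the `provider` column of `kubectl get openstackidentities` will always be empty; either add `provider` to the spec or point the column at a path that exists. Separately, `password` and `applicationCredentialSecret` are plain string fields of the custom resource, so anyone with `get`/`list` on `openstackidentities` reads the credentials — including the region controller, which another section of this commit grants `list`/`watch` on them — and they sit unencrypted in etcd unless encryption at rest is configured; the usual pattern is a `Secret` referenced by name from the spec. If the fields stay as they are, at least say in their descriptions that they hold credential material, e.g. `description: ApplicationCredentialSecret is the one-time secret for the application credential; treat as sensitive.`. The file header for this section is missing from the rendered page, so the file name is inferred from `metadata.name` only.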
Expand Up @@ -85,7 +85,6 @@ spec:
type: object
required:
- spec
- status
type: object
served: true
storage: true
Expand Down
4 changes: 4 additions & 0 deletions charts/region/templates/_helpers.tpl
Expand Up @@ -5,6 +5,10 @@ Create the container images
{{- .Values.image | default (printf "%s/unikorn-region-controller:%s" (include "unikorn.defaultRepositoryPath" .) (.Values.tag | default .Chart.Version)) }}
{{- end }}

{{- define "unikorn.identityControllerImage" -}}
{{- .Values.identityController.image | default (printf "%s/unikorn-identity-controller:%s" (include "unikorn.defaultRepositoryPath" .) (.Values.tag | default .Chart.Version)) }}
{{- end }}

{{/*
Create image pull secrets
*/}}
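Review bot: `unikorn.identityControllerImage` dereferences `.Values.identityController.image`; if `identityController` is not declared in values.yaml (that file is not in this page chunk), Go templates abort the whole render with a nil-pointer error instead of falling through to the `default`. Make sure values.yaml ships `identityController: {}` alongside this helper, or look the key up defensively with Sprig's `dig`, e.g. `{{- dig "identityController" "image" "" .Values | default (printf "%s/unikorn-identity-controller:%s" (include "unikorn.defaultRepositoryPath" .) (.Values.tag | default .Chart.Version)) }}`. The helper just above reads the region controller image from `.Values.image` while this one reads a nested `identityController.image`, so the two image overrides now live at different levels of values.yaml; a comment there saying which key applies to which controller would avoid confusion.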
47 changes: 47 additions & 0 deletions charts/region/templates/identity-controller/clusterrole.yaml
@@ -0,0 +1,47 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: unikorn-identity-controller
labels:
{{- include "unikorn.labels" . | nindent 4 }}
rules:
# Orchestrate Unikorn resources (my job).
- apiGroups:
- region.unikorn-cloud.org
resources:
- identities
verbs:
- list
- watch
- patch
- update
- apiGroups:
- region.unikorn-cloud.org
resources:
- identities/status
verbs:
- update
- apiGroups:
- region.unikorn-cloud.org
resources:
- openstackidentities
verbs:
- list
- watch
- create
- update
- delete
- apiGroups:
- ""
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- region.unikorn-cloud.org
resources:
- regions
verbs:
- list
- watch
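Review bot: The fourth rule grants `list` and `watch` on core `secrets` cluster-wide, which lets the identity controller read every Secret in every namespace rather than just the cloud-config secrets it presumably needs; if the controller uses an informer cache (the lease rule in the sibling Role points at controller-runtime), every one of those secrets is also held in the controller's memory. Unless identities genuinely span all namespaces, move that rule into the namespaced `Role` added by this commit, or constrain the cache with a namespace or label selector so only the relevant secrets are listed. The `# Orchestrate Unikorn resources (my job).` comment covers the first rules only; a one-line comment on the secrets rule stating why a cluster-wide read is required would make the grant reviewable later, e.g. `# Read cloud configuration secrets referenced by regions.`. The `openstackidentities` rule grants `create`/`update`/`delete` but neither `get` nor `patch`, which is fine if all reads go through the cache but will deny a direct client `Get`.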
@@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: unikorn-identity-controller
labels:
{{- include "unikorn.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
namespace: {{ .Release.Namespace }}
name: unikorn-identity-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: unikorn-identity-controller
40 changes: 40 additions & 0 deletions charts/region/templates/identity-controller/deployment.yaml
@@ -0,0 +1,40 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: unikorn-identity-controller
labels:
{{- include "unikorn.labels" . | nindent 4 }}
spec:
replicas: 1
selector:
matchLabels:
app: unikorn-identity-controller
template:
metadata:
labels:
app: unikorn-identity-controller
spec:
containers:
- name: unikorn-identity-controller
image: {{ include "unikorn.identityControllerImage" . }}
args:
{{- include "unikorn.otlp.flags" . | nindent 8 }}
ports:
- name: http
containerPort: 6080
- name: prometheus
containerPort: 8080
- name: pprof
containerPort: 6060
resources:
requests:
cpu: "50m"
memory: 50Mi
limits:
cpu: "100m"
memory: 100Mi
securityContext:
readOnlyRootFilesystem: true
serviceAccountName: unikorn-identity-controller
securityContext:
runAsNonRoot: true
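Review bot: The container `securityContext` sets only `readOnlyRootFilesystem: true` and the pod level only `runAsNonRoot: true`; the restricted Pod Security Standard additionally expects `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}`, and a namespace enforcing `pod-security.kubernetes.io/enforce: restricted` will reject this pod without them. Adding those three lines under the container `securityContext` costs nothing for a controller that needs no capabilities. Minor style point in the `resources` stanza: the `cpu` values are quoted while the `memory` values are not; both parse, but pick one form. The `http` port on 6080 has no comment saying what is served there; if it is only a health endpoint, naming it so (or adding a probe) would make the intent clear.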
23 changes: 23 additions & 0 deletions charts/region/templates/identity-controller/role.yaml
@@ -0,0 +1,23 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: unikorn-identity-controller
labels:
{{- include "unikorn.labels" . | nindent 4 }}
rules:
# Controller prerequisites.
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- update
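Review bot: The `events` rule grants `create` and `update`, but client-go's event recorder, which controller-runtime uses, writes events with `create` and `patch` (patch is how repeated events are aggregated), so after the first occurrence of an event the controller will be denied unless `patch` is granted; `update` is not a verb the recorder uses. The two verb lines would become `- create` / `- patch`. This is inferred from the `leases` rule above, which matches controller-runtime leader election exactly (`create`, `get`, `update`); if events are emitted some other way, ignore this.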
14 changes: 14 additions & 0 deletions charts/region/templates/identity-controller/rolebinding.yaml
@@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: unikorn-identity-controller
labels:
{{- include "unikorn.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
namespace: {{ .Release.Namespace }}
name: unikorn-identity-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: unikorn-identity-controller
10 changes: 10 additions & 0 deletions charts/region/templates/identity-controller/serviceaccount.yaml
@@ -0,0 +1,10 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: unikorn-identity-controller
labels:
{{- include "unikorn.labels" . | nindent 4 }}
{{- with ( include "unikorn.imagePullSecrets" . ) }}
imagePullSecrets:
{{ . }}
{{- end }}
7 changes: 7 additions & 0 deletions charts/region/templates/region-controller/clusterrole.yaml
Expand Up @@ -22,6 +22,13 @@ rules:
- watch
- create
- delete
- apiGroups:
- region.unikorn-cloud.org
resources:
- openstackidentities
verbs:
- list
- watch
- apiGroups:
- ""
resources:

