Rejig Neutron VLAN Provisioning

So it transpires we were trying to piggy back on the stellar work by SCS
for identity and allow a domain admin for provider networks, but alas
Neutron has zero visibility of domains, and secondly only "admin" and
"advsvc" can provision in a different project (hard coded, not a
policy).  Out one remaining option is to create a context that is for
the "manager" user, but scoped to the user's project, and that can allow
the provider network to be provisioned.

Makefile

@@ -12,7 +12,8 @@ REVISION := $(shell git rev-parse HEAD)
 # want to be amd64.
 CONTROLLERS = \
   unikorn-region-controller \
-  unikorn-identity-controller
+  unikorn-identity-controller \
+  unikorn-physical-network-controller
 
 # Release will do cross compliation of all images for the 'all' target.
 # Note we aren't fucking about with docker here because that opens up a

charts/region/Chart.yaml

@@ -11,5 +11,5 @@ icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/d
 
 dependencies:
 - name: unikorn-common
-  version: v0.1.6
+  version: v0.1.8
   repository: https://unikorn-cloud.github.io/helm-common

charts/region/crds/region.unikorn-cloud.org_openstackphysicalnetworks.yaml

@@ -0,0 +1,62 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: openstackphysicalnetworks.region.unikorn-cloud.org
+spec:
+  group: region.unikorn-cloud.org
+  names:
+    categories:
+    - unikorn
+    kind: OpenstackPhysicalNetwork
+    listKind: OpenstackPhysicalNetworkList
+    plural: openstackphysicalnetworks
+    singular: openstackphysicalnetwork
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: OpenstackPhysicalNetwork defines a physical network beloning
+          to an identity.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              id:
+                description: ID is the network ID.
+                type: string
+              vlanID:
+                description: VlanID is the ID if the VLAN for IPAM.
+                type: integer
+            type: object
+          status:
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}

charts/region/crds/region.unikorn-cloud.org_physicalnetworks.yaml

@@ -47,21 +47,9 @@ spec:
             type: object
           spec:
             properties:
-              providerNetwork:
-                description: |-
-                  ProviderNetwork is the provider network for port allocation of
-                  virtual machines.
-                properties:
-                  id:
-                    description: ID is the network ID.
-                    type: string
-                  vlanID:
-                    description: VlanID is the ID if the VLAN for IPAM.
-                    type: integer
-                required:
-                - id
-                - vlanID
-                type: object
+              pause:
+                description: Pause, if true, will inhibit reconciliation.
+                type: boolean
               tags:
                 description: |-
                   Tags are an abitrary list of key/value pairs that a client
@@ -82,10 +70,58 @@ spec:
                 type: array
             type: object
           status:
+            properties:
+              conditions:
+                description: Current service state of a cluster manager.
+                items:
+                  description: |-
+                    Condition is a generic condition type for use across all resource types.
+                    It's generic so that the underlying controller-manager functionality can
+                    be shared across all resources.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      enum:
+                      - Provisioning
+                      - Provisioned
+                      - Cancelled
+                      - Errored
+                      - Deprovisioning
+                      - Deprovisioned
+                      type: string
+                    status:
+                      description: |-
+                        Status is the status of the condition.
+                        Can be True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      enum:
+                      - Available
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
             type: object
         required:
         - spec
         type: object
     served: true
     storage: true
-    subresources: {}
+    subresources:
+      status: {}

charts/region/crds/region.unikorn-cloud.org_vlanallocations.yaml

@@ -0,0 +1,75 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: vlanallocations.region.unikorn-cloud.org
+spec:
+  group: region.unikorn-cloud.org
+  names:
+    categories:
+    - unikorn
+    kind: VLANAllocation
+    listKind: VLANAllocationList
+    plural: vlanallocations
+    singular: vlanallocation
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          VLANAllocation is used to manage VLAN allocations.  Only a single instance is
+          allowed per region.  As this is a custom resource, we are guaranteed atomicity
+          due to Kubernetes' speculative locking implementation.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              allocations:
+                description: Allocations are an explcit set of VLAN allocations.
+                items:
+                  properties:
+                    id:
+                      description: ID is the VLAN ID.
+                      type: integer
+                    physicalNetworkID:
+                      description: |-
+                        PhysicalNetworkID is the physical network/provider specific physical network
+                        identifier that owns this entry.
+                      type: string
+                  required:
+                  - id
+                  - physicalNetworkID
+                  type: object
+                type: array
+            type: object
+          status:
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources: {}

charts/region/templates/_helpers.tpl

@@ -9,6 +9,10 @@ Create the container images
 {{- .Values.identityController.image | default (printf "%s/unikorn-identity-controller:%s" (include "unikorn.defaultRepositoryPath" .) (.Values.tag | default .Chart.Version)) }}
 {{- end }}
 
+{{- define "unikorn.physicalNetworkControllerImage" -}}
+{{- .Values.physicalNetworkController.image | default (printf "%s/unikorn-physical-network-controller:%s" (include "unikorn.defaultRepositoryPath" .) (.Values.tag | default .Chart.Version)) }}
+{{- end }}
+
 {{/*
 Create image pull secrets
 */}}

charts/region/templates/identity-controller/clusterrole.yaml

@@ -31,6 +31,15 @@ rules:
   - create
   - update
   - delete
+# Cascading deletion.
+- apiGroups:
+  - region.unikorn-cloud.org
+  resources:
+  - physicalnetworks
+  verbs:
+  - list
+  - watch
+  - delete
 - apiGroups:
   - ""
   resources:

charts/region/templates/physical-network-controller/clusterrole.yaml

@@ -0,0 +1,64 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: unikorn-physical-network-controller
+  labels:
+    {{- include "unikorn.labels" . | nindent 4 }}
+rules:
+# Orchestrate Unikorn resources (my job).
+- apiGroups:
+  - region.unikorn-cloud.org
+  resources:
+  - identities
+  - openstackidentities
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - region.unikorn-cloud.org
+  resources:
+  - physicalnetworks
+  verbs:
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - region.unikorn-cloud.org
+  resources:
+  - physicalnetworks/status
+  verbs:
+  - update
+- apiGroups:
+  - region.unikorn-cloud.org
+  resources:
+  - openstackphysicalnetworks
+  verbs:
+  - list
+  - watch
+  - create
+  - update
+  - delete
+- apiGroups:
+  - region.unikorn-cloud.org
+  resources:
+  - vlanallocations
+  verbs:
+  - list
+  - watch
+  - create
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - region.unikorn-cloud.org
+  resources:
+  - regions
+  verbs:
+  - list
+  - watch

charts/region/templates/physical-network-controller/clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: unikorn-physical-network-controller
+  labels:
+    {{- include "unikorn.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  namespace: {{ .Release.Namespace }}
+  name: unikorn-physical-network-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: unikorn-physical-network-controller

charts/region/templates/physical-network-controller/deployment.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: unikorn-physical-network-controller
+  labels:
+    {{- include "unikorn.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: unikorn-physical-network-controller
+  template:
+    metadata:
+      labels:
+        app: unikorn-physical-network-controller
+    spec:
+      containers:
+      - name: unikorn-physical-network-controller
+        image: {{ include "unikorn.physicalNetworkControllerImage" . }}
+        args:
+        {{- include "unikorn.otlp.flags" . | nindent 8 }}
+        ports:
+        - name: http
+          containerPort: 6080
+        - name: prometheus
+          containerPort: 8080
+        - name: pprof
+          containerPort: 6060
+        resources:
+          requests:
+            cpu: "50m"
+            memory: 50Mi
+          limits:
+            cpu: "100m"
+            memory: 100Mi
+        securityContext:
+          readOnlyRootFilesystem: true
+      serviceAccountName: unikorn-physical-network-controller
+      securityContext:
+        runAsNonRoot: true