k8supdates: label nodes with k8s component hash

operators/constellation-node-operator/.gitignore

@@ -16,6 +16,9 @@ testbin/*
 
 # Kubernetes Generated files - skip generated files, except for vendored files
 
+# We hold the charts in the cli/internal/helm directory
+chart/ 
+
 !vendor/**/zz_generated.*
 
 # editor and IDE paraphernalia

operators/constellation-node-operator/api/v1alpha1/joiningnodes_types.go

@@ -0,0 +1,48 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// JoiningNodeSpec defines the components hash which the node should be annotated with.
+type JoiningNodeSpec struct {
+	// Name of the node expected to join.
+	Name string `json:"name,omitempty"`
+	// ComponentsHash is the hash of the components that were sent to the node by the join service.
+	ComponentsHash string `json:"componentshash,omitempty"`
+}
+
+// JoiningNodeStatus defines the observed state of JoiningNode.
+type JoiningNodeStatus struct{}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:resource:scope=Cluster
+
+// JoiningNode is the Schema for the joiningnodes API.
+type JoiningNode struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   JoiningNodeSpec   `json:"spec,omitempty"`
+	Status JoiningNodeStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// JoiningNodeList contains a list of JoiningNodes.
+type JoiningNodeList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []JoiningNode `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&JoiningNode{}, &JoiningNodeList{})
+}

operators/constellation-node-operator/api/v1alpha1/zz_generated.deepcopy.go

@@ -107,6 +107,95 @@ func (in *AutoscalingStrategyStatus) DeepCopy() *AutoscalingStrategyStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JoiningNode) DeepCopyInto(out *JoiningNode) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JoiningNode.
+func (in *JoiningNode) DeepCopy() *JoiningNode {
+	if in == nil {
+		return nil
+	}
+	out := new(JoiningNode)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *JoiningNode) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JoiningNodeList) DeepCopyInto(out *JoiningNodeList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]JoiningNode, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JoiningNodeList.
+func (in *JoiningNodeList) DeepCopy() *JoiningNodeList {
+	if in == nil {
+		return nil
+	}
+	out := new(JoiningNodeList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *JoiningNodeList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JoiningNodeSpec) DeepCopyInto(out *JoiningNodeSpec) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JoiningNodeSpec.
+func (in *JoiningNodeSpec) DeepCopy() *JoiningNodeSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(JoiningNodeSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JoiningNodeStatus) DeepCopyInto(out *JoiningNodeStatus) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JoiningNodeStatus.
+func (in *JoiningNodeStatus) DeepCopy() *JoiningNodeStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(JoiningNodeStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NodeImage) DeepCopyInto(out *NodeImage) {
 	*out = *in

operators/constellation-node-operator/config/crd/bases/update.edgeless.systems_joiningnodes.yaml

@@ -0,0 +1,54 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.9.0
+  creationTimestamp: null
+  name: joiningnodes.update.edgeless.systems
+spec:
+  group: update.edgeless.systems
+  names:
+    kind: JoiningNode
+    listKind: JoiningNodeList
+    plural: joiningnodes
+    singular: joiningnode
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: JoiningNode is the Schema for the joiningnodes API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: JoiningNodeSpec defines the components hash which the node
+              should be annotated with.
+            properties:
+              componentshash:
+                description: ComponentsHash is the hash of the components that were
+                  sent to the node by the join service.
+                type: string
+              name:
+                description: Name of the node expected to join.
+                type: string
+            type: object
+          status:
+            description: JoiningNodeStatus defines the observed state of JoiningNode.
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

operators/constellation-node-operator/config/crd/kustomization.yaml

@@ -3,6 +3,7 @@
 # It should be run by config/default
 resources:
 - bases/update.edgeless.systems_nodeimages.yaml
+- bases/update.edgeless.systems_joiningnodes.yaml
 - bases/update.edgeless.systems_autoscalingstrategies.yaml
 - bases/update.edgeless.systems_scalinggroups.yaml
 - bases/update.edgeless.systems_pendingnodes.yaml
@@ -12,6 +13,7 @@ patchesStrategicMerge:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 #- patches/webhook_in_nodeimages.yaml
+#- patches/webhook_in_joiningnodes.yaml
 #- patches/webhook_in_autoscalingstrategies.yaml
 #- patches/webhook_in_scalinggroups.yaml
 #- patches/webhook_in_pendingnodes.yaml
@@ -20,6 +22,7 @@ patchesStrategicMerge:
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
 #- patches/cainjection_in_nodeimages.yaml
+#- patches/cainjection_in_joiningnodes.yaml
 #- patches/cainjection_in_autoscalingstrategies.yaml
 #- patches/cainjection_in_scalinggroups.yaml
 #- patches/cainjection_in_pendingnodes.yaml

operators/constellation-node-operator/config/crd/patches/cainjection_in_joiningnodes.yaml

@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: joiningnodes.update.edgeless.systems

operators/constellation-node-operator/config/crd/patches/webhook_in_joiningnodes.yaml

@@ -0,0 +1,16 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: joiningnodes.update.edgeless.systems
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          namespace: system
+          name: webhook-service
+          path: /convert
+      conversionReviewVersions:
+      - v1

operators/constellation-node-operator/config/rbac/role.yaml

@@ -72,6 +72,32 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - joiningnodes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - joiningnodes/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - joiningnodes/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - update.edgeless.systems
   resources:

operators/constellation-node-operator/controllers/joiningnode_controller.go

@@ -0,0 +1,127 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package controllers
+
+import (
+	"context"
+
+	updatev1alpha1 "github.com/edgelesssys/constellation/operators/constellation-node-operator/v2/api/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/util/retry"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+const (
+	// NodeKubernetesComponentsHashAnnotationKey is the name of the annotation holding the hash of the installed components of this node.
+	NodeKubernetesComponentsHashAnnotationKey = "updates.edgeless.systems/kubernetes-components-hash"
+
+	joiningNodeNameKey = ".spec.name"
+)
+
+// JoiningNodesReconciler reconciles a JoiningNode object.
+type JoiningNodesReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+// NewJoiningNodesReconciler creates a new JoiningNodesReconciler.
+func NewJoiningNodesReconciler(client client.Client, scheme *runtime.Scheme) *JoiningNodesReconciler {
+	return &JoiningNodesReconciler{
+		Client: client,
+		Scheme: scheme,
+	}
+}
+
+//+kubebuilder:rbac:groups=update.edgeless.systems,resources=joiningnodes,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=update.edgeless.systems,resources=joiningnodes/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=update.edgeless.systems,resources=joiningnodes/finalizers,verbs=update
+//+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
+
+// Reconcile annotates the node with the components hash.
+func (r *JoiningNodesReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	logr := log.FromContext(ctx)
+
+	var joiningNode updatev1alpha1.JoiningNode
+	if err := r.Get(ctx, req.NamespacedName, &joiningNode); err != nil {
+		logr.Error(err, "unable to fetch JoiningNodes")
+		return ctrl.Result{}, client.IgnoreNotFound(err)
+	}
+
+	err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		var node corev1.Node
+		if err := r.Get(ctx, types.NamespacedName{Name: joiningNode.Spec.Name}, &node); err != nil {
+			logr.Error(err, "unable to fetch Node")
+			return err
+		}
+
+		// add annotations to node
+		if node.Annotations == nil {
+			node.Annotations = map[string]string{}
+		}
+		node.Annotations[NodeKubernetesComponentsHashAnnotationKey] = joiningNode.Spec.ComponentsHash
+		return r.Update(ctx, &node)
+	})
+	if err != nil {
+		logr.Error(err, "unable to update Node")
+		return ctrl.Result{}, client.IgnoreNotFound(err)
+	}
+
+	err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		if err := r.Delete(ctx, &joiningNode); err != nil {
+			logr.Error(err, "unable to delete JoiningNode")
+			return err
+		}
+		return nil
+	})
+	if err != nil {
+		logr.Error(err, "unable to delete JoiningNode")
+		return ctrl.Result{}, err
+	}
+
+	return ctrl.Result{}, nil
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (r *JoiningNodesReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	// index joining nodes by nodename.
+	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &updatev1alpha1.JoiningNode{}, joiningNodeNameKey, func(rawObj client.Object) []string {
+		joiningNode := rawObj.(*updatev1alpha1.JoiningNode)
+		return []string{joiningNode.Spec.Name}
+	}); err != nil {
+		return err
+	}
+
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&updatev1alpha1.JoiningNode{}).
+		Watches(
+			&source.Kind{Type: &corev1.Node{}},
+			handler.EnqueueRequestsFromMapFunc(r.findAllJoiningNodes),
+		).
+		Complete(r)
+}
+
+func (r *JoiningNodesReconciler) findAllJoiningNodes(obj client.Object) []reconcile.Request {
+	var joiningNodesList updatev1alpha1.JoiningNodeList
+	err := r.List(context.TODO(), &joiningNodesList, client.MatchingFields{joiningNodeNameKey: obj.GetName()})
+	if err != nil {
+		return []reconcile.Request{}
+	}
+	requests := make([]reconcile.Request, len(joiningNodesList.Items))
+	for i, item := range joiningNodesList.Items {
+		requests[i] = reconcile.Request{
+			NamespacedName: types.NamespacedName{Name: item.GetName()},
+		}
+	}
+	return requests
+}

operators/constellation-node-operator/controllers/joiningnode_controller_env_test.go

@@ -0,0 +1,143 @@
+//go:build integration
+
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package controllers
+
+import (
+	"context"
+	"time"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	updatev1alpha1 "github.com/edgelesssys/constellation/operators/constellation-node-operator/v2/api/v1alpha1"
+)
+
+var _ = Describe("JoiningNode controller", func() {
+	const (
+		nodeName1       = "node-name-1"
+		nodeName2       = "node-name-2"
+		componentsHash1 = "test-hash-1"
+		componentsHash2 = "test-hash-2"
+
+		timeout  = time.Second * 20
+		duration = time.Second * 2
+		interval = time.Millisecond * 250
+	)
+	Context("When changing a joining node resource spec", func() {
+		It("Should annotate the corresponding node when creating the CRD first", func() {
+			By("creating a joining node resource")
+			ctx := context.Background()
+			joiningNode := &updatev1alpha1.JoiningNode{
+				TypeMeta: metav1.TypeMeta{
+					APIVersion: "update.edgeless.systems/v1alpha1",
+					Kind:       "JoiningNode",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: nodeName1,
+				},
+				Spec: updatev1alpha1.JoiningNodeSpec{
+					Name:           nodeName1,
+					ComponentsHash: componentsHash1,
+				},
+			}
+			Expect(k8sClient.Create(ctx, joiningNode)).Should(Succeed())
+			createdJoiningNode := &updatev1alpha1.JoiningNode{}
+			Eventually(func() error {
+				return k8sClient.Get(ctx, types.NamespacedName{Name: nodeName1}, createdJoiningNode)
+			}, timeout, interval).Should(Succeed())
+			Expect(createdJoiningNode.Spec.Name).Should(Equal(nodeName1))
+			Expect(createdJoiningNode.Spec.ComponentsHash).Should(Equal(componentsHash1))
+
+			By("creating a node")
+			node := &corev1.Node{
+				TypeMeta: metav1.TypeMeta{
+					APIVersion: "update.edgeless.systems/v1alpha1",
+					Kind:       "Node",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: nodeName1,
+				},
+				Spec: corev1.NodeSpec{},
+			}
+			Expect(k8sClient.Create(ctx, node)).Should(Succeed())
+			createdNode := &corev1.Node{}
+			Eventually(func() error {
+				return k8sClient.Get(ctx, types.NamespacedName{Name: nodeName1}, createdNode)
+			}, timeout, interval).Should(Succeed())
+			Expect(createdNode.ObjectMeta.Name).Should(Equal(nodeName1))
+
+			By("annotating the node")
+			Eventually(func() string {
+				_ = k8sClient.Get(ctx, types.NamespacedName{Name: nodeName1}, createdNode)
+				return createdNode.Annotations[NodeKubernetesComponentsHashAnnotationKey]
+			}, timeout, interval).Should(Equal(componentsHash1))
+
+			By("deleting the joining node resource")
+			Eventually(func() error {
+				return k8sClient.Get(ctx, types.NamespacedName{Name: joiningNode.Name}, createdJoiningNode)
+			}, timeout, interval).ShouldNot(Succeed())
+		})
+	})
+	It("Should annotate the corresponding node when creating the node first", func() {
+		ctx := context.Background()
+		By("creating a node")
+		node := &corev1.Node{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "update.edgeless.systems/v1alpha1",
+				Kind:       "Node",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: nodeName2,
+			},
+			Spec: corev1.NodeSpec{},
+		}
+		Expect(k8sClient.Create(ctx, node)).Should(Succeed())
+		createdNode := &corev1.Node{}
+		Eventually(func() error {
+			return k8sClient.Get(ctx, types.NamespacedName{Name: nodeName2}, createdNode)
+		}, timeout, interval).Should(Succeed())
+		Expect(createdNode.ObjectMeta.Name).Should(Equal(nodeName2))
+
+		By("creating a joining node resource")
+		joiningNode := &updatev1alpha1.JoiningNode{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "update.edgeless.systems/v1alpha1",
+				Kind:       "JoiningNode",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: nodeName2,
+			},
+			Spec: updatev1alpha1.JoiningNodeSpec{
+				Name:           nodeName2,
+				ComponentsHash: componentsHash2,
+			},
+		}
+		Expect(k8sClient.Create(ctx, joiningNode)).Should(Succeed())
+		createdJoiningNode := &updatev1alpha1.JoiningNode{}
+		Eventually(func() error {
+			return k8sClient.Get(ctx, types.NamespacedName{Name: joiningNode.Name}, createdJoiningNode)
+		}, timeout, interval).Should(Succeed())
+		Expect(createdJoiningNode.Spec.Name).Should(Equal(nodeName2))
+		Expect(createdJoiningNode.Spec.ComponentsHash).Should(Equal(componentsHash2))
+
+		By("annotating the node")
+		Eventually(func() string {
+			_ = k8sClient.Get(ctx, types.NamespacedName{Name: createdNode.Name}, createdNode)
+			return createdNode.Annotations[NodeKubernetesComponentsHashAnnotationKey]
+		}, timeout, interval).Should(Equal(componentsHash2))
+
+		By("deleting the joining node resource")
+		Eventually(func() error {
+			return k8sClient.Get(ctx, types.NamespacedName{Name: joiningNode.Name}, createdJoiningNode)
+		}, timeout, interval).ShouldNot(Succeed())
+	})
+})

operators/constellation-node-operator/controllers/suite_test.go

@@ -93,6 +93,12 @@ var _ = BeforeSuite(func() {
 	}).SetupWithManager(k8sManager)
 	Expect(err).ToNot(HaveOccurred())
 
+	err = (&JoiningNodesReconciler{
+		Client: k8sManager.GetClient(),
+		Scheme: k8sManager.GetScheme(),
+	}).SetupWithManager(k8sManager)
+	Expect(err).ToNot(HaveOccurred())
+
 	err = (&ScalingGroupReconciler{
 		scalingGroupUpdater: fakes.scalingGroupUpdater,
 		Client:              k8sManager.GetClient(),

operators/constellation-node-operator/main.go

@@ -145,6 +145,13 @@ func main() {
 		setupLog.Error(err, "Unable to create controller", "controller", "AutoscalingStrategy")
 		os.Exit(1)
 	}
+	if err = (&controllers.JoiningNodesReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "Unable to create controller", "controller", "JoiningNode")
+		os.Exit(1)
+	}
 	if err = controllers.NewScalingGroupReconciler(
 		cspClient, mgr.GetClient(), mgr.GetScheme(),
 	).SetupWithManager(mgr); err != nil {