Fixes: #265
* registration: negotiate registration protocol
* operator: always update the MachineInventory for authenticated clients
* register: rename sendData to sendSMBIOSdata
* register: rework the Register() function
* operator: rework the registration protocol loop
* operator: no need to return the msgType from the registration loop
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* operator/registration: switch to Kubebuilder client
Fixes #239
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* operator/registration: adapt tests to Kubebuilder client
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* unit-tests: vendor controller-runtime fake client
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* operator: add yaml annotations for correct marshalling
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* operator/RBAC: add "get" verb to ServiceAccount resources
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* operator: generate rbac
make generate-manifests
make build-rbac
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* Add elementalcli package
Create a separate package to deal with elemental-cli installation.
This brings the elemental-cli functions declared in the config package
to a new package that just parses a map[string]interface argument.
This is a step to enable usage of the elemental-cli functions with the
new elementalv1.Config.Elemental.Install type.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* register: switch to Kubebuilder api
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* register: add mapstructure annotations for correct marshalling
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* register: reduce complexity of the run function
Make linter happy:
"cyclomatic complexity 16 of func `run` is high (> 15) (gocyclo)"
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* register: drop io/ioutil in favor of os package
io/ioutil is deprecated
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
This commit adds a rate limiter to the ManagedOSVersionChannel controller to prevent
stacking reconcile loops over the same resource at fast rates (this doesn't make sense for a
ManagedOSVersionChannel). By default the controller runtime already includes an
equivalent rate limiter, but it starts in the range of milliseconds; starting the exponential
rate limiter in the range of seconds is more than enough in this context.
In addition it drops the failures counter in the resource. This counter was supposed to
be used to limit the number of attempts to sync in case of failure. This was a bad design:
status should not keep a counter like this, as any change in status triggers a new
immediate reconcile loop, hence the counter was reaching the maximum as fast as the
controller runtime was executing reconcile loops without any rate limiter (the rate limiter
applies only when there are no changes, including status).
For now I think we can just live without setting any maximum for failures. If we ever
need it I believe it should be coded and tracked within the controller itself, not in each
resource, as this prevents the reconcile loop from being idempotent. Alternatively we could
prevent triggering the reconcile loop on status changes, however this prevents
reconciling if any third party (or user from the kubectl client) changes a resource status.
Fixes #257
Part of #240
Signed-off-by: David Cassany <dcassany@suse.com>
This commit adds few changes on the syncer logic:
* Makes use of ManagedOSVersionChannel status reason to track if there
is an ongoing synchronization rather than polling for the existence of a synchronization pod or not.
* Adds a logic to stop trying to synchronize after 4 consecutive attempts.
If it exceeds the maximum it just programs the next re-sync after the given sync
interval instead of immediately retrying.
* Adds some logging and comments here and there.
Signed-off-by: David Cassany <dcassany@suse.com>
* Implement syncer logic as part of the ManagedOSVersionChannel controller
This commit adds the logic to synchronize managedosversionchannels
within the already existing controller.
* make generate
* make build-manifests
* Update chart
* update e2e tests
Signed-off-by: David Cassany <dcassany@suse.com>
* Update vendor
* Run generation tasks
* Minor fixes in Makefile
* Remove old code
* Add remaining controllers
* Minor e2e tests improvements
* Switch osversionchannel syncer to controller runtime
* Minor fixes in controllers
* Fix unit tests
* Add new package to Dockerfile
* Update dependencies
* Add unit test helpers
* Add new machine registration controller
* Remove old machine registration controller
* Add rbac tag for secrets
* Fix container argument in chart
* Add labels to all created resources
The OnChange function of the MachineRegistration controller is becoming
too packed: move the ServiceAccount and associated Secret creation and
management in a separate function
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
If the ServiceAccount for the newly created MachineRegistration
is already there, ensure it has a link to the newly created Secret
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
A Secret referencing a missing ServiceAccount will be deleted.
While we create them one after the other, still the safest path is
to create the ServiceAccount first. Otherwise we may be exposed to
a race condition in which:
1. We create the Secret referencing a nonexistent ServiceAccount
2. The Secret controller will detect a Secret referencing a nonexistent
ServiceAccount and will mark it for deletion
3. The ServiceAccount is created with the reference to the Secret
4. The Secret gets removed from the controller: the controller also
updates the ServiceAccount removing the linked Secret
Fixes #197
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* operator: manage empty config in MachineRegistrations
We don't deal with empty Spec:Config in MachineRegistrations: in that
case we would end up with a nil Config structure, which we don't check
causing the operator to panic.
Just check and deal with empty (nil) MachineRegistration config.
Fixes #202
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* operator:trivial: rename var machineRegistration to registration
In order to manage a MachineRegistration resource we instantiate a var named
'registration' in all the functions of the server package, but in the
'unauthenticatedResponse' function.
Let's stay coherent: rename the variable.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* operator: tests: expand the data structure TestInitNewInventory
This has no functional change: just extend the configuration parameter
that can be set in the data structure used for the tests.
Make use of it in the following commit.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* operator: tests: check empty config in MachineRegistrations
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
Label objects created by elemental-operator with
"elemental.cattle.io/managed": "true"
It will be used by the rancher-backup operator to filter these objects and
create a proper backup from them.
Fixes https://github.com/rancher/elemental/issues/435
Signed-off-by: Michal Jura <mjura@suse.com>
Mark secrets created and managed by elemental-operator.
It is needed for the rancher-backup operator to select them for backup.
Fixes https://github.com/rancher/elemental/issues/396
Signed-off-by: Michal Jura <mjura@suse.com>
With Kubernetes 1.24, creation of ServiceAccounts no longer triggers
the creation of an associated Secret resource automatically: we need
it for the ServiceAccount bound to the MachineRegistration resources.
Explicitly create it in any case.
Fixes #176
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
We need to lend the secret to the rancher-system-agent: without that
let's not even start the elemental deployment.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
The right way to set labels for the MachineInventory objs is to set
them in the MachineRegistration:spec:machineInventoryLabels, which
will be processed by the operator.
Drop MachineRegistration spec:config:elemental:registration:labels.
Fixes #161
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
Right now when the MachineRegistration is missing a 'spec.MachineName'
value we set the following hostname:
m-${System Information/Manufacturer}-${System Information/Product Name}-${System Information/UUID}
This causes an invalid hostname if config.registration.no-smbios is set
to true, failing the registration.
When no-smbios is set to false instead, we may still fail the registration
as the hostname derived from no-smbios data is truncated to 58 chars, which
may end up truncating the UUID, which is the only parameter ensuring uniqueness.
This PR changes the default MachineInventory name to a UUID prepended by "m-":
the UUID is taken from "${System Information/UUID}" when SMBIOS data is available,
otherwise the UUID is randomly generated.
Fixes: https://github.com/rancher/elemental-operator/issues/144
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
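As an added illustration (not code from the operator itself), the following Go snippet contrasts the old truncated default name with the new "m-" + UUID default described above; the lower-casing of the SMBIOS UUID and the crypto/rand based UUID generation are assumptions.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"strings"
)

// maxLegacyNameLen is the 58-character truncation the commit message describes.
const maxLegacyNameLen = 58

// legacyInventoryName mimics the old default m-${Manufacturer}-${Product Name}-${UUID},
// truncated to 58 chars, so the UUID (the only unique part) is the first thing cut.
func legacyInventoryName(manufacturer, product, uuid string) string {
	name := fmt.Sprintf("m-%s-%s-%s", manufacturer, product, uuid)
	if len(name) > maxLegacyNameLen {
		name = name[:maxLegacyNameLen]
	}
	return name
}

// legacyNameKeepsUUID reports whether the truncated legacy name still
// carries the full UUID, i.e. whether it is still guaranteed unique.
func legacyNameKeepsUUID(manufacturer, product, uuid string) bool {
	return strings.HasSuffix(legacyInventoryName(manufacturer, product, uuid), uuid)
}

// randomUUID builds a version-4 UUID from crypto/rand (assumption: stdlib only).
func randomUUID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// defaultInventoryName implements the new default: "m-" followed by the SMBIOS UUID
// when available, otherwise a random UUID. Lower-casing is an assumption (k8s names).
func defaultInventoryName(smbiosUUID string) (string, error) {
	uuid := strings.ToLower(strings.TrimSpace(smbiosUUID))
	if uuid == "" {
		var err error
		if uuid, err = randomUUID(); err != nil {
			return "", err
		}
	}
	return "m-" + uuid, nil
}
```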
This commit changes the communication protocol between the operator and
the elemental-register client in order to take full advantage of the websocket
connection: SMBIOS data and labels are now passed via the websocket channel.
The protocol is now extensible and could be easily extended to pass arbitrary
data or request different kind of services to the operator.
This commit breaks backwards compatibility with older operators and
elemental-register clients.
Fixes #5
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
We are going to rework the communication protocol, making full use
of the bidirectional websocket we set up. Here we introduce some
helper functions that will make the communication easier.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
We already had a deadline on the operator side: add to the
registering client too.
Share websocket configuration options as we will soon need it
for establishing a common protocol.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
Till now, the attestation and communication with the elemental operator
were all demanded to the github.com/rancher-sandbox/go-tpm package.
Split TPM attestation from the communication with the elemental operator
demanding TPM authentication to the external library while taking full
control of the communication with the operator.
This doesn't introduce functional changes (so it will keep retrocompatibility
with the current elemental operator) and is a preparatory step to address
rancher/elemental-operator#5
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
Error: cyclomatic complexity 16 of func `(*InventoryServer).ServeHTTP` is high (> 15) (gocyclo)
Move code to update labels from headers to subfunction
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
Till now the TPM package was in charge of upgrading the HTTP connection
and manage the websocket one.
Move the connection management to the server package to split connection
management from TPM authentication.
This will allow us later to pass the smbios data and the labels through
the channel instead of abusing HTTP headers.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>