* RBAC: restrict SeedImage controller auth to fleet-default
do not allow the seedimage-controller to operate on pods, services and
configmaps outside of the fleet-default namespace.
Fixes #457
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* RBAC: move all rbac resources to rbac.yaml
Also have all of them collected and generated via kustomize
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
---------
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
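As an added illustration of the restriction described above (example manifest, not the project's own rbac.yaml): the pod, service and configmap permissions are granted through a namespaced Role and RoleBinding in fleet-default rather than a ClusterRole, so the controller has no access to those resources in any other namespace. The Role/RoleBinding names, the service account name and the operator namespace are assumptions.

```yaml
# Added example, not the operator's rbac.yaml. Before the change, the same
# verbs would have been granted cluster-wide via a ClusterRole/ClusterRoleBinding;
# a Role is namespace-scoped, so the grant stops at fleet-default.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: seedimage-controller          # assumed name
  namespace: fleet-default            # the only namespace the controller may touch
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: seedimage-controller          # assumed name
  namespace: fleet-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: seedimage-controller
subjects:
  - kind: ServiceAccount
    name: elemental-operator          # assumed service account name
    namespace: cattle-elemental-system # assumed operator namespace
```

To confirm the scope after applying it, `kubectl auth can-i create pods -n default --as=system:serviceaccount:cattle-elemental-system:elemental-operator` should answer `no`, while the same query with `-n fleet-default` answers `yes`.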
* Allow cross build of seed-image ISOs
This commit makes use of the targetPlatform field on the seedImage spec
to allow building ISOs for different architectures.
It does this by spawning the initContainer using the seedImageBuilder
image and using the `elemental pull-image --platform=` command to
download the correct ISO and copy it to the attached volume.
One drawback of this approach is we don't get the caching of images in
the container runtime that we get when building natively.
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
* seedimage: clean-up service on image download deadline
We used to just clean-up the Pod carrying the built image when hitting
the cleanupAfterMinutes deadline.
There is no need to leave the Service around, clean that up too.
Fixes #704
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* Update controllers/seedimage_controller.go
Co-authored-by: Fredrik Lönnegren <fredrik.lonnegren@gmail.com>
Signed-off-by: Francesco Giudici <francesco.giudici@gmail.com>
---------
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
Signed-off-by: Francesco Giudici <francesco.giudici@gmail.com>
Co-authored-by: Fredrik Lönnegren <fredrik.lonnegren@gmail.com>
When building an ISO, we create a Pod and a Service to expose the built
ISO when ready.
The link to the ISO is then exposed through the Elemental Operator
Deployment, which acts as an Ingress.
The Service we create to expose the Pod port is of type NodePort: this
is not needed, it is just a leftover from the initial implementations, where
we used to expose a "direct" link to the Pod.
No need to keep a NodePort service now, let's have a ClusterIP Service
type instead.
Fixes: https://github.com/rancher/elemental-operator/issues/705
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* Update system-upgrade-controller API
Signed-off-by: Andrea Mazzotti <andrea.mazzotti@suse.com>
* Update Fleet API
Signed-off-by: Andrea Mazzotti <andrea.mazzotti@suse.com>
* Sanitize dependencies
Signed-off-by: Andrea Mazzotti <andrea.mazzotti@suse.com>
---------
Signed-off-by: Andrea Mazzotti <andrea.mazzotti@suse.com>
Use the service included in elemental instead of directly triggering
elemental-register.
This will make sure all needed dependencies are started before
registering the system.
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
TargetPlatform is used when building raw disk-images for other
platforms. An example being building rpi images on a cluster running on
x86_64 hardware.
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
* feat: Add Type field to SeedImageSpec
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
* feat: Add raw disk build generation to SeedImage
If SeedImageSpec.Type is set to 'raw' we now try to run elemental
build-disk to generate the disk image.
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
* Add elemental-toolkit to seedimage-builder
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
* feat: Update yip to v1.4.5
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
* feat: Reset yaml
Add yip cloud-config for raw disk-image that will extract the
elemental-register configuration to /oem/registration/config.yaml and
start the elemental-register-install.service in the post-reset hook.
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
* feat: Use new toolkit param deploy-command
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
---------
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
When a seedimage resource is reconciled the output-name should stay the
same since it's mounted into a pod and the pod will not pick up changes
automatically.
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
* Bring your own SeedImage builder
This commit adds functionality to define which build-image to use for a
SeedImage. If no build-image is provided the default one is used.
The BuildContainer only takes Name, Image, ImagePullPolicy, Args and
Command in order to limit what the user is able to do.
The user-defined build container will also mount a ConfigMap with
environment variables for device, base-image, registration-url and
ISO output-name.
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
* feat: Add Size to SeedImageSpec
Size is used to calculate ephemeral resource requests when building the
seed-image.
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
This commit checks on each reconcile loop if the service
account token secret is missing despite being on ready
state.
In addition it also adds optimistic locking for patch calls. The
motivation is to prevent concurrent controllers from modifying
outdated data.
Signed-off-by: David Cassany <dcassany@suse.com>
If the Pod gets scheduled to be deleted but the status is not updated
before the Pod reconcile loop, we may end up updating the status to
SeedImageReady to true as we found the Pod still running.
This commit adds a check if the Pod is marked for deletion: if so, let's
wait.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
This is needed to update the configmap associated with the builder pod,
which contains registration and cloud-init data for the ISO.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
Move the checks of the config map containing the registration data into
the createConfigMapObject() function (renamed to
reconcileConfigMapObject()).
Moreover, while there, check the data included in the config map: if it
is no more up-to-date, rebuild the config map.
Fixes #456
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
Delete immediately the builder pod and the associated service, just
after resetting the conditions.
Fixes #452
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
Early in the reconcile group there is a check on the retriggerBuild field:
in case it is true, conditions are reset and retriggerBuild is immediately set
to false.
Drop the following sets / checks as they are redundant.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
Previously, the built iso name was a static 'elemental.iso'.
Now, the referenced MachineRegistration and the time in RFC3339 format
are part of the built iso name.
elemental-{MachineRegistration Name}-{RFC3339 date}.iso
e.g.: elemental-myreg-2023-04-19T13:48:50.52Z.iso
Moreover, take advantage of the new httpfy functionality and pass it the
full name of the generated iso file to be served independently of the
URL in the request.
Drop also the static "elemental.iso" from the generated download URL.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
...and add a new helper in the util package to verify if a resource is
owned by an object (identified by its UID).
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* Add client registration config utility
* Use a config-map for the seed-image pod
* Allow ConfigMaps manipulation in SeedImage RBAC
* Drop configmap-uid annotation
* go mod tidy
* Adapt tests
* Add createConfigMapObject tests
Signed-off-by: David Cassany <dcassany@suse.com>
The busybox version of base64 (which we use in our newer Seed Image
builder image) just takes the '-d' for decoding ('--decode' errors out).
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
Also, change the default image to the one built with Docker.seedimage.
The expected image should have the following binaries available:
- xorriso
- curl
- base64
The image should also have as the default entrypoint an http server
starting on port 80 serving files from the working dir.
Related to:
https://github.com/rancher/elemental-operator/issues/374
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* Add cloud-init support to seedImage
This commit adds a field to the SeedImage Spec for a cloud-config that
will be included in the built ISO.
If the cloud-config field is not set, an empty file will be added to the
ISO's iso-config dir.
The reconciliation will take place in case the cloud-config is changed
and the base64 encoded value is used in an annotation in order to see if
the value has changed.
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
* Linting
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
* Add seedImage unit-tests
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
---------
Signed-off-by: Fredrik Lönnegren <fredrik.lonnegren@suse.com>
Otherwise auto-install would not work:
----
rancher-7934:/system/oem # cat 99_elemental-register.yaml
name: "Elemental operator bootstrap"
stages:
  network.after:
    # run only if on live cd and there is a config file
    - if: '[ -f /run/cos/live_mode ] && [ -f /run/initramfs/live/livecd-cloud-config.yaml ]'
      commands:
        - systemd-cat -t elemental elemental-register --debug /run/initramfs/live/
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
This improves code readability... and makes linter happy :-)
There is also a slight change: when the build pod is in an unexpected
Phase (Success or Unknown) we don't recreate the pod anymore.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
No need to re-set the conditions at each reconcile loop when everything
has already been done and is ready.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* operator: add SeedImage CRD and controller
* SeedImage: add Ready condition to track resource status
* SeedImage: add Pod and Service creation in the reconcile loop
* SeedImage: manage Pod lifecycle and set the download URL
* SeedImage: allow the pod to fail if something goes wrong
* SeedImage: add SeedImageReady condition
* SeedImage: improve status condition updates
* SeedImage: add controller tests
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>