Adapt OSC controller

- prepare for new OSC contract when `UseGardenerNodeAgent` feature gate is enabled
gardener · Oct 26, 2023 · 96607fa · 96607fa
1 parent c7a7d33
commit 96607fa
Show file tree

Hide file tree

Showing 79 changed files with 12,536 additions and 308 deletions.
diff --git a/go.mod b/go.mod
@@ -24,11 +24,13 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible // indirect
 	github.com/ahmetb/gen-crd-api-reference-docs v0.3.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/bronze1man/yaml2json v0.0.0-20211227013850-8972abeaea25 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fatih/color v1.15.0 // indirect
 	github.com/fluent/fluent-operator/v2 v2.2.0 // indirect

diff --git a/go.sum b/go.sum
@@ -76,7 +76,6 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/blang/semver v3.5.0+incompatible h1:CGxCgetQ64DKk7rdZ++Vfnb1+ogGNnB17OJKJXD2Cfs=
 github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=

diff --git a/pkg/controller/operatingsystemconfig/actuator.go b/pkg/controller/operatingsystemconfig/actuator.go
@@ -16,47 +16,140 @@ package operatingsystemconfig
 
 import (
 	"context"
+	_ "embed"
+	"fmt"
+	"path/filepath"
 
 	"github.com/gardener/gardener/extensions/pkg/controller/operatingsystemconfig"
 	extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
 	"github.com/go-logr/logr"
-	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 )
 
 type actuator struct {
-	client client.Client
-	scheme *runtime.Scheme
-	logger logr.Logger
+	client               client.Client
+	useGardenerNodeAgent bool
 }
 
 // NewActuator creates a new Actuator that updates the status of the handled OperatingSystemConfigs.
-func NewActuator(mgr manager.Manager) operatingsystemconfig.Actuator {
+func NewActuator(mgr manager.Manager, useGardenerNodeAgent bool) operatingsystemconfig.Actuator {
 	return &actuator{
-		client: mgr.GetClient(),
-		scheme: mgr.GetScheme(),
-		logger: log.Log.WithName("coreos-operatingsystemconfig-actuator"),
+		client:               mgr.GetClient(),
+		useGardenerNodeAgent: useGardenerNodeAgent,
 	}
 }
 
-func (c *actuator) Reconcile(ctx context.Context, _ logr.Logger, config *extensionsv1alpha1.OperatingSystemConfig) ([]byte, *string, []string, []string, error) {
-	return c.reconcile(ctx, config)
+func (a *actuator) Reconcile(ctx context.Context, _ logr.Logger, osc *extensionsv1alpha1.OperatingSystemConfig) ([]byte, *string, []string, []string, []extensionsv1alpha1.Unit, []extensionsv1alpha1.File, error) {
+	if !a.useGardenerNodeAgent {
+		cloudConfig, command, units, files, err := a.legacyReconcile(ctx, osc)
+		if err != nil {
+			return nil, nil, nil, nil, nil, nil, fmt.Errorf("could not generate cloud config: %w", err)
+		}
+		return cloudConfig, command, units, files, nil, nil, nil
+	}
+
+	switch purpose := osc.Spec.Purpose; purpose {
+	case extensionsv1alpha1.OperatingSystemConfigPurposeProvision:
+		userData, err := a.handleProvisionOSC(ctx, osc)
+		return []byte(userData), nil, nil, nil, nil, nil, err
+
+	case extensionsv1alpha1.OperatingSystemConfigPurposeReconcile:
+		extensionUnits, extensionFiles, err := a.handleReconcileOSC(osc)
+		return nil, nil, nil, nil, extensionUnits, extensionFiles, err
+
+	default:
+		return nil, nil, nil, nil, nil, nil, fmt.Errorf("unknown purpose: %s", purpose)
+	}
 }
 
-func (c *actuator) Delete(ctx context.Context, _ logr.Logger, config *extensionsv1alpha1.OperatingSystemConfig) error {
-	return c.delete(ctx, config)
+func (a *actuator) Delete(_ context.Context, _ logr.Logger, _ *extensionsv1alpha1.OperatingSystemConfig) error {
+	return nil
 }
 
-func (c *actuator) ForceDelete(ctx context.Context, _ logr.Logger, config *extensionsv1alpha1.OperatingSystemConfig) error {
-	return c.delete(ctx, config)
+func (a *actuator) Migrate(ctx context.Context, log logr.Logger, osc *extensionsv1alpha1.OperatingSystemConfig) error {
+	return a.Delete(ctx, log, osc)
 }
 
-func (c *actuator) Restore(ctx context.Context, logger logr.Logger, config *extensionsv1alpha1.OperatingSystemConfig) ([]byte, *string, []string, []string, error) {
-	return c.Reconcile(ctx, logger, config)
+func (a *actuator) ForceDelete(ctx context.Context, log logr.Logger, osc *extensionsv1alpha1.OperatingSystemConfig) error {
+	return a.Delete(ctx, log, osc)
 }
 
-func (c *actuator) Migrate(ctx context.Context, _ logr.Logger, config *extensionsv1alpha1.OperatingSystemConfig) error {
-	return nil
+func (a *actuator) Restore(ctx context.Context, logger logr.Logger, osc *extensionsv1alpha1.OperatingSystemConfig) ([]byte, *string, []string, []string, []extensionsv1alpha1.Unit, []extensionsv1alpha1.File, error) {
+	return a.Reconcile(ctx, logger, osc)
+}
+
+//go:embed templates/containerd/run-command.sh.tpl
+var containerdTemplateContent string
+
+func (a *actuator) handleProvisionOSC(ctx context.Context, osc *extensionsv1alpha1.OperatingSystemConfig) (string, error) {
+	writeFilesToDiskScript, err := operatingsystemconfig.FilesToDiskScript(ctx, a.client, osc.Namespace, osc.Spec.Files)
+	if err != nil {
+		return "", err
+	}
+	writeUnitsToDiskScript := operatingsystemconfig.UnitsToDiskScript(osc.Spec.Units)
+
+	return `#!/bin/bash
+if [ ! -s /etc/containerd/config.toml ]; then
+  mkdir -p /etc/containerd/
+  containerd config default > /etc/containerd/config.toml
+  chmod 0644 /etc/containerd/config.toml
+fi
+mkdir -p /etc/systemd/system/containerd.service.d
+cat <<EOF > /etc/systemd/system/containerd.service.d/11-exec_config.conf
+[Service]
+ExecStart=
+ExecStart=/bin/bash -c 'PATH="/run/torcx/unpack/docker/bin:$PATH" /run/torcx/unpack/docker/bin/containerd --config /etc/containerd/config.toml'
+EOF
+chmod 0644 /etc/systemd/system/containerd.service.d/11-exec_config.conf
+` + writeFilesToDiskScript + `
+` + writeUnitsToDiskScript + `
+` + containerdTemplateContent + `
+systemctl daemon-reload
+systemctl enable containerd && systemctl restart containerd
+systemctl enable docker && systemctl restart docker
+systemctl enable gardener-node-agent && systemctl restart gardener-node-agent`, nil
+}
+
+//go:embed templates/configure-cgroupsv2.sh.tpl
+var cgroupsv2TemplateContent string
+
+func (a *actuator) handleReconcileOSC(_ *extensionsv1alpha1.OperatingSystemConfig) ([]extensionsv1alpha1.Unit, []extensionsv1alpha1.File, error) {
+	var (
+		extensionUnits []extensionsv1alpha1.Unit
+		extensionFiles []extensionsv1alpha1.File
+	)
+
+	// disable automatic updates
+	extensionUnits = append(extensionUnits,
+		extensionsv1alpha1.Unit{Name: "update-engine.service", Command: pointer.String("stop")},
+		extensionsv1alpha1.Unit{Name: "locksmithd.service", Command: pointer.String("stop")},
+	)
+
+	// blacklist sctp kernel module
+	extensionFiles = append(extensionFiles, extensionsv1alpha1.File{
+		Path:        filepath.Join("/", "etc", "modprobe.d", "sctp.conf"),
+		Content:     extensionsv1alpha1.FileContent{Inline: &extensionsv1alpha1.FileContentInline{Data: "install sctp /bin/true"}},
+		Permissions: pointer.Int32(0644),
+	})
+
+	// add scripts and dropins for kubelet cgroup driver configuration
+	filePathKubeletCGroupDriverScript := filepath.Join("/", "opt", "bin", "kubelet_cgroup_driver.sh")
+	extensionFiles = append(extensionFiles, extensionsv1alpha1.File{
+		Path:        filePathKubeletCGroupDriverScript,
+		Content:     extensionsv1alpha1.FileContent{Inline: &extensionsv1alpha1.FileContentInline{Data: cgroupsv2TemplateContent}},
+		Permissions: pointer.Int32(0755),
+	})
+	extensionUnits = append(extensionUnits, extensionsv1alpha1.Unit{
+		Name: "kubelet.service",
+		DropIns: []extensionsv1alpha1.DropIn{{
+			Name: "10-configure-cgroup-driver.conf",
+			Content: `[Service]
+ExecStartPre=` + filePathKubeletCGroupDriverScript + `
+`,
+		}},
+	})
+
+	return extensionUnits, extensionFiles, nil
 }
diff --git a/pkg/controller/operatingsystemconfig/actuator_delete.go b/pkg/controller/operatingsystemconfig/actuator_delete.go