Merge pull request #321 from beraldoleal/new-main

Sync main with peer-pods-tech-preview

Dockerfile

@@ -1,7 +1,7 @@
 # Use OpenShift golang builder image
 # These images needs to be synced with the images in the Makefile.
-ARG BUILDER_IMAGE=${BUILDER_IMAGE:-registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.18-openshift-4.11}
-ARG TARGET_IMAGE=${TARGET_IMAGE:-registry.ci.openshift.org/ocp/4.11:base}
+ARG BUILDER_IMAGE=${BUILDER_IMAGE:-registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.19-openshift-4.13}
+ARG TARGET_IMAGE=${TARGET_IMAGE:-registry.ci.openshift.org/ocp/4.13:base}
 FROM ${BUILDER_IMAGE} AS builder
 
 WORKDIR /workspace
@@ -20,12 +20,13 @@ RUN go mod download
 # needed for docker build but not for local builds
 RUN go mod vendor
 
-RUN GOFLAGS="" make build
+RUN make build
 
 # Use OpenShift base image
 FROM ${TARGET_IMAGE}
 WORKDIR /
 COPY --from=builder /workspace/bin/manager .
+COPY --from=builder /workspace/config/peerpods /config/peerpods
 
 RUN useradd  -r -u 499 nonroot
 RUN getent group nonroot || groupadd -o -g 499 nonroot

Makefile

@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 1.3.4
+VERSION ?= 1.4.0
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
@@ -61,15 +61,27 @@ GOBIN=$(shell go env GOBIN)
 endif
 
 # These images needs to be synced with the default values in the Dockerfile.
-BUILDER_IMAGE ?= registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.18-openshift-4.11
-TARGET_IMAGE  ?= registry.ci.openshift.org/ocp/4.11:base
+BUILDER_IMAGE ?= registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.19-openshift-4.13
+TARGET_IMAGE  ?= registry.ci.openshift.org/ocp/4.13:base
 
 # Setting SHELL to bash allows bash commands to be executed by recipes.
 # This is a requirement for 'setup-envtest.sh' in the test target.
 # Options are set to exit when a recipe line exits non-zero or a piped command fails.
 SHELL = /usr/bin/env bash -o pipefail
 .SHELLFLAGS = -ec
 
+BUILTIN_CLOUD_PROVIDERS ?= aws azure
+# Build tags required to build cloud-api-adaptor are derived from BUILTIN_CLOUD_PROVIDERS.
+space := $() $()
+comma := ,
+GOFLAGS := -tags=$(subst $(space),$(comma),$(strip $(BUILTIN_CLOUD_PROVIDERS)))
+
+#
+# If SKIP_TESTS is set, the test target will *not* run `go test`.
+# This is to be able to temporarily work around test failures when doing
+# local development.
+SKIP_TESTS =
+
 .PHONY: all
 all: build
 
@@ -110,17 +122,19 @@ vet: ## Run go vet against code.
 
 .PHONY: test
 test: manifests generate fmt vet envtest ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out
+ifneq (, $(SKIP_TESTS))
+	@echo Skipping tests. Unset SKIP_TESTS to actually run them.
+else
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test $(GOFLAGS) ./... -coverprofile cover.out
 	# set write flag on created folder, so that we can clean it up
 	chmod +w $(LOCALBIN)/k8s/$(ENVTEST_K8S_VERSION)*
-
-
+endif
 
 ##@ Build
 
 .PHONY: build
 build: generate fmt vet ## Build manager binary.
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -mod=mod -o bin/manager main.go
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build $(GOFLAGS) -mod=mod -o bin/manager main.go
 
 .PHONY: run
 run: manifests generate fmt vet ## Run a controller from your host.
@@ -199,7 +213,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v4.5.5
-CONTROLLER_TOOLS_VERSION ?= v0.9.2
+CONTROLLER_TOOLS_VERSION ?= v0.10.0
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize

PROJECT

@@ -7,6 +7,10 @@ plugins:
 projectName: sandboxed-containers-operator
 repo: github.com/openshift/sandboxed-containers-operator
 resources:
+- group: confidentialcontainers
+  version: v1alpha1
+  kind: PeerPodConfig
+  path: github.com/confidential-containers/cloud-api-adaptor/peerpodconfig-ctrl/api/v1alpha1
 - controller: true
   domain: kataconfiguration.openshift.io
   group: kataconfiguration
@@ -16,4 +20,12 @@ resources:
   webhooks:
     validation: true
     webhookVersion: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: confidentialcontainers.org
+  kind: PeerPod
+  path: github.com/confidential-containers/cloud-api-adaptor/peerpod-ctrl/api/v1alpha1
+  version: v1alpha1
 version: "3"

api/v1/kataconfig_types.go

@@ -38,6 +38,12 @@ type KataConfigSpec struct {
 	// Sets log level on kata-equipped nodes.  Valid values are the same as for `crio --log-level`.
 	// +kubebuilder:default:="info"
 	LogLevel string `json:"logLevel,omitempty"`
+
+	// EnablePeerPods is used to transparently create pods on a remote system.
+	// For more information on how this works, please refer to the sandboxed containers documentation - https://docs.openshift.com/container-platform/latest/sandboxed_containers/deploying-sandboxed-container-workloads.html
+	// +optional
+	// +kubebuilder:default:=false
+	EnablePeerPods bool `json:"enablePeerPods"`
 }
 
 // KataConfigStatus defines the observed state of KataConfig

config/manager/manager.yaml

@@ -3,6 +3,9 @@ kind: Namespace
 metadata:
   labels:
     control-plane: controller-manager
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged
   name: "openshift-sandboxed-containers-operator"
 ---
 apiVersion: apps/v1
@@ -46,18 +49,41 @@ spec:
       - effect: NoSchedule
         key: node.kubernetes.io/memory-pressure
         operator: Exists
+      volumes:
+      - name: ssh
+        secret:
+          defaultMode: 384
+          optional: true
+          secretName: ssh-key-secret
       containers:
       - command:
         - /manager
         args:
         - --enable-leader-election
+        volumeMounts:
+        - mountPath: /root/.ssh/
+          name: ssh
+          readOnly: true
+        envFrom:
+        - secretRef:
+            name: peer-pods-secret
+            optional: true
+        - configMapRef:
+            name: peer-pods-cm
+            optional: true
         image: controller:latest
         name: manager
         env:
-        - name: KATA_MONITOR_IMAGE
+        - name: PEERPODS_NAMESPACE
+          value: "openshift-sandboxed-containers-operator"
+        - name: RELATED_IMAGE_KATA_MONITOR
           value: quay.io/openshift_sandboxed_containers/openshift-sandboxed-containers-monitor:latest
         - name: SANDBOXED_CONTAINERS_EXTENSION
           value: kata-containers
+        - name: RELATED_IMAGE_CAA
+          value: quay.io/confidential-containers/cloud-api-adaptor
+        - name: RELATED_IMAGE_PEERPODS_WEBHOOK
+          value: "quay.io/confidential-containers/peer-pods-webhook:latest" 
         imagePullPolicy: Always
         resources:
           limits:

config/manifests/bases/sandboxed-containers-operator.clusterserviceversion.yaml

@@ -13,17 +13,19 @@ metadata:
         }
       ]
     capabilities: Seamless Upgrades
-    olm.skipRange: '>=1.1.0 <1.3.2'
+    olm.skipRange: '>=1.1.0 <1.4.0'
     operatorframework.io/suggested-namespace: openshift-sandboxed-containers-operator
     operators.openshift.io/infrastructure-features: '["disconnected", "fips"]'
+    operators.openshift.io/valid-subscription: '["OpenShift Container Platform", "OpenShift
+      Platform Plus"]'
     operators.operatorframework.io/builder: operator-sdk-v1.20.1+git
+    operators.operatorframework.io/internal-objects: '["peerpods.confidentialcontainers.org","peerpodconfigs.confidentialcontainers.org"]'
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/openshift/sandboxed-containers-operator
-    operators.openshift.io/valid-subscription: '["OpenShift Container Platform", "OpenShift Platform Plus"]'
   labels:
     operatorframework.io/arch.amd64: supported
     operatorframework.io/os.linux: supported
-  name: sandboxed-containers-operator.v1.3.2
+  name: sandboxed-containers-operator.v1.4.0
 spec:
   apiservicedefinitions: {}
   customresourcedefinitions:
@@ -363,7 +365,7 @@ spec:
   maturity: beta
   provider:
     name: Red Hat
-  version: 1.3.2
+  version: 1.4.0
   webhookdefinitions:
   - admissionReviewVersions:
     - v1

config/manifests/extension-crds/confidentialcontainers.org_peerpodconfigs.yaml

@@ -0,0 +1,78 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.10.0
+  creationTimestamp: null
+  name: peerpodconfigs.confidentialcontainers.org
+spec:
+  group: confidentialcontainers.org
+  names:
+    kind: PeerPodConfig
+    listKind: PeerPodConfigList
+    plural: peerpodconfigs
+    singular: peerpodconfig
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: PeerPodConfig is the Schema for the peerpodconfigs API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PeerPodConfigSpec defines the desired state of PeerPodConfig
+            properties:
+              cloudSecretName:
+                default: peer-pods-secret
+                description: CloudSecretName is the name of the secret that holds
+                  the credentials for the cloud provider
+                type: string
+              configMapName:
+                default: peer-pods-cm
+                description: ConfigMapName is the name of the configmap that holds
+                  cloud provider specific environment Variables
+                type: string
+              instanceType:
+                description: InstanceType describes the name of the instance type
+                  of the chosen cloud provider
+                type: string
+              limit:
+                description: Limit is the max number of peer pods. This is exposed
+                  as extended resource on nodes
+                type: string
+              nodeSelector:
+                additionalProperties:
+                  type: string
+                description: NodeSelector selects the nodes on which to run the cloud-api-adaptor
+                  pods
+                type: object
+            required:
+            - cloudSecretName
+            - configMapName
+            type: object
+          status:
+            description: PeerPodConfigStatus defines the observed state of PeerPodConfig
+            properties:
+              setupCompleted:
+                description: SetupCompleted is set to true when all components have
+                  been deployed/created
+                type: boolean
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/manifests/extension-crds/confidentialcontainers.org_peerpods.yaml

@@ -0,0 +1,53 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.10.0
+  creationTimestamp: null
+  name: peerpods.confidentialcontainers.org
+spec:
+  group: confidentialcontainers.org
+  names:
+    kind: PeerPod
+    listKind: PeerPodList
+    plural: peerpods
+    singular: peerpod
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: PeerPod is the Schema for the peerpods API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PeerPodSpec defines the desired state of PeerPod
+            properties:
+              cloudProvider:
+                type: string
+              instanceID:
+                type: string
+            type: object
+          status:
+            description: PeerPodStatus defines the observed state of PeerPod
+            properties:
+              cleand:
+                type: boolean
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/manifests/extension-crds/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- confidentialcontainers.org_peerpodconfigs.yaml
+- confidentialcontainers.org_peerpods.yaml

config/manifests/kustomization.yaml

@@ -5,6 +5,7 @@ resources:
 - ../default
 - ../samples
 - ../scorecard
+- extension-crds/
 
 # [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix.
 # Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager.

config/peerpods/image.yaml

@@ -0,0 +1,9 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+spec:
+  containers:
+    image: quay.io/openshift_sandboxed_containers/osc-peer-pods
+    newTag: latest
+