Add wip bits of ldap operator, start using flake-parts

Author: Pythoner6

.gitignore

@@ -9,3 +9,8 @@ result
 .ghtoken
 cue.mod/gen
 secrets*.yaml
+.gradle
+.classpath
+.factorypath
+.settings
+.project

flake.lock

@@ -39,6 +39,18 @@ kustomizations: {
     "self-signed": clusterissuer.#ClusterIssuer & {
       spec: selfSigned: {}
     }
+    "letsencrypt": this=(clusterissuer.#ClusterIssuer & {
+      spec: acme: {
+        email: "[email protected]"
+        server: "https://acme-v02.api.letsencrypt.org/directory"
+        privateKeySecretRef: {
+          name: "\(this.metadata.name)-key"
+        }
+        solvers: [{
+          dns01: digitalocean: tokenSecretRef: { name: "digitalocean-token", key: "access-token" }
+        }]
+      }
+    })
   }
 }
 

flake.nix

@@ -0,0 +1,176 @@
+package main
+
+import (
+  "context"
+  "os"
+  "log"
+  "syscall"
+  "fmt"
+  "time"
+  "net/http"
+  "os/signal"
+  le "k8s.io/client-go/tools/leaderelection"
+  rl "k8s.io/client-go/tools/leaderelection/resourcelock"
+  "k8s.io/apimachinery/pkg/types"
+  "k8s.io/client-go/kubernetes"
+  discoveryv1client "k8s.io/client-go/kubernetes/typed/discovery/v1"
+  discoveryv1app "k8s.io/client-go/applyconfigurations/discovery/v1"
+  discoveryv1 "k8s.io/api/discovery/v1"
+  corev1app "k8s.io/client-go/applyconfigurations/core/v1"
+  corev1 "k8s.io/api/core/v1"
+  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+  "k8s.io/client-go/rest"
+)
+
+type Callbacks struct {
+  PodName string
+  PodUID string
+  PodIP string
+  NodeName string
+  ServiceName string
+  Namespace string
+  EndpointSlices discoveryv1client.EndpointSliceInterface
+}
+
+func (c *Callbacks) OnStartedLeading(ctx context.Context) {
+  log.Println(fmt.Sprintf("Started leading"))
+  apply := discoveryv1app.EndpointSlice(c.ServiceName, c.Namespace).
+    WithLabels(map[string]string{"kubernetes.io/service-name": c.ServiceName}).
+    WithAddressType(discoveryv1.AddressTypeIPv4).
+    WithPorts(discoveryv1app.EndpointPort().
+      WithName("ldaps").
+      WithProtocol(corev1.ProtocolTCP).
+      WithPort(636)).
+    WithEndpoints(discoveryv1app.Endpoint().
+      WithAddresses(c.PodIP).
+      WithNodeName(c.NodeName).
+      WithConditions(discoveryv1app.EndpointConditions().
+        WithReady(true).
+        WithServing(true).
+        WithTerminating(false)).
+      WithTargetRef(corev1app.ObjectReference().
+        WithKind("Pod").
+        WithName(c.PodName).
+        WithNamespace(c.Namespace).
+        WithUID(types.UID(c.PodUID))))
+  ctx, cancel := context.WithTimeout(ctx, 2*time.Second)
+  defer cancel()
+  c.EndpointSlices.Apply(ctx, apply, metav1.ApplyOptions{FieldManager: "openldap-leader"})
+  log.Println(fmt.Sprintf("Updated EndpointSlice"))
+}
+
+func (c *Callbacks) OnStoppedLeading() {
+  log.Println(fmt.Sprintf("Stopped leading"))
+}
+
+func (c *Callbacks) OnNewLeader(identity string) {
+  log.Println(fmt.Sprintf("New leader: %s", identity))
+}
+
+type Handler func(http.ResponseWriter, *http.Request)
+
+func (h Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+  h(w, req)
+}
+
+func main() {
+  podName := os.Getenv("POD_NAME")
+  podUID := os.Getenv("POD_UID")
+  podIP := os.Getenv("POD_IP")
+  namespace := os.Getenv("NAMESPACE")
+  nodeName := os.Getenv("NODE_NAME")
+  serviceName := os.Getenv("SERVICE_NAME")
+
+  lockType  := rl.LeasesResourceLock
+  config, err := rest.InClusterConfig()
+  if err != nil {
+    panic(err)
+  }
+  client := kubernetes.NewForConfigOrDie(config)
+  lock, err := rl.New(lockType, namespace, serviceName, client.CoreV1(), client.CoordinationV1(), rl.ResourceLockConfig{
+    Identity: podName,
+  })
+  if err != nil {
+    panic(err)
+  }
+
+  callbacks := Callbacks{
+    PodName: podName,
+    PodUID: podUID,
+    PodIP: podIP,
+    NodeName: nodeName,
+    ServiceName: serviceName,
+    Namespace: namespace,
+    EndpointSlices: client.DiscoveryV1().EndpointSlices(namespace),
+  }
+
+  elector, err := le.NewLeaderElector(le.LeaderElectionConfig{
+    Lock: lock,
+    LeaseDuration: 15 * time.Second,
+    RenewDeadline: 10 * time.Second,
+    RetryPeriod: 2 * time.Second,
+    ReleaseOnCancel: true,
+    Callbacks: le.LeaderCallbacks{
+      OnStartedLeading: callbacks.OnStartedLeading,
+      OnStoppedLeading: callbacks.OnStoppedLeading,
+      OnNewLeader: callbacks.OnNewLeader,
+    },
+  })
+  if err != nil {
+    panic(err)
+  }
+
+  ctx, cancel := context.WithCancel(context.Background())
+  defer cancel()
+
+  canceled := false
+
+  go func() {
+    for !canceled {
+      elector.Run(ctx)
+    }
+  }()
+
+  sigint := make(chan os.Signal, 1)
+	signal.Notify(sigint, os.Interrupt)
+  sigkill := make(chan os.Signal, 1)
+	signal.Notify(sigkill, os.Kill)
+  sigterm := make(chan os.Signal, 1)
+	signal.Notify(sigterm, syscall.SIGTERM)
+
+  done := make(chan os.Signal, 1)
+
+  go func() {
+    http.ListenAndServe("0.0.0.0:80", Handler(func(w http.ResponseWriter, req *http.Request) {
+      log.Println("Stopping leader election", req)
+      close(done)
+      w.WriteHeader(http.StatusNoContent)
+      _, _ = w.Write([]byte{})
+    }))
+  }()
+
+  defer func() { log.Println("Shutting down") }()
+
+  select {
+  case <-sigint:
+    return
+  case <-sigkill:
+    return
+  case <-sigterm:
+    return
+  case <-done:
+    canceled = true
+    cancel()
+  }
+
+  for {
+    select {
+    case <-sigint:
+      return
+    case <-sigkill:
+      return
+    case <-sigterm:
+      return
+    }
+  }
+}

k8s/cert-manager/cert-manager.cue

@@ -0,0 +1,83 @@
+package main
+
+import (
+  "bytes"
+  "context"
+  "log"
+  "net/http"
+  "os"
+  "time"
+
+  discoveryv1 "k8s.io/api/discovery/v1"
+  "k8s.io/client-go/kubernetes"
+  "k8s.io/client-go/rest"
+  "k8s.io/client-go/tools/cache"
+  "k8s.io/client-go/tools/watch"
+  "k8s.io/apimachinery/pkg/fields"
+  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+  machinerywatch "k8s.io/apimachinery/pkg/watch"
+)
+
+func main() {
+  namespace := os.Getenv("NAMESPACE")
+  serviceName := os.Getenv("EXTERNAL_SERVICE_NAME")
+  podIP := os.Getenv("POD_IP")
+
+  client := http.Client{
+    Timeout: 30 * time.Second,
+  }
+  _, err := client.Post("http://localhost/stop-election", "application/json", bytes.NewReader([]byte{}))
+  if err != nil {
+    panic(err)
+  }
+
+  config, err := rest.InClusterConfig()
+  if err != nil {
+    panic(err)
+  }
+  kclient := kubernetes.NewForConfigOrDie(config)
+
+  condition := func(slice *discoveryv1.EndpointSlice) (bool, error) {
+    log.Println(slice)
+    for _, endpoint := range slice.Endpoints {
+      for _, address := range endpoint.Addresses {
+        log.Println("POD_IP =", podIP)
+        log.Println("comparing to", address)
+        if address != podIP {
+          log.Println("Found other address, done!")
+          return true, nil
+        }
+      }
+    }
+    return false, nil
+  }
+
+  watch.UntilWithSync(
+    context.Background(), 
+    cache.NewListWatchFromClient(
+      kclient.DiscoveryV1().RESTClient(), 
+      "endpointslices", 
+      namespace, 
+      fields.OneTermEqualSelector(metav1.ObjectNameField, serviceName),
+    ),
+    &discoveryv1.EndpointSlice{},
+    func(store cache.Store) (bool, error) {
+      obj, present, err := store.GetByKey(namespace + "/" + serviceName)
+      if !present || err != nil{
+        return false, nil
+      }
+      slice, ok := obj.(*discoveryv1.EndpointSlice)
+      if !ok {
+        return false, nil
+      }
+      return condition(slice) 
+    },
+    func(event machinerywatch.Event) (bool, error) {
+      if slice, ok := event.Object.(*discoveryv1.EndpointSlice); ok {
+        return condition(slice)
+      } else {
+        return false, nil
+      }
+    },
+  )
+}

src/elector/cmd/elector/main.go

@@ -0,0 +1,47 @@
+module github.com/pythoner6/netserv/src/openldap-sidecar
+
+go 1.21.4
+
+require (
+	k8s.io/api v0.29.0
+	k8s.io/apimachinery v0.29.0
+	k8s.io/client-go v0.29.0
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/oauth2 v0.10.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/term v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/klog/v2 v2.110.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
+)