Introduce Leader Election and use Deployments for agents

Dockerfile.dapper

@@ -3,7 +3,33 @@ FROM registry.suse.com/bci/golang:1.23
 ARG DAPPER_HOST_ARCH
 ENV ARCH $DAPPER_HOST_ARCH
 
-RUN zypper -n install tar gzip bash git docker less file curl wget
+# Proxy configuration
+ARG http_proxy
+ARG https_proxy
+ARG no_proxy
+
+ENV http_proxy $http_proxy
+ENV https_proxy $https_proxy
+ENV no_proxy $no_proxy
+
+# Configure zypper proxy if https_proxy is set
+RUN if [ -n "$https_proxy" ]; then \
+    PROXY_URL_NO_SCHEME=$(echo "$https_proxy" | sed -e 's#http://##g' -e 's#https://##g'); \
+    PROXY_HOST=$(echo "$PROXY_URL_NO_SCHEME" | cut -d':' -f1); \
+    PROXY_PORT=$(echo "$PROXY_URL_NO_SCHEME" | cut -d':' -f2 | cut -d'/' -f1); \
+    echo "proxy.enabled = true" >> /etc/zypp/zypp.conf; \
+    echo "proxy.host = $PROXY_HOST" >> /etc/zypp/zypp.conf; \
+    echo "proxy.port = $PROXY_PORT" >> /etc/zypp/zypp.conf; \
+    echo "proxy.protocol = http" >> /etc/zypp/zypp.conf; \
+    echo "Zypper proxy configured to $PROXY_HOST:$PROXY_PORT"; \
+    else \
+    echo "No https_proxy set, skipping zypper proxy configuration."; \
+    fi
+
+# Copy SUSE credentials
+COPY SCCcredentials /etc/zypp/credentials.d/SCCcredentials
+
+RUN zypper ref -s && zypper -n update && zypper -n install tar gzip bash git docker less file curl wget
 
 RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.63.4
 
@@ -23,3 +49,4 @@ WORKDIR ${DAPPER_SOURCE}
 
 ENTRYPOINT ["./scripts/entry"]
 CMD ["ci"]
+

SCCcredentials

@@ -0,0 +1,3 @@
+username = 0f58f5cc8f
+password = 4ca14dc263
+

chart/templates/_helpers.tpl

@@ -23,6 +23,17 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+{{/*
+Return the agent service account name
+*/}}
+{{- define "harvester-vm-dhcp-controller.agentServiceAccountName" -}}
+{{- if .Values.agent.serviceAccount.create }}
+{{- default (printf "%s-agent" (include "harvester-vm-dhcp-controller.fullname" .)) .Values.agent.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.agent.serviceAccount.name }}
+{{- end }}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@@ -76,3 +87,14 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Return the appropriate apiVersion for rbac.
+*/}}
+{{- define "harvester-vm-dhcp-controller.rbac.apiVersion" -}}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+{{- print "rbac.authorization.k8s.io/v1" }}
+{{- else }}
+{{- print "v1" }}
+{{- end }}
+{{- end -}}

chart/templates/agent-clusterrole.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.agent.enabled -}}
+{{- if .Values.agent.rbac.create -}}
+apiVersion: {{ template "harvester-vm-dhcp-controller.rbac.apiVersion" . }}
+kind: ClusterRole
+metadata:
+  name: {{ .Release.Name }}-dhcp-agent-clusterrole
+  labels:
+    {{- include "harvester-vm-dhcp-controller.labels" . | nindent 4 }}
+    app.kubernetes.io/component: agent # Override component to agent
+rules:
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: [""] # Core API group
+  resources: ["configmaps"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: [""] # Core API group
+  resources: ["events"]
+  verbs: ["create", "patch"]
+- apiGroups: ["network.harvesterhci.io"]
+  resources: ["ippools"]
+  verbs: ["get", "list", "watch"]
+{{- end -}}
+{{- end -}}

chart/templates/agent-clusterrolebinding.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.agent.enabled -}}
+{{- if .Values.agent.rbac.create -}}
+apiVersion: {{ template "harvester-vm-dhcp-controller.rbac.apiVersion" . }}
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Release.Name }}-dhcp-agent-binding
+  labels:
+    {{- include "harvester-vm-dhcp-controller.labels" . | nindent 4 }}
+    app.kubernetes.io/component: agent
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Release.Name }}-dhcp-agent-clusterrole
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "harvester-vm-dhcp-controller.agentServiceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}

chart/templates/agent-deployment.yaml

@@ -0,0 +1,69 @@
+{{- if .Values.agent.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "harvester-vm-dhcp-controller.fullname" . }}-agent
+  labels:
+    {{- include "harvester-vm-dhcp-controller.labels" . | nindent 4 }}
+    app.kubernetes.io/component: agent
+spec:
+  replicas: {{ .Values.agent.replicaCount | default 2 }}
+  selector:
+    matchLabels:
+      {{- include "harvester-vm-dhcp-controller.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: agent
+  template:
+    metadata:
+      labels:
+        {{- include "harvester-vm-dhcp-controller.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: agent
+    spec:
+      serviceAccountName: {{ include "harvester-vm-dhcp-controller.agentServiceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.agent.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}-agent
+          securityContext:
+            {{- $mergedSecContext := .Values.agent.securityContext | default dict -}}
+            {{- $capabilities := $mergedSecContext.capabilities | default dict -}}
+            {{- $addCapabilities := $capabilities.add | default list -}}
+            {{- if not (has "NET_ADMIN" $addCapabilities) -}}
+            {{- $addCapabilities = append $addCapabilities "NET_ADMIN" -}}
+            {{- end -}}
+            {{- $_ := set $capabilities "add" $addCapabilities -}}
+            {{- $_ := set $mergedSecContext "capabilities" $capabilities -}}
+            {{- toYaml $mergedSecContext | nindent 12 }}
+          image: "{{ .Values.agent.image.repository }}:{{ .Values.agent.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
+          args:
+            - {{ printf "--name=%s-agent" (include "harvester-vm-dhcp-controller.fullname" .) }}
+            # - {{ printf "--namespace=%s" .Release.Namespace }} # Rimosso
+            - "--kubeconfig=/etc/kubeconfig"
+            - {{ printf "--no-leader-election=%t" (.Values.agent.noLeaderElection | default false) }}
+            - "--nic=eth0" # Controller will update this if needed
+          ports:
+            - name: metrics
+              containerPort: 8080
+              protocol: TCP
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: IPPOOL_REF # Controller will update this value
+              value: ""
+          resources:
+            {{- toYaml .Values.agent.resources | nindent 12 }}
+      {{- with .Values.agent.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.agent.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.agent.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end -}}

chart/templates/agent-serviceaccount.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.agent.enabled -}}
+{{- if .Values.agent.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "harvester-vm-dhcp-controller.agentServiceAccountName" . }}
+  labels:
+    {{- include "harvester-vm-dhcp-controller.labels" . | nindent 4 }}
+    app.kubernetes.io/component: agent
+  {{- with .Values.agent.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}

chart/templates/deployment.yaml

@@ -35,12 +35,10 @@ spec:
           args:
           - --name
           - {{ include "harvester-vm-dhcp-controller.fullname" . }}
-          - --namespace
-          - {{ .Release.Namespace }}
-          - --image
-          - "{{ .Values.agent.image.repository }}:{{ .Values.agent.image.tag | default .Chart.AppVersion }}"
-          - --service-account-name
-          - {{ include "harvester-vm-dhcp-controller.serviceAccountName" . }}-agent
+          # --image # Rimosso: l'agent ora ha il suo deployment
+          # - "{{ .Values.agent.image.repository }}:{{ .Values.agent.image.tag | default .Chart.AppVersion }}" # Rimosso
+          # --service-account-name # Rimosso
+          # - {{ include "harvester-vm-dhcp-controller.serviceAccountName" . }}-agent # Rimosso
           ports:
           - name: metrics
             protocol: TCP
@@ -49,6 +47,15 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: AGENT_DEPLOYMENT_NAME
+              value: {{ include "harvester-vm-dhcp-controller.fullname" . }}-agent
+            - name: AGENT_CONTAINER_NAME
+              value: {{ .Chart.Name }}-agent
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           {{- with .Values.volumeMounts }}

chart/templates/rbac.yaml

@@ -52,8 +52,11 @@ rules:
   resources: [ "ippools", "virtualmachinenetworkconfigs" ]
   verbs: [ "*" ]
 - apiGroups: [ "" ]
-  resources: [ "nodes", "secrets" ]
+  resources: [ "nodes" ]
   verbs: [ "watch", "list" ]
+- apiGroups: [ "" ]
+  resources: [ "secrets" ]
+  verbs: [ "get", "watch", "list", "create", "update", "patch" ]
 - apiGroups: [ "k8s.cni.cncf.io" ]
   resources: [ "network-attachment-definitions" ]
   verbs: [ "get", "watch", "list" ]
@@ -108,6 +111,30 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
+metadata:
+  name: {{ include "harvester-vm-dhcp-controller.name" . }}-deployment-manager
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: ["apps"]
+  resources: ["deployments"]
+  verbs: ["get", "list", "watch", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "harvester-vm-dhcp-controller.name" . }}-manage-agent-deployments
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "harvester-vm-dhcp-controller.serviceAccountName" . }} # Controller's SA
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "harvester-vm-dhcp-controller.name" . }}-deployment-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
   name: {{ include "harvester-vm-dhcp-controller.name" . }}-lease-manager
   namespace: kube-system
@@ -184,3 +211,4 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "harvester-vm-dhcp-controller.serviceAccountName" . }}-webhook
   namespace: {{ .Release.Namespace }}
+

chart/templates/serviceaccount.yaml

@@ -2,40 +2,64 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "harvester-vm-dhcp-controller.serviceAccountName" . }}
+  name: {{ include "harvester-vm-dhcp-controller.serviceAccountName" . }} # SA per il Controller
   labels:
     {{- include "harvester-vm-dhcp-controller.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
-{{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount | default true }}
+{{- end -}}
+
+{{- /*
+  Logica per determinare se creare il SA del Webhook e con quali valori.
+*/}}
+{{- $createWebhookSA := false -}}
+{{- $webhookSAName := printf "%s-webhook" (include "harvester-vm-dhcp-controller.fullname" .) -}}
+{{- $webhookSAAnnotations := dict -}}
+{{- $webhookSAAutomount := .Values.serviceAccount.automount | default true -}}
+
+{{- if .Values.webhook -}}
+  {{- $webhookEnabled := true -}}
+  {{- if hasKey .Values.webhook "enabled" -}}
+    {{- $webhookEnabled = .Values.webhook.enabled -}}
+  {{- end -}}
+
+  {{- if $webhookEnabled -}}
+    {{- $webhookSpecificSACreate := true -}}
+    {{- if and (hasKey .Values.webhook "serviceAccount") (hasKey .Values.webhook.serviceAccount "create") -}}
+      {{- $webhookSpecificSACreate = .Values.webhook.serviceAccount.create -}}
+    {{- end -}}
+
+    {{- if and .Values.serviceAccount.create $webhookSpecificSACreate -}}
+      {{- $createWebhookSA = true -}}
+      {{- if and (hasKey .Values.webhook "serviceAccount") .Values.webhook.serviceAccount -}}
+        {{- if .Values.webhook.serviceAccount.name -}}
+          {{- $webhookSAName = .Values.webhook.serviceAccount.name -}}
+        {{- end -}}
+        {{- if .Values.webhook.serviceAccount.annotations -}}
+          {{- $webhookSAAnnotations = .Values.webhook.serviceAccount.annotations -}}
+        {{- end -}}
+        {{- if hasKey .Values.webhook.serviceAccount "automount" -}}
+          {{- $webhookSAAutomount = .Values.webhook.serviceAccount.automount -}}
+        {{- end -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if $createWebhookSA -}}
 ---
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "harvester-vm-dhcp-controller.serviceAccountName" . }}-agent
-  labels:
-    {{- include "harvester-vm-dhcp-controller.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
-{{- end }}
----
-{{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "harvester-vm-dhcp-controller.serviceAccountName" . }}-webhook
+  name: {{ $webhookSAName }}
   labels:
-    {{- include "harvester-vm-dhcp-controller.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
+    {{- include "harvester-vm-dhcp-webhook.labels" . | nindent 4 }}
+  {{- with $webhookSAAnnotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
-{{- end }}
+automountServiceAccountToken: {{ $webhookSAAutomount }}
+{{- end -}}