Wait for the control-plane to be ready

This changes the way that jobs are created.

If spec.requireClusterReady is true then the jobs will not be created
until the remote cluster's control-plane is ready.

Author: bigkevmcd

api/v1alpha1/clusterbootstrapconfig_types.go

@@ -43,9 +43,9 @@ type JobTemplate struct {
 
 // ClusterBootstrapConfigSpec defines the desired state of ClusterBootstrapConfig
 type ClusterBootstrapConfigSpec struct {
-	ClusterSelector          metav1.LabelSelector `json:"clusterSelector"`
-	Template                 JobTemplate          `json:"jobTemplate"`
-	ControlPlaneWaitDuration *metav1.Duration     `json:"waitForControlPlane,omitempty"`
+	ClusterSelector     metav1.LabelSelector `json:"clusterSelector"`
+	Template            JobTemplate          `json:"jobTemplate"`
+	RequireClusterReady bool                 `json:"requireClusterReady"`
 }
 
 // ClusterBootstrapConfigStatus defines the observed state of ClusterBootstrapConfig
@@ -64,15 +64,6 @@ type ClusterBootstrapConfig struct {
 	Status ClusterBootstrapConfigStatus `json:"status,omitempty"`
 }
 
-// ControlPlaneWait returns the configured ControlPlaneWaitDuration or a default
-// value if not configured.
-func (c ClusterBootstrapConfig) ControlPlaneWait() time.Duration {
-	if v := c.Spec.ControlPlaneWaitDuration; v != nil {
-		return v.Duration
-	}
-	return defaultWaitDuration
-}
-
 //+kubebuilder:object:root=true
 
 // ClusterBootstrapConfigList contains a list of ClusterBootstrapConfig

api/v1alpha1/clusterbootstrapconfig_types_test.go

@@ -6889,11 +6889,12 @@ spec:
                 - generateName
                 - spec
                 type: object
-              waitForControlPlane:
-                type: string
+              requireClusterReady:
+                type: boolean
             required:
             - clusterSelector
             - jobTemplate
+            - requireClusterReady
             type: object
           status:
             description: ClusterBootstrapConfigStatus defines the observed state of

api/v1alpha1/zz_generated.deepcopy.go

@@ -5,6 +5,12 @@ generatorOptions:
   disableNameSuffixHash: true
 
 configMapGenerator:
-- name: manager-config
-  files:
+- files:
   - controller_manager_config.yaml
+  name: manager-config
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: controller
+  newName: bigkevmcd/cluster-bootstrap-controller
+  newTag: ee04cdc

config/crd/bases/capi.weave.works_clusterbootstrapconfigs.yaml

@@ -6,6 +6,14 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - batch
   resources:

config/manager/kustomization.yaml

@@ -11,6 +11,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	ptrutils "k8s.io/utils/pointer"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -181,12 +182,18 @@ func makeTestClusterBootstrapConfig(opts ...func(*capiv1alpha1.ClusterBootstrapC
 }
 
 func makeTestClient(t *testing.T, objs ...runtime.Object) client.Client {
+	_, client := makeTestClientAndScheme(t, objs...)
+	return client
+}
+
+func makeTestClientAndScheme(t *testing.T, objs ...runtime.Object) (*runtime.Scheme, client.Client) {
 	t.Helper()
 	s := runtime.NewScheme()
+	test.AssertNoError(t, clientgoscheme.AddToScheme(s))
 	test.AssertNoError(t, capiv1alpha1.AddToScheme(s))
 	test.AssertNoError(t, clusterv1.AddToScheme(s))
 	test.AssertNoError(t, batchv1.AddToScheme(s))
-	return fake.NewClientBuilder().WithScheme(s).WithRuntimeObjects(objs...).Build()
+	return s, fake.NewClientBuilder().WithScheme(s).WithRuntimeObjects(objs...).Build()
 }
 
 func makeTestVolume(name, secretName string) corev1.Volume {

config/rbac/role.yaml

@@ -6,21 +6,25 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // IsControlPlaneReady takes a client connected to a cluster and reports whether or
 // not the control-plane for the cluster is "ready".
 func IsControlPlaneReady(ctx context.Context, cl client.Client) (bool, error) {
+	logger := log.FromContext(ctx)
 	nodes := &corev1.NodeList{}
 	// https://github.com/kubernetes/enhancements/blob/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint/README.md#design-details
 	err := cl.List(ctx, nodes, client.HasLabels([]string{"node-role.kubernetes.io/control-plane"}))
 	if err != nil {
 		return false, fmt.Errorf("failed to query cluster node list: %w", err)
 	}
+	logger.Info("listed nodes", "count", len(nodes.Items))
 
 	readiness := []bool{}
 	for _, node := range nodes.Items {
 		for _, c := range node.Status.Conditions {
+			logger.Info("node status", "type", c.Type, "status", c.Status)
 			switch c.Type {
 			case corev1.NodeReady:
 				readiness = append(readiness, c.Status == corev1.ConditionTrue)
@@ -36,6 +40,7 @@ func IsControlPlaneReady(ctx context.Context, cl client.Client) (bool, error) {
 		}
 		return true
 	}
+	logger.Info("readiness", "len", len(readiness), "is-ready", isReady(readiness))
 
 	// If we have no statuses, then we really don't know if we're ready or not.
 	return (len(readiness) > 0 && isReady(readiness)), nil

controllers/bootstrap_test.go

@@ -12,8 +12,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
 
-func TestIsMasterNodeReady(t *testing.T) {
-	masterLabels := map[string]string{
+func TestIsControlPlaneReady(t *testing.T) {
+	controlPlaneLabels := map[string]string{
 		"node-role.kubernetes.io/master":        "",
 		"node-role.kubernetes.io/control-plane": "",
 		"beta.kubernetes.io/arch":               "amd64",
@@ -30,23 +30,23 @@ func TestIsMasterNodeReady(t *testing.T) {
 		wantReady  bool
 	}{
 		{
-			name:   "master node not ready",
-			labels: masterLabels,
+			name:   "control plane not ready",
+			labels: controlPlaneLabels,
 			conditions: makeConditions(
 				corev1.NodeCondition{Type: corev1.NodeReady, Status: corev1.ConditionFalse, LastHeartbeatTime: metav1.Now(), LastTransitionTime: metav1.Now(), Reason: "KubeletNotReady", Message: "container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:Network plugin returns error: cni plugin not initialized"},
 			),
 		},
 		{
-			name:   "master node ready",
-			labels: masterLabels,
+			name:   "control plane ready",
+			labels: controlPlaneLabels,
 			conditions: makeConditions(
 				corev1.NodeCondition{Type: "NetworkUnavailable", Status: "False", LastHeartbeatTime: metav1.Now(), LastTransitionTime: metav1.Now(), Reason: "CalicoIsUp", Message: "Calico is running on this node"},
 				corev1.NodeCondition{Type: "Ready", Status: "True", LastHeartbeatTime: metav1.Now(), LastTransitionTime: metav1.Now(), Reason: "KubeletReady", Message: "kubelet is posting ready status"},
 			),
 			wantReady: true,
 		},
 		{
-			name:   "no master nodes",
+			name:   "no control plane",
 			labels: map[string]string{},
 			conditions: makeConditions(
 				corev1.NodeCondition{Type: corev1.NodeReady, Status: corev1.ConditionFalse, LastHeartbeatTime: metav1.Now(), LastTransitionTime: metav1.Now(), Reason: "KubeletNotReady", Message: "container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:Network plugin returns error: cni plugin not initialized"},

controllers/cluster.go

@@ -20,14 +20,18 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"time"
 
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/clientcmd"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/source"
@@ -38,14 +42,27 @@ import (
 // ClusterBootstrapConfigReconciler reconciles a ClusterBootstrapConfig object
 type ClusterBootstrapConfigReconciler struct {
 	client.Client
-	Scheme *runtime.Scheme
+	Scheme       *runtime.Scheme
+	configParser func(b []byte) (client.Client, error)
 }
 
+func NewClusterBootstrapConfigReconciler(c client.Client, s *runtime.Scheme) *ClusterBootstrapConfigReconciler {
+	return &ClusterBootstrapConfigReconciler{
+		Client:       c,
+		Scheme:       s,
+		configParser: bytesToKubeConfig,
+	}
+}
+
+// TODO: make this configurable on the Spec
+var requeueAfterTime = time.Minute * 2
+
 //+kubebuilder:rbac:groups=capi.weave.works,resources=clusterbootstrapconfigs,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=capi.weave.works,resources=clusterbootstrapconfigs/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=capi.weave.works,resources=clusterbootstrapconfigs/finalizers,verbs=update
 //+kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters,verbs=get;list;watch;update;patch
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -58,7 +75,6 @@ func (r *ClusterBootstrapConfigReconciler) Reconcile(ctx context.Context, req ct
 	if err := r.Client.Get(ctx, req.NamespacedName, &clusterBootstrapConfig); err != nil {
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}
-
 	logger.Info("cluster bootstrap config loaded", "name", clusterBootstrapConfig.ObjectMeta.Name)
 
 	clusters, err := r.getClustersBySelector(ctx, req.Namespace, clusterBootstrapConfig.Spec.ClusterSelector)
@@ -68,6 +84,22 @@ func (r *ClusterBootstrapConfigReconciler) Reconcile(ctx context.Context, req ct
 	logger.Info("identified clusters for reconciliation", "clusterCount", len(clusters))
 
 	for _, c := range clusters {
+		if clusterBootstrapConfig.Spec.RequireClusterReady {
+			clusterName := types.NamespacedName{Name: c.GetName(), Namespace: c.GetNamespace()}
+			clusterClient, err := r.clientForCluster(ctx, clusterName)
+			if err != nil {
+				return ctrl.Result{}, fmt.Errorf("failed to create client for cluster %s: %w", clusterName, err)
+			}
+
+			ready, err := IsControlPlaneReady(ctx, clusterClient)
+			if err != nil {
+				return ctrl.Result{}, fmt.Errorf("failed to check readiness of cluster %s: %w", clusterName, err)
+			}
+			if !ready {
+				logger.Info("waiting for control plane to be ready", "cluster", clusterName)
+				return ctrl.Result{RequeueAfter: time.Minute * 2}, nil
+			}
+		}
 		if err := bootstrapClusterWithConfig(ctx, logger, r.Client, c, &clusterBootstrapConfig); err != nil {
 			return ctrl.Result{}, fmt.Errorf("failed to bootstrap cluster config: %w", err)
 		}
@@ -170,3 +202,59 @@ func (r *ClusterBootstrapConfigReconciler) clusterToClusterBootstrapConfig(o cli
 	}
 	return result
 }
+
+func (r *ClusterBootstrapConfigReconciler) clientForCluster(ctx context.Context, name types.NamespacedName) (client.Client, error) {
+	kubeConfigBytes, err := r.getKubeConfig(ctx, name)
+	if err != nil {
+		return nil, err
+	}
+
+	client, err := r.configParser(kubeConfigBytes)
+	if err != nil {
+		return nil, fmt.Errorf("getting client for cluster %s: %w", name, err)
+	}
+	return client, nil
+}
+
+func (r *ClusterBootstrapConfigReconciler) getKubeConfig(ctx context.Context, cluster types.NamespacedName) ([]byte, error) {
+	secretName := types.NamespacedName{
+		Namespace: cluster.Namespace,
+		Name:      cluster.Name + "-kubeconfig",
+	}
+
+	var secret corev1.Secret
+	if err := r.Client.Get(ctx, secretName, &secret); err != nil {
+		return nil, fmt.Errorf("unable to read KubeConfig secret %q error: %w", secretName, err)
+	}
+
+	var kubeConfig []byte
+	for k := range secret.Data {
+		if k == "value" || k == "value.yaml" {
+			kubeConfig = secret.Data[k]
+			break
+		}
+	}
+
+	if len(kubeConfig) == 0 {
+		return nil, fmt.Errorf("KubeConfig secret %q doesn't contain a 'value' key ", secretName)
+	}
+
+	return kubeConfig, nil
+}
+
+func bytesToKubeConfig(b []byte) (client.Client, error) {
+	restConfig, err := clientcmd.RESTConfigFromKubeConfig(b)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse KubeConfig from secret: %w", err)
+	}
+	restMapper, err := apiutil.NewDynamicRESTMapper(restConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create RESTMapper from config: %w", err)
+	}
+
+	client, err := client.New(restConfig, client.Options{Mapper: restMapper})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create a client from config: %w", err)
+	}
+	return client, nil
+}