Add basic control plane configuration and cisco nxos reconciliation

Author: felix-kaestner

Tiltfile

@@ -5,8 +5,22 @@
 # Don't track us.
 analytics_settings(False)
 
+update_settings(k8s_upsert_timeout_secs=60)
+
 allow_k8s_contexts(['minikube', 'kind-network'])
 
+load("ext://helm_remote", "helm_remote")
+
+helm_remote(
+    "cert-manager",
+    version="v1.17.2",
+    repo_url="https://charts.jetstack.io",
+    set=["crds.enabled=true"],
+    namespace="cert-manager",
+    create_namespace=True,
+    install_crds=True,
+)
+
 docker_build('controller:latest', '.', ignore=['*/*/zz_generated.deepcopy.go', 'config/crd/bases/*'], only=[
     'api/', 'cmd/', 'hack/', 'internal/', 'go.mod', 'go.sum', 'Makefile',
 ])
@@ -20,7 +34,11 @@ k8s_resource('network-operator-controller-manager', resource_deps=['controller-g
 
 # Sample resources with manual trigger mode
 k8s_yaml('./config/samples/v1alpha1_device.yaml')
-k8s_resource(new_name='leaf1', objects=['leaf1:device'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_resource(new_name='secret-basic-auth', objects=['secret-basic-auth:secret'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_resource(new_name='leaf1', objects=['leaf1:device'], resource_deps=['secret-basic-auth'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+
+k8s_resource(new_name='network-operator-issuer', objects=['network-operator:issuer'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
+k8s_resource(new_name='network-operator-ca', objects=['network-operator-ca:certificate'], resource_deps=['network-operator-issuer'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)
 
 k8s_yaml('./config/samples/v1alpha1_interface.yaml')
 k8s_resource(new_name='lo0', objects=['lo0:interface'], trigger_mode=TRIGGER_MODE_MANUAL, auto_init=False)

api/v1alpha1/device_types.go

@@ -70,21 +70,14 @@ type DeviceSpec struct {
 type TLS struct {
 	// The CA certificate to verify the server's identity.
 	// +required
-	CA *CertificateAuthority `json:"ca"`
+	CA *corev1.SecretKeySelector `json:"ca"`
 
 	// The client certificate and private key to use for mutual TLS authentication.
 	// Leave empty if mTLS is not desired.
 	// +optional
 	Certificate *CertificateSource `json:"certificate,omitempty"`
 }
 
-// CertificateAuthority represents a source for the value of a certificate authority.
-type CertificateAuthority struct {
-	// The secret must contain the following key: 'ca.crt'.
-	// +required
-	SecretRef *corev1.SecretReference `json:"secretRef,omitempty"`
-}
-
 // Bootstrap defines the configuration for device bootstrap.
 type Bootstrap struct {
 	// Template defines the multiline string template that contains the initial configuration for the device.
@@ -230,7 +223,7 @@ type LogServer struct {
 
 	// The destination port number for syslog UDP messages to
 	// the server. The default is 514.
-	// +kubebuilder:validation:Default=514
+	// +kubebuilder:default=514
 	// +optional
 	Port int64 `json:"port"`
 }
@@ -436,7 +429,7 @@ type CertificateSource struct {
 type PasswordSource struct {
 	// Selects a key of a secret.
 	// +required
-	SecretKeyRef *corev1.SecretReference `json:"secretKeyRef,omitempty"`
+	SecretKeyRef *corev1.SecretKeySelector `json:"secretKeyRef,omitempty"`
 }
 
 // DeviceStatus defines the observed state of Device.
@@ -494,6 +487,57 @@ type Device struct {
 	Status DeviceStatus `json:"status,omitempty"`
 }
 
+// GetSecretRefs returns the list of secrets referenced in the [Device] resource.
+func (d *Device) GetSecretRefs() []corev1.SecretReference {
+	refs := []corev1.SecretReference{}
+	if d.Spec.SecretRef != nil {
+		refs = append(refs, *d.Spec.SecretRef)
+	}
+	if d.Spec.TLS != nil {
+		refs = append(refs, corev1.SecretReference{Name: d.Spec.TLS.CA.Name})
+		if d.Spec.TLS.Certificate != nil {
+			refs = append(refs, *d.Spec.TLS.Certificate.SecretRef)
+		}
+	}
+	if d.Spec.Bootstrap != nil && d.Spec.Bootstrap.Template != nil {
+		if d.Spec.Bootstrap.Template.SecretRef != nil {
+			refs = append(refs, corev1.SecretReference{Name: d.Spec.Bootstrap.Template.SecretRef.Name})
+		}
+	}
+	if d.Spec.PKI != nil {
+		for _, cert := range d.Spec.PKI.Certificates {
+			if cert.Source != nil && cert.Source.SecretRef != nil {
+				refs = append(refs, *cert.Source.SecretRef)
+			}
+		}
+	}
+	for _, user := range d.Spec.User {
+		refs = append(refs, corev1.SecretReference{Name: user.Password.SecretKeyRef.Name})
+	}
+	for i := range refs {
+		if refs[i].Namespace == "" {
+			refs[i].Namespace = d.Namespace
+		}
+	}
+	return refs
+}
+
+// GetConfigMapRefs returns the list of configmaps referenced in the [Device] resource.
+func (d *Device) GetConfigMapRefs() []corev1.ObjectReference {
+	refs := []corev1.ObjectReference{}
+	if d.Spec.Bootstrap != nil && d.Spec.Bootstrap.Template != nil {
+		if d.Spec.Bootstrap.Template.ConfigMapRef != nil {
+			refs = append(refs, corev1.ObjectReference{Name: d.Spec.Bootstrap.Template.ConfigMapRef.Name})
+		}
+	}
+	for i := range refs {
+		if refs[i].Namespace == "" {
+			refs[i].Namespace = d.Namespace
+		}
+	}
+	return refs
+}
+
 // +kubebuilder:object:root=true
 
 // DeviceList contains a list of Device.

api/v1alpha1/groupversion_info.go

@@ -67,3 +67,15 @@ const (
 	// AllResourcesReadyReason indicates that all resources owned by the resource are ready.
 	AllResourcesReadyReason = "AllResourcesReady"
 )
+
+// Device reasons that are used specifically for Device objects.
+const (
+	// UnreachableReason indicates that the device is not reachable over the network.
+	DeviceUnreachableReason string = "Unreachable"
+
+	// UnsupportedReason indicates that the device platform is not supported.
+	DeviceUnsupportedReason string = "Unsupported"
+
+	// UnauthenticatedReason indicates that the provided device credentials are not valid.
+	DeviceUnauthenticatedReason string = "Unauthenticated"
+)

api/v1alpha1/zz_generated.deepcopy.go

@@ -35,6 +35,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	// Import all supported provider implementations.
+	_ "github.com/ironcore-dev/network-operator/internal/provider/cisco/nxos"
 	_ "github.com/ironcore-dev/network-operator/internal/provider/openconfig"
 
 	"github.com/ironcore-dev/network-operator/api/v1alpha1"

cmd/main.go

@@ -356,6 +356,7 @@ spec:
                             server.
                           type: string
                         port:
+                          default: 514
                           description: |-
                             The destination port number for syslog UDP messages to
                             the server. The default is 514.
@@ -556,22 +557,27 @@ spec:
                   ca:
                     description: The CA certificate to verify the server's identity.
                     properties:
-                      secretRef:
-                        description: 'The secret must contain the following key: ''ca.crt''.'
-                        properties:
-                          name:
-                            description: name is unique within a namespace to reference
-                              a secret resource.
-                            type: string
-                          namespace:
-                            description: namespace defines the space within which
-                              the secret name must be unique.
-                            type: string
-                        type: object
-                        x-kubernetes-map-type: atomic
+                      key:
+                        description: The key of the secret to select from.  Must be
+                          a valid secret key.
+                        type: string
+                      name:
+                        default: ""
+                        description: |-
+                          Name of the referent.
+                          This field is effectively required, but due to backwards compatibility is
+                          allowed to be empty. Instances of this type with an empty value here are
+                          almost certainly wrong.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                      optional:
+                        description: Specify whether the Secret or its key must be
+                          defined
+                        type: boolean
                     required:
-                    - secretRef
+                    - key
                     type: object
+                    x-kubernetes-map-type: atomic
                   certificate:
                     description: |-
                       The client certificate and private key to use for mutual TLS authentication.
@@ -611,14 +617,25 @@ spec:
                         secretKeyRef:
                           description: Selects a key of a secret.
                           properties:
-                            name:
-                              description: name is unique within a namespace to reference
-                                a secret resource.
+                            key:
+                              description: The key of the secret to select from.  Must
+                                be a valid secret key.
                               type: string
-                            namespace:
-                              description: namespace defines the space within which
-                                the secret name must be unique.
+                            name:
+                              default: ""
+                              description: |-
+                                Name of the referent.
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                               type: string
+                            optional:
+                              description: Specify whether the Secret or its key must
+                                be defined
+                              type: boolean
+                          required:
+                          - key
                           type: object
                           x-kubernetes-map-type: atomic
                       required:

config/crd/bases/network.ironcore.dev_devices.yaml

@@ -87,12 +87,11 @@ spec:
         # TODO(user): Configure the resources accordingly based on the project requirements.
         # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
         resources:
-          limits:
-            cpu: 500m
-            memory: 128Mi
           requests:
-            cpu: 10m
-            memory: 64Mi
+            cpu: 50m
+            memory: 256Mi
+          limits:
+            memory: 512Mi
         volumeMounts: []
       volumes: []
       serviceAccountName: controller-manager

config/manager/manager.yaml

@@ -4,6 +4,15 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources: