Merge branch 'feature/add-e2e-tests' into e2e_2_clusters

Author: mrog

ATTRIBUTION.txt

@@ -30,7 +30,7 @@ type NetworkIface interface {
 	ResolveNetworkStatuses(*capcv1.CloudStackCluster) error
 	ResolveNetwork(*capcv1.CloudStackCluster, *capcv1.Network) error
 	CreateIsolatedNetwork(*capcv1.CloudStackCluster) error
-	OpenFirewallRules(*capcv1.CloudStackCluster) error
+	OpenFirewallRules(networkID string) error
 	FetchPublicIP(*capcv1.CloudStackCluster) (*cloudstack.PublicIpAddress, error)
 	ResolveLoadBalancerRuleDetails(*capcv1.CloudStackCluster) error
 	GetOrCreateLoadBalancerRule(*capcv1.CloudStackCluster) error
@@ -146,6 +146,10 @@ func (c *client) CreateIsolatedNetwork(csCluster *capcv1.CloudStackCluster) (ret
 		return err
 	}
 
+	if err := c.OpenFirewallRules(zoneStatus.Network.ID); err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -268,8 +272,8 @@ func (c *client) AssociatePublicIPAddress(csCluster *capcv1.CloudStackCluster) (
 	return nil
 }
 
-func (c *client) OpenFirewallRules(csCluster *capcv1.CloudStackCluster) (retErr error) {
-	p := c.cs.Firewall.NewCreateEgressFirewallRuleParams(csCluster.Status.PublicIPNetworkID, NetworkProtocolTCP)
+func (c *client) OpenFirewallRules(networkID string) (retErr error) {
+	p := c.cs.Firewall.NewCreateEgressFirewallRuleParams(networkID, NetworkProtocolTCP)
 	_, retErr = c.cs.Firewall.CreateEgressFirewallRule(p)
 	if retErr != nil && strings.Contains(strings.ToLower(retErr.Error()), "there is already") { // Already a firewall rule here.
 		retErr = nil

pkg/cloud/network.go

@@ -127,6 +127,10 @@ var _ = Describe("Network", func() {
 				PublicIpAddresses: []*csapi.PublicIpAddress{{Id: dummies.PublicIPID, Ipaddress: "fakeIP"}}}, nil)
 		as.EXPECT().NewAssociateIpAddressParams().Return(&csapi.AssociateIpAddressParams{})
 		as.EXPECT().AssociateIpAddress(gomock.Any())
+		fs.EXPECT().NewCreateEgressFirewallRuleParams(dummies.ISONet1.ID, cloud.NetworkProtocolTCP).
+			Return(&csapi.CreateEgressFirewallRuleParams{})
+		fs.EXPECT().CreateEgressFirewallRule(&csapi.CreateEgressFirewallRuleParams{}).
+			Return(&csapi.CreateEgressFirewallRuleResponse{}, nil)
 
 		// Will add cluster tag once to Network and once to PublicIP.
 		createdByResponse := &csapi.ListTagsResponse{Tags: []*csapi.Tag{{Key: cloud.CreatedByCAPCTagName, Value: "1"}}}
@@ -159,7 +163,7 @@ var _ = Describe("Network", func() {
 			fs.EXPECT().CreateEgressFirewallRule(&csapi.CreateEgressFirewallRuleParams{}).
 				Return(&csapi.CreateEgressFirewallRuleResponse{}, nil)
 
-			Ω(client.OpenFirewallRules(dummies.CSCluster)).Should(Succeed())
+			Ω(client.OpenFirewallRules(dummies.ISONet1.ID)).Should(Succeed())
 		})
 	})
 
@@ -174,7 +178,7 @@ var _ = Describe("Network", func() {
 			fs.EXPECT().CreateEgressFirewallRule(&csapi.CreateEgressFirewallRuleParams{}).
 				Return(&csapi.CreateEgressFirewallRuleResponse{}, errors.New("there is already a rule like this"))
 
-			Ω(client.OpenFirewallRules(dummies.CSCluster)).Should(Succeed())
+			Ω(client.OpenFirewallRules(dummies.ISONet1.ID)).Should(Succeed())
 		})
 	})
 

pkg/cloud/network_test.go

@@ -0,0 +1,184 @@
+# CloudStack Cluster API Provider (CAPC) Release v.0.4.0 Evaluation Deployment Guide
+
+This document defines a manual deployment process suitable for evaluating this CAPC release.
+
+## Evaluation Environment Pre-Requisites:
+
+### - A running Kubernetes cluster for hosting CAPC
+
+This should be an easily disposable/re-creatable cluster, such as a locally-running kind (Kuberetes in Docker) cluster.
+
+Your KUBECONFIG file's *current-context* must be set to the cluster you want to use.
+
+### - CAPI clusterctl v1.0.1 (https://github.com/kubernetes-sigs/cluster-api/releases/tag/v1.0.1)
+
+This process has been tested with this version of clusterctl.  Subsequent 1.0.x versions should work as well.
+
+### - A CloudStack Environment with the following resources defined
+- Zone
+- Network
+- CAPI-compatible QEMU template (i.e., created with https://github.com/kubernetes-sigs/image-builder)
+- Machine Offerings (suitable for running Kubernetes nodes)
+- apikey and secretkey for a CloudStack user having domain administrative privileges
+- Available ACS IP Address for the k8s Control Plane endpoint (Shared network: available IP address in the network range; isolated network: public IP address)
+
+## Deployment Steps
+### Define Identity Environment Variable
+
+An environment variable named CLOUDSTACK_B64ENCODED_SECRET must be defined, containing the base64 encoding of a 
+cloud-config properties file.  This file is of the form:
+
+```
+[Global]
+api-url = <urlOfCloudStackAPI>
+api-key = <cloudstackUserApiKey>
+secret-key = <cloudstackUserSecretKey>
+```
+After defining this in a file named cloud-config, create the environment variable with:
+
+```
+export CLOUDSTACK_B64ENCODED_SECRET=$(base64 -w0 -i cloud-config 2>/dev/null || base64 -b 0 -i cloud-config)
+```
+
+For security, delete this cloud-config file after creating this environment variable.
+
+### Deploy the supplied container image archive (.tar.gz) to a suitable image registry.  
+
+*We use https://github.com/kubernetes-sigs/cluster-api/blob/main/hack/kind-install-for-capd.sh to launch a local
+docker registry integrated into a kind cluster for lightweight development and testing.*
+
+- On a computer with docker, load the provided cluster-api-provider-capc.tar.gz to docker: 
+```
+docker load --input cluster-api-provider-capc_v0.4.0.tar.gz
+```
+
+This will create image *localhost:5000/cluster-api-provider-cloudstack:v0.4.0* in your local docker.  This is suitable
+for pushing to a local registry.
+
+- (Optional) Tag this image for your registry.
+```
+docker tag localhost:5000/cluster-api-provider-cloudstack:v0.4.0 <yourRepoFqdn>/cluster-api-provider-cloudstack:v0.4.0
+```
+
+Push it to your registry (localhost:5000 if using local registry)
+```
+docker push <yourRepoFqdn>/cluster-api-provider-cloudstack:v0.4.0
+```
+
+### Create clusterctl configuration files
+A cluster-api.zip file has been provided, containing the files and directory structure suitable for configuring 
+clusterctl to work with this interim release of CAPC.  It should be restored under $HOME/.cluster-api.  It contains:
+
+```
+Archive:  /Users/jweite/Dev/cluster-api-cloudstack-v0.4.0-assets/cluster-api.zip
+* clusterctl.yaml
+* dev-repository/
+* dev-repository/infrastructure-cloudstack/
+* dev-repository/infrastructure-cloudstack/v0.4.0/
+* dev-repository/infrastructure-cloudstack/v0.4.0/cluster-template.yaml
+* dev-repository/infrastructure-cloudstack/v0.4.0/cluster-template-managed-ssh.yaml
+* dev-repository/infrastructure-cloudstack/v0.4.0/cluster-template-ssh-material.yaml
+* dev-repository/infrastructure-cloudstack/v0.4.0/infrastructure-components.yaml
+* dev-repository/infrastructure-cloudstack/v0.4.0/metadata.yaml
+```
+
+*Note: If you already have a $HOME/.cluster-api we strongly suggest you delete or stash it.*
+
+```
+cd ~
+mkdir .cluster-api
+cd .cluster-api
+unzip cluster-api.zip 
+```
+
+### Edit the clusterctl configuration files
+- **clusterctl.yaml:** in the *url* attribute replace \<USERID\> with your OS user id to form a valid absolute path to infrastructure-components.yaml.
+
+- **dev-repository/infrastructure-cloudstack/v0.4.0/infrastructure-components.yaml:** if you're not using a local registry modify the capc-controller-manager deployment, changing the spec.template.spec.containers[0].image (line 617) to correctly reflect your container registry. 
+
+### Deploy CAPI and CAPC to your bootstrap Kubernetes cluster
+```
+clusterctl init --infrastructure cloudstack
+```
+
+### Generate a manifest for the CAPI custom resources needed to allocate a workload cluster.
+
+*Set the below environment variables as appropriate for your CloudStack environment.*
+
+```
+CLOUDSTACK_ZONE_NAME=<MyZoneName> \
+CLOUDSTACK_NETWORK_NAME=<MyNetworkName> \
+CLOUDSTACK_TEMPLATE_NAME=<MyTemplateName> \
+CLOUDSTACK_CONTROL_PLANE_MACHINE_OFFERING=<MyServiceOfferingName> \
+CONTROL_PLANE_MACHINE_COUNT=1 \
+CLOUDSTACK_WORKER_MACHINE_OFFERING=<MyServiceOfferingName> \
+WORKER_MACHINE_COUNT=1 \
+CLUSTER_ENDPOINT_IP=<AvailableSharedOrPublicIP> \
+CLUSTER_ENDPOINT_PORT=6443 \
+KUBERNETES_VERSION=<KubernetesVersionOnTheImage> \
+CLUSTER_NAME=<MyClusterName> \
+clusterctl generate yaml --from ~/.cluster-api/dev-repository/infrastructure-cloudstack/v0.4.0/cluster-template.yaml > clusterTemplate.yaml
+```
+
+### Review the generated clusterTemplate.yaml and adjust as necessary
+
+
+### Provision your workload cluster
+
+```
+kubectl apply -f clusterTemplate.yaml
+```
+
+Provisioning can take several minutes to complete.  You will see a control plane VM created in CloudStack pretty quickly, 
+but it takes a while for it to complete its cloud-init to install Kubernetes and become a functioning control plane.  
+Allocation of the worker node(s) (with *md* in their VM names) won't occur until the control plane is operational.
+
+You can monitor the CAPC controller as it conducts the provisioning process with:
+```
+# Get the full name of the CAPC controller pod
+kubectl -n capc-system get pods
+
+# Tail its logs
+kubectl -n capc-system log -f <CAPCcontrollerPodFullName>
+```
+
+### Fetch a kubeconfig to access your cluster
+```
+clusterctl get kubeconfig <clusterName> > <clusterName>_kubeconfig
+```
+
+You can then either export a KUBECONFIG environment variable pointing to this file, or use kubectl's --kubeconfig=<filePath>
+flag.
+```
+export KUBECONFIG=<clusterName>_kubeconfig
+```
+
+### Examine the provisioned Kubernetes Cluster's nodes
+```
+kubectl get nodes
+```
+Expect to see a control plane and a worker node reported by Kubernetes.  Neither will report that they are ready
+because no CNI is installed yet.
+
+### Install Cilium CNI
+```
+cilium install
+```
+The above command presumes that the cilium installer is present on the local workstation.
+
+It will take a minute while it waits for cilium to become active.
+
+### Confirm that Cluster is Ready for Work
+```
+kubectl get nodes
+```
+Expect now to see both nodes list as ready.
+
+### Conclusion
+At this point the workload cluster is ready to accept workloads.  Use it in the usual way via the kubeconfig generated
+earlier
+
+### Cluster Deletion
+As mentioned in the preface, CAPC is not yet able to delete workload cluster.  To do so manually we recommend
+simply tearing-down the kind bootstrap cluster, and then manually deleting the CloudStack VMs created for it
+using the CloudStack UI, API or similar facilities.

releases/v0.4.0/EVALUATION_DEPLOYMENT.md

@@ -0,0 +1,51 @@
+# Cluster API Provider for Cloudstack (CAPC) Release Notes
+
+## Version 0.4.0
+
+These Release Notes are for the customer downloading and deploying CAPC private Version 0.4.0 released on 03/11/2022.
+
+### This release extends the v0.3.0 release of CAPC with:
+
+  * v1beta1 API declared
+  * Support for distributing cluster virtual machines across multiple CloudStack Zones/Networks
+  * Enablement of the CAPC controller metrics port
+  * Improved cleanup of CloudStack network components allocated as part of a cluster upon cluster deletion.
+  * Accelerated cluster deletion through concurrent VM deletion
+  * Node names match machine names
+  * Support for disabling TLS certificate validation for CloudStack connections (cloud_config verify-ssl boolean parameter, true by default).
+  * Example templates for implementing CAPI Machine Health Checking / Remediation of CAPC clusters
+
+### TLS Certificates
+The default mode of operation for the deployed Kubernetes cluster components is to use self-signed certificates.  Options exist for use of an enterprise certificate authority via cert-manager (https://cert-manager.io/docs/configuration/).  Detailed configuration of this component is outside the scope of this release.
+
+### Pre-conditions
+
+* The following pre-conditions must be met for CAPC to operate as designed.
+    * A functional CloudStack 4.14 or 4.16 deployment
+    * The CloudStack account used by CAPC must have domain administrator privileges or be otherwise appropriately privileged to execute the API calls specified in the below CAPC CloudStack API Calls document link.
+    * Zone(s) and Network(s) must be pre-created and available to CAPC prior to CreateCluster API call.
+    * A VM template suitable for implementing a Kubernetes node with kubeadm must be available in CloudStack.
+        * The software has been tested with RHEL-8 images created with CAPI Image-builder.
+    * Machine offerings suitable for running Kubernetes nodes must be available in CloudStack
+    * When using CloudStack Shared Networks, an unused IP address in the shared network’s address range must be available for the Kubernetes Control Plane for each cluster, upon which it will be exposed.
+
+### Release Assets :
+
+* cluster-api-provider-cloudstack-v0.4.0.tar.gz: container image of the CAPC controller
+* shasum.txt containing checksum for the released cluster-api-provider-cloudstack-v0.4.0.tar.gz
+* cluster-api.zip: configuration files for clusterctl
+    * infrastructure-components.yaml
+    * metadata.yaml
+    * cluster-template.yaml
+    * cluster-template-ssh.yaml
+* EVALUATION_DEPLOYMENT.md: instructions for manual deployment of this interim release for evaluation via clusterctl.
+* security_findings.csv: results of package security scan
+
+
+### Known Issues :
+
+* Cluster upgrade is not supported when the controlPlaneEndpoint is defined to be an IP address in a shared network.
+
+###  Future Scope/Features
+
+* Accelerated remediation of VM state drift

releases/v0.4.0/RELEASE_NOTES.md

@@ -0,0 +1,20 @@
+Component,Vulnerability,AWS Assessment
+cloud.google.com/go/storage:1.10.0,https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Astorage_project&cpe_product=cpe%3A%2F%3Astorage_project%3Astorage&cpe_version=cpe%3A%2F%3Astorage_project%3Astorage%3A1.10.0,No exploitable issue. This finding only affects applications unpacking container Image manifests.
+github.com/coreos/etcd:3.3.13+incompatible,https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aetcd&cpe_product=cpe%3A%2F%3Aetcd%3Aetcd&cpe_version=cpe%3A%2F%3Aetcd%3Aetcd%3A3.3.13,"No exploitable issue. etcd is unused in Kubernetes CAPI controllers, only the Kubernetes API server interacts with an etcd database."
+github.com/docker/distribution:2.7.1+incompatible,cpe:2.3:a:docker:docker:2.7.1,No exploitable issue. The Docker API and client are unused in a Kubernetes CAPI controller.
+github.com/grpc-ecosystem/go-grpc-middleware:1.3.0,https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Agrpc&cpe_product=cpe%3A%2F%3Agrpc%3Agrpc&cpe_version=cpe%3A%2F%3Agrpc%3Agrpc%3A1.3.0,No exploitable issue. Kubernetes controllers do not make or issue gRPC calls.
+github.com/grpc-ecosystem/go-grpc-prometheus:1.2.0,https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Agrpc&cpe_product=cpe%3A%2F%3Agrpc%3Agrpc&cpe_version=cpe%3A%2F%3Agrpc%3Agrpc%3A1.2.0,No exploitable issue. Kubernetes controllers do not make or issue gRPC calls.
+github.com/grpc-ecosystem/grpc-gateway:1.16.0,https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Agrpc&cpe_product=cpe%3A%2F%3Agrpc%3Agrpc&cpe_version=cpe%3A%2F%3Agrpc%3Agrpc%3A1.16.0,No exploitable issue. Kubernetes controllers do not make or issue gRPC calls.
+github.com/hashicorp/consul/api:1.1.0,cpe:2.3:a:hashicorp:consul:1.1.0,No exploitable issue. Consul is unused by a Kubernetes CAPI controller.
+github.com/hashicorp/consul/sdk:0.1.1,cpe:2.3:a:hashicorp:consul:0.1.1,No exploitable issue. Consul is unused by a Kubernetes CAPI controller.
+github.com/matttproud/golang_protobuf_extensions:1.0.2-0.20181231171920-c182affec369,https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Agolang&cpe_product=cpe%3A%2F%3Agolang%3Aprotobuf&cpe_version=cpe%3A%2F%3Agolang%3Aprotobuf%3A1.0.2.0.20181231171920.c182.fec369,No exploitable issue. Kubernetes controllers do not make or issue gRPC calls.
+github.com/prometheus/client_golang:1.11.0,cpe:2.3:a:prometheus:prometheus:1.11.0,No exploitable issue. The mentioned vulnerability is related to the Prometheus UI.
+github.com/prometheus/client_model:0.2.0,cpe:2.3:a:prometheus:prometheus:0.2.0,No exploitable issue. The mentioned vulnerability is related to the Prometheus UI.
+github.com/prometheus/common:0.32.1,cpe:2.3:a:prometheus:prometheus:0.32.1,No exploitable issue. The mentioned vulnerability is related to the Prometheus UI.
+github.com/prometheus/procfs:0.7.3,cpe:2.3:a:prometheus:prometheus:0.7.3,No exploitable issue. The mentioned vulnerability is related to the Prometheus UI.
+github.com/prometheus/tsdb:0.7.1,cpe:2.3:a:prometheus:prometheus:0.7.1,No exploitable issue. The mentioned vulnerability is related to the Prometheus UI.
+github.com/tmc/grpc-websocket-proxy:0.0.0-20201229170055-e5319fda7802 ,https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Agrpc&cpe_product=cpe%3A%2F%3Agrpc%3Agrpc&cpe_version=cpe%3A%2F%3Agrpc%3Agrpc%3A0.0.0.20201229170055.e5319.fda7802,No exploitable issue. Kubernetes controllers do not make or issue gRPC calls.
+go.etcd.io/etcd/client/v2:2.305.0,cpe:2.3:a:etcd:etcd:2.305.0,"No exploitable issue. etcd is unused in Kubernetes CAPI controllers, only the Kubernetes API server interacts with an etcd database."
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc:0.20.0 ,https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Agrpc&cpe_product=cpe%3A%2F%3Agrpc%3Agrpc&cpe_version=cpe%3A%2F%3Agrpc%3Agrpc%3A0.20.0,No exploitable issue. Kubernetes controllers do not make or issue gRPC calls.
+google.golang.org/grpc/cmd/protoc-gen-go-grpc:1.1.0,https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Agrpc&cpe_product=cpe%3A%2F%3Agrpc%3Agrpc&cpe_version=cpe%3A%2F%3Agrpc%3Agrpc%3A1.1.0,No exploitable issue. Kubernetes controllers do not make or issue gRPC calls.
+github.com/docker/distribution,https://github.com/advisories/GHSA-qq97-vm5h-rrhg,No exploitable issue. Vulnerable code is not actually used.

releases/v0.4.0/clusterApi.zip

@@ -0,0 +1 @@
+3ec165162ccd259ffcc6ff83bceeb64cc047a173  cluster-api-provider-cloudstack-v0.4.0.tar.gz

releases/v0.4.0/security_findings.csv

@@ -86,7 +86,7 @@ func InvalidResourceSpec(ctx context.Context, inputGetter func() CommonSpecInput
 	})
 
 	It("Should fail due to the compute resources are not sufficient for the specified offering [TC8]", func() {
-		testInvalidResource(ctx, input, "insufficient-compute-resources", "CloudStackMachine VM in error state.  Deleting associated Machine.")
+		testInvalidResource(ctx, input, "insufficient-compute-resources", "Unable to create a deployment for VM")
 	})
 
 	AfterEach(func() {