Ignition service for bootstrapping kubeadm and kubelet.

Author: Gerrit91

config/samples/example.yaml config/samples/example-kubeadm.yamlconfig/samples/example.yaml renamed to config/samples/example-kubeadm.yaml

@@ -29,33 +29,70 @@ spec:
     networks:
     - internet-mini-lab
 ---
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
+kind: MetalStackMachineTemplate
+metadata:
+  name: metal-test-controlplane
+spec:
+  template:
+    spec:
+      image: ubuntu-24.04
+      size: v1-small-x86
+---
 kind: KubeadmControlPlane
 apiVersion: controlplane.cluster.x-k8s.io/v1beta1
 metadata:
   name: metal-test-controlplane
 spec:
+  replicas: 1
+  version: v1.30.6
+  machineTemplate:
+    nodeDrainTimeout: 10m
+    infrastructureRef:
+      kind: MetalStackMachineTemplate
+      apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
+      name: metal-test-controlplane
   kubeadmConfigSpec:
     format: ignition
     initConfiguration:
       nodeRegistration: {}
     joinConfiguration:
       controlPlane: {}
       nodeRegistration: {}
-  machineTemplate:
-    nodeDrainTimeout: 10m
-    infrastructureRef:
-      kind: MetalStackMachineTemplate
-      apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
-      name: metal-test-controlplane
-  replicas: 1
-  version: v1.30.6
----
-apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
-kind: MetalStackMachineTemplate
-metadata:
-  name: metal-test-controlplane
-spec:
-  template:
-    spec:
-      image: ubuntu-24.04
-      size: v1-small-x86
+    ignition:
+      containerLinuxConfig:
+        additionalConfig: |
+          systemd:
+            units:
+            - name: cluster-api-init.service
+              enable: true
+              contents: |-
+                [Unit]
+                Description=Prepares the node for bootstrapping with cluster-api kubeadm
+                Before=kubeadm.service
+                After=network-online.target
+                Wants=network-online.target
+                [Service]
+                Type=oneshot
+                Restart=on-failure
+                RestartSec=5
+                StartLimitBurst=0
+                EnvironmentFile=/etc/environment
+                ExecStart=/var/lib/cluster-api-init/bootstrap.sh
+                [Install]
+                WantedBy=multi-user.target
+    files:
+      - path: /var/lib/cluster-api-init/bootstrap.sh
+        owner: "root:root"
+        permissions: "0744"
+        content: |
+          #!/usr/bin/env bash
+          set -eo pipefail
+          set +x
+
+          curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
+          echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list
+
+          apt-get update
+          apt-get install -y kubelet kubeadm kubectl
+          apt-mark hold kubelet kubeadm kubectl

config/samples/kustomization.yaml

@@ -2,5 +2,5 @@
 namespace: default
 
 resources:
-- example.yaml
+- example-kubeadm.yaml
 # +kubebuilder:scaffold:manifestskustomizesamples

internal/controller/metalstackcluster_controller.go

@@ -166,12 +166,12 @@ func (r *MetalStackClusterReconciler) SetupWithManager(mgr ctrl.Manager) error {
 }
 
 func (r *clusterReconciler) reconcile() error {
-	nodeCIDR, err := r.ensureNodeNetwork()
+	nodeNetworkID, err := r.ensureNodeNetwork()
 	if err != nil {
 		return fmt.Errorf("unable to ensure node network: %w", err)
 	}
 
-	r.log.Info("reconciled node network", "cidr", nodeCIDR)
+	r.log.Info("reconciled node network", "network-id", nodeNetworkID)
 
 	ip, err := r.ensureControlPlaneIP()
 	if err != nil {
@@ -197,7 +197,7 @@ func (r *clusterReconciler) reconcile() error {
 		return fmt.Errorf("failed to update infra cluster control plane endpoint: %w", err)
 	}
 
-	fwdeploy, err := r.ensureFirewallDeployment(nodeCIDR)
+	fwdeploy, err := r.ensureFirewallDeployment(nodeNetworkID)
 	if err != nil {
 		return fmt.Errorf("unable to ensure firewall deployment: %w", err)
 	}
@@ -259,15 +259,15 @@ func (r *clusterReconciler) ensureNodeNetwork() (string, error) {
 			return "", fmt.Errorf("error creating node network: %w", err)
 		}
 
-		return resp.Payload.Prefixes[0], nil
+		return *resp.Payload.ID, nil
 	case 1:
 		nw := nws[0]
 
 		if len(nw.Prefixes) == 0 {
 			return "", errors.New("node network exists but the prefix is gone")
 		}
 
-		return nw.Prefixes[0], nil
+		return *nw.ID, nil
 	default:
 		return "", fmt.Errorf("more than a single node network exists for this cluster, operator investigation is required")
 	}
@@ -399,7 +399,7 @@ func (r *clusterReconciler) findControlPlaneIP() ([]*models.V1IPResponse, error)
 	return resp.Payload, nil
 }
 
-func (r *clusterReconciler) ensureFirewallDeployment(nodeCIDR string) (*fcmv2.FirewallDeployment, error) {
+func (r *clusterReconciler) ensureFirewallDeployment(nodeNetworkID string) (*fcmv2.FirewallDeployment, error) {
 	deploy := &fcmv2.FirewallDeployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      r.infraCluster.Name,
@@ -440,7 +440,7 @@ func (r *clusterReconciler) ensureFirewallDeployment(nodeCIDR string) (*fcmv2.Fi
 
 		deploy.Spec.Template.Spec.Size = r.infraCluster.Spec.Firewall.Size
 		deploy.Spec.Template.Spec.Image = r.infraCluster.Spec.Firewall.Image
-		deploy.Spec.Template.Spec.Networks = append(r.infraCluster.Spec.Firewall.AdditionalNetworks, nodeCIDR)
+		deploy.Spec.Template.Spec.Networks = append(r.infraCluster.Spec.Firewall.AdditionalNetworks, nodeNetworkID)
 		deploy.Spec.Template.Spec.RateLimits = r.infraCluster.Spec.Firewall.RateLimits
 		deploy.Spec.Template.Spec.EgressRules = r.infraCluster.Spec.Firewall.EgressRules
 		deploy.Spec.Template.Spec.LogAcceptedConnections = ptr.Deref(r.infraCluster.Spec.Firewall.LogAcceptedConnections, false)
@@ -452,6 +452,10 @@ func (r *clusterReconciler) ensureFirewallDeployment(nodeCIDR string) (*fcmv2.Fi
 		deploy.Spec.Template.Spec.NftablesExporterVersion = ""
 		deploy.Spec.Template.Spec.NftablesExporterURL = ""
 
+		// TODO: we need to allow internet connection for the nodes before the firewall-controller can connect to the control-plane
+		// the FCM currently does not support this
+		deploy.Spec.Template.Spec.Userdata = ""
+
 		// TODO: do we need to generate ssh keys for the machines and the firewall in this controller?
 		deploy.Spec.Template.Spec.SSHPublicKeys = nil