feat: add reaper-agent per-node DaemonSet (#27)

* feat: add reaper-agent per-node DaemonSet binary

Introduces reaper-agent, a per-node Kubernetes DaemonSet that provides
operational capabilities for Reaper: ConfigMap-based config sync to host,
stale state GC with dead PID detection, health checks, and Prometheus
metrics on :9100. Gated behind the "agent" cargo feature.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add --with-agent install flag and agent integration tests

Add --with-agent flag to install-reaper.sh for optional reaper-agent
DaemonSet deployment. Add Phase 4a integration tests that verify agent
deployment, ConfigMap sync, /healthz, /metrics, and stale state GC.
Agent tests auto-skip if the image isn't loaded into Kind.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: auto-build and load reaper-agent image in integration tests

Add scripts/build-agent-image.sh that cross-compiles the agent binary
via musl, packages it into a distroless container image, and loads it
into Kind. Wire it into Phase 2 setup so Phase 4a agent tests run
automatically instead of being skipped. Build failure is non-fatal
(tests gracefully skip if image is unavailable).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: make reaper-agent build and tests mandatory in CI

Agent image build failure now aborts the test suite instead of
silently skipping. Phase 4a agent tests fail hard if the image
isn't found — the agent is core infrastructure, not optional.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: use dedicated KUBECONFIG to avoid context conflicts

Export a per-cluster KUBECONFIG file so all kubectl commands target
the correct Kind cluster, even when the user has other clusters or
contexts active. Previously, bare kubectl defaulted to localhost:8080
if another context was selected.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: set imagePullPolicy to IfNotPresent for Kind-loaded agent image

The :latest tag defaults imagePullPolicy to Always, causing kubelet to
attempt pulling from ghcr.io instead of using the locally loaded image.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add --agent-only flag to integration test harness

Skips cargo tests and Phase 4 integration tests, running only
infrastructure setup and Phase 4a agent tests for fast iteration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: run reaper-agent as root and use port-forward for tests

The agent needs root to write /etc/reaper/reaper.conf and clean up
/run/reaper/ on the host. Switch from distroless:nonroot to distroless
root image with securityContext.runAsUser: 0.

Also fix healthz/metrics tests to use kubectl port-forward instead of
kubectl exec (distroless has no shell or wget).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: add BUGS.md documenting DNS annotation test flake

Documents the intermittent containerd sandbox teardown race that causes
the DNS mode annotation override test to fail under load.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: update TODO with agent Phase 2 items and mark ConfigMap eval done

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: miguelgila

Cargo.lock

@@ -10,7 +10,7 @@ license = "MIT"
 [dependencies]
 anyhow = "1"
 thiserror = "1"
-clap = { version = "4", features = ["derive"] }
+clap = { version = "4", features = ["derive", "env"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 nix = { version = "0.28", features = ["signal", "process", "user", "sched", "mount", "fs", "term"] }
@@ -23,6 +23,16 @@ protobuf = "3.3"
 containerd-shim = { version = "0.10", features = ["async", "tracing"] }
 containerd-shim-protos = { version = "0.10", features = ["async"] }
 
+# reaper-agent dependencies
+kube = { version = "0.98", features = ["runtime", "client", "derive"], optional = true }
+k8s-openapi = { version = "0.24", features = ["v1_31"], optional = true }
+prometheus-client = { version = "0.23", optional = true }
+axum = { version = "0.8", optional = true }
+futures = { version = "0.3", optional = true }
+
+[features]
+agent = ["kube", "k8s-openapi", "prometheus-client", "axum", "futures"]
+
 [dev-dependencies]
 tempfile = "3"
 serial_test = "3"
@@ -35,6 +45,11 @@ path = "src/bin/reaper-runtime/main.rs"
 name = "containerd-shim-reaper-v2"
 path = "src/bin/containerd-shim-reaper-v2/main.rs"
 
+[[bin]]
+name = "reaper-agent"
+path = "src/bin/reaper-agent/main.rs"
+required-features = ["agent"]
+
 [lints.rust]
 unexpected_cfgs = { level = "warn", check-cfg = ['cfg(tarpaulin_include)'] }
 

Cargo.toml

@@ -0,0 +1,27 @@
+# Multi-stage build for reaper-agent
+# Produces a minimal static binary for Kubernetes DaemonSet deployment.
+
+# --- Builder stage ---
+FROM messense/rust-musl-cross:x86_64-musl AS builder-amd64
+WORKDIR /work
+COPY . .
+RUN cargo build --release --features agent --bin reaper-agent --target x86_64-unknown-linux-musl
+
+FROM messense/rust-musl-cross:aarch64-musl AS builder-arm64
+WORKDIR /work
+COPY . .
+RUN cargo build --release --features agent --bin reaper-agent --target aarch64-unknown-linux-musl
+
+# --- Runtime stage ---
+# Use distroless for a minimal image with ca-certificates (needed for K8s API TLS)
+FROM gcr.io/distroless/static-debian12
+
+ARG TARGETARCH
+COPY --from=builder-amd64 /work/target/x86_64-unknown-linux-musl/release/reaper-agent /reaper-agent-amd64
+COPY --from=builder-arm64 /work/target/aarch64-unknown-linux-musl/release/reaper-agent /reaper-agent-arm64
+
+# Select binary based on target architecture
+# Note: For single-arch builds, use docker buildx with --platform
+COPY --from=builder-${TARGETARCH}64 /work/target/*/release/reaper-agent /reaper-agent
+
+ENTRYPOINT ["/reaper-agent"]

Dockerfile.agent

@@ -237,5 +237,6 @@
           - "1. Create RuntimeClass: kubectl apply -f deploy/kubernetes/runtimeclass.yaml"
           - "2. Deploy test pod: kubectl apply -f deploy/kubernetes/runtimeclass.yaml"
           - "3. Verify: kubectl logs reaper-example"
+          - "4. Optional: kubectl apply -f deploy/kubernetes/reaper-agent.yaml (config sync, GC, metrics)"
           - ""
           - "To rollback: ansible-playbook -i inventory.ini deploy/ansible/rollback-reaper.yml"

deploy/ansible/install-reaper.yml

@@ -0,0 +1,152 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: reaper-system
+  labels:
+    app.kubernetes.io/part-of: reaper
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: reaper-config
+  namespace: reaper-system
+  labels:
+    app.kubernetes.io/part-of: reaper
+    app.kubernetes.io/component: config
+data:
+  reaper.conf: |
+    # Reaper runtime configuration
+    # Managed by reaper-agent ConfigMap sync.
+    # Edit this ConfigMap to change Reaper settings on all nodes.
+    REAPER_DNS_MODE=host
+    REAPER_OVERLAY_ISOLATION=namespace
+    REAPER_ANNOTATIONS_ENABLED=true
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: reaper-agent
+  namespace: reaper-system
+  labels:
+    app.kubernetes.io/part-of: reaper
+    app.kubernetes.io/component: agent
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: reaper-agent
+  labels:
+    app.kubernetes.io/part-of: reaper
+    app.kubernetes.io/component: agent
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: reaper-agent
+  labels:
+    app.kubernetes.io/part-of: reaper
+    app.kubernetes.io/component: agent
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: reaper-agent
+subjects:
+  - kind: ServiceAccount
+    name: reaper-agent
+    namespace: reaper-system
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: reaper-agent
+  namespace: reaper-system
+  labels:
+    app.kubernetes.io/name: reaper-agent
+    app.kubernetes.io/part-of: reaper
+    app.kubernetes.io/component: agent
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: reaper-agent
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: reaper-agent
+        app.kubernetes.io/part-of: reaper
+        app.kubernetes.io/component: agent
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9100"
+        prometheus.io/path: "/metrics"
+    spec:
+      serviceAccountName: reaper-agent
+      hostPID: true
+      tolerations:
+        - operator: Exists
+          effect: NoSchedule
+      containers:
+        - name: agent
+          image: ghcr.io/miguelgila/reaper-agent:latest
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 0
+          args:
+            - --config-namespace=reaper-system
+            - --config-name=reaper-config
+            - --config-path=/host/etc/reaper/reaper.conf
+            - --state-dir=/host/run/reaper
+            - --shim-path=/host/usr/local/bin/containerd-shim-reaper-v2
+            - --runtime-path=/host/usr/local/bin/reaper-runtime
+          ports:
+            - containerPort: 9100
+              name: metrics
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: metrics
+            initialDelaySeconds: 10
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: metrics
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: 10m
+              memory: 32Mi
+            limits:
+              cpu: 100m
+              memory: 64Mi
+          volumeMounts:
+            - name: etc-reaper
+              mountPath: /host/etc/reaper
+            - name: run-reaper
+              mountPath: /host/run/reaper
+            - name: usr-local-bin
+              mountPath: /host/usr/local/bin
+              readOnly: true
+      volumes:
+        - name: etc-reaper
+          hostPath:
+            path: /etc/reaper
+            type: DirectoryOrCreate
+        - name: run-reaper
+          hostPath:
+            path: /run/reaper
+            type: DirectoryOrCreate
+        - name: usr-local-bin
+          hostPath:
+            path: /usr/local/bin
+            type: Directory

deploy/kubernetes/reaper-agent.yaml

@@ -0,0 +1,43 @@
+# Known Bugs and Flaky Tests
+
+## DNS Mode Annotation Override Test Flake
+
+**Test:** `DNS mode annotation override (host vs kubernetes)`
+**Severity:** Low (intermittent, CI-only)
+**Status:** Open
+
+### Symptoms
+
+The test times out (64s) waiting for the `reaper-dns-annot-default` or
+`reaper-dns-annot-host` pod to reach `Succeeded` phase. The pod gets stuck
+and containerd reports:
+
+```
+failed to stop sandbox: task must be stopped before deletion: running: failed precondition
+```
+
+### Root Cause
+
+A timing race in containerd's sandbox lifecycle. When the shim reports the
+container has exited, containerd sometimes tries to delete the task before
+it has fully transitioned out of the `running` state. This causes a
+`failed precondition` error that prevents sandbox teardown, leaving the pod
+stuck.
+
+This is a containerd-level issue, not a Reaper bug. It tends to surface
+under load (e.g., when many pods are created/deleted in quick succession
+during the integration test suite).
+
+### Workarounds
+
+- Re-running the test suite usually passes on retry.
+- The `--agent-only` flag skips this test entirely for fast agent iteration.
+- Running with `--no-cleanup` and re-running `--skip-cargo --no-cleanup`
+  often avoids the race since the cluster is warmer.
+
+### Related
+
+- Observed in Kind clusters with containerd v1.7+.
+- The `Combined annotations` test exercises similar annotation logic and
+  passes reliably, suggesting the issue is timing-related rather than
+  functional.

docs/BUGS.md

@@ -19,4 +19,9 @@ List of tasks to do, not ordered in any specific way.
 - [x] Add certain configuration parameters as annotations, so users can influence how Reaper works (DNS, overlay name and mount point, etc.). But ensuring adminsistrator parameters cannot be overriden.
 - [ ] Introduce more complex examples, answer this question: can we have a sssd containerd pod expose its socks file so a sample reaper pod can utilize it?
 - [ ] Produce RPM an DEB packages compatible with major distributions (SUSE, RHEL, Debian, Ubuntu). This will help with installation and deployment.
-- [ ] Evaluate if Reaper can be configured using a Kubernetes ConfigMap instead of relying on a node-level config file.
+- [x] Evaluate if Reaper can be configured using a Kubernetes ConfigMap instead of relying on a node-level config file. (Implemented via `reaper-agent` DaemonSet — PR #27)
+- [ ] reaper-agent Phase 2: Overlay GC — reconcile overlay namespaces against Kubernetes API, delete overlays for namespaces that no longer exist
+- [ ] reaper-agent Phase 2: Binary self-update — watch ConfigMap version field, download and replace shim/runtime binaries
+- [ ] reaper-agent Phase 2: Node condition reporting — patch Node object with `ReaperReady` condition
+- [ ] reaper-agent Phase 2: Mount namespace cleanup — detect and unmount stale `/run/reaper/ns/*` bind-mounts
+- [ ] Fix known bugs documented in [docs/BUGS.md](BUGS.md)