diff --git a/packages/nb-config/compositions/nboperatorbootstrap/resources/kcl-step.k b/packages/nb-config/compositions/nboperatorbootstrap/resources/kcl-step.k
index 40c553a7..1baec022 100644
--- a/packages/nb-config/compositions/nboperatorbootstrap/resources/kcl-step.k
+++ b/packages/nb-config/compositions/nboperatorbootstrap/resources/kcl-step.k
@@ -14,6 +14,8 @@ readyBasedOnConditions = lambda o: any -> bool { # Simply check if all conditions are True len(conditions) > 0 and all_true([c.status == "True" for c in conditions]) } +# Define router indices +_router_indices = [1, 2, 3] _zitadel_project_id_secret = { apiVersion = "kubernetes.crossplane.io/v1alpha2"
@@ -213,6 +215,9 @@ if parameters.accessToken.destinationType == "sc": kind = "Namespace" metadata = { name = parameters.operatorNamespace + labels = { + "hostport.rmb938.com": "true" + } } } }
@@ -258,7 +263,7 @@ if parameters.accessToken.destinationType == "sc": metadata = { name = "{}-sc-nb-operator-kyverno-policy-install".format(oxr.metadata.name) annotations = { - "krm.kcl.dev/composition-resource-name": "sc-nb-operator-policy-kyverno-install" + "krm.kcl.dev/composition-resource-name" = "sc-nb-operator-policy-kyverno-install" } } spec = {
@@ -268,10 +273,9 @@ if parameters.accessToken.destinationType == "sc": kind = "ClusterPolicy" metadata = { name = "nbrouter-add-security-context" - namespace = parameters.operatorNamespace annotations = { - "policies.kyverno.io/title": "Add security context to nbrouter deployment" - "policies.kyverno.io/description": "This policy updates pod security context of nbrouter deployment" + "policies.kyverno.io/title" = "Add security context to nbrouter deployment" + "policies.kyverno.io/description" = "This policy updates pod security context of nbrouter deployment" } } spec = { 
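Review bot: The comment added above `_router_indices` only restates the assignment; what a reader needs is why there are three entries and what the list drives. Further down in this same file the list sizes both the `_nb_router_peers` and `_hostport_claims` comprehensions, and every claim is served from the `HostPortClass` pool 51820–51830, so the count has to stay at or below that pool's size. A replacement along the lines of `# One NBRoutingPeer + HostPortClaim pair per index; keep len() <= the netbird-hostports pool size (51820-51830)` records that coupling. The value is also a module-level constant although it is only consumed inside the `destinationType == "sc"` branch; if the router count is meant to vary per XR, reading it from `parameters` (field name to be decided) would avoid editing this literal.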
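Review bot: The new `labels` block on the Namespace is written as `"hostport.rmb938.com": "true"`, while the two hunks that follow it in this file convert the equivalent annotation keys from `:` to `=`, and the NBRoutingPeer and HostPortClaim blocks added later (`"krm.kcl.dev/composition-resource-name": ...`, the `app.kubernetes.io/*` labels) keep `:` as well. Both spellings are valid KCL and evaluate to the same value in a plain config literal, but once the commit has started normalising to `=`, leaving the rest on `:` leaves the intent unclear, since `:` is KCL's merge form and `=` its override form. Either finish the conversion in the new blocks too, or add a one-line comment at the top of the file stating which form it standardises on.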
@@ -282,39 +286,40 @@ if parameters.accessToken.destinationType == "sc": "any" = [ { resources = { - kinds = [ - "Pod" - ] - namespaces = [ - parameters.operatorNamespace - ] + kinds = ["Pod"] + namespaces = [parameters.operatorNamespace] selector = { matchLabels = { - "app.kubernetes.io/name": "netbird-router" + "app.kubernetes.io/name" = "netbird-router" } } } } ] } - mutate = { - patchStrategicMerge = { - spec = { - securityContext = { - sysctls = [ - { - name = "net.ipv4.ip_forward" - value = "1" - } - ] - } + context = [ + { + name = "hostportclaim" + apiCall = { + urlPath = "/apis/hostport.rmb938.com/v1alpha1/namespaces/{{ request.namespace }}/hostportclaims/netbird-{{ request.object.metadata.ownerReferences[0].name | split(@, '-') | [0:-1] | join('-', @) }}" + jmesPath = "spec.hostPortName" + } + } + { + name = "hostport" + apiCall = { + urlPath = "/apis/hostport.rmb938.com/v1alpha1/hostports/{{ hostportclaim }}" + jmesPath = "status.port" } } + ] + mutate = { + patchesJson6902 = "- op: add\n path: \"/spec/containers/0/ports\"\n value: \n - name: router\n containerPort: {{ hostport }}\n hostPort: {{ hostport }}\n protocol: UDP\n- op: add\n path: \"/spec/containers/0/env/-\"\n value: {\"name\": \"NB_EXTERNAL_IP_MAP\", \"valueFrom\": {\"fieldRef\": {\"fieldPath\": \"status.hostIP\"}}}\n- op: add\n path: \"/spec/containers/0/env/-\"\n value: {\"name\": \"NB_WIREGUARD_PORT\", \"value\": \"{{ hostport }}\"}\n- op: add\n path: \"/spec/containers/0/securityContext\"\n value: {\"privileged\": true}\n- op: add\n path: \"/spec/securityContext\"\n value: {\"sysctls\": [{\"name\": \"net.ipv4.ip_forward\", \"value\": \"1\"}]}" } preconditions = { - "any" = [ + "all" = [ { - key = "{{request.operation}}" + key = "{{ request.operation }}" operator = "In" value = ["CREATE", "UPDATE"] } 
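Review bot: The `patchesJson6902` string sets `/spec/containers/0/securityContext` to `{"privileged": true}`, which is a far broader grant than the `patchStrategicMerge` it replaces (that one only added the `net.ipv4.ip_forward` sysctl): a privileged container receives every capability and unrestricted access to host devices. If the router needs forwarding and one UDP hostPort, a narrower context such as `{"capabilities": {"add": ["NET_ADMIN"]}}` alongside the sysctl is worth trying first; I cannot tell from this hunk what the netbird router process actually requires, so confirm against its documentation before keeping privileged. Two JSON Patch details also deserve a test against the real pod template: per RFC 6902 an `add` to `/spec/containers/0/env/-` fails when the container declares no `env` array (confirm how Kyverno treats a missing parent), and `add` on `/spec/containers/0/ports` replaces any ports the pod already declares rather than appending. Finally, the `hostportclaim` apiCall indexes `request.object.metadata.ownerReferences[0]`, which errors for an owner-less pod that carries the `netbird-router` label, so a precondition that `request.object.metadata.ownerReferences` is non-empty would make the rule fail closed instead of blocking admission.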
@@ -424,6 +429,108 @@ if parameters.accessToken.destinationType == "sc": } } } + + _nb_router_peers = [{ + apiVersion = "kubernetes.crossplane.io/v1alpha2" + kind = "Object" + metadata = { + name = "nb-router-peer-{}".format(i) + annotations = { + "krm.kcl.dev/composition-resource-name": "nb-router-peer-{}".format(i) + } + } + spec = { + forProvider = { + manifest = { + apiVersion = "netbird.io/v1" + kind = "NBRoutingPeer" + metadata = { + name = "router-{}".format(i) + namespace = parameters.operatorNamespace + finalizers = ["netbird.io/cleanup"] + labels = { + "app.kubernetes.io/component": "operator" + "app.kubernetes.io/instance": "netbird-operator" + "app.kubernetes.io/name": "kubernetes-operator" + } + } + spec = { + replicas = 1 + } + } + } + managementPolicies = spec?.managementPolicies + providerConfigRef = { + name = spec?.providerConfigsRef?.scK8sProviderName + } + } + } for i in _router_indices] + + # Create HostPortClaim resources for each router + + _hostport_claims = [{ + apiVersion = "kubernetes.crossplane.io/v1alpha2" + kind = "Object" + metadata = { + name = "sc-hostport-claim-{}".format(i) + annotations = { + "krm.kcl.dev/composition-resource-name": "sc-hostport-claim-{}".format(i) + } + } + spec = { + forProvider = { + manifest = { + apiVersion = "hostport.rmb938.com/v1alpha1" + kind = "HostPortClaim" + metadata = { + name = "netbird-router-{}".format(i) + namespace = parameters.operatorNamespace + } + spec = { + hostPortClassName = "netbird-hostports" + } + } + } + managementPolicies = spec?.managementPolicies + providerConfigRef = { + name = spec?.providerConfigsRef?.scK8sProviderName + } + } + } for i in _router_indices] + + _hostport_class = { + apiVersion = "kubernetes.crossplane.io/v1alpha2" + kind = "Object" + metadata = { + name = "{}-sc-hostport-class".format(oxr.metadata.name) + annotations = { + "krm.kcl.dev/composition-resource-name": "sc-hostport-class" + } + } + spec = { + forProvider = { + manifest = { + apiVersion = 
"hostport.rmb938.com/v1alpha1" + kind = "HostPortClass" + metadata = { + name = "netbird-hostports" + } + spec = { + pools = [ + { + start = 51820 + end = 51830 + } + ] + } + } + } + managementPolicies = spec?.managementPolicies + providerConfigRef = { + name = spec?.providerConfigsRef?.scK8sProviderName + } + } + } # elif parameters.accessToken.destinationType == "tenantVault": # # TODO: Implement tenant vault stuff _internal_network_policy = { @@ -474,13 +581,17 @@ _items += [ if readyBasedOnConditions(ocds["zitadel-project-id-secret"]): _items += [ - _external_access_group - _network_resource_group - _service_user + _external_access_group, + _network_resource_group, + _service_user, _access_token ] if parameters.accessToken.destinationType == "sc": - _items += [_sc_netbird_namespace, _sc_access_token_secret_copy, _sc_nb_operator_kyverno_policy, _sc_nb_op_secret_update_kyverno_policy] + _items += [_sc_netbird_namespace, _sc_access_token_secret_copy, _sc_nb_operator_kyverno_policy, _sc_nb_op_secret_update_kyverno_policy, _hostport_class] + _items += _hostport_claims + _items += _nb_router_peers + + if parameters.accessToken.destinationType == "tenantVault": _items += [_push_secret_access_token] diff --git a/packages/nb-config/compositions/operator-post-config/resources/kcl-step.k b/packages/nb-config/compositions/operator-post-config/resources/kcl-step.k index 330d49b5..6ec2e3af 100644 --- a/packages/nb-config/compositions/operator-post-config/resources/kcl-step.k +++ b/packages/nb-config/compositions/operator-post-config/resources/kcl-step.k @@ -2,8 +2,8 @@ oxr = option("params").oxr ocds = option("params").ocds -spec = oxr.spec -parameters = spec.parameters +oxr_spec = oxr.spec +parameters = oxr_spec.parameters # Initialize the items list _items = [] 
@@ -14,48 +14,9 @@ readyBasedOnConditions = lambda o: any -> bool { len(conditions) > 0 and all_true([c.status == "True" for c in conditions]) } -# _network_resource_group = { -# apiVersion = "vpn.netbird.crossplane.io/v1alpha1" -# kind = "NbGroup" -# metadata = { -# name = "{}-network-resource-group".format(oxr.metadata.name) -# annotations = { -# "krm.kcl.dev/composition-resource-name": "network-resource-group" -# "crossplane.io/external-name": parameters.groupNames.networkResourceGroup -# } -# } -# spec = { -# forProvider = { -# name = parameters.groupNames.networkResourceGroup -# } -# providerConfigRef = { -# name = spec?.providerConfigsRef?.netbirdProviderConfigName -# } -# managementPolicies = spec?.managementPolicies -# } -# } - - -# _nb_network = { -# apiVersion = "vpn.netbird.crossplane.io/v1alpha1" -# kind = "NbNetwork" -# metadata = { -# name = "{}-nb-network".format(oxr.metadata.name) -# annotations = { -# "krm.kcl.dev/composition-resource-name": "nb-network" -# "crossplane.io/external-name": parameters.networkResource.networkName -# } -# } -# spec = { -# forProvider = { -# name = parameters.networkResource.networkName -# } -# providerConfigRef = { -# name = spec?.providerConfigsRef?.netbirdProviderConfigName -# } -# managementPolicies = ["Observe"] -# } -# } +# Get provider config references from the XR spec +_netbird_provider_config = oxr_spec?.providerConfigsRef?.netbirdProviderConfigName +_management_policies = oxr_spec?.managementPolicies _nb_network_resource = { apiVersion = "vpn.netbird.crossplane.io/v1alpha1" 
@@ -80,22 +41,16 @@ _nb_network_resource = { network_name: parameters.networkResource.networkName } providerConfigRef = { - name = spec?.providerConfigsRef?.netbirdProviderConfigName + name = _netbird_provider_config } - managementPolicies = spec?.managementPolicies + managementPolicies = _management_policies } } - - -# Add the resources to the items list -_items += [ - _nb_network_resource -] - +_items += [_nb_network_resource] dxr = { **oxr } -items = _items + [dxr] +items = _items + [dxr]
\ No newline at end of file
diff --git a/packages/sc-nboperatorinstall/compositions/nboperatorinstall/resources/kcl-step.k b/packages/sc-nboperatorinstall/compositions/nboperatorinstall/resources/kcl-step.k
index de88776e..ab15938c 100644
--- a/packages/sc-nboperatorinstall/compositions/nboperatorinstall/resources/kcl-step.k
+++ b/packages/sc-nboperatorinstall/compositions/nboperatorinstall/resources/kcl-step.k
@@ -67,7 +67,7 @@ _sc_argocd_operator_app_install = { ingress = { enabled = True router = { - enabled = True + enabled = False } kubernetesAPI = { enabled = False
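Review bot: The rewritten tail of operator-post-config/kcl-step.k now ends without a trailing newline (`\ No newline at end of file` after `items = _items + [dxr]`) where the old version had one, so every later touch of that last line will show as a two-line change. Restoring the final newline keeps the file consistent with the other KCL steps in this commit.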
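Review bot: `router.enabled = False` under `ingress` lands without a note on why the router ingress is being switched off. If it is superseded by the HostPortClaim and Kyverno hostPort mutation added to the nboperatorbootstrap composition in this commit, saying so next to the value (`# router traffic is exposed via hostPort (see nboperatorbootstrap kyverno policy), not via ingress`) keeps the two settings from drifting apart. I am inferring that link from the rest of the commit, so adjust the wording if the reason is different.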