fix: Always apply containerd patches (#644)

This commit ensures that applying containerd patches always happens.
Previously,
this only happened if mirror configuration was provided, which meant
that patches
such as enabling containerd metrics were never applied to containerd
config.

By bundling the apply patches and restart containerd script in the same
handler,
we ensure they both always get run.

Author: jimmidyson

pkg/handlers/generic/mutation/containerdrestart/restart.go renamed to pkg/handlers/generic/mutation/containerdapplypatchesandrestart/apply_patches.go

@@ -1,6 +1,6 @@
 // Copyright 2023 Nutanix. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
-package containerdrestart
+package containerdapplypatchesandrestart
 
 import (
 	_ "embed"

pkg/handlers/generic/mutation/containerdrestart/inject.go renamed to pkg/handlers/generic/mutation/containerdapplypatchesandrestart/inject.go

@@ -1,9 +1,10 @@
 // Copyright 2023 Nutanix. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
-package containerdrestart
+package containerdapplypatchesandrestart
 
 import (
 	"context"
+	_ "embed"
 
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -18,13 +19,13 @@ import (
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/common/pkg/capi/clustertopology/patches/selectors"
 )
 
-type containerdRestartPatchHandler struct{}
+type containerdApplyPatchesAndRestartPatchHandler struct{}
 
-func NewPatch() *containerdRestartPatchHandler {
-	return &containerdRestartPatchHandler{}
+func NewPatch() *containerdApplyPatchesAndRestartPatchHandler {
+	return &containerdApplyPatchesAndRestartPatchHandler{}
 }
 
-func (h *containerdRestartPatchHandler) Mutate(
+func (h *containerdApplyPatchesAndRestartPatchHandler) Mutate(
 	ctx context.Context,
 	obj *unstructured.Unstructured,
 	vars map[string]apiextensionsv1.JSON,
@@ -36,27 +37,34 @@ func (h *containerdRestartPatchHandler) Mutate(
 		"holderRef", holderRef,
 	)
 
-	file, command := generateContainerdRestartScript()
+	restartFile, restartCommand := generateContainerdRestartScript()
+
+	applyPatchesFile, applyPatchesCommand, err := generateContainerdApplyPatchesScript()
+	if err != nil {
+		return err
+	}
 
 	if err := patches.MutateIfApplicable(
 		obj, vars, &holderRef, selectors.ControlPlane(), log,
 		func(obj *controlplanev1.KubeadmControlPlaneTemplate) error {
 			log.WithValues(
 				"patchedObjectKind", obj.GetObjectKind().GroupVersionKind().String(),
 				"patchedObjectName", ctrlclient.ObjectKeyFromObject(obj),
-			).Info("adding containerd restart script to control plane kubeadm config spec")
+			).Info("adding containerd apply patches and restart scripts to control plane kubeadm config spec")
 			obj.Spec.Template.Spec.KubeadmConfigSpec.Files = append(
 				obj.Spec.Template.Spec.KubeadmConfigSpec.Files,
-				file,
+				applyPatchesFile,
+				restartFile,
 			)
 
 			log.WithValues(
 				"patchedObjectKind", obj.GetObjectKind().GroupVersionKind().String(),
 				"patchedObjectName", ctrlclient.ObjectKeyFromObject(obj),
-			).Info("adding containerd restart command to control plane kubeadm config spec")
+			).Info("adding containerd apply patches and restart commands to control plane kubeadm config spec")
 			obj.Spec.Template.Spec.KubeadmConfigSpec.PreKubeadmCommands = append(
 				obj.Spec.Template.Spec.KubeadmConfigSpec.PreKubeadmCommands,
-				command,
+				applyPatchesCommand,
+				restartCommand,
 			)
 
 			return nil
@@ -70,14 +78,22 @@ func (h *containerdRestartPatchHandler) Mutate(
 			log.WithValues(
 				"patchedObjectKind", obj.GetObjectKind().GroupVersionKind().String(),
 				"patchedObjectName", ctrlclient.ObjectKeyFromObject(obj),
-			).Info("adding containerd restart script to worker node kubeadm config template")
-			obj.Spec.Template.Spec.Files = append(obj.Spec.Template.Spec.Files, file)
+			).Info("adding containerd apply patches and restart scripts to worker node kubeadm config template")
+			obj.Spec.Template.Spec.Files = append(
+				obj.Spec.Template.Spec.Files,
+				applyPatchesFile,
+				restartFile,
+			)
 
 			log.WithValues(
 				"patchedObjectKind", obj.GetObjectKind().GroupVersionKind().String(),
 				"patchedObjectName", ctrlclient.ObjectKeyFromObject(obj),
-			).Info("adding containerd restart command to worker node kubeadm config template")
-			obj.Spec.Template.Spec.PreKubeadmCommands = append(obj.Spec.Template.Spec.PreKubeadmCommands, command)
+			).Info("adding containerd apply patches and restart commands to worker node kubeadm config template")
+			obj.Spec.Template.Spec.PreKubeadmCommands = append(
+				obj.Spec.Template.Spec.PreKubeadmCommands,
+				applyPatchesCommand,
+				restartCommand,
+			)
 
 			return nil
 		}); err != nil {

pkg/handlers/generic/mutation/containerdapplypatchesandrestart/inject_test.go

@@ -0,0 +1,168 @@
+// Copyright 2023 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package containerdapplypatchesandrestart
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
+	"github.com/stretchr/testify/assert"
+	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
+	runtimehooksv1 "sigs.k8s.io/cluster-api/exp/runtime/hooks/api/v1alpha1"
+
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/common/pkg/capi/clustertopology/handlers/mutation"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/common/pkg/testutils/capitest"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/common/pkg/testutils/capitest/request"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/test/helpers"
+)
+
+func TestContainerdApplyPatchesAndRestartPatch(t *testing.T) {
+	gomega.RegisterFailHandler(Fail)
+	RunSpecs(t, "Containerd apply patches and restart mutator suite")
+}
+
+var _ = Describe("Generate Containerd apply patches and restart patches", func() {
+	// only add aws region patch
+	patchGenerator := func() mutation.GeneratePatches {
+		return mutation.NewMetaGeneratePatchesHandler("", helpers.TestEnv.Client, NewPatch()).(mutation.GeneratePatches)
+	}
+
+	testDefs := []capitest.PatchTestDef{
+		{
+			Name:        "restart script and command added to control plane kubeadm config spec",
+			RequestItem: request.NewKubeadmControlPlaneTemplateRequestItem(""),
+			ExpectedPatchMatchers: []capitest.JSONPatchMatcher{
+				{
+					Operation: "add",
+					Path:      "/spec/template/spec/kubeadmConfigSpec/files",
+					ValueMatcher: gomega.HaveExactElements(
+						gomega.HaveKeyWithValue(
+							"path", containerdApplyPatchesScriptOnRemote,
+						),
+						gomega.HaveKeyWithValue(
+							"path", ContainerdRestartScriptOnRemote,
+						),
+					),
+				},
+				{
+					Operation: "add",
+					Path:      "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands",
+					ValueMatcher: gomega.HaveExactElements(
+						containerdApplyPatchesScriptOnRemoteCommand,
+						ContainerdRestartScriptOnRemoteCommand,
+					),
+				},
+			},
+		},
+		{
+			Name: "restart script and command added to worker node kubeadm config template",
+			Vars: []runtimehooksv1.Variable{
+				capitest.VariableWithValue(
+					"builtin",
+					map[string]any{
+						"machineDeployment": map[string]any{
+							"class": "*",
+						},
+					},
+				),
+			},
+			RequestItem: request.NewKubeadmConfigTemplateRequestItem(""),
+			ExpectedPatchMatchers: []capitest.JSONPatchMatcher{
+				{
+					Operation: "add",
+					Path:      "/spec/template/spec/files",
+					ValueMatcher: gomega.HaveExactElements(
+						gomega.HaveKeyWithValue(
+							"path", containerdApplyPatchesScriptOnRemote,
+						),
+						gomega.HaveKeyWithValue(
+							"path", ContainerdRestartScriptOnRemote,
+						),
+					),
+				},
+				{
+					Operation: "add",
+					Path:      "/spec/template/spec/preKubeadmCommands",
+					ValueMatcher: gomega.HaveExactElements(
+						containerdApplyPatchesScriptOnRemoteCommand,
+						ContainerdRestartScriptOnRemoteCommand,
+					),
+				},
+			},
+		},
+	}
+
+	// create test node for each case
+	for testIdx := range testDefs {
+		tt := testDefs[testIdx]
+		It(tt.Name, func() {
+			capitest.AssertGeneratePatches(
+				GinkgoT(),
+				patchGenerator,
+				&tt,
+			)
+		})
+	}
+})
+
+func Test_generateContainerdApplyPatchesScript(t *testing.T) {
+	wantFile := bootstrapv1.File{
+		Path:        "/etc/containerd/apply-patches.sh",
+		Owner:       "",
+		Permissions: "0700",
+		Encoding:    "",
+		Append:      false,
+		//nolint:lll // just a long string
+		Content: `#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+# This script is used to merge the TOML files in the patch directory into the containerd configuration file.
+
+# Check if there are any TOML files in the patch directory, exiting if none are found.
+# Use a for loop that will only run a maximum of once to check if there are any files in the patch directory because
+# using -e does not work with globs.
+# See https://github.com/koalaman/shellcheck/wiki/SC2144 for an explanation of the following loop.
+patches_exist=false
+for file in "/etc/containerd/cre.d"/*.toml; do
+  if [ -e "${file}" ]; then
+    patches_exist=true
+  fi
+  # Always break after the first iteration.
+  break
+done
+
+if [ "${patches_exist}" = false ]; then
+  echo "No TOML files found in the patch directory: /etc/containerd/cre.d - nothing to do"
+  exit 0
+fi
+
+# Use go template variable to avoid hard-coding the toml-merge image name in this script.
+declare -r TOML_MERGE_IMAGE="ghcr.io/mesosphere/toml-merge:v0.2.0"
+
+# Check if the toml-merge image is already present in ctr images list, if not pull it.
+if ! ctr --namespace k8s.io images check "name==${TOML_MERGE_IMAGE}" | grep "${TOML_MERGE_IMAGE}" >/dev/null; then
+  ctr --namespace k8s.io images pull "${TOML_MERGE_IMAGE}"
+fi
+
+# Cleanup the temporary directory on exit.
+cleanup() {
+  ctr images unmount "${tmp_ctr_mount_dir}" || true
+}
+trap 'cleanup' EXIT
+
+# Create a temporary directory to mount the toml-merge image filesystem.
+readonly tmp_ctr_mount_dir="$(mktemp -d)"
+
+# Mount the toml-merge image filesystem and run the toml-merge binary to merge the TOML files.
+ctr --namespace k8s.io images mount "${TOML_MERGE_IMAGE}" "${tmp_ctr_mount_dir}"
+"${tmp_ctr_mount_dir}/usr/local/bin/toml-merge" -i --patch-file "/etc/containerd/cre.d/*.toml" /etc/containerd/config.toml
+`,
+	}
+	wantCmd := "/bin/bash /etc/containerd/apply-patches.sh"
+	file, cmd, _ := generateContainerdApplyPatchesScript()
+	assert.Equal(t, wantFile, file)
+	assert.Equal(t, wantCmd, cmd)
+}

pkg/handlers/generic/mutation/containerdapplypatchesandrestart/restart.go

@@ -0,0 +1,49 @@
+// Copyright 2023 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+package containerdapplypatchesandrestart
+
+import (
+	"bytes"
+	_ "embed"
+	"fmt"
+	"text/template"
+
+	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
+)
+
+const (
+	tomlMergeImage                              = "ghcr.io/mesosphere/toml-merge:v0.2.0"
+	containerdPatchesDirOnRemote                = "/etc/containerd/cre.d"
+	containerdApplyPatchesScriptOnRemote        = "/etc/containerd/apply-patches.sh"
+	containerdApplyPatchesScriptOnRemoteCommand = "/bin/bash " + containerdApplyPatchesScriptOnRemote
+)
+
+//go:embed templates/containerd-apply-patches.sh.gotmpl
+var containerdApplyConfigPatchesScript []byte
+
+func generateContainerdApplyPatchesScript() (bootstrapv1.File, string, error) {
+	t, err := template.New("").Parse(string(containerdApplyConfigPatchesScript))
+	if err != nil {
+		return bootstrapv1.File{}, "", fmt.Errorf("failed to parse go template: %w", err)
+	}
+
+	templateInput := struct {
+		TOMLMergeImage string
+		PatchDir       string
+	}{
+		TOMLMergeImage: tomlMergeImage,
+		PatchDir:       containerdPatchesDirOnRemote,
+	}
+
+	var b bytes.Buffer
+	err = t.Execute(&b, templateInput)
+	if err != nil {
+		return bootstrapv1.File{}, "", fmt.Errorf("failed executing template: %w", err)
+	}
+
+	return bootstrapv1.File{
+		Path:        containerdApplyPatchesScriptOnRemote,
+		Content:     b.String(),
+		Permissions: "0700",
+	}, containerdApplyPatchesScriptOnRemoteCommand, nil
+}

pkg/handlers/generic/mutation/containerdapplypatchesandrestart/templates/containerd-apply-patches.sh.gotmpl

@@ -0,0 +1,44 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+# This script is used to merge the TOML files in the patch directory into the containerd configuration file.
+
+# Check if there are any TOML files in the patch directory, exiting if none are found.
+# Use a for loop that will only run a maximum of once to check if there are any files in the patch directory because
+# using -e does not work with globs.
+# See https://github.com/koalaman/shellcheck/wiki/SC2144 for an explanation of the following loop.
+patches_exist=false
+for file in "{{ .PatchDir }}"/*.toml; do
+  if [ -e "${file}" ]; then
+    patches_exist=true
+  fi
+  # Always break after the first iteration.
+  break
+done
+
+if [ "${patches_exist}" = false ]; then
+  echo "No TOML files found in the patch directory: {{ .PatchDir }} - nothing to do"
+  exit 0
+fi
+
+# Use go template variable to avoid hard-coding the toml-merge image name in this script.
+declare -r TOML_MERGE_IMAGE="{{ .TOMLMergeImage }}"
+
+# Check if the toml-merge image is already present in ctr images list, if not pull it.
+if ! ctr --namespace k8s.io images check "name==${TOML_MERGE_IMAGE}" | grep "${TOML_MERGE_IMAGE}" >/dev/null; then
+  ctr --namespace k8s.io images pull "${TOML_MERGE_IMAGE}"
+fi
+
+# Cleanup the temporary directory on exit.
+cleanup() {
+  ctr images unmount "${tmp_ctr_mount_dir}" || true
+}
+trap 'cleanup' EXIT
+
+# Create a temporary directory to mount the toml-merge image filesystem.
+readonly tmp_ctr_mount_dir="$(mktemp -d)"
+
+# Mount the toml-merge image filesystem and run the toml-merge binary to merge the TOML files.
+ctr --namespace k8s.io images mount "${TOML_MERGE_IMAGE}" "${tmp_ctr_mount_dir}"
+"${tmp_ctr_mount_dir}/usr/local/bin/toml-merge" -i --patch-file "{{ .PatchDir }}/*.toml" /etc/containerd/config.toml