Add image-based config ISO assets

Signed-off-by: Michail Resvanis <[email protected]>

Author: mresvanis

go.mod

@@ -128,6 +128,7 @@ require (
 	sigs.k8s.io/cluster-api-provider-vsphere v1.9.3
 	sigs.k8s.io/controller-runtime v0.18.3
 	sigs.k8s.io/controller-tools v0.12.0
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd
 	sigs.k8s.io/yaml v1.4.0
 )
 
@@ -292,7 +293,6 @@ require (
 	k8s.io/component-base v0.30.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
 	k8s.io/kubectl v0.30.1 // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kustomize/api v0.16.0 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.16.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect

pkg/asset/imagebased/configimage/cabundle.go

@@ -0,0 +1,42 @@
+package configimage
+
+import (
+	"context"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/tls"
+)
+
+// ImageBasedKubeAPIServerCompleteCABundle is the asset the generates the kube-apiserver-complete-server-ca-bundle,
+// which contains all the certs that are valid to confirm the kube-apiserver identity and it also contains the
+// Ingress Operator CA certificate.
+type ImageBasedKubeAPIServerCompleteCABundle struct {
+	tls.CertBundle
+}
+
+var _ asset.Asset = (*ImageBasedKubeAPIServerCompleteCABundle)(nil)
+
+// Dependencies returns the dependency of the cert bundle.
+func (a *ImageBasedKubeAPIServerCompleteCABundle) Dependencies() []asset.Asset {
+	return []asset.Asset{
+		&tls.KubeAPIServerLocalhostCABundle{},
+		&tls.KubeAPIServerServiceNetworkCABundle{},
+		&tls.KubeAPIServerLBCABundle{},
+		&IngressOperatorCABundle{},
+	}
+}
+
+// Generate generates the cert bundle based on its dependencies.
+func (a *ImageBasedKubeAPIServerCompleteCABundle) Generate(ctx context.Context, deps asset.Parents) error {
+	certs := []tls.CertInterface{}
+	for _, asset := range a.Dependencies() {
+		deps.Get(asset)
+		certs = append(certs, asset.(tls.CertInterface))
+	}
+	return a.CertBundle.Generate(ctx, "kube-apiserver-complete-server-ca-bundle", certs...)
+}
+
+// Name returns the human-friendly name of the asset.
+func (a *ImageBasedKubeAPIServerCompleteCABundle) Name() string {
+	return "Certificate (kube-apiserver-complete-server-ca-bundle)"
+}

pkg/asset/imagebased/configimage/cabundle_test.go

@@ -0,0 +1,90 @@
+package configimage
+
+import (
+	"bytes"
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/tls"
+)
+
+func TestCaBundle_Generate(t *testing.T) {
+	expectedBundleRaw := bytes.Join([][]byte{
+		lbCABundle().BundleRaw,
+		localhostCABundle().BundleRaw,
+		serviceNetworkCABundle().BundleRaw,
+		ingressCABundle().BundleRaw,
+	}, []byte{})
+
+	cases := []struct {
+		name         string
+		dependencies []asset.Asset
+		expected     *tls.CertBundle
+	}{
+		{
+			name: "valid dependencies",
+			dependencies: []asset.Asset{
+				lbCABundle(),
+				localhostCABundle(),
+				serviceNetworkCABundle(),
+				ingressCABundle(),
+			},
+			expected: &tls.CertBundle{
+				BundleRaw: expectedBundleRaw,
+				FileList: []*asset.File{
+					{
+						Filename: "tls/kube-apiserver-complete-server-ca-bundle.crt",
+						Data:     expectedBundleRaw,
+					},
+				},
+			},
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			parents := asset.Parents{}
+			parents.Add(tc.dependencies...)
+
+			asset := &ImageBasedKubeAPIServerCompleteCABundle{}
+			err := asset.Generate(context.TODO(), parents)
+			assert.NoError(t, err)
+			assert.Equal(t, string(tc.expected.BundleRaw), string(asset.CertBundle.BundleRaw))
+			assert.Equal(t, tc.expected.FileList, asset.CertBundle.FileList)
+		})
+	}
+}
+
+func lbCABundle() *tls.KubeAPIServerLBCABundle {
+	return &tls.KubeAPIServerLBCABundle{
+		CertBundle: tls.CertBundle{
+			BundleRaw: []byte(testCert),
+		},
+	}
+}
+
+func localhostCABundle() *tls.KubeAPIServerLocalhostCABundle {
+	return &tls.KubeAPIServerLocalhostCABundle{
+		CertBundle: tls.CertBundle{
+			BundleRaw: []byte(testCert),
+		},
+	}
+}
+
+func serviceNetworkCABundle() *tls.KubeAPIServerServiceNetworkCABundle {
+	return &tls.KubeAPIServerServiceNetworkCABundle{
+		CertBundle: tls.CertBundle{
+			BundleRaw: []byte(testCert),
+		},
+	}
+}
+
+func ingressCABundle() *IngressOperatorCABundle {
+	return &IngressOperatorCABundle{
+		CertBundle: tls.CertBundle{
+			BundleRaw: []byte(testCert),
+		},
+	}
+}

pkg/asset/imagebased/configimage/clusterconfiguration.go

@@ -0,0 +1,205 @@
+package configimage
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	k8sjson "sigs.k8s.io/json"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/password"
+	"github.com/openshift/installer/pkg/asset/tls"
+	"github.com/openshift/installer/pkg/types"
+	"github.com/openshift/installer/pkg/types/imagebased"
+)
+
+const (
+	defaultChronyConf = `
+pool 0.rhel.pool.ntp.org iburst
+driftfile /var/lib/chrony/drift
+makestep 1.0 3
+rtcsync
+logdir /var/log/chrony`
+
+	userCABundleConfigMapName = "user-ca-bundle"
+)
+
+var (
+	clusterConfigurationFilename = filepath.Join(clusterConfigurationDir, "manifest.json")
+
+	_ asset.WritableAsset = (*ClusterConfiguration)(nil)
+)
+
+// ClusterConfiguration generates the image-based installer cluster configuration asset.
+type ClusterConfiguration struct {
+	File   *asset.File
+	Config *imagebased.SeedReconfiguration
+}
+
+// Name returns a human friendly name for the asset.
+func (*ClusterConfiguration) Name() string {
+	return "Image-based installer cluster configuration"
+}
+
+// Dependencies returns all of the dependencies directly needed to generate
+// the asset.
+func (*ClusterConfiguration) Dependencies() []asset.Asset {
+	return []asset.Asset{
+		&InstallConfig{},
+		&ClusterID{},
+		&tls.KubeAPIServerLBSignerCertKey{},
+		&tls.KubeAPIServerLocalhostSignerCertKey{},
+		&tls.KubeAPIServerServiceNetworkSignerCertKey{},
+		&tls.AdminKubeConfigSignerCertKey{},
+		&IngressOperatorSignerCertKey{},
+		&password.KubeadminPassword{},
+		&ImageBasedConfig{},
+	}
+}
+
+// Generate generates the Image-based Installer ClusterConfiguration manifest.
+func (cc *ClusterConfiguration) Generate(_ context.Context, dependencies asset.Parents) error {
+	installConfig := &InstallConfig{}
+	clusterID := &ClusterID{}
+	imageBasedConfig := &ImageBasedConfig{}
+	serverLBSignerCertKey := &tls.KubeAPIServerLBSignerCertKey{}
+	serverLocalhostSignerCertKey := &tls.KubeAPIServerLocalhostSignerCertKey{}
+	serverServiceNetworkSignerCertKey := &tls.KubeAPIServerServiceNetworkSignerCertKey{}
+	adminKubeConfigSignerCertKey := &tls.AdminKubeConfigSignerCertKey{}
+	ingressOperatorSignerCertKey := &IngressOperatorSignerCertKey{}
+
+	dependencies.Get(
+		installConfig,
+		clusterID,
+		imageBasedConfig,
+		serverLBSignerCertKey,
+		serverLocalhostSignerCertKey,
+		serverServiceNetworkSignerCertKey,
+		adminKubeConfigSignerCertKey,
+		ingressOperatorSignerCertKey,
+	)
+
+	pwd := &password.KubeadminPassword{}
+	dependencies.Get(pwd)
+	pwdHash := string(pwd.PasswordHash)
+
+	if installConfig.Config == nil || imageBasedConfig.Config == nil {
+		return cc.finish()
+	}
+
+	cc.Config = &imagebased.SeedReconfiguration{
+		APIVersion:            imagebased.SeedReconfigurationVersion,
+		BaseDomain:            installConfig.Config.BaseDomain,
+		ClusterID:             clusterID.UUID,
+		ClusterName:           installConfig.ClusterName(),
+		Hostname:              imageBasedConfig.Config.Hostname,
+		InfraID:               clusterID.InfraID,
+		KubeadminPasswordHash: pwdHash,
+		Proxy:                 installConfig.Config.Proxy,
+		PullSecret:            installConfig.Config.PullSecret,
+		RawNMStateConfig:      imageBasedConfig.Config.NetworkConfig.String(),
+		ReleaseRegistry:       imageBasedConfig.Config.ReleaseRegistry,
+		SSHKey:                installConfig.Config.SSHKey,
+	}
+
+	if len(imageBasedConfig.Config.AdditionalNTPSources) > 0 {
+		cc.Config.ChronyConfig = chronyConfWithAdditionalNTPSources(imageBasedConfig.Config.AdditionalNTPSources)
+	}
+
+	if installConfig.Config.AdditionalTrustBundle != "" {
+		cc.Config.AdditionalTrustBundle = imagebased.AdditionalTrustBundle{
+			UserCaBundle: installConfig.Config.AdditionalTrustBundle,
+		}
+
+		if installConfig.Config.AdditionalTrustBundlePolicy == types.PolicyAlways ||
+			(installConfig.Config.AdditionalTrustBundlePolicy == types.PolicyProxyOnly && installConfig.Config.Proxy != nil) {
+			cc.Config.AdditionalTrustBundle.ProxyConfigmapName = userCABundleConfigMapName
+			cc.Config.AdditionalTrustBundle.ProxyConfigmapBundle = installConfig.Config.AdditionalTrustBundle
+		}
+	}
+
+	cc.Config.KubeconfigCryptoRetention = imagebased.KubeConfigCryptoRetention{
+		KubeAPICrypto: imagebased.KubeAPICrypto{
+			ServingCrypto: imagebased.ServingCrypto{
+				LoadbalancerSignerPrivateKey:   string(serverLBSignerCertKey.Key()),
+				LocalhostSignerPrivateKey:      string(serverLocalhostSignerCertKey.Key()),
+				ServiceNetworkSignerPrivateKey: string(serverServiceNetworkSignerCertKey.Key()),
+			},
+			ClientAuthCrypto: imagebased.ClientAuthCrypto{
+				AdminCACertificate: string(adminKubeConfigSignerCertKey.Cert()),
+			},
+		},
+		IngresssCrypto: imagebased.IngresssCrypto{
+			IngressCA: string(ingressOperatorSignerCertKey.Key()),
+		},
+	}
+
+	// validation for the length of the MachineNetwork is performed in the InstallConfig
+	cc.Config.MachineNetwork = installConfig.Config.Networking.MachineNetwork[0].CIDR.String()
+
+	clusterConfigurationData, err := json.Marshal(cc.Config)
+	if err != nil {
+		return fmt.Errorf("failed to marshal image-based installer ClusterConfiguration: %w", err)
+	}
+
+	cc.File = &asset.File{
+		Filename: clusterConfigurationFilename,
+		Data:     clusterConfigurationData,
+	}
+
+	return cc.finish()
+}
+
+// Files returns the files generated by the asset.
+func (cc *ClusterConfiguration) Files() []*asset.File {
+	if cc.File != nil {
+		return []*asset.File{cc.File}
+	}
+	return []*asset.File{}
+}
+
+// Load returns ClusterConfiguration asset from the disk.
+func (cc *ClusterConfiguration) Load(f asset.FileFetcher) (bool, error) {
+	file, err := f.FetchByName(clusterConfigurationFilename)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, fmt.Errorf("failed to load %s file: %w", clusterConfigurationFilename, err)
+	}
+
+	config := &imagebased.SeedReconfiguration{}
+	strErrs, err := k8sjson.UnmarshalStrict(file.Data, config)
+	if len(strErrs) > 0 {
+		return false, fmt.Errorf("failed to unmarshal %s: %w", clusterConfigurationFilename, errors.Join(strErrs...))
+	}
+	if err != nil {
+		return false, fmt.Errorf("failed to unmarshal %s: invalid JSON syntax", clusterConfigurationFilename)
+	}
+
+	cc.File, cc.Config = file, config
+	if err = cc.finish(); err != nil {
+		return false, err
+	}
+
+	return true, nil
+}
+
+func (cc *ClusterConfiguration) finish() error {
+	if cc.Config == nil {
+		return errors.New("missing configuration or manifest file")
+	}
+	return nil
+}
+
+func chronyConfWithAdditionalNTPSources(sources []string) string {
+	content := defaultChronyConf[:]
+	for _, source := range sources {
+		content += fmt.Sprintf("\nserver %s iburst", source)
+	}
+	return content
+}