feat(v3): headless install cli flags and validation (#3133)

Author: emosbaugh

api/controllers/app/controller.go

@@ -202,11 +202,8 @@ func NewAppController(opts ...AppControllerOption) (*AppController, error) {
 	}
 
 	if controller.configValues != nil {
-		err := controller.appConfigManager.ValidateConfigValues(controller.configValues)
-		if err != nil {
-			return nil, fmt.Errorf("validate app config values: %w", err)
-		}
-		err = controller.appConfigManager.PatchConfigValues(controller.configValues)
+		// Prepopulate the config values in the UI
+		err := controller.appConfigManager.PatchConfigValues(controller.configValues)
 		if err != nil {
 			return nil, fmt.Errorf("patch app config values: %w", err)
 		}

cmd/installer/cli/api.go

@@ -28,6 +28,7 @@ type apiOptions struct {
 	apitypes.APIConfig
 
 	ManagerPort int
+	Headless    bool
 	// The mode the web will be running on, install or upgrade
 	WebMode web.Mode
 
@@ -41,6 +42,7 @@ func startAPI(ctx context.Context, cert tls.Certificate, opts apiOptions, cancel
 	if err != nil {
 		return fmt.Errorf("unable to create listener: %w", err)
 	}
+	logrus.Debugf("API server listening on port: %d", opts.ManagerPort)
 
 	go func() {
 		// If the api exits, we want to exit the entire process
@@ -52,8 +54,17 @@ func startAPI(ctx context.Context, cert tls.Certificate, opts apiOptions, cancel
 		}
 	}()
 
-	addr := fmt.Sprintf("localhost:%d", opts.ManagerPort)
-	if err := waitForAPI(ctx, addr); err != nil {
+	addr := fmt.Sprintf("https://localhost:%d", opts.ManagerPort)
+	httpClient := &http.Client{
+		Timeout: 2 * time.Second,
+		Transport: &http.Transport{
+			Proxy: nil,
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+		},
+	}
+	if err := waitForAPI(ctx, httpClient, addr); err != nil {
 		return fmt.Errorf("unable to wait for api: %w", err)
 	}
 
@@ -84,20 +95,23 @@ func serveAPI(ctx context.Context, listener net.Listener, cert tls.Certificate,
 		return fmt.Errorf("new api: %w", err)
 	}
 
-	webServer, err := web.New(web.InitialState{
-		Title:                opts.ReleaseData.Application.Spec.Title,
-		Icon:                 opts.ReleaseData.Application.Spec.Icon,
-		InstallTarget:        string(opts.InstallTarget),
-		Mode:                 opts.WebMode,
-		IsAirgap:             opts.AirgapBundle != "",
-		RequiresInfraUpgrade: opts.RequiresInfraUpgrade,
-	}, web.WithLogger(logger), web.WithAssetsFS(opts.WebAssetsFS))
-	if err != nil {
-		return fmt.Errorf("new web server: %w", err)
-	}
-
 	api.RegisterRoutes(router.PathPrefix("/api").Subrouter())
-	webServer.RegisterRoutes(router.PathPrefix("/").Subrouter())
+
+	// Only start web server for UI mode, not headless
+	if !opts.Headless {
+		webServer, err := web.New(web.InitialState{
+			Title:                opts.ReleaseData.Application.Spec.Title,
+			Icon:                 opts.ReleaseData.Application.Spec.Icon,
+			InstallTarget:        string(opts.InstallTarget),
+			Mode:                 opts.WebMode,
+			IsAirgap:             opts.AirgapBundle != "",
+			RequiresInfraUpgrade: opts.RequiresInfraUpgrade,
+		}, web.WithLogger(logger), web.WithAssetsFS(opts.WebAssetsFS))
+		if err != nil {
+			return fmt.Errorf("new web server: %w", err)
+		}
+		webServer.RegisterRoutes(router.PathPrefix("/").Subrouter())
+	}
 
 	server := &http.Server{
 		// ErrorLog outputs TLS errors and warnings to the console, we want to make sure we use the same logrus logger for them
@@ -126,16 +140,7 @@ func loggerFromOptions(opts apiOptions) (logrus.FieldLogger, error) {
 	return logger, nil
 }
 
-func waitForAPI(ctx context.Context, addr string) error {
-	httpClient := http.Client{
-		Timeout: 2 * time.Second,
-		Transport: &http.Transport{
-			Proxy: nil,
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-		},
-	}
+func waitForAPI(ctx context.Context, httpClient *http.Client, addr string) error {
 	timeout := time.After(10 * time.Second)
 	var lastErr error
 	for {
@@ -148,7 +153,7 @@ func waitForAPI(ctx context.Context, addr string) error {
 			}
 			return fmt.Errorf("api did not start in time")
 		case <-time.Tick(1 * time.Second):
-			req, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf("https://%s/api/health", addr), nil)
+			req, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf("%s/api/health", addr), nil)
 			if err != nil {
 				lastErr = fmt.Errorf("unable to create request: %w", err)
 				continue

cmd/installer/cli/install.go

@@ -62,6 +62,7 @@ type installFlags struct {
 	assumeYes            bool
 	overrides            string
 	configValues         string
+	headless             bool
 
 	// linux flags
 	dataDir                 string
@@ -97,6 +98,7 @@ type installConfig struct {
 	tlsCert                 tls.Certificate
 	tlsCertBytes            []byte
 	tlsKeyBytes             []byte
+	configValues            *kotsv1beta1.ConfigValues
 }
 
 // webAssetsFS is the filesystem to be used by the web component. Defaults to nil allowing the web server to use the default assets embedded in the binary. Useful for testing.
@@ -129,6 +131,7 @@ func InstallCmd(ctx context.Context, appSlug, appTitle string) *cobra.Command {
 			if err != nil {
 				return err
 			}
+
 			if err := verifyAndPrompt(ctx, cmd, appSlug, &flags, installCfg, prompts.New()); err != nil {
 				return err
 			}
@@ -346,13 +349,17 @@ func addTLSFlags(cmd *cobra.Command, flags *installFlags) error {
 
 func addManagementConsoleFlags(cmd *cobra.Command, flags *installFlags) error {
 	cmd.Flags().IntVar(&flags.managerPort, "manager-port", ecv1beta1.DefaultManagerPort, "Port on which the Manager will be served")
+	cmd.Flags().BoolVar(&flags.headless, "headless", false, "Run installation in headless mode without UI interaction.")
 
 	// If the ENABLE_V3 environment variable is set, default to the new manager experience and do
 	// not hide the manager-port flag.
 	if !isV3Enabled() {
 		if err := cmd.Flags().MarkHidden("manager-port"); err != nil {
 			return err
 		}
+		if err := cmd.Flags().MarkHidden("headless"); err != nil {
+			return err
+		}
 	}
 
 	return nil
@@ -493,12 +500,8 @@ func runManagerExperienceInstall(
 	}
 
 	var configValues apitypes.AppConfigValues
-	if flags.configValues != "" {
-		kotsConfigValues, err := helpers.ParseConfigValues(flags.configValues)
-		if err != nil {
-			return fmt.Errorf("parse config values file: %w", err)
-		}
-		configValues = apitypes.ConvertToAppConfigValues(kotsConfigValues)
+	if installCfg.configValues != nil {
+		configValues = apitypes.ConvertToAppConfigValues(installCfg.configValues)
 	}
 
 	apiConfig := apiOptions{
@@ -532,6 +535,7 @@ func runManagerExperienceInstall(
 		},
 
 		ManagerPort:     flags.managerPort,
+		Headless:        flags.headless,
 		WebMode:         web.ModeInstall,
 		MetricsReporter: metricsReporter,
 	}
@@ -543,6 +547,11 @@ func runManagerExperienceInstall(
 		return fmt.Errorf("failed to start api: %w", err)
 	}
 
+	if flags.headless {
+		// TODO(PR2): Implement headless installation orchestration
+		return fmt.Errorf("headless installation is not yet fully implemented - coming in a future release")
+	}
+
 	logrus.Infof("\nVisit the %s manager to continue: %s\n",
 		appTitle,
 		getManagerURL(flags.hostname, flags.managerPort))
@@ -718,10 +727,11 @@ func verifyAndPrompt(ctx context.Context, cmd *cobra.Command, appSlug string, fl
 	}
 
 	logrus.Debugf("checking license matches")
-	license, err := verifyLicense(installCfg.license)
+	err = verifyLicense(installCfg.license)
 	if err != nil {
 		return err
 	}
+
 	if installCfg.airgapMetadata != nil && installCfg.airgapMetadata.AirgapInfo != nil {
 		logrus.Debugf("checking airgap bundle matches binary")
 		if err := checkAirgapMatches(installCfg.airgapMetadata.AirgapInfo); err != nil {
@@ -730,7 +740,7 @@ func verifyAndPrompt(ctx context.Context, cmd *cobra.Command, appSlug string, fl
 	}
 
 	if !installCfg.isAirgap {
-		if err := maybePromptForAppUpdate(ctx, prompt, license, flags.assumeYes); err != nil {
+		if err := maybePromptForAppUpdate(ctx, prompt, installCfg.license, flags.assumeYes); err != nil {
 			if errors.As(err, &ErrorNothingElseToAdd{}) {
 				return err
 			}
@@ -796,7 +806,7 @@ func ensureAdminConsolePassword(flags *installFlags) error {
 	return nil
 }
 
-func verifyLicense(license *kotsv1beta1.License) (*kotsv1beta1.License, error) {
+func verifyLicense(license *kotsv1beta1.License) error {
 	rel := release.GetChannelRelease()
 
 	// handle the three cases that do not require parsing the license file
@@ -805,42 +815,42 @@ func verifyLicense(license *kotsv1beta1.License) (*kotsv1beta1.License, error) {
 	// 3. a license and no release, which is not OK
 	if rel == nil && license == nil {
 		// no license and no release, this is OK
-		return nil, nil
+		return nil
 	} else if rel == nil && license != nil {
 		// license is present but no release, this means we would install without vendor charts and k0s overrides
-		return nil, fmt.Errorf("a license was provided but no release was found in binary, please rerun without the license flag")
+		return fmt.Errorf("a license was provided but no release was found in binary, please rerun without the license flag")
 	} else if rel != nil && license == nil {
 		// release is present but no license, this is not OK
-		return nil, fmt.Errorf("no license was provided for %s and one is required, please rerun with '--license <path to license file>'", rel.AppSlug)
+		return fmt.Errorf("no license was provided for %s and one is required, please rerun with '--license <path to license file>'", rel.AppSlug)
 	}
 
 	// Check if the license matches the application version data
 	if rel.AppSlug != license.Spec.AppSlug {
 		// if the app is different, we will not be able to provide the correct vendor supplied charts and k0s overrides
-		return nil, fmt.Errorf("license app %s does not match binary app %s, please provide the correct license", license.Spec.AppSlug, rel.AppSlug)
+		return fmt.Errorf("license app %s does not match binary app %s, please provide the correct license", license.Spec.AppSlug, rel.AppSlug)
 	}
 
 	// Ensure the binary channel actually is present in the supplied license
 	if err := checkChannelExistence(license, rel); err != nil {
-		return nil, err
+		return err
 	}
 
 	if license.Spec.Entitlements["expires_at"].Value.StrVal != "" {
 		// read the expiration date, and check it against the current date
 		expiration, err := time.Parse(time.RFC3339, license.Spec.Entitlements["expires_at"].Value.StrVal)
 		if err != nil {
-			return nil, fmt.Errorf("parse expiration date: %w", err)
+			return fmt.Errorf("parse expiration date: %w", err)
 		}
 		if time.Now().After(expiration) {
-			return nil, fmt.Errorf("license expired on %s, please provide a valid license", expiration)
+			return fmt.Errorf("license expired on %s, please provide a valid license", expiration)
 		}
 	}
 
 	if !license.Spec.IsEmbeddedClusterDownloadEnabled {
-		return nil, fmt.Errorf("license does not have embedded cluster enabled, please provide a valid license")
+		return fmt.Errorf("license does not have embedded cluster enabled, please provide a valid license")
 	}
 
-	return license, nil
+	return nil
 }
 
 // checkChannelExistence verifies that a channel exists in a supplied license, returning a user-friendly

cmd/installer/cli/install_config.go

@@ -8,6 +8,7 @@ import (
 	"os"
 
 	"github.com/google/uuid"
+	apitypes "github.com/replicatedhq/embedded-cluster/api/types"
 	"github.com/replicatedhq/embedded-cluster/cmd/installer/goods"
 	newconfig "github.com/replicatedhq/embedded-cluster/pkg-new/config"
 	"github.com/replicatedhq/embedded-cluster/pkg-new/tlsutils"
@@ -81,6 +82,29 @@ func buildInstallFlags(cmd *cobra.Command, flags *installFlags) error {
 	}
 	flags.proxySpec = proxy
 
+	// Headless installation validation
+	if isV3Enabled() && flags.headless {
+		if err := validateHeadlessInstallFlags(flags); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func validateHeadlessInstallFlags(flags *installFlags) error {
+	if flags.configValues == "" {
+		return fmt.Errorf("--config-values flag is required for headless installation")
+	}
+
+	if flags.adminConsolePassword == "" {
+		return fmt.Errorf("--admin-console-password flag is required for headless installation")
+	}
+
+	if flags.target != string(apitypes.InstallTargetLinux) {
+		return fmt.Errorf("headless installation only supports --target=linux (got: %s)", flags.target)
+	}
+
 	return nil
 }
 
@@ -118,6 +142,13 @@ func buildInstallConfig(flags *installFlags) (*installConfig, error) {
 		if err != nil {
 			return nil, fmt.Errorf("config values file is not valid: %w", err)
 		}
+
+		// Parse the config values file
+		cv, err := helpers.ParseConfigValues(flags.configValues)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse config values file: %w", err)
+		}
+		installCfg.configValues = cv
 	}
 
 	// Airgap detection and metadata
@@ -187,7 +218,7 @@ func processTLSConfig(flags *installFlags, installCfg *installConfig) error {
 		installCfg.tlsCertBytes = certBytes
 		installCfg.tlsKeyBytes = keyBytes
 	} else if installCfg.enableManagerExperience {
-		// For manager experience, generate self-signed certificate if none provided
+		// For manager experience, generate self-signed cert if none provided, with user confirmation
 		logrus.Warn("\nNo certificate files provided. A self-signed certificate will be used, and your browser will show a security warning.")
 		logrus.Info("To use your own certificate, provide both --tls-key and --tls-cert flags.")
 
@@ -198,7 +229,7 @@ func processTLSConfig(flags *installFlags, installCfg *installConfig) error {
 				return fmt.Errorf("failed to get confirmation: %w", err)
 			}
 			if !confirmed {
-				logrus.Infof("\nInstallation cancelled. Please run the command again with the --tls-key and --tls-cert flags.\n")
+				logrus.Info("Installation cancelled. Please run the command again with the --tls-key and --tls-cert flags or use the --yes flag to continue with a self-signed certificate.\n")
 				return fmt.Errorf("installation cancelled by user")
 			}
 		}