feat: implement install and uninstall flow (#68)

add node-installer and shim-downloader to install job

Author: voigt

.github/dependabot.yml

@@ -12,6 +12,12 @@ updates:
       interval: "weekly"
     labels:
       - "area/dependencies"
+  - package-ecosystem: docker
+    directory: "/images/downloader"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "area/dependencies"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:

.github/workflows/downloader-build.yml

@@ -0,0 +1,45 @@
+name: Build shim-downloader image, sign it, and generate SBOMs
+
+on:
+  workflow_call:
+    outputs:
+      digest:
+        description: "Container image digest"
+        value: ${{jobs.build.outputs.digest}}
+
+  push:
+    branches:
+      - "main"
+      - "feat-**"
+
+jobs:
+  build:
+    uses: ./.github/workflows/container-image.yml
+    permissions:
+      contents: read
+      packages: write
+    with:
+      image-name: shim-downloader
+      dockerfile: ./images/downloader/Dockerfile
+      docker-context: ./images/downloader
+      push-image: true
+
+  sign:
+    needs: build
+    uses: ./.github/workflows/sign-image.yml
+    permissions:
+      packages: write
+      id-token: write
+    with:
+      image-repository: ${{ needs.build.outputs.repository }}
+      image-digest: ${{ needs.build.outputs.digest }}
+
+  sbom:
+    needs: build
+    uses: ./.github/workflows/sbom.yml
+    permissions:
+      packages: write
+      id-token: write
+    with:
+      image-name: shim-downloader
+      image-digest: ${{ needs.build.outputs.digest }}

.vscode/launch.json

@@ -9,7 +9,7 @@
             "type": "go",
             "request": "launch",
             "mode": "auto",
-            "program": "./cmd/main.go"
+            "program": "./cmd/rcm/main.go"
         }
     ]
 }

cmd/node-installer/uninstall.go

@@ -39,8 +39,10 @@ var uninstallCmd = &cobra.Command{
 		restarter := containerd.NewRestarter()
 
 		if err := RunUninstall(config, rootFs, hostFs, restarter); err != nil {
-			slog.Error("failed to uninstall", "error", err)
-			os.Exit(1)
+			slog.Error("failed to uninstall shim", "error", err)
+
+			// Exiting with 0 to prevent Kubernetes Jobs from running repetitively
+			os.Exit(0)
 		}
 	},
 }
@@ -50,7 +52,7 @@ func init() {
 }
 
 func RunUninstall(config Config, rootFs, hostFs afero.Fs, restarter containerd.Restarter) error {
-	slog.Info("uninstall called")
+	slog.Info("uninstall called", "shim", config.Runtime.Name)
 	shimName := config.Runtime.Name
 	runtimeName := path.Join(config.Kwasm.Path, "bin", shimName)
 
@@ -64,7 +66,7 @@ func RunUninstall(config Config, rootFs, hostFs afero.Fs, restarter containerd.R
 
 	configChanged, err := containerdConfig.RemoveRuntime(binPath)
 	if err != nil {
-		return fmt.Errorf("failed to write conteainerd config for shim '%s': %w", runtimeName, err)
+		return fmt.Errorf("failed to write containerd config for shim '%s': %w", runtimeName, err)
 	}
 
 	if !configChanged {

config/samples/test_shim_spin.yaml

@@ -1,10 +1,10 @@
 apiVersion: runtime.kwasm.sh/v1alpha1 
 kind: Shim
 metadata:
-  name: wasmtime-spin-v2
+  name: spin-v2
   labels:
-    app.kubernetes.io/name: wasmtime-spin-v2
-    app.kubernetes.io/instance: wasmtime-spin-v2
+    app.kubernetes.io/name: spin-v2
+    app.kubernetes.io/instance: spin-v2
     app.kubernetes.io/part-of: kwasm-operator
     app.kubernetes.io/managed-by: kustomize
     app.kubernetes.io/created-by: kwasm-operator
@@ -15,10 +15,10 @@ spec:
   fetchStrategy:
     type: annonymousHttp
     anonHttp:
-      location: "https://github.com/deislabs/containerd-wasm-shims/releases/download/v0.10.0/containerd-wasm-shims-v2-spin-linux-aarch64.tar.gz"
+      location: "https://github.com/spinkube/containerd-shim-spin/releases/download/v0.14.1/containerd-shim-spin-v2-linux-aarch64.tar.gz"
 
   runtimeClass:
-    name: wasmtime-spin-v2
+    name: spin-v2
     handler: spin
 
   rolloutStrategy:

images/downloader/Dockerfile

@@ -0,0 +1,5 @@
+FROM alpine:3.19.1
+
+RUN apk add --no-cache curl bash tar
+COPY download_shim.sh /download_shim.sh
+CMD bash /download_shim.sh

images/downloader/download_shim.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+declare -A levels=([DEBUG]=0 [INFO]=1 [WARN]=2 [ERROR]=3)
+script_logging_level="INFO"
+
+log() {
+    local log_message=$1
+    local log_priority=$2
+
+    #check if level exists
+    [[ ${levels[$log_priority]} ]] || return 1
+
+    #check if level is enough
+    (( ${levels[$log_priority]} < ${levels[$script_logging_level]} )) && return 2
+
+    #log here
+    d=$(date '+%Y-%m-%dT%H:%M:%S')
+    echo -e "${d}\t${log_priority}\t${log_message}"
+}
+
+log "start downloading shim from  ${SHIM_LOCATION}..." "INFO"
+
+mkdir -p /assets
+
+# overwrite default name of shim binary; use the name of shim resource instead
+# to enable installing multiple versions of the same shim
+curl -sL "${SHIM_LOCATION}"  | tar --transform "s/containerd-shim-.*/containerd-shim-${SHIM_NAME}/" -xzf - -C /assets
+log "download successful:" "INFO"
+
+ls -lah /assets

internal/controller/shim_controller.go

@@ -56,6 +56,14 @@ type ShimReconciler struct {
 	Scheme *runtime.Scheme
 }
 
+// configuration for INSTALL or UNINSTALL jobs
+type opConfig struct {
+	operation     string
+	privileged    bool
+	initContainer []corev1.Container
+	args          []string
+}
+
 //+kubebuilder:rbac:groups=runtime.kwasm.sh,resources=shims,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=runtime.kwasm.sh,resources=shims/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=runtime.kwasm.sh,resources=shims/finalizers,verbs=update
@@ -301,7 +309,7 @@ func (sr *ShimReconciler) deployJobOnNode(ctx context.Context, shim *rcmv1.Shim,
 
 	// We rely on controller-runtime to rate limit us.
 	if err := sr.Client.Patch(ctx, job, patchMethod, patchOptions); err != nil {
-		log.Error().Msgf("Unable to reconcile Job %s", err)
+		log.Error().Msgf("Unable to reconcile Job: %s", err)
 		if err := sr.updateNodeLabels(ctx, &node, shim, "failed"); err != nil {
 			log.Error().Msgf("Unable to update node label %s: %s", shim.Name, err)
 		}
@@ -321,13 +329,69 @@ func (sr *ShimReconciler) updateNodeLabels(ctx context.Context, node *corev1.Nod
 	return nil
 }
 
+// setOperationConfiguration sets operation specific configuration for the job manifest
+func (sr *ShimReconciler) setOperationConfiguration(shim *rcmv1.Shim, opConfig *opConfig) {
+	if opConfig.operation == INSTALL {
+		opConfig.initContainer = []corev1.Container{{
+			Image: os.Getenv("SHIM_DOWNLOADER_IMAGE"),
+			Name:  "downloader",
+			SecurityContext: &corev1.SecurityContext{
+				Privileged: &opConfig.privileged,
+			},
+			Env: []corev1.EnvVar{
+				{
+					Name:  "SHIM_NAME",
+					Value: shim.Name,
+				},
+				{
+					Name:  "SHIM_LOCATION",
+					Value: shim.Spec.FetchStrategy.AnonHTTP.Location,
+				},
+			},
+			VolumeMounts: []corev1.VolumeMount{
+				{
+					Name:      "shim-download",
+					MountPath: "/assets",
+				},
+			},
+		}}
+		opConfig.args = []string{
+			"install",
+			"-H",
+			"/mnt/node-root",
+			"-r",
+			shim.Name,
+		}
+	}
+
+	if opConfig.operation == UNINSTALL {
+		opConfig.initContainer = nil
+		opConfig.args = []string{
+			"uninstall",
+			"-H",
+			"/mnt/node-root",
+			"-r",
+			shim.Name,
+		}
+	}
+}
+
 // createJobManifest creates a Job manifest for a Shim.
 func (sr *ShimReconciler) createJobManifest(shim *rcmv1.Shim, node *corev1.Node, operation string) (*batchv1.Job, error) {
-	priv := true
+	opConfig := opConfig{
+		operation:  operation,
+		privileged: true,
+	}
+	sr.setOperationConfiguration(shim, &opConfig)
+
 	name := node.Name + "-" + shim.Name + "-" + operation
 	nameMax := int(math.Min(float64(len(name)), 63))
 
 	job := &batchv1.Job{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "batch/v1",
+			Kind:       "Job",
+		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name[:nameMax],
 			Namespace: os.Getenv("CONTROLLER_NAMESPACE"),
@@ -348,37 +412,32 @@ func (sr *ShimReconciler) createJobManifest(shim *rcmv1.Shim, node *corev1.Node,
 				Spec: corev1.PodSpec{
 					NodeName: node.Name,
 					HostPID:  true,
-					Volumes: []corev1.Volume{{
-						Name: "root-mount",
-						VolumeSource: corev1.VolumeSource{
-							HostPath: &corev1.HostPathVolumeSource{
-								Path: "/",
+					Volumes: []corev1.Volume{
+						{
+							Name: "shim-download",
+						},
+						{
+							Name: "root-mount",
+							VolumeSource: corev1.VolumeSource{
+								HostPath: &corev1.HostPathVolumeSource{
+									Path: "/",
+								},
 							},
 						},
-					}},
+					},
+					InitContainers: opConfig.initContainer,
 					Containers: []corev1.Container{{
-						Image: "voigt/kwasm-node-installer:" + operation,
+						Image: os.Getenv("SHIM_NODE_INSTALLER_IMAGE"),
+						Args:  opConfig.args,
 						Name:  "provisioner",
 						SecurityContext: &corev1.SecurityContext{
-							Privileged: &priv,
+							Privileged: &opConfig.privileged,
 						},
 						Env: []corev1.EnvVar{
 							{
-								Name:  "NODE_ROOT",
+								Name:  "HOST_ROOT",
 								Value: "/mnt/node-root",
 							},
-							{
-								Name:  "SHIM_LOCATION",
-								Value: shim.Spec.FetchStrategy.AnonHTTP.Location,
-							},
-							{
-								Name:  "RUNTIMECLASS_NAME",
-								Value: shim.Spec.RuntimeClass.Name,
-							},
-							{
-								Name:  "RUNTIMECLASS_HANDLER",
-								Value: shim.Spec.RuntimeClass.Handler,
-							},
 							{
 								Name:  "SHIM_FETCH_STRATEGY",
 								Value: "/mnt/node-root",
@@ -389,6 +448,10 @@ func (sr *ShimReconciler) createJobManifest(shim *rcmv1.Shim, node *corev1.Node,
 								Name:      "root-mount",
 								MountPath: "/mnt/node-root",
 							},
+							{
+								Name:      "shim-download",
+								MountPath: "/assets",
+							},
 						},
 					}},
 					RestartPolicy: corev1.RestartPolicyNever,
@@ -443,6 +506,10 @@ func (sr *ShimReconciler) createRuntimeClassManifest(shim *rcmv1.Shim) (*nodev1.
 	}
 
 	runtimeClass := &nodev1.RuntimeClass{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "node.k8s.io/v1",
+			Kind:       "RuntimeClass",
+		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:   name[:nameMax],
 			Labels: map[string]string{name[:nameMax]: "true"},

internal/shim/uninstall.go

@@ -2,7 +2,7 @@ package shim
 
 import (
 	"errors"
-	"log/slog"
+	"fmt"
 	"os"
 
 	"github.com/spinkube/runtime-class-manager/internal/state"
@@ -15,17 +15,15 @@ func (c *Config) Uninstall(shimName string) (string, error) {
 	}
 	s, ok := st.Shims[shimName]
 	if !ok {
-		slog.Warn("shim not installed", "shim", shimName)
-		return "", nil
+		return "", fmt.Errorf("shim %s not installed", shimName)
 	}
 	filePath := s.Path
 
 	err = c.hostFs.Remove(filePath)
 	if err != nil {
 		if !errors.Is(err, os.ErrNotExist) {
-			return "", err
+			return "", fmt.Errorf("shim binary at %s does not exist, nothing to delete", filePath)
 		}
-		slog.Warn("shim binary did not exist, nothing to delete")
 	}
 	st.RemoveShim(shimName)
 	if err = st.Write(); err != nil {

internal/shim/uninstall_test.go

@@ -46,7 +46,7 @@ func TestConfig_Uninstall(t *testing.T) {
 			},
 			args{"not-existing-shim"},
 			"",
-			false,
+			true,
 		},
 		{
 			"missing shim binary",