🌱 Add --baremetal-ssh-after-install-image=false to controller (#1686)

Author: guettli

api/v1beta1/conditions_const.go

@@ -233,3 +233,8 @@ const (
 	// DeprecatedRateLimitExceededCondition reports whether the rate limit has been reached.
 	DeprecatedRateLimitExceededCondition clusterv1.ConditionType = "RateLimitExceeded"
 )
+
+const (
+	// RebootSucceededCondition indicates that the machine got rebooted successfully.
+	RebootSucceededCondition clusterv1.ConditionType = "RebootSucceeded"
+)

api/v1beta1/hetznerbaremetalhost_types.go

@@ -189,6 +189,7 @@ const (
 	// RebootTypeSoftware defines the software reboot. "Send CTRL+ALT+DEL to the server".
 	RebootTypeSoftware RebootType = "sw"
 	// RebootTypeHardware defines the hardware reboot. "Execute an automatic hardware reset".
+	// The RebootTypeHardware is supported by all servers.
 	RebootTypeHardware RebootType = "hw"
 	// RebootTypeManual defines the manual reboot. "Order a manual power cycle".
 	RebootTypeManual RebootType = "man"
@@ -310,6 +311,22 @@ type ControllerGeneratedStatus struct {
 	// Conditions define the current service state of the HetznerBareMetalHost.
 	// +optional
 	Conditions clusterv1.Conditions `json:"conditions,omitempty"`
+
+	// ExternalIDs contains values from external systems.
+	// +optional
+	ExternalIDs ExternalIDs `json:"externalIDs,omitzero"`
+}
+
+// ExternalIDs contains values from external systems.
+type ExternalIDs struct {
+	// RebootAnnotationNodeBootID reflects the BootID of the Node resource in the workload-cluster.
+	// Only set when the machine gets rebooted.
+	// +optional
+	RebootAnnotationNodeBootID string `json:"rebootAnnotationNodeBootID,omitempty"`
+
+	// RebootAnnotationSince indicates when the reboot via Annotation started.
+	// +optional
+	RebootAnnotationSince metav1.Time `json:"rebootAnnotationSince,omitzero"`
 }
 
 // GetIPAddress returns the IPv6 if set, otherwise the IPv4.

api/v1beta1/zz_generated.deepcopy.go

@@ -238,6 +238,20 @@ spec:
                       ErrorType indicates the type of failure encountered when the
                       OperationalStatus is OperationalStatusError.
                     type: string
+                  externalIDs:
+                    description: ExternalIDs contains values from external systems.
+                    properties:
+                      rebootAnnotationNodeBootID:
+                        description: |-
+                          RebootAnnotationNodeBootID reflects the BootID of the Node resource in the workload-cluster.
+                          Only set when the machine gets rebooted.
+                        type: string
+                      rebootAnnotationSince:
+                        description: RebootAnnotationSince indicates when the reboot
+                          via Annotation started.
+                        format: date-time
+                        type: string
+                    type: object
                   hardwareDetails:
                     description: StatusHardwareDetails are automatically gathered
                       and should not be modified by the user.

config/crd/bases/infrastructure.cluster.x-k8s.io_hetznerbaremetalhosts.yaml

@@ -52,12 +52,13 @@ import (
 // HetznerBareMetalHostReconciler reconciles a HetznerBareMetalHost object.
 type HetznerBareMetalHostReconciler struct {
 	client.Client
-	RateLimitWaitTime   time.Duration
-	APIReader           client.Reader
-	RobotClientFactory  robotclient.Factory
-	SSHClientFactory    sshclient.Factory
-	WatchFilterValue    string
-	PreProvisionCommand string
+	RateLimitWaitTime    time.Duration
+	APIReader            client.Reader
+	RobotClientFactory   robotclient.Factory
+	SSHClientFactory     sshclient.Factory
+	WatchFilterValue     string
+	PreProvisionCommand  string
+	SSHAfterInstallImage bool
 }
 
 //+kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=hetznerbaremetalhosts,verbs=get;list;watch;create;update;patch;delete
@@ -202,6 +203,7 @@ func (r *HetznerBareMetalHostReconciler) Reconcile(ctx context.Context, req ctrl
 		RescueSSHSecret:         rescueSSHSecret,
 		SecretManager:           secretManager,
 		PreProvisionCommand:     r.PreProvisionCommand,
+		SSHAfterInstallImage:    r.SSHAfterInstallImage,
 	})
 	if err != nil {
 		return reconcile.Result{}, fmt.Errorf("failed to create scope: %w", err)

controllers/hetznerbaremetalhost_controller.go

@@ -78,7 +78,7 @@ Via MatchLabels you can specify a certain label (key and value) that identifies
 | `template.spec.sshSpec.secretRef.key.name`                       | `string`              |                           | yes      | Name is the key in the secret's data where the SSH key's name is stored                                                                            |
 | `template.spec.sshSpec.secretRef.key.publicKey`                  | `string`              |                           | yes      | PublicKey is the key in the secret's data where the SSH key's public key is stored                                                                 |
 | `template.spec.sshSpec.secretRef.key.privateKey`                 | `string`              |                           | yes      | PrivateKey is the key in the secret's data where the SSH key's private key is stored                                                               |
-| `template.spec.sshSpec.portAfterInstallImage`                    | `int`                 | `22`                      | no       | PortAfterInstallImage specifies the port that can be used to reach the server via SSH after install image completed successfully                   |
+| `template.spec.sshSpec.portAfterInstallImage`                    | `int`                 | `22`                      | no       | PortAfterInstallImage specifies the port that can be used to reach the server via SSH after install image completed successfully. If `--baremetal-ssh-after-install-image=false` is set, then this value will never be used.                   |
 | `template.spec.sshSpec.portAfterCloudInit`                       | `int`                 | `22` (install image port) | no       | PortAfterCloudInit specifies the port that can be used to reach the server via SSH after cloud init completed successfully. Deprecated. Since [PR Install Cloud-Init-Data via post-install.sh #1407](https://github.com/syself/cluster-api-provider-hetzner/pull/1407) this field is not functional.  |
 
 ## installImage.image

docs/caph/03-reference/06-hetzner-bare-metal-machine-template.md

@@ -90,19 +90,25 @@ image="$image_path/caph-staging:$tag"
 
 wait
 
-kubectl scale --replicas=1 -n mgt-system deployment/caph-controller-manager
+ns=$(kubectl get deployments.apps -A | { grep caph-controller || true; } | cut -d' ' -f1)
+if [[ -z $ns ]]; then
+    echo "failed to get namespace for caph-controller"
+    exit 1
+fi
+
+kubectl scale --replicas=1 -n "$ns" deployment/caph-controller-manager
 
-kubectl set image -n mgt-system deployment/caph-controller-manager manager="$image"
+kubectl set image -n "$ns" deployment/caph-controller-manager manager="$image"
 
-kubectl patch deployment -n mgt-system -p '[{"op": "replace", "path": "/spec/template/spec/containers/0/imagePullPolicy", "value": "Always"}]' --type='json' caph-controller-manager
+kubectl patch deployment -n "$ns" -p '[{"op": "replace", "path": "/spec/template/spec/containers/0/imagePullPolicy", "value": "Always"}]' --type='json' caph-controller-manager
 
-kubectl rollout restart -n mgt-system deployment caph-controller-manager
+kubectl rollout restart -n "$ns" deployment caph-controller-manager
 
 trap "echo 'Interrupted! Exiting...'; exit 1" SIGINT
 
-while ! kubectl rollout status deployment --timeout=3s -n mgt-system caph-controller-manager; do
+while ! kubectl rollout status deployment --timeout=3s -n "$ns" caph-controller-manager; do
     echo "Rollout failed"
-    kubectl events -n mgt-system | grep caph-controller-manager | tail -n 5
+    kubectl events -n "$ns" | grep caph-controller-manager | tail -n 5
     echo
     echo
 done

hack/update-operator-dev-deployment.sh

@@ -87,6 +87,7 @@ var (
 	preProvisionCommand                string
 	imageURLCommand                    string
 	skipWebhooks                       bool
+	sshAfterInstallImage               bool
 )
 
 func main() {
@@ -109,6 +110,8 @@ func main() {
 	fs.StringVar(&preProvisionCommand, "pre-provision-command", "", "Command to run (in rescue-system) before installing the image on bare metal servers. You can use that to check if the machine is healthy before installing the image. If the exit value is non-zero, the machine is considered unhealthy. This command must be accessible by the controller pod. You can use an initContainer to copy the command to a shared emptyDir.")
 	fs.StringVar(&imageURLCommand, "hcloud-image-url-command", "", "Command to run (in rescue-system) to provision an hcloud machine. The command will get the imageURL, bootstrap-data and machine-name of the corresponding hcloudmachine as argument. It is up to the command to download from that URL and provision the disk accordingly. This command must be accessible by the controller pod. You can use an initContainer to copy the command to a shared emptyDir. The env var OCI_REGISTRY_AUTH_TOKEN from the caph process will be set for the command, too. The command must end with the last line containing IMAGE_URL_DONE. Otherwise the execution is considered to have failed. Docs: https://syself.com/docs/caph/developers/image-url-command")
 	fs.BoolVar(&skipWebhooks, "skip-webhooks", false, "Skip setting up of webhooks. Together with --leader-elect=false, you can use `go run main.go` to run CAPH in a cluster connected via KUBECONFIG. You should scale down the caph deployment to 0 before doing that. This is only for testing!")
+	fs.BoolVar(&sshAfterInstallImage, "baremetal-ssh-after-install-image", true, "Connect to the baremetal machine after install-image and ensure it is provisioned. Current default is true, but we might change that to false. Background: Users might not want the controller to be able to ssh onto the servers")
+
 	pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
 	pflag.Parse()
 
@@ -230,13 +233,14 @@ func main() {
 	}
 
 	if err = (&controllers.HetznerBareMetalHostReconciler{
-		Client:              mgr.GetClient(),
-		RobotClientFactory:  robotclient.NewFactory(),
-		SSHClientFactory:    sshclient.NewFactory(),
-		APIReader:           mgr.GetAPIReader(),
-		RateLimitWaitTime:   rateLimitWaitTime,
-		WatchFilterValue:    watchFilterValue,
-		PreProvisionCommand: preProvisionCommand,
+		Client:               mgr.GetClient(),
+		RobotClientFactory:   robotclient.NewFactory(),
+		SSHClientFactory:     sshclient.NewFactory(),
+		APIReader:            mgr.GetAPIReader(),
+		RateLimitWaitTime:    rateLimitWaitTime,
+		WatchFilterValue:     watchFilterValue,
+		PreProvisionCommand:  preProvisionCommand,
+		SSHAfterInstallImage: sshAfterInstallImage,
 	}).SetupWithManager(ctx, mgr, controller.Options{MaxConcurrentReconciles: hetznerBareMetalHostConcurrency}); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "HetznerBareMetalHost")
 		os.Exit(1)

main.go

@@ -48,6 +48,7 @@ type BareMetalHostScopeParams struct {
 	RescueSSHSecret         *corev1.Secret
 	SecretManager           *secretutil.SecretManager
 	PreProvisionCommand     string
+	SSHAfterInstallImage    bool
 }
 
 // NewBareMetalHostScope creates a new Scope from the supplied parameters.
@@ -93,23 +94,32 @@ func NewBareMetalHostScope(params BareMetalHostScopeParams) (*BareMetalHostScope
 		RescueSSHSecret:         params.RescueSSHSecret,
 		SecretManager:           params.SecretManager,
 		PreProvisionCommand:     params.PreProvisionCommand,
+		SSHAfterInstallImage:    params.SSHAfterInstallImage,
+		WorkloadClusterClientFactory: &realWorkloadClusterClientFactory{
+			logger:         params.Logger,
+			client:         params.Client,
+			cluster:        params.Cluster,
+			hetznerCluster: params.HetznerCluster,
+		},
 	}, nil
 }
 
 // BareMetalHostScope defines the basic context for an actuator to operate upon.
 type BareMetalHostScope struct {
 	logr.Logger
-	Client                  client.Client
-	SecretManager           *secretutil.SecretManager
-	RobotClient             robotclient.Client
-	SSHClientFactory        sshclient.Factory
-	HetznerBareMetalHost    *infrav1.HetznerBareMetalHost
-	HetznerBareMetalMachine *infrav1.HetznerBareMetalMachine
-	HetznerCluster          *infrav1.HetznerCluster
-	Cluster                 *clusterv1.Cluster
-	OSSSHSecret             *corev1.Secret
-	RescueSSHSecret         *corev1.Secret
-	PreProvisionCommand     string
+	Client                       client.Client
+	SecretManager                *secretutil.SecretManager
+	RobotClient                  robotclient.Client
+	SSHClientFactory             sshclient.Factory
+	HetznerBareMetalHost         *infrav1.HetznerBareMetalHost
+	HetznerBareMetalMachine      *infrav1.HetznerBareMetalMachine
+	HetznerCluster               *infrav1.HetznerCluster
+	Cluster                      *clusterv1.Cluster
+	OSSSHSecret                  *corev1.Secret
+	RescueSSHSecret              *corev1.Secret
+	PreProvisionCommand          string
+	SSHAfterInstallImage         bool
+	WorkloadClusterClientFactory WorkloadClusterClientFactory
 }
 
 // Name returns the HetznerCluster name.

pkg/scope/baremetalhost.go

@@ -29,11 +29,9 @@ import (
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/util/conditions"
 	"sigs.k8s.io/cluster-api/util/patch"
-	"sigs.k8s.io/cluster-api/util/secret"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	infrav1 "github.com/syself/cluster-api-provider-hetzner/api/v1beta1"
-	secretutil "github.com/syself/cluster-api-provider-hetzner/pkg/secrets"
 	hcloudclient "github.com/syself/cluster-api-provider-hetzner/pkg/services/hcloud/client"
 )
 
@@ -148,21 +146,7 @@ func (s *ClusterScope) ControlPlaneAPIEndpointPort() int32 {
 
 // ClientConfig return a kubernetes client config for the cluster context.
 func (s *ClusterScope) ClientConfig(ctx context.Context) (clientcmd.ClientConfig, error) {
-	cluster := client.ObjectKey{
-		Name:      fmt.Sprintf("%s-%s", s.Cluster.Name, secret.Kubeconfig),
-		Namespace: s.Cluster.Namespace,
-	}
-
-	secretManager := secretutil.NewSecretManager(s.Logger, s.Client, s.APIReader)
-	kubeconfigSecret, err := secretManager.AcquireSecret(ctx, cluster, s.HetznerCluster, false, false)
-	if err != nil {
-		return nil, fmt.Errorf("failed to acquire secret: %w", err)
-	}
-	kubeconfigBytes, ok := kubeconfigSecret.Data[secret.KubeconfigDataName]
-	if !ok {
-		return nil, fmt.Errorf("missing key %q in secret data", secret.KubeconfigDataName)
-	}
-	return clientcmd.NewClientConfigFromBytes(kubeconfigBytes)
+	return workloadClientConfigFromKubeconfigSecret(ctx, s.Logger, s.Client, s.APIReader, s.Cluster, s.HetznerCluster)
 }
 
 // ListMachines returns HCloudMachines.