Merge pull request #148 from craddm/configure-containerd

Configure containerd on isolated cluster and create Harbor service to provide internal endpoint

Author: craddm

infra/aks/__main__.py

@@ -127,6 +127,17 @@ def get_kubeconfig(
     ),
 )
 
+# Grant the managed identity Contributor role on the access vnet so it can manage network interfaces
+# This allows the creation of internal load balancers to make it easier to direct traffic between the subnets
+authorization.RoleAssignment(
+    "cluster_role_assignment_access_vnet",
+    principal_id=identity.principal_id,
+    principal_type=authorization.PrincipalType.SERVICE_PRINCIPAL,
+    # Contributor: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
+    role_definition_id=f"/subscriptions/{azure_config.require('subscriptionId')}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
+    scope=networking.access_nodes.id,
+)
+
 # Grant the managed identity Contributor role on the isolated vnet so it can manage network interfaces
 # This allows the creation of internal load balancers to make it easier to direct traffic to the right place on the isolated network
 authorization.RoleAssignment(

infra/fridge/access-cluster/__main__.py

@@ -128,6 +128,6 @@ def patch_namespace(name: str, pss: PodSecurityStandard) -> NamespacePatch:
 # Pulumi exports
 pulumi.export("fridge_api_ip_address", config.require("fridge_api_ip_address"))
 pulumi.export("harbor_fqdn", harbor.harbor_fqdn)
-pulumi.export("harbor_ip_address", config.require("harbor_ip"))
+pulumi.export("harbor_ip_address", harbor.harbor_lb_ip)
 pulumi.export("ingress_ip", ingress_nginx.ingress_ip)
 pulumi.export("ingress_ports", ingress_nginx.ingress_ports)

infra/fridge/access-cluster/components/container_registry.py

@@ -2,6 +2,7 @@
 
 import pulumi
 from pulumi import ComponentResource, ResourceOptions
+
 from pulumi_kubernetes.batch.v1 import (
     Job,
     JobSpecArgs,
@@ -15,6 +16,9 @@
     PodTemplateSpecArgs,
     Secret,
     SecurityContextArgs,
+    Service,
+    ServicePortArgs,
+    ServiceSpecArgs,
     VolumeArgs,
     VolumeMountArgs,
 )
@@ -25,8 +29,7 @@
 
 from .storage_classes import StorageClasses
 
-
-from enums import PodSecurityStandard, TlsEnvironment, tls_issuer_names
+from enums import K8sEnvironment, PodSecurityStandard, TlsEnvironment, tls_issuer_names
 
 
 class ContainerRegistryArgs:
@@ -75,6 +78,15 @@ def __init__(
             else "ReadWriteOnce",
         }
 
+        api_service_annotations = (
+            {
+                "service.beta.kubernetes.io/azure-load-balancer-internal": "true",
+                "service.beta.kubernetes.io/azure-load-balancer-internal-subnet": "networking-access-nodes",
+            }
+            if K8sEnvironment(args.config.get("k8s_env")) == K8sEnvironment.AKS
+            else {}
+        )
+
         self.harbor = Release(
             "harbor",
             ReleaseArgs(
@@ -86,10 +98,8 @@ def __init__(
                 ),
                 values={
                     "expose": {
-                        "clusterIP": {
-                            "staticClusterIP": args.config.require("harbor_ip"),
-                        },
-                        "type": "clusterIP",
+                        "type": "loadBalancer",
+                        "loadBalancer": {"annotations": api_service_annotations},
                         "tls": {
                             "enabled": False,
                             "certSource": "none",
@@ -170,6 +180,26 @@ def __init__(
             ),
         )
 
+        self.harbor_internal_loadbalancer = Service.get(
+            "harbor-internal-lb",
+            id=pulumi.Output.concat(self.harbor_ns.metadata.name, "/harbor"),
+            opts=ResourceOptions.merge(
+                child_opts,
+                ResourceOptions(
+                    depends_on=[
+                        self.harbor,
+                    ]
+                ),
+            ),
+        )
+
+        # Extract the dynamically assigned IP address
+        self.harbor_lb_ip = self.harbor_internal_loadbalancer.status.apply(
+            lambda status: status.load_balancer.ingress[0].ip
+            if status and status.load_balancer and status.load_balancer.ingress
+            else None
+        )
+
         # Create a daemonset to skip TLS verification for the harbor registry
         # This is needed while using staging/self-signed certificates for Harbor
         # A daemonset is used to run the configuration on all nodes in the cluster

infra/fridge/isolated-cluster/Pulumi.yaml

@@ -12,6 +12,9 @@ config:
   access_cluster_node_cidr:
     type: string
     description: The node CIDR of the access cluster to allow access from
+  access_cluster_stack:
+    type: string
+    description: The Pulumi stack name of the access cluster deployment
   azure_subscription_id:
     type: string
     description: Azure Subscription ID for the access cluster - use a dummy value when not deploying to AKS
@@ -43,6 +46,9 @@ config:
   minio_pool_size:
     type: string
     description: Size of the MinIO storage pool (e.g., 20Gi)
+  organization_name:
+    type: string
+    description: The Pulumi organization name
   kubernetes:context:
     value: ""
     description: Kubernetes context for the FRIDGE deployment

infra/fridge/isolated-cluster/__main__.py

@@ -23,6 +23,13 @@ def patch_namespace(name: str, pss: PodSecurityStandard) -> NamespacePatch:
 config = pulumi.Config()
 tls_environment = TlsEnvironment(config.require("tls_environment"))
 stack_name = pulumi.get_stack()
+organization = config.require("organization_name")
+project_name = config.require("project_name")
+access_stack_name = config.require("access_cluster_stack")
+
+access_stack = pulumi.StackReference(
+    f"{organization}/{project_name}/{access_stack_name}"
+)
 
 try:
     k8s_environment = K8sEnvironment(config.get("k8s_env"))
@@ -199,5 +206,24 @@ def patch_namespace(name: str, pss: PodSecurityStandard) -> NamespacePatch:
     ),
 )
 
+# Container runtime configuration (containerd)
+if k8s_environment == K8sEnvironment.AKS:
+    container_runtime_config = components.ContainerRuntimeConfig(
+        "container-runtime-config",
+        args=components.ContainerRuntimeConfigArgs(
+            config=config,
+            harbor_fqdn=access_stack.get_output("harbor_fqdn"),
+        ),
+        opts=ResourceOptions(
+            depends_on=resources,
+        ),
+    )
+else:
+    pulumi.log.warn(
+        "Container runtime configuration is only applied on AKS. "
+        "For Dawn AI and local K3s deployments, please ensure containerd is configured manually. "
+        "If you deployed K3s using the scripts in infra/k3s, containerd should already be configured correctly."
+    )
+
 # Pulumi stack outputs
 pulumi.export("fridge_api_ip", config.require("fridge_api_ip"))

infra/fridge/isolated-cluster/components/__init__.py

@@ -1,6 +1,7 @@
 from .api_server import ApiServer, ApiServerArgs
 from .block_storage import BlockStorage, BlockStorageArgs
 from .cert_manager import CertManager, CertManagerArgs
+from .container_runtime import ContainerRuntimeConfig, ContainerRuntimeConfigArgs
 from .minio_config import MinioConfigJob, MinioConfigArgs
 from .network_policies import NetworkPolicies
 from .object_storage import ObjectStorage, ObjectStorageArgs

infra/fridge/isolated-cluster/components/container_runtime.py

@@ -0,0 +1,62 @@
+import pulumi
+from pulumi import ComponentResource, Output, ResourceOptions
+from string import Template
+from enums import PodSecurityStandard
+from pulumi_kubernetes.core.v1 import Namespace
+from pulumi_kubernetes.meta.v1 import ObjectMetaArgs
+from pulumi_kubernetes.yaml import ConfigGroup
+
+
+class ContainerRuntimeConfigArgs:
+    def __init__(
+        self,
+        config: pulumi.config.Config,
+        harbor_fqdn: Output[str],
+    ) -> None:
+        self.config = config
+        self.harbor_fqdn = harbor_fqdn
+
+
+class ContainerRuntimeConfig(ComponentResource):
+    def __init__(
+        self,
+        name: str,
+        args: ContainerRuntimeConfigArgs,
+        opts: ResourceOptions | None = None,
+    ):
+        super().__init__("fridge:ContainerRuntimeConfig", name, {}, opts)
+        child_opts = ResourceOptions.merge(opts, ResourceOptions(parent=self))
+
+        self.config_ns = Namespace(
+            "container-runtime-config-ns",
+            metadata=ObjectMetaArgs(
+                name="containerd-config",
+                labels={} | PodSecurityStandard.PRIVILEGED.value,
+            ),
+            opts=child_opts,
+        )
+
+        yaml_template = open("k8s/containerd/registry_mirrors.yaml", "r").read()
+
+        registry_mirror_config = Output.all(
+            namespace=self.config_ns.metadata.name,
+            harbor_fqdn=args.harbor_fqdn,
+        ).apply(
+            lambda args: Template(yaml_template).substitute(
+                namespace=args["namespace"],
+                harbor_fqdn=args["harbor_fqdn"],
+            )
+        )
+
+        self.configure_runtime = registry_mirror_config.apply(
+            lambda yaml_content: ConfigGroup(
+                "configure-container-runtime",
+                yaml=[yaml_content],
+                opts=ResourceOptions.merge(
+                    child_opts,
+                    ResourceOptions(
+                        depends_on=[self.config_ns],
+                    ),
+                ),
+            )
+        )

infra/fridge/isolated-cluster/k8s/containerd/registry_mirrors.yaml

@@ -0,0 +1,108 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: containerd-registry-mirrors
+  namespace: ${namespace}
+data:
+  docker-io-hosts.toml: |
+    [host."http://${harbor_fqdn}/v2/proxy-docker.io"]
+      capabilities = ["pull", "resolve"]
+      skip_verify = true
+      override_path = true
+
+    # Fall back to Docker Hub if Harbor fails
+    [host."https://registry-1.docker.io"]
+      capabilities = ["pull", "resolve"]
+
+  ghcr-io-hosts.toml: |
+    [host."http://${harbor_fqdn}/v2/proxy-ghcr.io"]
+      capabilities = ["pull", "resolve"]
+      skip_verify = true
+      override_path = true
+
+    # Fall back to GHCR if Harbor fails
+    [host."https://ghcr.io"]
+      capabilities = ["pull", "resolve"]
+
+  quay-io-hosts.toml: |
+    [host."http://${harbor_fqdn}/v2/proxy-quay.io"]
+      capabilities = ["pull", "resolve"]
+      skip_verify = true
+      override_path = true
+
+    # Fall back to Quay if Harbor fails
+    [host."https://quay.io"]
+      capabilities = ["pull", "resolve"]
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: configure-containerd-mirrors
+  namespace: ${namespace}
+spec:
+  selector:
+    matchLabels:
+      app: configure-containerd-mirrors
+  template:
+    metadata:
+      labels:
+        app: configure-containerd-mirrors
+    spec:
+      initContainers:
+      - name: configure-containerd
+        image: busybox
+        command:
+        - /bin/sh
+        - -c
+        - |
+          set -e
+          echo "Configuring containerd registry mirrors..."
+          mkdir -p /host/etc/containerd/certs.d/docker.io
+          mkdir -p /host/etc/containerd/certs.d/ghcr.io
+          mkdir -p /host/etc/containerd/certs.d/quay.io
+
+          echo "Copying Docker, GHCR, and Quay registry mirror configurations..."
+          cp /config/docker-io-hosts.toml /host/etc/containerd/certs.d/docker.io/hosts.toml
+          cp /config/ghcr-io-hosts.toml /host/etc/containerd/certs.d/ghcr.io/hosts.toml
+          cp /config/quay-io-hosts.toml /host/etc/containerd/certs.d/quay.io/hosts.toml
+          echo "Containerd registry mirrors configured."
+        securityContext:
+          runAsUser: 0
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+            add:
+              - DAC_OVERRIDE
+        volumeMounts:
+        - name: host-fs
+          mountPath: /host/etc/containerd/certs.d
+        - name: config
+          mountPath: /config
+          readOnly: true
+      containers:
+        - name: wait
+          image: registry.k8s.io/pause:3.8
+          resources:
+            requests:
+              cpu: 10m
+              memory: 10Mi
+            limits:
+              cpu: 50m
+              memory: 50Mi
+          securityContext:
+            privileged: false
+            runAsNonRoot: true
+            runAsUser: 65532
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+      volumes:
+      - name: host-fs
+        hostPath:
+          path: /etc/containerd/certs.d
+          type: DirectoryOrCreate
+      - name: config
+        configMap:
+          name: containerd-registry-mirrors

infra/k3s/install.sh

@@ -5,6 +5,28 @@
 # to allow Cilium to handle all these
 echo 'Installing K3s...'
 
+# Configure containerd for private registry before K3s installation
+echo 'Configuring containerd registry settings...'
+HARBOR_HOSTNAME="${1:-harbor.fridge.internal}"  # Use argument or default
+
+sudo mkdir -p /etc/rancher/k3s
+sudo tee /etc/rancher/k3s/registries.yaml > /dev/null <<EOF
+mirrors:
+  docker.io:
+    endpoint:
+      - https://$HARBOR_HOSTNAME/v2/proxy-docker.io
+  quay.io:
+    endpoint:
+      - https://$HARBOR_HOSTNAME/v2/proxy-quay.io
+  ghcr.io:
+    endpoint:
+      - https://$HARBOR_HOSTNAME/v2/proxy-ghcr.io
+configs:
+  $HARBOR_HOSTNAME:
+    tls:
+      insecure_skip_verify: true
+EOF
+
 curl -sfL https://get.k3s.io | sh -s - \
   --flannel-backend none \
   --disable-network-policy \