Add controllers implementation

[invidian]

Draft with the progress on initial controllers implementation. Mainly opened as a backup and for some early reviews.

Signed-off-by: Mateusz Gozdek mateusz@kinvolk.io

Closes #14
Closes #15

[invidian]

If you push the following image to Tinkerbell, then this code will select one of available hardwares from Tinkerbell and install Ubuntu cloud with cloud-init from kubeadm bootstrapper:

FROM alpine:3.12

RUN apk add -U qemu-img

Pushed as 10.17.3.2/ubuntu-install.

At the moment cluster does not spawn and I don't have access to the machine to verify why. Most likely because of missing containerd, Kubernetes packages etc.

[invidian]

Tests are missing, but this can already be tried out and reviewed.

For setup workflow, follow:

• Instruction from Document development workflow #13
• https://kinvolk.io/docs/lokomotive/0.5/quickstarts/tinkerbell/ if you don't have Tinkerbell cluster.
• If you followed Lokomotive guide, also add file like: lokomotive-assets/terraform/capi.tf with the following content to add 3 more workers to libvirt for CAPI machines:

  locals {
    capi_workers = [
      "10.17.3.6",
      "10.17.3.7",
      "10.17.3.8",
    ]
  }
  
  module "tink_worker_capi" {
    source = "../terraform-modules/tinkerbell-sandbox/worker"
  
    count = length(local.capi_workers)
  
    ip   = local.capi_workers[count.index]
    name = "capi-${count.index}"
  
    sandbox = module.tinkerbell_sandbox
  
    depends_on = [
      module.tinkerbell_sandbox,
    ]
  }

• Run Terraform:

  terraform apply

• Build and push installer image to Tinkerbell registry as described in Add controllers implementation #17 (comment).
• Generate a config for your cluster:

  clusterctl config cluster capi-quickstart --infrastructure=tinkerbell:v0.0.0-dirty --kubernetes-version=v1.20.0 --control-plane-machine-count=1 --worker-machine-count=1 > test-cluster.yaml

• Add your SSH keys to config in case you need to debug it.
• Create a cluster:

  kubectl apply -f test-cluster.yaml

• When you see in the logs that workflows has been created, reboot the machines so they pick it up. If you use libvirt, run for example:

  virsh reset tinkerbell-sandbox-lokomotive-cluster-capi-0

• When your cluster is provisioned, get Kubeconfig for it and apply some CNI on it, for example Calico, so nodes becomes ready:

  clusterctl get kubeconfig capi-quickstart kubeconfig-workload
  KUBECONFIG=kubeconfig-workload kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml

• Now cluster should soon become ready, which can be checked using the following commands:

  kubectl get kubeadmcontrolplane
  kubectl get machines

[detiber]

Generally for determining spec/status I try to consider if it can be recreated, if so, then Status is ideal, but if not it needs to be in Spec.

[invidian]

HardwareID field could be derived from ProviderID, which is a required field. We would have to strip the tinkerbell:// prefix from it, so I think this one could be moved.

TemplateID and WorkflowID are unique, so they must stay I guess.

And ProviderID is required as mentioned earlier.

Do you think it's worth it to move HardwareID to status then?

[detiber]

Could this bit of config be pushed into TinkerbellClusterReconciler? It would be nice to try and keep things relatively consistent with other providers here.

[invidian]

My idea here was to have a distinction between the TinkerbellMachineReconciler, which is a controller and handles Reconcile() method. As handling both cluster and machine objects is rather complex (e.g. we need to pull plenty of dependent objects before we can start processing), I think it's a good idea to separate this controller from the object which handles just a single cluster/machine.

With separate object we can express "Given the following data sources/sinks (dependencies like Client, Tinkerbell Client etc.) reconcile me a cluster/machine with a given name (namespaced name)". This way, we can build up an API used by the controller, so it's responsibilities are minimized to what controller should do, for example it can keep the control over when to re-queue the reconciliation (like New() or IntoMachineReconcileContext() which may return nil when dependencies are not ready yet).

If we move config bits into TinkerbellClusterReconciler, then we must either extend the API of this struct or copy the fields into separate config in Reconcile() method if we want to keep the abstraction/separation I described.

Having those 2 separate should also allow easier testing, when we turn clients into interfaces and we replace them with mocks.

[detiber]

Could this bit of config be pushed into TinkerbellMachineReconciler? It would be nice to try and keep things relatively consistent with other providers here.

[detiber]

Most of this can likely be moved to the cluster template, which would allow for it to be more easily tweaked without invasive changes.

[invidian]

I felt that having it here is better, as then it can be better tested etc. I think the less clutter/boilerplate user sees (so what clusterctl config generates, which is already a lot), the better. It's also user-proof, as one might consider removing some lines from it, thinking they are not required and we're not able to validate that programatically in runtime that they are there. And cluster provisioning may fail then.

[invidian]

Now that I look into it again, on the other hand placing all this stuff in cluster template makes defined in single place... At least kubeadmconfig does not allow specifying APT repositories and packages, so there is no danger, that user will override the packages we add. And with support for other OSes, we will be able to programatically select what package version to use and how to configure those repositories. I don't think it will be possible with cluster template.

[detiber]

Not something we need to solve now, but might be good to think about how we can avoid hardcoding ubuntu here and make it easier to swap out a different underlying OS without having to make changes to the deployed binary.

[invidian]

Right. We could perhaps change to capt-install or just capt.

[detiber]

When we look to updating to support the in-development v1alpha4 version of Cluster API, this is going to get a bit messy with the way controller-runtime v0.7.0 is using contexts and passing loggers around: https://github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.7.0, the biggest one being that Reconcile() will be passed a context and that context will be enriched with a logger.

[invidian]

I see. I think when the time comes to an update, we can then:

• Remove the Log field from the configuration.
• Accept context as a parameter to New(). This can actually be done right now.

[invidian]

I added a context parameter to New().

[detiber]

This feels a bit racy if we are creating multiple Clusters at the same time, how do we ensure that the id/ip we find here is the one that is used for the initial Machine instance that is created?

[invidian]

Yeah, I'm aware of that. We could do some sort of reservation here via cluster objects annotation or to create some kind of stub workflow here to mark hardware as reserved. This might have side-effects though.

how do we ensure that the id/ip we find here is the one that is used for the initial Machine instance that is created?

It's not completely random, though definitely could be improved. When we deploy controlplane node, we select hardware using this IP address, to make sure the right hardware is picked. So in case new hardware shows up in the meanwhile, we will still select the right one. But there is no protection from other cluster stealing the hardware with this IP...

Having a list of hardware UUIDs for controlplane should improve that. It should be easy to implement, so perhaps we should add it here.

[detiber]

It's a bit more complicated in our case currently because we don't have a load balancer (yet), I don't think we have a good way (other than making assumptions related to the bootstrap provider).

[invidian]

Converted back to draft, as this is now based on #8 as we use SHIM implementation from there. This should not be merged until #8 is.

[invidian]

Spotted this weird error while doing some tests:

[manager] E0111 23:40:08.975102      97 controller.go:257] controller-runtime/controller "msg"="Reconciler error" "error"="failed to create workflow: failed to create workflow in Tinkerbell: rpc error: code = Unknown desc = failed to get template with ID : failed to get template: one GetBy field must be set to build a get condition" "controller"="workflow" "name"="capi-quickstart-control-plane-jthgs" "namespace"=""

Also, I hit tinkerbell/tink#413 :|

[invidian]

Running PGPASSWORD=tinkerbell docker-compose exec db psql -U tinkerbell -c 'drop trigger events_channel ON events;' workarounds tinkerbell/tink#413 well enough.

[detiber]

Closed in favor of #32