Add in Region Support
Think big!  We should be able to support federating clouds together,
just as we federate identity, so make it so!  Anything region specific
needs to index a region at the API, and let the rest be abstracted
including site specific endpoints, credentials and configurations.  We
can now start to consider other things than openstack if the need
arises.  More pertinently we can also start thinking about moving the
provider to the site itself to prevent leaking credentials in the
honeypot at the center!  This _also_ means we could perhaps think about
not actually exposing the cloud API at all, and doing everything via the
secure proxy... ugh, I'm exciting myself!!
spjmurray committed Feb 19, 2024
1 parent b1039ec commit 289807c
Showing 20 changed files with 1,430 additions and 852 deletions.
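--- a/charts/unikorn/crds/unikorn-cloud.org_regions.yaml
+++ b/charts/unikorn/crds/unikorn-cloud.org_regions.yaml
@@ -0,0 +1,205 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+annotations:
+controller-gen.kubebuilder.io/version: v0.12.1
+name: regions.unikorn-cloud.org
+spec:
+group: unikorn-cloud.org
+names:
+categories:
+- unikorn
+kind: Region
+listKind: RegionList
+plural: regions
+singular: region
+scope: Cluster
+versions:
+- additionalPrinterColumns:
+- jsonPath: .spec.provider
+name: provider
+type: string
+- jsonPath: .status.conditions[?(@.type=="Available")].reason
+name: status
+type: string
+- jsonPath: .metadata.creationTimestamp
+name: age
+type: date
+name: v1alpha1
+schema:
+openAPIV3Schema:
+description: Region defines a geographical region where clusters can be provisioned.
+A region defines the endpoints that can be used to derive information about
+the provider for that region.
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation
+of an object. Servers should convert recognized schemas to the latest
+internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this
+object represents. Servers may infer this from the endpoint the client
+submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+metadata:
+type: object
+spec:
+description: RegionSpec defines metadata about the region.
+properties:
+openstack:
+description: Openstack is provider specific configuration for the
+region.
+properties:
+compute:
+description: Compute is configuration for the compute service.
+properties:
+flavorExtraSpecsExclude:
+description: FlavorExtraSpecsExclude discards any flavors
+with the listed extra specs keys.
+items:
+type: string
+type: array
+gpuDescriptors:
+description: GPUDescriptors defines a set of keys that can
+be probed to list GPU topology information.
+items:
+properties:
+expression:
+description: Expression describes how to extract the
+number of GPUs from the property if it exists. This
+must contain exactly one submatch that is a number
+e.g. "^(\d+)$".
+type: string
+property:
+description: Property is the property name to examine
+e.g. "resources.VGPU".
+type: string
+required:
+- expression
+- property
+type: object
+type: array
+serverGroupPolicy:
+description: ServerGroupPolicy defines the anti-affinity policy
+to use for scheduling cluster nodes. Defaults to "soft-anti-affinity".
+type: string
+type: object
+endpoint:
+description: Endpoint is the Keystone URL e.g. https://foo.bar:5000.
+type: string
+identity:
+description: Identity is configuration for the identity service.
+properties:
+clusterRoles:
+description: ClusterRoles are the roles required to be assigned
+to an application credential in order to provision, scale
+and deprovision a cluster, along with any required for CNI/CSI
+functionality.
+items:
+type: string
+type: array
+type: object
+image:
+description: Image is configuration for the image service.
+properties:
+propertiesInclude:
+description: PropertiesInclude defines the set of properties
+that must all exist for an image to be advertised by the
+provider.
+items:
+type: string
+type: array
+signingKey:
+description: SigningKey defines a PEM encoded public ECDSA
+signing key used to verify the image is trusted. If specified,
+an image must contain the "digest" property, the value of
+which must be a base64 encoded ECDSA signature of the SHA256
+hash of the image ID.
+format: byte
+type: string
+type: object
+serviceAccountSecret:
+description: ServiceAccountSecretName points to the secret containing
+credentials required to perform the tasks the provider needs
+to perform.
+properties:
+name:
+description: Name is the name of the object.
+type: string
+namespace:
+description: Namespace is the namespace in which the object
+resides.
+type: string
+required:
+- name
+- namespace
+type: object
+required:
+- endpoint
+- serviceAccountSecret
+type: object
+provider:
+description: Type defines the provider type.
+enum:
+- openstack
+type: string
+required:
+- provider
+type: object
+status:
+description: RegionStatus defines the status of the region.
+properties:
+conditions:
+description: Current service state of a region.
+items:
+description: Condition is a generic condition type for use across
+all resource types. It's generic so that the underlying controller-manager
+functionality can be shared across all resources.
+properties:
+lastTransitionTime:
+description: Last time the condition transitioned from one status
+to another.
+format: date-time
+type: string
+message:
+description: Human-readable message indicating details about
+last transition.
+type: string
+reason:
+description: Unique, one-word, CamelCase reason for the condition's
+last transition.
+enum:
+- Provisioning
+- Provisioned
+- Cancelled
+- Errored
+- Deprovisioning
+- Deprovisioned
+type: string
+status:
+description: Status is the status of the condition. Can be True,
+False, Unknown.
+type: string
+type:
+description: Type is the type of the condition.
+enum:
+- Available
+type: string
+required:
+- lastTransitionTime
+- message
+- reason
+- status
+- type
+type: object
+type: array
+type: object
+required:
+- spec
+type: object
+served: true
+storage: true
+subresources:
+status: {}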
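--- a/charts/unikorn/templates/region.yaml
+++ b/charts/unikorn/templates/region.yaml
@@ -0,0 +1,57 @@
+{{- range $region := .Values.regions }}
+apiVersion: unikorn-cloud.org/v1alpha1
+kind: Region
+metadata:
+name: {{ $region.name }}
+labels:
+{{- include "unikorn.labels" $ | nindent 4 }}
+spec:
+provider: {{ $region.provider }}
+{{- with $openstack := $region.openstack }}
+openstack:
+endpoint: {{ $openstack.endpoint }}
+serviceAccountSecret:
+namespace: {{ $openstack.serviceAccountSecret.namespace }}
+name: {{ $openstack.serviceAccountSecret.name }}
+{{- with $identity := $openstack.identity }}
+{{ printf "identity:" | nindent 4 }}
+{{- with $roles := $identity.clusterRoles }}
+{{ printf "clusterRoles:" | nindent 6 }}
+{{- range $role := $roles }}
+{{ printf "- %s" $role | nindent 6 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- with $compute := $openstack.compute }}
+{{ printf "compute:" | nindent 4 }}
+{{- with $policy := $compute.serverGroupPolicy }}
+{{ printf "serverGroupPolicy: %s" $policy | nindent 6 }}
+{{- end }}
+{{- with $specs := $compute.flavorExtraSpecsExclude }}
+{{ printf "flavorExtraSpecsExclude:" | nindent 6 }}
+{{- range $spec := $specs }}
+{{ printf "- %s" $spec | nindent 6 }}
+{{- end }}
+{{- end }}
+{{- with $descriptors := $compute.gpuDescriptors }}
+{{ printf "gpuDescriptors:" | nindent 6 }}
+{{- range $descriptor := $descriptors }}
+{{ printf "- property: %s" $descriptor.property | nindent 6 }}
+{{ printf "expresison: %s" $descriptor.property | nindent 8 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- with $image := $openstack.image}}
+{{ printf "image:" | nindent 4 }}
+{{- with $properties := $image.propertiesInclude }}
+{{ printf "propertiesInclude:" | nindent 6 }}
+{{- range $property := $properties }}
+{{ printf "- %s" $property | nindent 6 }}
+{{- end }}
+{{- end }}
+{{- with $signingKey := $image.signingKey }}
+{{ printf "signingKey: %s" $signingKey | nindent 6 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}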
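Review bot: The gpuDescriptors line `{{ printf "expresison: %s" $descriptor.property | nindent 8 }}` misspells the field and emits the property value a second time, so the rendered descriptor carries no `expression` key and would likely fail the CRD's `required: [expression, property]` validation; it should read `{{ printf "expression: %s" $descriptor.expression | nindent 8 }}`. The `range` over `.Values.regions` also emits each Region directly after the previous one with no document separator, so rendering two or more regions yields one malformed document with repeated top-level keys; add a `---` line immediately after `{{- range $region := .Values.regions }}`. The templated scalars such as `name: {{ $region.name }}`, `endpoint: {{ $openstack.endpoint }}` and the `- %s` list items are unquoted, so a value that looks like a boolean or number, or starts with a YAML indicator, would be retyped or break the parse; pass them through `quote` (e.g. `name: {{ $region.name | quote }}`).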
48 changes: 1 addition & 47 deletions charts/unikorn/templates/unikorn-server.yaml
Expand Up @@ -34,6 +34,7 @@ rules:
- apiGroups:
- unikorn-cloud.org
resources:
- regions
- controlplaneapplicationbundles
- kubernetesclusterapplicationbundles
- helmapplications
Expand Down Expand Up @@ -107,48 +108,6 @@ spec:
{{ printf "- --oidc-issuer-ca=%s" $oidc.issuerCA | nindent 8 }}
{{- end }}
{{- end }}
{{- with $openstack := .Values.server.provider.openstack }}
{{ printf "- --openstack-endpoint=%s" $openstack.endpoint | nindent 8 }}
{{- with $secret := $openstack.serviceAccount.secret }}
{{ printf "- --openstack-serviceaccount-secret=%s" $secret.name | nindent 8 }}
{{- end }}
{{- with $identity := $openstack.identity }}
{{- range $roles := $identity.applicationCredentialRoles }}
{{ printf "- --openstack-identity-application-credential-roles=%s" (join "," $roles) | nindent 8 }}
{{- end }}
{{- end }}
{{- with $compute := $openstack.compute }}
{{- with $policy := $compute.serverGroupPolicy }}
{{ printf "- --openstack-servergroup-policy=%s" $policy | nindent 8 }}
{{- end }}
{{- with $props := $compute.flavorPropertiesExclude }}
{{ printf "- --openstack-flavor-properties-exclude=%s" (join "," $props) | nindent 8 }}
{{- end }}
{{- range $desc := $compute.flavorGpuDescriptors }}
{{ printf "- --openstack-flavor-gpu-descriptor=property=%s,expression=%s" $desc.property $desc.expression | nindent 8 }}
{{- end }}
{{- end }}
{{- with $image := $openstack.image }}
{{ with $props := $image.properties }}
{{ printf "- --openstack-image-properties=%s" (join "," $props) | nindent 8 }}
{{- end }}
{{- with $key := $image.signingKey }}
{{ printf "- --openstack-image-signing-key=%s" $key | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}

{{- if .Values.server.imageSigningKey }}
- --image-signing-key={{ .Values.server.imageSigningKey }}
{{- end }}
{{- with $properties := .Values.server.imageProperties -}}
{{ printf "- --image-properties=%s" (join "," $properties) | nindent 8 }}
{{- end }}
{{- with $credentials := .Values.server.applicationCredentials -}}
{{- with $roles := $credentials.roles -}}
{{ printf "- --application-credential-roles=%s" (join "," $roles) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.server.otlpEndpoint }}
{{ printf "- --otlp-endpoint=%s" .Values.server.otlpEndpoint | nindent 8 }}
{{- end }}
Expand All @@ -157,11 +116,6 @@ spec:
containerPort: 6080
- name: prometheus
containerPort: 8080
env:
- name: KUBERNETES_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# Note, this is quite CPU intensive, especially when going wide!
# TODO: profile me.
resources:
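Review bot: The added `- regions` entry sits in a rule whose `verbs:` list is outside this hunk (the `rules:` block starts before it), so the breadth of the grant is not visible here; the server appears only to consume Region objects, so `get`, `list` and `watch` should suffice and anything broader is worth trimming. Because Region is cluster-scoped and its `serviceAccountSecret` names an arbitrary `namespace`, whoever can create Regions can direct the server at any Secret its own RBAC lets it read, which deserves a comment beside this rule such as `# Regions are consumed read-only; creating them must be restricted, since spec.openstack.serviceAccountSecret selects the credentials the server loads`. If the server's `secrets` grant is scoped per namespace elsewhere in the chart, that is the place to confirm it matches the namespaces Regions are allowed to reference.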