Merge pull request k0sproject#431 from makhov/remotemachine-provision…

…-job

RemoteMachine provision job support

.github/workflows/go.yml

@@ -144,6 +144,7 @@ jobs:
           - check-capi-remote-machine-template
           - check-capi-remote-machine-template-update
           - check-capi-docker-machine-template-update
+          - check-capi-remote-machine-job-provision
     steps:
       - name: Check out code into the Go module directory
         uses: actions/checkout@v4

Makefile

@@ -276,7 +276,7 @@ kind-cluster:
 .PHONY: kind-deploy-k0smotron
 kind-deploy-k0smotron: release k0smotron-image-bundle.tar
 	kind load image-archive k0smotron-image-bundle.tar
-	kubectl apply -f install.yaml
+	kubectl create -f install.yaml
 	kubectl rollout restart -n k0smotron deployment/k0smotron-controller-manager
 
 sbom/spdx.json: go.mod

README.md

@@ -53,7 +53,7 @@ With k0smotron, you can run the control plane management cluster in a public or
 Getting started with k0smotron is easy. Simply install the controller into an existing cluster:
 
 ```bash
-kubectl apply -f https://docs.k0smotron.io/stable/install.yaml
+kubectl create -f https://docs.k0smotron.io/stable/install.yaml
 ```
 
 You can also install k0smotron ClusterAPI providers via `clusterctl`:

api/infrastructure/v1beta1/remote_machine_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1beta1
 
 import (
+	v1 "k8s.io/api/batch/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
@@ -99,10 +100,27 @@ type RemoteMachineSpec struct {
 	// +kubebuilder:default="root"
 	User string `json:"user,omitempty"`
 
+	// +kubebuilder:validation:Optional
+	UseSudo bool `json:"useSudo,omitempty"`
+
 	// SSHKeyRef is a reference to a secret that contains the SSH private key.
 	// The key must be placed on the secret using the key "value".
 	// +kubebuilder:validation:Optional
 	SSHKeyRef SecretRef `json:"sshKeyRef,omitempty"`
+
+	// ProvisionJob describes the kubernetes Job to use to provision the machine.
+	ProvisionJob *ProvisionJob `json:"provisionJob,omitempty"`
+}
+
+type ProvisionJob struct {
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="ssh"
+	SSHCommand string `json:"sshCommand,omitempty"`
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="scp"
+	SCPCommand string `json:"scpCommand,omitempty"`
+	// JobTemplate is the job template to use to provision the machine.
+	JobTemplate *v1.JobTemplateSpec `json:"jobSpecTemplate,omitempty"`
 }
 
 // RemoteMachineStatus defines the observed state of RemoteMachine

config/rbac/role.yaml

@@ -54,6 +54,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - bootstrap.cluster.x-k8s.io
   resources:

config/samples/capi/remotemachine/remotemachine-okta-access.yaml

@@ -0,0 +1,70 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: okta-asa-config
+  namespace: default
+data:
+  sftd.yaml: |
+    CanonicalName: "k0smotron-job-runner"
+  sft.conf: |
+    # Allow authentication as a Service User
+    section "service_auth" {
+      enable = true
+    }
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: okta-asa-enrollment-token
+stringData:
+  enrollment.token: <REDACTED>
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: okta-asa-demo-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 200Mi
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: okta-asa-demo-pod
+  namespace: default
+spec:
+  containers:
+      - name: okta-asa
+        image: makhov/okta-asa-demo:latest
+        args:
+          - sleep
+          - infinity
+        env:
+        volumeMounts:
+          - name: config
+            mountPath: /etc/sft/sftd.yaml
+            subPath: sftd.yaml
+          - name: config
+            mountPath: /root/.config/ScaleFT/sft.conf
+            subPath: sft.conf
+          - name: sftd-lib
+            mountPath: /var/lib/sftd
+          - name: enrollment-token
+            mountPath: /var/lib/sftd/enrollment.token
+            subPath: enrollment.token
+  volumes:
+    - name: config
+      configMap:
+        name: okta-asa-config
+    - name: enrollment-token
+      secret:
+        secretName: okta-asa-enrollment-token
+    - name: sftd-lib
+      persistentVolumeClaim:
+        claimName: okta-asa-demo-pvc
+

config/samples/capi/remotemachine/remotemachine-teleport-access.yaml

@@ -0,0 +1,127 @@
+# This ServiceAccount will be used to give the `tbot` pods a discrete identity
+# which can be validated by the Teleport Auth Server.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tbot
+  namespace: default
+---
+# This role grants the ability to manage secrets within the namespace - this is
+# necessary for the `kubernetes_secret` destination to work correctly.
+#
+# You may wish to add the `resourceNames` field to the role to further restrict
+# this access in sensitive environments.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: secrets-admin
+  namespace: default
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["*"]
+---
+# Bind the role to the service account created for tbot.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tbot-secrets-admin
+  namespace: default
+subjects:
+  - kind: ServiceAccount
+    name: tbot
+roleRef:
+  kind: Role
+  name:  secrets-admin
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tbot-config
+  namespace: default
+data:
+  tbot.yaml: |
+    version: v2
+    onboarding:
+      join_method: kubernetes
+      # ensure token is set to the name of the join token you created earlier
+      token: example-bot
+    storage:
+      # a memory destination is used for the bots own state since the kubernetes
+      # join method does not require persistence.
+      type: memory
+    # ensure this is configured to the address of your Teleport Proxy or
+    # Auth Server. Prefer the address of the Teleport Proxy.
+    auth_server: teleport.example.com:443
+    outputs:
+    - type: identity
+      destination:
+        type: kubernetes_secret
+        name: identity-output
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tbot
+  namespace: default
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: tbot
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: tbot
+    spec:
+      containers:
+        - name: tbot
+          image: public.ecr.aws/gravitational/teleport:14.3.3
+          command:
+            - tbot
+          args:
+            - start
+            - -c
+            - /config/tbot.yaml
+            - --insecure
+          env:
+            # POD_NAMESPACE is required for the kubernetes_secret` destination
+            # type to work correctly.
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            # KUBERNETES_TOKEN_PATH specifies the path to the service account
+            # JWT to use for joining.
+            # This path is based on the configuration of the volume and
+            # volumeMount.
+            - name: KUBERNETES_TOKEN_PATH
+              value: /var/run/secrets/tokens/join-sa-token
+            # TELEPORT_ANONYMOUS_TELEMETRY enables the submission of anonymous
+            # usage telemetry.  This helps us shape the future development of
+            # `tbot`. You can disable this by omitting this.
+            - name: TELEPORT_ANONYMOUS_TELEMETRY
+              value: "1"
+          volumeMounts:
+            - mountPath: /config
+              name: config
+            - mountPath: /var/run/secrets/tokens
+              name: join-sa-token
+      serviceAccountName: tbot
+      volumes:
+        - name: config
+          configMap:
+            name: tbot-config
+        - name: join-sa-token
+          projected:
+            sources:
+              - serviceAccountToken:
+                  path: join-sa-token
+                  # 600 seconds is the minimum that Kubernetes supports. We
+                  # recommend this value is used.
+                  expirationSeconds: 600
+                  audience: test