Implement very rough skeleton of the start of a supervisor server

- This is just stab at a starting place because it felt easier to put something down on paper than to keep staring at a blank page
2020-10-05 17:28:19 -07:00 · 2020-10-05 17:28:19 -07:00 · 76bd462cf8
commit 76bd462cf8
parent 7eed7ba19a
8 changed files with 500 additions and 3 deletions
--- a/2
+++ b/2
@ -21,6 +21,7 @@ COPY hack ./hack
 # Build the executable binary (CGO_ENABLED=0 means static linking)
 RUN mkdir out \
  && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(hack/get-ldflags.sh)" -o out ./cmd/pinniped-server/... \
+  && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(hack/get-ldflags.sh)" -o out ./cmd/pinniped-supervisor/... \
  && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o out ./cmd/local-user-authenticator/...

 # Use a runtime image based on Debian slim
@ -28,6 +29,7 @@ FROM debian:10.5-slim

 # Copy the binaries from the build-env stage
 COPY --from=build-env /work/out/pinniped-server /usr/local/bin/pinniped-server
+COPY --from=build-env /work/out/pinniped-supervisor /usr/local/bin/pinniped-supervisor
 COPY --from=build-env /work/out/local-user-authenticator /usr/local/bin/local-user-authenticator

 # Document the port
--- a/cmd/pinniped-supervisor/main.go
+++ b/cmd/pinniped-supervisor/main.go
@ -0,0 +1,186 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"os"
+	"os/signal"
+	"time"
+
+	kubeinformers "k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/pkg/version"
+	"k8s.io/client-go/rest"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/component-base/logs"
+	"k8s.io/klog/v2"
+	"sigs.k8s.io/yaml"
+
+	"go.pinniped.dev/internal/controller/supervisorconfig"
+	"go.pinniped.dev/internal/controllerlib"
+	"go.pinniped.dev/internal/downward"
+)
+
+const (
+	singletonWorker       = 1
+	defaultResyncInterval = 3 * time.Minute
+)
+
+type helloWorld struct{}
+
+func (w *helloWorld) start(ctx context.Context, l net.Listener) error {
+	server := http.Server{
+		Handler: w,
+	}
+
+	errCh := make(chan error)
+	go func() {
+		errCh <- server.Serve(l)
+	}()
+
+	go func() {
+		select {
+		case err := <-errCh:
+			klog.InfoS("server exited", "err", err)
+		case <-ctx.Done():
+			klog.InfoS("server context cancelled", "err", ctx.Err())
+			if err := server.Shutdown(context.Background()); err != nil {
+				klog.InfoS("server shutdown failed", "err", err)
+			}
+		}
+	}()
+
+	return nil
+}
+
+func (w *helloWorld) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
+	// TODO this is just a placeholder to allow manually testing that this is reachable; we don't want a hello world endpoint
+	defer req.Body.Close()
+	_, _ = fmt.Fprintf(rsp, "Hello, world!")
+}
+
+func waitForSignal() os.Signal {
+	signalCh := make(chan os.Signal, 1)
+	signal.Notify(signalCh, os.Interrupt)
+	return <-signalCh
+}
+
+func startControllers(
+	ctx context.Context,
+	kubeClient kubernetes.Interface,
+	kubeInformers kubeinformers.SharedInformerFactory,
+	serverInstallationNamespace string,
+	staticConfig StaticConfig,
+) {
+	// Create controller manager.
+	controllerManager := controllerlib.
+		NewManager().
+		WithController(
+			supervisorconfig.NewDynamicConfigWatcherController(
+				serverInstallationNamespace,
+				staticConfig.NamesConfig.DynamicConfigMap,
+				kubeClient,
+				kubeInformers.Core().V1().ConfigMaps(),
+				controllerlib.WithInformer,
+			),
+			singletonWorker,
+		)
+
+	kubeInformers.Start(ctx.Done())
+
+	go controllerManager.Start(ctx)
+}
+
+func newK8sClient() (kubernetes.Interface, error) {
+	kubeConfig, err := restclient.InClusterConfig()
+	if err != nil {
+		return nil, fmt.Errorf("could not load in-cluster configuration: %w", err)
+	}
+
+	// Connect to the core Kubernetes API.
+	kubeClient, err := kubernetes.NewForConfig(kubeConfig)
+	if err != nil {
+		return nil, fmt.Errorf("could not load in-cluster configuration: %w", err)
+	}
+
+	return kubeClient, nil
+}
+
+func run(serverInstallationNamespace string, staticConfig StaticConfig) error {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	kubeClient, err := newK8sClient()
+	if err != nil {
+		return fmt.Errorf("cannot create k8s client: %w", err)
+	}
+
+	kubeInformers := kubeinformers.NewSharedInformerFactoryWithOptions(
+		kubeClient,
+		defaultResyncInterval,
+		kubeinformers.WithNamespace(serverInstallationNamespace),
+	)
+
+	startControllers(ctx, kubeClient, kubeInformers, serverInstallationNamespace, staticConfig)
+
+	//nolint: gosec // Intentionally binding to all network interfaces.
+	l, err := net.Listen("tcp", ":80")
+	if err != nil {
+		return fmt.Errorf("cannot create listener: %w", err)
+	}
+	defer l.Close()
+
+	helloHandler := &helloWorld{}
+	err = helloHandler.start(ctx, l)
+	if err != nil {
+		return fmt.Errorf("cannot start webhook: %w", err)
+	}
+	klog.InfoS("supervisor is ready", "address", l.Addr().String())
+
+	gotSignal := waitForSignal()
+	klog.InfoS("supervisor exiting", "signal", gotSignal)
+
+	return nil
+}
+
+type StaticConfig struct {
+	NamesConfig NamesConfigSpec `json:"names"`
+}
+
+type NamesConfigSpec struct {
+	DynamicConfigMap string `json:"dynamicConfigMap"`
+}
+
+func main() {
+	logs.InitLogs()
+	defer logs.FlushLogs()
+
+	klog.Infof("Running %s at %#v", rest.DefaultKubernetesUserAgent(), version.Get())
+	klog.Infof("Command-line arguments were: %s %s %s", os.Args[0], os.Args[1], os.Args[2])
+
+	// Discover in which namespace we are installed.
+	podInfo, err := downward.Load(os.Args[1])
+	if err != nil {
+		klog.Fatal(fmt.Errorf("could not read pod metadata: %w", err))
+	}
+
+	// Read static config.
+	data, err := ioutil.ReadFile(os.Args[2])
+	if err != nil {
+		klog.Fatal(fmt.Errorf("read file: %w", err))
+	}
+	var staticConfig StaticConfig
+	if err := yaml.Unmarshal(data, &staticConfig); err != nil {
+		klog.Fatal(fmt.Errorf("decode yaml: %w", err))
+	}
+
+	if err := run(podInfo.Namespace, staticConfig); err != nil {
+		klog.Fatal(err)
+	}
+}
--- a/deploy-supervisor/README.md
+++ b/deploy-supervisor/README.md
@ -0,0 +1,41 @@
+# Deploying the Pinniped Supervisor
+
+## What is the Pinniped Supervisor?
+
+The Pinniped Supervisor app is a component of the Pinniped OIDC and Cluster Federation solutions.
+It can be deployed when those features are needed.
+
+## Installing the Latest Version with Default Options
+
+```bash
+kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/latest/download/install-supervisor.yaml
+```
+
+## Installing an Older Version with Default Options
+
+Choose your preferred [release](https://github.com/vmware-tanzu/pinniped/releases) version number
+and use it to replace the version number in the URL below.
+
+```bash
+# Replace v0.3.0 with your preferred version in the URL below
+kubectl apply -f https://github.com/vmware-tanzu/pinniped/releases/download/v0.3.0/install-supervisor.yaml
+```
+
+## Installing with Custom Options
+
+Creating your own deployment YAML file requires `ytt` from [Carvel](https://carvel.dev/) to template the YAML files
+in the [deploy-supervisor](../deploy-supervisor) directory.
+Either [install `ytt`](https://get-ytt.io/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags).
+
+1. `git clone` this repo and `git checkout` the release version tag of the release that you would like to deploy.
+1. The configuration options are in [deploy-supervisor/values.yml](values.yaml).
+   Fill in the values in that file, or override those values using additional `ytt` command-line options in
+   the command below. Use the release version tag as the `image_tag` value.
+2. In a terminal, cd to this `deploy-supervisor` directory
+3. To generate the final YAML files, run `ytt --file .`
+4. Deploy the generated YAML using your preferred deployment tool, such as `kubectl` or [`kapp`](https://get-kapp.io/).
+   For example: `ytt --file . | kapp deploy --yes --app pinniped-supervisor --diff-changes --file -`
+
+## Configuring After Installing
+
+TODO: Provide some instructions here.
--- a/deploy-supervisor/deployment.yaml
+++ b/deploy-supervisor/deployment.yaml
@ -0,0 +1,146 @@
+#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! SPDX-License-Identifier: Apache-2.0
+
+#@ load("@ytt:data", "data")
+
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: #@ data.values.namespace
+  labels:
+    name: #@ data.values.namespace
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: #@ data.values.app_name
+  namespace: #@ data.values.namespace
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: #@ data.values.app_name + "-static-config"
+  namespace: #@ data.values.namespace
+  labels:
+    app: #@ data.values.app_name
+data:
+  #@yaml/text-templated-strings
+  pinniped.yaml: |
+    names:
+      dynamicConfigMap: (@= data.values.app_name + "-dynamic-config" @)
+---
+#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
+apiVersion: v1
+kind: Secret
+metadata:
+  name: image-pull-secret
+  namespace: #@ data.values.namespace
+  labels:
+    app: #@ data.values.app_name
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson
+#@ end
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: #@ data.values.app_name
+  namespace: #@ data.values.namespace
+  labels:
+    app: #@ data.values.app_name
+spec:
+  replicas: #@ data.values.replicas
+  selector:
+    matchLabels:
+      app: #@ data.values.app_name
+  template:
+    metadata:
+      labels:
+        app: #@ data.values.app_name
+    spec:
+      serviceAccountName: #@ data.values.app_name
+      #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
+      imagePullSecrets:
+        - name: image-pull-secret
+      #@ end
+      containers:
+        - name: pinniped-supervisor
+          #@ if data.values.image_digest:
+          image:  #@ data.values.image_repo + "@" + data.values.image_digest
+          #@ else:
+          image: #@ data.values.image_repo + ":" + data.values.image_tag
+          #@ end
+          imagePullPolicy: IfNotPresent
+          command: #! override the default entrypoint
+            - /usr/local/bin/pinniped-supervisor
+          args:
+            - /etc/podinfo #! TODO proper flag parsing instead of positional
+            - /etc/config/pinniped.yaml #! TODO proper flag parsing instead of positional
+          resources:
+            requests:
+              memory: "128Mi"
+          volumeMounts:
+            - name: config-volume
+              mountPath: /etc/config
+            - name: podinfo
+              mountPath: /etc/podinfo
+#!          livenessProbe:
+#!            httpGet:
+#!              path: /healthz
+#!              port: 443
+#!              scheme: HTTPS
+#!            initialDelaySeconds: 2
+#!            timeoutSeconds: 15
+#!            periodSeconds: 10
+#!            failureThreshold: 5
+#!          readinessProbe:
+#!            httpGet:
+#!              path: /healthz
+#!              port: 443
+#!              scheme: HTTPS
+#!            initialDelaySeconds: 2
+#!            timeoutSeconds: 3
+#!            periodSeconds: 10
+#!            failureThreshold: 3
+      volumes:
+        - name: config-volume
+          configMap:
+            name: #@ data.values.app_name + "-static-config"
+        - name: podinfo
+          downwardAPI:
+            items:
+              - path: "labels"
+                fieldRef:
+                  fieldPath: metadata.labels
+              - path: "namespace"
+                fieldRef:
+                  fieldPath: metadata.namespace
+      #! This will help make sure our multiple pods run on different nodes, making
+      #! our deployment "more" "HA".
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 50
+              podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    app: #@ data.values.app_name
+                topologyKey: kubernetes.io/hostname
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: #@ data.values.app_name
+  namespace: #@ data.values.namespace
+  labels:
+    app: #@ data.values.app_name
+spec:
+  type: ClusterIP
+  selector:
+    app: #@ data.values.app_name
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
--- a/deploy-supervisor/rbac.yaml
+++ b/deploy-supervisor/rbac.yaml
@ -0,0 +1,34 @@
+#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! SPDX-License-Identifier: Apache-2.0
+
+#@ load("@ytt:data", "data")
+
+#! Give permission to various objects within the app's own namespace
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: #@ data.values.app_name
+  namespace: #@ data.values.namespace
+  labels:
+    app: #@ data.values.app_name
+rules:
+  - apiGroups: [""]
+    resources: [configmaps]
+    verbs: [get, list, watch]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: #@ data.values.app_name
+  namespace: #@ data.values.namespace
+  labels:
+    app: #@ data.values.app_name
+subjects:
+  - kind: ServiceAccount
+    name: #@ data.values.app_name
+    namespace: #@ data.values.namespace
+roleRef:
+  kind: Role
+  name: #@ data.values.app_name
+  apiGroup: rbac.authorization.k8s.io
--- a/deploy-supervisor/values.yaml
+++ b/deploy-supervisor/values.yaml
@ -0,0 +1,22 @@
+#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
+#! SPDX-License-Identifier: Apache-2.0
+
+#@data/values
+---
+
+app_name: pinniped-supervisor
+namespace: pinniped-supervisor
+
+#! Specify how many replicas of the Pinniped server to run.
+replicas: 2
+
+#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
+image_repo: docker.io/getpinniped/pinniped-server
+image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
+image_tag: latest
+
+#! Specifies a secret to be used when pulling the above container image.
+#! Can be used when the above image_repo is a private registry.
+#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
+#! Optional.
+image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
@ -174,15 +174,29 @@ kubectl create secret generic "$test_username" \
  --output yaml |
  kubectl apply -f -

+#
+# Deploy the Pinniped Supervisor
+#
+pushd deploy-supervisor >/dev/null
+
+log_note "Deploying the Pinniped Supervisor app to the cluster..."
+ytt --file . \
+  --data-value "image_repo=$registry_repo" \
+  --data-value "image_tag=$tag" >"$manifest"
+
+kapp deploy --yes --app "pinniped-supervisor" --diff-changes --file "$manifest"
+
+popd >/dev/null
+
+#
+# Deploy Pinniped
+#
 app_name="pinniped"
 namespace="integration"
 webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
 webhook_ca_bundle="$(kubectl get secret local-user-authenticator-tls-serving-certificate --namespace local-user-authenticator -o 'jsonpath={.data.caCertificate}')"
 discovery_url="$(TERM=dumb kubectl cluster-info | awk '/Kubernetes master/ {print $NF}')"

-#
-# Deploy Pinniped
-#
 pushd deploy >/dev/null

 log_note "Deploying the Pinniped app to the cluster..."
--- a/internal/controller/supervisorconfig/dynamic_config_watcher.go
+++ b/internal/controller/supervisorconfig/dynamic_config_watcher.go
@ -0,0 +1,52 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package supervisorconfig
+
+import (
+	corev1informers "k8s.io/client-go/informers/core/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/klog/v2"
+
+	pinnipedcontroller "go.pinniped.dev/internal/controller"
+	"go.pinniped.dev/internal/controllerlib"
+)
+
+type dynamicConfigWatcherController struct {
+	k8sClient         kubernetes.Interface
+	configMapInformer corev1informers.ConfigMapInformer
+}
+
+func NewDynamicConfigWatcherController(
+	serverInstallationNamespace string,
+	configMapName string,
+	k8sClient kubernetes.Interface,
+	configMapInformer corev1informers.ConfigMapInformer,
+	withInformer pinnipedcontroller.WithInformerOptionFunc,
+) controllerlib.Controller {
+	return controllerlib.New(
+		controllerlib.Config{
+			Name: "DynamicConfigWatcherController",
+			Syncer: &dynamicConfigWatcherController{
+				k8sClient:         k8sClient,
+				configMapInformer: configMapInformer,
+			},
+		},
+		withInformer(
+			configMapInformer,
+			pinnipedcontroller.NameAndNamespaceExactMatchFilterFactory(configMapName, serverInstallationNamespace),
+			controllerlib.InformerOption{},
+		),
+	)
+}
+
+// Sync implements controllerlib.Syncer.
+func (c *dynamicConfigWatcherController) Sync(ctx controllerlib.Context) error {
+	// TODO Watch the configmap to find the issuer name, ingress url, etc.
+	// TODO Update some kind of in-memory representation of the configuration so the discovery endpoint can use it.
+	// TODO The discovery endpoint would return an error until all missing configuration options are filled in.
+
+	klog.InfoS("DynamicConfigWatcherController sync finished")
+
+	return nil
+}