implement the NestedEtcd controller

Author: charleszheng44

Makefile

@@ -143,7 +143,7 @@ apidiff: $(GO_APIDIFF) ## Check for API differences
 generate: ## Generate code
 	$(MAKE) generate-manifests
 	$(MAKE) generate-go
-	$(MAKE) generate-bindata
+	# $(MAKE) generate-bindata
 
 .PHONY: generate-go
 generate-go: ## Runs Go related generate targets
@@ -163,8 +163,8 @@ generate-manifests: ## Generate manifests e.g. CRD, RBAC etc.
 		output:webhook:dir=./config/webhook \
 		webhook
 	## Copy files in CI folders.
-	cp -f ./config/rbac/*.yaml ./config/ci/rbac/
-	cp -f ./config/manager/manager*.yaml ./config/ci/manager/
+	# cp -f ./config/rbac/*.yaml ./config/ci/rbac/
+	# cp -f ./config/manager/manager*.yaml ./config/ci/manager/
 
 .PHONY: modules
 modules: ## Runs go mod to ensure modules are up to date.
@@ -184,8 +184,8 @@ docker-pull-prerequisites:
 .PHONY: docker-build
 docker-build: docker-pull-prerequisites ## Build the docker images for controller managers
 	DOCKER_BUILDKIT=1 docker build --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" . -t $(CONTROLLER_IMG)-$(ARCH):$(TAG)
-	$(MAKE) set-manifest-image MANIFEST_IMG=$(CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./config/manager/manager_image_patch.yaml"
-	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./config/manager/manager_pull_policy.yaml"
+	# $(MAKE) set-manifest-image MANIFEST_IMG=$(CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./config/manager/manager_image_patch.yaml"
+	# $(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./config/manager/manager_pull_policy.yaml"
 
 .PHONY: docker-push
 docker-push: ## Push the docker images

apis/controlplane/v1alpha4/nestedcomponentspec_types.go

@@ -32,9 +32,9 @@ type NestedComponentSpec struct {
 
 	// Resources defines the amount of computing resources that will be used by this component
 	// +optional
-	Resources corev1.ResourceRequirements `json:"resources",omitempty`
+	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
 
 	// Replicas defines the number of replicas in the component's workload
 	// +optional
-	Replicas int32 `json:"replicas",omitempty`
+	Replicas int32 `json:"replicas,omitempty"`
 }

apis/controlplane/v1alpha4/nestedetcd_types.go

@@ -56,6 +56,9 @@ type NestedEtcdAddress struct {
 }
 
 //+kubebuilder:object:root=true
+//+kubebuilder:resource:scope=Namespaced,path=nestedetcds,shortName=netcd,categories=all
+//+kubebuilder:printcolumn:name="Ready",type="bool",JSONPath=".status.Ready"
+//+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 //+kubebuilder:subresource:status
 
 // NestedEtcd is the Schema for the nestedetcds API

apis/controlplane/v1alpha4/zz_generated.deepcopy.go

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{.nestedetcdName}}
+  namespace: {{.nestedetcdNamespace}}
+  labels:
+    component-name: {{.nestedetcdName}} 
+spec:
+  publishNotReadyAddresses: true
+  clusterIP: None
+  selector:
+    component-name: {{.nestedetcdName}}

config/component-templates/nested-etcd/nested-etcd-service-template.yaml

@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{.nestedetcdName}}
+  namespace: {{.nestedetcdNamespace}}
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  serviceName: {{.nestedetcdName}}
+  selector:
+    matchLabels:
+      component-name: {{.nestedetcdName}}
+  # etcd will not be updated, unless it is deleted
+  updateStrategy:
+    type: OnDelete
+  template:
+    metadata:
+      labels:
+        component-name: {{.nestedetcdName}}
+    spec:
+      subdomain: etcd
+      containers:
+      - name: {{.nestedetcdName}}
+        image: virtualcluster/etcd-v3.4.0
+        imagePullPolicy: Always
+        command:
+        - etcd
+        # pass the pod name(hostname) to container for composing the advertise-urls args
+        env:
+        - name: HOSTNAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        args:
+        - --name=$(HOSTNAME)
+        - --trusted-ca-file=/etc/kubernetes/pki/root/tls.crt
+        - --client-cert-auth
+        - --cert-file=/etc/kubernetes/pki/etcd/tls.crt
+        - --key-file=/etc/kubernetes/pki/etcd/tls.key
+        - --peer-client-cert-auth
+        - --peer-trusted-ca-file=/etc/kubernetes/pki/root/tls.crt
+        - --peer-cert-file=/etc/kubernetes/pki/etcd/tls.crt
+        - --peer-key-file=/etc/kubernetes/pki/etcd/tls.key
+        - --listen-peer-urls=https://0.0.0.0:2380
+        - --listen-client-urls=https://0.0.0.0:2379
+        - --initial-advertise-peer-urls=https://$(HOSTNAME).{{.nestedetcdName}}:2380
+        # we use a headless service to encapsulate each pod
+        - --advertise-client-urls=https://$(HOSTNAME).{{.nestedetcdName}}:2379
+        - --initial-cluster-state=new
+        - --initial-cluster-token=vc-etcd
+        - --data-dir=/var/lib/etcd/data
+        # --initial-cluster option will be set during runtime based on the number of replicas
+        livenessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/kubernetes/pki/root/tls.crt --cert=/etc/kubernetes/pki/etcd/tls.crt --key=/etc/kubernetes/pki/etcd/tls.key endpoint health
+          failureThreshold: 8
+          initialDelaySeconds: 60
+          timeoutSeconds: 15
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/kubernetes/pki/root/tls.crt --cert=/etc/kubernetes/pki/etcd/tls.crt --key=/etc/kubernetes/pki/etcd/tls.key endpoint health
+          failureThreshold: 8
+          initialDelaySeconds: 15
+          periodSeconds: 2
+          timeoutSeconds: 15
+        volumeMounts:
+        - mountPath: /etc/kubernetes/pki/etcd
+          name: {{.nestedControlPlaneName}}-etcd-crt
+          readOnly: true
+        - mountPath: /etc/kubernetes/pki/root
+          name: {{.nestedControlPlaneName}}-etcd
+          readOnly: true
+      volumes:
+      - name: {{.nestedControlPlaneName}}-etcd-crt
+        secret:
+          defaultMode: 420
+          secretName: {{.nestedControlPlaneName}}-etcd-crt
+      - name: {{.nestedControlPlaneName}}-etcd
+        secret:
+          defaultMode: 420
+          secretName: {{.nestedControlPlaneName}}-etcd

config/component-templates/nested-etcd/nested-etcd-statefulset-template.yaml

@@ -10,13 +10,24 @@ metadata:
 spec:
   group: controlplane.cluster.x-k8s.io
   names:
+    categories:
+    - all
     kind: NestedEtcd
     listKind: NestedEtcdList
     plural: nestedetcds
+    shortNames:
+    - netcd
     singular: nestedetcd
   scope: Namespaced
   versions:
-  - name: v1alpha4
+  - additionalPrinterColumns:
+    - jsonPath: .status.Ready
+      name: Ready
+      type: bool
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha4
     schema:
       openAPIV3Schema:
         description: NestedEtcd is the Schema for the nestedetcds API

config/crd/bases/controlplane.cluster.x-k8s.io_nestedetcds.yaml

@@ -6,7 +6,7 @@ resources:
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+# - auth_proxy_service.yaml
+# - auth_proxy_role.yaml
+# - auth_proxy_role_binding.yaml
+# - auth_proxy_client_clusterrole.yaml

config/rbac/kustomization.yaml

@@ -6,6 +6,26 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - apps
+  resources:
+  - statefulset
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - statefulset/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - controlplane.cluster.x-k8s.io
   resources: