feat: Add DNS patch

Author: jimmidyson

charts/capi-runtime-extensions/README.md

@@ -38,6 +38,8 @@ A Helm chart for capi-runtime-extensions
 | handlers.CalicoCNI.defaultPodSubnet | string | `"192.168.0.0/16"` |  |
 | handlers.CalicoCNI.defaultTigeraOperatorConfigMap.name | string | `"tigera-operator"` |  |
 | handlers.CalicoCNI.enabled | bool | `true` |  |
+| handlers.DNSPatch.enabled | bool | `true` |  |
+| handlers.DNSVars.enabled | bool | `true` |  |
 | handlers.ExtraAPIServerCertSANsPatch.enabled | bool | `true` |  |
 | handlers.ExtraAPIServerCertSANsVars.enabled | bool | `true` |  |
 | handlers.HTTPProxyPatch.enabled | bool | `true` |  |

charts/capi-runtime-extensions/values.schema.json

@@ -149,6 +149,24 @@
               "default": true
             }
           }
+        },
+        "DNSVars": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean",
+              "default": true
+            }
+          }
+        },
+        "DNSPatch": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean",
+              "default": true
+            }
+          }
         }
       }
     },

charts/capi-runtime-extensions/values.yaml

@@ -25,6 +25,10 @@ handlers:
     enabled: true
   ExtraAPIServerCertSANsPatch:
     enabled: true
+  DNSVars:
+    enabled: true
+  DNSPatch:
+    enabled: true
 
 deployment:
   replicas: 1

cmd/capi-runtime-extensions/main.go

@@ -27,6 +27,7 @@ import (
 	"github.com/d2iq-labs/capi-runtime-extensions/common/pkg/server"
 	"github.com/d2iq-labs/capi-runtime-extensions/internal/controllermanager"
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/cni/calico"
+	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/dns"
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/extraapiservercertsans"
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/httpproxy"
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/servicelbgc"
@@ -82,6 +83,8 @@ func main() {
 		httpproxy.NewPatch(),
 		extraapiservercertsans.NewVariable(),
 		extraapiservercertsans.NewPatch(),
+		dns.NewVariable(),
+		dns.NewPatch(),
 	)
 
 	// Initialize and parse command line flags.

common/pkg/openapi/patterns/distribution.go

@@ -0,0 +1,15 @@
+// Copyright 2023 D2iQ, Inc. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package patterns
+
+const (
+	// See: https://github.com/distribution/reference/blob/v0.5.0/regexp.go#L53
+	NameSeparator = `(?:[._]|__|[-]+)`
+
+	// See: https://github.com/distribution/reference/blob/v0.5.0/regexp.go#L123C18-L123C65
+	PathComponent = Alphanumeric + `(` + NameSeparator + Alphanumeric + `)*`
+
+	// See: https://github.com/distribution/reference/blob/v0.5.0/regexp.go#L130
+	ImageRegistry = `(` + DNS1123Subdomain + `|` + IPv6 + `)` + OptionalPort + `(/` + PathComponent + `)*`
+)

common/pkg/openapi/patterns/generic.go

@@ -0,0 +1,9 @@
+// Copyright 2023 D2iQ, Inc. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package patterns
+
+const (
+	// See: https://github.com/distribution/reference/blob/v0.5.0/regexp.go#L44C2-L44C28
+	Alphanumeric = `[a-z0-9]+`
+)

common/pkg/openapi/patterns/net.go

@@ -0,0 +1,13 @@
+// Copyright 2023 D2iQ, Inc. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package patterns
+
+const (
+	// See: https://github.com/distribution/reference/blob/v0.5.0/regexp.go#L91
+	IPv6 = `\[(?:[a-fA-F0-9:]+)\]`
+
+	Port = `:[0-9]+`
+
+	OptionalPort = `(` + Port + `)?`
+)

docs/content/dns.md

@@ -0,0 +1,46 @@
+---
+title: "DNS"
+---
+
+If the API server can be accessed by alternative DNS addresses then setting additional SANs on the API server
+certificate is necessary in order for clients to successfully validate the API server certificate.
+
+To enable the API server certificate SANs enable the `dnsvars` and `dnspatch`
+external patches on `ClusterClass`.
+
+```yaml
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: ClusterClass
+metadata:
+  name: <NAME>
+spec:
+  patches:
+    - name: dns
+      external:
+        generateExtension: "dnspatch.<external-config-name>"
+        discoverVariablesExtension: "dnsvars.<external-config-name>"
+```
+
+On the cluster resource then specify desired DNS image repo:
+
+```yaml
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: <NAME>
+spec:
+  topology:
+    variables:
+      - name: dns
+        value:
+          imageRepository: a.b.c.example.com
+```
+
+Applying this configuration will result in the DNS image repository being correctly set in the
+`KubeadmControlPlaneTemplate`.
+
+This hook is enabled by default, and can be explicitly disabled by omitting the `DNSVars`
+and `DNSPatch` hook from the `--runtimehooks.enabled-handlers` flag.
+
+If deploying via Helm, then this can be disabled by setting `handlers.DNSVars.enabled=false` and
+`handlers.DNSPatch.enabled=false`.

pkg/handlers/dns/inject.go

@@ -0,0 +1,113 @@
+// Copyright 2023 D2iQ, Inc. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package dns
+
+import (
+	"context"
+	_ "embed"
+
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
+	controlplanev1 "sigs.k8s.io/cluster-api/controlplane/kubeadm/api/v1beta1"
+	runtimehooksv1 "sigs.k8s.io/cluster-api/exp/runtime/hooks/api/v1alpha1"
+	"sigs.k8s.io/cluster-api/exp/runtime/topologymutation"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/d2iq-labs/capi-runtime-extensions/common/pkg/handlers"
+	"github.com/d2iq-labs/capi-runtime-extensions/pkg/capi/clustertopology/patches"
+	"github.com/d2iq-labs/capi-runtime-extensions/pkg/capi/clustertopology/patches/selectors"
+	"github.com/d2iq-labs/capi-runtime-extensions/pkg/capi/clustertopology/variables"
+)
+
+const (
+	// HandlerNamePatch is the name of the inject handler.
+	HandlerNamePatch = "DNSPatch"
+)
+
+type dnsPatchHandler struct {
+	decoder runtime.Decoder
+}
+
+var (
+	_ handlers.NamedHandler                   = &dnsPatchHandler{}
+	_ handlers.GeneratePatchesMutationHandler = &dnsPatchHandler{}
+)
+
+func NewPatch() *dnsPatchHandler {
+	scheme := runtime.NewScheme()
+	_ = bootstrapv1.AddToScheme(scheme)
+	_ = controlplanev1.AddToScheme(scheme)
+	return &dnsPatchHandler{
+		decoder: serializer.NewCodecFactory(scheme).UniversalDecoder(
+			controlplanev1.GroupVersion,
+			bootstrapv1.GroupVersion,
+		),
+	}
+}
+
+func (h *dnsPatchHandler) Name() string {
+	return HandlerNamePatch
+}
+
+func (h *dnsPatchHandler) GeneratePatches(
+	ctx context.Context,
+	req *runtimehooksv1.GeneratePatchesRequest,
+	resp *runtimehooksv1.GeneratePatchesResponse,
+) {
+	topologymutation.WalkTemplates(
+		ctx,
+		h.decoder,
+		req,
+		resp,
+		func(
+			ctx context.Context,
+			obj runtime.Object,
+			vars map[string]apiextensionsv1.JSON,
+			holderRef runtimehooksv1.HolderReference,
+		) error {
+			log := ctrl.LoggerFrom(ctx).WithValues(
+				"holderRef", holderRef,
+			)
+
+			dnsVar, found, err := variables.Get[DNSVariable](
+				vars,
+				VariableName,
+			)
+			if err != nil {
+				return err
+			}
+			if !found {
+				log.V(5).Info("DNS image repo variable not defined")
+				return nil
+			}
+
+			log = log.WithValues(
+				"variableName",
+				VariableName,
+				"variableValue",
+				dnsVar,
+			)
+
+			return patches.Generate(
+				obj, vars, &holderRef, selectors.ControlPlane(), log,
+				func(obj *controlplanev1.KubeadmControlPlaneTemplate) error {
+					log.WithValues(
+						"patchedObjectKind", obj.GetObjectKind().GroupVersionKind().String(),
+						"patchedObjectName", client.ObjectKeyFromObject(obj),
+					).Info("adding DNS image repo in kubeadm config spec")
+
+					if obj.Spec.Template.Spec.KubeadmConfigSpec.ClusterConfiguration == nil {
+						obj.Spec.Template.Spec.KubeadmConfigSpec.ClusterConfiguration = &bootstrapv1.ClusterConfiguration{}
+					}
+					obj.Spec.Template.Spec.KubeadmConfigSpec.ClusterConfiguration.DNS.ImageRepository = dnsVar.ImageRepository
+
+					return nil
+				},
+			)
+		},
+	)
+}

pkg/handlers/dns/inject_test.go

@@ -0,0 +1,123 @@
+// Copyright 2023 D2iQ, Inc. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package dns
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"testing"
+
+	. "github.com/onsi/gomega"
+	. "github.com/onsi/gomega/gstruct"
+	"gomodules.xyz/jsonpatch/v2"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	controlplanev1 "sigs.k8s.io/cluster-api/controlplane/kubeadm/api/v1beta1"
+	runtimehooksv1 "sigs.k8s.io/cluster-api/exp/runtime/hooks/api/v1alpha1"
+)
+
+func TestGeneratePatches(t *testing.T) {
+	g := NewWithT(t)
+	h := NewPatch()
+	req := &runtimehooksv1.GeneratePatchesRequest{}
+	resp := &runtimehooksv1.GeneratePatchesResponse{}
+	h.GeneratePatches(context.Background(), req, resp)
+	g.Expect(resp.Status).To(Equal(runtimehooksv1.ResponseStatusSuccess))
+	g.Expect(resp.Items).To(BeEmpty())
+}
+
+func TestGeneratePatches_KubeadmControlPlaneTemplate(t *testing.T) {
+	g := NewWithT(t)
+	h := NewPatch()
+	req := &runtimehooksv1.GeneratePatchesRequest{
+		Variables: []runtimehooksv1.Variable{
+			newVariable(
+				VariableName,
+				DNSVariable{
+					ImageRepository: "a.b.c.example.com",
+				},
+			),
+		},
+		Items: []runtimehooksv1.GeneratePatchesRequestItem{
+			requestItem(
+				"1",
+				&controlplanev1.KubeadmControlPlaneTemplate{
+					TypeMeta: v1.TypeMeta{
+						Kind:       "KubeadmControlPlaneTemplate",
+						APIVersion: controlplanev1.GroupVersion.String(),
+					},
+				},
+				&runtimehooksv1.HolderReference{
+					Kind:      "Cluster",
+					FieldPath: "spec.controlPlaneRef",
+				},
+			),
+		},
+	}
+	resp := &runtimehooksv1.GeneratePatchesResponse{}
+	h.GeneratePatches(context.Background(), req, resp)
+	g.Expect(resp.Status).To(Equal(runtimehooksv1.ResponseStatusSuccess))
+	g.Expect(resp.Items).To(ContainElement(MatchFields(IgnoreExtras, Fields{
+		"UID":       Equal(types.UID("1")),
+		"PatchType": Equal(runtimehooksv1.JSONPatchType),
+		"Patch": WithTransform(
+			func(data []byte) ([]jsonpatch.Operation, error) {
+				operations := []jsonpatch.Operation{}
+				if err := json.Unmarshal(data, &operations); err != nil {
+					return nil, err
+				}
+				return operations, nil
+			},
+			ConsistOf(MatchAllFields(Fields{
+				"Operation": Equal("add"),
+				"Path":      Equal("/spec/template/spec/kubeadmConfigSpec/clusterConfiguration"),
+				"Value": HaveKeyWithValue(
+					"dns",
+					HaveKeyWithValue(
+						"imageRepository",
+						"a.b.c.example.com",
+					),
+				),
+			})),
+		),
+	})))
+}
+
+func toJSON(v any) []byte {
+	data, err := json.Marshal(v)
+	if err != nil {
+		panic(err)
+	}
+	compacted := &bytes.Buffer{}
+	if err := json.Compact(compacted, data); err != nil {
+		panic(err)
+	}
+	return compacted.Bytes()
+}
+
+// requestItem returns a GeneratePatchesRequestItem with the given uid, variables and object.
+func requestItem(
+	uid string,
+	object any,
+	holderRef *runtimehooksv1.HolderReference,
+) runtimehooksv1.GeneratePatchesRequestItem {
+	return runtimehooksv1.GeneratePatchesRequestItem{
+		UID: types.UID(uid),
+		Object: runtime.RawExtension{
+			Raw: toJSON(object),
+		},
+		HolderReference: *holderRef,
+	}
+}
+
+// newVariable returns a runtimehooksv1.Variable with the passed name and value.
+func newVariable(name string, value any) runtimehooksv1.Variable {
+	return runtimehooksv1.Variable{
+		Name:  name,
+		Value: apiextensionsv1.JSON{Raw: toJSON(value)},
+	}
+}