(k8s) configure containerd for client k8s cluster (#979)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **New Features**
- Introduced granular Helm charts for Cluster API providers: bootstrap,
core, control plane, and infrastructure, each with dedicated
configuration, metadata, and compressed component packaging.
- Added a new configuration option to the Kubernetes app to enable using
a custom secret for patching containerd.
- Enhanced Kubernetes deployment to conditionally manage containerd
registry certificates and configuration using custom or copied secrets.

- **Documentation**
- Updated Kubernetes app documentation to include the new containerd
patching secret configuration option.

- **Chores**
- Updated version mappings and chart versions for Kubernetes and Cluster
API-related components.
- Decomposed the monolithic Cluster API provider release into multiple,
more manageable releases with explicit namespaces and dependencies.

- **Refactor**
- Removed the previous unified Cluster API provider template in favor of
new, separate provider resource definitions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

packages/apps/kubernetes/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.21.0
+version: 0.23.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/kubernetes/README.md

@@ -81,12 +81,13 @@ See the reference for components utilized in this service:
 
 ### Common Parameters
 
-| Name                    | Description                                                                                                       | Value        |
-| ----------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------ |
-| `host`                  | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `""`         |
-| `controlPlane.replicas` | Number of replicas for Kubernetes control-plane components.                                                       | `2`          |
-| `storageClass`          | StorageClass used to store user data.                                                                             | `replicated` |
-| `nodeGroups`            | nodeGroups configuration                                                                                          | `{}`         |
+| Name                                | Description                                                                                                       | Value        |
+| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------ |
+| `host`                              | Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty. | `""`         |
+| `controlPlane.replicas`             | Number of replicas for Kubernetes control-plane components.                                                       | `2`          |
+| `storageClass`                      | StorageClass used to store user data.                                                                             | `replicated` |
+| `useCustomSecretForPatchContainerd` | if true, for patch containerd will be used secret: {{ .Release.Name }}-patch-containerd                           | `false`      |
+| `nodeGroups`                        | nodeGroups configuration                                                                                          | `{}`         |
 
 ### Cluster Addons
 

packages/apps/kubernetes/templates/cluster.yaml

@@ -211,12 +211,25 @@ spec:
       - ["LABEL=ephemeral", "/ephemeral"]
       - ["/ephemeral/kubelet", "/var/lib/kubelet", "none", "bind,nofail"]
       - ["/ephemeral/containerd", "/var/lib/containerd", "none", "bind,nofail"]
+      {{- $sec := lookup "v1" "Secret" .Release.Namespace (printf "%s-patch-containerd" .Release.Name) }}
+      {{- if $sec }}
+      files:
+        {{- range $key, $_ := $sec.data }}
+        - path: /etc/containerd/certs.d/{{ trimSuffix ".toml" $key }}/hosts.toml
+          contentFrom:
+            secret:
+              name: {{ .Release.Name }}-patch-containerd
+              key: {{ $key }}
+          permissions: "0400"
+        {{- end }}
+      {{- end }}
       preKubeadmCommands:
       - sed -i 's|root:x:|root::|' /etc/passwd
       - systemctl stop containerd.service
       - mkdir -p /ephemeral/kubelet /ephemeral/containerd
       - mount -o bind /ephemeral/kubelet /var/lib/kubelet
       - mount -o bind /ephemeral/containerd /var/lib/containerd
+      - sudo sed -i '/\[plugins."io.containerd.grpc.v1.cri".registry\]/,/^\[/ s|^\(\s*config_path\s*=\s*\).*|\1"/etc/containerd/certs.d"|' /etc/containerd/config.toml
       - systemctl start containerd.service
       joinConfiguration:
         nodeRegistration:

packages/apps/kubernetes/templates/copy-patch-containerd.yaml

@@ -0,0 +1,15 @@
+{{- if not .Values.useCustomSecretForPatchContainerd }}
+{{- $sourceSecret := lookup "v1" "Secret" "cozy-system" "patch-containerd" }}
+{{- if $sourceSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-patch-containerd
+  namespace: {{ .Release.Namespace }}
+type: {{ $sourceSecret.type }}
+data:
+{{- range $key, $value := $sourceSecret.data }}
+  {{ printf "%s: %s" $key ($value | quote) | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}

packages/apps/kubernetes/values.schema.json

@@ -127,6 +127,11 @@
       "description": "StorageClass used to store user data.",
       "default": "replicated"
     },
+    "useCustomSecretForPatchContainerd": {
+      "type": "boolean",
+      "description": "if true, for patch containerd will be used secret: {{ .Release.Name }}-patch-containerd",
+      "default": false
+    },
     "addons": {
       "type": "object",
       "properties": {

packages/apps/kubernetes/values.yaml

@@ -3,9 +3,11 @@
 ## @param host Hostname used to access the Kubernetes cluster externally. Defaults to `<cluster-name>.<tenant-host>` when empty.
 ## @param controlPlane.replicas Number of replicas for Kubernetes control-plane components.
 ## @param storageClass StorageClass used to store user data.
+## @param useCustomSecretForPatchContainerd if true, for patch containerd will be used secret: {{ .Release.Name }}-patch-containerd
 ##
 host: ""
 storageClass: replicated
+useCustomSecretForPatchContainerd: false
 
 ## @param nodeGroups [object] nodeGroups configuration
 ##

packages/apps/versions_map

@@ -69,7 +69,8 @@ kubernetes 0.18.0 721c12a7
 kubernetes 0.19.0 93bdf411
 kubernetes 0.20.0 609e7ede
 kubernetes 0.20.1 f9f8bb2f
-kubernetes 0.21.0 HEAD
+kubernetes 0.21.0 6130f43d
+kubernetes 0.23.0 HEAD
 mysql 0.1.0 263e47be
 mysql 0.2.0 c24a103f
 mysql 0.3.0 53f2365e

packages/core/platform/bundles/paas-full.yaml

@@ -284,9 +284,30 @@ releases:
   privileged: true
   dependsOn: [cilium,kubeovn,cert-manager]
 
-- name: capi-providers
-  releaseName: capi-providers
-  chart: cozy-capi-providers
+- name: capi-providers-bootstrap
+  releaseName: capi-providers-bootstrap
+  chart: cozy-capi-providers-bootstrap
+  namespace: cozy-cluster-api
+  privileged: true
+  dependsOn: [cilium,kubeovn,capi-operator]
+
+- name: capi-providers-core
+  releaseName: capi-providers-core
+  chart: cozy-capi-providers-core
+  namespace: cozy-cluster-api
+  privileged: true
+  dependsOn: [cilium,kubeovn,capi-operator]
+
+- name: capi-providers-cpprovider
+  releaseName: capi-providers-cpprovider
+  chart: cozy-capi-providers-cpprovider
+  namespace: cozy-cluster-api
+  privileged: true
+  dependsOn: [cilium,kubeovn,capi-operator]
+
+- name: capi-providers-infraprovider
+  releaseName: capi-providers-infraprovider
+  chart: cozy-capi-providers-infraprovider
   namespace: cozy-cluster-api
   privileged: true
   dependsOn: [cilium,kubeovn,capi-operator]

packages/system/capi-providers-bootstrap/.helmignore

@@ -0,0 +1 @@
+files/.*-components.yaml

packages/system/capi-providers-bootstrap/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-capi-providers-bootstrap
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/capi-providers-bootstrap/files/metadata.yaml

@@ -0,0 +1,41 @@
+# maps release series of major.minor to cluster-api contract version
+# the contract version may change between minor or major versions, but *not*
+# between patch versions.
+#
+# update this file only when a new major or minor version is released
+apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
+kind: Metadata
+releaseSeries:
+  - major: 1
+    minor: 10
+    contract: v1beta1
+  - major: 1
+    minor: 9
+    contract: v1beta1
+  - major: 1
+    minor: 8
+    contract: v1beta1
+  - major: 1
+    minor: 7
+    contract: v1beta1
+  - major: 1
+    minor: 6
+    contract: v1beta1
+  - major: 1
+    minor: 5
+    contract: v1beta1
+  - major: 1
+    minor: 4
+    contract: v1beta1
+  - major: 1
+    minor: 3
+    contract: v1beta1
+  - major: 1
+    minor: 2
+    contract: v1beta1
+  - major: 1
+    minor: 1
+    contract: v1beta1
+  - major: 1
+    minor: 0
+    contract: v1beta1

packages/system/capi-providers-bootstrap/templates/configmaps.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: v1.10.1-bootstrap
+  labels:
+    bootstrap-components: cozy
+  annotations:
+    provider.cluster.x-k8s.io/compressed: "true"
+binaryData:
+  components: {{ .Files.Get "files/components.gz" | b64enc | quote }}
+data:
+  metadata: {{ .Files.Get "files/metadata.yaml" | quote }}

packages/system/capi-providers-bootstrap/templates/providers.yaml

@@ -0,0 +1,11 @@
+apiVersion: operator.cluster.x-k8s.io/v1alpha2
+kind: BootstrapProvider
+metadata:
+  name: kubeadm
+spec:
+  # https://github.com/kubernetes-sigs/cluster-api
+  version: v1.10.1-bootstrap
+  fetchConfig:
+    selector:
+      matchLabels:
+        bootstrap-components: cozy

packages/system/capi-providers-core/.helmignore

@@ -0,0 +1 @@
+files/.*-components.yaml

packages/system/capi-providers-core/Chart.yaml

@@ -1,3 +1,3 @@
 apiVersion: v2
-name: cozy-capi-providers
+name: cozy-capi-providers-core
 version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/capi-providers-core/Makefile

@@ -0,0 +1,4 @@
+export NAME=capi-providers
+export NAMESPACE=cozy-cluster-api
+
+include ../../../scripts/package.mk

packages/system/capi-providers-core/files/metadata.yaml

@@ -0,0 +1,41 @@
+# maps release series of major.minor to cluster-api contract version
+# the contract version may change between minor or major versions, but *not*
+# between patch versions.
+#
+# update this file only when a new major or minor version is released
+apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
+kind: Metadata
+releaseSeries:
+  - major: 1
+    minor: 10
+    contract: v1beta1
+  - major: 1
+    minor: 9
+    contract: v1beta1
+  - major: 1
+    minor: 8
+    contract: v1beta1
+  - major: 1
+    minor: 7
+    contract: v1beta1
+  - major: 1
+    minor: 6
+    contract: v1beta1
+  - major: 1
+    minor: 5
+    contract: v1beta1
+  - major: 1
+    minor: 4
+    contract: v1beta1
+  - major: 1
+    minor: 3
+    contract: v1beta1
+  - major: 1
+    minor: 2
+    contract: v1beta1
+  - major: 1
+    minor: 1
+    contract: v1beta1
+  - major: 1
+    minor: 0
+    contract: v1beta1

packages/system/capi-providers-core/templates/configmaps.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: v1.10.1-core
+  labels:
+    core-components: cozy
+  annotations:
+    provider.cluster.x-k8s.io/compressed: "true"
+binaryData:
+  components: {{ .Files.Get "files/components.gz" | b64enc | quote }}
+data:
+  metadata: {{ .Files.Get "files/metadata.yaml" | quote }}

packages/system/capi-providers-core/templates/providers.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: operator.cluster.x-k8s.io/v1alpha2
+kind: CoreProvider
+metadata:
+  name: cluster-api
+spec:
+  # https://github.com/kubernetes-sigs/cluster-api
+  version: v1.10.1-core
+  fetchConfig:
+    selector:
+      matchLabels:
+        core-components: cozy

packages/system/capi-providers-cpprovider/.helmignore

@@ -0,0 +1 @@
+files/.*-components.yaml

packages/system/capi-providers-cpprovider/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-capi-providers-cpprovider
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/capi-providers-cpprovider/Makefile

@@ -0,0 +1,4 @@
+export NAME=capi-providers
+export NAMESPACE=cozy-cluster-api
+
+include ../../../scripts/package.mk

packages/system/capi-providers-cpprovider/files/metadata.yaml

@@ -0,0 +1,52 @@
+# maps release series of major.minor to cluster-api contract version
+# the contract version may change between minor or major versions, but *not*
+# between patch versions.
+#
+# update this file only when a new major or minor version is released
+apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
+releaseSeries:
+  - major: 0
+    minor: 15
+    contract: v1beta1
+  - major: 0
+    minor: 14
+    contract: v1beta1
+  - major: 0
+    minor: 13
+    contract: v1beta1
+  - major: 0
+    minor: 12
+    contract: v1beta1
+  - major: 0
+    minor: 11
+    contract: v1beta1
+  - major: 0
+    minor: 10
+    contract: v1beta1
+  - major: 0
+    minor: 9
+    contract: v1beta1
+  - major: 0
+    minor: 8
+    contract: v1beta1
+  - major: 0
+    minor: 7
+    contract: v1beta1
+  - major: 0
+    minor: 6
+    contract: v1beta1
+  - major: 0
+    minor: 5
+    contract: v1beta1
+  - major: 0
+    minor: 4
+    contract: v1beta1
+  - major: 0
+    minor: 3
+    contract: v1beta1
+  - major: 0
+    minor: 2
+    contract: v1beta1
+  - major: 0
+    minor: 1
+    contract: v1beta1

packages/system/capi-providers-cpprovider/templates/configmaps.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: v0.15.1-cp
+  labels:
+    cp-components: cozy
+  annotations:
+    provider.cluster.x-k8s.io/compressed: "true"
+binaryData:
+  components: {{ .Files.Get "files/components.gz" | b64enc | quote }}
+data:
+  metadata: {{ .Files.Get "files/metadata.yaml" | quote }}

packages/system/capi-providers-cpprovider/templates/providers.yaml

@@ -0,0 +1,21 @@
+apiVersion: operator.cluster.x-k8s.io/v1alpha2
+kind: ControlPlaneProvider
+metadata:
+  name: kamaji
+spec:
+  # https://github.com/clastix/cluster-api-control-plane-provider-kamaji
+  version: v0.15.1-cp
+  fetchConfig:
+    selector:
+      matchLabels:
+        cp-components: cozy
+  deployment:
+    containers:
+    - name: manager
+      resources:
+        limits:
+          cpu: "1"
+          memory: 1024Mi
+        requests:
+          cpu: "10m"
+          memory: 128Mi

packages/system/capi-providers-infraprovider/.helmignore

@@ -0,0 +1 @@
+files/.*-components.yaml

packages/system/capi-providers-infraprovider/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-capi-providers-infraprovider
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/capi-providers-infraprovider/Makefile

@@ -0,0 +1,4 @@
+export NAME=capi-providers
+export NAMESPACE=cozy-cluster-api
+
+include ../../../scripts/package.mk

packages/system/capi-providers-infraprovider/files/metadata.yaml

@@ -0,0 +1,11 @@
+# maps release series of major.minor to cluster-api contract version
+# the contract version may change between minor or major versions, but *not*
+# between patch versions.
+#
+# update this file only when a new major or minor version is released
+apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
+kind: Metadata
+releaseSeries:
+  - major: 0
+    minor: 1
+    contract: v1beta1

packages/system/capi-providers-infraprovider/templates/configmaps.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: v0.1.10-infraprovider
+  labels:
+    infraprovider-components: cozy
+  annotations:
+    provider.cluster.x-k8s.io/compressed: "true"
+binaryData:
+  components: {{ .Files.Get "files/components.gz" | b64enc | quote }}
+data:
+  metadata: {{ .Files.Get "files/metadata.yaml" | quote }}

packages/system/capi-providers-infraprovider/templates/providers.yaml

@@ -0,0 +1,11 @@
+apiVersion: operator.cluster.x-k8s.io/v1alpha2
+kind: InfrastructureProvider
+metadata:
+  name: kubevirt
+spec:
+  # https://github.com/kubernetes-sigs/cluster-api-provider-kubevirt
+  version: v0.1.10-infraprovider
+  fetchConfig:
+    selector:
+      matchLabels:
+        infraprovider-components: cozy

packages/system/capi-providers/templates/providers.yaml

@@ -1,42 +0,0 @@
----
-apiVersion: operator.cluster.x-k8s.io/v1alpha2
-kind: CoreProvider
-metadata:
-  name: cluster-api
-spec:
-  # https://github.com/kubernetes-sigs/cluster-api
-  version: v1.10.1
----
-apiVersion: operator.cluster.x-k8s.io/v1alpha2
-kind: ControlPlaneProvider
-metadata:
-  name: kamaji
-spec:
-  # https://github.com/clastix/cluster-api-control-plane-provider-kamaji
-  version: v0.15.1
-  deployment:
-    containers:
-    - name: manager
-      resources:
-        limits:
-          cpu: "1"
-          memory: 1024Mi
-        requests:
-          cpu: "10m"
-          memory: 128Mi
----
-apiVersion: operator.cluster.x-k8s.io/v1alpha2
-kind: BootstrapProvider
-metadata:
-  name: kubeadm
-spec:
-  # https://github.com/kubernetes-sigs/cluster-api
-  version: v1.10.1
----
-apiVersion: operator.cluster.x-k8s.io/v1alpha2
-kind: InfrastructureProvider
-metadata:
-  name: kubevirt
-spec:
-  # https://github.com/kubernetes-sigs/cluster-api-provider-kubevirt
-  version: v0.1.10

scripts/migrations/13

@@ -0,0 +1,8 @@
+#!/bin/sh
+# Migration 13 --> 14
+
+# Delete capi-providers
+kubectl delete hr capi-providers -n cozy-cluster-api
+
+# Write version to cozystack-version config
+kubectl create configmap -n cozy-system cozystack-version --from-literal=version=14 --dry-run=client -o yaml | kubectl apply -f-