[experiments] Introduce Cozystack CRD + controller

Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>

Makefile

@@ -57,3 +57,6 @@ generate:
 
 upload_assets: manifests
 	hack/upload-assets.sh
+
+controller-gen:
+	controller-gen object:headerFile="hack/boilerplate.go.txt" paths="./internal/controller/" paths="./api/v1alpha1/"

api/v1alpha1/cozystack_types.go

@@ -0,0 +1,26 @@
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +kubebuilder:object:root=true
+
+// Cozystack is the Schema for the Cozystack API
+type Cozystack struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	//Status CozystackStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// WorkloadList contains a list of Workload
+type CozystackList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Cozystack `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Cozystack{}, &CozystackList{})
+}

api/v1alpha1/zz_generated.deepcopy.go

@@ -25,6 +25,63 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Cozystack) DeepCopyInto(out *Cozystack) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Cozystack.
+func (in *Cozystack) DeepCopy() *Cozystack {
+	if in == nil {
+		return nil
+	}
+	out := new(Cozystack)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Cozystack) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CozystackList) DeepCopyInto(out *CozystackList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Cozystack, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CozystackList.
+func (in *CozystackList) DeepCopy() *CozystackList {
+	if in == nil {
+		return nil
+	}
+	out := new(CozystackList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CozystackList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in Selector) DeepCopyInto(out *Selector) {
 	{

cmd/cozystack-controller/main.go

@@ -206,6 +206,14 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err = (&controller.CozystackReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "CozystackConfigReconciler")
+		os.Exit(1)
+	}
+
 	// +kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

internal/controller/cozystack_controller.go

@@ -0,0 +1,52 @@
+package controller
+
+import (
+	"context"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	cozyv1alpha1 "github.com/cozystack/cozystack/api/v1alpha1"
+)
+
+type CozystackReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+func (r *CozystackReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	l := log.FromContext(ctx)
+	c := &cozyv1alpha1.Cozystack{}
+
+	if err := r.Get(ctx, req.NamespacedName, c); err != nil {
+		if apierrors.IsNotFound(err) {
+			return ctrl.Result{}, nil
+		}
+		l.Error(err, "Unable to fetch Cozystack")
+		return ctrl.Result{}, err
+	}
+
+	if !c.DeletionTimestamp.IsZero() {
+		return ctrl.Result{}, nil
+	}
+
+	if c.Name != "cozystack" || c.Namespace != "cozy-system" {
+		l.Info("only cozy-system/cozystack Cozystack is allowed in a cluster")
+		err := r.Delete(ctx, c)
+		if err != nil {
+			l.Error(err, "Unable to delete invalid Cozystack")
+		}
+		return ctrl.Result{}, err
+	}
+
+	panic("not implemented")
+}
+
+func (r *CozystackReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&cozyv1alpha1.Cozystack{}).
+		Complete(r)
+}

internal/controller/system_helm_reconciler.go

@@ -11,9 +11,7 @@ import (
 	helmv2 "github.com/fluxcd/helm-controller/api/v2"
 	corev1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/event"
@@ -79,158 +77,6 @@ func (r *CozystackConfigReconciler) Reconcile(ctx context.Context, _ ctrl.Reques
 	}
 
 	log.Info("finished reconciliation", "updatedHelmReleases", updated)
-
-	// Check if oidc-enabled has changed from true to false
-	oidcDisabled, err := r.checkOIDCDisabledTransition(ctx)
-	if err != nil {
-		log.Error(err, "failed to check OIDC status")
-	}
-
-	if oidcDisabled {
-		type crdToDelete struct {
-			kind      string
-			name      string
-			namespace string
-			gvk       schema.GroupVersionKind
-		}
-
-		crds := []crdToDelete{
-			{
-				kind:      "ClusterKeycloak",
-				name:      "keycloak-cozy",
-				namespace: "cozy-keycloak",
-				gvk:       schema.GroupVersionKind{Group: "v1.edp.epam.com", Version: "v1alpha1", Kind: "ClusterKeycloak"},
-			},
-			{
-				kind:      "ClusterKeycloakRealm",
-				name:      "keycloakrealm-cozy",
-				namespace: "cozy-keycloak",
-				gvk:       schema.GroupVersionKind{Group: "v1.edp.epam.com", Version: "v1alpha1", Kind: "ClusterKeycloakRealm"},
-			},
-			{
-				kind:      "KeycloakClient",
-				name:      "keycloakclient",
-				namespace: "cozy-keycloak",
-				gvk:       schema.GroupVersionKind{Group: "v1.edp.epam.com", Version: "v1", Kind: "KeycloakClient"},
-			},
-			{
-				kind:      "KeycloakClient",
-				name:      "kubeapps-client",
-				namespace: "cozy-keycloak",
-				gvk:       schema.GroupVersionKind{Group: "v1.edp.epam.com", Version: "v1", Kind: "KeycloakClient"},
-			},
-			{
-				kind:      "KeycloakClientScope",
-				name:      "keycloakclientscope-cozy",
-				namespace: "cozy-keycloak",
-				gvk:       schema.GroupVersionKind{Group: "v1.edp.epam.com", Version: "v1", Kind: "KeycloakClientScope"},
-			},
-			{
-				kind:      "KeycloakClientScope",
-				name:      "kubernetes-client",
-				namespace: "cozy-keycloak",
-				gvk:       schema.GroupVersionKind{Group: "v1.edp.epam.com", Version: "v1", Kind: "KeycloakClientScope"},
-			},
-			{
-				kind:      "KeycloakRealmGroup",
-				name:      "cozystack-cluster-admin",
-				namespace: "cozy-system",
-				gvk:       schema.GroupVersionKind{Group: "v1.edp.epam.com", Version: "v1", Kind: "KeycloakRealmGroup"},
-			},
-		}
-
-		for _, crd := range crds {
-			u := &unstructured.Unstructured{}
-			u.SetGroupVersionKind(crd.gvk)
-			u.SetName(crd.name)
-			u.SetNamespace(crd.namespace)
-
-			if err := r.Get(ctx, client.ObjectKeyFromObject(u), u); err != nil {
-				if kerrors.IsNotFound(err) {
-					continue
-				}
-				log.Error(err, "failed to get "+crd.kind, "name", crd.name)
-				continue
-			}
-
-			if finalizers := u.GetFinalizers(); len(finalizers) > 0 {
-				u.SetFinalizers(nil)
-				if err := r.Update(ctx, u); err != nil {
-					log.Error(err, "failed to remove finalizers from "+crd.kind, "name", crd.name)
-					continue
-				}
-				log.Info("removed finalizers from "+crd.kind, "name", crd.name)
-			}
-
-			if err := r.Delete(ctx, u); err != nil && !kerrors.IsNotFound(err) {
-				log.Error(err, "failed to delete "+crd.kind, "name", crd.name)
-				continue
-			}
-			log.Info("deleted "+crd.kind, "name", crd.name)
-		}
-
-		for _, name := range []string{"keycloak-configure", "keycloak-operator", "keycloak"} {
-			hr := &helmv2.HelmRelease{}
-			key := client.ObjectKey{Name: name, Namespace: "cozy-keycloak"}
-
-			err := r.Get(ctx, key, hr)
-			if err != nil {
-				if kerrors.IsNotFound(err) {
-					log.Info("HelmRelease already deleted", "name", name)
-					continue
-				}
-				log.Error(err, "failed to get HelmRelease", "name", name)
-				return ctrl.Result{}, err
-			}
-
-			if err := r.Delete(ctx, hr); err != nil {
-				log.Error(err, "failed to delete HelmRelease", "name", name)
-				return ctrl.Result{}, err
-			}
-			log.Info("deletion requested for HelmRelease", "name", name)
-
-			timeout := time.After(30 * time.Second)
-			tick := time.Tick(1 * time.Second)
-		WAIT_LOOP:
-			for {
-				select {
-				case <-timeout:
-					log.Error(fmt.Errorf("timeout"), "waiting for HelmRelease to be deleted", "name", name)
-					return ctrl.Result{RequeueAfter: 10 * time.Second}, nil
-				case <-tick:
-					err := r.Get(ctx, key, &helmv2.HelmRelease{})
-					if kerrors.IsNotFound(err) {
-						log.Info("HelmRelease deletion confirmed", "name", name)
-						break WAIT_LOOP
-					} else if err != nil {
-						log.Error(err, "error checking HelmRelease deletion", "name", name)
-						return ctrl.Result{}, err
-					}
-				}
-			}
-		}
-		ns := &corev1.Namespace{}
-		nsKey := client.ObjectKey{Name: "cozy-keycloak"}
-
-		if err := r.Get(ctx, nsKey, ns); err != nil {
-			if kerrors.IsNotFound(err) {
-				log.Info("Namespace cozy-keycloak already deleted")
-			} else {
-				log.Error(err, "failed to get namespace cozy-keycloak")
-				return ctrl.Result{}, err
-			}
-		} else {
-			if ns.DeletionTimestamp == nil {
-				if err := r.Delete(ctx, ns); err != nil {
-					log.Error(err, "failed to delete namespace cozy-keycloak")
-					return ctrl.Result{}, err
-				}
-				log.Info("deletion requested for namespace cozy-keycloak")
-			} else {
-				log.Info("namespace cozy-keycloak is already being deleted")
-			}
-		}
-	}
 	return ctrl.Result{}, nil
 }
 
@@ -242,11 +88,12 @@ func (r *CozystackConfigReconciler) computeDigest(ctx context.Context) (string,
 		err := r.Get(ctx, client.ObjectKey{Namespace: configMapNamespace, Name: name}, &cm)
 		if err != nil {
 			if kerrors.IsNotFound(err) {
-				continue
+				continue // ignore missing
 			}
 			return "", err
 		}
 
+		// Sort keys for consistent hashing
 		var keys []string
 		for k := range cm.Data {
 			keys = append(keys, k)
@@ -290,34 +137,3 @@ func contains(slice []string, val string) bool {
 	}
 	return false
 }
-
-func (r *CozystackConfigReconciler) checkOIDCDisabledTransition(ctx context.Context) (bool, error) {
-	const configName = "cozystack"
-	const fieldKey = "oidc-enabled"
-	const lastOIDCStateAnnotation = "cozystack.io/last-oidc-enabled"
-
-	var cm corev1.ConfigMap
-	if err := r.Get(ctx, client.ObjectKey{Namespace: configMapNamespace, Name: configName}, &cm); err != nil {
-		return false, err
-	}
-
-	current := cm.Data[fieldKey]
-	if current != "false" && current != "true" {
-		return false, nil
-	}
-
-	last := cm.Annotations[lastOIDCStateAnnotation]
-
-	if cm.Annotations == nil {
-		cm.Annotations = map[string]string{}
-	}
-	if last != current {
-		patch := client.MergeFrom(cm.DeepCopy())
-		cm.Annotations[lastOIDCStateAnnotation] = current
-		if err := r.Patch(ctx, &cm, patch); err != nil {
-			return false, fmt.Errorf("failed to update oidc-enabled annotation: %w", err)
-		}
-	}
-
-	return last == "true" && current == "false", nil
-}

packages/core/platform/bundles/paas-full.yaml

@@ -354,7 +354,7 @@ releases:
   optional: true
   dependsOn: [cilium,kubeovn]
 
-{{- if eq $oidcEnabled "true" }}
+{{- if $oidcEnabled }}
 - name: keycloak
   releaseName: keycloak
   chart: cozy-keycloak

packages/core/platform/bundles/paas-hosted.yaml

@@ -182,7 +182,7 @@ releases:
   dependsOn: []
   {{- end }}
 
-{{- if eq $oidcEnabled "true" }}
+{{- if $oidcEnabled }}
 - name: keycloak
   releaseName: keycloak
   chart: cozy-keycloak