Stratio · lreciomelero · Oct 26, 2022 · Oct 26, 2022 · Oct 26, 2022 · Oct 27, 2022
@@ -38,7 +38,7 @@ type action struct {
 	avoidCreation      bool
 	keosCluster        commons.KeosCluster
 	clusterCredentials commons.ClusterCredentials
-	clusterConfig      commons.ClusterConfig
+	clusterConfig      *commons.ClusterConfig
 }
 
 type keosRegistry struct {
@@ -73,7 +73,7 @@ var allowCommonEgressNetPol string
 var rbacInternalLoadBalancing string
 
 // NewAction returns a new action for installing default CAPI
-func NewAction(vaultPassword string, descriptorPath string, moveManagement bool, avoidCreation bool, keosCluster commons.KeosCluster, clusterCredentials commons.ClusterCredentials, clusterConfig commons.ClusterConfig) actions.Action {
+func NewAction(vaultPassword string, descriptorPath string, moveManagement bool, avoidCreation bool, keosCluster commons.KeosCluster, clusterCredentials commons.ClusterCredentials, clusterConfig *commons.ClusterConfig) actions.Action {
 	return &action{
 		vaultPassword:      vaultPassword,
 		descriptorPath:     descriptorPath,
@@ -121,13 +121,22 @@ func (a *action) Execute(ctx *actions.ActionContext) error {
 	awsEKSEnabled := a.keosCluster.Spec.InfraProvider == "aws" && a.keosCluster.Spec.ControlPlane.Managed
 	isMachinePool := a.keosCluster.Spec.InfraProvider != "aws" && a.keosCluster.Spec.ControlPlane.Managed
 
-	privateParams := PrivateParams{
-		KeosCluster: a.keosCluster,
-		KeosRegUrl:  keosRegistry.url,
-		Private:     a.clusterConfig.Spec.Private,
+	var privateParams PrivateParams
+	if a.clusterConfig != nil {
+		privateParams = PrivateParams{
+			KeosCluster: a.keosCluster,
+			KeosRegUrl:  keosRegistry.url,
+			Private:     a.clusterConfig.Spec.Private,
+		}
+	} else {
+		privateParams = PrivateParams{
+			KeosCluster: a.keosCluster,
+			KeosRegUrl:  keosRegistry.url,
+			Private:     false,
+		}
 	}
 
-	if a.clusterConfig.Spec.Private {
+	if privateParams.Private {
 		ctx.Status.Start("Installing Private CNI 🎖️")
 		defer ctx.Status.End(false)
 		c = `sed -i 's/@sha256:[[:alnum:]_-].*$//g' ` + cniDefaultFile
@@ -222,7 +231,7 @@ func (a *action) Execute(ctx *actions.ActionContext) error {
 		}
 	}
 
-	if a.clusterConfig.Spec.Private {
+	if privateParams.Private {
 		err = provider.deployCertManager(n, keosRegistry.url, "")
 		if err != nil {
 			return err
@@ -295,7 +304,7 @@ func (a *action) Execute(ctx *actions.ActionContext) error {
 	ctx.Status.Start("Installing keos cluster operator 💻")
 	defer ctx.Status.End(false)
 
-	err = provider.deployClusterOperator(n, privateParams, a.clusterCredentials, keosRegistry, "", true)
+	err = provider.deployClusterOperator(n, privateParams, a.clusterCredentials, keosRegistry, a.clusterConfig, "", true)
 	if err != nil {
 		return errors.Wrap(err, "failed to deploy cluster operator")
 	}
@@ -317,11 +326,20 @@ func (a *action) Execute(ctx *actions.ActionContext) error {
 		ctx.Status.Start("Creating the workload cluster 💥")
 		defer ctx.Status.End(false)
 
+		if a.clusterConfig != nil {
+			// Apply cluster manifests
+			c = "kubectl apply -f " + manifestsPath + "/clusterconfig.yaml"
+			_, err = commons.ExecuteCommand(n, c)
+			if err != nil {
+				return errors.Wrap(err, "failed to apply clusterconfig manifests")
+			}
+		}
+
 		// Apply cluster manifests
 		c = "kubectl apply -f " + manifestsPath + "/keoscluster.yaml"
 		_, err = commons.ExecuteCommand(n, c)
 		if err != nil {
-			return errors.Wrap(err, "failed to apply manifests")
+			return errors.Wrap(err, "failed to apply keoscluster manifests")
 		}
 
 		time.Sleep(20 * time.Second)
@@ -498,7 +516,7 @@ func (a *action) Execute(ctx *actions.ActionContext) error {
 		ctx.Status.Start("Installing CAPx in workload cluster 🎖️")
 		defer ctx.Status.End(false)
 
-		if a.clusterConfig.Spec.Private {
+		if privateParams.Private {
 			err = provider.deployCertManager(n, keosRegistry.url, kubeconfigPath)
 			if err != nil {
 				return err
@@ -592,7 +610,7 @@ func (a *action) Execute(ctx *actions.ActionContext) error {
 				" --set clusterAPIMode=incluster-incluster" +
 				" --set replicaCount=2"
 
-			if a.clusterConfig.Spec.Private {
+			if privateParams.Private {
 				c += " --set image.repository=" + keosRegistry.url + "/autoscaling/cluster-autoscaler"
 			}
 
@@ -607,7 +625,7 @@ func (a *action) Execute(ctx *actions.ActionContext) error {
 		ctx.Status.Start("Installing keos cluster operator in workload cluster 💻")
 		defer ctx.Status.End(false)
 
-		err = provider.deployClusterOperator(n, privateParams, a.clusterCredentials, keosRegistry, kubeconfigPath, true)
+		err = provider.deployClusterOperator(n, privateParams, a.clusterCredentials, keosRegistry, a.clusterConfig, kubeconfigPath, true)
 		if err != nil {
 			return errors.Wrap(err, "failed to deploy cluster operator in workload cluster")
 		}
@@ -690,6 +708,30 @@ func (a *action) Execute(ctx *actions.ActionContext) error {
 				return errors.Wrap(err, "failed to wait for keoscluster controller ready")
 			}
 
+			if a.clusterConfig != nil {
+
+				c = "kubectl -n " + capiClustersNamespace + " patch clusterconfig " + a.clusterConfig.Metadata.Name + " -p '{\"metadata\":{\"ownerReferences\":null,\"finalizers\":null}}' --type=merge"
+				_, err = commons.ExecuteCommand(n, c)
+				if err != nil {
+					return errors.Wrap(err, "failed to remove clusterconfig ownerReferences and finalizers")
+				}
+
+				// Move clusterConfig to workload cluster
+				c = "kubectl -n " + capiClustersNamespace + " get clusterconfig " + a.clusterConfig.Metadata.Name + " -o json | kubectl apply --kubeconfig " + kubeconfigPath + " -f-"
+				_, err = commons.ExecuteCommand(n, c)
+				if err != nil {
+					return errors.Wrap(err, "failed to move clusterconfig to workload cluster")
+				}
+
+				// Delete clusterconfig in management cluster
+				c = "kubectl -n " + capiClustersNamespace + " delete clusterconfig " + a.clusterConfig.Metadata.Name
+				_, err = commons.ExecuteCommand(n, c)
+				if err != nil {
+					return errors.Wrap(err, "failed to delete clusterconfig in management cluster")
+				}
+
+			}
+
 			// Move keoscluster to workload cluster
 			c = "kubectl -n " + capiClustersNamespace + " get keoscluster " + a.keosCluster.Metadata.Name + " -o json | jq 'del(.status)' | kubectl apply --kubeconfig " + kubeconfigPath + " -f-"
 			_, err = commons.ExecuteCommand(n, c)
@@ -710,24 +752,25 @@ func (a *action) Execute(ctx *actions.ActionContext) error {
 				return errors.Wrap(err, "failed to delete keoscluster in management cluster")
 			}
 
-			err = provider.deployClusterOperator(n, privateParams, a.clusterCredentials, keosRegistry, "", false)
+			err = provider.deployClusterOperator(n, privateParams, a.clusterCredentials, keosRegistry, a.clusterConfig, "", false)
 			if err != nil {
 				return errors.Wrap(err, "failed to deploy cluster operator")
 			}
 
 			ctx.Status.End(true) // End Moving the cluster-operator
 		}
-	}
 
-	ctx.Status.Start("Executing post-install steps 🎖️")
-	defer ctx.Status.End(false)
+		ctx.Status.Start("Executing post-install steps 🎖️")
+		defer ctx.Status.End(false)
 
-	err = infra.postInstallPhase(n, kubeconfigPath)
-	if err != nil {
-		return err
-	}
+		err = infra.postInstallPhase(n, kubeconfigPath)
+		if err != nil {
+			return err
+		}
+
+		ctx.Status.End(true)
 
-	ctx.Status.End(true)
+	}
 
 	ctx.Status.Start("Generating the KEOS descriptor 📝")
 	defer ctx.Status.End(false)

@@ -56,8 +56,8 @@ const (
 	scName = "keos"
 
 	certManagerVersion   = "v1.12.3"
-	clusterOperatorChart = "0.2.0-SNAPSHOT"
-	clusterOperatorImage = "0.2.0-SNAPSHOT"
+	clusterOperatorChart = "0.2.0-PR157-SNAPSHOT"
+	clusterOperatorImage = "0.2.0-PR157-SNAPSHOT"
 
 	postInstallAnnotation = "cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes"
 )
@@ -287,7 +287,7 @@ func (p *Provider) deployCertManager(n nodes.Node, keosRegistryUrl string, kubec
 	return nil
 }
 
-func (p *Provider) deployClusterOperator(n nodes.Node, privateParams PrivateParams, clusterCredentials commons.ClusterCredentials, keosRegistry keosRegistry, kubeconfigPath string, firstInstallation bool) error {
+func (p *Provider) deployClusterOperator(n nodes.Node, privateParams PrivateParams, clusterCredentials commons.ClusterCredentials, keosRegistry keosRegistry, clusterConfig *commons.ClusterConfig, kubeconfigPath string, firstInstallation bool) error {
 	var c string
 	var err error
 	var helmRepository helmRepository
@@ -333,6 +333,20 @@ func (p *Provider) deployClusterOperator(n nodes.Node, privateParams PrivatePara
 			Flavour string `yaml:"flavour,omitempty"`
 			Version string `yaml:"version,omitempty"`
 		}{}
+
+		if clusterConfig != nil {
+			clusterConfigYAML, err := yaml.Marshal(clusterConfig)
+			if err != nil {
+				return err
+			}
+			// Write keoscluster file
+			c = "echo '" + string(clusterConfigYAML) + "' > " + manifestsPath + "/clusterconfig.yaml"
+			_, err = commons.ExecuteCommand(n, c)
+			if err != nil {
+				return errors.Wrap(err, "failed to write the keoscluster file")
+			}
+			keosCluster.Spec.ClusterConfigRef.Name = clusterConfig.Metadata.Name
+		}
 		keosClusterYAML, err := yaml.Marshal(keosCluster)
 		if err != nil {
 			return err

@@ -63,7 +63,7 @@ type ClusterOptions struct {
 	MoveManagement     bool
 	AvoidCreation      bool
 	KeosCluster        commons.KeosCluster
-	ClusterConfig      commons.ClusterConfig
+	ClusterConfig      *commons.ClusterConfig
 	ClusterCredentials commons.ClusterCredentials
 	DockerRegUrl       string
 

@@ -62,17 +62,16 @@ func ensureNodeImages(logger log.Logger, status *cli.Status, cfg *config.Cluster
 			return err
 		}
 		stratioImage := "stratio-capi-image:" + strings.Split(friendlyImageName, ":")[1]
-		// if dockerRegUrl != "" {
-		// 	cmd := exec.Command("docker", "inspect", "--type=image", stratioImage)
-		// 	if err := cmd.Run(); err == nil {
-		// 		logger.V(1).Infof("stratioImage: %s present locally", image)
-		// 	} else {
-		// 		err = buildStratioImage(logger, stratioImage, dockerfileDir)
-		// 	}
-		// } else {
-		// 	err = buildStratioImage(logger, stratioImage, dockerfileDir)
-		// }
-		err = buildStratioImage(logger, stratioImage, dockerfileDir)
+		if dockerRegUrl != "" {
+			cmd := exec.Command("docker", "inspect", "--type=image", stratioImage)
+			if err := cmd.Run(); err == nil {
+				logger.V(1).Infof("stratioImage: %s present locally", image)
+			} else {
+				err = buildStratioImage(logger, stratioImage, dockerfileDir)
+			}
+		} else {
+			err = buildStratioImage(logger, stratioImage, dockerfileDir)
+		}
 		if err != nil {
 			status.End(false)
 			return err

@@ -176,13 +176,21 @@ func validateAWSNetwork(ctx context.Context, cfg aws.Config, spec commons.KeosSp
 				}
 			}
 		}
+		if spec.Networks.AdditionalSecurityGroupId != "" {
+			if err := validateSecurityGroup(spec.Networks.AdditionalSecurityGroupId, spec.Networks.VPCID, cfg); err != nil {
+				return err
+			}
+		}
 	} else {
 		if len(spec.Networks.Subnets) > 0 {
 			return errors.New("\"vpc_id\": is required when \"subnets\" is set")
 		}
 		if len(spec.Networks.PodsSubnets) > 0 {
 			return errors.New("\"vpc_id\": is required when \"pods_subnets\" is set")
 		}
+		if spec.Networks.AdditionalSecurityGroupId != "" {
+			return errors.New("\"vpc_id\": is required when \"additional_sg_id\" is set")
+		}
 	}
 	if len(spec.Networks.Subnets) > 0 {
 		for _, s := range spec.Networks.Subnets {
@@ -194,6 +202,7 @@ func validateAWSNetwork(ctx context.Context, cfg aws.Config, spec commons.KeosSp
 			return err
 		}
 	}
+
 	return nil
 }
 
@@ -249,6 +258,44 @@ func getAWSRegions(config aws.Config) ([]string, error) {
 	return regions, nil
 }
 
+func validateSecurityGroup(sgId string, vpcId string, config aws.Config) error {
+	findSg := false
+	ec2Client := ec2.NewFromConfig(config)
+	params := ec2.DescribeSecurityGroupsInput{
+		Filters: []types.Filter{
+			{
+				Name:   toPtr[string]("group-id"),
+				Values: []string{sgId},
+			},
+		},
+	}
+	if vpcId != "" {
+		vpcFilter := types.Filter{Name: toPtr[string]("vpc-id"), Values: []string{vpcId}}
+		params.Filters = append(params.Filters, vpcFilter)
+	}
+	sgsOutput, err := ec2Client.DescribeSecurityGroups(context.Background(), &params)
+	if err != nil {
+		return err
+	}
+	for _, sg := range sgsOutput.SecurityGroups {
+		if *sg.GroupId == sgId {
+			findSg = true
+			continue
+		}
+	}
+	if !findSg {
+		errMsg := "SecurityGroup with sg_id: " + sgId + " does not exist in"
+		if vpcId == "" {
+			errMsg += " default vpc."
+		} else {
+			errMsg += " vpc: " + vpcId + "."
+		}
+		return errors.New(errMsg)
+
+	}
+	return nil
+}
+
 func getAWSVPCs(config aws.Config) ([]string, error) {
 	vpcs := []string{}
 

@@ -34,8 +34,9 @@ const (
 
 var k8sVersionSupported = []string{"1.24", "1.25", "1.26", "1.27", "1.28"}
 
-func validateCommon(spec commons.KeosSpec) error {
+func validateCommon(spec commons.KeosSpec, clusterConfig *commons.ClusterConfig) error {
 	var err error
+
 	if err = validateK8SVersion(spec.K8SVersion); err != nil {
 		return err
 	}
@@ -45,6 +46,30 @@ func validateCommon(spec commons.KeosSpec) error {
 	if err = validateVolumes(spec); err != nil {
 		return err
 	}
+	if err = validatePublicControlPlane(spec, clusterConfig); err != nil {
+		return err
+	}
+	return nil
+}
+
+func validatePublicControlPlane(spec commons.KeosSpec, clusterConfig *commons.ClusterConfig) error {
+	if spec.InfraProvider != "aws" {
+		if !spec.ControlPlane.Public {
+			return errors.New("spec.control_plane.public only can be false for aws or eks installations")
+		}
+	} else if !spec.ControlPlane.Public {
+		if clusterConfig == nil || !clusterConfig.Spec.Private {
+			return errors.New("If keoscluster's .spec.control_plane.public is false, clusterConfig .spec.private_registry must be true")
+		}
+		if spec.Networks.VPCID == "" || len(spec.Networks.Subnets) == 0 {
+			return errors.New("If keoscluster's .spec.control_plane.public is false, its .spec.networks.vpc_id and .spec.networks.subnets must be indicated.")
+		}
+		if spec.Networks.AdditionalSecurityGroupId == "" && spec.ControlPlane.Managed {
+			return errors.New("If keoscluster's .spec.control_plane.public is false and .spec.control_plane.managed, its .spec.networks.additional_sg must be indicated. This sg must be created as a requirement and must allow the internal vpc traffic.")
+		}
+
+	}
+
 	return nil
 }
 

@@ -72,3 +72,7 @@ func getFieldNames(s interface{}) []string {
 	}
 	return fieldNames
 }
+
+func toPtr[T any](v T) *T {
+	return &v
+}
@@ -24,6 +24,7 @@ type ValidateParams struct {
 	KeosCluster   commons.KeosCluster
 	SecretsPath   string
 	VaultPassword string
+	ClusterConfig *commons.ClusterConfig
 }
 
 func Cluster(params *ValidateParams) (commons.ClusterCredentials, error) {
@@ -35,7 +36,7 @@ func Cluster(params *ValidateParams) (commons.ClusterCredentials, error) {
 		return commons.ClusterCredentials{}, err
 	}
 
-	if err := validateCommon(params.KeosCluster.Spec); err != nil {
+	if err := validateCommon(params.KeosCluster.Spec, params.ClusterConfig); err != nil {
 		return commons.ClusterCredentials{}, err
 	}