Add the NodeModulesConfig controller (#711)

Reconcile NodeModulesConfig resources by creating and monitoring worker
Pods.
Use the NodeModulesConfig status to maintain the state of modules on
nodes.

Upstream-Commit: 04d0c1c

api/v1beta1/nodemodulesconfig_types.go

@@ -31,9 +31,10 @@ type ModuleConfig struct {
 }
 
 type NodeModuleSpec struct {
-	Name      string       `json:"name"`
-	Namespace string       `json:"namespace"`
-	Config    ModuleConfig `json:"config"`
+	Name               string       `json:"name"`
+	Namespace          string       `json:"namespace"`
+	Config             ModuleConfig `json:"config"`
+	ServiceAccountName string       `json:"serviceAccountName"`
 }
 
 // NodeModulesConfigSpec describes the desired state of modules on the node

bundle/manifests/kernel-module-management.clusterserviceversion.yaml

@@ -162,6 +162,8 @@ spec:
           resources:
           - pods
           verbs:
+          - create
+          - delete
           - get
           - list
           - patch
@@ -224,6 +226,12 @@ spec:
           - list
           - patch
           - watch
+        - apiGroups:
+          - kmm.sigs.x-k8s.io
+          resources:
+          - nodemodulesconfigs/status
+          verbs:
+          - patch
         - apiGroups:
           - kmm.sigs.x-k8s.io
           resources:
@@ -321,6 +329,8 @@ spec:
                 command:
                 - /usr/local/bin/manager
                 env:
+                - name: RELATED_IMAGES_WORKER
+                  value: quay.io/edge-infrastructure/kernel-module-management-worker:latest
                 - name: SSL_CERT_DIR
                   value: /etc/pki/ca-trust/extracted/pem
                 - name: OPERATOR_NAMESPACE

bundle/manifests/kmm.sigs.x-k8s.io_nodemodulesconfigs.yaml

@@ -153,10 +153,13 @@ spec:
                       type: string
                     namespace:
                       type: string
+                    serviceAccountName:
+                      type: string
                   required:
                   - config
                   - name
                   - namespace
+                  - serviceAccountName
                   type: object
                 type: array
             type: object

cmd/manager/main.go

@@ -22,8 +22,6 @@ import (
 	"os"
 	"strconv"
 
-	"github.com/rh-ecosystem-edge/kernel-module-management/internal/config"
-	ocpbuildutils "github.com/rh-ecosystem-edge/kernel-module-management/internal/utils/ocpbuild"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -48,6 +46,7 @@ import (
 	"github.com/rh-ecosystem-edge/kernel-module-management/internal/build"
 	buildocpbuild "github.com/rh-ecosystem-edge/kernel-module-management/internal/build/ocpbuild"
 	"github.com/rh-ecosystem-edge/kernel-module-management/internal/cmd"
+	"github.com/rh-ecosystem-edge/kernel-module-management/internal/config"
 	"github.com/rh-ecosystem-edge/kernel-module-management/internal/constants"
 	"github.com/rh-ecosystem-edge/kernel-module-management/internal/daemonset"
 	"github.com/rh-ecosystem-edge/kernel-module-management/internal/filter"
@@ -60,6 +59,7 @@ import (
 	signocpbuild "github.com/rh-ecosystem-edge/kernel-module-management/internal/sign/ocpbuild"
 	"github.com/rh-ecosystem-edge/kernel-module-management/internal/statusupdater"
 	"github.com/rh-ecosystem-edge/kernel-module-management/internal/syncronizedmap"
+	ocpbuildutils "github.com/rh-ecosystem-edge/kernel-module-management/internal/utils/ocpbuild"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -96,6 +96,7 @@ func main() {
 	setupLogger.Info("Creating manager", "version", Version, "git commit", GitCommit)
 
 	operatorNamespace := cmd.GetEnvOrFatalError(constants.OperatorNamespaceEnvVar, setupLogger)
+	workerImage := cmd.GetEnvOrFatalError("RELATED_IMAGES_WORKER", setupLogger)
 
 	managed, err := GetBoolEnv("KMM_MANAGED")
 	if err != nil {
@@ -181,7 +182,19 @@ func main() {
 		cmd.FatalError(setupLogger, err, "unable to create controller", "name", controllers.ModuleNMCReconcilerName)
 	}
 
+	workerHelper := controllers.NewWorkerHelper(
+		client,
+		controllers.NewPodManager(client, workerImage, scheme),
+	)
+
+	ctx := ctrl.SetupSignalHandler()
+
+	if err = controllers.NewNodeModulesConfigReconciler(client, workerHelper).SetupWithManager(ctx, mgr); err != nil {
+		cmd.FatalError(setupLogger, err, "unable to create controller", "name", controllers.NodeModulesConfigReconcilerName)
+	}
+
 	nodeKernelReconciler := controllers.NewNodeKernelReconciler(client, constants.KernelLabel, filterAPI, kernelOsDtkMapping)
+
 	if err = nodeKernelReconciler.SetupWithManager(mgr); err != nil {
 		cmd.FatalError(setupLogger, err, "unable to create controller", "name", controllers.NodeKernelReconcilerName)
 	}
@@ -251,7 +264,7 @@ func main() {
 	}
 
 	setupLogger.Info("starting manager")
-	if err = mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+	if err = mgr.Start(ctx); err != nil {
 		cmd.FatalError(setupLogger, err, "problem running manager")
 	}
 }

config/crd/bases/kmm.sigs.x-k8s.io_nodemodulesconfigs.yaml

@@ -149,10 +149,13 @@ spec:
                       type: string
                     namespace:
                       type: string
+                    serviceAccountName:
+                      type: string
                   required:
                   - config
                   - name
                   - namespace
+                  - serviceAccountName
                   type: object
                 type: array
             type: object

config/manager/kustomization.yaml

@@ -4,6 +4,9 @@ kind: Kustomization
 resources:
 - ../manager-base
 
+patches:
+- path: manager_worker_image_patch.yaml
+
 images:
 - name: controller
   newName: quay.io/edge-infrastructure/kernel-module-management-operator

config/manager/manager_worker_image_patch.yaml

@@ -0,0 +1,13 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+        - name: manager
+          env:
+            - name: RELATED_IMAGES_WORKER
+              value: worker

config/rbac/role.yaml

@@ -79,6 +79,8 @@ rules:
   resources:
   - pods
   verbs:
+  - create
+  - delete
   - get
   - list
   - patch
@@ -141,6 +143,12 @@ rules:
   - list
   - patch
   - watch
+- apiGroups:
+  - kmm.sigs.x-k8s.io
+  resources:
+  - nodemodulesconfigs/status
+  verbs:
+  - patch
 - apiGroups:
   - kmm.sigs.x-k8s.io
   resources:

controllers/module_nmc_reconciler.go

@@ -243,6 +243,10 @@ func (mnrh *moduleNMCReconcilerHelper) enableModuleOnNode(ctx context.Context, m
 		Modprobe:             mld.Modprobe,
 	}
 
+	if tls := mld.RegistryTLS; tls != nil {
+		moduleConfig.InsecurePull = tls.Insecure || tls.InsecureSkipTLSVerify
+	}
+
 	nmc := &kmmv1beta1.NodeModulesConfig{
 		ObjectMeta: metav1.ObjectMeta{Name: nodeName},
 	}