USHIFT-6797: C2CC Probe remote clusters

assets/components/c2cc/clusterrole.yaml

@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: microshift-c2cc-probe
+rules:
+- apiGroups:
+  - microshift.io
+  resources:
+  - remoteclusters
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - microshift.io
+  resources:
+  - remoteclusters/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
+  resourceNames:
+  - privileged

assets/components/c2cc/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: microshift-c2cc-probe
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: microshift-c2cc-probe
+subjects:
+- kind: ServiceAccount
+  namespace: openshift-c2cc
+  name: c2cc-probe

assets/components/c2cc/deployment.yaml

@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: openshift-c2cc
+  name: c2cc-probe
+  labels:
+    app: c2cc-probe
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: c2cc-probe
+  template:
+    metadata:
+      labels:
+        app: c2cc-probe
+      annotations:
+        target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: privileged
+    spec:
+      serviceAccountName: c2cc-probe
+      containers:
+      - name: c2cc-probe
+        image: '{{ .ReleaseImage.cli }}'
+        imagePullPolicy: IfNotPresent
+        command:
+        - /host/usr/bin/microshift
+        - c2cc-probe
+        ports:
+        - containerPort: 8080
+          name: probe
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 10
+          periodSeconds: 10
+        resources:
+          requests:
+            cpu: 50m
+            memory: 64Mi
+        volumeMounts:
+        - name: microshift-binary
+          mountPath: /host/usr/bin/microshift
+          readOnly: true
+      volumes:
+      - name: microshift-binary
+        hostPath:
+          path: /usr/bin/microshift
+          type: File
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      priorityClassName: system-cluster-critical
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      - key: node.kubernetes.io/unreachable
+        operator: Exists
+        effect: NoExecute
+        tolerationSeconds: 120
+      - key: node.kubernetes.io/not-ready
+        operator: Exists
+        effect: NoExecute
+        tolerationSeconds: 120

assets/components/c2cc/namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-c2cc
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
+  annotations:
+    openshift.io/node-selector: ""
+    workload.openshift.io/allowed: "management"

assets/components/c2cc/service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: openshift-c2cc
+  name: c2cc-probe
+spec:
+  clusterIP: '{{ .ProbeServiceClusterIP }}'
+  ports:
+  - name: probe
+    port: 8080
+    targetPort: 8080
+    protocol: TCP
+  selector:
+    app: c2cc-probe

assets/components/c2cc/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: openshift-c2cc
+  name: c2cc-probe

assets/crd/microshift.io_remoteclusters.yaml

@@ -53,8 +53,28 @@ spec:
             - probeTarget
             type: object
           status:
-            description: RemoteClusterStatus is populated by the probe pod in a future
-              ticket.
+            description: RemoteClusterStatus is populated by the probe pod with health
+              probe results.
+            properties:
+              errors:
+                items:
+                  type: string
+                type: array
+              lastProbeTime:
+                format: date-time
+                type: string
+              lastSuccessfulProbe:
+                format: date-time
+                type: string
+              state:
+                default: NeverProbed
+                enum:
+                - NeverProbed
+                - Healthy
+                - Unhealthy
+                type: string
+            required:
+            - state
             type: object
         required:
         - spec

cmd/microshift/main.go

@@ -42,5 +42,6 @@ func newCommand() *cobra.Command {
 	cmd.AddCommand(cmds.NewRestoreCommand())
 	cmd.AddCommand(cmds.NewHealthcheckCommand())
 	cmd.AddCommand(cmds.NewAddNodeCommand())
+	cmd.AddCommand(cmds.NewC2CCProbeCommand())
 	return cmd
 }

pkg/apis/microshift/v1alpha1/types.go

@@ -31,8 +31,18 @@ type RemoteClusterSpec struct {
 	ProbeInterval metav1.Duration `json:"probeInterval"`
 }
 
-// RemoteClusterStatus is populated by the probe pod in a future ticket.
-type RemoteClusterStatus struct{}
+// RemoteClusterStatus is populated by the probe pod with health probe results.
+type RemoteClusterStatus struct {
+	// +kubebuilder:validation:Enum=NeverProbed;Healthy;Unhealthy
+	// +kubebuilder:default="NeverProbed"
+	State string `json:"state"`
+	// +optional
+	LastSuccessfulProbe *metav1.Time `json:"lastSuccessfulProbe,omitempty"`
+	// +optional
+	LastProbeTime *metav1.Time `json:"lastProbeTime,omitempty"`
+	// +optional
+	Errors []string `json:"errors,omitempty"`
+}
 
 // +kubebuilder:object:root=true
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

pkg/cmd/c2cc_probe.go

@@ -0,0 +1,17 @@
+package cmd
+
+import (
+	"github.com/openshift/microshift/pkg/controllers/c2cc"
+	"github.com/spf13/cobra"
+)
+
+func NewC2CCProbeCommand() *cobra.Command {
+	return &cobra.Command{
+		Use:    "c2cc-probe",
+		Short:  "Run C2CC remote cluster probe (designed to run as a pod)",
+		Hidden: true,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			return c2cc.RunProbe(cmd.Context())
+		},
+	}
+}

pkg/controllers/c2cc/controller.go

@@ -225,6 +225,7 @@ func (c *C2CCRouteManager) fullReconcile(ctx context.Context) {
 		{"service-routes", c.svcRoutes.reconcile},
 		{"nftables", c.nftMgr.reconcile},
 		{"healthcheck-crs", c.healthcheck.reconcile},
+		{"probe-deployment", c.deployProbe},
 	}
 	for _, s := range subsystems {
 		if err := s.fn(ctx); err != nil {
@@ -258,6 +259,15 @@ func (c *C2CCRouteManager) cleanupAll(ctx context.Context) {
 	if c.nftMgr != nil {
 		cleanups = append(cleanups, cleanable{"nftables", c.nftMgr.cleanup})
 	}
+	cleanups = append(cleanups, cleanable{"probe-namespace", func(ctx context.Context) error {
+		return assets.DeleteNamespaces(ctx, c2ccNamespace, c.kubeconfig)
+	}})
+	cleanups = append(cleanups, cleanable{"probe-clusterrolebinding", func(ctx context.Context) error {
+		return assets.DeleteClusterRoleBindings(ctx, c2ccClusterRoleBinding, c.kubeconfig)
+	}})
+	cleanups = append(cleanups, cleanable{"probe-clusterrole", func(ctx context.Context) error {
+		return assets.DeleteClusterRoles(ctx, c2ccClusterRole, c.kubeconfig)
+	}})
 	cleanups = append(cleanups, cleanable{"healthcheck-crd", func(ctx context.Context) error {
 		return assets.DeleteCRDs(ctx, healthcheckCRD, c.kubeconfig)
 	}})

pkg/controllers/c2cc/deploy_probe.go

@@ -0,0 +1,73 @@
+package c2cc
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"net"
+	"text/template"
+
+	"github.com/apparentlymart/go-cidr/cidr"
+	"github.com/openshift/microshift/pkg/assets"
+	"github.com/openshift/microshift/pkg/release"
+	"k8s.io/klog/v2"
+)
+
+var (
+	c2ccNamespace          = []string{"components/c2cc/namespace.yaml"}
+	c2ccServiceAccount     = []string{"components/c2cc/serviceaccount.yaml"}
+	c2ccClusterRole        = []string{"components/c2cc/clusterrole.yaml"}
+	c2ccClusterRoleBinding = []string{"components/c2cc/clusterrolebinding.yaml"}
+	c2ccDeployment         = []string{"components/c2cc/deployment.yaml"}
+	c2ccService            = []string{"components/c2cc/service.yaml"}
+)
+
+func (c *C2CCRouteManager) deployProbe(ctx context.Context) error {
+	_, svcNet, err := net.ParseCIDR(c.cfg.Network.ServiceNetwork[0])
+	if err != nil {
+		return fmt.Errorf("failed to parse local service network: %w", err)
+	}
+	probeIP, err := cidr.Host(svcNet, 11)
+	if err != nil {
+		return fmt.Errorf("failed to compute probe service ClusterIP: %w", err)
+	}
+
+	params := assets.RenderParams{
+		"ReleaseImage":          release.Image,
+		"ProbeServiceClusterIP": probeIP.String(),
+	}
+
+	if err := assets.ApplyNamespaces(ctx, c2ccNamespace, c.kubeconfig); err != nil {
+		return fmt.Errorf("failed to apply c2cc namespace: %w", err)
+	}
+	if err := assets.ApplyServiceAccounts(ctx, c2ccServiceAccount, c.kubeconfig); err != nil {
+		return fmt.Errorf("failed to apply c2cc service account: %w", err)
+	}
+	if err := assets.ApplyClusterRoles(ctx, c2ccClusterRole, c.kubeconfig); err != nil {
+		return fmt.Errorf("failed to apply c2cc cluster role: %w", err)
+	}
+	if err := assets.ApplyClusterRoleBindings(ctx, c2ccClusterRoleBinding, c.kubeconfig); err != nil {
+		return fmt.Errorf("failed to apply c2cc cluster role binding: %w", err)
+	}
+	if err := assets.ApplyDeployments(ctx, c2ccDeployment, renderTemplate, params, c.kubeconfig); err != nil {
+		return fmt.Errorf("failed to apply c2cc deployment: %w", err)
+	}
+	if err := assets.ApplyServices(ctx, c2ccService, renderTemplate, params, c.kubeconfig); err != nil {
+		return fmt.Errorf("failed to apply c2cc service: %w", err)
+	}
+
+	klog.V(4).Infof("C2CC probe assets deployed (probe ClusterIP=%s)", probeIP)
+	return nil
+}
+
+func renderTemplate(tb []byte, data assets.RenderParams) ([]byte, error) {
+	tmpl, err := template.New("").Option("missingkey=error").Parse(string(tb))
+	if err != nil {
+		return nil, err
+	}
+	var buf bytes.Buffer
+	if err := tmpl.Execute(&buf, data); err != nil {
+		return nil, err
+	}
+	return buf.Bytes(), nil
+}