Cluster capi operator

Dockerfile.rhel

@@ -0,0 +1,51 @@
+# syntax=docker/dockerfile:1.1-experimental
+
+# Copyright 2019 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Build the manager binary
+FROM registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.20-openshift-4.14 as builder
+WORKDIR /workspace
+
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+# Cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN --mount=type=cache,target=/go/pkg/mod \
+    go mod download
+
+# Copy the sources
+COPY ./ ./
+
+# Build
+ARG package=.
+ARG ARCH
+ARG ldflags
+
+# Do not force rebuild of up-to-date packages (do not use -a) and use the compiler cache folder
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} \
+    go build -ldflags "${ldflags} -extldflags '-static'" \
+    -o manager ${package}
+
+# Production image
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/manager .
+# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
+USER 65532
+ENTRYPOINT ["/manager"]

Makefile

@@ -44,7 +44,6 @@ GO_INSTALL := ./scripts/go_install.sh
 # Binaries.
 CONTROLLER_GEN := $(TOOLS_BIN_DIR)/controller-gen
 CONVERSION_GEN := $(TOOLS_BIN_DIR)/conversion-gen
-DEFAULTER_GEN := $(TOOLS_BIN_DIR)/defaulter-gen
 ENVSUBST := $(TOOLS_BIN_DIR)/envsubst
 GINKGO := $(TOOLS_BIN_DIR)/ginkgo
 GOJQ := $(TOOLS_BIN_DIR)/gojq
@@ -262,7 +261,7 @@ generate: ## Generate code
 
 .PHONY: generate-go
 generate-go: $(MOCKGEN)
-	$(MAKE) -B $(CONTROLLER_GEN) $(CONVERSION_GEN) $(DEFAULTER_GEN)
+	$(MAKE) -B $(CONTROLLER_GEN) $(CONVERSION_GEN)
 	$(CONTROLLER_GEN) \
 		paths=./api/... \
 		object:headerFile=./hack/boilerplate/boilerplate.generatego.txt

OWNERS

@@ -1,21 +1,6 @@
-# See the OWNERS docs: https://git.k8s.io/community/contributors/guide/owners.md
-
 approvers:
-  - sig-cluster-lifecycle-leads
-  - cluster-api-openstack-maintainers
-
+  - shiftstack-team
 reviewers:
-  - cluster-api-openstack-maintainers
-  - cluster-api-openstack-reviewers
-
-emeritus_approvers:
-  - ncdc
-  - chaosaffe
-  - chrigl
-  - dims
-  - gyliu513
-  - Lion-Wei
-  - m1093782566
-  - sbueringer
-  - hidekazuna
-  - chrischdi
+  - shiftstack-team
+component: "Cloud Compute"
+subcomponent: "OpenStack Provider"

OWNERS_ALIASES

@@ -1,28 +1,10 @@
-# See the OWNERS docs: https://git.k8s.io/community/contributors/guide/owners.md
-#
-# When making changes to this file, also consider if you need to update:
-# - https://github.com/kubernetes/org/blob/main/config/kubernetes-sigs/sig-cluster-lifecycle/teams.yaml
-# - https://github.com/kubernetes/test-infra/blob/master/OWNERS_ALIASES
-# - https://github.com/kubernetes/k8s.io/blob/main/groups/sig-architecture/groups.yaml
-# - https://github.com/kubernetes/k8s.io/blob/main/groups/sig-cluster-lifecycle/groups.yaml
-
 aliases:
-  # sig-cluster-lifecycle-leads are included as approvers in case it's ever
-  # operationally expedient:
-  # Source:
-  # https://github.com/kubernetes/org/blob/main/config/kubernetes/sig-cluster-lifecycle/teams.yaml
-  # correct as of 2023/05/10
-  sig-cluster-lifecycle-leads:
-    - CecileRobertMichon
-    - fabriziopandini
-    - justinsb
-    - neolit123
-    - vincepri
-  cluster-api-openstack-maintainers:
-    - jichenjc
-    - lentzi90
-    - mdbooth
-    - seanschneeweiss
-    - tobiasgiese
-  cluster-api-openstack-reviewers:
+  shiftstack-team:
+    - EmilienM
+    - MaysaMacedo
     - dulek
+    - gryf
+    - mandre
+    - mdbooth
+    - pierreprinetti
+    - stephenfin

RELEASE.md

@@ -27,6 +27,15 @@ to version 1.2.3 would be called `v1.2.3-rc.0`.
 
 It is recommended to create at least one release candidate when bumping `X` or `Y`.
 
+## Release notes
+
+Release notes are user visible information providing details of all relevant changes between releases.
+
+The content of the release notes differs depending on the type of release, specifically:
+
+- Stable releases contain a *full* changelog from the last stable release.
+- Pre-releases contain a changelog from the previous pre-release, or the last stable release if there isn't one.
+
 ## Process
 
 1. Make sure your repo is clean by git's standards. It is recommended to use a fresh checkout.
@@ -60,10 +69,12 @@ It is recommended to create at least one release candidate when bumping `X` or `
    It is good practise to get somebody else to review this PR. It is safe to perform the following steps while waiting
    for review and the promotion of the image.
 1. Run `make release` to build artifacts to be attached to the GitHub release.
-1. Generate and finalize the release notes and save them for the next step:
-    - Run `make release-notes` to gather changes since the last revision. If you need to specify a specific tag to look for changes
-      since, use `make release-notes RELEASE_NOTES_ARGS="--from <tag>"`.
-    - Pay close attention to the `## :question: Sort these by hand` section, as it contains items that need to be manually sorted.
+1. Generate and finalize the release notes and save them for the next step.
+   - Run `make release-notes RELEASE_NOTES_ARGS="--from <tag>"`.
+     - Depending on the type of release, substitute `<tag>` with the following:
+       - Stable releases: tag of the last stable release
+       - Pre-releases*: tag of the latest pre-release (or last stable release if there isn't one)
+   - Pay close attention to the `## :question: Sort these by hand` section, as it contains items that need to be manually sorted.
 1. Create a draft release in GitHub based on the tag created above
     - Name the release `Release [VERSION]` where VERSION is the full version string.
     - For a pre-release, ensure you check `This is a pre-release` in GitHub when creating the release.

api/v1alpha7/conditions_consts.go

@@ -40,6 +40,8 @@ const (
 	InstanceNotReadyReason = "InstanceNotReady"
 	// InstanceDeleteFailedReason used when deleting the instance failed.
 	InstanceDeleteFailedReason = "InstanceDeleteFailed"
+	// OpenstackErrorReason used when there is an error communicating with OpenStack.
+	OpenStackErrorReason = "OpenStackError"
 )
 
 const (

api/v1alpha7/openstackcluster_webhook.go

@@ -130,6 +130,10 @@ func (r *OpenStackCluster) ValidateUpdate(oldRaw runtime.Object) (admission.Warn
 	old.Spec.ControlPlaneAvailabilityZones = []string{}
 	r.Spec.ControlPlaneAvailabilityZones = []string{}
 
+	// Allow change to the allowAllInClusterTraffic.
+	old.Spec.AllowAllInClusterTraffic = false
+	r.Spec.AllowAllInClusterTraffic = false
+
 	if !reflect.DeepEqual(old.Spec, r.Spec) {
 		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec"), "cannot be modified"))
 	}

config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: openstackclusters.infrastructure.cluster.x-k8s.io
 spec:
   group: infrastructure.cluster.x-k8s.io

config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclustertemplates.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: openstackclustertemplates.infrastructure.cluster.x-k8s.io
 spec:
   group: infrastructure.cluster.x-k8s.io

config/crd/bases/infrastructure.cluster.x-k8s.io_openstackmachines.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: openstackmachines.infrastructure.cluster.x-k8s.io
 spec:
   group: infrastructure.cluster.x-k8s.io

config/crd/bases/infrastructure.cluster.x-k8s.io_openstackmachinetemplates.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: openstackmachinetemplates.infrastructure.cluster.x-k8s.io
 spec:
   group: infrastructure.cluster.x-k8s.io

config/crd/kustomization.yaml

@@ -11,21 +11,21 @@ resources:
 - bases/infrastructure.cluster.x-k8s.io_openstackclustertemplates.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
-patchesStrategicMerge:
+patches:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
-- patches/webhook_in_openstackclusters.yaml
-- patches/webhook_in_openstackmachines.yaml
-- patches/webhook_in_openstackmachinetemplates.yaml
-- patches/webhook_in_openstackclustertemplates.yaml
+- path: patches/webhook_in_openstackclusters.yaml
+- path: patches/webhook_in_openstackmachines.yaml
+- path: patches/webhook_in_openstackmachinetemplates.yaml
+- path: patches/webhook_in_openstackclustertemplates.yaml
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-- patches/cainjection_in_openstackclusters.yaml
-- patches/cainjection_in_openstackmachines.yaml
-- patches/cainjection_in_openstackmachinetemplates.yaml
-- patches/cainjection_in_openstackclustertemplates.yaml
+- path: patches/cainjection_in_openstackclusters.yaml
+- path: patches/cainjection_in_openstackmachines.yaml
+- path: patches/cainjection_in_openstackmachinetemplates.yaml
+- path: patches/cainjection_in_openstackclustertemplates.yaml
 # +kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

config/default/kustomization.yaml

@@ -7,22 +7,18 @@ commonLabels:
 
 resources:
 - namespace.yaml
-
-bases:
 - ../crd
 - ../rbac
 - ../manager
 - ../webhook
 - ../certmanager
 
-patchesStrategicMerge:
+patches:
 # Provide customizable hook for make targets.
-- manager_image_patch.yaml
-- manager_pull_policy.yaml
+- path: manager_image_patch.yaml
+- path: manager_pull_policy.yaml
   # Enable webhook.
-- manager_webhook_patch.yaml
-  # Inject certificate in the webhook definition.
-- webhookcainjection_patch.yaml
+- path: manager_webhook_patch.yaml
 
 vars:
   - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR

config/rbac/role.yaml

@@ -2,7 +2,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: manager-role
 rules:
 - apiGroups:

config/webhook/cainjection_patch.yaml

@@ -0,0 +1,3 @@
+- op: add
+  path: "/metadata/annotations/cert-manager.io~1inject-ca-from"
+  value: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)

config/webhook/kustomization.yaml

@@ -4,3 +4,11 @@ resources:
 
 configurations:
 - kustomizeconfig.yaml
+
+patches:
+# Inject certificate in the webhook definition.
+- target:
+    group: admissionregistration.k8s.io
+    version: v1
+    name: mutating-webhook-configuration|validating-webhook-configuration
+  path: cainjection_patch.yaml

config/webhook/manifests.yaml

@@ -2,7 +2,6 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
-  creationTimestamp: null
   name: mutating-webhook-configuration
 webhooks:
 - admissionReviewVersions:
@@ -72,7 +71,6 @@ webhooks:
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  creationTimestamp: null
   name: validating-webhook-configuration
 webhooks:
 - admissionReviewVersions:

controllers/openstackcluster_controller.go

@@ -155,11 +155,6 @@ func (r *OpenStackClusterReconciler) reconcileDelete(ctx context.Context, scope
 
 	clusterName := fmt.Sprintf("%s-%s", cluster.Namespace, cluster.Name)
 
-	if err = networkingService.DeletePorts(openStackCluster); err != nil {
-		handleUpdateOSCError(openStackCluster, fmt.Errorf("failed to delete ports: %w", err))
-		return reconcile.Result{}, fmt.Errorf("failed to delete ports: %w", err)
-	}
-
 	if openStackCluster.Spec.APIServerLoadBalancer.Enabled {
 		loadBalancerService, err := loadbalancer.NewService(scope)
 		if err != nil {
@@ -184,6 +179,11 @@ func (r *OpenStackClusterReconciler) reconcileDelete(ctx context.Context, scope
 			return ctrl.Result{}, fmt.Errorf("failed to delete router: %w", err)
 		}
 
+		if err = networkingService.DeletePorts(openStackCluster); err != nil {
+			handleUpdateOSCError(openStackCluster, fmt.Errorf("failed to delete ports: %w", err))
+			return reconcile.Result{}, fmt.Errorf("failed to delete ports: %w", err)
+		}
+
 		if err = networkingService.DeleteNetwork(openStackCluster, clusterName); err != nil {
 			handleUpdateOSCError(openStackCluster, fmt.Errorf("failed to delete network: %w", err))
 			return ctrl.Result{}, fmt.Errorf("failed to delete network: %w", err)