Merge branch 'main' into chore/issue-263

Author: lllamnyp

MAINTAINERS.md

@@ -4,6 +4,8 @@
 | ---------- | --------------- | ------- |
 | Andrei Kvapil | [@kvaps](https://github.com/kvaps) | Ænix |
 | George Gaál | [@gecube](https://github.com/gecube) | Ænix |
+| Kirill Klinchenkov | [@klinch0](https://github.com/klinch0) | Ænix |
+| Timofei Larkin | [@lllamnyp](https://github.com/lllamnyp) | Ænix |
 | Kirill | [@sircthulhu](https://github.com/sircthulhu) |  |
 | Alex Gluck | [@AlexGluck](https://github.com/AlexGluck) |  |
 | Oleg Kunitsyn | [@hiddenmarten](https://github.com/hiddenmarten) |  |

charts/etcd-operator/README.md

@@ -26,6 +26,11 @@
 | etcdOperator.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
 | etcdOperator.service.port | int | `9443` | Service port |
 | etcdOperator.service.type | string | `"ClusterIP"` | Service type |
+| etcdOperator.vpa.enabled | bool | `true` |  |
+| etcdOperator.vpa.maxAllowed.cpu | string | `"1000m"` |  |
+| etcdOperator.vpa.maxAllowed.memory | string | `"1Gi"` |  |
+| etcdOperator.vpa.minAllowed.cpu | string | `"100m"` |  |
+| etcdOperator.vpa.minAllowed.memory | string | `"128Mi"` |  |
 | fullnameOverride | string | `""` | Override a full name of helm release |
 | imagePullSecrets | list | `[]` |  |
 | kubeRbacProxy.args[0] | string | `"--secure-listen-address=0.0.0.0:8443"` |  |
@@ -41,6 +46,11 @@
 | kubeRbacProxy.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
 | kubeRbacProxy.service.port | int | `8443` | Service port |
 | kubeRbacProxy.service.type | string | `"ClusterIP"` | Service type |
+| kubeRbacProxy.vpa.enabled | bool | `true` |  |
+| kubeRbacProxy.vpa.maxAllowed.cpu | string | `"500m"` |  |
+| kubeRbacProxy.vpa.maxAllowed.memory | string | `"256Mi"` |  |
+| kubeRbacProxy.vpa.minAllowed.cpu | string | `"50m"` |  |
+| kubeRbacProxy.vpa.minAllowed.memory | string | `"64Mi"` |  |
 | kubernetesClusterDomain | string | `"cluster.local"` | Kubernetes cluster domain prefix |
 | nameOverride | string | `""` | Override a name of helm release |
 | nodeSelector | object | `{}` | ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ |
@@ -51,4 +61,5 @@
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | tolerations | list | `[]` | ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
+| vpa.updatePolicy | string | `"Auto"` |  |
 

charts/etcd-operator/templates/workload/deployment.yml

@@ -45,10 +45,12 @@ spec:
           readinessProbe:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- if not .Values.etcdOperator.vpa.enabled }}
           {{- with .Values.etcdOperator.resources }}
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- end }}
           {{- with .Values.etcdOperator.securityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
@@ -87,10 +89,12 @@ spec:
           readinessProbe:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- if not .Values.kubeRbacProxy.vpa.enabled }}
           {{- with .Values.kubeRbacProxy.resources }}
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- end }}
           {{- with .Values.kubeRbacProxy.securityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}

charts/etcd-operator/templates/workload/vpa.yml

@@ -0,0 +1,41 @@
+{{- if or .Values.etcdOperator.vpa.enabled .Values.kubeRbacProxy.vpa.enabled }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: {{ include "etcd-operator.fullname" . }}-controller-manager
+  labels:
+    {{- include "etcd-operator.labels" . | nindent 4 }}
+spec:
+  targetRef:
+    apiVersion: "apps/v1"
+    kind: Deployment
+    name: {{ include "etcd-operator.fullname" . }}-controller-manager
+  updatePolicy:
+    updateMode: {{ .Values.vpa.updatePolicy | default "Auto" | quote }}
+  resourcePolicy:
+    containerPolicies:
+    {{- if .Values.etcdOperator.vpa.enabled }}
+      - containerName: etcd-operator
+        {{- with .Values.etcdOperator.vpa.minAllowed }}
+        minAllowed:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.etcdOperator.vpa.maxAllowed }}
+        maxAllowed:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        controlledResources: ["cpu", "memory"]
+    {{- end }}
+    {{- if .Values.kubeRbacProxy.vpa.enabled }}
+      - containerName: kube-rbac-proxy
+        {{- with .Values.kubeRbacProxy.vpa.minAllowed }}
+        minAllowed:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.kubeRbacProxy.vpa.maxAllowed }}
+        maxAllowed:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        controlledResources: ["cpu", "memory"]
+    {{- end }}
+{{- end }}

charts/etcd-operator/values.schema.json

@@ -131,6 +131,36 @@
                         }
                     },
                     "type": "object"
+                },
+                "vpa": {
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "maxAllowed": {
+                            "properties": {
+                                "cpu": {
+                                    "type": "string"
+                                },
+                                "memory": {
+                                    "type": "string"
+                                }
+                            },
+                            "type": "object"
+                        },
+                        "minAllowed": {
+                            "properties": {
+                                "cpu": {
+                                    "type": "string"
+                                },
+                                "memory": {
+                                    "type": "string"
+                                }
+                            },
+                            "type": "object"
+                        }
+                    },
+                    "type": "object"
                 }
             },
             "type": "object"
@@ -227,6 +257,36 @@
                         }
                     },
                     "type": "object"
+                },
+                "vpa": {
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "maxAllowed": {
+                            "properties": {
+                                "cpu": {
+                                    "type": "string"
+                                },
+                                "memory": {
+                                    "type": "string"
+                                }
+                            },
+                            "type": "object"
+                        },
+                        "minAllowed": {
+                            "properties": {
+                                "cpu": {
+                                    "type": "string"
+                                },
+                                "memory": {
+                                    "type": "string"
+                                }
+                            },
+                            "type": "object"
+                        }
+                    },
+                    "type": "object"
                 }
             },
             "type": "object"
@@ -270,6 +330,14 @@
         },
         "tolerations": {
             "type": "array"
+        },
+        "vpa": {
+            "properties": {
+                "updatePolicy": {
+                    "type": "string"
+                }
+            },
+            "type": "object"
         }
     },
     "type": "object"

charts/etcd-operator/values.yaml

@@ -84,6 +84,15 @@ etcdOperator:
       drop:
         - ALL
 
+  vpa:
+    enabled: true
+    minAllowed:
+      cpu: 100m
+      memory: 128Mi
+    maxAllowed:
+      cpu: 1000m
+      memory: 1Gi
+
 kubeRbacProxy:
 
   image:
@@ -142,6 +151,15 @@ kubeRbacProxy:
       drop:
           - ALL
 
+  vpa:
+    enabled: true
+    minAllowed:
+      cpu: 50m
+      memory: 64Mi
+    maxAllowed:
+      cpu: 500m
+      memory: 256Mi
+
 # -- Kubernetes cluster domain prefix
 kubernetesClusterDomain: cluster.local
 
@@ -182,3 +200,6 @@ tolerations: []
 
 # -- ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
 affinity: {}
+
+vpa:
+  updatePolicy: "Auto"

cmd/kubectl-etcd/main.go

@@ -20,6 +20,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
+	_ "k8s.io/client-go/plugin/pkg/client/auth" // Import all auth providers
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/tools/portforward"
 	"k8s.io/client-go/transport/spdy"

internal/controller/etcdcluster_controller.go

@@ -111,6 +111,18 @@ func (r *EtcdClusterReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	if err != nil {
 		return ctrl.Result{}, err
 	}
+	defer func() {
+		if clusterClient != nil {
+			// nolint:errcheck
+			clusterClient.Close()
+		}
+		for i := range singleClients {
+			if singleClients[i] != nil {
+				// nolint:errcheck
+				singleClients[i].Close()
+			}
+		}
+	}()
 	state.endpointsFound = clusterClient != nil && singleClients != nil
 
 	if !state.endpointsFound {
@@ -286,6 +298,8 @@ func (r *EtcdClusterReconciler) ensureConditionalClusterObjects(
 }
 
 // updateStatusOnErr wraps error and updates EtcdCluster status
+// TODO: refactor this so the linter doesn't complain
+// nolint:unparam
 func (r *EtcdClusterReconciler) updateStatusOnErr(ctx context.Context, cluster *etcdaenixiov1alpha1.EtcdCluster, err error) (ctrl.Result, error) {
 	// The function 'updateStatusOnErr' will always return non-nil error. Hence, the ctrl.Result will always be ignored.
 	// Therefore, the ctrl.Result returned by 'updateStatus' function can be discarded.
@@ -341,9 +355,8 @@ func (r *EtcdClusterReconciler) configureAuth(ctx context.Context, cluster *etcd
 		return err
 	}
 
-	defer func() {
-		err = cli.Close()
-	}()
+	// nolint:errcheck
+	defer cli.Close()
 
 	err = testMemberList(ctx, cli)
 	if err != nil {

internal/controller/factory/etcd_client.go

@@ -2,7 +2,11 @@ package factory
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
+	"time"
 
 	"github.com/aenix-io/etcd-operator/api/v1alpha1"
 	clientv3 "go.etcd.io/etcd/client/v3"
@@ -29,6 +33,8 @@ func NewEtcdClientSet(ctx context.Context, cluster *v1alpha1.EtcdCluster, cli cl
 		cfg.Endpoints = []string{ep}
 		singleClients[i], err = clientv3.New(cfg)
 		if err != nil {
+			// nolint:errcheck
+			clusterClient.Close()
 			return nil, nil, fmt.Errorf("error building etcd single-endpoint client for endpoint %s: %w", ep, err)
 		}
 	}
@@ -56,8 +62,72 @@ func configFromCluster(ctx context.Context, cluster *v1alpha1.EtcdCluster, cli c
 		}
 	}
 	for name := range names {
-		urls = append(urls, fmt.Sprintf("%s:%s", name, "2379"))
+		urls = append(urls, fmt.Sprintf("%s.%s.%s.svc:%s", name, ep.Name, ep.Namespace, "2379"))
 	}
+	etcdClient := clientv3.Config{Endpoints: urls, DialTimeout: 5 * time.Second}
 
-	return clientv3.Config{Endpoints: urls}, nil
+	if s := cluster.Spec.Security; s != nil {
+		if s.TLS.ClientSecret == "" {
+			return clientv3.Config{}, fmt.Errorf("cannot configure client: security enabled, but client certificates not set")
+		}
+		clientSecret := &v1.Secret{}
+		err := cli.Get(ctx, types.NamespacedName{Namespace: cluster.Namespace, Name: s.TLS.ClientSecret}, clientSecret)
+		if err != nil {
+			return clientv3.Config{}, fmt.Errorf("cannot configure client: failed to get client certificate: %w", err)
+		}
+		cert, err := parseTLSSecret(clientSecret)
+		if err != nil {
+			return clientv3.Config{}, fmt.Errorf("cannot configure client: failed to extract keypair from client secret: %w", err)
+		}
+		etcdClient.TLS = &tls.Config{}
+		etcdClient.TLS.Certificates = []tls.Certificate{cert}
+		etcdClient.TLS.GetClientCertificate = func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+			return &etcdClient.TLS.Certificates[0], nil
+		}
+		caSecret := &v1.Secret{}
+		err = cli.Get(ctx, types.NamespacedName{Namespace: cluster.Namespace, Name: s.TLS.ServerSecret}, caSecret)
+		if err != nil {
+			return clientv3.Config{}, fmt.Errorf("cannot configure client: failed to get server CA secret: %w", err)
+		}
+		ca, err := parseTLSSecretCA(caSecret)
+		if err != nil {
+			return clientv3.Config{}, fmt.Errorf("cannot configure client: failed to extract Root CA from server secret: %w", err)
+		}
+		pool := x509.NewCertPool()
+		pool.AddCert(ca)
+		etcdClient.TLS.RootCAs = pool
+	}
+
+	return etcdClient, nil
+}
+
+func parseTLSSecret(secret *v1.Secret) (cert tls.Certificate, err error) {
+	certPem, ok := secret.Data["tls.crt"]
+	if !ok {
+		return tls.Certificate{}, fmt.Errorf("tls.crt not found in secret")
+	}
+	keyPem, ok := secret.Data["tls.key"]
+	if !ok {
+		return tls.Certificate{}, fmt.Errorf("tls.key not found in secret")
+	}
+	cert, err = tls.X509KeyPair(certPem, keyPem)
+	if err != nil {
+		err = fmt.Errorf("failed to load x509 key pair: %w", err)
+	}
+	return
+}
+
+func parseTLSSecretCA(secret *v1.Secret) (ca *x509.Certificate, err error) {
+	caPemBytes, ok := secret.Data["ca.crt"]
+	if !ok {
+		err = fmt.Errorf("secret does not contain ca.crt")
+		return
+	}
+	block, _ := pem.Decode(caPemBytes)
+	if block == nil {
+		err = fmt.Errorf("failed to decode PEM bytes")
+		return
+	}
+	ca, err = x509.ParseCertificate(block.Bytes)
+	return
 }