resource-agents: vSphere K8s cluster provider

[etungsten]

Issue number:
Resolves #35

Description of changes:

    vsphere-vm-resource: refactor out functions for shared use
    
    This refactors out some functions needed for implementing the vSphere K8s
    cluster provider so they can be shared between the two crates

    bottlerocket-agents: new 'vsphere-k8s-cluster-provider' agent
    
    This adds a new resource agent for provisioning vSphere K8s clusters via
    EKS-A.

Testing done:
Applied the following resource spec for a vSphere K8s cluster:

apiVersion: testsys.bottlerocket.aws/v1
kind: Resource
metadata:
  name: vsphere-k8s-cluster-1-23
  namespace: testsys-bottlerocket-aws
spec:
  agent:
    name: vsphere-k8s-cluster-resource-agent
    image: <>.dkr.ecr.us-west-2.amazonaws.com/vsphere-k8s-cluster-resource-agent:latest
    keepRunning: false
    privileged: true
    timeout: 20d
    secrets:
      vsphereCredentials: <>
    configuration:
      name: br-eksa-123
      controlPlaneEndpointIp: <>
      creation_policy: IfNotExists
      version: v1.23
      ovaName: "bottlerocket-vmware-k8s-1.23-x86_64-v1.10.1.ova"
      tufRepo:
        metadataUrl: "https://updates.bottlerocket.aws/2020-07-07/vmware-k8s-1.23/x86_64/"
        targetsUrl: "https://updates.bottlerocket.aws/targets"
      vcenterHostUrl: <>
      vcenterDatacenter: <>
      vcenterDatastore: <>
      vcenterNetwork: <>
      vcenterResourcePool: <>
      vcenterWorkloadFolder: <>
      mgmtClusterKubeconfigBase64: <>
      destructionPolicy: OnDeletion

Creation pod runs to completion without problem:

$ kubectl logs -f vsphere-k8s-clu70916266-4155-478e-9689-2b5dcead3c56-creatiwnkx6 -n testsys-bottlerocket-aws
[2022-10-21T18:53:07Z INFO  resource_agent::agent] Initializing Agent
[2022-10-21T18:53:07Z INFO  vsphere_k8s_cluster_resource_agent::vsphere_k8s_cluster_provider] Creation policy is 'Create' and cluster 'br-eksa-123' does not exist: creating cluster
[2022-10-21T18:53:08Z INFO  vsphere_k8s_cluster_resource_agent::vsphere_k8s_cluster_provider] Downloading OVA 'bottlerocket-vmware-k8s-1.23-x86_64-v1.10.1.ova'
[2022-10-21T18:53:10Z INFO  vsphere_k8s_cluster_resource_agent::vsphere_k8s_cluster_provider] Importing OVA and creating a VM template out of it
[2022-10-21T18:53:22Z INFO  vsphere_k8s_cluster_resource_agent::vsphere_k8s_cluster_provider] Tagging VM template
2022-10-21T18:53:49.895Z        V4      Logger init completed   {"vlevel": 4}
2022-10-21T18:53:50.012Z        V4      Reading bundles manifest        {"url": "https://anywhere-assets.eks.amazonaws.com/releases/bundles/18/manifest.yaml"}
2022-10-21T18:53:50.072Z        V4      Relative network path specified, using path /SDDC-Datacenter/network/sddc-cgw-network-2
2022-10-21T18:53:50.131Z        V2      Pulling docker image    {"image": "public.ecr.aws/eks-anywhere/cli-tools:v0.11.4-eks-a-18"}
2022-10-21T18:53:56.618Z        V3      Initializing long running container     {"name": "eksa_1666378430131231140", "image": "public.ecr.aws/eks-anywhere/cli-tools:v0.11.4-eks-a-18"}
2022-10-21T18:53:58.588Z        V4      Task start      {"task_name": "setup-validate"}
2022-10-21T18:53:58.588Z        V0      Performing setup and validations
2022-10-21T18:53:58.588Z        V4      Relative network path specified, using path /SDDC-Datacenter/network/sddc-cgw-network-2
2022-10-21T18:53:58.605Z        V0      ✅ Connected to server
2022-10-21T18:53:58.881Z        V0      ✅ Authenticated to vSphere
2022-10-21T18:53:59.481Z        V0      ✅ Datacenter validated
2022-10-21T18:53:59.786Z        V0      ✅ Network validated
2022-10-21T18:53:59.786Z        V1      SSHUsername is not set or is empty for VSphereMachineConfig, using default      {"machineConfig": "br-eksa-123-node", "user": "ec2-user"}
2022-10-21T18:54:00.363Z        V0      Warning: Your VM template has no snapshots. Defaulting to FullClone mode. VM provisioning might take longer.
2022-10-21T18:54:00.648Z        V0      ✅ Datastore validated
2022-10-21T18:54:00.935Z        V0      ✅ Folder validated
2022-10-21T18:54:01.224Z        V0      ✅ Resource pool validated
2022-10-21T18:54:02.329Z        V0      ✅ Control plane and Workload templates validated
2022-10-21T18:54:03.190Z        V0      Provided control plane sshAuthorizedKey is not set or is empty, auto-generating new key pair...
2022-10-21T18:54:04.517Z        V0      Private key saved to br-eksa-123/eks-a-id_rsa. Use 'ssh -i br-eksa-123/eks-a-id_rsa <username>@<Node-IP-Address>' to login to your cluster node
2022-10-21T18:54:16.033Z        V0      ✅ [email protected] user vSphere privileges validated
2022-10-21T18:54:16.033Z        V0      ✅ Vsphere Provider setup is valid
2022-10-21T18:54:17.184Z        V0      ✅ Validate certificate for registry mirror
2022-10-21T18:54:17.184Z        V0      ✅ Validate authentication for git provider
2022-10-21T18:54:17.184Z        V0      ✅ Validate cluster name
2022-10-21T18:54:17.184Z        V0      ✅ Validate gitops
2022-10-21T18:54:17.184Z        V0      ✅ Validate identity providers' name
2022-10-21T18:54:17.184Z        V0      ✅ Validate management cluster has eksa crds
2022-10-21T18:54:17.184Z        V0      ✅ Create preflight validations pass
2022-10-21T18:54:17.184Z        V4      Task finished   {"task_name": "setup-validate", "duration": "18.595666711s"}
2022-10-21T18:54:17.184Z        V4      ----------------------------------
2022-10-21T18:54:17.184Z        V4      Task start      {"task_name": "bootstrap-cluster-init"}
2022-10-21T18:54:17.184Z        V4      Task finished   {"task_name": "bootstrap-cluster-init", "duration": "2.243µs"}
2022-10-21T18:54:17.184Z        V4      ----------------------------------
2022-10-21T18:54:17.184Z        V4      Task start      {"task_name": "workload-cluster-init"}
2022-10-21T18:54:17.184Z        V0      Creating new workload cluster
2022-10-21T18:54:18.398Z        V3      Waiting for external etcd to be ready   {"cluster": "br-eksa-123"}
2022-10-21T18:56:18.609Z        V3      External etcd is ready
2022-10-21T18:56:18.609Z        V3      Waiting for control plane to be ready
2022-10-21T18:58:48.500Z        V3      Waiting for workload kubeconfig generation      {"cluster": "br-eksa-123"}
2022-10-21T18:58:49.060Z        V3      Waiting for controlplane and worker machines to be ready
2022-10-21T18:58:49.365Z        V4      Nodes are not ready yet {"total": 3, "ready": 2, "cluster name": "br-eksa-123"}
2022-10-21T18:58:49.672Z        V4      Nodes are not ready yet {"total": 3, "ready": 2, "cluster name": "br-eksa-123"}
2022-10-21T18:58:51.001Z        V4      Nodes ready     {"total": 3}
2022-10-21T18:58:51.001Z        V0      Installing networking on workload cluster
2022-10-21T18:58:52.910Z        V0      Installing storage class on cluster
2022-10-21T18:58:53.290Z        V4      Installing machine health checks on bootstrap cluster
2022-10-21T18:58:53.809Z        V4      Task finished   {"task_name": "workload-cluster-init", "duration": "4m36.62540685s"}
2022-10-21T18:58:53.809Z        V4      ----------------------------------
2022-10-21T18:58:53.809Z        V4      Task start      {"task_name": "install-resources-on-management-cluster"}
2022-10-21T18:58:53.809Z        V4      Task finished   {"task_name": "install-resources-on-management-cluster", "duration": "1.816µs"}
2022-10-21T18:58:53.809Z        V4      ----------------------------------
2022-10-21T18:58:53.809Z        V4      Task start      {"task_name": "capi-management-move"}
2022-10-21T18:58:53.809Z        V4      Task finished   {"task_name": "capi-management-move", "duration": "834ns"}
2022-10-21T18:58:53.809Z        V4      ----------------------------------
2022-10-21T18:58:53.809Z        V4      Task start      {"task_name": "eksa-components-install"}
2022-10-21T18:58:53.809Z        V0      Creating EKS-A CRDs instances on workload cluster
2022-10-21T18:58:53.812Z        V4      Applying eksa yaml resources to cluster
2022-10-21T18:58:54.339Z        V1      Applying Bundles to cluster
2022-10-21T18:58:55.001Z        V4      Applying eksd manifest to cluster
2022-10-21T18:58:57.201Z        V4      Task finished   {"task_name": "eksa-components-install", "duration": "3.391983322s"}
2022-10-21T18:58:57.201Z        V4      ----------------------------------
2022-10-21T18:58:57.201Z        V4      Task start      {"task_name": "gitops-manager-install"}
2022-10-21T18:58:57.201Z        V0      Installing GitOps Toolkit on workload cluster
2022-10-21T18:58:57.201Z        V0      GitOps field not specified, bootstrap flux skipped
2022-10-21T18:58:57.201Z        V4      Task finished   {"task_name": "gitops-manager-install", "duration": "11.854µs"}
2022-10-21T18:58:57.201Z        V4      ----------------------------------
2022-10-21T18:58:57.201Z        V4      Task start      {"task_name": "write-cluster-config"}
2022-10-21T18:58:57.201Z        V0      Writing cluster config file
2022-10-21T18:58:57.203Z        V4      Task finished   {"task_name": "write-cluster-config", "duration": "2.052509ms"}
2022-10-21T18:58:57.203Z        V4      ----------------------------------
2022-10-21T18:58:57.203Z        V4      Task start      {"task_name": "delete-kind-cluster"}
2022-10-21T18:58:57.203Z        V0      🎉 Cluster created!
2022-10-21T18:58:57.203Z        V4      Task finished   {"task_name": "delete-kind-cluster", "duration": "7.66µs"}
2022-10-21T18:58:57.203Z        V4      ----------------------------------
2022-10-21T18:58:57.203Z        V4      Task start      {"task_name": "install-curated-packages"}
--------------------------------------------------------------------------------------
The Amazon EKS Anywhere Curated Packages are only available to customers with the
Amazon EKS Anywhere Enterprise Subscription
--------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------
Curated packages cannot be installed as cert-manager is not present in the cluster.
This is most likely caused by an action to install curated packages at a workload
cluster. Refer to https://anywhere.eks.amazonaws.com/docs/tasks/troubleshoot/packages/
for how to resolve this issue.
--------------------------------------------------------------------------------------
2022-10-21T18:58:57.494Z        V0      ❌ Curated Packages Installation Failed...
2022-10-21T18:58:57.494Z        V4      Task finished   {"task_name": "install-curated-packages", "duration": "290.286471ms"}
2022-10-21T18:58:57.494Z        V4      ----------------------------------
2022-10-21T18:58:57.494Z        V4      Tasks completed {"duration": "4m58.905757983s"}
2022-10-21T18:58:57.494Z        V3      Logging out from current govc session
2022-10-21T18:58:58.119Z        V3      Cleaning up long running container      {"name": "eksa_1666378430131231140"}
[2022-10-21T18:58:58Z INFO  vsphere_k8s_cluster_resource_agent::vsphere_k8s_cluster_provider] Scaling default NodeGroup machinedeployments replicas to 0 machinedeployment.cluster.x-k8s.io/br-eksa-123-md-0 scaled

Destruction runs to completion without problem after deleting the resource:

$ kubectl logs -f vsphere-k8s-clu70916266-4155-478e-9689-2b5dcead3c56-destruktfkr -n testsys-bottlerocket-aws
[2022-10-21T18:59:57Z INFO  resource_agent::agent] Initializing Agent
2022-10-21T18:59:58.418Z        V4      Logger init completed   {"vlevel": 4}
2022-10-21T18:59:58.533Z        V4      Reading bundles manifest        {"url": "https://anywhere-assets.eks.amazonaws.com/releases/bundles/18/manifest.yaml"}
2022-10-21T18:59:58.562Z        V4      Relative network path specified, using path /SDDC-Datacenter/network/sddc-cgw-network-2
2022-10-21T18:59:58.611Z        V2      Pulling docker image    {"image": "public.ecr.aws/eks-anywhere/cli-tools:v0.11.4-eks-a-18"}
2022-10-21T19:00:04.009Z        V3      Initializing long running container     {"name": "eksa_1666378798611379528", "image": "public.ecr.aws/eks-anywhere/cli-tools:v0.11.4-eks-a-18"}
2022-10-21T19:00:06.077Z        V4      Task start      {"task_name": "setup-and-validate"}
2022-10-21T19:00:06.077Z        V0      Performing provider setup and validations
2022-10-21T19:00:06.077Z        V4      Task finished   {"task_name": "setup-and-validate", "duration": "33.101µs"}
2022-10-21T19:00:06.077Z        V4      ----------------------------------
2022-10-21T19:00:06.077Z        V4      Task start      {"task_name": "management-cluster-init"}
2022-10-21T19:00:06.077Z        V4      Task finished   {"task_name": "management-cluster-init", "duration": "1.049µs"}
2022-10-21T19:00:06.077Z        V4      ----------------------------------
2022-10-21T19:00:06.077Z        V4      Task start      {"task_name": "delete-workload-cluster"}
2022-10-21T19:00:06.077Z        V0      Deleting workload cluster
2022-10-21T19:00:33.606Z        V4      Task finished   {"task_name": "delete-workload-cluster", "duration": "27.528800824s"}
2022-10-21T19:00:33.606Z        V4      ----------------------------------
2022-10-21T19:00:33.606Z        V4      Task start      {"task_name": "clean-up-git-repo"}
2022-10-21T19:00:33.606Z        V0      Clean up Git Repo
2022-10-21T19:00:33.606Z        V0      GitOps field not specified, clean up git repo skipped
2022-10-21T19:00:33.606Z        V4      Task finished   {"task_name": "clean-up-git-repo", "duration": "9.966µs"}
2022-10-21T19:00:33.606Z        V4      ----------------------------------
2022-10-21T19:00:33.606Z        V4      Task start      {"task_name": "kind-cluster-delete"}
2022-10-21T19:00:33.606Z        V0      Bootstrap cluster information missing - skipping delete kind cluster
2022-10-21T19:00:33.606Z        V0      🎉 Cluster deleted!
2022-10-21T19:00:33.606Z        V4      Task finished   {"task_name": "kind-cluster-delete", "duration": "9.076µs"}
2022-10-21T19:00:33.606Z        V4      ----------------------------------
2022-10-21T19:00:33.606Z        V4      Tasks completed {"duration": "27.528983342s"}
2022-10-21T19:00:33.606Z        V3      Logging out from current govc session
2022-10-21T19:00:34.198Z        V3      Cleaning up long running container      {"name": "eksa_1666378798611379528"}
rpc error: code = NotFound desc = an error occurred when try to find container "b0624db8aa5f5349c38be241495784d597bd56e975fdc4064b635dbfaa782c50": not found

With testsys run vmware, the cluster can be used to run migration tests/conformance tests:

$ testsys run vmware \
   --cluster-endpoint 198.19.11.123 \
   --cluster-name br-eksa-123 \
   --target-cluster-kubeconfig-path br-eksa-123-eks-a-cluster.kubeconfig \
   --test-agent-image <>.dkr.ecr.us-west-2.amazonaws.com/sonobuoy-test-agent:latest \
   --network sddc-cgw-network-2 \
   --name vmware-123-quick \
   --ova-name bottlerocket-vmware-k8s-1.23-x86_64-v1.10.0.ova \
   --vcenter-url <> \
   --vm-count 2 \
   --vm-provider-image <>.dkr.ecr.us-west-2.amazonaws.com/vsphere-vm-resource-agent:latest \
   --vsphere-secret vcentercreds \
   --workload-folder etung \
   --upgrade-downgrade \
   --migration-agent-image <>.dkr.ecr.us-west-2.amazonaws.com/migration-test-agent:latest \
   --starting-version v1.10.0 \
   --upgrade-version v1.10.1 \
   --tuf-repo-metadata-url https://updates.bottlerocket.aws/2020-07-07/vmware-k8s-1.22/x86_64/ \
   --tuf-repo-targets-url https://updates.bottlerocket.aws/targets/
Created resource object 'br-eksa-123-vms'
Created test object 'vmware-123-quick-1-initial'
Created test object 'vmware-123-quick-2-migrate'
Created test object 'vmware-123-quick-3-migrated'
Created test object 'vmware-123-quick-4-migrate'
Created test object 'vmware-123-quick-5-final'
$ testsys status -c -r
 NAME                          TYPE         STATE       PASSED   SKIPPED   FAILED 
 Controller                    Controller   Running                               
 br-eksa-123-vms               Resource     completed                             
 vmware-123-quick-1-initial    Test         passed      1        7049      0      
 vmware-123-quick-2-migrate    Test         passed      2        0         0      
 vmware-123-quick-3-migrated   Test         passed      1        7049      0      
 vmware-123-quick-4-migrate    Test         passed      2        0         0      
 vmware-123-quick-5-final      Test         passed      1        7049      0      
 vsphere-k8s-cluster-1-23      Resource     completed 

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[etungsten]

The "Build/Images" check is failing because I changed the bottlerocket test tools image Dockerfile and the check is using the default tools image in the ECR repository.

[etungsten]

Taking this to draft until #615 merges and we push out the new tools image.

[webern]

the check is using the default tools image in the ECR repository

Really? You mean latest? That's not right.

[webern]

This is great work and exciting that we will have this functionality.

My main question is about requiring a CAPI cluster to pre-exist. I think I understand the choice... otherwise you would need a kind cluster running "docker in docker" inside this container, right? And maybe that feels just too horrible?

The other feedback I have is that vsphere_k8s_cluster_provider.rs is basically a big long procedural script. My person preference would be to look for a bunch of places where you could refactor out some functions (even if they are only being called once) just for the sake of readability.

[webern]

This agent requires a CAPI management cluster to already exist?

[etungsten]

Yes, like you mentioned in the review message, I wanted to avoid bootstrapping with kind since the docker daemon is running with vfs as the underlying storage driver and it's incredibly inefficient since each container layer is its own directory. And setting up a kind bootstrap cluster requires a lot of containers to be running. I can try again to see if this is acceptable though.

Setting up overlayfs requires installing docker on the testsys node host and mounting in /var/lib/docker into the dind container which I find unappetizing as well.

By having an external management cluster, I don't have to worry about all of that. In addition, the management cluster becomes a source of truth for the state of all provisioned clusters and I can retrieve a kubeconfig for any provisioned cluster as long as I have access to the mgmt cluster. There are cons with this approach though.

• I believe this makes integrating with cargo make test harder since the resource agent is no longer self-contained and requires an external kubeconfig (@ecpullen probably has opinions on this).
• Someone needs to maintain the management cluster and remember to upgrade the CAPI, CAPV CRDs when EKS-A bumps versions.

[webern]

Makes sense. I think this is a great solution and we can consider "Don't require an external CAPI cluster" to be a separate issue/feature-request.

[ecpullen]

The additional kubeconfig will either need to have a know location in the monorepo (like testsys.kubeconfig) or we will have to include it (as a string) in the Test.toml file. I prefer the former option, but not having to worry about it would be nice.

[etungsten]

I tried without a external management cluster and let EKS-A set up the bootstrap cluster in kind (kind running in docker that's running in docker btw lol) and it failed due to networking issues:

2022-10-25T20:35:28.490Z        V4      ----------------------------------
2022-10-25T20:35:28.490Z        V4      Task start      {"task_name": "bootstrap-cluster-init"}
2022-10-25T20:35:28.490Z        V0      Creating new bootstrap cluster
2022-10-25T20:35:28.491Z        V4      Creating kind cluster   {"name": "br-eksa-122-eks-a-cluster", "kubeconfig": "br-eksa-122/generated/br-eksa-122.kind.kubeconfig"}
2022-10-25T20:35:28.491Z        V6      Executing command       {"cmd": "/usr/bin/docker exec -i eksa_1666730106969714044 kind create cluster --name br-eksa-122-eks-a-cluster --kubeconfig br-eksa-122/generated/br-eksa-122.kind.kubeconfig --image public.ecr.aws/eks-anywhere/kubernetes-sigs/kind/node:v1.22.15-eks-d-1-22-11-eks-a-19 --config br-eksa-122/generated/kind_tmp.yaml"}
ERRO[2022-10-25T20:35:53.428755287Z] Could not add route to IPv6 network fc00:f853:ccd:e793::1/64 via device br-3443489d9de0: network is down 
time="2022-10-25T20:35:56.630430522Z" level=info msg="loading plugin \"io.containerd.event.v1.publisher\"..." runtime=io.containerd.runc.v2 type=io.containerd.event.v1
time="2022-10-25T20:35:56.630486720Z" level=info msg="loading plugin \"io.containerd.internal.v1.shutdown\"..." runtime=io.containerd.runc.v2 type=io.containerd.internal.v1
time="2022-10-25T20:35:56.630493149Z" level=info msg="loading plugin \"io.containerd.ttrpc.v1.task\"..." runtime=io.containerd.runc.v2 type=io.containerd.ttrpc.v1
time="2022-10-25T20:35:56.630582130Z" level=info msg="starting signal loop" namespace=moby path=/run/docker/containerd/daemon/io.containerd.runtime.v2.task/moby/99c8a19b51e1e85305f365229030c3b6b7e58f7423f120b88f02d0162ee1de7e pid=2752 runtime=io.containerd.runc.v2

So unless we want to invest time investigating how to get kind to work under 3 layers of container abstraction, I think we should stick with external mgmt cluster for now.

[webern]

🐢 🐢 🐢 🐢 🐢

[etungsten]

Push above addresses @webern 's comments.

• Removes the sleeps in the loop for creating and attaching tags to VM templates
• Refactor fn create_cluster to make it easier to read
• Refactor out is_cluster_creation_required to remove duplication between EKS resource agent and vSphere K8s cluster resource agent

Repeated testing and the results are the same as before as described in the PR description

[etungsten]

Push above rebases onto develop and fixes conflicts in EKS resource agent

[webern]

nice

[ecpullen]

Can you add a tutorial for using this agent somewhere?

[etungsten]

Push above adds a README for the vSphere K8s cluster resource agent on how to configure the agent and more info on how to set up the initial management cluster.

[etungsten]

Push above rebases onto develop and fixes conflicts with #537

[etungsten]

Push above addresses lints caught by mdlint during Lint github action.

[ecpullen]

Just a couple questions.

[etungsten]

Talked with @mjsterckx and we're ok with merging