clustermesh-apiserver: Add to cilium repo

Move clustermesh-apiserver to Cilium repo to ease development.

Add support scripts for mTLS config management to contrib/k8s.

Signed-off-by: Jarno Rajahalme <[email protected]>

Makefile.docker

@@ -14,9 +14,9 @@ docker-cilium-image-for-developers:
 		--build-arg LIBNETWORK_PLUGIN=\
 		-t $(DOCKER_DEV_ACCOUNT)/cilium-dev:latest . -f ./cilium-dev.Dockerfile
 
-docker-images-all: docker-cilium-image docker-plugin-image docker-hubble-relay-image docker-operator-images-all
+docker-images-all: docker-cilium-image docker-plugin-image docker-hubble-relay-image docker-clustermesh-apiserver-image docker-operator-images-all
 
-docker-images-all-unstripped: docker-cilium-image-unstripped docker-plugin-image-unstripped docker-hubble-relay-image-unstripped docker-operator-images-all-unstripped
+docker-images-all-unstripped: docker-cilium-image-unstripped docker-plugin-image-unstripped docker-hubble-relay-image-unstripped docker-clustermesh-apiserver-image-unstripped docker-operator-images-all-unstripped
 
 docker-operator-images-all: docker-operator-image docker-operator-aws-image docker-operator-azure-image docker-operator-generic-image
 
@@ -145,4 +145,22 @@ docker-hubble-relay-image-unstripped: NOSTRIP=1
 docker-hubble-relay-image-unstripped: UNSTRIPPED=-unstripped
 docker-hubble-relay-image-unstripped: docker-hubble-relay-image
 
+docker-clustermesh-apiserver-image: $(BUILD_DIR)/clustermesh-apiserver.Dockerfile build-context-update
+	$(QUIET)$(CONTAINER_ENGINE) build \
+		$(DOCKER_FLAGS) \
+		--build-arg BASE_IMAGE=${BASE_IMAGE} \
+		--build-arg NOSTRIP=${NOSTRIP} \
+		--build-arg LOCKDEBUG=${LOCKDEBUG} \
+		--build-arg RACE=${RACE}\
+		--build-arg CILIUM_SHA=$(firstword $(GIT_VERSION)) \
+		-f $(BUILD_DIR)/clustermesh-apiserver.Dockerfile \
+		-t cilium/clustermesh-apiserver$(UNSTRIPPED):$(DOCKER_IMAGE_TAG) $(DOCKER_BUILD_DIR)
+	$(QUIET)$(CONTAINER_ENGINE) tag cilium/clustermesh-apiserver$(UNSTRIPPED):$(DOCKER_IMAGE_TAG) cilium/clustermesh-apiserver$(UNSTRIPPED):$(DOCKER_IMAGE_TAG)-${GOARCH}
+	@echo "Push like this when ready:"
+	@echo "${CONTAINER_ENGINE} push cilium/clustermesh-apiserver$(UNSTRIPPED):$(DOCKER_IMAGE_TAG)-${GOARCH}"
+
+docker-clustermesh-apiserver-image-unstripped: NOSTRIP=1
+docker-clustermesh-apiserver-image-unstripped: UNSTRIPPED=-unstripped
+docker-clustermesh-apiserver-image-unstripped: docker-clustermesh-apiserver-image
+
 .PHONY: docker-image-runtime docker-image-builder docker-cilium-manifest docker-cilium-dev-manifest docker-operator-manifest docker-plugin-manifest docker-cilium-runtime-manifest docker-cilium-builder-manifest

clustermesh-apiserver.Dockerfile

@@ -0,0 +1,41 @@
+# (first line comment needed for DOCKER_BUILDKIT use)
+#
+ARG BASE_IMAGE=scratch
+
+FROM docker.io/library/golang:1.15.3 as builder
+ARG CILIUM_SHA=""
+LABEL cilium-sha=${CILIUM_SHA}
+ADD . /go/src/github.com/cilium/cilium 
+WORKDIR /go/src/github.com/cilium/cilium/clustermesh-apiserver
+ARG NOSTRIP
+ARG LOCKDEBUG
+ARG RACE
+RUN make RACE=${RACE} NOSTRIP=${NOSTRIP} LOCKDEBUG=${LOCKDEBUG}
+
+# CGO_ENABLED=0 GOOS=linux go build
+
+FROM docker.io/library/alpine:3.12.0 as certs
+ARG CILIUM_SHA=""
+LABEL cilium-sha=${CILIUM_SHA}
+RUN apk --update add ca-certificates
+
+FROM docker.io/library/golang:1.15.3 as gops
+ARG CILIUM_SHA=""
+LABEL cilium-sha=${CILIUM_SHA}
+RUN go get -d github.com/google/gops && \
+    cd /go/src/github.com/google/gops && \
+    git checkout -b v0.3.10 v0.3.10 && \
+    git --no-pager remote -v && \
+    git --no-pager log -1 && \
+    CGO_ENABLED=0 go install && \
+    strip /go/bin/gops
+
+FROM ${BASE_IMAGE}
+ARG CILIUM_SHA=""
+LABEL cilium-sha=${CILIUM_SHA}
+LABEL maintainer="[email protected]"
+COPY --from=builder /go/src/github.com/cilium/cilium/clustermesh-apiserver/etcd-config.yaml /var/lib/cilium/etcd-config.yaml
+COPY --from=builder /go/src/github.com/cilium/cilium/clustermesh-apiserver/clustermesh-apiserver /usr/bin/clustermesh-apiserver
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=gops /go/bin/gops /bin/gops
+ENTRYPOINT ["/usr/bin/clustermesh-apiserver"]

clustermesh-apiserver/.gitignore

@@ -0,0 +1 @@
+clustermesh-apiserver

clustermesh-apiserver/Makefile

@@ -0,0 +1,26 @@
+# Copyright 2017-2020 Authors of Cilium
+# SPDX-License-Identifier: Apache-2.0
+
+include ../Makefile.defs
+
+TARGET := clustermesh-apiserver
+
+.PHONY: all $(TARGET) clean install
+
+all: $(TARGET)
+
+$(TARGET):
+	@$(ECHO_GO)
+	$(QUIET)$(GO_BUILD) -o $@
+
+clean:
+	@$(ECHO_CLEAN)
+	-$(QUIET)rm -f $(TARGET)
+	$(QUIET)$(GO_CLEAN)
+
+install:
+	$(QUIET)$(INSTALL) -m 0755 -d $(DESTDIR)$(BINDIR)
+	$(QUIET)$(INSTALL) -m 0755 $(TARGET) $(DESTDIR)$(BINDIR)
+	$(QUIET)$(INSTALL) -m 0755 -d $(DESTDIR)$(CONFDIR)/bash_completion.d
+	./$(TARGET) completion bash > $(TARGET)_bash_completion
+	$(QUIET)$(INSTALL) -m 0644 -T $(TARGET)_bash_completion $(DESTDIR)$(CONFDIR)/bash_completion.d/$(TARGET)

clustermesh-apiserver/README.md

@@ -0,0 +1,29 @@
+# API server for Cilium ClusterMesh
+
+## Deploy the clustermesh-apiserver
+
+Cilium Helm charts automatically deploy clustermesh-apiserver when Cilium
+cluster.name is not "default". Remember to set a non-zero cluster.id in Helm as
+well. `clustermesh-apiserver` service type defaults to `NodePort`. Depending on
+your k8s provider it may be beneficial to change this to `LoadBalancer`:
+
+   $ helm install cilium ... \
+     --set clustermesh.apiserver.service.type=LoadBalancer \
+
+Additionally, if your load balancer can give you a static IP address, it may be
+specified like so:
+
+   $ helm install cilium ... \
+     --set clustermesh.apiserver.service.loadBalancerIP=xxx.xxx.xxx.xxx \
+
+## Connect Cilium clusters in to a clustermesh
+
+1. Extract a `cilium-clustermesh` secret from each cluster to be applied in another cluster:
+
+   $ contrib/k8s/k8s-extract-clustermesh-nodeport-secret.sh > cluster1-secret.json
+
+   Repeat this step in all your clusters, storing the outputs into different files.
+
+3. Apply secrets from all other clusters in each of your clusters, e.g., on cluster1:
+
+   $ contrib/k8s/k8s-import-clustermesh-secrets.sh cluster2-secret.json cluster3-secret.json ...

clustermesh-apiserver/etcd-config.yaml

@@ -0,0 +1,6 @@
+---
+trusted-ca-file: /var/lib/cilium/etcd-secrets/ca.crt
+key-file: /var/lib/cilium/etcd-secrets/tls.key
+cert-file: /var/lib/cilium/etcd-secrets/tls.crt
+endpoints:
+- https://127.0.0.1:2379