Merge pull request #225 from web-seven/224-bugprovider-loaded-provide…

…r-package-do-not-pulled-by-kubelet

local registry kyverno policy and auto creation

go.mod

@@ -5,6 +5,7 @@ go 1.21.4
 require (
 	github.com/Masterminds/semver/v3 v3.2.1
 	github.com/docker/docker v24.0.7+incompatible
+	github.com/go-logr/logr v1.4.1
 	github.com/pkg/errors v0.9.1
 	go.uber.org/zap v1.26.0
 	gopkg.in/yaml.v3 v3.0.1
@@ -63,7 +64,6 @@ require (
 	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect

internal/engine/engine.go

@@ -2,7 +2,6 @@ package engine
 
 import (
 	"context"
-	b64 "encoding/base64"
 	"fmt"
 	"net/url"
 	"strings"
@@ -13,43 +12,18 @@ import (
 	"github.com/web-seven/overlock/internal/install"
 	"github.com/web-seven/overlock/internal/install/helm"
 	"github.com/web-seven/overlock/internal/namespace"
-	"gopkg.in/yaml.v3"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/rest"
 
 	"go.uber.org/zap"
-	corev1 "k8s.io/api/core/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
-	extv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	"sigs.k8s.io/controller-runtime/pkg/builder"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-	"sigs.k8s.io/controller-runtime/pkg/event"
-	"sigs.k8s.io/controller-runtime/pkg/manager"
-	"sigs.k8s.io/controller-runtime/pkg/predicate"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 
-type SecretReconciler struct {
-	serverIP string
-	client.Client
-	context.CancelFunc
-}
-
 const (
-	RepoUrl                = "https://charts.crossplane.io/stable"
-	ChartName              = "crossplane"
-	ReleaseName            = "overlock-crossplane"
-	Version                = "1.15.2"
-	kindClusterRole        = "ClusterRole"
-	ProviderConfigName     = "overlock-kubernetes-provider-config"
-	helmProviderConfigName = "overlock-helm-provider-config"
-	aggregateToAdmin       = "rbac.crossplane.io/aggregate-to-admin"
-	trueVal                = "true"
-	errParsePackageName    = "package name is not valid"
+	RepoUrl             = "https://charts.crossplane.io/stable"
+	ChartName           = "crossplane"
+	ReleaseName         = "overlock-crossplane"
+	Version             = "1.17.1"
+	trueVal             = "true"
+	errParsePackageName = "package name is not valid"
 )
 
 var (
@@ -148,257 +122,6 @@ func ManagedSelector(m map[string]string) string {
 	return strings.Join(selectors, ",")
 }
 
-// Setup Kubernetes provider which has crossplane admin aggregation role assigned
-func SetupPrivilegedKubernetesProvider(ctx context.Context, configClient *rest.Config, logger *zap.SugaredLogger) error {
-
-	pcn := ProviderConfigName
-
-	sa := &corev1.ServiceAccount{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      pcn,
-			Namespace: namespace.Namespace,
-		},
-	}
-
-	saSec := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      pcn,
-			Namespace: namespace.Namespace,
-			Annotations: map[string]string{
-				"kubernetes.io/service-account.name": sa.Name,
-			},
-		},
-		Type: corev1.SecretTypeServiceAccountToken,
-	}
-
-	cr := &rbacv1.ClusterRole{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: pcn,
-		},
-		Rules: []rbacv1.PolicyRule{
-			{
-				APIGroups: []string{"*", ""},
-				Verbs:     []string{"*"},
-				Resources: []string{"*"},
-			},
-		},
-	}
-
-	crb := &rbacv1.ClusterRoleBinding{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: pcn,
-		},
-		Subjects: []rbacv1.Subject{
-			{
-				Kind:      rbacv1.ServiceAccountKind,
-				Name:      sa.Name,
-				Namespace: namespace.Namespace,
-			},
-		},
-		RoleRef: rbacv1.RoleRef{
-			APIGroup: rbacv1.GroupName,
-			Kind:     kindClusterRole,
-			Name:     cr.Name,
-		},
-	}
-
-	scheme := runtime.NewScheme()
-	rbacv1.AddToScheme(scheme)
-	corev1.AddToScheme(scheme)
-	extv1.AddToScheme(scheme)
-	ctrl, _ := client.New(configClient, client.Options{Scheme: scheme})
-	for _, res := range []client.Object{sa, saSec, cr, crb} {
-		_, err := controllerutil.CreateOrUpdate(ctx, ctrl, res, func() error {
-			return nil
-		})
-		if err != nil {
-			return err
-		}
-	}
-
-	svc := &corev1.Service{}
-	err := ctrl.Get(ctx, types.NamespacedName{Namespace: "default", Name: "kubernetes"}, svc)
-	if err != nil {
-		return err
-	}
-
-	mgr, err := manager.New(configClient, manager.Options{})
-	if err != nil {
-		return err
-	}
-	mgrContext, cancel := context.WithCancel(context.Background())
-	if err = builder.
-		ControllerManagedBy(mgr).
-		For(&corev1.ServiceAccount{}).
-		WithEventFilter(predicate.Funcs{
-			UpdateFunc: func(e event.UpdateEvent) bool {
-				return e.ObjectNew.GetName() == ProviderConfigName
-			},
-			DeleteFunc: func(e event.DeleteEvent) bool {
-				return e.Object.GetName() == ProviderConfigName
-			},
-			CreateFunc: func(e event.CreateEvent) bool {
-				return e.Object.GetName() == ProviderConfigName
-			},
-			GenericFunc: func(e event.GenericEvent) bool {
-				return e.Object.GetName() == ProviderConfigName
-			},
-		},
-		).
-		Complete(&SecretReconciler{
-			Client:     ctrl,
-			CancelFunc: cancel,
-			serverIP:   "https://" + svc.Spec.ClusterIP + ":443",
-		}); err != nil {
-		return err
-	}
-	logger.Debug("Starting reconciliation of Kubernetes Provider")
-	mgr.Start(mgrContext)
-	return nil
-}
-
-// Reconcile SvcAcc secret for make kubeconfig
-func (a *SecretReconciler) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error) {
-	sec := &corev1.Secret{}
-	err := a.Get(ctx, req.NamespacedName, sec)
-	if err != nil {
-		return reconcile.Result{}, err
-	} else if sec.GetName() != ProviderConfigName {
-		return reconcile.Result{Requeue: true}, nil
-	}
-
-	if _, err = controllerutil.CreateOrUpdate(ctx, a.Client, sec, func() error {
-		kubeconfig, _ := yaml.Marshal(&map[string]interface{}{
-			"apiVersion":      "v1",
-			"kind":            "Config",
-			"current-context": "in-cluster",
-			"clusters": []map[string]interface{}{
-				{
-					"cluster": map[string]interface{}{
-						"certificate-authority-data": b64.StdEncoding.EncodeToString(sec.Data["ca.crt"]),
-						"server":                     a.serverIP,
-					},
-					"name": "in-cluster",
-				},
-			},
-			"contexts": []map[string]interface{}{
-				{
-					"context": map[string]interface{}{
-						"cluster":   "in-cluster",
-						"user":      "in-cluster",
-						"namespace": "overlock-system",
-					},
-					"name": "in-cluster",
-				},
-			},
-			"preferences": map[string]interface{}{},
-			"users": []map[string]interface{}{
-				{
-					"name": "in-cluster",
-					"user": map[string]interface{}{
-						"token": string(sec.Data["token"]),
-					},
-				},
-			},
-		})
-
-		sec.Data["kubeconfig"] = []byte(kubeconfig)
-		return nil
-	}); err != nil {
-		return reconcile.Result{}, err
-	}
-
-	crd := &extv1.CustomResourceDefinition{}
-	err = a.Get(ctx, types.NamespacedName{Name: "providerconfigs.kubernetes.crossplane.io"}, crd)
-	if err != nil {
-		return reconcile.Result{Requeue: true}, err
-	}
-
-	pc := &unstructured.Unstructured{
-		Object: map[string]interface{}{
-			"apiVersion": "kubernetes.crossplane.io/v1alpha1",
-			"kind":       "ProviderConfig",
-			"metadata": map[string]interface{}{
-				"name": ProviderConfigName,
-			},
-		},
-	}
-
-	hpc := &unstructured.Unstructured{
-		Object: map[string]interface{}{
-			"apiVersion": "helm.crossplane.io/v1beta1",
-			"kind":       "ProviderConfig",
-			"metadata": map[string]interface{}{
-				"name": helmProviderConfigName,
-			},
-		},
-	}
-
-	envObj := &unstructured.Unstructured{
-		Object: map[string]interface{}{
-			"apiVersion": "overlock.io/v1alpha1",
-			"kind":       "Environment",
-			"metadata": map[string]interface{}{
-				"name": "environment",
-			},
-			"spec": map[string]interface{}{
-				"crossplane:": map[string]interface{}{},
-				"kyverno:":    map[string]interface{}{},
-				"name":        ReleaseName,
-				"namespace":   namespace.Namespace,
-				"configuration": map[string]interface{}{
-					"packages": []interface{}{},
-				},
-				"provider": map[string]interface{}{
-					"packages": []interface{}{},
-				},
-				"helmProviderCfgRef":       helmProviderConfigName,
-				"kubernetesProviderCfgRef": ProviderConfigName,
-			},
-		},
-	}
-
-	if _, err = controllerutil.CreateOrUpdate(ctx, a.Client, pc, func() error {
-		pc.Object["spec"] = map[string]interface{}{
-			"credentials": map[string]interface{}{
-				"secretRef": map[string]interface{}{
-					"key":       "kubeconfig",
-					"name":      ProviderConfigName,
-					"namespace": namespace.Namespace,
-				},
-				"source": "Secret",
-			},
-		}
-		return nil
-	}); err != nil {
-		return reconcile.Result{}, err
-	}
-
-	if _, err = controllerutil.CreateOrUpdate(ctx, a.Client, hpc, func() error {
-		hpc.Object["spec"] = map[string]interface{}{
-			"credentials": map[string]interface{}{
-				"secretRef": map[string]interface{}{
-					"key":       "kubeconfig",
-					"name":      ProviderConfigName,
-					"namespace": namespace.Namespace,
-				},
-				"source": "Secret",
-			},
-		}
-		return nil
-	}); err != nil {
-		return reconcile.Result{}, err
-	}
-
-	if _, err = controllerutil.CreateOrUpdate(ctx, a.Client, envObj, func() error { return nil }); err != nil {
-		return reconcile.Result{}, err
-	}
-
-	a.CancelFunc()
-
-	return reconcile.Result{}, nil
-}
-
 func BuildPack(pack v1.Package, img string, pkgMap map[string]string) error {
 	ref, err := name.ParseReference(img, name.WithDefaultRegistry(""))
 	if err != nil {

internal/environment/environment.go

@@ -16,6 +16,7 @@ import (
 	"github.com/web-seven/overlock/internal/engine"
 	"github.com/web-seven/overlock/internal/kube"
 	"github.com/web-seven/overlock/internal/namespace"
+	"github.com/web-seven/overlock/internal/policy"
 	"github.com/web-seven/overlock/internal/registry"
 	"github.com/web-seven/overlock/internal/resources"
 	"k8s.io/client-go/tools/clientcmd"
@@ -148,11 +149,19 @@ func (e *Environment) Setup(ctx context.Context, logger *zap.SugaredLogger) erro
 		return err
 	}
 
+	logger.Debug("Installing policy controller")
+	err = policy.AddPolicyConroller(ctx, configClient, "kyverno")
+	if err != nil {
+		return err
+	}
+	logger.Debug("Done")
+
 	logger.Debug("Preparing engine")
 	installer, err := engine.GetEngine(configClient)
 	if err != nil {
 		return err
 	}
+	logger.Debug("Done")
 
 	var params map[string]any
 	release, err := installer.GetRelease()

internal/environment/kind.go

@@ -102,10 +102,6 @@ func (e *Environment) configYaml(logger *zap.SugaredLogger) string {
 		Kind:       "Cluster",
 		APIVersion: "kind.x-k8s.io/v1alpha4",
 		Nodes: []KindNode{
-			{
-				Role:        "worker",
-				ExtraMounts: []KindMount{},
-			},
 			{
 				Role: "control-plane",
 				KubeadmConfigPatches: []string{

internal/namespace/namespace.go

@@ -11,7 +11,7 @@ import (
 
 const OVERLOCK_ENGINE_NAMESPACE = "OVERLOCK_ENGINE_NAMESPACE"
 
-var Namespace = "kube-system"
+var Namespace = "overlock"
 
 // Creates system namespace
 func CreateNamespace(ctx context.Context, config *rest.Config) error {