Merge pull request #773 from ecpullen/metal

Metal: Add metal k8s resource provider

Author: ecpullen

Cargo.lock

@@ -147,6 +147,35 @@ COPY --from=build-src /usr/share/licenses/testsys /licenses/testsys
 
 CMD dockerd --storage-driver vfs &>/dev/null & ./vsphere-k8s-cluster-resource-agent
 
+# =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
+# Builds the Metal K8s cluster resource agent image
+FROM public.ecr.aws/amazonlinux/amazonlinux:2 as metal-k8s-cluster-resource-agent
+
+RUN yum install -y \
+        openssh-clients \
+        tar \
+    && yum clean all
+RUN amazon-linux-extras install -y docker
+
+# Copy eksctl
+COPY --from=tools /eksctl /usr/bin/eksctl
+COPY --from=tools /licenses/eksctl /licenses/eksctl
+
+# Copy eksctl-anywhere
+COPY --from=tools /eksctl-anywhere /usr/bin/eksctl-anywhere
+COPY --from=tools /licenses/eksctl-anywhere /licenses/eksctl-anywhere
+
+# Copy kubectl
+COPY --from=tools /kubectl /usr/local/bin/kubectl
+COPY --from=tools /licenses/kubernetes /licenses/kubernetes
+
+# Copy binary
+COPY --from=build-src /src/bottlerocket/agents/bin/metal-k8s-cluster-resource-agent ./
+# Copy licenses
+COPY --from=build-src /usr/share/licenses/testsys /licenses/testsys
+
+CMD dockerd --storage-driver vfs &>/dev/null & ./metal-k8s-cluster-resource-agent
+
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 # Builds the ECS test agent image
 FROM public.ecr.aws/amazonlinux/amazonlinux:2 as ecs-test-agent

Dockerfile

@@ -23,7 +23,7 @@ TESTSYS_BUILD_GOPROXY ?= direct
 # to the project.
 IMAGES = controller sonobuoy-test-agent ec2-resource-agent eks-resource-agent ecs-resource-agent \
 	migration-test-agent vsphere-vm-resource-agent vsphere-k8s-cluster-resource-agent ecs-test-agent \
-	k8s-workload-agent ecs-workload-agent
+	k8s-workload-agent ecs-workload-agent metal-k8s-cluster-resource-agent
 
 # Store targets for tagging images
 TAG_IMAGES = $(addprefix tag-, $(IMAGES))
@@ -139,7 +139,7 @@ tools:
 		./tools
 
 # Build the container image for a testsys agent
-eks-resource-agent ec2-resource-agent ecs-resource-agent vsphere-vm-resource-agent vsphere-k8s-cluster-resource-agent sonobuoy-test-agent migration-test-agent ecs-test-agent k8s-workload-agent ecs-workload-agent: show-variables fetch
+eks-resource-agent ec2-resource-agent ecs-resource-agent vsphere-vm-resource-agent vsphere-k8s-cluster-resource-agent sonobuoy-test-agent migration-test-agent ecs-test-agent k8s-workload-agent ecs-workload-agent metal-k8s-cluster-resource-agent: show-variables fetch
 	docker build $(DOCKER_BUILD_FLAGS) \
 		--build-arg ARCH="$(TESTSYS_BUILD_HOST_UNAME_ARCH)" \
 		--build-arg BUILDER_IMAGE="$(BUILDER_IMAGE)" \

Makefile

@@ -10,6 +10,8 @@ agent-common = { version = "0.0.5", path = "../../agent/agent-common" }
 aws-config = "0.54"
 aws-credential-types = "0.54"
 aws-types = "0.54"
+aws-sdk-iam = "0.24"
+aws-sdk-ssm = "0.24"
 aws-sdk-sts = "0.24"
 aws-smithy-types = "0.54"
 base64 = "0.20"

agent/utils/Cargo.toml

@@ -1,3 +1,5 @@
+use aws_sdk_iam::error::{AttachRolePolicyError, CreateRoleError, GetRoleError};
+use aws_sdk_ssm::error::{CreateActivationError, DescribeInstanceInformationError};
 use aws_sdk_sts::error::AssumeRoleError;
 use aws_sdk_sts::types::SdkError;
 use snafu::Snafu;
@@ -12,18 +14,61 @@ pub enum Error {
         source: SdkError<AssumeRoleError>,
     },
 
+    #[snafu(display(
+        "Failed to attach policy '{}' to role '{}': {}",
+        policy_arn,
+        role_name,
+        source
+    ))]
+    AttachRolePolicy {
+        role_name: String,
+        policy_arn: String,
+        source: SdkError<AttachRolePolicyError>,
+    },
+
     #[snafu(display("Failed to decode base64 blob: {}", source))]
     Base64Decode { source: base64::DecodeError },
 
-    #[snafu(display("Failed to setup environment variables: {}", what))]
-    EnvSetup { what: String },
-
     #[snafu(display("Could not convert '{}' secret to string: {}", what, source))]
     Conversion { what: String, source: FromUtf8Error },
 
+    #[snafu(display("Failed to send create SSM command: {}", source))]
+    CreateSsmActivation {
+        source: SdkError<CreateActivationError>,
+    },
+
+    #[snafu(display(
+        "Unable to create role '{}' with policy '{}': {}",
+        role_name,
+        role_policy,
+        source
+    ))]
+    CreateRole {
+        role_name: String,
+        role_policy: String,
+        source: SdkError<CreateRoleError>,
+    },
+
     #[snafu(display("Credentials were missing for assumed role '{}'", role_arn))]
     CredentialsMissing { role_arn: String },
 
+    #[snafu(display("Failed to setup environment variables: {}", what))]
+    EnvSetup { what: String },
+
+    #[snafu(display("Unable to get managed instance information: {}", source))]
+    GetManagedInstanceInfo {
+        source: SdkError<DescribeInstanceInformationError>,
+    },
+
+    #[snafu(display("Unable to get SSM role '{}': {}", role_name, source))]
+    GetSSMRole {
+        role_name: String,
+        source: SdkError<GetRoleError>,
+    },
+
+    #[snafu(display("{} was missing from {}", what, from))]
+    Missing { what: String, from: String },
+
     #[snafu(display("Secret was missing: {}", source))]
     SecretMissing {
         source: agent_common::secrets::Error,
@@ -35,3 +80,5 @@ pub enum Error {
         source: std::io::Error,
     },
 }
+
+pub type Result<T> = std::result::Result<T, Error>;

agent/utils/src/error.rs

@@ -19,6 +19,7 @@ use std::{env, fs};
 pub mod aws;
 pub mod constants;
 mod error;
+pub mod ssm;
 
 /// Decode base64 blob and write to a file at the specified path
 pub async fn base64_decode_write_file(