remove owner references from HA components (#259)

* move seaweedfs service creation to join comand

* push ttl.sh

* add ca certs

* remove secret creation on HA enable

* remove additional certs package from melange build

* remove secret ownership

.github/workflows/pull-request.yaml

@@ -81,7 +81,7 @@ jobs:
         export VERSION=${{needs.get-tag.outputs.tag}}
         export IMAGE=ttl.sh/embedded-cluster-operator-image:dev-${VERSION}
         export APKO_CONFIG=deploy/apko.tmpl.yaml
-        make apko apko-build
+        make apko apko-build-and-publish
 
   check-crds:
     runs-on: ubuntu-latest

Makefile

@@ -308,7 +308,7 @@ build-ttl.sh: export IMAGE ?= ttl.sh/${CURRENT_USER}/embedded-cluster-operator-i
 build-ttl.sh: export VERSION ?= $(shell git describe --tags --dirty --always --abbrev=8 | sed 's/^v//')
 build-ttl.sh: export MELANGE_CONFIG = deploy/melange.tmpl.yaml
 build-ttl.sh: export APKO_CONFIG = deploy/apko.tmpl.yaml
-build-ttl.sh: melange-build apko-publish
+build-ttl.sh: melange-build apko-build-and-publish
 
 .PHONY: build-chart-ttl.sh
 build-chart-ttl.sh: build-ttl.sh

controllers/installation_controller.go

@@ -422,18 +422,7 @@ func (r *InstallationReconciler) ReconcileRegistry(ctx context.Context, in *v1be
 		return fmt.Errorf("failed to get cluster config: %w", err)
 	}
 
-	serviceCIDR := util.ClusterServiceCIDR(clusterConfig, in)
-
-	err := registry.EnsureResources(ctx, in, r.Client, serviceCIDR)
-	if err != nil {
-		// Conditions may be updated so we need to update the status
-		if err := r.Status().Update(ctx, in); err != nil {
-			log.Error(err, "Failed to update installation status")
-		}
-		return fmt.Errorf("failed to ensure registry resources: %w", err)
-	}
-
-	err = registry.MigrateRegistryData(ctx, in, r.Client)
+	err := registry.MigrateRegistryData(ctx, in, r.Client)
 	if err != nil {
 		if err := r.Status().Update(ctx, in); err != nil {
 			log.Error(err, "Failed to update installation status")
@@ -1058,9 +1047,6 @@ func (r *InstallationReconciler) needsUpgrade(ctx context.Context, in *v1beta1.I
 func (r *InstallationReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&v1beta1.Installation{}).
-		Owns(&corev1.Secret{}).
-		Owns(&corev1.Service{}).
-		Owns(&batchv1.Job{}).
 		Watches(&corev1.Node{}, &handler.EnqueueRequestForObject{}).
 		Watches(&apv1b2.Plan{}, &handler.EnqueueRequestForObject{}).
 		Watches(&k0shelm.Chart{}, &handler.EnqueueRequestForObject{}).

deploy/apko.tmpl.yaml

@@ -7,6 +7,7 @@ contents:
     - ./melange.rsa.pub
   packages:
     - embedded-cluster-operator  # This is expected to be built locally by `melange`.
+    - ca-certificates-bundle
 
 accounts:
   groups:

pkg/registry/labels.go

@@ -10,15 +10,3 @@ func applyRegistryLabels(labels map[string]string, component string) map[string]
 	labels["app.kubernetes.io/managed-by"] = "embedded-cluster-operator"
 	return labels
 }
-
-func applySeaweedFSLabels(labels map[string]string, component string) map[string]string {
-	if labels == nil {
-		labels = make(map[string]string)
-	}
-	labels["app.kubernetes.io/name"] = "seaweedfs" // this is the backup/restore label for seaweedfs
-	labels["app.kubernetes.io/component"] = component
-	labels["app.kubernetes.io/instance"] = "seaweedfs"
-	labels["app.kubernetes.io/part-of"] = "embedded-cluster"
-	labels["app.kubernetes.io/managed-by"] = "embedded-cluster-operator"
-	return labels
-}

pkg/registry/migrate.go

@@ -21,6 +21,10 @@ const registryDataMigrationJobName = "registry-data-migration"
 const RegistryMigrationStatusConditionType = "RegistryMigrationStatus"
 const RegistryMigrationServiceAccountName = "registry-data-migration-serviceaccount"
 
+// registryS3SecretName is the name of the Registry secret.
+// This secret name is defined in the chart in the release metadata.
+const registryS3SecretName = "seaweedfs-s3-rw"
+
 // MigrateRegistryData should be called when transitioning from non-HA to HA airgapped installations
 // this function creates a job that will scale down the registry deployment then upload the data to s3
 // before finally creating a 'migration is complete' secret in the registry namespace

pkg/registry/registry.go

@@ -1,17 +1,9 @@
 package registry
 
 import (
-	"context"
 	"fmt"
 
-	clusterv1beta1 "github.com/replicatedhq/embedded-cluster-kinds/apis/v1beta1"
 	"github.com/replicatedhq/embedded-cluster-operator/pkg/util"
-	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
 const (
@@ -24,46 +16,6 @@ const (
 	registryLowerBandIPIndex = 10
 )
 
-func EnsureResources(ctx context.Context, in *clusterv1beta1.Installation, cli client.Client, serviceCIDR string) error {
-	log := ctrl.LoggerFrom(ctx)
-
-	sfsConfig, op, err := ensureSeaweedfsS3Secret(ctx, in, cli)
-	if err != nil {
-		in.Status.SetCondition(getSeaweedfsS3SecretReadyCondition(in, metav1.ConditionFalse, "Failed", err.Error()))
-		return fmt.Errorf("ensure seaweedfs s3 secret: %w", err)
-	} else if op != controllerutil.OperationResultNone {
-		log.Info("Seaweedfs s3 secret changed", "operation", op)
-	}
-	in.Status.SetCondition(getSeaweedfsS3SecretReadyCondition(in, metav1.ConditionTrue, "SecretReady", ""))
-
-	op, err = ensureRegistryS3Secret(ctx, in, cli, sfsConfig)
-	if err != nil {
-		in.Status.SetCondition(getRegistryS3SecretReadyCondition(in, metav1.ConditionFalse, "Failed", err.Error()))
-		return fmt.Errorf("ensure registry s3 secret: %w", err)
-	} else if op != controllerutil.OperationResultNone {
-		log.Info("Registry s3 secret changed", "operation", op)
-	}
-	in.Status.SetCondition(getRegistryS3SecretReadyCondition(in, metav1.ConditionTrue, "SecretReady", ""))
-
-	seaweedfsS3ServiceIP, err := getSeaweedfsS3ServiceIP(serviceCIDR)
-	if err != nil {
-		err = fmt.Errorf("get seaweedfs s3 service IP: %w", err)
-		in.Status.SetCondition(getSeaweedfsS3ServiceReadyCondition(in, metav1.ConditionFalse, "Failed", err.Error()))
-		return err
-	}
-
-	op, err = ensureSeaweedfsS3Service(ctx, in, cli, seaweedfsS3ServiceIP)
-	if err != nil {
-		in.Status.SetCondition(getSeaweedfsS3ServiceReadyCondition(in, metav1.ConditionFalse, "Failed", err.Error()))
-		return fmt.Errorf("ensure seaweedfs s3 service: %w", err)
-	} else if op != controllerutil.OperationResultNone {
-		log.Info("Seaweedfs s3 service changed", "operation", op)
-	}
-	in.Status.SetCondition(getSeaweedfsS3ServiceReadyCondition(in, metav1.ConditionTrue, "ServiceReady", ""))
-
-	return nil
-}
-
 func RegistryNamespace() string {
 	return registryNamespace
 }
@@ -75,26 +27,3 @@ func GetRegistryServiceIP(serviceCIDR string) (string, error) {
 	}
 	return ip.String(), nil
 }
-
-func ensureRegistryNamespace(ctx context.Context, cli client.Client) error {
-	obj := &corev1.Namespace{
-		ObjectMeta: metav1.ObjectMeta{Name: registryNamespace},
-	}
-
-	err := cli.Create(ctx, obj)
-	if err != nil && !k8serrors.IsAlreadyExists(err) {
-		return fmt.Errorf("create registry namespace: %w", err)
-	}
-
-	return nil
-}
-
-func getCondition(in *clusterv1beta1.Installation, conditionType string, status metav1.ConditionStatus, reason string, message string) metav1.Condition {
-	return metav1.Condition{
-		Type:               conditionType,
-		Status:             status,
-		Reason:             reason,
-		Message:            message,
-		ObservedGeneration: in.Generation,
-	}
-}