Add support for magnum-capi-helm

* Add kubeconfig as configuration option to charm * Update magnum.conf templates to add new configuration related to magnum-capi-helm driver Change-Id: Id2eacca3cb189be5507f29f84ebcce73c0c201a5 Signed-off-by: Hemanth Nakkina <hemanth.nakkina@canonical.com>
2025-08-19 17:27:42 +05:30
parent d9f95d07b1
commit 75c50a1e18
9 changed files with 161 additions and 5 deletions
--- a/charms/magnum-k8s/README.md
+++ b/charms/magnum-k8s/README.md
@@ -34,6 +34,27 @@ Actions allow specific operations to be performed on a per-unit basis. To
 display action descriptions run `juju actions magnum`. If the charm is not
 deployed then see file `actions.yaml`.

+### Further information on testing
+
+magnum-k8s support magnum-capi-helm driver and needs external kubernetes management
+cluster.
+
+Kubernetes management cluster should already have the Cluster API deployed.
+Cluster API can be deployed by running following steps
+
+    curl -L https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.9.6/clusterctl-linux-amd64 -o clusterctl
+    sudo install -o root -g root -m 0755 clusterctl /usr/local/bin/clusterctl
+    KUBECONFIG=<kubeconfig file path> clusterctl init --core cluster-api:v1.9.6 --bootstrap canonical-kubernetes --control-plane canonical-kubernetes --infrastructure openstack:v0.11.3 --addon helm
+
+
+Also Kubernetes cluster credentials should be passed as a juju secret to the
+magnum charm via config option `kubeconfig`
+Steps to create juju secret and update config
+
+    juju add-secret secret-kubeconfig kubeconfig#file=<kubeconfig file path>
+    juju grant-secret secret-kubeconfig magnum
+    juju config magnum kubeconfig=<secret-kubeconfig URI>
+
 ## Relations

 magnum-k8s requires the following relations:
--- a/charms/magnum-k8s/charmcraft.yaml
+++ b/charms/magnum-k8s/charmcraft.yaml
@@ -32,6 +32,11 @@ config:
      default: RegionOne
      description: Name of the OpenStack region
      type: string
+    kubeconfig:
+      type: secret
+      description: |
+        Kubeconfig to connect to Cluster API management cluster.
+        The value should be juju secret.

 containers:
  magnum-api:
--- a/charms/magnum-k8s/src/charm.py
+++ b/charms/magnum-k8s/src/charm.py
@@ -18,6 +18,9 @@ This charm provide Magnum services as part of an OpenStack deployment
 """

 import logging
+from functools import (
+    cached_property,
+)
 from typing import (
    TYPE_CHECKING,
    List,
@@ -28,11 +31,17 @@ import ops_sunbeam.charm as sunbeam_charm
 import ops_sunbeam.config_contexts as sunbeam_config_contexts
 import ops_sunbeam.container_handlers as sunbeam_chandlers
 import ops_sunbeam.core as sunbeam_core
+import ops_sunbeam.guard as sunbeam_guard
 import ops_sunbeam.relation_handlers as sunbeam_rhandlers
 import ops_sunbeam.tracing as sunbeam_tracing
+import yaml
 from ops.framework import (
    StoredState,
 )
+from ops.model import (
+    ModelError,
+    SecretNotFoundError,
+)

 logger = logging.getLogger(__name__)

@@ -51,7 +60,7 @@ class MagnumConfigurationContext(sunbeam_config_contexts.ConfigContext):
    @property
    def ready(self) -> bool:
        """Whether the context has all the data is needs."""
-        return self.charm.user_id_ops.ready
+        return self.charm.user_id_ops.ready and bool(self.charm.kubeconfig)

    def context(self) -> dict:
        """Magnum configuration context."""
@@ -63,6 +72,7 @@ class MagnumConfigurationContext(sunbeam_config_contexts.ConfigContext):
            "domain_name": self.charm.domain_name,
            "domain_admin_user": username,
            "domain_admin_password": password,
+            "kubeconfig": self.charm.kubeconfig or "",
        }


@@ -121,6 +131,11 @@ class MagnumConductorPebbleHandler(sunbeam_chandlers.ServicePebbleHandler):
                "magnum",
                0o640,
            ),
+            sunbeam_core.ContainerConfigFile(
+                "/etc/magnum/kubeconfig",
+                "magnum",
+                "magnum",
+            ),
        ]

    @property
@@ -271,6 +286,20 @@ class MagnumOperatorCharm(sunbeam_charm.OSBaseOperatorAPICharm):
        )
        return pebble_handlers

+    def configure_containers(self) -> None:
+        """Configure containers on this unit."""
+        if not self.config.get("kubeconfig"):
+            raise sunbeam_guard.BlockedExceptionError(
+                "Configuration parameter kubeconfig not set"
+            )
+
+        if self.kubeconfig is None:
+            raise sunbeam_guard.BlockedExceptionError(
+                "Error in retrieving kubeconfig"
+            )
+
+        super().configure_containers()
+
    @property
    def domain_name(self) -> str:
        """Domain name to create."""
@@ -281,6 +310,21 @@ class MagnumOperatorCharm(sunbeam_charm.OSBaseOperatorAPICharm):
        """User to manage users and projects in domain_name."""
        return "magnum_domain_admin"

+    @cached_property
+    def kubeconfig(self) -> str | None:
+        """Kubeconfig content to connect to k8s management cluster."""
+        try:
+            kubeconfig_secret = self.model.get_secret(
+                id=self.config.get("kubeconfig")
+            )
+            kubeconfig_secret_content = kubeconfig_secret.get_content()
+            kubeconfig_string = kubeconfig_secret_content.get("kubeconfig")
+            kubeconfig = yaml.safe_load(kubeconfig_string)
+            return yaml.dump(kubeconfig)
+        except (SecretNotFoundError, ModelError, yaml.YAMLError) as e:
+            logger.info(f"Error in retrieving kubeconfig secret: {e}")
+            return None
+
    def _get_create_role_ops(self) -> list:
        """Generate ops request for create role."""
        return [
--- a/charms/magnum-k8s/src/templates/kubeconfig.j2
+++ b/charms/magnum-k8s/src/templates/kubeconfig.j2
@@ -0,0 +1 @@
+{{ magnum.kubeconfig }}
--- a/charms/magnum-k8s/src/templates/magnum.conf.j2
+++ b/charms/magnum-k8s/src/templates/magnum.conf.j2
@@ -67,3 +67,15 @@ ca_file = /usr/local/share/ca-certificates/ca-bundle.pem

 [audit_middleware_notifications]
 driver = log
+
+[cluster_template]
+kubernetes_allowed_network_drivers = cilium
+
+[capi_helm]
+kubeconfig_file = /etc/magnum/kubeconfig
+# Empty repo so that helm chart can be downloaded from OCI registry
+helm_chart_repo = ""
+helm_chart_name = oci://ghcr.io/canonical/charts/openstack-ck8s-cluster
+default_helm_chart_version = 0.1.0
+api_resources = {"K8sControlPlane": {"api_version": "controlplane.cluster.x-k8s.io/v1beta2", "plural_name": "ck8scontrolplanes"}, "OpenstackCluster": {"api_version": "infrastructure.cluster.x-k8s.io/v1beta1"}}
+k8s_control_plane_resource_conditions = MachinesReady,Ready,ControlPlaneComponentsHealthy
--- a/charms/magnum-k8s/tests/unit/test_magnum_charm.py
+++ b/charms/magnum-k8s/tests/unit/test_magnum_charm.py
@@ -23,6 +23,7 @@ from unittest.mock import (

 import charm
 import ops_sunbeam.test_utils as test_utils
+import yaml
 from ops.testing import (
    Harness,
 )
@@ -79,6 +80,13 @@ class TestMagnumOperatorCharm(test_utils.CharmTestCase):
        self.addCleanup(self.harness.cleanup)
        self.harness.begin()

+        # Create a secret for kubeconfig and update the charm config
+        secret_id = self.harness.add_model_secret(
+            self.harness.charm.app.name,
+            {"kubeconfig": yaml.dump({"cluster": "testcluster"})},
+        )
+        self.harness.update_config({"kubeconfig": secret_id})
+
    def add_complete_identity_resource_relation(self, harness: Harness) -> int:
        """Add complete Identity resource relation."""
        rel_id = harness.add_relation("identity-ops", "keystone")
@@ -103,9 +111,11 @@ class TestMagnumOperatorCharm(test_utils.CharmTestCase):

    def test_pebble_ready_handler(self):
        """Test pebble ready handler."""
-        self.assertEqual(self.harness.charm.seen_events, [])
+        self.assertEqual(
+            self.harness.charm.seen_events, ["ConfigChangedEvent"]
+        )
        test_utils.set_all_pebbles_ready(self.harness)
-        self.assertEqual(len(self.harness.charm.seen_events), 2)
+        self.assertEqual(len(self.harness.charm.seen_events), 3)

    def test_all_relations(self):
        """Test all integrations for operator."""
--- a/tests/all-k8s/tests.yaml
+++ b/tests/all-k8s/tests.yaml
@@ -4,6 +4,7 @@ smoke_bundles:
  - smoke
 configure:
  - zaza.sunbeam.charm_tests.k8s.setup.add_loadbalancer_annotations
+  - zaza.sunbeam.charm_tests.magnum.setup.configure
  - zaza.sunbeam.charm_tests.keystone.setup.wait_for_all_endpoints
  - zaza.openstack.charm_tests.keystone.setup.add_tempest_roles
  - zaza.openstack.charm_tests.nova.setup.create_flavors
@@ -100,8 +101,8 @@ target_deploy_status:
    workload-status: active
    workload-status-message-regex: '^$'
  magnum:
-    workload-status: active
-    workload-status-message-regex: '^$'
+    workload-status: blocked
+    workload-status-message-regex: '^.*Configuration parameter kubeconfig not set$'
  manila:
    workload-status: active
    workload-status-message-regex: '^$'
--- a/tests/local/zaza/sunbeam/charm_tests/magnum/setup.py
+++ b/tests/local/zaza/sunbeam/charm_tests/magnum/setup.py
@@ -0,0 +1,61 @@
+# Copyright (c) 2025 Canonical Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import logging
+import re
+
+import jubilant
+import zaza.model
+
+
+def configure():
+    """Setup any configurations required by Magnum.
+
+    Setup kubeconfig configuration parameter by adding a juju secret.
+    """
+    model = zaza.model.get_juju_model()
+    application = "magnum"
+    secret_name = "kubeconfig"
+    secret_content = {"kubeconfig": "fake-kubeconfig"}
+    secret_not_found_pattern = r'ERROR secret ".*" not found'
+    secret_uri: jubilant.secrettypes.SecretURI
+
+    logging.debug(f"Magnum configure: Using model {model}")
+    juju = jubilant.Juju(model=model)
+
+    create_secret = False
+    try:
+        kubeconfig_secret = juju.show_secret(identifier=secret_name)
+        secret_uri = kubeconfig_secret.uri
+        logging.debug(f"Juju secret {secret_name} found")
+    except jubilant.CLIError as e:
+        match = re.search(secret_not_found_pattern, e.stderr)
+        if not match:
+            raise
+
+        create_secret = True
+
+    if create_secret:
+        logging.debug(f"Create juju secret {secret_name}")
+        secret_uri = juju.add_secret(name=secret_name, content=secret_content)
+        juju.grant_secret(secret_uri, application)
+
+    logging.info(f"Setting {application} kubeconfig option")
+    juju.config(app=application, values={"kubeconfig": secret_uri})
+    logging.info(f"Waiting for application {application} to be active")
+    juju.wait(
+        lambda status: jubilant.all_active(status, application),
+        timeout=180,
+    )
--- a/tox.ini
+++ b/tox.ini
@@ -95,6 +95,7 @@ deps =
  git+https://github.com/openstack-charmers/zaza.git#egg=zaza
  git+https://github.com/openstack-charmers/zaza-openstack-tests.git#egg=zaza.openstack
  git+https://opendev.org/openstack/tempest.git#egg=tempest
+  git+https://github.com/canonical/jubilant.git@v1.3.0#egg=jubilant
  # Pin httpx version due to bug https://github.com/gtsystem/lightkube/issues/78
  httpx>=0.24.0,<0.28.0
  lightkube