Label nodes and update Rbac on helm charts

A new feature has been introduced that labels worker nodes where the application is set to run as a daemonset. Additionally, the role and role binding have been updated to clusterrole and clusterrolebinding, respectively. This enables the daemonset to access pods clusterwide for collecting pod info and vf metrics data. This commit includes labeling on both the sysinv side and the Kubernetes side. On an AIO machine, the given nodes have been labeled. In a Multinode setup, all nodes with worker subfunctions have been labeled. In all configurations, daemonset running pods have clusterwide access to read pod info. Test Plan: - PASSED: The build process completed with the creation of a Debian package. - PASSED: The content of the Debian package was extracted and the presence of the Helm chart tar file was confirmed. - PASSED: AIO-SX lab app was successfully uploaded, applied, removed, and deleted using the 'system application' commands. - PASSED: AIO-DX lab app was successfully uploaded, applied, removed, and deleted using the 'system application' commands. - PASSED: STANDARD lab app was successfully uploaded, applied, removed, and deleted using the 'system application' commands. - PASSED: It was verified that pods are running on the worker node only with labels. - PASSED: After deletion, all the Helm charts and all K8s resources have been removed. - PASSED: On AIO simplex, the nodes have been labeled. On multinode setup, nodes with personality worker have been labeled. - PASSED: On AIO-SX and STANDARD lab, service accounts have access to read pod info. Verified with 'kubectl auth can-i get pods --as="system:serviceaccount:node-interface-metrics-exporter:node-interface-metrics-exporter-sa"'. Story: 2010918 Task: 49479 Change-Id: I45312823651ab8e092440d4c006d105cc305b02e Signed-off-by: AbhishekJ <abhishek.jaiswal@windriver.com>
2024-01-30 19:02:13 +05:30 · 2024-01-30 19:02:13 +05:30 · 15f9e092f2
commit 15f9e092f2
parent c7512355e3
6 changed files with 81 additions and 25 deletions
--- a/python3-k8sapp-node-interface-metrics-exporter/k8sapp_node_interface_metrics_exporter/k8sapp_node_interface_metrics_exporter/common/constants.py
+++ b/python3-k8sapp-node-interface-metrics-exporter/k8sapp_node_interface_metrics_exporter/k8sapp_node_interface_metrics_exporter/common/constants.py
@ -1,5 +1,5 @@
 #
-# Copyright (c) 2023 Wind River Systems, Inc.
+# Copyright (c) 2023-2024 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@ -18,3 +18,5 @@ HELM_LABEL_PARAMETER = 'podLabels'
 HELM_COMPONENT_LABEL = 'app.starlingx.io/component'
 HELM_COMPONENT_LABEL_VALUE_PLATFORM = 'platform'
 HELM_COMPONENT_LABEL_VALUE_APPLICATION = 'application'
+
+NODE_LABEL = 'starlingx.io/interface-metrics=true'
--- a/python3-k8sapp-node-interface-metrics-exporter/k8sapp_node_interface_metrics_exporter/k8sapp_node_interface_metrics_exporter/lifecycle/lifecycle_node_interface_metrics_exporter.py
+++ b/python3-k8sapp-node-interface-metrics-exporter/k8sapp_node_interface_metrics_exporter/k8sapp_node_interface_metrics_exporter/lifecycle/lifecycle_node_interface_metrics_exporter.py
@ -1,5 +1,5 @@
 #
-# Copyright (c) 2023 Wind River Systems, Inc.
+# Copyright (c) 2023-2024 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@ -42,10 +42,17 @@ class NodeInterfaceMetricsExporterAppLifecycleOperator(base.AppLifecycleOperator
                if hook_info.relative_timing == inv_constants.APP_LIFECYCLE_TIMING_POST:
                    return self.post_apply(app_op, app, hook_info)

+                if hook_info.relative_timing == inv_constants.APP_LIFECYCLE_TIMING_PRE:
+                    # on pre apply hook adding Label
+                    self.assign_host_label(app_op)
+
        if hook_info.lifecycle_type == inv_constants.APP_LIFECYCLE_TYPE_OPERATION:
            if hook_info.operation == inv_constants.APP_REMOVE_OP:
                if hook_info.relative_timing == inv_constants.APP_LIFECYCLE_TIMING_POST:
+                    # on post remove hook removing labels
+                    self.remove_host_labels(app_op)
                    return self.post_remove(app)
+
        super(
            NodeInterfaceMetricsExporterAppLifecycleOperator, self
        ).app_lifecycle_actions(context, conductor_obj, app_op, app, hook_info)
@ -172,3 +179,42 @@ class NodeInterfaceMetricsExporterAppLifecycleOperator(base.AppLifecycleOperator
                namespace=app_constants.HELM_NS_METRICS_EXPORTER,
                grace_periods_seconds=0,
            )
+
+    def assign_host_label(self, app_op):
+        """
+        function to assign labels
+        """
+        hosts = app_op._dbapi.ihost_get_list()
+        label_key, label_value = app_constants.NODE_LABEL.split('=')
+        label_dict = {"label_key": label_key, "label_value": label_value}
+        for host in hosts:
+            # subfunctions can have values like "controller,worker", "worker"
+            # "controller", "storage"
+            # checking if contains worker "worker" in "controller,worker"
+            if inv_constants.WORKER in host.subfunctions:
+                # assign Label
+                LOG.info("assign label Node={} has role={}".format(host.hostname, host.subfunctions))
+                try:
+                    app_op._dbapi.label_create(
+                        host.id, {"host_id": host.id, **label_dict}
+                    )
+                except exception.HostLabelAlreadyExists:
+                    pass
+                app_op._update_kubernetes_labels(host.hostname, {label_key: label_value})
+
+    def remove_host_labels(self, app_op):
+        """
+        function to remove labels
+        """
+        hosts = app_op._dbapi.ihost_get_list()
+        for host in hosts:
+            # subfunctions can have values like "controller,worker", "worker"
+            # "controller", "storage"
+            # checking if contains worker "worker" in "controller,worker"
+            if inv_constants.WORKER in host.subfunctions:
+                LOG.info("remove label Node={} has role={}".format(host.hostname, host.subfunctions))
+                # remove Label
+                lbl_obj = app_op._find_label(host.uuid, app_constants.NODE_LABEL)
+                if lbl_obj:
+                    app_op._dbapi.label_destroy(lbl_obj.uuid)
+                    app_op._update_kubernetes_labels(host.hostname, {lbl_obj.label_key: None})
--- a/stx-node-interface-metrics-exporter-helm/stx-node-interface-metrics-exporter-helm/helm-charts/node-interface-metrics-exporter/templates/daemonset.yaml
+++ b/stx-node-interface-metrics-exporter-helm/stx-node-interface-metrics-exporter-helm/helm-charts/node-interface-metrics-exporter/templates/daemonset.yaml
@ -1,9 +1,10 @@
 #
-# Copyright (c) 2023 Wind River Systems, Inc.
+# Copyright (c) 2023-2024 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #

+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@ -48,6 +49,7 @@ spec:
        volumeMounts:
          - mountPath: /data/sys
            name: sys
+      serviceAccountName: node-interface-metrics-exporter-sa
      volumes:
        - hostPath:
            path: /sys
--- a/stx-node-interface-metrics-exporter-helm/stx-node-interface-metrics-exporter-helm/helm-charts/node-interface-metrics-exporter/templates/role.yaml
+++ b/stx-node-interface-metrics-exporter-helm/stx-node-interface-metrics-exporter-helm/helm-charts/node-interface-metrics-exporter/templates/role.yaml
@ -1,24 +1,31 @@
 #
-# Copyright (c) 2023 Wind River Systems, Inc.
+# Copyright (c) 2023-2024 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+apiVersion: v1
+kind: ServiceAccount
 metadata:
-  name: node-interface-metrics-role
-  namespace: node-interface-metrics-exporter
+  labels:
+    app: {{ .Values.labels.app }}
+  name: {{ .Values.name }}-sa
+  namespace: {{ .Values.namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: {{ .Values.labels.app }}
+  name: {{ .Values.name }}-cluster-role
+  # "namespace" omitted since ClusterRoles are not namespaced
 rules:
- apiGroups:
-  - ""
+- apiGroups: [""] # core API group
  resources:
  - pods
  - pods/log
  verbs:
-  - create
  - get
  - list
  - watch
-  - patch
-  - delete
--- a/stx-node-interface-metrics-exporter-helm/stx-node-interface-metrics-exporter-helm/helm-charts/node-interface-metrics-exporter/templates/rolebinding.yaml
+++ b/stx-node-interface-metrics-exporter-helm/stx-node-interface-metrics-exporter-helm/helm-charts/node-interface-metrics-exporter/templates/rolebinding.yaml
@ -1,21 +1,20 @@
 #
-# Copyright (c) 2023 Wind River Systems, Inc.
+# Copyright (c) 2023-2024 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
  labels:
-    app: ""
-  name: node-interface-metrics-rolebinding
-  namespace: node-interface-metrics-exporter
+    app: {{ .Values.labels.app }}
+  name: {{ .Values.name }}-rolebinding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: node-interface-metrics-role
+  kind: ClusterRole
+  name: {{ .Values.name }}-cluster-role
 subjects:
 - kind: ServiceAccount
-  name: node-interface-metrics-role
-  namespace: node-interface-metrics-exporter
+  name: {{ .Values.name }}-sa # name of your service account
+  namespace: {{ .Values.namespace }} # this is the namespace your service account is in
--- a/stx-node-interface-metrics-exporter-helm/stx-node-interface-metrics-exporter-helm/helm-charts/node-interface-metrics-exporter/values.yaml
+++ b/stx-node-interface-metrics-exporter-helm/stx-node-interface-metrics-exporter-helm/helm-charts/node-interface-metrics-exporter/values.yaml
@ -3,12 +3,12 @@
 # Declare variables to be passed into your templates.

 image:
-    repository: starlingx/metrics-exporter-api
-    tag: stx.9.0-v0.0.1
+  repository: starlingx/metrics-exporter-api
+  tag: stx.9.0-v0.0.1

 namespace: node-interface-metrics-exporter
 imagePullSecrets: default-registry-key

 name: node-interface-metrics-exporter
 labels:
-    app: nime-app
+  app: nime-app