Add in-place updates test extension

Signed-off-by: Alex Demicev <alex.demicev@lambdal.com>

Author: alexander-demicev

Makefile

@@ -126,8 +126,10 @@ ORG ?= rancher
 CONTROLLER_IMAGE_NAME := cluster-api-provider-rke2
 BOOTSTRAP_IMAGE_NAME := $(CONTROLLER_IMAGE_NAME)-bootstrap
 CONTROLPLANE_IMAGE_NAME = $(CONTROLLER_IMAGE_NAME)-controlplane
+TEST_EXTENSION_IMAGE_NAME := $(CONTROLLER_IMAGE_NAME)-test-extension
 BOOTSTRAP_IMG ?= $(REGISTRY)/$(ORG)/$(BOOTSTRAP_IMAGE_NAME)
 CONTROLPLANE_IMG ?= $(REGISTRY)/$(ORG)/$(CONTROLPLANE_IMAGE_NAME)
+TEST_EXTENSION_IMG ?= $(REGISTRY)/$(ORG)/$(TEST_EXTENSION_IMAGE_NAME)
 IID_FILE ?= $(shell mktemp)
 LOCAL_IMAGES = $(shell pwd)/out/images
 
@@ -351,6 +353,18 @@ docker-build-rke2-control-plane:
 	$(MAKE) set-manifest-image MANIFEST_IMG=$(CONTROLPLANE_IMG) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./controlplane/config/default/manager_image_patch.yaml"
 	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./controlplane/config/default/manager_pull_policy.yaml"
 
+.PHONY: docker-build-test-extension
+docker-build-test-extension: buildx-machine docker-pull-prerequisites ## Build the e2e test Runtime Extension image
+	DOCKER_BUILDKIT=1 BUILDX_BUILDER=$(MACHINE) docker buildx build \
+			--platform $(ARCH) \
+			--load \
+			--build-arg builder_image=$(GO_CONTAINER_IMAGE) \
+			--build-arg goproxy=$(GOPROXY) \
+			--build-arg package=./test/extension \
+			--build-arg ldflags="$(LDFLAGS)" . -t $(TEST_EXTENSION_IMG):$(TAG)
+	$(MAKE) set-manifest-image MANIFEST_IMG=$(TEST_EXTENSION_IMG) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./test/extension/config/default/manager_image_patch.yaml"
+	$(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./test/extension/config/default/manager_pull_policy.yaml"
+
 ## --------------------------------------
 ## Testing
 ## --------------------------------------
@@ -427,16 +441,17 @@ test-e2e: ## Run the end-to-end tests
 # https://www.suse.com/support/kb/doc/?id=000020048
 .PHONY: inotify-check
 inotify-check:
-	@if [ `cat /proc/sys/fs/inotify/max_user_instances` -le 256 ]; then \
+	@if [ -r /proc/sys/fs/inotify/max_user_instances ] && [ `cat /proc/sys/fs/inotify/max_user_instances` -le 256 ]; then \
 		echo -e "\033[0;31mfs.inotify.max_user_instances is too low, test may fail (sudo sysctl fs.inotify.max_user_instances=8192)\033[0m";\
 	 fi
-	@if [ `cat /proc/sys/fs/inotify/max_user_watches` -le 8192 ]; then \
+	@if [ -r /proc/sys/fs/inotify/max_user_watches ] && [ `cat /proc/sys/fs/inotify/max_user_watches` -le 8192 ]; then \
 		echo -e "\033[0;31mfs.inotify.max_user_watches is too low, tests may fail (sudo sysctl fs.inotify.max_user_watches=1048576)\033[0m"; \
 	 fi
 
 .PHONY: e2e-image
 e2e-image:
 	TAG=$(TAG) $(MAKE) docker-build
+	TAG=$(TAG) $(MAKE) docker-build-test-extension
 
 .PHONY: compile-e2e
 compile-e2e: ## Test e2e compilation

test/extension/config/certmanager/certificate.yaml

@@ -0,0 +1,31 @@
+# Self-signed Issuer + Certificate used by cert-manager to provision the TLS
+# material the test extension serves its Runtime SDK webhook on.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  # This name is referenced from kustomizeconfig.yaml.
+  name: serving-cert
+  namespace: system
+spec:
+  # SERVICE_NAME and SERVICE_NAMESPACE are substituted by kustomize replacements
+  # defined in config/default/kustomization.yaml.
+  dnsNames:
+    - SERVICE_NAME.SERVICE_NAMESPACE.svc
+    - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  # The secret name is NOT prefixed by kustomize so the manager_webhook_patch
+  # can reference it directly.
+  secretName: rke2-test-extension-webhook-service-cert
+  subject:
+    organizations:
+      - Rancher by SUSE

test/extension/config/certmanager/kustomization.yaml

@@ -0,0 +1,5 @@
+resources:
+  - certificate.yaml
+
+configurations:
+  - kustomizeconfig.yaml

test/extension/config/certmanager/kustomizeconfig.yaml

@@ -0,0 +1,9 @@
+# Teaches kustomize how to update Certificate.spec.issuerRef.name when the
+# Issuer name gets a kustomize prefix.
+nameReference:
+  - kind: Issuer
+    group: cert-manager.io
+    fieldSpecs:
+      - kind: Certificate
+        group: cert-manager.io
+        path: spec/issuerRef/name

test/extension/config/default/kustomization.yaml

@@ -0,0 +1,61 @@
+# All resources are kustomize-namespaced under rke2-test-extension-system and
+# kustomize-prefixed with rke2-test-extension-. The webhook serving Secret name
+# is intentionally NOT prefixed (see manager_webhook_patch.yaml) so the
+# Deployment's volume reference stays stable.
+namespace: rke2-test-extension-system
+
+namePrefix: rke2-test-extension-
+
+labels:
+  - includeSelectors: true
+    pairs:
+      cluster.x-k8s.io/provider: runtime-extension-rke2-test
+
+resources:
+  - namespace.yaml
+  - manager.yaml
+  - service.yaml
+  - ../rbac
+  - ../certmanager
+
+patches:
+  - path: manager_image_patch.yaml
+  - path: manager_pull_policy.yaml
+  - path: manager_webhook_patch.yaml
+
+# Inject the Service name/namespace into the Certificate's dnsNames so cert-manager
+# generates a cert valid for the webhook Service FQDN.
+replacements:
+  - source:
+      kind: Service
+      name: webhook-service
+      version: v1
+      fieldPath: .metadata.name
+    targets:
+      - select:
+          group: cert-manager.io
+          kind: Certificate
+          version: v1
+        fieldPaths:
+          - .spec.dnsNames.0
+          - .spec.dnsNames.1
+        options:
+          create: true
+          delimiter: .
+  - source:
+      kind: Service
+      name: webhook-service
+      version: v1
+      fieldPath: .metadata.namespace
+    targets:
+      - select:
+          group: cert-manager.io
+          kind: Certificate
+          version: v1
+        fieldPaths:
+          - .spec.dnsNames.0
+          - .spec.dnsNames.1
+        options:
+          create: true
+          delimiter: .
+          index: 1

test/extension/config/default/manager.yaml

@@ -0,0 +1,80 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+  labels:
+    control-plane: controller-manager
+spec:
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+  replicas: 1
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: manager
+      labels:
+        control-plane: controller-manager
+    spec:
+      containers:
+        - command:
+            - /manager
+          args:
+            - "--leader-elect"
+            - "--diagnostics-address=${CAPRKE2_TEST_EXTENSION_DIAGNOSTICS_ADDRESS:=:8443}"
+            - "--insecure-diagnostics=${CAPRKE2_TEST_EXTENSION_INSECURE_DIAGNOSTICS:=false}"
+            - "--v=${CAPRKE2_TEST_EXTENSION_DEBUG_LEVEL:=2}"
+          image: controller:latest
+          name: manager
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_UID
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.uid
+          ports:
+            - containerPort: 9440
+              name: healthz
+              protocol: TCP
+            - containerPort: 8443
+              name: metrics
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: healthz
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: healthz
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            runAsUser: 65532
+            runAsGroup: 65532
+          terminationMessagePolicy: FallbackToLogsOnError
+          resources:
+            limits:
+              cpu: 200m
+              memory: 128Mi
+            requests:
+              cpu: 10m
+              memory: 64Mi
+      terminationGracePeriodSeconds: 10
+      serviceAccountName: manager
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane

test/extension/config/default/manager_image_patch.yaml

@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+        - image: ghcr.io/rancher/cluster-api-provider-rke2-test-extension:dev
+          name: manager

test/extension/config/default/manager_pull_policy.yaml

@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+        - name: manager
+          imagePullPolicy: Always

test/extension/config/default/manager_webhook_patch.yaml

@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+        - name: manager
+          ports:
+            - containerPort: 9443
+              name: webhook-server
+              protocol: TCP
+          volumeMounts:
+            - mountPath: /tmp/k8s-webhook-server/serving-certs
+              name: cert
+              readOnly: true
+      volumes:
+        - name: cert
+          secret:
+            secretName: rke2-test-extension-webhook-service-cert

test/extension/config/default/namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: runtime-extension-rke2-test
+    control-plane: controller-manager
+  name: system