Update bpfd deployment

Before this patch we deployed the bpf daemon manually via
kustomize... However this method couldn't be packaged into a
bundle via the operator SDK (see
operator-framework/operator-lifecycle-manager#1022 (comment))

This commit changes the way its deployed to have the bpfd-operator itself
reconcile/deploy the bpfd daemon.

Mainly it now ensures the daemon is configured correctly via the
bpfd configmap and deployed.

Signed-off-by: Andrew Stoycos <[email protected]>

Author: astoycos

bpfd-operator/cmd/bpfd-operator/main.go

@@ -32,7 +32,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
 	bpfdiov1alpha1 "github.com/redhat-et/bpfd/bpfd-operator/api/v1alpha1"
-	"github.com/redhat-et/bpfd/bpfd-operator/pkg/bpfd-operator"
+	bpfdoperator "github.com/redhat-et/bpfd/bpfd-operator/pkg/bpfd-operator"
 	//+kubebuilder:scaffold:imports
 )
 

bpfd-operator/config/bpfd-deployment/config.yaml

@@ -4,12 +4,17 @@ metadata:
   name: config
   namespace: kube-system
 data:
+  ## Can be configured at runtime
+  bpfd.namespace: bpfd
+  bpfd.agent.image: quay.io/bpfd/bpfd-agent:main
+  bpfd.image: quay.io/bpfd/bpfd:main
+  bpfd.log.level: "debug"
+  ## Must be configured at startup
   bpfd.toml: |
     [tls] # REQUIRED
     ca_cert = "/etc/bpfd/certs/ca/ca.crt"
     cert = "/etc/bpfd/certs/bpfd/tls.crt"
     key = "/etc/bpfd/certs/bpfd/tls.key"
     client_cert = "/etc/bpfd/certs/bpfd-client/tls.crt"
     client_key = "/etc/bpfd/certs/bpfd-client/tls.key"
-  bpfd.log.level: "debug"
   

bpfd-operator/config/bpfd-deployment/kustomization.yaml

@@ -2,7 +2,6 @@ resources:
 - cert-issuer.yaml
 - config.yaml
 - certs.yaml
-- daemonset.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:

bpfd-operator/config/default/kustomization.yaml

@@ -42,5 +42,5 @@ kind: Kustomization
 resources:
 - ../crd
 - ../rbac
-- ../bpfd-operator-deployment
 - ../bpfd-deployment
+- ../bpfd-operator-deployment

bpfd-operator/config/manifests/kustomization.yaml

@@ -2,7 +2,7 @@
 # used to generate the 'manifests/' directory in a bundle.
 resources:
 - bases/bpfd-operator.clusterserviceversion.yaml
-- ../default
+- ../openshift
 - ../samples
 - ../scorecard
 

bpfd-operator/config/rbac/bpfd-operator-role/role.yaml

@@ -51,6 +51,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:

bpfd-operator/go.mod

@@ -7,7 +7,6 @@ require (
 	github.com/pelletier/go-toml v1.9.5
 	github.com/redhat-et/bpfd/clients/gobpfd v0.0.0-20221122124347-10ccb612fd2a
 	google.golang.org/grpc v1.51.0
-	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.26.0
 	k8s.io/apimachinery v0.26.0
 	k8s.io/client-go v0.26.0
@@ -24,7 +23,7 @@ require (
 	github.com/go-logr/zapr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
@@ -35,7 +34,8 @@ require (
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/kr/pretty v0.3.0 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -60,6 +60,7 @@ require (
 	google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.26.0 // indirect
 	k8s.io/component-base v0.26.0 // indirect

bpfd-operator/go.sum

@@ -29,15 +29,22 @@ import (
 	bpfdiov1alpha1 "github.com/redhat-et/bpfd/bpfd-operator/api/v1alpha1"
 	gobpfd "github.com/redhat-et/bpfd/clients/gobpfd/v1"
 	"google.golang.org/grpc/credentials"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes/scheme"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
 const (
-	bpfdMapFs             = "/run/bpfd/fs/maps"
-	DefaultConfigPath     = " /etc/bpfd/bpfd.toml"
-	DefaultRootCaPath     = "/etc/bpfd/certs/ca/ca.crt"
-	DefaultClientCertPath = "/etc/bpfd/certs/bpfd-client/tls.crt"
-	DefaultClientKeyPath  = "/etc/bpfd/certs/bpfd-client/tls.key"
+	BpfdDsName             = "bpfd-daemon"
+	BpfdConfigName         = "bpfd-config"
+	BpfdDaemonManifestPath = "./config/bpfd-deployment/daemonset.yaml"
+	bpfdMapFs              = "/run/bpfd/fs/maps"
+	DefaultConfigPath      = " /etc/bpfd/bpfd.toml"
+	DefaultRootCaPath      = "/etc/bpfd/certs/ca/ca.crt"
+	DefaultClientCertPath  = "/etc/bpfd/certs/bpfd-client/tls.crt"
+	DefaultClientKeyPath   = "/etc/bpfd/certs/bpfd-client/tls.key"
 )
 
 type Tls struct {
@@ -280,3 +287,40 @@ func AttachConversion(attachment BpfdAttachType) *bpfdiov1alpha1.BpfProgramAttac
 
 	panic("Attachment Type is unknown")
 }
+
+func LoadAndConfigureBpfdDs(config *corev1.ConfigMap) *appsv1.DaemonSet {
+	// Load static bpfd deployment from disk
+	file, err := os.Open(BpfdDaemonManifestPath)
+	if err != nil {
+		panic(err)
+	}
+
+	b, err := ioutil.ReadAll(file)
+	if err != nil {
+		panic(err)
+	}
+
+	decode := scheme.Codecs.UniversalDeserializer().Decode
+	obj, _, _ := decode(b, nil, nil)
+
+	staticBpfdDeployment := obj.(*appsv1.DaemonSet)
+
+	// Runtime Configurable fields
+	bpfdNamespace := config.Data["bpfd.namespace"]
+	bpfdImage := config.Data["bpfd.image"]
+	bpfdAgentImage := config.Data["bpfd.agent.image"]
+	bpfdLogLevel := config.Data["bpfd.log.level"]
+
+	// Annotate the log level on the ds so we get automatic restarts on changes.
+	if staticBpfdDeployment.Spec.Template.ObjectMeta.Annotations == nil {
+		staticBpfdDeployment.Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+	}
+	staticBpfdDeployment.Spec.Template.ObjectMeta.Annotations["bpfd.io.bpfd.loglevel"] = bpfdLogLevel
+	staticBpfdDeployment.Name = "bpfd-daemon"
+	staticBpfdDeployment.Namespace = bpfdNamespace
+	staticBpfdDeployment.Spec.Template.Spec.Containers[0].Image = bpfdImage
+	staticBpfdDeployment.Spec.Template.Spec.Containers[1].Image = bpfdAgentImage
+	controllerutil.AddFinalizer(staticBpfdDeployment, "bpfd.io.operator/finalizer")
+
+	return staticBpfdDeployment
+}

bpfd-operator/internal/bpfd-client-helpers.go

@@ -62,7 +62,7 @@ type bpfProgramConditionType string
 
 const (
 	BpfdAgentFinalizer                             = "bpfd.io.agent/finalizer"
-	retryDurationAgent                             = 10 * time.Second
+	retryDurationAgent                             = 5 * time.Second
 	BpfProgCondLoaded      bpfProgramConditionType = "Loaded"
 	BpfProgCondNotLoaded   bpfProgramConditionType = "NotLoaded"
 	BpfProgCondNotUnloaded bpfProgramConditionType = "NotUnLoaded"
@@ -115,10 +115,6 @@ func (b bpfProgramConditionType) Condition() metav1.Condition {
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
-// TODO(user): Modify the Reconcile function to compare the state specified by
-// the BpfProgram object against the actual cluster state, and then
-// perform operations to make the cluster state reflect the state specified by
-// the user.
 // This should be called in the following scenarios
 // 1. A new BpfProgramConfig Object is created
 // 2. An BpfProgramConfig Object is Updated (i.e one of the following fields change
@@ -129,7 +125,7 @@ func (b bpfProgramConditionType) Condition() metav1.Condition {
 //
 // 3. Our NodeLabels are updated and the Node is no longer selected by an BpfProgramConfig
 //
-// 4. An bpfProgramCongfig Object is deleted
+// 4. An bpfProgramConfig Object is deleted
 // For more details, check Reconcile and its Result here:
 // - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/reconcile
 func (r *BpfProgramReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
@@ -174,7 +170,7 @@ func (r *BpfProgramReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	// Reconcile every BpfProgramConfig Object
 	// note: This doesn't necessarily result in any extra grpc calls to bpfd
 	for _, BpfProgramConfig := range BpfProgramConfigs.Items {
-		retry, err := r.reconcilBpfProgramConfig(ctx, &BpfProgramConfig, ourNode, existingConfigs)
+		retry, err := r.reconcileBpfProgramConfig(ctx, &BpfProgramConfig, ourNode, existingConfigs)
 		if err != nil {
 			r.Logger.Error(err, "Reconciling BpfProgramConfig Failed", "BpfProgramConfigName", BpfProgramConfig.Name, "Retrying", retry)
 			return ctrl.Result{Requeue: retry, RequeueAfter: retryDurationAgent}, nil
@@ -184,9 +180,9 @@ func (r *BpfProgramReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	return ctrl.Result{Requeue: false}, nil
 }
 
-// reconcilBpfProgramConfig reconciles the existing node state to the user intent
+// reconcileBpfProgramConfig reconciles the existing node state to the user intent
 // within a single BpfProgramConfig Object.
-func (r *BpfProgramReconciler) reconcilBpfProgramConfig(ctx context.Context,
+func (r *BpfProgramReconciler) reconcileBpfProgramConfig(ctx context.Context,
 	BpfProgramConfig *bpfdiov1alpha1.BpfProgramConfig,
 	ourNode *v1.Node,
 	nodeState map[string]internal.ExistingReq) (bool, error) {
@@ -348,17 +344,14 @@ func (r *BpfProgramReconciler) reconcilBpfProgramConfig(ctx context.Context,
 				Maps:        maps,
 			}
 
-			r.Logger.V(1).Info("Updating programs", "Programs", bpfProgram.Spec.Programs)
+			r.Logger.V(1).Info("Updating programs from nodestate", "Programs", bpfProgram.Spec.Programs)
 			// Update bpfProgram once successfully loaded
 			if err = r.Update(ctx, bpfProgram, &client.UpdateOptions{}); err != nil {
 				return false, fmt.Errorf("failed to create bpfProgram object: %v",
 					err)
 			}
 
 			r.updateStatus(ctx, bpfProgram, BpfProgCondLoaded)
-
-			r.Logger.Info("Updated Programs on bpfProgram Object from nodeState",
-				"bpfProgramName", bpfProgram.Name)
 		} else {
 			// Program exists and bpfProgram K8s Object is up to date
 			r.Logger.Info("Ignoring Object Change nothing to reconcile on node")
@@ -390,10 +383,10 @@ func (r *BpfProgramReconciler) loadBpfdProgram(ctx context.Context, loadRequest
 		Maps:        maps,
 	}
 
-	r.Logger.V(1).Info("Updating programs", "Programs", prog.Spec.Programs)
+	r.Logger.V(1).Info("updating programs after load", "Programs", prog.Spec.Programs)
 	// Update bpfProgram once successfully loaded
 	if err = r.Update(ctx, prog, &client.UpdateOptions{}); err != nil {
-		return false, fmt.Errorf("failed to create bpfProgram object: %v",
+		return false, fmt.Errorf("failed to update bpfProgram programs: %v",
 			err)
 	}
 	return false, nil
@@ -416,6 +409,14 @@ func (r *BpfProgramReconciler) unloadBpfdProgram(ctx context.Context, prog *bpfd
 			return true, fmt.Errorf("failed to unload bpfProgram via bpfd: %v",
 				err)
 		}
+		delete(prog.Spec.Programs, uuid)
+	}
+
+	r.Logger.V(1).Info("updating programs after unload", "Programs", prog.Spec.Programs)
+	// Update bpfProgram once successfully unloaded
+	if err := r.Update(ctx, prog, &client.UpdateOptions{}); err != nil {
+		return false, fmt.Errorf("failed to update bpfProgram programs: %v",
+			err)
 	}
 
 	return false, nil
@@ -459,11 +460,20 @@ func (r *BpfProgramReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Complete(r)
 }
 
-// Only return node updates for our node
+// Only return node updates for our node (all events)
 func nodePredicate(nodeName string) predicate.Funcs {
 	return predicate.Funcs{
 		GenericFunc: func(e event.GenericEvent) bool {
 			return e.Object.GetLabels()["kubernetes.io/hostname"] == nodeName
 		},
+		CreateFunc: func(e event.CreateEvent) bool {
+			return e.Object.GetLabels()["kubernetes.io/hostname"] == nodeName
+		},
+		UpdateFunc: func(e event.UpdateEvent) bool {
+			return e.ObjectNew.GetLabels()["kubernetes.io/hostname"] == nodeName
+		},
+		DeleteFunc: func(e event.DeleteEvent) bool {
+			return e.Object.GetLabels()["kubernetes.io/hostname"] == nodeName
+		},
 	}
 }