Add provisioning HTTP servers

This commit adds a HTTP server that enables a device which is being
provisioned to get its configuration via HTTP. Devices can also report
their status and thus transition out of the Provisioning Phase.

Author: swagner-de

cmd/main.go

@@ -15,6 +15,7 @@ import (
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
+	"k8s.io/klog/v2"
 	"k8s.io/utils/ptr"
 
 	// Set runtime concurrency to match CPU limit imposed by Kubernetes
@@ -38,6 +39,7 @@ import (
 	// Import all supported provider implementations.
 	_ "github.com/ironcore-dev/network-operator/internal/provider/cisco/nxos"
 	_ "github.com/ironcore-dev/network-operator/internal/provider/openconfig"
+	"github.com/ironcore-dev/network-operator/internal/provisioning"
 
 	"github.com/ironcore-dev/network-operator/api/core/v1alpha1"
 	corecontroller "github.com/ironcore-dev/network-operator/internal/controller/core"
@@ -72,6 +74,8 @@ func main() {
 	var watchFilterValue string
 	var providerName string
 	var requeueInterval time.Duration
+	var provisioningHTTPPort int
+	var provisioningHTTPValidateSourceIP bool
 	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.")
@@ -86,6 +90,8 @@ func main() {
 	flag.StringVar(&watchFilterValue, "watch-filter", "", fmt.Sprintf("Label value that the controller watches to reconcile api objects. Label key is always %q. If unspecified, the controller watches for all api objects.", v1alpha1.WatchLabel))
 	flag.StringVar(&providerName, "provider", "openconfig", "The provider to use for the controller. If not specified, the default provider is used. Available providers: "+strings.Join(provider.Providers(), ", "))
 	flag.DurationVar(&requeueInterval, "requeue-interval", 30*time.Second, "The interval after which Kubernetes resources should be reconciled again regardless of whether they have changed.")
+	flag.IntVar(&provisioningHTTPPort, "provisioning-http-port", 8080, "The port on which the provisioning HTTP server listens.")
+	flag.BoolVar(&provisioningHTTPValidateSourceIP, "provisioning-http-validate-source-ip", false, "If set, the provisioning HTTP server will validate the source IP of incoming requests against the DeviceIPLabel of Device resources.")
 	opts := zap.Options{
 		Development: true,
 		TimeEncoder: zapcore.ISO8601TimeEncoder,
@@ -365,6 +371,25 @@ func main() {
 			os.Exit(1)
 		}
 	}
+	provisioningProvider, ok := prov().(provider.ProvisioningProvider)
+	if provisioningHTTPPort != 0 && ok {
+		provisioningServer := provisioning.HTTPServer{
+			Client:           mgr.GetClient(),
+			Port:             provisioningHTTPPort,
+			Logger:           klog.NewKlogr().WithName("provisioning"),
+			Recorder:         mgr.GetEventRecorderFor("provisioning"),
+			ValidateSourceIP: provisioningHTTPValidateSourceIP,
+			Provider:         provisioningProvider,
+		}
+		setupLog.Info("Starting provisioning HTTP server", "port", provisioningHTTPPort, "validateSourceIP", provisioningHTTPValidateSourceIP)
+		go func() {
+			if err := provisioningServer.Start(ctx); err != nil {
+				setupLog.Error(err, "provisioning HTTP server failed")
+				os.Exit(1)
+			}
+		}()
+	}
+
 	// +kubebuilder:scaffold:builder
 
 	if metricsCertWatcher != nil {

internal/deviceutil/deviceutil.go

@@ -14,6 +14,7 @@ import (
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -62,6 +63,28 @@ func GetDeviceByName(ctx context.Context, r client.Reader, namespace, name strin
 	return obj, nil
 }
 
+func GetDeviceBySerial(ctx context.Context, r client.Reader, namespace, serial string) (*v1alpha1.Device, error) {
+	deviceList := &v1alpha1.DeviceList{}
+	listOpts := &client.ListOptions{
+		LabelSelector: labels.SelectorFromSet(labels.Set{v1alpha1.DeviceSerialLabel: serial}),
+	}
+
+	if namespace != "" {
+		listOpts.Namespace = namespace
+	}
+
+	if err := r.List(ctx, deviceList, listOpts); err != nil {
+		return nil, fmt.Errorf("failed to list %s objects: %w", v1alpha1.GroupVersion.WithKind(v1alpha1.DeviceKind).String(), err)
+	}
+	if len(deviceList.Items) == 0 {
+		return nil, fmt.Errorf("no %s object found with serial %q", v1alpha1.GroupVersion.WithKind(v1alpha1.DeviceKind).String(), serial)
+	}
+	if len(deviceList.Items) > 1 {
+		return nil, fmt.Errorf("multiple %s objects found with serial %q", v1alpha1.GroupVersion.WithKind(v1alpha1.DeviceKind).String(), serial)
+	}
+	return &deviceList.Items[0], nil
+}
+
 // Connection holds the necessary information to connect to a device's API.
 //
 // TODO(felix-kaestner): find a better place for this struct, maybe in a 'connection' package?