Code and config change: Packet to equinixmetal

[ipochi]

This PR builds on top of #1537 by adding code and configuration changes to migrate from Packet to Equinix Metal.

Addresses: #1546

The following changes will take affect after this PR is merged.

1. Terraform provider packethost/packet is replaced with equinix/metal.
2. Cluster configuration for Equinix Metal is changed from cluster "packet" {} to cluster "equinixmetal" {}

Migration steps:

Backup existing clusters state file

cd assets/terraform/
terraform state pull > terraform.tfstate.backup

1. Uninstall packet-ccm helm release

   helm uninstall packet-ccm --namespace kube-system
   
   

2. Replace the packethost/packet Terraform provider with equinix/metal:

terraform state replace-provider packethost/packet equinix/metal

3. Replace all references of packet_ to metal_ in the terraform state file.

 sed -i 's/packet_/metal_/g' terraform.tfstate

4. Change the module name module.packet to module.equinixmetal in the terraform state file

sed -i 's/module.packet/module.equinixmetal/g' terraform.tfstate

5. Edit the cluster module in cluster configuration file(lokocfg) from packet to equinixmetal, example:

cluster "equinixmetal" {}

6. Upgrade
   Note: Do not forget the --skip-pre-update-health-check flag

    lokoctl cluster apply --skip-components --skip-pre-update-health-check

Terraform plan should reflect the following changes: Lokomotive control plane and components update, removal of packet-ccm , update of the lokoctl-version and the addition of cloud-provider-equinix-metal.

Upgrade Lokomotive cluster to the latest release by proceeding with the cluster apply in step 5 with yes

7. Update MetalLB:

lokoctl component apply metallb

[invidian]

sed -i 's/packet_/metal_/g' terraform.tfstate

I'd rather use terraform state mv. Why sed?

[invidian]

I'm not sure if it make sense to break down the renaming into this many commits. Even though it would be a single, large changeset, it would be more atomic to do those changes in single commit, especially that we also mix some link fixing as part of this PR.

I also think some mentions of Packet are still not renamed, as git grep -i packet gives plenty of legitimate results, like:

.golangci.yml:    - packet
.golangci.yml:    - packet_fluo
...
assets/charts/control-plane/packet-ccm/Chart.yaml:name: packet-ccm
...
docs/configuration-reference/components/cluster-autoscaler.md:  provider = "packet"
...
scripts/find-updates.sh:get_latest_release packethost/terraform-provider-packet
...
test/calico/metadata_access_test.go:    case testutil.PlatformPacket, testutil.PlatformPacketARM:
...

I'm fine if some of those should be considered out of scope for this PR, but still it would be nice to remain as consistent as possible.

Perhaps this one requires a migration or a feature request to Flatcar?

assets/terraform-modules/equinixmetal/flatcar-linux/kubernetes/cl/controller.yaml.tmpl:        ExecStart=/bin/sh -c 'echo "ETCD_LISTEN_CLIENT_URLS=https://$COREOS_PACKET_IPV4_PRIVATE_0:2379" > /etc/kubernetes/etcd.config && echo "ETCD_LISTEN_PEER_URLS=https://$COREOS_PACKET_IPV4_PRIVATE_0:2380" >> /etc/kubernetes/etcd.config && echo "ETCD_LISTEN_METRICS_URLS=http://$COREOS_PACKET_IPV4_PRIVATE_0:2381" >> /etc/kubernetes/etcd.config'

But overall looks good. Nice work @ipochi, a lot of effort into making this finally happen!

[ipochi]

sed -i 's/packet_/metal_/g' terraform.tfstate

I'd rather use terraform state mv. Why sed?

Migration Guide used sed so thats what I went with.

[invidian]

Migration Guide used sed so thats what I went with.

Hmm, can we at least try to see if terraform state mv works?

[ipochi]

@invidian
Regarding the so many commits. It was getting harder to track and also would be harder to review.

I've tried to make sure that after every commit I run lokoctl apply on an existing cluster(before the name change) so that there are no plan changes.

Making it a single large commit would be a lot to deal with review and maintain sanity.

However what we can do is that we can review as multiple commits and then when I get LGTM I can squash all commits into one.

[ipochi]

@invidian
addressed some feedback, migrated from packet-ccm to cloud-provider-equinix-metal.

[invidian]

LGTM, but there is still some code referencing Packet from what I see. Is it going to be addressed in the following PR?

[ipochi]

1. Regarding the usage of terraform mv instead of sed

I couldn't get it to work for all the resources, example:

terraform state mv module.worker-small.data.metal_project.project module.worker-small.data.packet_project.project

Error: Invalid state move request

Cannot move module.worker-small.data.metal_project.project to
module.worker-small.data.packet_project.project: resource types don't match.

This makes use use sed for only the above data resource. Instead I'd propose using sed for all the steps as is the case with the migration guide.

2. For cluster-autoscaler

Upstream repo does not have any changes w.r.t renaming from Packet -> Equinix Metal.
Upstream autoscaler helm chart expects cloudProvider: packet

We have an optional Provider field in component config which we set it to packet and a packet config block.
If we change the user facing variables from packet to equinixmetal , internally we have to do some mapping in either go code or in helm templates along the lines of:

if cloudProvider is equinixmetal, then set `--cloudProvider= packet`

which by the looks of it is hacky and ugly.

I am of the opinion that we should leave the cluster-autoscaler as is. Instead focus on updating to the latest helm chart. The latest release has a commit that fixes some API errors (no sure if it fixes everything) but it would be good to get the latest chart.

Your opinions: @invidian @iaguis ?

[iaguis]

1. If we need to use sed for one of them I agree using it for all of them makes sense.
2. I agree we shouldn't make the changes upstream just now. Let's leave it as Packet.

[invidian]

Sounds good to me as well. Thanks for investigating @ipochi 👍

[invidian]

I still see a lot of references to Packet, which can definitely be changed to Equnix Metal:

$ git grep -i packet | grep -v cluster-autoscaler | grep -v vendor | grep -v formerly | grep -v packethost | grep -v packet.ipxe | grep -v PACKET_AUTH | grep -v prometheus-operator | grep -v calico | grep -v terraform-provider-packet | grep -v scripts/update | grep -v CHANGELOG.md | grep -v COREOS_PACKET | grep -i packet
README.md:* [Packet quickstart](https://kinvolk.io/docs/lokomotive/latest/quickstarts/packet)
README.md:* [Kubernetes storage with Rook Ceph on Packet cloud](https://kinvolk.io/docs/lokomotive/latest/how-to-guides/rook-ceph-storage)
README.md:* [Setting up an HTTP ingress controller on Lokomotive with MetalLB and Contour on Packet](https://kinvolk.io/docs/lokomotive/latest/how-to-guides/ingress-with-contour-metallb)
assets/terraform-modules/equinixmetal/flatcar-linux/kubernetes/bootkube.tf:  # Select private Packet NIC by using the can-reach Calico autodetection option with the first
assets/terraform-modules/equinixmetal/flatcar-linux/kubernetes/bootkube.tf:  # Block access to Packet metadata service.
assets/terraform-modules/equinixmetal/flatcar-linux/kubernetes/bootkube.tf:  # https://www.packet.com/developers/docs/servers/key-features/metadata/
assets/terraform-modules/equinixmetal/flatcar-linux/kubernetes/bootkube.tf:  # metadata.packet.net should always resolve to 192.80.8.124.
assets/terraform-modules/equinixmetal/flatcar-linux/kubernetes/cl/controller.yaml.tmpl:          # Use 10.0.0.0/8 as this is Packet private network CIDR.
assets/terraform-modules/equinixmetal/flatcar-linux/kubernetes/controllers.tf:      // With newer Packet provider, changing userdata causes re-creation of the device,
assets/terraform-modules/equinixmetal/flatcar-linux/kubernetes/controllers.tf:    flatcar_linux_oem    = "packet"
assets/terraform-modules/equinixmetal/flatcar-linux/kubernetes/controllers.tf:  platform = "packet"
assets/terraform-modules/equinixmetal/flatcar-linux/kubernetes/workers/cl/worker.yaml.tmpl:          # Use 10.0.0.0/8 as this is Packet private network CIDR.
assets/terraform-modules/equinixmetal/flatcar-linux/kubernetes/workers/workers.tf:      // With newer Packet provider, changing userdata causes re-creation of the device,
assets/terraform-modules/equinixmetal/flatcar-linux/kubernetes/workers/workers.tf:    flatcar_linux_oem    = "packet"
...

[ipochi]

@invidian

assets/terraform-modules/equinixmetal/flatcar-linux/kubernetes/controllers.tf:    flatcar_linux_oem    = "packet"
assets/terraform-modules/equinixmetal/flatcar-linux/kubernetes/controllers.tf:  platform = "packet"
assets/terraform-modules/equinixmetal/flatcar-linux/kubernetes/workers/workers.tf:    flatcar_linux_oem    = "packet"
assets/terraform-modules/equinixmetal/flatcar-linux/kubernetes/workers/workers.tf:  platform = "packet"
assets/terraform-modules/tinkerbell-sandbox/assets/deploy/docker-compose.yml:      PACKET_ENV: ${PACKET_ENV:-testing}
assets/terraform-modules/tinkerbell-sandbox/assets/deploy/docker-compose.yml:      PACKET_VERSION: ${PACKET_VERSION:-ignored}
assets/terraform-modules/tinkerbell-sandbox/assets/deploy/docker-compose.yml:      API_AUTH_TOKEN: ${PACKET_API_AUTH_TOKEN:-ignored}
assets/terraform-modules/tinkerbell-sandbox/assets/deploy/docker-compose.yml:      API_CONSUMER_TOKEN: ${PACKET_CONSUMER_TOKEN:-ignored}
assets/terraform-modules/tinkerbell-sandbox/assets/deploy/docker-compose.yml:      PACKET_ENV: ${PACKET_ENV:-testing}
assets/terraform-modules/tinkerbell-sandbox/assets/deploy/docker-compose.yml:      PACKET_VERSION: ${PACKET_VERSION:-ignored}
assets/terraform-modules/tinkerbell-sandbox/assets/deploy/docker-compose.yml:      PACKET_ENV: testing
assets/terraform-modules/tinkerbell-sandbox/assets/deploy/docker-compose.yml:      PACKET_VERSION: ${PACKET_VERSION:-ignored}
assets/terraform-modules/tinkerbell-sandbox/assets/setup.sh:			| .hosts += [ $ip, "tinkerbell.\($facility).packet.net" ]
ci/packet/packet-cluster.lokocfg.envsubst:  facility = "$PACKET_LOCATION"
ci/packet/packet-cluster.lokocfg.envsubst:  project_id = "$PACKET_PROJECT_ID"
ci/packet/packet-cluster.lokocfg.envsubst:  packet {
ci/packet/packet-cluster.lokocfg.envsubst:    project_id = "$PACKET_PROJECT_ID"
ci/packet/packet-cluster.lokocfg.envsubst:    facility   = "$PACKET_LOCATION"
ci/packet_arm/packet_arm-cluster.lokocfg.envsubst:  facility = "$PACKET_LOCATION"
ci/packet_arm/packet_arm-cluster.lokocfg.envsubst:  project_id = "$PACKET_PROJECT_ID"
ci/packet_fluo/packet_fluo-cluster.lokocfg.envsubst:  facility = "$PACKET_LOCATION"
ci/packet_fluo/packet_fluo-cluster.lokocfg.envsubst:  project_id = "$PACKET_PROJECT_ID"
ci/scripts/deploy-cluster.sh:packet|packet_fluo)
ci/scripts/deploy-cluster.sh:    export PACKET_LOCATION=${AVAIL_LOCATIONS_ARRAY[$RANDOM % ${#AVAIL_LOCATIONS_ARRAY[@]}]}
ci/scripts/deploy-cluster.sh:packet_arm)
ci/scripts/deploy-cluster.sh:    export PACKET_LOCATION=${AVAIL_LOCATIONS_ARRAY[$RANDOM % ${#AVAIL_LOCATIONS_ARRAY[@]}]}
ci/scripts/deploy-cluster.sh:cat "$platform-cluster.lokocfg.envsubst" | envsubst '$AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY $PUB_KEY $CLUSTER_ID $AWS_DEFAULT_REGION $AWS_DNS_ZONE $AWS_DNS_ZONE_ID $PACKET_PROJECT_ID $EMAIL $GITHUB_CLIENT_ID $GITHUB_CLIENT_SECRET $DEX_STATIC_CLIENT_CLUSTERAUTH_ID $DEX_STATIC_CLIENT_CLUSTERAUTH_SECRET $GANGWAY_REDIRECT_URL $GANGWAY_SESSION_KEY $DEX_INGRESS_HOST $GANGWAY_INGRESS_HOST $ISSUER_HOST $REDIRECT_URI $API_SERVER_URL $AUTHORIZE_URL $TOKEN_URL $PACKET_LOCATION $ARM_SUBSCRIPTION_ID $ARM_TENANT_ID $ARM_CLIENT_ID $ARM_CLIENT_SECRET' >"$platform-cluster.lokocfg"
ci/scripts/deploy-cluster.sh:  if [ "$platform" == "packet" ] || [ "$platform" == "packet_fluo" ]; then
test/platform/equinixmetal/equinixmetal_test.go:		t.Fatalf("Creating Packet API client: %v", err)
test/platform/equinixmetal/equinixmetal_test.go:	projectID := os.Getenv("PACKET_PROJECT_ID")
test/platform/equinixmetal/equinixmetal_test.go:		t.Fatalf("Packet project ID can't be empty. Is %q environment variable set?", "PACKET_PROJECT_ID")
test/platform/equinixmetal/equinixmetal_test.go:		t.Fatalf("No Packet device found with hostname %q", hostname)

The following things show packet, some of them are related to cluster autoscaler.

Not sure if any of them needs to change or the potential impact of breakage in CI.

[invidian]

@ipochi I think the following can still be changed, though they require changes to CI configuration as well. I think all can be rolled out gracefully though.

ci/packet/packet-cluster.lokocfg.envsubst:  facility = "$PACKET_LOCATION"
ci/packet/packet-cluster.lokocfg.envsubst:  project_id = "$PACKET_PROJECT_ID"
ci/packet/packet-cluster.lokocfg.envsubst:  packet {
ci/packet/packet-cluster.lokocfg.envsubst:    project_id = "$PACKET_PROJECT_ID"
ci/packet/packet-cluster.lokocfg.envsubst:    facility   = "$PACKET_LOCATION"
ci/packet_arm/packet_arm-cluster.lokocfg.envsubst:  facility = "$PACKET_LOCATION"
ci/packet_arm/packet_arm-cluster.lokocfg.envsubst:  project_id = "$PACKET_PROJECT_ID"
ci/packet_fluo/packet_fluo-cluster.lokocfg.envsubst:  facility = "$PACKET_LOCATION"
ci/packet_fluo/packet_fluo-cluster.lokocfg.envsubst:  project_id = "$PACKET_PROJECT_ID"
ci/scripts/deploy-cluster.sh:packet|packet_fluo)
ci/scripts/deploy-cluster.sh:    export PACKET_LOCATION=${AVAIL_LOCATIONS_ARRAY[$RANDOM % ${#AVAIL_LOCATIONS_ARRAY[@]}]}
ci/scripts/deploy-cluster.sh:packet_arm)
ci/scripts/deploy-cluster.sh:    export PACKET_LOCATION=${AVAIL_LOCATIONS_ARRAY[$RANDOM % ${#AVAIL_LOCATIONS_ARRAY[@]}]}
ci/scripts/deploy-cluster.sh:cat "$platform-cluster.lokocfg.envsubst" | envsubst '$AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY $PUB_KEY $CLUSTER_ID $AWS_DEFAULT_REGION $AWS_DNS_ZONE $AWS_DNS_ZONE_ID $PACKET_PROJECT_ID $EMAIL $GITHUB_CLIENT_ID $GITHUB_CLIENT_SECRET $DEX_STATIC_CLIENT_CLUSTERAUTH_ID $DEX_STATIC_CLIENT_CLUSTERAUTH_SECRET $GANGWAY_REDIRECT_URL $GANGWAY_SESSION_KEY $DEX_INGRESS_HOST $GANGWAY_INGRESS_HOST $ISSUER_HOST $REDIRECT_URI $API_SERVER_URL $AUTHORIZE_URL $TOKEN_URL $PACKET_LOCATION $ARM_SUBSCRIPTION_ID $ARM_TENANT_ID $ARM_CLIENT_ID $ARM_CLIENT_SECRET' >"$platform-cluster.lokocfg"
ci/scripts/deploy-cluster.sh:  if [ "$platform" == "packet" ] || [ "$platform" == "packet_fluo" ]; then
test/platform/equinixmetal/equinixmetal_test.go:                t.Fatalf("Creating Packet API client: %v", err)
test/platform/equinixmetal/equinixmetal_test.go:        projectID := os.Getenv("PACKET_PROJECT_ID")
test/platform/equinixmetal/equinixmetal_test.go:                t.Fatalf("Packet project ID can't be empty. Is %q environment variable set?", "PACKET_PROJECT_ID")
test/platform/equinixmetal/equinixmetal_test.go:                t.Fatalf("No Packet device found with hostname %q", hostname)

[ipochi]

@ipochi I think the following can still be changed, though they require changes to CI configuration as well. I think all can be rolled out gracefully though.

ci/packet/packet-cluster.lokocfg.envsubst:  facility = "$PACKET_LOCATION"
ci/packet/packet-cluster.lokocfg.envsubst:  project_id = "$PACKET_PROJECT_ID"
ci/packet/packet-cluster.lokocfg.envsubst:  packet {
ci/packet/packet-cluster.lokocfg.envsubst:    project_id = "$PACKET_PROJECT_ID"
ci/packet/packet-cluster.lokocfg.envsubst:    facility   = "$PACKET_LOCATION"
ci/packet_arm/packet_arm-cluster.lokocfg.envsubst:  facility = "$PACKET_LOCATION"
ci/packet_arm/packet_arm-cluster.lokocfg.envsubst:  project_id = "$PACKET_PROJECT_ID"
ci/packet_fluo/packet_fluo-cluster.lokocfg.envsubst:  facility = "$PACKET_LOCATION"
ci/packet_fluo/packet_fluo-cluster.lokocfg.envsubst:  project_id = "$PACKET_PROJECT_ID"
ci/scripts/deploy-cluster.sh:packet|packet_fluo)
ci/scripts/deploy-cluster.sh:    export PACKET_LOCATION=${AVAIL_LOCATIONS_ARRAY[$RANDOM % ${#AVAIL_LOCATIONS_ARRAY[@]}]}
ci/scripts/deploy-cluster.sh:packet_arm)
ci/scripts/deploy-cluster.sh:    export PACKET_LOCATION=${AVAIL_LOCATIONS_ARRAY[$RANDOM % ${#AVAIL_LOCATIONS_ARRAY[@]}]}
ci/scripts/deploy-cluster.sh:cat "$platform-cluster.lokocfg.envsubst" | envsubst '$AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY $PUB_KEY $CLUSTER_ID $AWS_DEFAULT_REGION $AWS_DNS_ZONE $AWS_DNS_ZONE_ID $PACKET_PROJECT_ID $EMAIL $GITHUB_CLIENT_ID $GITHUB_CLIENT_SECRET $DEX_STATIC_CLIENT_CLUSTERAUTH_ID $DEX_STATIC_CLIENT_CLUSTERAUTH_SECRET $GANGWAY_REDIRECT_URL $GANGWAY_SESSION_KEY $DEX_INGRESS_HOST $GANGWAY_INGRESS_HOST $ISSUER_HOST $REDIRECT_URI $API_SERVER_URL $AUTHORIZE_URL $TOKEN_URL $PACKET_LOCATION $ARM_SUBSCRIPTION_ID $ARM_TENANT_ID $ARM_CLIENT_ID $ARM_CLIENT_SECRET' >"$platform-cluster.lokocfg"
ci/scripts/deploy-cluster.sh:  if [ "$platform" == "packet" ] || [ "$platform" == "packet_fluo" ]; then
test/platform/equinixmetal/equinixmetal_test.go:                t.Fatalf("Creating Packet API client: %v", err)
test/platform/equinixmetal/equinixmetal_test.go:        projectID := os.Getenv("PACKET_PROJECT_ID")
test/platform/equinixmetal/equinixmetal_test.go:                t.Fatalf("Packet project ID can't be empty. Is %q environment variable set?", "PACKET_PROJECT_ID")
test/platform/equinixmetal/equinixmetal_test.go:                t.Fatalf("No Packet device found with hostname %q", hostname)

These would require changes in the ci repo as well right ?

[invidian]

Yes, but I'm fine with doing this changes in the lockstep. Adding support for new names here, then changing CI, then removing the support from here.

[ipochi]

Yes, but I'm fine with doing this changes in the lockstep. Adding support for new names here, then changing CI, then removing the support from here.

Updated all the necessary references, please review.
Corresponding CI PR is at kinvolk/lokomotive-ci/pull/196

[ipochi]

Finally I have the CI green for Packet in a separate pipeline.

https://yard.lokomotive-k8s.net/teams/main/pipelines/packet-to-em-test/jobs/test-lokomotive-equinixmetal-deployment/builds/2

The issue was related to CCM on two folds.

1. Newer CCM provides multiple peers support via comma separated values in the same annotation. However MetalLB fails to consume this information and fails. Thereby BGP session is never established and hence the Prometheus component metrics test metallb_bgp_session_up fails.

This patch fixes the issue: kinvolk/metallb@86016b7

It is a workaround and ideally the fix should be in CCM.

Issue: kubernetes-sigs/cloud-provider-equinix-metal#199

2. For Lokomotive in Equinix Metal , we don't want the CCM to interfere in loadbalancing but only care about BGP. The setting for that is loadbalancer: empty://. However despite setting the required setting, Node and Service reconcilers are started.

More details on the issue: kubernetes-sigs/cloud-provider-equinix-metal#200

PR: kubernetes-sigs/cloud-provider-equinix-metal#201

/cc @iaguis @invidian @surajssd

[ipochi]

@invidian @iaguis @surajssd

CI is Green for Equinix Metal and Equinix Metal ARM in separate pipelines

https://yard.lokomotive-k8s.net/teams/main/pipelines/packet-to-em-test/jobs/test-lokomotive-equinixmetal-deployment/builds/2

https://yard.lokomotive-k8s.net/teams/main/pipelines/packet-to-em-test-arm/jobs/test-lokomotive-equinixmetal-deployment/builds/2

Once this is merged and its corresponding CI PR https://github.com/kinvolk/lokomotive-ci/pull/196 , we would need to pause the pipelines, rename them and unpause them.

[invidian]

CI is Green for Equinix Metal and Equinix Metal ARM in separate pipelines

Why can't we make it pass on existing pipelines?

[ipochi]

CI is Green for Equinix Metal and Equinix Metal ARM in separate pipelines

Why can't we make it pass on existing pipelines?

Need to merge https://github.com/kinvolk/lokomotive-ci/pull/196 first, then unpause and rename and updates pipelines.
Then we can pass on existing pipelines.

[invidian]

Need to merge kinvolk/lokomotive-ci#196 first, then unpause and rename and updates pipelines.
Then we can pass on existing pipelines

This won't be existing pipelines anymore.

[iaguis]

Let's just merge this and switch the CIs later if that's easier. It's not that big of a deal if we're not in a perfect CI state all the time.

[invidian]

LGTM

[ipochi]

@surajssd @invidian
Squashed commits and rebased.

Please review again.

[invidian]

If CI is passing somewhere and Ingress remains working, LGTM 👍