MGMT-15704: Assisted service should create Day2 import CR for hub clu…

…ster.

When managing a cluster via ZTP, either through MCE or any other method that results in assisted installer being conmfigured in ZTP mode, we want to import the local cluster into ZTP or which the assisted-operator is running.

The intent is to allow the user to perform day2 operations on the local cluster, to allow the addition of workers and so on.

Presently this is only possible via manual efforts and is not very customer friendly.

This PR aims to resolve this by adding functionality to import the local cluster as described above.

cmd/main.go

@@ -63,6 +63,7 @@ import (
 	"github.com/openshift/assisted-service/pkg/generator"
 	"github.com/openshift/assisted-service/pkg/k8sclient"
 	"github.com/openshift/assisted-service/pkg/leader"
+	"github.com/openshift/assisted-service/pkg/localclusterimport"
 	logconfig "github.com/openshift/assisted-service/pkg/log"
 	"github.com/openshift/assisted-service/pkg/mirrorregistries"
 	"github.com/openshift/assisted-service/pkg/ocm"
@@ -162,6 +163,8 @@ var Options struct {
 	AllowConvergedFlow                   bool          `envconfig:"ALLOW_CONVERGED_FLOW" default:"true"`
 	PreprovisioningImageControllerConfig controllers.PreprovisioningImageControllerConfig
 	BMACConfig                           controllers.BMACConfig
+	EnableLocalClusterImport             bool   `envconfig:"ENABLE_LOCAL_CLUSTER_IMPORT" default:"true"`
+	LocalClusterImportNamespace          string `envconfig:"LOCAL_CLUSTER_IMPORT_NAMESPACE" defualt:"local-cluster"`
 
 	// Directory containing pre-generated TLS certs/keys for the ephemeral installer
 	ClusterTLSCertOverrideDir string `envconfig:"EPHEMERAL_INSTALLER_CLUSTER_TLS_CERTS_OVERRIDE_DIR" default:""`
@@ -205,6 +208,23 @@ func maxDuration(dur time.Duration, durations ...time.Duration) time.Duration {
 	return ret
 }
 
+func importLocalCluster(ctrlMgr manager.Manager, log *logrus.Logger) {
+	if !Options.EnableLocalClusterImport {
+		log.Debug("EnableClusterImport disabled in options, skipping...")
+		return
+	}
+	// Splitting into API reader and writer interfaces as the reader bypasses the cache settings that are on the regular client
+	// and we need to be able to read secrets that we cannot read with the client due to how the cache is configured.
+	// The cachedApiClient can be used for writes as these are unaffected by cache.
+	localClusterImportOperations := localclusterimport.NewLocalClusterImportOperations(ctrlMgr.GetAPIReader(), ctrlMgr.GetClient(), log)
+	localClusterImport := localclusterimport.NewLocalClusterImport(&localClusterImportOperations, Options.LocalClusterImportNamespace, log)
+	err := localClusterImport.ImportLocalCluster()
+	if err != nil {
+		// Failure to import the local cluster is not fatal but we should warn in the log.
+		log.Warnf("Could not import local cluster due to error %s", err.Error())
+	}
+}
+
 func main() {
 	err := envconfig.Process(common.EnvConfigPrefix, &Options)
 	if err == nil {
@@ -641,6 +661,10 @@ func main() {
 		}
 	}()
 
+	if Options.EnableKubeAPI {
+		importLocalCluster(ctrlMgr, log)
+	}
+
 	// Interrupt servers on SIGINT/SIGTERM
 	stop := make(chan os.Signal, 1)
 	signal.Notify(stop, os.Interrupt, syscall.SIGINT, syscall.SIGTERM)

config/rbac/role.yaml

@@ -273,6 +273,12 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - dnses
+  verbs:
+  - get
 - apiGroups:
   - config.openshift.io
   resources:
@@ -410,6 +416,7 @@ rules:
   resources:
   - clusterimagesets
   verbs:
+  - create
   - get
   - list
   - watch

deploy/olm-catalog/manifests/assisted-service-operator.clusterserviceversion.yaml

@@ -618,6 +618,12 @@ spec:
           - get
           - list
           - watch
+        - apiGroups:
+          - config.openshift.io
+          resources:
+          - dnses
+          verbs:
+          - get
         - apiGroups:
           - config.openshift.io
           resources:
@@ -755,6 +761,7 @@ spec:
           resources:
           - clusterimagesets
           verbs:
+          - create
           - get
           - list
           - watch

go.mod

@@ -3,6 +3,7 @@ module github.com/openshift/assisted-service
 go 1.18
 
 require (
+    github.com/hashicorp/go-multierror v1.1.1
 	github.com/IBM/netaddr v1.5.0
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d

internal/controller/controllers/clusterdeployments_controller.go

@@ -111,10 +111,11 @@ const minimalOpenShiftVersionForDefaultNetworkTypeOVNKubernetes = "4.12.0-0.0"
 // +kubebuilder:rbac:groups=hive.openshift.io,resources=clusterdeployments,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=hive.openshift.io,resources=clusterdeployments/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=hive.openshift.io,resources=clusterdeployments/finalizers,verbs=update
-// +kubebuilder:rbac:groups=hive.openshift.io,resources=clusterimagesets,verbs=get;list;watch
+// +kubebuilder:rbac:groups=hive.openshift.io,resources=clusterimagesets,verbs=get;list;watch;create
 // +kubebuilder:rbac:groups=extensions.hive.openshift.io,resources=agentclusterinstalls,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=extensions.hive.openshift.io,resources=agentclusterinstalls/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=extensions.hive.openshift.io,resources=agentclusterinstalls/finalizers,verbs=update
+// +kubebuilder:rbac:groups=config.openshift.io,resources=dnses,verbs=get
 
 func (r *ClusterDeploymentsReconciler) Reconcile(origCtx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	ctx := addRequestIdIfNeeded(origCtx)