add support for running webassembly workloads using the spin runtime

.vscode/settings.json

@@ -33,6 +33,7 @@
         "usermod",
         "usermode",
         "vgdisplay",
-        "virt"
+        "virt",
+        "wasmtime"
     ]
 }

README.md

@@ -228,6 +228,23 @@ kubectl linstor volume list
 popd
 ```
 
+Execute an [example WebAssembly (Wasm) Spin workload](https://github.com/rgl/spin-http-rust-example):
+
+```bash
+export KUBECONFIG=$PWD/kubeconfig.yml
+kubectl apply -f example-spin.yml
+kubectl rollout status deployment/example-spin
+kubectl get ingresses,services,pods,deployments
+example_spin_ip="$(kubectl get ingress/example-spin -o json | jq -r .status.loadBalancer.ingress[0].ip)"
+example_spin_fqdn="$(kubectl get ingress/example-spin -o json | jq -r .spec.rules[0].host)"
+example_spin_url="http://$example_spin_fqdn"
+curl --resolve "$example_spin_fqdn:80:$example_spin_ip" "$example_spin_url"
+echo "$example_spin_ip $example_spin_fqdn" | sudo tee -a /etc/hosts
+curl "$example_spin_url"
+xdg-open "$example_spin_url"
+kubectl delete -f example-spin.yml
+```
+
 Destroy the infrastructure:
 
 ```bash

do

@@ -18,6 +18,11 @@ talos_qemu_guest_agent_extension_version="8.2.3"
 # renovate: datasource=docker depName=siderolabs/drbd extractVersion=^(?<version>.+)-v registryUrl=https://ghcr.io
 talos_drbd_extension_version="9.2.8"
 
+# see https://github.com/siderolabs/extensions/pkgs/container/spin
+# see https://github.com/siderolabs/extensions/tree/main/container-runtime/spin
+# renovate: datasource=docker depName=siderolabs/spin registryUrl=https://ghcr.io
+talos_spin_extension_version="0.13.1"
+
 # see https://github.com/piraeusdatastore/piraeus-operator/releases
 # renovate: datasource=github-releases depName=piraeusdatastore/piraeus-operator
 piraeus_operator_version="2.5.1"
@@ -58,6 +63,7 @@ input:
   systemExtensions:
     - imageRef: ghcr.io/siderolabs/qemu-guest-agent:$talos_qemu_guest_agent_extension_version
     - imageRef: ghcr.io/siderolabs/drbd:$talos_drbd_extension_version-v$talos_version
+    - imageRef: ghcr.io/siderolabs/spin:v$talos_spin_extension_version
 output:
   kind: image
   imageOptions:

example-spin.yml

@@ -0,0 +1,94 @@
+---
+# see https://kubernetes.io/docs/concepts/services-networking/ingress/
+# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#ingress-v1-networking-k8s-io
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: example-spin
+spec:
+  rules:
+    - host: example-spin.example.test
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: example-spin
+                port:
+                  name: web
+---
+# see https://kubernetes.io/docs/concepts/services-networking/service/#type-clusterip
+# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#service-v1-core
+# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#serviceport-v1-core
+apiVersion: v1
+kind: Service
+metadata:
+  name: example-spin
+spec:
+  type: ClusterIP
+  selector:
+    app: example-spin
+  ports:
+    - name: web
+      port: 80
+      protocol: TCP
+      targetPort: web
+---
+# see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#deployment-v1-apps
+# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#podtemplatespec-v1-core
+# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#container-v1-core
+# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#probe-v1-core
+# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#httpgetaction-v1-core
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: example-spin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: example-spin
+  template:
+    metadata:
+      labels:
+        app: example-spin
+    spec:
+      runtimeClassName: wasmtime-spin-v2
+      enableServiceLinks: false
+      containers:
+        - name: example
+          # see https://github.com/rgl/spin-http-rust-example
+          # see https://github.com/rgl/spin-http-rust-example/pkgs/container/spin-http-rust-example
+          image: ghcr.io/rgl/spin-http-rust-example:0.3.1
+          ports:
+            - name: web
+              containerPort: 80
+          readinessProbe:
+            httpGet:
+              path: /healthz/ready
+              port: web
+          resources:
+            requests:
+              memory: 32Mi
+              cpu: '0.1'
+            limits:
+              memory: 32Mi
+              cpu: '0.1'
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              #drop:
+              #  - ALL
+              # TODO use non-privileged port and drop ALL when the following
+              #      issue is resolved.
+              #      https://github.com/spinkube/containerd-shim-spin/issues/52
+              add:
+                - NET_BIND_SERVICE
+            readOnlyRootFilesystem: false
+            runAsNonRoot: true
+            runAsUser: 65534 # 65534 is the uid of the nobody user.
+            runAsGroup: 65534 # 65534 is the gid of the nogroup group.
+            seccompProfile:
+              type: RuntimeDefault

talos.tf

@@ -111,6 +111,16 @@ data "talos_machine_configuration" "controller" {
               "# Source cilium.tf\n${local.cilium_external_lb_manifest}",
             ])
           },
+          {
+            name     = "spin"
+            contents = <<-EOF
+            apiVersion: node.k8s.io/v1
+            kind: RuntimeClass
+            metadata:
+              name: wasmtime-spin-v2
+            handler: spin
+            EOF
+          }
         ],
       },
     }),