feat: extensions services config

Support config files for extension services. Fixes: #7791 Co-authored-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> Signed-off-by: Noel Georgi <git@frezbo.dev>
siderolabs · Feb 6, 2024 · 1e6c8c4 · 1e6c8c4
1 parent 989ca3a
commit 1e6c8c4
Show file tree

Hide file tree

Showing 36 changed files with 2,189 additions and 238 deletions.
diff --git a/api/resource/definitions/runtime/runtime.proto b/api/resource/definitions/runtime/runtime.proto
@@ -17,6 +17,22 @@ message EventSinkConfigSpec {
   string endpoint = 1;
 }
 
+// ExtensionServicesConfigFile describes extensions service config files.
+message ExtensionServicesConfigFile {
+  string content = 1;
+  string mount_path = 2;
+}
+
+// ExtensionServicesConfigSpec describes status of rendered extensions service config files.
+message ExtensionServicesConfigSpec {
+  repeated ExtensionServicesConfigFile files = 2;
+}
+
+// ExtensionServicesConfigStatusSpec describes status of rendered extensions service config files.
+message ExtensionServicesConfigStatusSpec {
+  string spec_version = 1;
+}
+
 // KernelModuleSpecSpec describes Linux kernel module to load.
 message KernelModuleSpecSpec {
   string name = 1;

diff --git a/hack/release.toml b/hack/release.toml
@@ -61,6 +61,24 @@ Talos Linux starting from this release uses RSA key for Kubernetes API Server Se
         title = "OpenNebula"
         description = """\
 Talos Linux now supports OpenNebula platform.
+"""
+
+    [notes.extensions]
+        title = "Extension Services Config"
+        description = """\
+Talos now supports supplying configuration files for extension services that can be mounted into the extension service container.
+The extension service configuration is a separate config document. An example is shown below:
+
+```yaml
+---
+apiVersion: v1alpha1
+kind: ExtensionServicesConfig
+config:
+    - name: nut-client
+      configFiles:
+        - content: MONITOR ${upsmonHost} 1 remote pass password
+          mountPath: /usr/local/etc/nut/upsmon.conf
+```
 """
 
 [make_deps]

diff --git a/internal/app/machined/pkg/controllers/cri/seccomp_profile.go b/internal/app/machined/pkg/controllers/cri/seccomp_profile.go
@@ -18,7 +18,7 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/resources/cri"
 )
 
-// SeccompProfileController manages v1alpha1.Stats which is the current snaphot of the machine CPU and Memory consumption.
+// SeccompProfileController manages SeccompProfiles.
 type SeccompProfileController struct{}
 
 // Name implements controller.StatsController interface.

diff --git a/internal/app/machined/pkg/controllers/cri/seccomp_profile_test.go b/internal/app/machined/pkg/controllers/cri/seccomp_profile_test.go
@@ -85,29 +85,6 @@ func (suite *CRISeccompProfileSuite) TestReconcileSeccompProfile() {
 		})
 	}
 
-	suite.AssertWithin(1*time.Second, 100*time.Millisecond, func() error {
-		seccompProfile, err := ctest.Get[*criseccompresource.SeccompProfile](
-			suite,
-			criseccompresource.NewSeccompProfile("audit.json").Metadata(),
-		)
-		if err != nil {
-			if state.IsNotFoundError(err) {
-				return retry.ExpectedError(err)
-			}
-
-			return err
-		}
-
-		spec := seccompProfile.TypedSpec()
-
-		suite.Assert().Equal("audit.json", spec.Name)
-		suite.Assert().Equal(map[string]interface{}{
-			"defaultAction": "SCMP_ACT_LOG",
-		}, spec.Value)
-
-		return nil
-	})
-
 	// test deletion
 	cfg = config.NewMachineConfig(container.NewV1Alpha1(&v1alpha1.Config{
 		MachineConfig: &v1alpha1.MachineConfig{

diff --git a/internal/app/machined/pkg/controllers/runtime/extension_service.go b/internal/app/machined/pkg/controllers/runtime/extension_service.go
@@ -11,24 +11,30 @@ import (
 	"path/filepath"
 
 	"github.com/cosi-project/runtime/pkg/controller"
+	"github.com/cosi-project/runtime/pkg/safe"
 	"go.uber.org/zap"
 	"gopkg.in/yaml.v3"
 
 	"github.com/siderolabs/talos/internal/app/machined/pkg/system"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/system/services"
 	extservices "github.com/siderolabs/talos/pkg/machinery/extensions/services"
+	"github.com/siderolabs/talos/pkg/machinery/resources/runtime"
 )
 
 // ServiceManager is the interface to the v1alpha1 services subsystems.
 type ServiceManager interface {
+	IsRunning(id string) (system.Service, bool, error)
 	Load(services ...system.Service) []string
+	Stop(ctx context.Context, serviceIDs ...string) (err error)
 	Start(serviceIDs ...string) error
 }
 
 // ExtensionServiceController creates extension services based on the extension service configuration found in the rootfs.
 type ExtensionServiceController struct {
 	V1Alpha1Services ServiceManager
 	ConfigPath       string
+
+	configStatusCache map[string]string
 }
 
 // Name implements controller.Controller interface.
@@ -38,7 +44,13 @@ func (ctrl *ExtensionServiceController) Name() string {
 
 // Inputs implements controller.Controller interface.
 func (ctrl *ExtensionServiceController) Inputs() []controller.Input {
-	return nil
+	return []controller.Input{
+		{
+			Namespace: runtime.NamespaceName,
+			Type:      runtime.ExtensionServicesConfigStatusType,
+			Kind:      controller.InputStrong,
+		},
+	}
 }
 
 // Outputs implements controller.Controller interface.
@@ -48,15 +60,16 @@ func (ctrl *ExtensionServiceController) Outputs() []controller.Output {
 
 // Run implements controller.Controller interface.
 //
-//nolint:gocyclo
+//nolint:gocyclo,cyclop
 func (ctrl *ExtensionServiceController) Run(ctx context.Context, r controller.Runtime, logger *zap.Logger) error {
+	// wait for controller runtime to be ready
 	select {
 	case <-ctx.Done():
 		return nil
 	case <-r.EventCh():
 	}
 
-	// controller runs only once, as services are static
+	// extensions loading only needs to run once, as services are static
 	serviceFiles, err := os.ReadDir(ctrl.ConfigPath)
 	if err != nil {
 		if os.IsNotExist(err) {
@@ -69,6 +82,21 @@ func (ctrl *ExtensionServiceController) Run(ctx context.Context, r controller.Ru
 		return err
 	}
 
+	// load initial state of configStatuses
+	if ctrl.configStatusCache == nil {
+		configStatuses, err := safe.ReaderListAll[*runtime.ExtensionServicesConfigStatus](ctx, r)
+		if err != nil {
+			return fmt.Errorf("error listing extension services config: %w", err)
+		}
+
+		ctrl.configStatusCache = make(map[string]string, configStatuses.Len())
+
+		for iter := configStatuses.Iterator(); iter.Next(); {
+			ctrl.configStatusCache[iter.Value().Metadata().ID()] = iter.Value().TypedSpec().SpecVersion
+		}
+	}
+
+	// load services from definitions into the service runner framework
 	extServices := map[string]struct{}{}
 
 	for _, serviceFile := range serviceFiles {
@@ -110,7 +138,46 @@ func (ctrl *ExtensionServiceController) Run(ctx context.Context, r controller.Ru
 		}
 	}
 
-	return nil
+	// watch for changes in the configStatuses
+	for {
+		select {
+		case <-ctx.Done():
+			return nil
+		case <-r.EventCh():
+		}
+
+		configStatuses, err := safe.ReaderListAll[*runtime.ExtensionServicesConfigStatus](ctx, r)
+		if err != nil {
+			return fmt.Errorf("error listing extension services config: %w", err)
+		}
+
+		configStatusesPresent := map[string]struct{}{}
+
+		for iter := configStatuses.Iterator(); iter.Next(); {
+			configStatusesPresent[iter.Value().Metadata().ID()] = struct{}{}
+
+			if ctrl.configStatusCache[iter.Value().Metadata().ID()] == iter.Value().TypedSpec().SpecVersion {
+				continue
+			}
+
+			if err = ctrl.handleRestart(ctx, logger, "ext-"+iter.Value().Metadata().ID(), iter.Value().TypedSpec().SpecVersion); err != nil {
+				return err
+			}
+
+			ctrl.configStatusCache[iter.Value().Metadata().ID()] = iter.Value().TypedSpec().SpecVersion
+		}
+
+		// cleanup configStatusesCache
+		for id := range ctrl.configStatusCache {
+			if _, ok := configStatusesPresent[id]; !ok {
+				if err = ctrl.handleRestart(ctx, logger, "ext-"+id, "nan"); err != nil {
+					return err
+				}
+
+				delete(ctrl.configStatusCache, id)
+			}
+		}
+	}
 }
 
 func (ctrl *ExtensionServiceController) loadSpec(path string) (extservices.Spec, error) {
@@ -129,3 +196,30 @@ func (ctrl *ExtensionServiceController) loadSpec(path string) (extservices.Spec,
 
 	return spec, nil
 }
+
+func (ctrl *ExtensionServiceController) handleRestart(ctx context.Context, logger *zap.Logger, svcName, specVersion string) error {
+	_, running, err := ctrl.V1Alpha1Services.IsRunning(svcName)
+	if err != nil {
+		return nil //nolint:nilerr // IsRunning returns an error only if the service is not found, so ignore it
+	}
+
+	// this means it's a new config and the service runner is already waiting for the config to start the service
+	// we don't need restart it again since it will be started automatically
+	if running && specVersion == "1" {
+		return nil
+	}
+
+	logger.Warn("extension service config changed, restarting", zap.String("service", svcName))
+
+	if running {
+		if err = ctrl.V1Alpha1Services.Stop(ctx, svcName); err != nil {
+			return fmt.Errorf("error stopping extension service %s: %w", svcName, err)
+		}
+	}
+
+	if err = ctrl.V1Alpha1Services.Start(svcName); err != nil {
+		return fmt.Errorf("error starting extension service %s: %w", svcName, err)
+	}
+
+	return nil
+}