Merge pull request #87 from OpenCHAMI/rainest/dhcp-refactor

Add CoreDHCP to Helm

lbnl/helm/scripts/install.sh

@@ -10,7 +10,6 @@ helm install \
   --set bss.deployment.image.repository="${repo}" \
   --set init.job.image.repository="${repo}" \
   --set smd.deployment.image.repository="${repo}" \
-  --set dnsmasq.deployment.image.repository="${repo}" \
   --set hydra.deployment.image.repository="${repo}" \
   --set hydra_consent.deployment.image.repository="${repo}" \
   --set swiss_army_knife.deployment.image.repository="${repo}" \

lbnl/helm/scripts/template.sh

@@ -10,7 +10,6 @@ helm template \
   --set init.job.image.repository="${repo}" \
   --set smd.deployment.image.repository="${repo}" \
   --set postgres.deployment.image.repository="${repo}" \
-  --set dnsmasq.deployment.image.repository="${repo}" \
   --set hydra.deployment.image.repository="${repo}" \
   --set hydra_consent.deployment.image.repository="${repo}" \
   --set swiss_army_knife.deployment.image.repository="${repo}" \

lbnl/helm/scripts/upgrade.sh

@@ -10,7 +10,6 @@ helm upgrade \
   --set init.job.image.repository="${repo}" \
   --set smd.deployment.image.repository="${repo}" \
   --set postgres.deployment.image.repository="${repo}" \
-  --set dnsmasq.deployment.image.repository="${repo}" \
   --set hydra.deployment.image.repository="${repo}" \
   --set hydra_consent.deployment.image.repository="${repo}" \
   --set swiss_army_knife.deployment.image.repository="${repo}" \

lbnl/helm/templates/coredhcp/configmap.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: coredhcp
+  namespace: {{ .Release.Namespace }}
+data:
+  config.yaml: |
+    server4:
+      listen:
+        - 0.0.0.0:67
+      plugins:
+        # Base CoreDHCP config
+        - server_id: {{ .Values.coredhcp.config.server_id }}
+        - dns: {{ .Values.coredhcp.config.dns | join " " }}
+        - router: {{ .Values.coredhcp.config.router }}
+        - netmask: {{ .Values.coredhcp.config.netmask }}
+        - range: /leases/leases.txt {{ .Values.coredhcp.config.range.start }} {{ .Values.coredhcp.config.range.end }} {{ .Values.coredhcp.config.range.duration }}
+        #
+        # CoreSMD config
+        # Args: ochami_base_url boot_script_base_url ca_cert_path cache_update_interval long_lease_time single_port_mode
+        # SMD does not currently provide HTTPS, but we have to provide a cert for the positional arguments, so "" in arg 3 disables HTTPS.
+        # We need single port mode to allow TFTP requests to traverse container network NAT tables successfully.
+        - coresmd: http://smd:{{ .Values.smd.service.port }} http://bss:{{ .Values.bss.service.port }} "" 30s 1h true
+        #
+        # Optionally include the file plugin here if it matters which IPs get assigned to which
+        # MACs. Otherwise, unknown MACs get passed to the bootloop "catch-all" plugin below.
+        #
+        {{ if .Values.coredhcp.leaseMap.name }}
+        - file /static/{{ .Values.coredhcp.leaseMap.key }}
+        {{ end }}
+        # Args: storage_path ipxe_script_path short_lease_time ip_pool_start ip_pool_end
+        - bootloop: /leases/coredhcp.db default {{ .Values.coredhcp.config.unrecognized_range.duration }} {{ .Values.coredhcp.config.unrecognized_range.start }} {{ .Values.coredhcp.config.unrecognized_range.end }}

lbnl/helm/templates/coredhcp/deployment.yaml

@@ -0,0 +1,60 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coredhcp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: coredhcp
+spec:
+  replicas: {{ .Values.coredhcp.deployment.replicaCount }}
+  selector:
+    matchLabels:
+      app: coredhcp
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: coredhcp
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/coredhcp/configmap.yaml") . | sha256sum }}
+    spec:
+      containers:
+        - name: coredhcp
+          image: {{ .Values.coredhcp.deployment.image.repository }}/{{ .Values.coredhcp.deployment.image.name }}:{{ .Values.coredhcp.deployment.image.tag }}
+          imagePullPolicy: {{ .Values.coredhcp.deployment.image.pullPolicy }}
+          args:
+            - "/coredhcp"
+            - "-L"
+            - "debug"
+          ports:
+              # TODO ideall we'd run as non-root with DHCP and TFTP traffic forwarded to high ports from the Service,
+              # but upstream coresmd currently hardcodes port 69
+            - name: dhcp
+              containerPort: 67
+              protocol: UDP
+            - name: tftp
+              containerPort: 69
+              protocol: UDP
+          volumeMounts:
+            - mountPath: /leases
+              name: leases
+            - mountPath: /etc/coredhcp/
+              name: config
+            {{- if .Values.coredhcp.leaseMap.name }}
+            - mountPath: /static
+              name: static
+            {{- end }}
+      volumes:
+        - name: leases
+          emptyDir:
+            sizeLimit: 512M
+        - name: config
+          configMap:
+            name: coredhcp
+        {{- if .Values.coredhcp.leaseMap.name }}
+        - name: static
+          configMap:
+            name: {{ .Values.coredhcp.leaseMap.name }}
+        {{- end }}

lbnl/helm/templates/coredhcp/service.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: coredhcp
+  {{- with .Values.coredhcp.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.coredhcp.service.type }}
+  ports:
+    - port: {{ .Values.coredhcp.service.dhcp.port }}
+      targetPort: 67
+      name: dhcp
+      protocol: UDP
+    - port: {{ .Values.coredhcp.service.tftp.port }}
+      targetPort: 69
+      name: tftp
+      protocol: UDP
+  selector:
+    app: coredhcp

lbnl/helm/templates/tests/jobs.yaml

@@ -32,3 +32,21 @@ spec:
         - curl
         - --fail
         - "http://bss.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.bss.service.port }}/boot/v1/hosts"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ .Release.Name }}-test-tftp"
+  annotations:
+    "helm.sh/hook": test
+spec:
+  restartPolicy: OnFailure
+  containers:
+    - name: "{{ .Release.Name }}-curl"
+      image: curlimages/curl
+      command:
+        - "curl"
+        - "--fail"
+        - "-svo"
+        - "/dev/null"
+        - "tftp://coredhcp.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.coredhcp.service.tftp.port }}/ipxe-x86_64.efi"

lbnl/helm/values.yaml

@@ -35,7 +35,7 @@ bss:
       repository: ghcr.io/openchami
       name: bss
       pullPolicy: IfNotPresent
-      tag: "v1.31.3"
+      tag: "v1.32.0"
     containerPort: 27778
   dbname: bssdb
 
@@ -51,51 +51,56 @@ gke:
     port: 80
   securityPolicy: lbnl-nersc
 
-tftpd:
+coredhcp:
   deployment:
     replicaCount: 1
     image:
       repository: ghcr.io/openchami
-      name: tftpd
+      name: coredhcp
       pullPolicy: IfNotPresent
-      tag: "0.1"
-    containerPort: 69
-
-  service:
-    type: LoadBalancer
-    port: 69
-    # Since GKE external network LoadBalancers are not proxied, it might be a
-    # good idea to add an annotation like loadBalancerSourceRanges to limit who
-    # can access the Service.
-    annotations:
-
-dnsmasq:
-  deployment:
-    replicaCount: 1
-    image:
-      repository: ghcr.io/openchami
-      name: dnsmasq
-      pullPolicy: IfNotPresent
-      tag: dynamic
-    dhcp_port: 67
-    tftp_port: 69
+      tag: v0.3.0
 
   service:
+    tftp:
+      port: 69
     dhcp:
-      type: LoadBalancer
       port: 67
-      # Since GKE external network LoadBalancers are not proxied, it might be a
-      # good idea to add an annotation like loadBalancerSourceRanges to limit who
-      # can access the Service.
-      annotations:
+    type: LoadBalancer
+    annotations:
 
-    tftp:
-      type: LoadBalancer
-      port: 69
-      # Since GKE external network LoadBalancers are not proxied, it might be a
-      # good idea to add an annotation like loadBalancerSourceRanges to limit who
-      # can access the Service.
-      annotations:
+  # provide a ConfigMap containing static lease configuration for the CoreDHCP file plugin.
+  # the plugin is disabled if the name is empty.
+  leaseMap:
+    name: ""
+    key: "file_leases.txt"
+  # TODO there are a couple options for handling config. we could be very prescriptive
+  # and build a configuration file from specific enumerated values only (the current approach), or
+  # just treat the contents under coredhcp.config as a complete config and toYaml them to produce
+  # a ConfigMap. We could offer a bring your own ConfigMap alternative with either approach. IDK
+  # if we'd expect users to often need settings outside the chosen exposed settings with the
+  # prescriptive approach.
+  config:
+    # with the exception of dns, you _must_ set values appropriate to your network
+    # in this section. the default values are only examples.
+    #
+    # server_id is the address external nodes will use to talk to your DHCP server.
+    # this value will also be used to set the service's LoadBalancer IP.
+    server_id: 192.168.0.254
+    dns:
+      - 1.1.1.1
+      - 1.0.0.1
+    # router is the default gateway for your node network.
+    router: 172.16.0.254
+    # netmask defines the range of addresses the DHCP server will allocate.
+    netmask: 255.255.255.0
+    range:
+      start: 172.16.0.10
+      end: 172.16.0.200
+      duration: 60s
+    unrecognized_range:
+      start: 172.16.0.201
+      end: 172.16.0.220
+      duration: 60s
 
 hydra:
   deployment: