assets/charts/control-plane: add packet-ccm Helm chart

This commit add packet-ccm Helm chart based on manifests from
https://github.com/packethost/packet-ccm/tree/master/deploy/template,
but with Lokomotive-specific modifications like using image with BGP
Node Selector support, enabled leader election for HA, removed
unnecessary RBAC grants etc.

This chart will be used to enable CCM on Packet platform.

Refs #548

Signed-off-by: Mateusz Gozdek <[email protected]>

assets/charts/control-plane/packet-ccm/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

assets/charts/control-plane/packet-ccm/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: packet-ccm
+description: A Helm chart for deploying packet-ccm on Packet cluster.
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: v2.0.0

assets/charts/control-plane/packet-ccm/templates/deployment.yaml

@@ -0,0 +1,183 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: packet-cloud-controller-manager
+  labels:
+    app: packet-cloud-controller-manager
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: packet-cloud-controller-manager
+  template:
+    metadata:
+      labels:
+        app: packet-cloud-controller-manager
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      dnsPolicy: Default
+      hostNetwork: true
+      serviceAccountName: cloud-controller-manager
+      tolerations:
+        # This taint is set by all kubelets running `--cloud-provider=external`
+        # so we should tolerate it to schedule the Packet CCM.
+        - key: "node.cloudprovider.kubernetes.io/uninitialized"
+          value: "true"
+          effect: "NoSchedule"
+        - key: "CriticalAddonsOnly"
+          operator: "Exists"
+        # Cloud controller manager should be able to run on masters.
+        - key: "node-role.kubernetes.io/master"
+          effect: NoSchedule
+      containers:
+      # Use our own image until https://github.com/packethost/packet-ccm/pull/101 and
+      # https://github.com/packethost/packet-ccm/pull/107 are merged and released.
+      # This image must also support amd64 and arm64 architectures.
+      - image: quay.io/kinvolk/packet-ccm:kinvolk
+        name: packet-cloud-controller-manager
+        command:
+          - "./packet-cloud-controller-manager"
+          - "--cloud-provider=packet"
+          # This should allow running multiple instances of the Packet CCM when HA is needed.
+          - "--leader-elect=true"
+          - "--provider-config=/etc/cloud-sa/cloud-sa.json"
+          - "--v=2"
+        env:
+        # Enable BGP only on node pools, which are configured by Lokomotive to have BGP enabled.
+        - name: PACKET_BGP_NODE_SELECTOR
+          value: lokomotive.alpha.kinvolk.io/bgp-enabled=true
+        # Set right annotations for compatibility with MetalLB component.
+        - name: PACKET_ANNOTATION_LOCAL_ASN
+          value: metallb.lokomotive.io/my-asn
+        - name: PACKET_ANNOTATION_PEER_ASNS
+          value: metallb.lokomotive.io/peer-asn
+        - name: PACKET_ANNOTATION_PEER_IPS
+          value: metallb.lokomotive.io/peer-address
+        # Disable MetalLB ConfigMap management, as it is managed by MetalLB component itself.
+        - name: PACKET_LB_CONFIGMAP
+          value: disabled
+        resources:
+          requests:
+            cpu: 100m
+            memory: 50Mi
+        volumeMounts:
+          - name: cloud-sa-volume
+            readOnly: true
+            mountPath: "/etc/cloud-sa"
+      volumes:
+        - name: cloud-sa-volume
+          secret:
+            secretName: packet-cloud-config
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cloud-controller-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:cloud-controller-manager
+rules:
+- apiGroups:
+  # reason: so ccm can read and update nodes and annotations
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - '*'
+- apiGroups:
+  # reason: so ccm can update the status of nodes
+  - ""
+  resources:
+  - nodes/status
+  verbs:
+  - patch
+- apiGroups:
+  # This is not really used at the moment, but without this CCM prints warnings every second
+  # trying to enable the watch.
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  # Reason: So CCM can publish for example leader election or node removal events.
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: system:cloud-controller-manager
+rules:
+- apiGroups:
+  # Reason: So ccm can read and update lease.
+  - "coordination.k8s.io"
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  # Reason: Required for leader election.
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: system:cloud-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:cloud-controller-manager
+subjects:
+- kind: ServiceAccount
+  name: cloud-controller-manager
+  namespace: {{ .Release.Namespace }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: system:cloud-controller-manager-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: cloud-controller-manager
+  namespace: {{ .Release.Namespace }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: system:cloud-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: system:cloud-controller-manager
+subjects:
+- kind: ServiceAccount
+  name: cloud-controller-manager
+  namespace: {{ .Release.Namespace }}

assets/charts/control-plane/packet-ccm/templates/secrets.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: packet-cloud-config
+stringData:
+  cloud-sa.json: |
+    {
+      "apiKey": "{{ .Values.apiKey }}",
+      "projectID": "{{ .Values.projectID }}"
+    }

assets/charts/control-plane/packet-ccm/values.yaml

@@ -0,0 +1,2 @@
+apiKey:
+projectID: