Allow defaulting annotations for LB services (#2)

Used to inject `service.beta.kubernetes.io/exoscale-loadbalancer-service-instancepool-id`. The annotation is required for the LB service to work.

The CCM deployment is moved to a subdir to allow separating the files in the setup process.

Author: bastjan

class/defaults.yml

@@ -16,3 +16,5 @@ parameters:
 
     nodeSelector:
       node-role.kubernetes.io/control-plane: ""
+
+    serviceLoadBalancerDefaultAnnotations: {}

class/exoscale-cloud-controller-manager.yml

@@ -16,4 +16,8 @@ parameters:
       - input_paths:
           - ${_base_directory}/component/main.jsonnet
         input_type: jsonnet
-        output_path: exoscale-cloud-controller-manager/
+        output_path: exoscale-cloud-controller-manager/manager
+      - input_paths:
+          - ${_base_directory}/component/service-loadbalancer-default-annotations.jsonnet
+        input_type: jsonnet
+        output_path: exoscale-cloud-controller-manager/support

component/espejote-templates/service-loadbalancer-default-annotations.jsonnet

@@ -0,0 +1,30 @@
+local esp = import 'espejote.libsonnet';
+local defaultAnnotations = import 'service-loadbalancer-default-annotations/annotations.json';
+
+local lbServices = std.filter(
+  function(s) std.get(s.spec, 'type') == 'LoadBalancer',
+  esp.context().services
+);
+
+local defaultedAnnotationsForService = function(s) {
+  [if !std.objectHas(std.get(s.metadata, 'annotations', {}), k) then k]: defaultAnnotations[k]
+  for k in std.objectFields(defaultAnnotations)
+};
+
+local annotationPatchForService = function(s) {
+  apiVersion: s.apiVersion,
+  kind: s.kind,
+  metadata: {
+    name: s.metadata.name,
+    namespace: s.metadata.namespace,
+    annotations: defaultedAnnotationsForService(s),
+  },
+};
+
+std.filter(
+  function(p) p.metadata.annotations != {},
+  std.map(
+    annotationPatchForService,
+    lbServices,
+  ),
+)

component/service-loadbalancer-default-annotations.jsonnet

@@ -0,0 +1,82 @@
+local esp = import 'lib/espejote.libsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+
+local inv = kap.inventory();
+local params = inv.parameters.exoscale_cloud_controller_manager;
+
+local namespace = params.namespace;
+
+local sa = kube.ServiceAccount('service-loadbalancer-default-annotations-manager') {
+  metadata+: {
+    namespace: namespace,
+  },
+};
+
+local cr = kube.ClusterRole('espejote:service-loadbalancer-default-annotations') {
+  rules: [
+    {
+      apiGroups: [ '' ],
+      resources: [ 'services' ],
+      verbs: [ 'get', 'list', 'watch', 'update', 'patch' ],
+    },
+  ],
+};
+
+local crb = kube.ClusterRoleBinding('espejote:service-loadbalancer-default-annotations') {
+  roleRef_: cr,
+  subjects_: [ sa ],
+};
+
+local jsonnetlib = esp.jsonnetLibrary('service-loadbalancer-default-annotations', namespace) {
+  spec: {
+    data: {
+      'annotations.json': std.manifestJson(params.serviceLoadBalancerDefaultAnnotations),
+    },
+  },
+};
+
+local managedresource =
+  assert std.member(inv.applications, 'espejote') : 'The serviceLoadBalancerDefaultAnnotations patch depends on espejote';
+  esp.managedResource('service-loadbalancer-default-annotations', namespace) {
+    metadata+: {
+      annotations: {
+        'syn.tools/description': |||
+          This ManagedResource adds default annotations to all services with `spec.type: LoadBalancer`.
+          Annotations are taken from a JsonnetLibrary with the same name.
+          The JsonnetLibrary contains a file `annotations.json` with the annotations to be added.
+          If an annotation is already set on the service, it will not be overridden.
+        |||,
+      },
+    },
+    spec: {
+      serviceAccountRef: { name: sa.metadata.name },
+      context: [
+        {
+          name: 'services',
+          resource: {
+            apiVersion: 'v1',
+            kind: 'Service',
+            namespace: '',
+          },
+        },
+      ],
+      triggers: [
+        {
+          name: 'service',
+          watchContextResource: {
+            name: 'services',
+          },
+        },
+      ],
+      template: importstr 'espejote-templates/service-loadbalancer-default-annotations.jsonnet',
+    },
+  };
+
+if std.length(params.serviceLoadBalancerDefaultAnnotations) > 0 then
+  {
+    '50_service_loadbalancer_default_annotations_rbac': [ namespace, sa, cr, crb ],
+    '50_service_loadbalancer_default_annotations_managedresource': [ jsonnetlib, managedresource ],
+  }
+else
+  {}

docs/modules/ROOT/pages/references/parameters.adoc

@@ -44,3 +44,20 @@ default:: `{node-role.kubernetes.io/control-plane: ""}`
 
 The node selector for the cloud-controller-manager deployment.
 Change this if you don't want to run the cloud-controller-manager on your cluster's control plane nodes.
+
+== `serviceLoadBalancerDefaultAnnotations`
+
+[horizontal]
+type:: dictionary
+default:: `{}`
+example::
++
+[source,yaml]
+----
+serviceLoadBalancerDefaultAnnotations:
+  service.beta.kubernetes.io/exoscale-loadbalancer-service-instancepool-id: 7026DCCB-39B4-451B-AB38-EB527CC836A4
+----
+
+Creates an espejote `ManagedResource` adding default annotations to Services with `spec.type: LoadBalancer`.
+
+Can be used to inject the `service.beta.kubernetes.io/exoscale-loadbalancer-service-instancepool-id` annotation which is required to create a LoadBalancer on Exoscale.

tests/defaults.yml

@@ -1,6 +1,17 @@
-# Overwrite parameters here
+applications:
+  - espejote
 
 parameters:
   facts:
     cloud: exoscale
     region: ch-gva-2
+
+  kapitan:
+    dependencies:
+      - type: https
+        source: https://raw.githubusercontent.com/projectsyn/component-espejote/v0.2.0/lib/espejote.libsonnet
+        output_path: vendor/lib/espejote.libsonnet
+
+  exoscale_cloud_controller_manager:
+    serviceLoadBalancerDefaultAnnotations:
+      service.beta.kubernetes.io/exoscale-loadbalancer-service-instancepool-id: 7026dccb-39b4-451b-ab38-eb527cc836a4