Implement MachinePool Machines in CAPI, CAPD, and clusterctl

Author: Jont828

api/v1beta1/common_types.go

@@ -61,6 +61,11 @@ const (
 	// update that disallows a pre-existing Cluster to be populated with Topology information and Class.
 	ClusterTopologyUnsafeUpdateClassNameAnnotation = "unsafe.topology.cluster.x-k8s.io/disable-update-class-name-check"
 
+	// FallbackMachineLabel indicates that a Machine belongs to a MachinePool that does not support MachinePool Machines.
+	// As such, these Machines exist to create a consistent user experience and will not have an infrastructure reference. The user will
+	// also be prevented from deleting these Machines.
+	FallbackMachineLabel = "machinepool.cluster.x-k8s.io/fallback-machine"
+
 	// ProviderNameLabel is the label set on components in the provider manifest.
 	// This label allows to easily identify all the components belonging to a provider; the clusterctl
 	// tool uses this label for implementing provider's lifecycle operations.
@@ -151,6 +156,15 @@ const (
 	// VariableDefinitionFromInline indicates a patch or variable was defined in the `.spec` of a ClusterClass
 	// rather than from an external patch extension.
 	VariableDefinitionFromInline = "inline"
+
+	// ServiceAccountGroupName is the group name for service accounts.
+	ServiceAccountGroupName = "system:serviceaccounts"
+
+	// CAPIServiceAccountGroupName is the group name for service accounts in the capi-system namespace.
+	CAPIServiceAccountGroupName = "system:serviceaccounts:capi-system"
+
+	// CAPIServiceAccountUsername is the name for the service account used by the CAPI core controller manager.
+	CAPIServiceAccountUsername = "system:serviceaccount:capi-system:capi-manager"
 )
 
 // NodeUninitializedTaint can be added to Nodes at creation by the bootstrap provider, e.g. the

api/v1beta1/machine_types.go

@@ -43,6 +43,10 @@ const (
 	// MachineDeploymentNameLabel is the label set on machines if they're controlled by MachineDeployment.
 	MachineDeploymentNameLabel = "cluster.x-k8s.io/deployment-name"
 
+	// MachinePoolNameLabel is the label indicating the name of the MachinePool a Machine is controlled by.
+	// Note: The value of this label may be a hash if the MachinePool name is longer than 63 characters.
+	MachinePoolNameLabel = "cluster.x-k8s.io/pool-name"
+
 	// MachineControlPlaneNameLabel is the label set on machines if they're controlled by a ControlPlane.
 	// Note: The value of this label may be a hash if the control plane name is longer than 63 characters.
 	MachineControlPlaneNameLabel = "cluster.x-k8s.io/control-plane-name"

api/v1beta1/machine_webhook.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1beta1
 
 import (
+	"context"
 	"fmt"
 	"strings"
 	"time"
@@ -27,6 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	"sigs.k8s.io/cluster-api/util/version"
 )
@@ -35,14 +37,15 @@ const defaultNodeDeletionTimeout = 10 * time.Second
 
 func (m *Machine) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
-		For(m).
+		For(&Machine{}).
+		WithValidator(MachineValidator(mgr.GetScheme())).
 		Complete()
 }
 
-// +kubebuilder:webhook:verbs=create;update,path=/validate-cluster-x-k8s-io-v1beta1-machine,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=cluster.x-k8s.io,resources=machines,versions=v1beta1,name=validation.machine.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
-// +kubebuilder:webhook:verbs=create;update,path=/mutate-cluster-x-k8s-io-v1beta1-machine,mutating=true,failurePolicy=fail,matchPolicy=Equivalent,groups=cluster.x-k8s.io,resources=machines,versions=v1beta1,name=default.machine.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
+// +kubebuilder:webhook:verbs=create;update;delete,path=/validate-cluster-x-k8s-io-v1beta1-machine,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=cluster.x-k8s.io,resources=machines,versions=v1beta1,name=validation.machine.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
+// +kubebuilder:webhook:verbs=create;update;delete,path=/mutate-cluster-x-k8s-io-v1beta1-machine,mutating=true,failurePolicy=fail,matchPolicy=Equivalent,groups=cluster.x-k8s.io,resources=machines,versions=v1beta1,name=default.machine.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1;v1beta1
 
-var _ webhook.Validator = &Machine{}
+var _ webhook.CustomValidator = &machineValidator{}
 var _ webhook.Defaulter = &Machine{}
 
 // Default implements webhook.Defaulter so a webhook will be registered for the type.
@@ -57,7 +60,10 @@ func (m *Machine) Default() {
 	}
 
 	if m.Spec.InfrastructureRef.Namespace == "" {
-		m.Spec.InfrastructureRef.Namespace = m.Namespace
+		// Don't autofill namespace for MachinePool Machines since the infraRef will be populated by the MachinePool controller.
+		if !isMachinePoolMachine(m) {
+			m.Spec.InfrastructureRef.Namespace = m.Namespace
+		}
 	}
 
 	if m.Spec.Version != nil && !strings.HasPrefix(*m.Spec.Version, "v") {
@@ -70,36 +76,96 @@ func (m *Machine) Default() {
 	}
 }
 
+// MachineValidator creates a new CustomValidator for Machines.
+func MachineValidator(scheme *runtime.Scheme) webhook.CustomValidator {
+	// Note: The error return parameter is always nil and will be dropped with the next CR release.
+	decoder, _ := admission.NewDecoder(scheme)
+	return &machineValidator{
+		decoder: decoder,
+	}
+}
+
+// machineValidator implements a defaulting webhook for Machine.
+type machineValidator struct {
+	decoder *admission.Decoder
+}
+
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
-func (m *Machine) ValidateCreate() error {
+func (*machineValidator) ValidateCreate(_ context.Context, obj runtime.Object) error {
+	m, ok := obj.(*Machine)
+	if !ok {
+		return apierrors.NewBadRequest(fmt.Sprintf("expected a Machine but got a %T", obj))
+	}
+
 	return m.validate(nil)
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type.
-func (m *Machine) ValidateUpdate(old runtime.Object) error {
-	oldM, ok := old.(*Machine)
+func (*machineValidator) ValidateUpdate(_ context.Context, oldObj runtime.Object, newObj runtime.Object) error {
+	newM, ok := newObj.(*Machine)
+	if !ok {
+		return apierrors.NewBadRequest(fmt.Sprintf("expected a Machine but got a %T", newObj))
+	}
+
+	oldM, ok := oldObj.(*Machine)
 	if !ok {
-		return apierrors.NewBadRequest(fmt.Sprintf("expected a Machine but got a %T", old))
+		return apierrors.NewBadRequest(fmt.Sprintf("expected a Machine but got a %T", oldObj))
 	}
-	return m.validate(oldM)
+	return newM.validate(oldM)
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type.
-func (m *Machine) ValidateDelete() error {
+func (*machineValidator) ValidateDelete(ctx context.Context, obj runtime.Object) error {
+	m, ok := obj.(*Machine)
+	if !ok {
+		return apierrors.NewBadRequest(fmt.Sprintf("expected a Machine but got a %T", obj))
+	}
+
+	req, err := admission.RequestFromContext(ctx)
+	if err != nil {
+		return apierrors.NewBadRequest(fmt.Sprintf("expected a admission.Request inside context: %v", err))
+	}
+
+	// Fallback machines are placeholders for InfraMachinePools that do not support MachinePool Machines. These have
+	// no bootstrap or infrastructure data and cannot be deleted by users. They instead exist to provide a consistent
+	// user experience for MachinePool Machines.
+	if _, isFallbackMachine := m.Labels[FallbackMachineLabel]; isFallbackMachine {
+		if !isControllerRequest(req) {
+			return apierrors.NewBadRequest("this Machine is a placeholder for InfraMachinePools that do not support MachinePool Machines and cannot be deleted by users, scale down the MachinePool instead to delete")
+		}
+	}
+
 	return nil
 }
 
+func isControllerRequest(req admission.Request) bool {
+	if req.UserInfo.Username == CAPIServiceAccountUsername {
+		return true
+	}
+
+	for _, group := range req.UserInfo.Groups {
+		if group == ServiceAccountGroupName || group == CAPIServiceAccountGroupName {
+			return true
+		}
+	}
+
+	return false
+}
+
 func (m *Machine) validate(old *Machine) error {
 	var allErrs field.ErrorList
 	specPath := field.NewPath("spec")
 	if m.Spec.Bootstrap.ConfigRef == nil && m.Spec.Bootstrap.DataSecretName == nil {
-		allErrs = append(
-			allErrs,
-			field.Required(
-				specPath.Child("bootstrap", "data"),
-				"expected either spec.bootstrap.dataSecretName or spec.bootstrap.configRef to be populated",
-			),
-		)
+		// MachinePool Machines don't have a bootstrap configRef, so don't require it. The bootstrap config is instead owned by the MachinePool.
+		if !isMachinePoolMachine(m) {
+			allErrs = append(
+				allErrs,
+				field.Required(
+					specPath.Child("bootstrap", "data"),
+					"expected either spec.bootstrap.dataSecretName or spec.bootstrap.configRef to be populated",
+				),
+			)
+		}
 	}
 
 	if m.Spec.Bootstrap.ConfigRef != nil && m.Spec.Bootstrap.ConfigRef.Namespace != m.Namespace {
@@ -113,15 +179,18 @@ func (m *Machine) validate(old *Machine) error {
 		)
 	}
 
-	if m.Spec.InfrastructureRef.Namespace != m.Namespace {
-		allErrs = append(
-			allErrs,
-			field.Invalid(
-				specPath.Child("infrastructureRef", "namespace"),
-				m.Spec.InfrastructureRef.Namespace,
-				"must match metadata.namespace",
-			),
-		)
+	// InfraRef can be empty for MachinePool Machines so skip the check in that case.
+	if !isMachinePoolMachine(m) {
+		if m.Spec.InfrastructureRef.Namespace != m.Namespace {
+			allErrs = append(
+				allErrs,
+				field.Invalid(
+					specPath.Child("infrastructureRef", "namespace"),
+					m.Spec.InfrastructureRef.Namespace,
+					"must match metadata.namespace",
+				),
+			)
+		}
 	}
 
 	if old != nil && old.Spec.ClusterName != m.Spec.ClusterName {
@@ -142,3 +211,17 @@ func (m *Machine) validate(old *Machine) error {
 	}
 	return apierrors.NewInvalid(GroupVersion.WithKind("Machine").GroupKind(), m.Name, allErrs)
 }
+
+func isMachinePoolMachine(m *Machine) bool {
+	if m.OwnerReferences == nil {
+		return false
+	}
+
+	for _, owner := range m.OwnerReferences {
+		if owner.Kind == "MachinePool" {
+			return true
+		}
+	}
+
+	return false
+}