Copy dependencies of systemd units

copy pull secret file into the VM

this removes code adding the pull-secret to the
cluster using `oc`, instead it copies the  pull
secret file to /opt/crc/crc-pullsecret which is
then used by a systemd service in the bundle to
add the pull secret to the cluster for both the
openshift and microshift presets

Update cluster user passwords via systemd

this copies the generated kubeadmin and developer
user passwords to `/opt/crc/` which is then  used
by a systemd service and modifies the needed  ocp
resources

Use systemd to add the root CA for API server access

this removes the code patching the configmap admin-kubeconfig-client-ca
to use the custom CA, instead it copies the generated CA to '/opt/crc/'
which is then used by a systemd service to created the required  secret
and updates the configmap

Author: anjannath

pkg/crc/cluster/cluster.go

@@ -3,7 +3,6 @@ package cluster
 import (
 	"context"
 	"crypto/x509"
-	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"math"
@@ -179,40 +178,6 @@ func EnsureSSHKeyPresentInTheCluster(ctx context.Context, ocConfig oc.Config, ss
 	return nil
 }
 
-func EnsurePullSecretPresentInTheCluster(ctx context.Context, ocConfig oc.Config, pullSec PullSecretLoader) error {
-	if err := WaitForOpenshiftResource(ctx, ocConfig, "secret"); err != nil {
-		return err
-	}
-
-	stdout, stderr, err := ocConfig.RunOcCommandPrivate("get", "secret", "pull-secret", "-n", "openshift-config", "-o", `jsonpath="{['data']['\.dockerconfigjson']}"`)
-	if err != nil {
-		return fmt.Errorf("Failed to get pull secret %v: %s", err, stderr)
-	}
-	decoded, err := base64.StdEncoding.DecodeString(stdout)
-	if err != nil {
-		return err
-	}
-	if err := validation.ImagePullSecret(string(decoded)); err == nil {
-		return nil
-	}
-
-	logging.Info("Adding user's pull secret to the cluster...")
-	content, err := pullSec.Value()
-	if err != nil {
-		return err
-	}
-	base64OfPullSec := base64.StdEncoding.EncodeToString([]byte(content))
-	cmdArgs := []string{"patch", "secret", "pull-secret", "-p",
-		fmt.Sprintf(`'{"data":{".dockerconfigjson":"%s"}}'`, base64OfPullSec),
-		"-n", "openshift-config", "--type", "merge"}
-
-	_, stderr, err = ocConfig.RunOcCommandPrivate(cmdArgs...)
-	if err != nil {
-		return fmt.Errorf("Failed to add Pull secret %v: %s", err, stderr)
-	}
-	return nil
-}
-
 func EnsureGeneratedClientCAPresentInTheCluster(ctx context.Context, ocConfig oc.Config, sshRunner *ssh.Runner, selfSignedCACert *x509.Certificate, adminCert string) error {
 	selfSignedCAPem := crctls.CertToPem(selfSignedCACert)
 	if err := WaitForOpenshiftResource(ctx, ocConfig, "configmaps"); err != nil {
@@ -232,13 +197,10 @@ func EnsureGeneratedClientCAPresentInTheCluster(ctx context.Context, ocConfig oc
 	}
 
 	logging.Info("Updating root CA cert to admin-kubeconfig-client-ca configmap...")
-	jsonPath := fmt.Sprintf(`'{"data": {"ca-bundle.crt": %q}}'`, selfSignedCAPem)
-	cmdArgs := []string{"patch", "configmap", "admin-kubeconfig-client-ca",
-		"-n", "openshift-config", "--patch", jsonPath}
-	_, stderr, err = ocConfig.RunOcCommand(cmdArgs...)
-	if err != nil {
-		return fmt.Errorf("Failed to patch admin-kubeconfig-client-ca config map with new CA` %v: %s", err, stderr)
+	if err := sshRunner.CopyDataPrivileged(selfSignedCAPem, "/opt/crc/custom-ca.crt", 0644); err != nil {
+		return fmt.Errorf("Failed to copy generated CA file to VM: %v", err)
 	}
+
 	if err := sshRunner.CopyFile(constants.KubeconfigFilePath, ocConfig.KubeconfigPath, 0644); err != nil {
 		return fmt.Errorf("Failed to copy generated kubeconfig file to VM: %v", err)
 	}

pkg/crc/cluster/kubeadmin_password.go

@@ -13,7 +13,7 @@ import (
 
 	"github.com/crc-org/crc/v2/pkg/crc/constants"
 	"github.com/crc-org/crc/v2/pkg/crc/logging"
-	"github.com/crc-org/crc/v2/pkg/crc/oc"
+	"github.com/crc-org/crc/v2/pkg/crc/ssh"
 	"golang.org/x/crypto/bcrypt"
 )
 
@@ -29,7 +29,7 @@ func GenerateKubeAdminUserPassword() error {
 }
 
 // UpdateKubeAdminUserPassword updates the htpasswd secret
-func UpdateKubeAdminUserPassword(ctx context.Context, ocConfig oc.Config, newPassword string) error {
+func UpdateKubeAdminUserPassword(ctx context.Context, sshRunner *ssh.Runner, newPassword string) error {
 	if newPassword != "" {
 		logging.Infof("Overriding password for kubeadmin user")
 		if err := os.WriteFile(constants.GetKubeAdminPasswordPath(), []byte(strings.TrimSpace(newPassword)), 0600); err != nil {
@@ -41,39 +41,14 @@ func UpdateKubeAdminUserPassword(ctx context.Context, ocConfig oc.Config, newPas
 	if err != nil {
 		return fmt.Errorf("Cannot read the kubeadmin user password from file: %w", err)
 	}
-	credentials := map[string]string{
-		"developer": "developer",
-		"kubeadmin": kubeAdminPassword,
-	}
 
-	if err := WaitForOpenshiftResource(ctx, ocConfig, "secret"); err != nil {
+	if err := sshRunner.CopyDataPrivileged([]byte(kubeAdminPassword), "/opt/crc/pass_kubeadmin", 0600); err != nil {
 		return err
 	}
 
-	given, stderr, err := ocConfig.RunOcCommandPrivate("get", "secret", "htpass-secret", "-n", "openshift-config", "-o", `jsonpath="{.data.htpasswd}"`)
-	if err != nil {
-		return fmt.Errorf("%s:%v", stderr, err)
-	}
-	ok, externals, err := compareHtpasswd(given, credentials)
-	if err != nil {
+	if err := sshRunner.CopyDataPrivileged([]byte("developer"), "/opt/crc/pass_developer", 0600); err != nil {
 		return err
 	}
-	if ok {
-		return nil
-	}
-
-	logging.Infof("Changing the password for the kubeadmin user")
-	expected, err := getHtpasswd(credentials, externals)
-	if err != nil {
-		return err
-	}
-	cmdArgs := []string{"patch", "secret", "htpass-secret", "-p",
-		fmt.Sprintf(`'{"data":{"htpasswd":"%s"}}'`, expected),
-		"-n", "openshift-config", "--type", "merge"}
-	_, stderr, err = ocConfig.RunOcCommandPrivate(cmdArgs...)
-	if err != nil {
-		return fmt.Errorf("Failed to update kubeadmin password %v: %s", err, stderr)
-	}
 	return nil
 }
 

pkg/crc/machine/start.go

@@ -424,6 +424,15 @@ func (client *client) Start(ctx context.Context, startConfig types.StartConfig)
 		}
 	}
 
+	// copy the pull secret into /opt/crc/pull-secret in the instance
+	pullSecret, err := startConfig.PullSecret.Value()
+	if err != nil {
+		return nil, err
+	}
+	if err := sshRunner.CopyDataPrivileged([]byte(pullSecret), "/opt/crc/pull-secret", 0600); err != nil {
+		return nil, errors.Wrap(err, "Unable to send pull-secret to instance")
+	}
+
 	// Add nameserver to VM if provided by User
 	if startConfig.NameServer != "" {
 		if err = addNameServerToInstance(sshRunner, startConfig.NameServer); err != nil {
@@ -509,6 +518,11 @@ func (client *client) Start(ctx context.Context, startConfig types.StartConfig)
 		}, nil
 	}
 
+	// Send the kubeadmin and developer new passwords to the VM
+	if err := cluster.UpdateKubeAdminUserPassword(ctx, sshRunner, startConfig.KubeAdminPassword); err != nil {
+		return nil, errors.Wrap(err, "Failed to update kubeadmin user password")
+	}
+
 	// Check the certs validity inside the vm
 	logging.Info("Verifying validity of the kubelet certificates...")
 	certsExpired, err := cluster.CheckCertsValidity(sshRunner)
@@ -541,10 +555,6 @@ func (client *client) Start(ctx context.Context, startConfig types.StartConfig)
 		return nil, err
 	}
 
-	if err := cluster.EnsurePullSecretPresentInTheCluster(ctx, ocConfig, startConfig.PullSecret); err != nil {
-		return nil, errors.Wrap(err, "Failed to update cluster pull secret")
-	}
-
 	if err := cluster.EnsureSSHKeyPresentInTheCluster(ctx, ocConfig, constants.GetPublicKeyPath()); err != nil {
 		return nil, errors.Wrap(err, "Failed to update ssh public key to machine config")
 	}
@@ -553,10 +563,6 @@ func (client *client) Start(ctx context.Context, startConfig types.StartConfig)
 		return nil, errors.Wrap(err, "Failed to update pull secret on the disk")
 	}
 
-	if err := cluster.UpdateKubeAdminUserPassword(ctx, ocConfig, startConfig.KubeAdminPassword); err != nil {
-		return nil, errors.Wrap(err, "Failed to update kubeadmin user password")
-	}
-
 	if client.monitoringEnabled() {
 		logging.Info("Enabling cluster monitoring operator...")
 		if err := cluster.StartMonitoring(ocConfig); err != nil {