Feat: Initial refactor for dynamic multi-agent architecture (Part 1)

This commit lays the groundwork for a new architecture where the main
vm-dhcp-controller dynamically manages individual vm-dhcp-agent Deployments,
one per active IPPool.

Changes include:

1.  Controller RBAC: Updated the main controller's RBAC permissions to allow
    full lifecycle management (create, get, list, watch, update, patch, delete)
    of Deployments and ServiceAccounts in its namespace, and ClusterRoleBindings
    cluster-wide.

2.  IPPool Controller Refactor (`pkg/controller/ippool/controller.go`):
    - Removed the previous `syncAgentDeployment` function (which managed a single
      static agent deployment).
    - Introduced `reconcileAgentForIPPool` as the new core reconciliation logic.
    - Implemented resource naming helpers (`sanitizeNameForKubernetes`,
      `getAgentResourceName`).
    - Implemented deletion logic for agent resources (Deployment, SA, CRB)
      when an IPPool is deleted or paused.
    - Implemented create/get logic for agent ServiceAccounts and
      ClusterRoleBindings (binding to a shared agent ClusterRole),
      including setting OwnerReferences to the IPPool.
    - `OnChange` and `OnRemove` handlers now call `reconcileAgentForIPPool`.
    - The creation/update logic for the agent Deployment itself within
      `reconcileAgentForIPPool` is still a TODO.

3.  Static Agent Helm Templates Removed/Modified:
    - Deleted `chart/templates/agent-deployment.yaml` and
      `chart/templates/agent-serviceaccount.yaml`.
    - Updated `chart/templates/rbac.yaml` to define a new shared ClusterRole
      for dynamic agent instances (`{{ .Release.Name }}-vm-dhcp-agent-shared-permissions`)
      and removed the ClusterRoleBinding for the old static agent.
    - Cleaned up obsolete fields related to the static agent in `chart/values.yaml`.

The controller now expects environment variables like
`SHARED_AGENT_CLUSTERROLE_NAME` to correctly reference shared resources.

Author: google-labs-jules[bot]

chart/templates/agent-deployment.yaml

@@ -25,14 +25,28 @@ rules:
   resources: [ "virtualmachines" ]
   verbs: [ "get", "watch", "list" ]
 ---
+# This is the new shared ClusterRole for all dynamically created DHCP agents
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "harvester-vm-dhcp-controller.name" . }}-agent
+  # Name needs to be consistent and known by the main controller (e.g., via env var)
+  # Let's use a name based on Release.Name for now.
+  # This was previously {{ .Release.Name }}-dhcp-agent-clusterrole
+  # Let's rename to {{ .Release.Name }}-vm-dhcp-agent-shared-permissions
+  name: {{ .Release.Name }}-vm-dhcp-agent-shared-permissions
 rules:
-- apiGroups: [ "network.harvesterhci.io" ]
-  resources: [ "ippools", "ippools/status" ]
-  verbs: [ "get", "watch", "list" ]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"] # For leader election
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["configmaps"] # For leader election if not using leases
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "patch"]
+- apiGroups: ["network.harvesterhci.io"]
+  resources: ["ippools"] # To get its IPPool config (the one specified in IPPOOL_REF)
+  verbs: ["get", "watch", "list"] # Needs get for specific IPPool, list/watch for its cache
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -79,21 +93,22 @@ subjects:
   name: {{ include "harvester-vm-dhcp-controller.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ include "harvester-vm-dhcp-controller.name" . }}-agent
-  labels:
-  {{- include "harvester-vm-dhcp-controller.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ include "harvester-vm-dhcp-controller.name" . }}-agent
-subjects:
-- kind: ServiceAccount
-  name: {{ include "harvester-vm-dhcp-controller.serviceAccountName" . }}-agent
-  namespace: {{ .Release.Namespace }}
----
+# Removed static agent ClusterRoleBinding
+# apiVersion: rbac.authorization.k8s.io/v1
+# kind: ClusterRoleBinding
+# metadata:
+#   name: {{ include "harvester-vm-dhcp-controller.name" . }}-agent
+#   labels:
+#   {{- include "harvester-vm-dhcp-controller.labels" . | nindent 4 }}
+# roleRef:
+#   apiGroup: rbac.authorization.k8s.io
+#   kind: ClusterRole
+#   name: {{ include "harvester-vm-dhcp-controller.name" . }}-agent # This role was also removed and replaced by the shared one
+# subjects:
+# - kind: ServiceAccount
+#   name: {{ include "harvester-vm-dhcp-controller.serviceAccountName" . }}-agent # Static agent SA, no longer created by default
+#   namespace: {{ .Release.Namespace }}
+# ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -117,7 +132,32 @@ metadata:
 rules:
 - apiGroups: ["apps"]
   resources: ["deployments"]
-  verbs: ["get", "list", "watch", "patch", "update"]
+  verbs: ["get", "list", "watch", "patch", "update", "create", "delete"]
+- apiGroups: [""] # Core API group
+  resources: ["serviceaccounts"]
+  verbs: ["create", "get", "list", "watch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole # New ClusterRole to manage ClusterRoleBindings
+metadata:
+  name: {{ include "harvester-vm-dhcp-controller.name" . }}-crb-manager
+rules:
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["clusterrolebindings"]
+  verbs: ["create", "get", "list", "watch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding # Bind the new ClusterRole to the controller's SA
+metadata:
+  name: {{ include "harvester-vm-dhcp-controller.name" . }}-manage-crbs
+subjects:
+- kind: ServiceAccount
+  name: {{ include "harvester-vm-dhcp-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "harvester-vm-dhcp-controller.name" . }}-crb-manager
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

chart/templates/agent-serviceaccount.yaml

@@ -10,27 +10,23 @@ image:
   # Overrides the image tag whose default is the chart appVersion.
   tag: "main-head"
 
-# Agent configuration
+# Agent configuration (defaults for dynamically created agents)
 agent:
-  enabled: true # Controls whether agent deployment and related resources are created
-  replicaCount: 2
+  replicaCount: 1 # Each dynamic agent deployment will likely have 1 replica
   image:
     repository: rancher/harvester-vm-dhcp-agent # Specific agent image
     pullPolicy: IfNotPresent
     tag: "main-head" # Or specific version for agent
   # Flag to disable leader election within the agent pods
+  # Note: Each dynamic agent instance will perform its own leader election if not disabled.
+  # Consider if leader election is needed per-agent-instance or if a different HA model is desired.
+  # For now, keeping this, assuming each agent instance (per IPPool) might need it if it were replicated.
   noLeaderElection: false
+  # serviceAccount.create, .name and rbac.create are no longer used for a single static agent.
+  # The controller creates SAs and CRBs for each dynamic agent.
+  # Annotations for dynamically created SAs could be added here if needed.
   serviceAccount:
-    # Specifies whether a service account should be created for the agent
-    create: true
-    # Annotations to add to the agent service account
     annotations: {}
-    # The name of the service account to use for the agent.
-    # If not set and create is true, a name is generated using the fullname template + "-agent"
-    name: ""
-  rbac:
-    # Specifies whether RBAC resources (ClusterRole, ClusterRoleBinding) should be created for the agent
-    create: true
   # Pod security context for agent pods
   podSecurityContext: {}
   # Security context for agent containers