feat(kurl-migration): initialize kurl migration (#3207)

* detect if kurl installation is present

* set correct configmap name

* refactor utilities for kurl migration into separate package

* address feedback

* address feedback

* address feedback

* f

* address feedback

* f

* improve dry-run test

* fix dry-run tests

* f

* address feedback

* run gofmt

* refactor dry-run type methods

* address feedback

Author: diamonwiggins

cmd/installer/cli/migration.go

@@ -0,0 +1,75 @@
+package cli
+
+import (
+	"context"
+
+	"github.com/sirupsen/logrus"
+
+	"github.com/replicatedhq/embedded-cluster/pkg-new/kurl"
+	"github.com/replicatedhq/embedded-cluster/pkg/kubeutils"
+)
+
+// detectKurlMigration checks if this is a kURL cluster that needs migration to EC.
+//
+// Migration detection works by checking two SEPARATE clusters:
+//  1. kURL cluster - accessed via /etc/kubernetes/admin.conf
+//  2. EC cluster - accessed via EC's kubeconfig path (if it exists)
+//
+// The migration scenario is: kURL cluster exists, but EC cluster does not.
+//
+// Returns:
+//   - (true, nil): Migration is needed (kURL cluster exists without EC cluster)
+//   - (false, nil): Not a migration scenario, caller should continue with normal upgrade
+//   - (false, error): Detection failed
+func detectKurlMigration(ctx context.Context) (bool, error) {
+	// Check if this is a kURL cluster
+	kurlCfg, err := kurl.GetConfig(ctx)
+	if err != nil {
+		return false, err
+	}
+	if kurlCfg == nil {
+		return false, nil // Not kURL, continue normally
+	}
+
+	logrus.Debugf("Detected kURL cluster with install directory: %s", kurlCfg.InstallDir)
+
+	// Check if EC is already installed (checks separate EC cluster)
+	ecInstalled, err := isECInstalled(ctx)
+	if err != nil {
+		return false, err
+	}
+	if ecInstalled {
+		logrus.Debugf("Embedded Cluster already installed, proceeding with normal upgrade")
+		return false, nil // EC already installed, do normal upgrade
+	}
+
+	// Migration needed - kURL cluster exists without EC cluster
+	return true, nil
+}
+
+// isECInstalled checks if Embedded Cluster is already installed by checking for
+// an EC Installation resource.
+func isECInstalled(ctx context.Context) (bool, error) {
+	// Try to create a client using EC kubeconfig (separate from kURL cluster)
+	// Using kubeutils.KubeClient() allows this to work with dryrun tests
+	kcli, err := kubeutils.KubeClient()
+	if err != nil {
+		// EC kubeconfig doesn't exist or can't connect - not installed
+		return false, nil
+	}
+
+	// Check if Installation CRD exists by trying to get the latest installation
+	// This leverages the existing kubeutils.GetLatestInstallation function
+	// which returns ErrNoInstallations{} if no installations exist
+	_, err = kubeutils.GetLatestInstallation(ctx, kcli)
+	if err != nil {
+		// If the error is ErrNoInstallations, EC is not installed (normal case)
+		if _, ok := err.(kubeutils.ErrNoInstallations); ok {
+			return false, nil
+		}
+		return false, err
+	}
+
+	// Installation exists, EC is installed
+	return true, nil
+}

cmd/installer/cli/upgrade.go

@@ -19,6 +19,7 @@ import (
 	"github.com/replicatedhq/embedded-cluster/pkg-new/replicatedapi"
 	"github.com/replicatedhq/embedded-cluster/pkg-new/validation"
 	"github.com/replicatedhq/embedded-cluster/pkg/airgap"
+	"github.com/replicatedhq/embedded-cluster/pkg/dryrun"
 	"github.com/replicatedhq/embedded-cluster/pkg/helpers"
 	"github.com/replicatedhq/embedded-cluster/pkg/kubeutils"
 	"github.com/replicatedhq/embedded-cluster/pkg/metrics"
@@ -87,14 +88,35 @@ func UpgradeCmd(ctx context.Context, appSlug, appTitle string) *cobra.Command {
 				return fmt.Errorf(`invalid --target (must be: "linux")`)
 			}
 
-			if os.Getuid() != 0 {
+			// Skip root check if dryrun mode is enabled
+			if !dryrun.Enabled() && os.Getuid() != 0 {
 				return fmt.Errorf("upgrade command must be run as root")
 			}
 
 			// set the umask to 022 so that we can create files/directories with 755 permissions
 			// this does not return an error - it returns the previous umask
 			_ = syscall.Umask(0o022)
 
+			// Check if this is a kURL cluster that needs migration to Embedded Cluster.
+			migrationNeeded, err := detectKurlMigration(ctx)
+			if err != nil {
+				return fmt.Errorf("failed to detect migration scenario: %w", err)
+			}
+
+			if migrationNeeded {
+				logrus.Info("Preparing to upgrade to Embedded Cluster...")
+				logrus.Info("")
+				logrus.Info("This upgrade will be available in a future release.")
+				logrus.Info("")
+				// TBD: In a future story, this will:
+				// 1. Export the kURL password hash for authentication compatibility
+				// 2. Generate TLS certificates for the migration API
+				// 3. Start the Admin Console API in migration mode
+				// 4. Display the manager URL for the user to complete the upgrade via UI
+				// 5. Block until the user completes the upgrade or interrupts (Ctrl+C)
+				return nil
+			}
+
 			// Set up environment variables from existing runtime config
 			existingRC, err := rcutil.GetRuntimeConfigFromCluster(ctx)
 			if err != nil {

pkg-new/kurl/kurl.go

@@ -0,0 +1,113 @@
+package kurl
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/replicatedhq/embedded-cluster/pkg/kubeutils"
+)
+
+const (
+	ConfigMapName            = "kurl-config"
+	ConfigMapKey             = "kurl_install_directory"
+	DefaultInstallDir        = "/var/lib/kurl"
+	KotsadmNamespace         = "kotsadm"
+	KubeSystemNamespace      = "kube-system"
+	KotsadmPasswordSecret    = "kotsadm-password"
+	KotsadmPasswordSecretKey = "passwordBcrypt"
+)
+
+// Config holds configuration information about a kURL cluster.
+type Config struct {
+	// Client is a kubernetes client authenticated to the kURL cluster.
+	Client client.Client
+	// InstallDir is the directory where kURL installed its assets.
+	InstallDir string
+}
+
+// GetConfig attempts to detect and return configuration for a kURL cluster.
+// Returns nil if no kURL cluster is detected, or an error if detection fails.
+func GetConfig(ctx context.Context) (*Config, error) {
+	// Check if kURL's kubeconfig file exists
+	if _, err := os.Stat(kubeutils.KURLKubeconfigPath); err != nil {
+		if os.IsNotExist(err) {
+			// File doesn't exist - not a kURL cluster
+			return nil, nil
+		}
+		// File exists but can't stat it - that's an error
+		return nil, fmt.Errorf("failed to check kurl kubeconfig at %s: %w", kubeutils.KURLKubeconfigPath, err)
+	}
+
+	// Create kURL client (will use the same path logic)
+	kcli, err := kubeutils.KURLKubeClient()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create kurl client: %w", err)
+	}
+
+	// Check for kURL ConfigMap and get install directory
+	installDir, err := getInstallDirectory(ctx, kcli)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("failed to check for kurl configmap: %w", err)
+	}
+
+	return &Config{
+		Client:     kcli,
+		InstallDir: installDir,
+	}, nil
+}
+
+// getInstallDirectory reads the kURL ConfigMap in kube-system namespace
+// to determine the actual kURL installer directory (which may be customized).
+// Returns the configured directory or the default if not specified.
+func getInstallDirectory(ctx context.Context, kcli client.Client) (string, error) {
+	cm := &corev1.ConfigMap{}
+	err := kcli.Get(ctx, client.ObjectKey{
+		Namespace: KubeSystemNamespace,
+		Name:      ConfigMapName,
+	}, cm)
+	if err != nil {
+		// Return error directly without wrapping so apierrors.IsNotFound() works
+		return "", err
+	}
+
+	installDir, exists := cm.Data[ConfigMapKey]
+	if !exists || installDir == "" {
+		// Return default if not customized
+		return DefaultInstallDir, nil
+	}
+
+	return installDir, nil
+}
+
+// GetPasswordHash reads the kotsadm-password secret from the kotsadm namespace
+// and returns the bcrypt password hash. This is used during migration to preserve the
+// existing admin console password.
+func GetPasswordHash(ctx context.Context, cfg *Config, namespace string) (string, error) {
+	if namespace == "" {
+		namespace = KotsadmNamespace
+	}
+
+	secret := &corev1.Secret{}
+	err := cfg.Client.Get(ctx, client.ObjectKey{
+		Namespace: namespace,
+		Name:      KotsadmPasswordSecret,
+	}, secret)
+	if err != nil {
+		return "", fmt.Errorf("read kotsadm-password secret from cluster: %w", err)
+	}
+
+	passwordHash, exists := secret.Data[KotsadmPasswordSecretKey]
+	if !exists || len(passwordHash) == 0 {
+		return "", fmt.Errorf("kotsadm-password secret is missing required passwordBcrypt data")
+	}
+
+	return string(passwordHash), nil
+}