Sync

scylladb · Jun 24, 2024 · 5b15d2b · 5b15d2b
1 parent 25f1cf9
commit 5b15d2b
Show file tree

Hide file tree

Showing 21 changed files with 166 additions and 39 deletions.
diff --git a/deploy/manager/dev/50_scyllacluster.yaml b/deploy/manager/dev/50_scyllacluster.yaml
@@ -24,3 +24,9 @@ spec:
           requests:
             cpu: 10m
             memory: 100Mi
+        placement:
+          tolerations:
+          - key: role
+            operator: Equal
+            value: scylla-clusters
+            effect: NoSchedule
diff --git a/deploy/manager/prod/50_scyllacluster.yaml b/deploy/manager/prod/50_scyllacluster.yaml
@@ -24,3 +24,9 @@ spec:
         requests:
           cpu: 1
           memory: 200Mi
+      placement:
+        tolerations:
+        - key: role
+          operator: Equal
+          value: scylla-clusters
+          effect: NoSchedule
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
@@ -61,6 +61,12 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/finalizers
+  verbs:
+  - update
 - apiGroups:
   - ""
   resources:
@@ -96,6 +102,7 @@ rules:
   resources:
   - statefulsets
   - daemonsets
+  - daemonsets/finalizers
   - deployments
   verbs:
   - create
@@ -115,7 +122,9 @@ rules:
   - scylla.scylladb.com
   resources:
   - scyllaclusters
+  - scyllaclusters/finalizers
   - scylladbmonitorings
+  - scylladbmonitorings/finalizers
   verbs:
   - create
   - delete
@@ -139,6 +148,7 @@ rules:
   - ""
   resources:
   - configmaps
+  - configmaps/finalizers
   verbs:
   - create
   - delete
@@ -175,6 +185,8 @@ rules:
   - scylla.scylladb.com
   resources:
   - nodeconfigs
+  - nodeconfigs/status
+  - nodeconfigs/finalizers
   verbs:
   - create
   - delete
@@ -210,18 +222,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - scylla.scylladb.com
-  resources:
-  - nodeconfigs/status
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - batch
   resources:
@@ -284,6 +284,14 @@ rules:
   - patch
   - update
   - delete
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - privileged
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
 
 ---
 apiVersion: v1
@@ -5094,6 +5102,7 @@ rules:
   - ""
   resources:
   - configmaps
+  - configmaps/finalizers
   verbs:
   - get
   - list
@@ -5123,6 +5132,14 @@ rules:
   - scyllaclusters
   verbs:
   - get
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - privileged
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/deploy/operator/00_clusterrole_def.yaml b/deploy/operator/00_clusterrole_def.yaml
@@ -51,6 +51,12 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/finalizers
+  verbs:
+  - update
 - apiGroups:
   - ""
   resources:
@@ -86,6 +92,7 @@ rules:
   resources:
   - statefulsets
   - daemonsets
+  - daemonsets/finalizers
   - deployments
   verbs:
   - create
@@ -105,7 +112,9 @@ rules:
   - scylla.scylladb.com
   resources:
   - scyllaclusters
+  - scyllaclusters/finalizers
   - scylladbmonitorings
+  - scylladbmonitorings/finalizers
   verbs:
   - create
   - delete
@@ -129,6 +138,7 @@ rules:
   - ""
   resources:
   - configmaps
+  - configmaps/finalizers
   verbs:
   - create
   - delete
@@ -165,6 +175,8 @@ rules:
   - scylla.scylladb.com
   resources:
   - nodeconfigs
+  - nodeconfigs/status
+  - nodeconfigs/finalizers
   verbs:
   - create
   - delete
@@ -200,18 +212,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - scylla.scylladb.com
-  resources:
-  - nodeconfigs/status
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - batch
   resources:
@@ -274,3 +274,11 @@ rules:
   - patch
   - update
   - delete
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - privileged
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
diff --git a/deploy/operator/00_scyllacluster_member_clusterrole_def.yaml b/deploy/operator/00_scyllacluster_member_clusterrole_def.yaml
@@ -24,6 +24,7 @@ rules:
   - ""
   resources:
   - configmaps
+  - configmaps/finalizers
   verbs:
   - get
   - list
@@ -53,3 +54,11 @@ rules:
   - scyllaclusters
   verbs:
   - get
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - privileged
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
diff --git a/examples/eks/nodeconfig-alpha.yaml b/examples/eks/nodeconfig-alpha.yaml
@@ -9,7 +9,7 @@ spec:
       type: xfs
     mounts:
     - device: /dev/md/nvmes
-      mountPoint: /mnt/persistent-volumes
+      mountPoint: /var/mnt/persistent-volumes
       unsupportedOptions:
       - prjquota
     raids:

diff --git a/examples/gke/nodeconfig-alpha.yaml b/examples/gke/nodeconfig-alpha.yaml
@@ -9,7 +9,7 @@ spec:
       type: xfs
     mounts:
     - device: /dev/md/nvmes
-      mountPoint: /mnt/persistent-volumes
+      mountPoint: /var/mnt/persistent-volumes
       unsupportedOptions:
       - prjquota
     raids:

diff --git a/examples/third-party/haproxy-ingress/10_haproxy-ingress.role.yaml b/examples/third-party/haproxy-ingress/10_haproxy-ingress.role.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: haproxy-ingress
+rules:
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - privileged
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
diff --git a/...aproxy-ingress/10_clusterrolebinding.yaml → ...aproxy-ingress/20_clusterrolebinding.yaml b/...aproxy-ingress/10_clusterrolebinding.yaml → ...aproxy-ingress/20_clusterrolebinding.yaml
diff --git a/examples/third-party/haproxy-ingress/20_haproxy-ingress.rolebinding.yaml b/examples/third-party/haproxy-ingress/20_haproxy-ingress.rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: haproxy-ingress
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: haproxy-ingress
+subjects:
+- kind: ServiceAccount
+  name: haproxy-ingress
+  namespace: haproxy-ingress
diff --git a/...xy-ingress/10_prometheus.rolebinding.yaml → ...xy-ingress/20_prometheus.rolebinding.yaml b/...xy-ingress/10_prometheus.rolebinding.yaml → ...xy-ingress/20_prometheus.rolebinding.yaml
diff --git a/...xy-ingress/10_haproxy-ingress.deploy.yaml → ...xy-ingress/50_haproxy-ingress.deploy.yaml b/...xy-ingress/10_haproxy-ingress.deploy.yaml → ...xy-ingress/50_haproxy-ingress.deploy.yaml
diff --git a/...ss/10_ingress-default-backend.deploy.yaml → ...ss/50_ingress-default-backend.deploy.yaml b/...ss/10_ingress-default-backend.deploy.yaml → ...ss/50_ingress-default-backend.deploy.yaml
diff --git a/...haproxy-ingress/10_prometheus.deploy.yaml → ...haproxy-ingress/50_prometheus.deploy.yaml b/...haproxy-ingress/10_prometheus.deploy.yaml → ...haproxy-ingress/50_prometheus.deploy.yaml
diff --git a/hack/.ci/manifests/namespaces/local-csi-driver/10_provisioner_clusterrole.yaml b/hack/.ci/manifests/namespaces/local-csi-driver/10_provisioner_clusterrole.yaml
@@ -3,6 +3,14 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: scylladb:csi-external-provisioner
 rules:
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - privileged
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
 - apiGroups:
   - ""
   resources:

diff --git a/hack/ci-deploy.sh b/hack/ci-deploy.sh
@@ -69,6 +69,7 @@ if [[ -z "${SO_CSI_DRIVER_PATH:-}" ]]; then
   echo "Skipping CSI driver creation"
 else
   kubectl_create -n=local-csi-driver -f="${SO_CSI_DRIVER_PATH}"
+  kubectl -n=local-csi-driver rollout status -f="${SO_CSI_DRIVER_PATH}"
 fi
 
 kubectl_create -f "${DEPLOY_DIR}"/manager

diff --git a/helm/scylla-manager/values.yaml b/helm/scylla-manager/values.yaml
@@ -89,6 +89,12 @@ scylla:
       requests:
         cpu: 1
         memory: 200Mi
+  placement:
+    tolerations:
+    - key: role
+      operator: Equal
+      value: scylla-clusters
+      effect: NoSchedule
 
 # Whether to create Prometheus ServiceMonitor
 serviceMonitor:

diff --git a/helm/scylla-operator/templates/clusterrole_def.yaml b/helm/scylla-operator/templates/clusterrole_def.yaml
@@ -51,6 +51,12 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/finalizers
+  verbs:
+  - update
 - apiGroups:
   - ""
   resources:
@@ -86,6 +92,7 @@ rules:
   resources:
   - statefulsets
   - daemonsets
+  - daemonsets/finalizers
   - deployments
   verbs:
   - create
@@ -105,7 +112,9 @@ rules:
   - scylla.scylladb.com
   resources:
   - scyllaclusters
+  - scyllaclusters/finalizers
   - scylladbmonitorings
+  - scylladbmonitorings/finalizers
   verbs:
   - create
   - delete
@@ -129,6 +138,7 @@ rules:
   - ""
   resources:
   - configmaps
+  - configmaps/finalizers
   verbs:
   - create
   - delete
@@ -165,6 +175,8 @@ rules:
   - scylla.scylladb.com
   resources:
   - nodeconfigs
+  - nodeconfigs/status
+  - nodeconfigs/finalizers
   verbs:
   - create
   - delete
@@ -200,18 +212,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - scylla.scylladb.com
-  resources:
-  - nodeconfigs/status
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - batch
   resources:
@@ -274,3 +274,11 @@ rules:
   - patch
   - update
   - delete
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - privileged
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use