Add basic OpenShift support, permissions and path fixes

scylladb · Dec 27, 2024 · 7b5d7ee · 7b5d7ee
1 parent ed87226
commit 7b5d7ee
Show file tree

Hide file tree

Showing 48 changed files with 459 additions and 41 deletions.
diff --git a/Makefile b/Makefile
@@ -374,14 +374,19 @@ define generate-operator-manifests
 
 	mv '$(3)'/scylla-operator/templates/operator.clusterrole.yaml '$(2)'/00_operator.clusterrole.yaml
 	mv '$(3)'/scylla-operator/templates/operator.clusterrole_def.yaml '$(2)'/00_operator.clusterrole_def.yaml
+	mv '$(3)'/scylla-operator/templates/operator.clusterrole_def_openshift.yaml '$(2)'/00_operator.clusterrole_def_openshift.yaml
 	mv '$(3)'/scylla-operator/templates/operator_remote.clusterrole.yaml '$(2)'/00_operator_remote.clusterrole.yaml
 	mv '$(3)'/scylla-operator/templates/operator_remote.clusterrole_def.yaml '$(2)'/00_operator_remote.clusterrole_def.yaml
 	mv '$(3)'/scylla-operator/templates/view_clusterrole.yaml '$(2)'/00_scyllacluster_clusterrole_view.yaml
 	mv '$(3)'/scylla-operator/templates/edit_clusterrole.yaml '$(2)'/00_scyllacluster_clusterrole_edit.yaml
 	mv '$(3)'/scylla-operator/templates/scyllacluster_member_clusterrole.yaml '$(2)'/00_scyllacluster_member_clusterrole.yaml
 	mv '$(3)'/scylla-operator/templates/scyllacluster_member_clusterrole_def.yaml '$(2)'/00_scyllacluster_member_clusterrole_def.yaml
+	mv '$(3)'/scylla-operator/templates/scyllacluster_member_clusterrole_def_openshift.yaml '$(2)'/00_scyllacluster_member_clusterrole_def_openshift.yaml
 	mv '$(3)'/scylla-operator/templates/scylladbmonitoring_prometheus_clusterrole.yaml '$(2)'/00_scylladbmonitoring_prometheus_clusterrole.yaml
 	mv '$(3)'/scylla-operator/templates/scylladbmonitoring_prometheus_clusterrole_def.yaml '$(2)'/00_scylladbmonitoring_prometheus_clusterrole_def.yaml
+	mv '$(3)'/scylla-operator/templates/scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml '$(2)'/00_scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml
+	mv '$(3)'/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole.yaml '$(2)'/00_scylladbmonitoring_grafana_clusterrole.yaml
+	mv '$(3)'/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole_def_openshift.yaml '$(2)'/00_scylladbmonitoring_grafana_clusterrole_def_openshift.yaml
 
 	mv '$(3)'/scylla-operator/templates/issuer.yaml '$(2)'/10_issuer.yaml
 	mv '$(3)'/scylla-operator/templates/certificate.yaml '$(2)'/10_certificate.yaml
@@ -415,6 +420,7 @@ define generate-manager-manifests-prod
 	mv '$(3)'/scylla-manager/templates/manager_service.yaml '$(2)'/10_manager_service.yaml
 	mv '$(3)'/scylla-manager/templates/manager_serviceaccount.yaml '$(2)'/10_manager_serviceaccount.yaml
 	mv '$(3)'/scylla-manager/templates/manager_configmap.yaml '$(2)'/10_manager_configmap.yaml
+	mv '$(3)'/scylla-manager/templates/manager_networkpolicy.yaml '$(2)'/10_manager_networkpolicy.yaml
 
 	mv '$(3)'/scylla-manager/templates/controller_clusterrolebinding.yaml '$(2)'/20_controller_clusterrolebinding.yaml
 
@@ -517,7 +523,6 @@ verify-deploy:
 	$(diff) -r '$(tmp_dir)'/manager/dev deploy/manager/dev
 	$(call concat-manifests,$(sort $(wildcard ./deploy/manager/dev/*.yaml)),'$(tmp_dir)'/manager-dev.yaml)
 	$(diff) '$(tmp_dir)'/manager-dev.yaml deploy/manager-dev.yaml
-
 .PHONY: verify-deploy
 
 # $1 - file name

diff --git a/assets/monitoring/grafana/v1alpha1/deployment.yaml b/assets/monitoring/grafana/v1alpha1/deployment.yaml
@@ -15,6 +15,7 @@ spec:
       labels:
         scylla-operator.scylladb.com/deployment-name: "{{ .scyllaDBMonitoringName }}-grafana"
     spec:
+      serviceAccountName: "{{ .scyllaDBMonitoringName }}-grafana"
       affinity:
         {{- .affinity | toYAML | nindent 8 }}
       tolerations:

diff --git a/assets/monitoring/grafana/v1alpha1/registry.go b/assets/monitoring/grafana/v1alpha1/registry.go
@@ -11,6 +11,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -31,6 +32,12 @@ var (
 		return ParseObjectTemplateOrDie[*corev1.ServiceAccount]("grafana-sa", grafanaSATemplateString)
 	})
 
+	//go:embed "rolebinding.yaml"
+	grafanaRoleBindingTemplateString string
+	GrafanaRoleBindingTemplate       = lazy.New(func() *assets.ObjectTemplate[*rbacv1.RoleBinding] {
+		return ParseObjectTemplateOrDie[*rbacv1.RoleBinding]("grafana-rolebinding", grafanaRoleBindingTemplateString)
+	})
+
 	//go:embed "configs.cm.yaml"
 	grafanaConfigsTemplateString string
 	GrafanaConfigsTemplate       = lazy.New(func() *assets.ObjectTemplate[*corev1.ConfigMap] {

diff --git a/assets/monitoring/grafana/v1alpha1/rolebinding.yaml b/assets/monitoring/grafana/v1alpha1/rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "{{ .scyllaDBMonitoringName }}-grafana"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: scylladb:monitoring:grafana
+subjects:
+- kind: ServiceAccount
+  name: "{{ .scyllaDBMonitoringName }}-grafana"
+  namespace: "{{ .namespace }}"
diff --git a/docs/source/resources/nodeconfigs.md b/docs/source/resources/nodeconfigs.md
@@ -22,7 +22,7 @@ spec:
       type: xfs
     mounts:
     - device: /dev/md/nvmes
-      mountPoint: /mnt/persistent-volumes
+      mountPoint: /var/lib/persistent-volumes
       unsupportedOptions:
       - prjquota
   placement:

diff --git a/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole.yaml b/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: scylladb:csi-external-provisioner
+aggregationRule:
+  clusterRoleSelectors:
+  - matchLabels:
+      rbac.operator.scylladb.com/aggregate-to-csi-external-provisioner: "true"
diff --git a/...si-driver/10_provisioner_clusterrole.yaml → .../local-csi-driver/00_clusterrole_def.yaml b/...si-driver/10_provisioner_clusterrole.yaml → .../local-csi-driver/00_clusterrole_def.yaml
@@ -1,7 +1,9 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: scylladb:csi-external-provisioner
+  name: scylladb:aggregate-to-csi-external-provisioner
+  labels:
+    rbac.operator.scylladb.com/aggregate-to-csi-external-provisioner: "true"
 rules:
 - apiGroups:
   - ""

diff --git a/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole_def_openshift.yaml b/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole_def_openshift.yaml
@@ -0,0 +1,15 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: scylladb:aggregate-to-csi-external-provisioner-openshift
+  labels:
+    rbac.operator.scylladb.com/aggregate-to-csi-external-provisioner: "true"
+rules:
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - privileged
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
diff --git a/...-csi-driver/10_driver.serviceaccount.yaml → ...r/local-csi-driver/10_serviceaccount.yaml b/...-csi-driver/10_driver.serviceaccount.yaml → ...r/local-csi-driver/10_serviceaccount.yaml
diff --git a/...er/20_provisioner_clusterrolebinding.yaml → ...cal-csi-driver/20_clusterrolebinding.yaml b/...er/20_provisioner_clusterrolebinding.yaml → ...cal-csi-driver/20_clusterrolebinding.yaml
diff --git a/examples/common/local-volume-provisioner/local-csi-driver/50_daemonset.yaml b/examples/common/local-volume-provisioner/local-csi-driver/50_daemonset.yaml
@@ -29,7 +29,7 @@ spec:
         args:
         - --listen=/csi/csi.sock
         - --node-name=$(NODE_NAME)
-        - --volumes-dir=/mnt/persistent-volumes
+        - --volumes-dir=/var/lib/persistent-volumes
         - --v=2
         env:
         - name: NODE_NAME
@@ -43,7 +43,7 @@ spec:
         - name: plugin-dir
           mountPath: /csi
         - name: volumes-dir
-          mountPath: /mnt/persistent-volumes
+          mountPath: /var/lib/persistent-volumes
         ports:
         - name: healthz
           containerPort: 9809
@@ -121,5 +121,5 @@ spec:
           type: Directory
       - name: volumes-dir
         hostPath:
-          path: /mnt/persistent-volumes
+          path: /var/lib/persistent-volumes
           type: Directory
diff --git a/examples/eks/nodeconfig-alpha.yaml b/examples/eks/nodeconfig-alpha.yaml
@@ -16,7 +16,7 @@ spec:
       type: xfs
     mounts:
     - device: /dev/md/nvmes
-      mountPoint: /mnt/persistent-volumes
+      mountPoint: /var/lib/persistent-volumes
       unsupportedOptions:
       - prjquota
   placement:

diff --git a/examples/generic/nodeconfig-alpha.yaml b/examples/generic/nodeconfig-alpha.yaml
@@ -6,14 +6,14 @@ spec:
   localDiskSetup:
     loopDevices:
     - name: persistent-volumes
-      imagePath: /mnt/persistent-volumes.img
+      imagePath: /var/lib/persistent-volumes.img
       size: 80Gi
     filesystems:
     - device: /dev/loops/persistent-volumes
       type: xfs
     mounts:
     - device: /dev/loops/persistent-volumes
-      mountPoint: /mnt/persistent-volumes
+      mountPoint: /var/lib/persistent-volumes
       unsupportedOptions:
       - prjquota
   placement:

diff --git a/examples/gke/nodeconfig-alpha.yaml b/examples/gke/nodeconfig-alpha.yaml
@@ -15,7 +15,7 @@ spec:
       type: xfs
     mounts:
     - device: /dev/md/nvmes
-      mountPoint: /mnt/persistent-volumes
+      mountPoint: /var/lib/persistent-volumes
       unsupportedOptions:
       - prjquota
   placement:

diff --git a/examples/third-party/haproxy-ingress/10_haproxy-ingress.role.yaml b/examples/third-party/haproxy-ingress/10_haproxy-ingress.role.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: haproxy-ingress
+rules:
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - privileged
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
diff --git a/...aproxy-ingress/10_clusterrolebinding.yaml → ...aproxy-ingress/20_clusterrolebinding.yaml b/...aproxy-ingress/10_clusterrolebinding.yaml → ...aproxy-ingress/20_clusterrolebinding.yaml
diff --git a/examples/third-party/haproxy-ingress/20_haproxy-ingress.rolebinding.yaml b/examples/third-party/haproxy-ingress/20_haproxy-ingress.rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: haproxy-ingress
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: haproxy-ingress
+subjects:
+- kind: ServiceAccount
+  name: haproxy-ingress
+  namespace: haproxy-ingress
diff --git a/...xy-ingress/10_prometheus.rolebinding.yaml → ...xy-ingress/20_prometheus.rolebinding.yaml b/...xy-ingress/10_prometheus.rolebinding.yaml → ...xy-ingress/20_prometheus.rolebinding.yaml
diff --git a/...xy-ingress/10_haproxy-ingress.deploy.yaml → ...xy-ingress/50_haproxy-ingress.deploy.yaml b/...xy-ingress/10_haproxy-ingress.deploy.yaml → ...xy-ingress/50_haproxy-ingress.deploy.yaml
diff --git a/...ss/10_ingress-default-backend.deploy.yaml → ...ss/50_ingress-default-backend.deploy.yaml b/...ss/10_ingress-default-backend.deploy.yaml → ...ss/50_ingress-default-backend.deploy.yaml
diff --git a/...haproxy-ingress/10_prometheus.deploy.yaml → ...haproxy-ingress/50_prometheus.deploy.yaml b/...haproxy-ingress/10_prometheus.deploy.yaml → ...haproxy-ingress/50_prometheus.deploy.yaml
@@ -32,8 +32,13 @@ spec:
         volumeMounts:
         - mountPath: /etc/prometheus/config
           name: prometheus-cfg
+        - name: prometheus
+          mountPath: /prometheus
       serviceAccountName: prometheus
       volumes:
       - configMap:
           name: prometheus-cfg
         name: prometheus-cfg
+      - name: prometheus
+        emptyDir:
+          sizeLimit: 10Mi
diff --git a/examples/third-party/prometheus-operator/50_operator.deployment.yaml b/examples/third-party/prometheus-operator/50_operator.deployment.yaml
@@ -53,7 +53,6 @@ spec:
         kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
-        runAsUser: 65534
         seccompProfile:
           type: RuntimeDefault
       serviceAccountName: prometheus-operator
diff --git a/hack/.ci/lib/e2e.sh b/hack/.ci/lib/e2e.sh
@@ -240,7 +240,7 @@ function run-e2e {
   fi
 
   ingress_class_name='haproxy'
-  ingress_custom_annotations='haproxy.org/ssl-passthrough=true'
+  ingress_custom_annotations='haproxy.org/ssl-passthrough=true,route.openshift.io/termination=passthrough'
   ingress_controller_address="$( kubectl -n=haproxy-ingress get svc haproxy-ingress --template='{{ .spec.clusterIP }}' ):9142"
 
   kubectl_create -n=e2e -f=- <<EOF

diff --git a/hack/.ci/manifests/cluster/nodeconfig-openshift-aws.yaml b/hack/.ci/manifests/cluster/nodeconfig-openshift-aws.yaml
@@ -0,0 +1,28 @@
+apiVersion: scylla.scylladb.com/v1alpha1
+kind: NodeConfig
+metadata:
+  name: cluster
+spec:
+  localDiskSetup:
+    filesystems:
+    - device: /dev/md/nvmes
+      type: xfs
+    mounts:
+    - device: /dev/md/nvmes
+      mountPoint: /var/lib/persistent-volumes
+      unsupportedOptions:
+      - prjquota
+    raids:
+    - name: nvmes
+      type: RAID0
+      RAID0:
+        devices:
+          nameRegex: ^/dev/nvme[1-9]\d*n\d+$
+  placement:
+    nodeSelector:
+      scylla.scylladb.com/node-type: scylla
+    tolerations:
+    - effect: NoSchedule
+      key: scylla-operator.scylladb.com/dedicated
+      operator: Equal
+      value: scyllaclusters
diff --git a/hack/.ci/manifests/cluster/nodeconfig.yaml b/hack/.ci/manifests/cluster/nodeconfig.yaml
@@ -5,16 +5,24 @@ metadata:
 spec:
   localDiskSetup:
     filesystems:
-    - device: /dev/nvme0n1
+    - device: /dev/md/nvmes
       type: xfs
     mounts:
-    - device: /dev/nvme0n1
-      mountPoint: /mnt/persistent-volumes
+    - device: /dev/md/nvmes
+      mountPoint: /var/lib/persistent-volumes
       unsupportedOptions:
       - prjquota
+    raids:
+    - name: nvmes
+      type: RAID0
+      RAID0:
+        devices:
+          nameRegex: ^/dev/nvme0n[1-9]\d*$
   placement:
     nodeSelector:
-      kubernetes.io/os: linux
       scylla.scylladb.com/node-type: scylla
     tolerations:
-    - operator: Exists
+    - effect: NoSchedule
+      key: scylla-operator.scylladb.com/dedicated
+      operator: Equal
+      value: scyllaclusters
diff --git a/hack/.ci/manifests/namespaces/local-csi-driver/00_clusterrole.yaml b/hack/.ci/manifests/namespaces/local-csi-driver/00_clusterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: scylladb:csi-external-provisioner
+aggregationRule:
+  clusterRoleSelectors:
+  - matchLabels:
+      rbac.operator.scylladb.com/aggregate-to-csi-external-provisioner: "true"
diff --git a/...si-driver/10_provisioner_clusterrole.yaml → .../local-csi-driver/00_clusterrole_def.yaml b/...si-driver/10_provisioner_clusterrole.yaml → .../local-csi-driver/00_clusterrole_def.yaml
@@ -1,7 +1,9 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: scylladb:csi-external-provisioner
+  name: scylladb:aggregate-to-csi-external-provisioner
+  labels:
+    rbac.operator.scylladb.com/aggregate-to-csi-external-provisioner: "true"
 rules:
 - apiGroups:
   - ""

diff --git a/hack/.ci/manifests/namespaces/local-csi-driver/00_clusterrole_def_openshift.yaml b/hack/.ci/manifests/namespaces/local-csi-driver/00_clusterrole_def_openshift.yaml
@@ -0,0 +1,15 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: scylladb:aggregate-to-csi-external-provisioner-openshift
+  labels:
+    rbac.operator.scylladb.com/aggregate-to-csi-external-provisioner: "true"
+rules:
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - privileged
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
diff --git a/...-csi-driver/10_driver.serviceaccount.yaml → ...s/local-csi-driver/10_serviceaccount.yaml b/...-csi-driver/10_driver.serviceaccount.yaml → ...s/local-csi-driver/10_serviceaccount.yaml
diff --git a/...er/20_provisioner_clusterrolebinding.yaml → ...cal-csi-driver/20_clusterrolebinding.yaml b/...er/20_provisioner_clusterrolebinding.yaml → ...cal-csi-driver/20_clusterrolebinding.yaml
diff --git a/hack/.ci/manifests/namespaces/local-csi-driver/50_daemonset.yaml b/hack/.ci/manifests/namespaces/local-csi-driver/50_daemonset.yaml
@@ -29,7 +29,7 @@ spec:
         args:
         - --listen=/csi/csi.sock
         - --node-name=$(NODE_NAME)
-        - --volumes-dir=/mnt/persistent-volumes
+        - --volumes-dir=/var/lib/persistent-volumes
         - --v=2
         env:
         - name: NODE_NAME
@@ -43,7 +43,7 @@ spec:
         - name: plugin-dir
           mountPath: /csi
         - name: volumes-dir
-          mountPath: /mnt/persistent-volumes
+          mountPath: /var/lib/persistent-volumes
         ports:
         - name: healthz
           containerPort: 9809
@@ -121,5 +121,5 @@ spec:
           type: Directory
       - name: volumes-dir
         hostPath:
-          path: /mnt/persistent-volumes
+          path: /var/lib/persistent-volumes
           type: Directory