From 7b5d7eebdd70b90f6726c20ddcad14c47b639254 Mon Sep 17 00:00:00 2001 
From: Tomas Nozicka Date: Fri, 27 Dec 2024 15:51:01 +0100 Subject: [PATCH] Add basic OpenShift support, permissions and path fixes --- Makefile | 7 +- .../grafana/v1alpha1/deployment.yaml | 1 + .../monitoring/grafana/v1alpha1/registry.go | 7 ++ .../grafana/v1alpha1/rolebinding.yaml | 12 ++++ docs/source/resources/nodeconfigs.md | 2 +- .../local-csi-driver/00_clusterrole.yaml | 8 +++ ...usterrole.yaml => 00_clusterrole_def.yaml} | 4 +- .../00_clusterrole_def_openshift.yaml | 15 ++++ ...iceaccount.yaml => 10_serviceaccount.yaml} | 0 ...inding.yaml => 20_clusterrolebinding.yaml} | 0 .../local-csi-driver/50_daemonset.yaml | 6 +- examples/eks/nodeconfig-alpha.yaml | 2 +- examples/generic/nodeconfig-alpha.yaml | 4 +- examples/gke/nodeconfig-alpha.yaml | 2 +- .../10_haproxy-ingress.role.yaml | 13 ++++ ...inding.yaml => 20_clusterrolebinding.yaml} | 0 .../20_haproxy-ingress.rolebinding.yaml | 12 ++++ ...ng.yaml => 20_prometheus.rolebinding.yaml} | 0 ...oy.yaml => 50_haproxy-ingress.deploy.yaml} | 0 ...=> 50_ingress-default-backend.deploy.yaml} | 0 ....deploy.yaml => 50_prometheus.deploy.yaml} | 5 ++ .../50_operator.deployment.yaml | 1 - hack/.ci/lib/e2e.sh | 2 +- .../cluster/nodeconfig-openshift-aws.yaml | 28 ++++++++ hack/.ci/manifests/cluster/nodeconfig.yaml | 18 +++-- .../local-csi-driver/00_clusterrole.yaml | 8 +++ ...usterrole.yaml => 00_clusterrole_def.yaml} | 4 +- .../00_clusterrole_def_openshift.yaml | 15 ++++ ...iceaccount.yaml => 10_serviceaccount.yaml} | 0 ...inding.yaml => 20_clusterrolebinding.yaml} | 0 .../local-csi-driver/50_daemonset.yaml | 6 +- hack/.ci/run-e2e-openshift-aws.sh | 48 +++++++++++++ hack/ci-deploy.sh | 4 ++ .../templates/manager_networkpolicy.yaml | 17 +++++ .../templates/operator.clusterrole_def.yaml | 68 +++++++++++++++++++ .../operator.clusterrole_def_openshift.yaml | 15 ++++ .../scyllacluster_member_clusterrole_def.yaml | 7 ++ ...ster_member_clusterrole_def_openshift.yaml | 15 ++++ ...cylladbmonitoring_grafana_clusterrole.yaml | 8 +++ 
...ing_grafana_clusterrole_def_openshift.yaml | 15 ++++ ..._prometheus_clusterrole_def_openshift.yaml | 15 ++++ .../validation/nodeconfig_validation_test.go | 4 +- pkg/controller/nodeconfig/resource.go | 29 +++++++- pkg/controller/scylladbmonitoring/sync.go | 1 + .../scylladbmonitoring/sync_grafana.go | 32 +++++++++ .../scylladbmonitoring/sync_grafana_test.go | 2 + pkg/test/unit/valid.nodeconfig.yaml | 2 +- .../set/nodeconfig/nodeconfig_disksetup.go | 36 ++++++---- 48 files changed, 459 insertions(+), 41 deletions(-) create mode 100644 assets/monitoring/grafana/v1alpha1/rolebinding.yaml create mode 100644 examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole.yaml rename examples/common/local-volume-provisioner/local-csi-driver/{10_provisioner_clusterrole.yaml => 00_clusterrole_def.yaml} (91%) create mode 100644 examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole_def_openshift.yaml rename examples/common/local-volume-provisioner/local-csi-driver/{10_driver.serviceaccount.yaml => 10_serviceaccount.yaml} (100%) rename examples/common/local-volume-provisioner/local-csi-driver/{20_provisioner_clusterrolebinding.yaml => 20_clusterrolebinding.yaml} (100%) create mode 100644 examples/third-party/haproxy-ingress/10_haproxy-ingress.role.yaml rename examples/third-party/haproxy-ingress/{10_clusterrolebinding.yaml => 20_clusterrolebinding.yaml} (100%) create mode 100644 examples/third-party/haproxy-ingress/20_haproxy-ingress.rolebinding.yaml rename examples/third-party/haproxy-ingress/{10_prometheus.rolebinding.yaml => 20_prometheus.rolebinding.yaml} (100%) rename examples/third-party/haproxy-ingress/{10_haproxy-ingress.deploy.yaml => 50_haproxy-ingress.deploy.yaml} (100%) rename examples/third-party/haproxy-ingress/{10_ingress-default-backend.deploy.yaml => 50_ingress-default-backend.deploy.yaml} (100%) rename examples/third-party/haproxy-ingress/{10_prometheus.deploy.yaml => 50_prometheus.deploy.yaml} (89%) create mode 100644 
hack/.ci/manifests/cluster/nodeconfig-openshift-aws.yaml create mode 100644 hack/.ci/manifests/namespaces/local-csi-driver/00_clusterrole.yaml rename hack/.ci/manifests/namespaces/local-csi-driver/{10_provisioner_clusterrole.yaml => 00_clusterrole_def.yaml} (91%) create mode 100644 hack/.ci/manifests/namespaces/local-csi-driver/00_clusterrole_def_openshift.yaml rename hack/.ci/manifests/namespaces/local-csi-driver/{10_driver.serviceaccount.yaml => 10_serviceaccount.yaml} (100%) rename hack/.ci/manifests/namespaces/local-csi-driver/{20_provisioner_clusterrolebinding.yaml => 20_clusterrolebinding.yaml} (100%) create mode 100755 hack/.ci/run-e2e-openshift-aws.sh create mode 100644 helm/scylla-manager/templates/manager_networkpolicy.yaml create mode 100644 helm/scylla-operator/templates/operator.clusterrole_def_openshift.yaml create mode 100644 helm/scylla-operator/templates/scyllacluster_member_clusterrole_def_openshift.yaml create mode 100644 helm/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole.yaml create mode 100644 helm/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole_def_openshift.yaml create mode 100644 helm/scylla-operator/templates/scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml diff --git a/Makefile b/Makefile index 71fcceb04f5..849d0444759 100644 --- a/Makefile +++ b/Makefile 
@@ -374,14 +374,19 @@ define generate-operator-manifests mv '$(3)'/scylla-operator/templates/operator.clusterrole.yaml '$(2)'/00_operator.clusterrole.yaml mv '$(3)'/scylla-operator/templates/operator.clusterrole_def.yaml '$(2)'/00_operator.clusterrole_def.yaml + mv '$(3)'/scylla-operator/templates/operator.clusterrole_def_openshift.yaml '$(2)'/00_operator.clusterrole_def_openshift.yaml mv '$(3)'/scylla-operator/templates/operator_remote.clusterrole.yaml '$(2)'/00_operator_remote.clusterrole.yaml mv '$(3)'/scylla-operator/templates/operator_remote.clusterrole_def.yaml '$(2)'/00_operator_remote.clusterrole_def.yaml mv '$(3)'/scylla-operator/templates/view_clusterrole.yaml '$(2)'/00_scyllacluster_clusterrole_view.yaml mv '$(3)'/scylla-operator/templates/edit_clusterrole.yaml '$(2)'/00_scyllacluster_clusterrole_edit.yaml mv '$(3)'/scylla-operator/templates/scyllacluster_member_clusterrole.yaml '$(2)'/00_scyllacluster_member_clusterrole.yaml mv '$(3)'/scylla-operator/templates/scyllacluster_member_clusterrole_def.yaml '$(2)'/00_scyllacluster_member_clusterrole_def.yaml + mv '$(3)'/scylla-operator/templates/scyllacluster_member_clusterrole_def_openshift.yaml '$(2)'/00_scyllacluster_member_clusterrole_def_openshift.yaml mv '$(3)'/scylla-operator/templates/scylladbmonitoring_prometheus_clusterrole.yaml '$(2)'/00_scylladbmonitoring_prometheus_clusterrole.yaml mv '$(3)'/scylla-operator/templates/scylladbmonitoring_prometheus_clusterrole_def.yaml '$(2)'/00_scylladbmonitoring_prometheus_clusterrole_def.yaml + mv '$(3)'/scylla-operator/templates/scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml '$(2)'/00_scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml + mv '$(3)'/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole.yaml '$(2)'/00_scylladbmonitoring_grafana_clusterrole.yaml + mv '$(3)'/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole_def_openshift.yaml '$(2)'/00_scylladbmonitoring_grafana_clusterrole_def_openshift.yaml mv 
'$(3)'/scylla-operator/templates/issuer.yaml '$(2)'/10_issuer.yaml mv '$(3)'/scylla-operator/templates/certificate.yaml '$(2)'/10_certificate.yaml @@ -415,6 +420,7 @@ define generate-manager-manifests-prod mv '$(3)'/scylla-manager/templates/manager_service.yaml '$(2)'/10_manager_service.yaml mv '$(3)'/scylla-manager/templates/manager_serviceaccount.yaml '$(2)'/10_manager_serviceaccount.yaml mv '$(3)'/scylla-manager/templates/manager_configmap.yaml '$(2)'/10_manager_configmap.yaml + mv '$(3)'/scylla-manager/templates/manager_networkpolicy.yaml '$(2)'/10_manager_networkpolicy.yaml mv '$(3)'/scylla-manager/templates/controller_clusterrolebinding.yaml '$(2)'/20_controller_clusterrolebinding.yaml @@ -517,7 +523,6 @@ verify-deploy: $(diff) -r '$(tmp_dir)'/manager/dev deploy/manager/dev $(call concat-manifests,$(sort $(wildcard ./deploy/manager/dev/*.yaml)),'$(tmp_dir)'/manager-dev.yaml) $(diff) '$(tmp_dir)'/manager-dev.yaml deploy/manager-dev.yaml - .PHONY: verify-deploy # $1 - file name diff --git a/assets/monitoring/grafana/v1alpha1/deployment.yaml b/assets/monitoring/grafana/v1alpha1/deployment.yaml index 6a808d89edf..e9ece01c7cc 100644 --- a/assets/monitoring/grafana/v1alpha1/deployment.yaml +++ b/assets/monitoring/grafana/v1alpha1/deployment.yaml @@ -15,6 +15,7 @@ spec: labels: scylla-operator.scylladb.com/deployment-name: "{{ .scyllaDBMonitoringName }}-grafana" spec: + serviceAccountName: "{{ .scyllaDBMonitoringName }}-grafana" affinity: {{- .affinity | toYAML | nindent 8 }} tolerations: diff --git a/assets/monitoring/grafana/v1alpha1/registry.go b/assets/monitoring/grafana/v1alpha1/registry.go index 451d7b37f41..73d0e5d7677 100644 --- a/assets/monitoring/grafana/v1alpha1/registry.go +++ b/assets/monitoring/grafana/v1alpha1/registry.go @@ -11,6 +11,7 @@ import ( appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" networkingv1 "k8s.io/api/networking/v1" + rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/runtime" ) 
@@ -31,6 +32,12 @@ var ( return ParseObjectTemplateOrDie[*corev1.ServiceAccount]("grafana-sa", grafanaSATemplateString) }) + //go:embed "rolebinding.yaml" + grafanaRoleBindingTemplateString string + GrafanaRoleBindingTemplate = lazy.New(func() *assets.ObjectTemplate[*rbacv1.RoleBinding] { + return ParseObjectTemplateOrDie[*rbacv1.RoleBinding]("grafana-rolebinding", grafanaRoleBindingTemplateString) + }) + //go:embed "configs.cm.yaml" grafanaConfigsTemplateString string GrafanaConfigsTemplate = lazy.New(func() *assets.ObjectTemplate[*corev1.ConfigMap] { diff --git a/assets/monitoring/grafana/v1alpha1/rolebinding.yaml b/assets/monitoring/grafana/v1alpha1/rolebinding.yaml new file mode 100644 index 00000000000..9238ff84b01 --- /dev/null +++ b/assets/monitoring/grafana/v1alpha1/rolebinding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "{{ .scyllaDBMonitoringName }}-grafana" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: scylladb:monitoring:grafana +subjects: +- kind: ServiceAccount + name: "{{ .scyllaDBMonitoringName }}-grafana" + namespace: "{{ .namespace }}" diff --git a/docs/source/resources/nodeconfigs.md b/docs/source/resources/nodeconfigs.md index 23ebb1a89cc..25c467a6468 100644 --- a/docs/source/resources/nodeconfigs.md +++ b/docs/source/resources/nodeconfigs.md @@ -22,7 +22,7 @@ spec: type: xfs mounts: - device: /dev/md/nvmes - mountPoint: /mnt/persistent-volumes + mountPoint: /var/lib/persistent-volumes unsupportedOptions: - prjquota placement: diff --git a/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole.yaml b/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole.yaml new file mode 100644 index 00000000000..393e347ad85 --- /dev/null +++ b/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole.yaml 
@@ -0,0 +1,8 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:csi-external-provisioner +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.operator.scylladb.com/aggregate-to-csi-external-provisioner: "true" diff --git a/examples/common/local-volume-provisioner/local-csi-driver/10_provisioner_clusterrole.yaml b/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole_def.yaml similarity index 91% rename from examples/common/local-volume-provisioner/local-csi-driver/10_provisioner_clusterrole.yaml rename to examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole_def.yaml index c211a270b2f..ce9410f0350 100644 --- a/examples/common/local-volume-provisioner/local-csi-driver/10_provisioner_clusterrole.yaml +++ b/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole_def.yaml @@ -1,7 +1,9 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: scylladb:csi-external-provisioner + name: scylladb:aggregate-to-csi-external-provisioner + labels: + rbac.operator.scylladb.com/aggregate-to-csi-external-provisioner: "true" rules: - apiGroups: - "" diff --git a/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole_def_openshift.yaml b/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole_def_openshift.yaml new file mode 100644 index 00000000000..7bed98b0eb8 --- /dev/null +++ b/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole_def_openshift.yaml @@ -0,0 +1,15 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: scylladb:aggregate-to-csi-external-provisioner-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-csi-external-provisioner: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use 
diff --git a/examples/common/local-volume-provisioner/local-csi-driver/10_driver.serviceaccount.yaml b/examples/common/local-volume-provisioner/local-csi-driver/10_serviceaccount.yaml similarity index 100% rename from examples/common/local-volume-provisioner/local-csi-driver/10_driver.serviceaccount.yaml rename to examples/common/local-volume-provisioner/local-csi-driver/10_serviceaccount.yaml diff --git a/examples/common/local-volume-provisioner/local-csi-driver/20_provisioner_clusterrolebinding.yaml b/examples/common/local-volume-provisioner/local-csi-driver/20_clusterrolebinding.yaml similarity index 100% rename from examples/common/local-volume-provisioner/local-csi-driver/20_provisioner_clusterrolebinding.yaml rename to examples/common/local-volume-provisioner/local-csi-driver/20_clusterrolebinding.yaml diff --git a/examples/common/local-volume-provisioner/local-csi-driver/50_daemonset.yaml b/examples/common/local-volume-provisioner/local-csi-driver/50_daemonset.yaml index d7be54b6270..fafd604ae82 100644 --- a/examples/common/local-volume-provisioner/local-csi-driver/50_daemonset.yaml +++ b/examples/common/local-volume-provisioner/local-csi-driver/50_daemonset.yaml @@ -29,7 +29,7 @@ spec: args: - --listen=/csi/csi.sock - --node-name=$(NODE_NAME) - - --volumes-dir=/mnt/persistent-volumes + - --volumes-dir=/var/lib/persistent-volumes - --v=2 env: - name: NODE_NAME @@ -43,7 +43,7 @@ spec: - name: plugin-dir mountPath: /csi - name: volumes-dir - mountPath: /mnt/persistent-volumes + mountPath: /var/lib/persistent-volumes ports: - name: healthz containerPort: 9809 @@ -121,5 +121,5 @@ spec: type: Directory - name: volumes-dir hostPath: - path: /mnt/persistent-volumes + path: /var/lib/persistent-volumes type: Directory diff --git a/examples/eks/nodeconfig-alpha.yaml b/examples/eks/nodeconfig-alpha.yaml index bc4e6a65ff9..663a125bd05 100644 --- a/examples/eks/nodeconfig-alpha.yaml +++ b/examples/eks/nodeconfig-alpha.yaml 
@@ -16,7 +16,7 @@ spec: type: xfs mounts: - device: /dev/md/nvmes - mountPoint: /mnt/persistent-volumes + mountPoint: /var/lib/persistent-volumes unsupportedOptions: - prjquota placement: diff --git a/examples/generic/nodeconfig-alpha.yaml b/examples/generic/nodeconfig-alpha.yaml index b29923d799b..2df77954e70 100644 --- a/examples/generic/nodeconfig-alpha.yaml +++ b/examples/generic/nodeconfig-alpha.yaml @@ -6,14 +6,14 @@ spec: localDiskSetup: loopDevices: - name: persistent-volumes - imagePath: /mnt/persistent-volumes.img + imagePath: /var/lib/persistent-volumes.img size: 80Gi filesystems: - device: /dev/loops/persistent-volumes type: xfs mounts: - device: /dev/loops/persistent-volumes - mountPoint: /mnt/persistent-volumes + mountPoint: /var/lib/persistent-volumes unsupportedOptions: - prjquota placement: diff --git a/examples/gke/nodeconfig-alpha.yaml b/examples/gke/nodeconfig-alpha.yaml index 952d91568b8..06e68c578b9 100644 --- a/examples/gke/nodeconfig-alpha.yaml +++ b/examples/gke/nodeconfig-alpha.yaml @@ -15,7 +15,7 @@ spec: type: xfs mounts: - device: /dev/md/nvmes - mountPoint: /mnt/persistent-volumes + mountPoint: /var/lib/persistent-volumes unsupportedOptions: - prjquota placement: diff --git a/examples/third-party/haproxy-ingress/10_haproxy-ingress.role.yaml b/examples/third-party/haproxy-ingress/10_haproxy-ingress.role.yaml new file mode 100644 index 00000000000..01787839162 --- /dev/null +++ b/examples/third-party/haproxy-ingress/10_haproxy-ingress.role.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: haproxy-ingress +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use 
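Review bot: Granting the `haproxy-ingress` ServiceAccount `use` on the `privileged` SecurityContextConstraints in `10_haproxy-ingress.role.yaml` is broader than anything this patch shows the ingress controller needing, since that SCC admits host namespaces, any UID and all capabilities. A narrower SCC (a built-in such as `nonroot-v2` or `anyuid`, or a dedicated one listing only the required capabilities) would limit what a compromised ingress pod can do on the node. The same `privileged` grant is repeated in the new `*_def_openshift.yaml` ClusterRoles for the ScyllaCluster member, Grafana and Prometheus under `helm/scylla-operator/templates/`, and the same question applies there. If `privileged` really is required, add a comment above `resourceNames` in each file naming the pod setting that needs it.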
diff --git a/examples/third-party/haproxy-ingress/10_clusterrolebinding.yaml b/examples/third-party/haproxy-ingress/20_clusterrolebinding.yaml similarity index 100% rename from examples/third-party/haproxy-ingress/10_clusterrolebinding.yaml rename to examples/third-party/haproxy-ingress/20_clusterrolebinding.yaml diff --git a/examples/third-party/haproxy-ingress/20_haproxy-ingress.rolebinding.yaml b/examples/third-party/haproxy-ingress/20_haproxy-ingress.rolebinding.yaml new file mode 100644 index 00000000000..ebe89868052 --- /dev/null +++ b/examples/third-party/haproxy-ingress/20_haproxy-ingress.rolebinding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: haproxy-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: haproxy-ingress +subjects: +- kind: ServiceAccount + name: haproxy-ingress + namespace: haproxy-ingress diff --git a/examples/third-party/haproxy-ingress/10_prometheus.rolebinding.yaml b/examples/third-party/haproxy-ingress/20_prometheus.rolebinding.yaml similarity index 100% rename from examples/third-party/haproxy-ingress/10_prometheus.rolebinding.yaml rename to examples/third-party/haproxy-ingress/20_prometheus.rolebinding.yaml diff --git a/examples/third-party/haproxy-ingress/10_haproxy-ingress.deploy.yaml b/examples/third-party/haproxy-ingress/50_haproxy-ingress.deploy.yaml similarity index 100% rename from examples/third-party/haproxy-ingress/10_haproxy-ingress.deploy.yaml rename to examples/third-party/haproxy-ingress/50_haproxy-ingress.deploy.yaml diff --git a/examples/third-party/haproxy-ingress/10_ingress-default-backend.deploy.yaml b/examples/third-party/haproxy-ingress/50_ingress-default-backend.deploy.yaml similarity index 100% rename from examples/third-party/haproxy-ingress/10_ingress-default-backend.deploy.yaml rename to examples/third-party/haproxy-ingress/50_ingress-default-backend.deploy.yaml 
diff --git a/examples/third-party/haproxy-ingress/10_prometheus.deploy.yaml b/examples/third-party/haproxy-ingress/50_prometheus.deploy.yaml similarity index 89% rename from examples/third-party/haproxy-ingress/10_prometheus.deploy.yaml rename to examples/third-party/haproxy-ingress/50_prometheus.deploy.yaml index d20d93e6e40..ee3fe3bf2a0 100644 --- a/examples/third-party/haproxy-ingress/10_prometheus.deploy.yaml +++ b/examples/third-party/haproxy-ingress/50_prometheus.deploy.yaml @@ -32,8 +32,13 @@ spec: volumeMounts: - mountPath: /etc/prometheus/config name: prometheus-cfg + - name: prometheus + mountPath: /prometheus serviceAccountName: prometheus volumes: - configMap: name: prometheus-cfg name: prometheus-cfg + - name: prometheus + emptyDir: + sizeLimit: 10Mi diff --git a/examples/third-party/prometheus-operator/50_operator.deployment.yaml b/examples/third-party/prometheus-operator/50_operator.deployment.yaml index 889dd30e1bb..f22bdf9cf5f 100644 --- a/examples/third-party/prometheus-operator/50_operator.deployment.yaml +++ b/examples/third-party/prometheus-operator/50_operator.deployment.yaml @@ -53,7 +53,6 @@ spec: kubernetes.io/os: linux securityContext: runAsNonRoot: true - runAsUser: 65534 seccompProfile: type: RuntimeDefault serviceAccountName: prometheus-operator diff --git a/hack/.ci/lib/e2e.sh b/hack/.ci/lib/e2e.sh index 7a7737fd6e5..ea5e075f069 100755 --- a/hack/.ci/lib/e2e.sh +++ b/hack/.ci/lib/e2e.sh 
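Review bot: `sizeLimit: 10Mi` on the new `prometheus` emptyDir mounted at `/prometheus` is very small for a TSDB data directory, and the kubelet evicts the pod once usage exceeds the limit. Retention settings are not visible in this hunk, so it is unclear whether the example stays under 10Mi for long. Either raise the limit or add a comment such as `# scratch TSDB for the example only; short retention keeps it under the limit` if that is the intent.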
@@ -240,7 +240,7 @@ function run-e2e { fi ingress_class_name='haproxy' - ingress_custom_annotations='haproxy.org/ssl-passthrough=true' + ingress_custom_annotations='haproxy.org/ssl-passthrough=true,route.openshift.io/termination=passthrough' ingress_controller_address="$( kubectl -n=haproxy-ingress get svc haproxy-ingress --template='{{ .spec.clusterIP }}' ):9142" kubectl_create -n=e2e -f=- < /dev/stderr + exit 2 +fi + +source "$( dirname "${BASH_SOURCE[0]}" )/../lib/kube.sh" +source "$( dirname "${BASH_SOURCE[0]}" )/lib/e2e.sh" +parent_dir="$( dirname "${BASH_SOURCE[0]}" )" + +trap gather-artifacts-on-exit EXIT + +REENTRANT="${REENTRANT=false}" +export REENTRANT + +SO_INSTALL_PROMETHEUS_OPERATOR="true" +export SO_INSTALL_PROMETHEUS_OPERATOR + +SO_NODECONFIG_PATH="${SO_NODECONFIG_PATH=${parent_dir}/manifests/cluster/nodeconfig-openshift-aws.yaml}" +export SO_NODECONFIG_PATH +SO_CSI_DRIVER_PATH="${SO_CSI_DRIVER_PATH=${parent_dir}/manifests/namespaces/local-csi-driver/}" +export SO_CSI_DRIVER_PATH +SO_SCYLLACLUSTER_STORAGECLASS_NAME="${SO_SCYLLACLUSTER_STORAGECLASS_NAME=scylladb-local-xfs}" +export SO_SCYLLACLUSTER_STORAGECLASS_NAME + +SCYLLA_OPERATOR_FEATURE_GATES="${SCYLLA_OPERATOR_FEATURE_GATES:-AllAlpha=true,AllBeta=true}" +export SCYLLA_OPERATOR_FEATURE_GATES + +for i in "${!KUBECONFIGS[@]}"; do + KUBECONFIG="${KUBECONFIGS[$i]}" DEPLOY_DIR="${ARTIFACTS}/deploy/${i}" timeout --foreground -v 10m "${parent_dir}/../ci-deploy.sh" "${SO_IMAGE}" & + ci_deploy_bg_pids["${i}"]=$! +done + +for pid in "${ci_deploy_bg_pids[@]}"; do + wait "${pid}" +done + +KUBECONFIG="${KUBECONFIGS[0]}" apply-e2e-workarounds +KUBECONFIG="${KUBECONFIGS[0]}" run-e2e diff --git a/hack/ci-deploy.sh b/hack/ci-deploy.sh index 9832444edc8..b17e344971c 100755 --- a/hack/ci-deploy.sh +++ b/hack/ci-deploy.sh 
@@ -46,6 +46,7 @@ fi kubectl_create -n prometheus-operator -f "${DEPLOY_DIR}/prometheus-operator" kubectl_create -n haproxy-ingress -f "${DEPLOY_DIR}/haproxy-ingress" +kubectl_create -n=haproxy-ingress -f="${DEPLOY_DIR}/haproxy-ingress" kubectl_create -f "${DEPLOY_DIR}"/cert-manager.yaml # Wait for cert-manager @@ -66,6 +67,7 @@ if [[ -z "${SO_NODECONFIG_PATH:-}" ]]; then echo "Skipping NodeConfig creation" else kubectl_create -f="${SO_NODECONFIG_PATH}" + kubectl wait --for='condition=Reconciled' --timeout=10m -f="${SO_NODECONFIG_PATH}" fi if [[ -z "${SO_CSI_DRIVER_PATH:-}" ]]; then @@ -95,3 +97,5 @@ kubectl wait --for condition=established crd/nodeconfigs.scylla.scylladb.com kubectl wait --for condition=established crd/scyllaoperatorconfigs.scylla.scylladb.com kubectl wait --for condition=established crd/scylladbmonitorings.scylla.scylladb.com kubectl wait --for condition=established $( find "${DEPLOY_DIR}/prometheus-operator/" -name '*.crd.yaml' -printf '-f=%p\n' ) + kubectl wait --for condition=established $( find "${DEPLOY_DIR}/prometheus-operator/" -name '*.crd.yaml' -printf '-f=%p\n' ) + kubectl -n=prometheus-operator rollout status deploy/prometheus-operator diff --git a/helm/scylla-manager/templates/manager_networkpolicy.yaml b/helm/scylla-manager/templates/manager_networkpolicy.yaml new file mode 100644 index 00000000000..24f59f1e100 --- /dev/null +++ b/helm/scylla-manager/templates/manager_networkpolicy.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + namespace: scylla-manager + name: scylla-manager-to-scylla-pod +spec: + policyTypes: + - Ingress + podSelector: + matchLabels: + app.kubernetes.io/managed-by: scylla-operator + app.kubernetes.io/name: scylla + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: scylla-manager 
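Review bot: The added `kubectl_create -n=haproxy-ingress -f="${DEPLOY_DIR}/haproxy-ingress"` repeats the unchanged line directly above it, so the same directory is created twice; the hunk header (`-46,6 +46,7`) shows that the old line was kept rather than replaced. If `kubectl_create` resolves to plain `kubectl create` (it is defined outside this hunk), the second call fails with AlreadyExists and aborts the deploy. Drop one of the two lines, keeping whichever flag style the script standardises on.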
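Review bot: `namespace: scylla-manager` is hard-coded in `manager_networkpolicy.yaml`, both in `metadata` and in the `namespaceSelector`, so a chart installed into another namespace would get a policy that neither lands next to the manager's pods nor admits them; `{{ .Release.Namespace }}` would follow the release, if the chart's other templates do the same (not visible here). The `ingress` rule also has no `ports` list, so every port on the selected Scylla pods is open to any pod in that namespace. Because selecting a pod with an `Ingress` policy denies all other ingress to it, a short header comment stating which clients are meant to reach these pods would help reviewers confirm that nothing else is cut off.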
diff --git a/helm/scylla-operator/templates/operator.clusterrole_def.yaml b/helm/scylla-operator/templates/operator.clusterrole_def.yaml index c857c2d55c0..bfbc10a0994 100644 --- a/helm/scylla-operator/templates/operator.clusterrole_def.yaml +++ b/helm/scylla-operator/templates/operator.clusterrole_def.yaml @@ -281,3 +281,71 @@ rules: - patch - update - delete +- apiGroups: + - "" + resources: + - configmaps/finalizers + - secrets/finalizers + - pods/finalizers + verbs: + - update +- apiGroups: + - apps + resources: + - daemonsets/finalizers + verbs: + - update +- apiGroups: + - scylla.scylladb.com + resources: + - scyllaclusters/finalizers + - scylladbdatacenters/finalizers + - scylladbmonitorings/finalizers + verbs: + - update +- apiGroups: + - policy + resources: + - poddisruptionbudgets/finalizers + verbs: + - update +- apiGroups: + - scylla.scylladb.com + resources: + - nodeconfigs/finalizers + verbs: + - update +- apiGroups: + - "" + resources: + - configmaps/finalizers + - secrets/finalizers + - pods/finalizers + verbs: + - update +- apiGroups: + - apps + resources: + - daemonsets/finalizers + verbs: + - update +- apiGroups: + - scylla.scylladb.com + resources: + - scyllaclusters/finalizers + - scylladbdatacenters/finalizers + - scylladbmonitorings/finalizers + verbs: + - update +- apiGroups: + - policy + resources: + - poddisruptionbudgets/finalizers + verbs: + - update +- apiGroups: + - scylla.scylladb.com + resources: + - nodeconfigs/finalizers + verbs: + - update diff --git a/helm/scylla-operator/templates/operator.clusterrole_def_openshift.yaml b/helm/scylla-operator/templates/operator.clusterrole_def_openshift.yaml new file mode 100644 index 00000000000..88556786aa3 --- /dev/null +++ b/helm/scylla-operator/templates/operator.clusterrole_def_openshift.yaml 
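Review bot: The five finalizer rules are added twice in this hunk: the block from `configmaps/finalizers` through `nodeconfigs/finalizers` appears once and is then repeated verbatim, which accounts for the 68 added lines. RBAC tolerates duplicate rules, but they make the operator's ClusterRole harder to audit, so keep a single copy. A comment above the block would also help, for example `# update on */finalizers is needed to set blockOwnerDeletion ownerReferences when OwnerReferencesPermissionEnforcement is enabled (OpenShift)`, assuming that is the reason for the grant.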
@@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:controller:aggregate-to-operator-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-scylla-operator: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use diff --git a/helm/scylla-operator/templates/scyllacluster_member_clusterrole_def.yaml b/helm/scylla-operator/templates/scyllacluster_member_clusterrole_def.yaml index 11cb8ad0b39..d5af6d0c159 100644 --- a/helm/scylla-operator/templates/scyllacluster_member_clusterrole_def.yaml +++ b/helm/scylla-operator/templates/scyllacluster_member_clusterrole_def.yaml @@ -56,3 +56,10 @@ rules: - scyllaclusters verbs: - get +- apiGroups: + - "" + resources: + - configmaps/finalizers + - secrets/finalizers + verbs: + - update diff --git a/helm/scylla-operator/templates/scyllacluster_member_clusterrole_def_openshift.yaml b/helm/scylla-operator/templates/scyllacluster_member_clusterrole_def_openshift.yaml new file mode 100644 index 00000000000..7871d0307d6 --- /dev/null +++ b/helm/scylla-operator/templates/scyllacluster_member_clusterrole_def_openshift.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:aggregate-to-scyllacluster-member-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-scylla-member: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use diff --git a/helm/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole.yaml b/helm/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole.yaml new file mode 100644 index 00000000000..30d54f79fef --- /dev/null +++ b/helm/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole.yaml 
@@ -0,0 +1,8 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:monitoring:grafana +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-grafana: "true" diff --git a/helm/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole_def_openshift.yaml b/helm/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole_def_openshift.yaml new file mode 100644 index 00000000000..f1cf99ee147 --- /dev/null +++ b/helm/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole_def_openshift.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:aggregate-to-scylladb-monitoring-grafana-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-grafana: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use diff --git a/helm/scylla-operator/templates/scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml b/helm/scylla-operator/templates/scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml new file mode 100644 index 00000000000..fb293dd8149 --- /dev/null +++ b/helm/scylla-operator/templates/scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:aggregate-to-scylladb-monitoring-prometheus-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-prometheus: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use diff --git a/pkg/api/scylla/validation/nodeconfig_validation_test.go b/pkg/api/scylla/validation/nodeconfig_validation_test.go index 612a663b7fe..0bf9dc148ff 100644 --- a/pkg/api/scylla/validation/nodeconfig_validation_test.go 
+++ b/pkg/api/scylla/validation/nodeconfig_validation_test.go @@ -52,9 +52,9 @@ func TestValidateNodeConfig(t *testing.T) { return nc }(), expectedErrorList: field.ErrorList{ - &field.Error{Type: field.ErrorTypeDuplicate, Field: "spec.localDiskSetup.mounts[1].mountPoint", BadValue: "/mnt/persistent-volumes"}, + &field.Error{Type: field.ErrorTypeDuplicate, Field: "spec.localDiskSetup.mounts[1].mountPoint", BadValue: "/var/lib/persistent-volumes"}, }, - expectedErrorString: `spec.localDiskSetup.mounts[1].mountPoint: Duplicate value: "/mnt/persistent-volumes"`, + expectedErrorString: `spec.localDiskSetup.mounts[1].mountPoint: Duplicate value: "/var/lib/persistent-volumes"`, }, { name: "raid type specified but without configuration", diff --git a/pkg/controller/nodeconfig/resource.go b/pkg/controller/nodeconfig/resource.go index 4199e7185a0..8ff5b89c2a0 100644 --- a/pkg/controller/nodeconfig/resource.go +++ b/pkg/controller/nodeconfig/resource.go @@ -98,6 +98,11 @@ func NodeConfigClusterRole() *rbacv1.ClusterRole { Resources: []string{"daemonsets"}, Verbs: []string{"get", "list", "watch"}, }, + { + APIGroups: []string{"apps"}, + Resources: []string{"daemonsets/finalizers"}, + Verbs: []string{"update"}, + }, { APIGroups: []string{"batch"}, Resources: []string{"jobs"}, @@ -113,6 +118,12 @@ func NodeConfigClusterRole() *rbacv1.ClusterRole { Resources: []string{"nodeconfigs/status"}, Verbs: []string{"update"}, }, + { + APIGroups: []string{"security.openshift.io"}, + ResourceNames: []string{"privileged"}, + Resources: []string{"securitycontextconstraints"}, + Verbs: []string{"use"}, + }, }, } } @@ -126,7 +137,14 @@ func makePerftuneRole() *rbacv1.Role { naming.NodeConfigNameLabel: naming.NodeConfigAppName, }, }, - Rules: []rbacv1.PolicyRule{}, + Rules: []rbacv1.PolicyRule{ + { + APIGroups: []string{"security.openshift.io"}, + Resources: []string{"securitycontextconstraints"}, + ResourceNames: []string{"privileged"}, + Verbs: []string{"use"}, + }, + }, } } 
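Review bot: The `security.openshift.io` rule granting `use` of the `privileged` SCC is written out three times with the fields in a different order: in `NodeConfigClusterRole` and `makePerftuneRole` here, and again in `makeRlimitsRole` in the following hunk. It is also compiled in for every cluster, whereas the Helm templates in this patch keep the OpenShift grant in separate `*_def_openshift.yaml` roles. A single documented helper would give auditors one place to see why these roles may admit privileged pods. Whether the perftune and rlimits Jobs both need `privileged` rather than a narrower SCC is not visible in these hunks and is worth confirming. All three function bodies start outside the hunks.

```go
// openShiftPrivilegedSCCRule lets the bound ServiceAccount run pods under
// OpenShift's "privileged" SCC. The rule is inert on clusters that do not
// serve the security.openshift.io API group.
func openShiftPrivilegedSCCRule() rbacv1.PolicyRule {
	return rbacv1.PolicyRule{
		APIGroups:     []string{"security.openshift.io"},
		Resources:     []string{"securitycontextconstraints"},
		ResourceNames: []string{"privileged"},
		Verbs:         []string{"use"},
	}
}

// … unchanged: NodeConfigClusterRole rules up to nodeconfigs/status …
			openShiftPrivilegedSCCRule(),

// … in makePerftuneRole and makeRlimitsRole, replacing the inline rule …
		Rules: []rbacv1.PolicyRule{openShiftPrivilegedSCCRule()},
```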
@@ -139,7 +157,14 @@ func makeRlimitsRole() *rbacv1.Role { naming.NodeConfigNameLabel: naming.NodeConfigAppName, }, }, - Rules: []rbacv1.PolicyRule{}, + Rules: []rbacv1.PolicyRule{ + { + APIGroups: []string{"security.openshift.io"}, + Resources: []string{"securitycontextconstraints"}, + ResourceNames: []string{"privileged"}, + Verbs: []string{"use"}, + }, + }, } } diff --git a/pkg/controller/scylladbmonitoring/sync.go b/pkg/controller/scylladbmonitoring/sync.go index ecbba409707..7aafc3bc9bc 100644 --- a/pkg/controller/scylladbmonitoring/sync.go +++ b/pkg/controller/scylladbmonitoring/sync.go @@ -273,6 +273,7 @@ func (smc *Controller) sync(ctx context.Context, key string) error { controllerhelpers.FilterObjectMapByLabel(secrets, grafanaSelector), controllerhelpers.FilterObjectMapByLabel(services, grafanaSelector), controllerhelpers.FilterObjectMapByLabel(serviceAccounts, grafanaSelector), + controllerhelpers.FilterObjectMapByLabel(roleBindings, grafanaSelector), controllerhelpers.FilterObjectMapByLabel(deployments, grafanaSelector), controllerhelpers.FilterObjectMapByLabel(ingresses, grafanaSelector), ) diff --git a/pkg/controller/scylladbmonitoring/sync_grafana.go b/pkg/controller/scylladbmonitoring/sync_grafana.go index 93608960521..95fbe804349 100644 --- a/pkg/controller/scylladbmonitoring/sync_grafana.go +++ b/pkg/controller/scylladbmonitoring/sync_grafana.go @@ -26,6 +26,7 @@ import ( appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" networkingv1 "k8s.io/api/networking/v1" + rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" kutilerrors "k8s.io/apimachinery/pkg/util/errors" 
@@ -148,6 +149,13 @@ func makeGrafanaSA(sm *scyllav1alpha1.ScyllaDBMonitoring) (*corev1.ServiceAccoun
 })
 }
+func makeGrafanaRoleBinding(sm *scyllav1alpha1.ScyllaDBMonitoring) (*rbacv1.RoleBinding, string, error) {
+ return grafanav1alpha1assets.GrafanaRoleBindingTemplate.Get().RenderObject(map[string]any{
+ "namespace": sm.Namespace,
+ "scyllaDBMonitoringName": sm.Name,
+ })
+}
+
 func makeGrafanaConfigs(sm *scyllav1alpha1.ScyllaDBMonitoring) (*corev1.ConfigMap, string, error) {
 enableAnonymousAccess := false
 spec := getGrafanaSpec(sm)
@@ -246,6 +254,7 @@ func (smc *Controller) syncGrafana(
 secrets map[string]*corev1.Secret,
 services map[string]*corev1.Service,
 serviceAccounts map[string]*corev1.ServiceAccount,
+ roleBindings map[string]*rbacv1.RoleBinding,
 deployments map[string]*appsv1.Deployment,
 ingresses map[string]*networkingv1.Ingress,
 ) ([]metav1.Condition, error) {
@@ -310,6 +319,9 @@ func (smc *Controller) syncGrafana(
 requiredGrafanaSA, _, err := makeGrafanaSA(sm)
 renderErrors = append(renderErrors, err)
+ requiredGrafanaRoleBinding, _, err := makeGrafanaRoleBinding(sm)
+ renderErrors = append(renderErrors, err)
+
 requiredConfigsCM, _, err := makeGrafanaConfigs(sm)
 renderErrors = append(renderErrors, err)
@@ -357,6 +369,17 @@ func (smc *Controller) syncGrafana(
 )
 pruneErrors = append(pruneErrors, err)
+ err = controllerhelpers.Prune(
+ ctx,
+ oslices.ToSlice(requiredGrafanaRoleBinding),
+ roleBindings,
+ &controllerhelpers.PruneControlFuncs{
+ DeleteFunc: smc.kubeClient.RbacV1().RoleBindings(sm.Namespace).Delete,
+ },
+ smc.eventRecorder,
+ )
+ pruneErrors = append(pruneErrors, err)
+
 allCMs := []*corev1.ConfigMap{
 requiredConfigsCM,
 requiredProvisioningsCM,
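Review bot: makeGrafanaRoleBinding is added without a render test in the part of the patch visible here: the sync_grafana_test.go section only adds `serviceAccountName` to the expected Deployment, so nothing pins the subject and `roleRef` the template produces. Since this object presumably grants permissions to the Grafana ServiceAccount, a table test asserting the rendered RoleBinding (name, namespace, `roleRef`, and a single ServiceAccount subject in `sm.Namespace`) would catch a template edit that widens the binding. The function is new and fully inside the hunk; it could also carry a one-line comment such as `// makeGrafanaRoleBinding renders the RoleBinding for the Grafana ServiceAccount.`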
@@ -435,6 +458,15 @@ func (smc *Controller) syncGrafana(
 DeleteFunc: smc.kubeClient.CoreV1().ServiceAccounts(sm.Namespace).Delete,
 },
 }.ToUntyped(),
+ resourceapply.ApplyConfig[*rbacv1.RoleBinding]{
+ Required: requiredGrafanaRoleBinding,
+ Control: resourceapply.ApplyControlFuncs[*rbacv1.RoleBinding]{
+ GetCachedFunc: smc.roleBindingLister.RoleBindings(sm.Namespace).Get,
+ CreateFunc: smc.kubeClient.RbacV1().RoleBindings(sm.Namespace).Create,
+ UpdateFunc: smc.kubeClient.RbacV1().RoleBindings(sm.Namespace).Update,
+ DeleteFunc: smc.kubeClient.RbacV1().RoleBindings(sm.Namespace).Delete,
+ },
+ }.ToUntyped(),
 resourceapply.ApplyConfig[*corev1.ConfigMap]{
 Required: requiredConfigsCM,
 Control: resourceapply.ApplyControlFuncs[*corev1.ConfigMap]{
diff --git a/pkg/controller/scylladbmonitoring/sync_grafana_test.go b/pkg/controller/scylladbmonitoring/sync_grafana_test.go
index a5149296a35..c2d4501e927 100644
--- a/pkg/controller/scylladbmonitoring/sync_grafana_test.go
+++ b/pkg/controller/scylladbmonitoring/sync_grafana_test.go
@@ -329,6 +329,7 @@ spec:
 labels:
 scylla-operator.scylladb.com/deployment-name: "sm-name-grafana"
 spec:
+ serviceAccountName: "sm-name-grafana"
 affinity: {}
 tolerations:
@@ -532,6 +533,7 @@ spec:
 labels:
 scylla-operator.scylladb.com/deployment-name: "sm-name-grafana"
 spec:
+ serviceAccountName: "sm-name-grafana"
 affinity: {}
 tolerations:
diff --git a/pkg/test/unit/valid.nodeconfig.yaml b/pkg/test/unit/valid.nodeconfig.yaml
index 0bd5d13df72..69b6f3f7ecb 100644
--- a/pkg/test/unit/valid.nodeconfig.yaml
+++ b/pkg/test/unit/valid.nodeconfig.yaml
@@ -9,7 +9,7 @@ spec:
 type: xfs
 mounts:
 - device: /dev/md/nvmes
- mountPoint: /mnt/persistent-volumes
+ mountPoint: /var/lib/persistent-volumes
 unsupportedOptions:
 - prjquota
 raids:
diff --git a/test/e2e/set/nodeconfig/nodeconfig_disksetup.go b/test/e2e/set/nodeconfig/nodeconfig_disksetup.go
index 77d66a54fe4..6d18022b19d 100644
--- a/test/e2e/set/nodeconfig/nodeconfig_disksetup.go
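Review bot: Applying the RoleBinding through `CreateFunc`/`UpdateFunc` makes the operator subject to the RBAC escalation check: the API server rejects the write unless the operator's own identity already holds every permission in the referenced role or has the `bind` verb on it. The operator's ClusterRole is changed elsewhere in this patch and is not visible here, so it is worth confirming that it grants `bind` narrowed by `resourceNames` to the Grafana role rather than a blanket permission on roles. A comment above the new entry would record the dependency, e.g. `// Requires "bind" on the referenced role in the operator ClusterRole.` The syncGrafana body starts and ends outside the hunk.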
+++ b/test/e2e/set/nodeconfig/nodeconfig_disksetup.go
@@ -30,6 +30,12 @@ import (
 "k8s.io/client-go/util/retry"
 )
+var (
+ // xfsSize is a size of a default xfs filesystem we create.
+ // Beware that `mkfs.xfs` fails unless it has at least 300MB available.
+ xfsVolumeSize = resource.MustParse("320M")
+)
+
 var _ = g.Describe("Node Setup", framework.Serial, func() {
 f := framework.NewFramework("nodesetup")
@@ -66,7 +72,7 @@ var _ = g.Describe("Node Setup", framework.Serial, func() {
 o.Expect(err).NotTo(o.HaveOccurred())
 raidName := rand.String(8)
- mountPath := fmt.Sprintf("/mnt/disk-setup-%s", f.Namespace())
+ mountPath := fmt.Sprintf("/var/lib/disk-setup-%s", f.Namespace())
 hostMountPath := path.Join("/host", mountPath)
 filesystem := scyllav1alpha1.XFSFilesystem
@@ -84,8 +90,8 @@ var _ = g.Describe("Node Setup", framework.Serial, func() {
 for _, ldName := range loopDeviceNames {
 ldcs = append(ldcs, scyllav1alpha1.LoopDeviceConfiguration{
 Name: ldName,
- ImagePath: fmt.Sprintf("/mnt/%s-%s.img", ldName, f.Namespace()),
- Size: resource.MustParse("32M"),
+ ImagePath: fmt.Sprintf("/var/lib/%s-%s.img", ldName, f.Namespace()),
+ Size: xfsVolumeSize,
 })
 }
@@ -202,7 +208,7 @@ var _ = g.Describe("Node Setup", framework.Serial, func() {
 g.Expect(err).NotTo(o.HaveOccurred(), stderr)
 // mount output format
- // /dev/md337 on /host/mnt/persistent-volume type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,sunit=2048,swidth=2048,prjquota)
+ // /dev/md337 on /host/var/lib/disk-setup-* type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,sunit=2048,swidth=2048,prjquota)
 g.Expect(stdout).To(o.MatchRegexp(`%s on %s type %s \(.*%s.*\)`, discoveredRaidDevice, hostMountPath, filesystem, mountOptions[0]))
 }).WithPolling(1 * time.Second).WithTimeout(3 * time.Minute).Should(o.Succeed())
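Review bot: The doc comment names `xfsSize` but the variable is `xfsVolumeSize`, so the comment does not attach to the declaration it describes. Suggested first line: `// xfsVolumeSize is the size of the loop device images these tests format as XFS.`, followed by the existing `mkfs.xfs` caveat. With a single variable the parenthesised `var ( ... )` group is not needed either.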
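Review bot: The host directory is now hard-coded as `/var/lib` in the `mountPath` format string here and again in the image and mount paths of the later hunks of this file, plus once more as `/host/var/lib/%s` in preNodeConfigCreationFunc. A single constant, e.g. `const hostDataDir = "/var/lib"` used through `path.Join(hostDataDir, ...)`, would turn the next relocation into a one-line change and keep the `/host`-prefixed variant in step with it. The enclosing Describe closure starts and ends outside the hunk.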
@@ -353,7 +359,7 @@ var _ = g.Describe("Node Setup", framework.Serial, func() {
 Mounts: []scyllav1alpha1.MountConfiguration{
 {
 Device: fmt.Sprintf("/dev/%s", f.Namespace()),
- MountPoint: fmt.Sprintf("/mnt/%s", f.Namespace()),
+ MountPoint: fmt.Sprintf("/var/lib/%s", f.Namespace()),
 FSType: string(scyllav1alpha1.XFSFilesystem),
 UnsupportedOptions: []string{"prjquota"},
 },
@@ -373,14 +379,14 @@ var _ = g.Describe("Node Setup", framework.Serial, func() {
 LoopDevices: []scyllav1alpha1.LoopDeviceConfiguration{
 {
 Name: "disk",
- ImagePath: fmt.Sprintf("/mnt/%s.img", f.Namespace()),
- Size: resource.MustParse("32M"),
+ ImagePath: fmt.Sprintf("/var/lib/%s.img", f.Namespace()),
+ Size: xfsVolumeSize,
 },
 },
 Mounts: []scyllav1alpha1.MountConfiguration{
 {
 Device: "/dev/loops/disk",
- MountPoint: fmt.Sprintf("/mnt/%s/mount", f.Namespace()),
+ MountPoint: fmt.Sprintf("/var/lib/%s/mount", f.Namespace()),
 FSType: string(scyllav1alpha1.XFSFilesystem),
 UnsupportedOptions: []string{"prjquota"},
 },
@@ -400,8 +406,8 @@ var _ = g.Describe("Node Setup", framework.Serial, func() {
 LoopDevices: []scyllav1alpha1.LoopDeviceConfiguration{
 {
 Name: "disk",
- ImagePath: fmt.Sprintf("/mnt/%s.img", f.Namespace()),
- Size: resource.MustParse("32M"),
+ ImagePath: fmt.Sprintf("/var/lib/%s.img", f.Namespace()),
+ Size: xfsVolumeSize,
 },
 },
 Filesystems: []scyllav1alpha1.FilesystemConfiguration{
@@ -413,7 +419,7 @@ var _ = g.Describe("Node Setup", framework.Serial, func() {
 Mounts: []scyllav1alpha1.MountConfiguration{
 {
 Device: "/dev/loops/disk",
- MountPoint: fmt.Sprintf("/mnt/%s", f.Namespace()),
+ MountPoint: fmt.Sprintf("/var/lib/%s", f.Namespace()),
 FSType: string(scyllav1alpha1.XFSFilesystem),
 UnsupportedOptions: []string{"prjquota"},
 },
@@ -423,7 +429,7 @@ var _ = g.Describe("Node Setup", framework.Serial, func() {
 return nc
 },
 preNodeConfigCreationFunc: func(ctx context.Context, nc *scyllav1alpha1.NodeConfig) func(context.Context) {
- hostMountPath := fmt.Sprintf("/host/mnt/%s", f.Namespace())
+ hostMountPath := fmt.Sprintf("/host/var/lib/%s", f.Namespace())
 framework.By("Creating a client Pod")
 clientPod := newClientPod(nc)
@@ -467,8 +473,8 @@ var _ = g.Describe("Node Setup", framework.Serial, func() {
 LoopDevices: []scyllav1alpha1.LoopDeviceConfiguration{
 {
 Name: "disk",
- ImagePath: fmt.Sprintf("/mnt/%s.img", f.Namespace()),
- Size: resource.MustParse("32M"),
+ ImagePath: fmt.Sprintf("/var/lib/%s.img", f.Namespace()),
+ Size: xfsVolumeSize,
 },
 },
 Filesystems: []scyllav1alpha1.FilesystemConfiguration{
@@ -525,7 +531,7 @@ var _ = g.Describe("Node Setup", framework.Serial, func() {
 ncCopy.Spec.LocalDiskSetup.Mounts = []scyllav1alpha1.MountConfiguration{
 {
 Device: "/dev/loops/disk",
- MountPoint: fmt.Sprintf("/mnt/%s", f.Namespace()),
+ MountPoint: fmt.Sprintf("/var/lib/%s", f.Namespace()),
 FSType: string(scyllav1alpha1.XFSFilesystem),
 UnsupportedOptions: []string{"prjquota"},
 },