diff --git a/Makefile b/Makefile
index 71fcceb04f5..849d0444759 100644
--- a/Makefile
+++ b/Makefile
@@ -374,14 +374,19 @@ define generate-operator-manifests mv '$(3)'/scylla-operator/templates/operator.clusterrole.yaml '$(2)'/00_operator.clusterrole.yaml mv '$(3)'/scylla-operator/templates/operator.clusterrole_def.yaml '$(2)'/00_operator.clusterrole_def.yaml + mv '$(3)'/scylla-operator/templates/operator.clusterrole_def_openshift.yaml '$(2)'/00_operator.clusterrole_def_openshift.yaml mv '$(3)'/scylla-operator/templates/operator_remote.clusterrole.yaml '$(2)'/00_operator_remote.clusterrole.yaml mv '$(3)'/scylla-operator/templates/operator_remote.clusterrole_def.yaml '$(2)'/00_operator_remote.clusterrole_def.yaml mv '$(3)'/scylla-operator/templates/view_clusterrole.yaml '$(2)'/00_scyllacluster_clusterrole_view.yaml mv '$(3)'/scylla-operator/templates/edit_clusterrole.yaml '$(2)'/00_scyllacluster_clusterrole_edit.yaml mv '$(3)'/scylla-operator/templates/scyllacluster_member_clusterrole.yaml '$(2)'/00_scyllacluster_member_clusterrole.yaml mv '$(3)'/scylla-operator/templates/scyllacluster_member_clusterrole_def.yaml '$(2)'/00_scyllacluster_member_clusterrole_def.yaml + mv '$(3)'/scylla-operator/templates/scyllacluster_member_clusterrole_def_openshift.yaml '$(2)'/00_scyllacluster_member_clusterrole_def_openshift.yaml mv '$(3)'/scylla-operator/templates/scylladbmonitoring_prometheus_clusterrole.yaml '$(2)'/00_scylladbmonitoring_prometheus_clusterrole.yaml mv '$(3)'/scylla-operator/templates/scylladbmonitoring_prometheus_clusterrole_def.yaml '$(2)'/00_scylladbmonitoring_prometheus_clusterrole_def.yaml + mv '$(3)'/scylla-operator/templates/scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml '$(2)'/00_scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml + mv '$(3)'/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole.yaml '$(2)'/00_scylladbmonitoring_grafana_clusterrole.yaml + mv '$(3)'/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole_def_openshift.yaml '$(2)'/00_scylladbmonitoring_grafana_clusterrole_def_openshift.yaml mv 
'$(3)'/scylla-operator/templates/issuer.yaml '$(2)'/10_issuer.yaml mv '$(3)'/scylla-operator/templates/certificate.yaml '$(2)'/10_certificate.yaml @@ -415,6 +420,7 @@ define generate-manager-manifests-prod mv '$(3)'/scylla-manager/templates/manager_service.yaml '$(2)'/10_manager_service.yaml mv '$(3)'/scylla-manager/templates/manager_serviceaccount.yaml '$(2)'/10_manager_serviceaccount.yaml mv '$(3)'/scylla-manager/templates/manager_configmap.yaml '$(2)'/10_manager_configmap.yaml + mv '$(3)'/scylla-manager/templates/manager_networkpolicy.yaml '$(2)'/10_manager_networkpolicy.yaml mv '$(3)'/scylla-manager/templates/controller_clusterrolebinding.yaml '$(2)'/20_controller_clusterrolebinding.yaml @@ -517,7 +523,6 @@ verify-deploy: $(diff) -r '$(tmp_dir)'/manager/dev deploy/manager/dev $(call concat-manifests,$(sort $(wildcard ./deploy/manager/dev/*.yaml)),'$(tmp_dir)'/manager-dev.yaml) $(diff) '$(tmp_dir)'/manager-dev.yaml deploy/manager-dev.yaml - .PHONY: verify-deploy # $1 - file name diff --git a/assets/monitoring/grafana/v1alpha1/deployment.yaml b/assets/monitoring/grafana/v1alpha1/deployment.yaml index 6a808d89edf..e9ece01c7cc 100644 --- a/assets/monitoring/grafana/v1alpha1/deployment.yaml +++ b/assets/monitoring/grafana/v1alpha1/deployment.yaml @@ -15,6 +15,7 @@ spec: labels: scylla-operator.scylladb.com/deployment-name: "{{ .scyllaDBMonitoringName }}-grafana" spec: + serviceAccountName: "{{ .scyllaDBMonitoringName }}-grafana" affinity: {{- .affinity | toYAML | nindent 8 }} tolerations: diff --git a/assets/monitoring/grafana/v1alpha1/registry.go b/assets/monitoring/grafana/v1alpha1/registry.go index 451d7b37f41..73d0e5d7677 100644 --- a/assets/monitoring/grafana/v1alpha1/registry.go +++ b/assets/monitoring/grafana/v1alpha1/registry.go @@ -11,6 +11,7 @@ import ( appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" networkingv1 "k8s.io/api/networking/v1" + rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/runtime" ) 
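Review bot: The grafana entries added to `generate-operator-manifests` move `scylladbmonitoring_grafana_clusterrole.yaml` and `scylladbmonitoring_grafana_clusterrole_def_openshift.yaml` but no `scylladbmonitoring_grafana_clusterrole_def.yaml`, whereas prometheus has both a `_def` and a `_def_openshift` file. If that is intentional, the aggregated `scylladb:monitoring:grafana` ClusterRole carries no rules on non-OpenShift clusters and the Grafana RoleBinding is effectively empty there; a one-line comment next to the grafana `mv` lines, e.g. `# grafana has no base rules; only the OpenShift SCC rule is aggregated`, would stop the next reader from assuming a file is missing. If it is an oversight, the template and its `mv` line need adding here. The `define generate-operator-manifests` body starts before this hunk.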
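Review bot: `serviceAccountName` is now set on the Grafana pod but nothing disables token automount, so a projected API token is mounted into the Grafana container. The only permission this ServiceAccount receives in the change is `use` on an OpenShift SCC, which is evaluated by admission at pod creation and never needs the token inside the pod. Unless Grafana itself calls the Kubernetes API (not visible here), add `automountServiceAccountToken: false` beside `serviceAccountName` so the credential is not exposed to the dashboard process. The surrounding pod spec continues outside the hunk.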
@@ -31,6 +32,12 @@ var ( return ParseObjectTemplateOrDie[*corev1.ServiceAccount]("grafana-sa", grafanaSATemplateString) }) + //go:embed "rolebinding.yaml" + grafanaRoleBindingTemplateString string + GrafanaRoleBindingTemplate = lazy.New(func() *assets.ObjectTemplate[*rbacv1.RoleBinding] { + return ParseObjectTemplateOrDie[*rbacv1.RoleBinding]("grafana-rolebinding", grafanaRoleBindingTemplateString) + }) + //go:embed "configs.cm.yaml" grafanaConfigsTemplateString string GrafanaConfigsTemplate = lazy.New(func() *assets.ObjectTemplate[*corev1.ConfigMap] { diff --git a/assets/monitoring/grafana/v1alpha1/rolebinding.yaml b/assets/monitoring/grafana/v1alpha1/rolebinding.yaml new file mode 100644 index 00000000000..9238ff84b01 --- /dev/null +++ b/assets/monitoring/grafana/v1alpha1/rolebinding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "{{ .scyllaDBMonitoringName }}-grafana" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: scylladb:monitoring:grafana +subjects: +- kind: ServiceAccount + name: "{{ .scyllaDBMonitoringName }}-grafana" + namespace: "{{ .namespace }}" diff --git a/deploy/manager-dev.yaml b/deploy/manager-dev.yaml index aff48725614..35f2d1f7e7c 100644 --- a/deploy/manager-dev.yaml +++ b/deploy/manager-dev.yaml @@ -132,6 +132,25 @@ data: hosts: - scylla-manager-cluster-manager-dc-manager-rack-0 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + namespace: scylla-manager + name: scylla-manager-to-scylla-pod +spec: + policyTypes: + - Ingress + podSelector: + matchLabels: + app.kubernetes.io/managed-by: scylla-operator + app.kubernetes.io/name: scylla + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: scylla-manager + --- apiVersion: v1 kind: Service diff --git a/deploy/manager-prod.yaml b/deploy/manager-prod.yaml index 3abaa0676ad..67326857c6e 100644 --- a/deploy/manager-prod.yaml +++ b/deploy/manager-prod.yaml 
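Review bot: The RoleBinding in `rolebinding.yaml` grants the Grafana ServiceAccount the aggregated `scylladb:monitoring:grafana` ClusterRole, and in this change the only ClusterRole carrying its aggregation label is the OpenShift SCC one, so outside OpenShift the binding resolves to zero rules. That is harmless, but worth stating in the template, e.g. `# Aggregated role; currently only contributes the OpenShift SCC 'use' rule`, so a later contributor realises that any rule added under that label is granted to every Grafana ServiceAccount the operator creates. Whether the controller labels/owns this RoleBinding like the sibling ServiceAccount template so it is pruned with the ScyllaDBMonitoring is not visible in the hunk; confirm it follows the same ownership path.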
@@ -132,6 +132,25 @@ data: hosts: - scylla-manager-cluster-manager-dc-manager-rack-0 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + namespace: scylla-manager + name: scylla-manager-to-scylla-pod +spec: + policyTypes: + - Ingress + podSelector: + matchLabels: + app.kubernetes.io/managed-by: scylla-operator + app.kubernetes.io/name: scylla + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: scylla-manager + --- apiVersion: v1 kind: Service diff --git a/deploy/manager/dev/10_manager_networkpolicy.yaml b/deploy/manager/dev/10_manager_networkpolicy.yaml new file mode 100644 index 00000000000..24f59f1e100 --- /dev/null +++ b/deploy/manager/dev/10_manager_networkpolicy.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + namespace: scylla-manager + name: scylla-manager-to-scylla-pod +spec: + policyTypes: + - Ingress + podSelector: + matchLabels: + app.kubernetes.io/managed-by: scylla-operator + app.kubernetes.io/name: scylla + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: scylla-manager diff --git a/deploy/manager/prod/10_manager_networkpolicy.yaml b/deploy/manager/prod/10_manager_networkpolicy.yaml new file mode 100644 index 00000000000..24f59f1e100 --- /dev/null +++ b/deploy/manager/prod/10_manager_networkpolicy.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + namespace: scylla-manager + name: scylla-manager-to-scylla-pod +spec: + policyTypes: + - Ingress + podSelector: + matchLabels: + app.kubernetes.io/managed-by: scylla-operator + app.kubernetes.io/name: scylla + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: scylla-manager diff --git a/deploy/operator.yaml b/deploy/operator.yaml index 582d22bddcd..c2ba76cff54 100644 --- a/deploy/operator.yaml +++ b/deploy/operator.yaml 
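Review bot: The ingress rule in `10_manager_networkpolicy.yaml` has no `ports` list and its `from` uses only a `namespaceSelector`, so every pod in `scylla-manager` may reach every port of the selected Scylla pods, not just the manager on the CQL/API ports the name `scylla-manager-to-scylla-pod` implies. If the intent is manager-to-backend, put a `podSelector` matching the manager pods in the same `from` entry and add a `ports` list for what it actually uses. Note also that once an Ingress policy selects the Scylla pods, all other ingress is denied on enforcing CNIs; if the operator in `scylla-operator` or a monitoring stack must reach these pods directly (not visible here), a matching rule is required. The same manifest is reproduced verbatim in `deploy/manager/dev`, `deploy/manager-dev.yaml` and `deploy/manager-prod.yaml`, so fix the source once and regenerate.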
@@ -297,6 +297,91 @@ rules: - patch - update - delete +- apiGroups: + - "" + resources: + - configmaps/finalizers + - secrets/finalizers + - pods/finalizers + verbs: + - update +- apiGroups: + - apps + resources: + - daemonsets/finalizers + verbs: + - update +- apiGroups: + - scylla.scylladb.com + resources: + - scyllaclusters/finalizers + - scylladbdatacenters/finalizers + - scylladbmonitorings/finalizers + verbs: + - update +- apiGroups: + - policy + resources: + - poddisruptionbudgets/finalizers + verbs: + - update +- apiGroups: + - scylla.scylladb.com + resources: + - nodeconfigs/finalizers + verbs: + - update +- apiGroups: + - "" + resources: + - configmaps/finalizers + - secrets/finalizers + - pods/finalizers + verbs: + - update +- apiGroups: + - apps + resources: + - daemonsets/finalizers + verbs: + - update +- apiGroups: + - scylla.scylladb.com + resources: + - scyllaclusters/finalizers + - scylladbdatacenters/finalizers + - scylladbmonitorings/finalizers + verbs: + - update +- apiGroups: + - policy + resources: + - poddisruptionbudgets/finalizers + verbs: + - update +- apiGroups: + - scylla.scylladb.com + resources: + - nodeconfigs/finalizers + verbs: + - update + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:controller:aggregate-to-operator-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-scylla-operator: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use --- apiVersion: rbac.authorization.k8s.io/v1 
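Review bot: The added finalizer rules appear twice: the five entries from `configmaps/finalizers` through `nodeconfigs/finalizers` are repeated verbatim immediately after themselves. RBAC unions rules, so this is not a privilege problem, but it doubles the ClusterRole and suggests the Helm template (or the loop feeding it) emits the block once per iteration; the same duplication is in `deploy/operator/00_operator.clusterrole_def.yaml`, so it should be fixed in the template rather than in this generated file. These `*/finalizers` `update` grants are presumably needed because OpenShift's OwnerReferencesPermissionEnforcement admission requires them to set `blockOwnerDeletion` on owned objects; a one-line comment such as `# finalizers subresource: required for blockOwnerDeletion owner refs under OwnerReferencesPermissionEnforcement` would explain why an operator that already has full verbs on these resources needs the subresource. The `rules:` list starts before this hunk.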
@@ -27904,6 +27989,57 @@ rules: - scyllaclusters verbs: - get +- apiGroups: + - "" + resources: + - configmaps/finalizers + - secrets/finalizers + verbs: + - update + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:aggregate-to-scyllacluster-member-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-scylla-member: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:monitoring:grafana +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-grafana: "true" + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:aggregate-to-scylladb-monitoring-grafana-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-grafana: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use --- apiVersion: rbac.authorization.k8s.io/v1 @@ -27940,6 +28076,23 @@ rules: verbs: - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:aggregate-to-scylladb-monitoring-prometheus-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-prometheus: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use + --- apiVersion: cert-manager.io/v1 kind: Certificate diff --git a/deploy/operator/00_operator.clusterrole_def.yaml b/deploy/operator/00_operator.clusterrole_def.yaml index c857c2d55c0..bfbc10a0994 100644 --- a/deploy/operator/00_operator.clusterrole_def.yaml +++ b/deploy/operator/00_operator.clusterrole_def.yaml 
@@ -281,3 +281,71 @@ rules: - patch - update - delete +- apiGroups: + - "" + resources: + - configmaps/finalizers + - secrets/finalizers + - pods/finalizers + verbs: + - update +- apiGroups: + - apps + resources: + - daemonsets/finalizers + verbs: + - update +- apiGroups: + - scylla.scylladb.com + resources: + - scyllaclusters/finalizers + - scylladbdatacenters/finalizers + - scylladbmonitorings/finalizers + verbs: + - update +- apiGroups: + - policy + resources: + - poddisruptionbudgets/finalizers + verbs: + - update +- apiGroups: + - scylla.scylladb.com + resources: + - nodeconfigs/finalizers + verbs: + - update +- apiGroups: + - "" + resources: + - configmaps/finalizers + - secrets/finalizers + - pods/finalizers + verbs: + - update +- apiGroups: + - apps + resources: + - daemonsets/finalizers + verbs: + - update +- apiGroups: + - scylla.scylladb.com + resources: + - scyllaclusters/finalizers + - scylladbdatacenters/finalizers + - scylladbmonitorings/finalizers + verbs: + - update +- apiGroups: + - policy + resources: + - poddisruptionbudgets/finalizers + verbs: + - update +- apiGroups: + - scylla.scylladb.com + resources: + - nodeconfigs/finalizers + verbs: + - update diff --git a/deploy/operator/00_operator.clusterrole_def_openshift.yaml b/deploy/operator/00_operator.clusterrole_def_openshift.yaml new file mode 100644 index 00000000000..88556786aa3 --- /dev/null +++ b/deploy/operator/00_operator.clusterrole_def_openshift.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:controller:aggregate-to-operator-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-scylla-operator: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use diff --git a/deploy/operator/00_scyllacluster_member_clusterrole_def.yaml b/deploy/operator/00_scyllacluster_member_clusterrole_def.yaml index 11cb8ad0b39..d5af6d0c159 100644 
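Review bot: `scylladb:controller:aggregate-to-operator-openshift` gives the operator's own ServiceAccount `use` of the `privileged` SCC, the most permissive built-in constraint (root, any capability, host namespaces, hostPath), without saying why. For controller-managed pods OpenShift SCC admission is generally decided by the pod's own ServiceAccount, which the member, CSI and monitoring roles in this change already cover, so the operator process itself only needs this if its own pod spec requires privileged settings (not visible here). If it does not, prefer the default restricted SCC or `nonroot-v2`; if it does, add a comment on the rule naming the pod setting that requires `privileged` so the grant can be revisited. The `_def.yaml` hunk above also carries the duplicated finalizer block seen in `deploy/operator.yaml`.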
--- a/deploy/operator/00_scyllacluster_member_clusterrole_def.yaml +++ b/deploy/operator/00_scyllacluster_member_clusterrole_def.yaml @@ -56,3 +56,10 @@ rules: - scyllaclusters verbs: - get +- apiGroups: + - "" + resources: + - configmaps/finalizers + - secrets/finalizers + verbs: + - update diff --git a/deploy/operator/00_scyllacluster_member_clusterrole_def_openshift.yaml b/deploy/operator/00_scyllacluster_member_clusterrole_def_openshift.yaml new file mode 100644 index 00000000000..7871d0307d6 --- /dev/null +++ b/deploy/operator/00_scyllacluster_member_clusterrole_def_openshift.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:aggregate-to-scyllacluster-member-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-scylla-member: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use diff --git a/deploy/operator/00_scylladbmonitoring_grafana_clusterrole.yaml b/deploy/operator/00_scylladbmonitoring_grafana_clusterrole.yaml new file mode 100644 index 00000000000..30d54f79fef --- /dev/null +++ b/deploy/operator/00_scylladbmonitoring_grafana_clusterrole.yaml @@ -0,0 +1,8 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:monitoring:grafana +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-grafana: "true" diff --git a/deploy/operator/00_scylladbmonitoring_grafana_clusterrole_def_openshift.yaml b/deploy/operator/00_scylladbmonitoring_grafana_clusterrole_def_openshift.yaml new file mode 100644 index 00000000000..f1cf99ee147 --- /dev/null +++ b/deploy/operator/00_scylladbmonitoring_grafana_clusterrole_def_openshift.yaml 
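Review bot: The new `configmaps/finalizers` and `secrets/finalizers` `update` rules on the ScyllaCluster member role are unexplained; they are normally needed only when the member sets `blockOwnerDeletion` owner references on objects owned by a ConfigMap or Secret under OpenShift's OwnerReferencesPermissionEnforcement admission, and a comment naming that case (`# needed for blockOwnerDeletion owner refs under OwnerReferencesPermissionEnforcement`) would let a later reviewer check whether the rule is still required. Separately, `scylladb:aggregate-to-scyllacluster-member-openshift` gives every ScyllaDB node pod `use` of the `privileged` SCC; if the Scylla pod spec only needs specific capabilities or a hostPath, a purpose-built SCC listing exactly those is the least-privilege option and keeps a compromise of Scylla from becoming root on the host. Both rules are aggregated into cluster-scoped roles, so any widening here applies to every ScyllaCluster in the cluster.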
@@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:aggregate-to-scylladb-monitoring-grafana-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-grafana: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use diff --git a/deploy/operator/00_scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml b/deploy/operator/00_scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml new file mode 100644 index 00000000000..fb293dd8149 --- /dev/null +++ b/deploy/operator/00_scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:aggregate-to-scylladb-monitoring-prometheus-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-prometheus: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use diff --git a/docs/source/resources/nodeconfigs.md b/docs/source/resources/nodeconfigs.md index 23ebb1a89cc..25c467a6468 100644 --- a/docs/source/resources/nodeconfigs.md +++ b/docs/source/resources/nodeconfigs.md @@ -22,7 +22,7 @@ spec: type: xfs mounts: - device: /dev/md/nvmes - mountPoint: /mnt/persistent-volumes + mountPoint: /var/lib/persistent-volumes unsupportedOptions: - prjquota placement: diff --git a/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole.yaml b/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole.yaml new file mode 100644 index 00000000000..393e347ad85 --- /dev/null +++ b/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole.yaml 
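Review bot: Both `scylladb:aggregate-to-scylladb-monitoring-grafana-openshift` and `scylladb:aggregate-to-scylladb-monitoring-prometheus-openshift` grant `use` of the `privileged` SCC to the monitoring ServiceAccounts. Grafana and Prometheus are ordinary non-root workloads; if all they need under the default restricted SCC is a writable data directory or a particular `fsGroup`, a dedicated SCC or `nonroot-v2` covers that without allowing host access. If something in the monitoring pod specs genuinely requires `privileged` (not visible here), record it in a comment on these rules so the grant can be revisited. Any rule added under these aggregation labels applies to every ScyllaDBMonitoring instance the operator manages.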
@@ -0,0 +1,8 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:csi-external-provisioner +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.operator.scylladb.com/aggregate-to-csi-external-provisioner: "true" diff --git a/examples/common/local-volume-provisioner/local-csi-driver/10_provisioner_clusterrole.yaml b/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole_def.yaml similarity index 91% rename from examples/common/local-volume-provisioner/local-csi-driver/10_provisioner_clusterrole.yaml rename to examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole_def.yaml index c211a270b2f..ce9410f0350 100644 --- a/examples/common/local-volume-provisioner/local-csi-driver/10_provisioner_clusterrole.yaml +++ b/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole_def.yaml @@ -1,7 +1,9 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: scylladb:csi-external-provisioner + name: scylladb:aggregate-to-csi-external-provisioner + labels: + rbac.operator.scylladb.com/aggregate-to-csi-external-provisioner: "true" rules: - apiGroups: - "" diff --git a/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole_def_openshift.yaml b/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole_def_openshift.yaml new file mode 100644 index 00000000000..7bed98b0eb8 --- /dev/null +++ b/examples/common/local-volume-provisioner/local-csi-driver/00_clusterrole_def_openshift.yaml @@ -0,0 +1,15 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: scylladb:aggregate-to-csi-external-provisioner-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-csi-external-provisioner: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use 
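Review bot: `00_clusterrole_def_openshift.yaml` grants the CSI driver ServiceAccount `use` of the `privileged` SCC without stating why. The DaemonSet later in this diff mounts `/var/lib/persistent-volumes` from the host, which is a plausible reason, so a comment on the rule such as `# node plugin mounts host directories and therefore needs the privileged SCC` would make the grant auditable and let it be narrowed if the plugin's hostPath needs change. The split into an aggregated `scylladb:csi-external-provisioner` plus labelled `aggregate-to-*` roles is consistent with the operator manifests elsewhere in the change.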
diff --git a/examples/common/local-volume-provisioner/local-csi-driver/10_driver.serviceaccount.yaml b/examples/common/local-volume-provisioner/local-csi-driver/10_serviceaccount.yaml similarity index 100% rename from examples/common/local-volume-provisioner/local-csi-driver/10_driver.serviceaccount.yaml rename to examples/common/local-volume-provisioner/local-csi-driver/10_serviceaccount.yaml diff --git a/examples/common/local-volume-provisioner/local-csi-driver/20_provisioner_clusterrolebinding.yaml b/examples/common/local-volume-provisioner/local-csi-driver/20_clusterrolebinding.yaml similarity index 100% rename from examples/common/local-volume-provisioner/local-csi-driver/20_provisioner_clusterrolebinding.yaml rename to examples/common/local-volume-provisioner/local-csi-driver/20_clusterrolebinding.yaml diff --git a/examples/common/local-volume-provisioner/local-csi-driver/50_daemonset.yaml b/examples/common/local-volume-provisioner/local-csi-driver/50_daemonset.yaml index d7be54b6270..fafd604ae82 100644 --- a/examples/common/local-volume-provisioner/local-csi-driver/50_daemonset.yaml +++ b/examples/common/local-volume-provisioner/local-csi-driver/50_daemonset.yaml @@ -29,7 +29,7 @@ spec: args: - --listen=/csi/csi.sock - --node-name=$(NODE_NAME) - - --volumes-dir=/mnt/persistent-volumes + - --volumes-dir=/var/lib/persistent-volumes - --v=2 env: - name: NODE_NAME @@ -43,7 +43,7 @@ spec: - name: plugin-dir mountPath: /csi - name: volumes-dir - mountPath: /mnt/persistent-volumes + mountPath: /var/lib/persistent-volumes ports: - name: healthz containerPort: 9809 @@ -121,5 +121,5 @@ spec: type: Directory - name: volumes-dir hostPath: - path: /mnt/persistent-volumes + path: /var/lib/persistent-volumes type: Directory diff --git a/examples/eks/nodeconfig-alpha.yaml b/examples/eks/nodeconfig-alpha.yaml index bc4e6a65ff9..663a125bd05 100644 --- a/examples/eks/nodeconfig-alpha.yaml +++ b/examples/eks/nodeconfig-alpha.yaml 
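Review bot: The host directory moves from `/mnt/persistent-volumes` to `/var/lib/persistent-volumes` in the CSI DaemonSet's `--volumes-dir`, its container mount and the `hostPath`, and the NodeConfig examples change to match, but nothing in the diff explains the move or warns existing users. Because the `hostPath` is `type: Directory`, a cluster that updates the DaemonSet while its NodeConfig still mounts `/mnt/persistent-volumes` will have node-plugin pods stuck in ContainerCreating, and a cluster that updates both loses access to volumes already provisioned under the old path. A comment on the `hostPath` (`# must match NodeConfig .spec.localDiskSetup.mounts[].mountPoint`) and a docs/changelog line describing the migration would cover this; the reason for the move (for instance a read-only or SELinux-confined `/mnt` on the target platform) is not visible here and is worth stating.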
@@ -16,7 +16,7 @@ spec: type: xfs mounts: - device: /dev/md/nvmes - mountPoint: /mnt/persistent-volumes + mountPoint: /var/lib/persistent-volumes unsupportedOptions: - prjquota placement: diff --git a/examples/generic/nodeconfig-alpha.yaml b/examples/generic/nodeconfig-alpha.yaml index b29923d799b..2df77954e70 100644 --- a/examples/generic/nodeconfig-alpha.yaml +++ b/examples/generic/nodeconfig-alpha.yaml @@ -6,14 +6,14 @@ spec: localDiskSetup: loopDevices: - name: persistent-volumes - imagePath: /mnt/persistent-volumes.img + imagePath: /var/lib/persistent-volumes.img size: 80Gi filesystems: - device: /dev/loops/persistent-volumes type: xfs mounts: - device: /dev/loops/persistent-volumes - mountPoint: /mnt/persistent-volumes + mountPoint: /var/lib/persistent-volumes unsupportedOptions: - prjquota placement: diff --git a/examples/gke/nodeconfig-alpha.yaml b/examples/gke/nodeconfig-alpha.yaml index 952d91568b8..06e68c578b9 100644 --- a/examples/gke/nodeconfig-alpha.yaml +++ b/examples/gke/nodeconfig-alpha.yaml @@ -15,7 +15,7 @@ spec: type: xfs mounts: - device: /dev/md/nvmes - mountPoint: /mnt/persistent-volumes + mountPoint: /var/lib/persistent-volumes unsupportedOptions: - prjquota placement: diff --git a/examples/monitoring/v1alpha1/scylladbmonitoring.yaml b/examples/monitoring/v1alpha1/scylladbmonitoring.yaml index 69b7e7a4a88..709b24f97cb 100644 --- a/examples/monitoring/v1alpha1/scylladbmonitoring.yaml +++ b/examples/monitoring/v1alpha1/scylladbmonitoring.yaml @@ -38,6 +38,6 @@ spec: ingress: ingressClassName: haproxy dnsDomains: - - test-grafana.test.svc.cluster.local + - example-grafana.test.svc.cluster.local annotations: haproxy-ingress.github.io/ssl-passthrough: "true" diff --git a/examples/third-party/haproxy-ingress.yaml b/examples/third-party/haproxy-ingress.yaml index 041ef61fae5..d70259453fe 100644 --- a/examples/third-party/haproxy-ingress.yaml +++ b/examples/third-party/haproxy-ingress.yaml 
@@ -79,20 +79,6 @@ rules: - list - watch ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: haproxy-ingress -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: haproxy-ingress -subjects: -- kind: ServiceAccount - name: haproxy-ingress - namespace: haproxy-ingress - --- apiVersion: v1 kind: ConfigMap 
@@ -129,6 +115,185 @@ data: stats-config-snippet: | option dontlog-normal +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: haproxy-ingress +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: haproxy-ingress + +--- +apiVersion: v1 +kind: Service +metadata: + name: haproxy-ingress +spec: + selector: + app.kubernetes.io/name: haproxy-ingress + type: LoadBalancer + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 8080 + - name: https + port: 443 + protocol: TCP + targetPort: 8443 + - name: cql-ssl + port: 9142 + protocol: TCP + targetPort: 8443 + - name: stat + port: 1024 + protocol: TCP + targetPort: 1024 + +--- +apiVersion: v1 +kind: Service +metadata: + name: ingress-default-backend +spec: + selector: + app.kubernetes.io/name: ingress-default-backend + ports: + - name: https + port: 443 + protocol: TCP + targetPort: 8080 + - name: cql-ssl + port: 9142 + protocol: TCP + targetPort: 8080 + +--- +apiVersion: v1 +kind: Secret +metadata: + name: ingress-default-ssl-certificate +type: kubernetes.io/tls +data: + tls.crt: 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 + tls.key: 
LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRREdrUnpseEx4ZjRpdnkKbEs2WG5NU3ozZXdJOXQzbmJzTE1XMmJNbmZvUlRjQmtGeG9tbnZhN1F2MnRtZHBaelZ4TUVyUWhXV1E1eDlTTAp4emlSbXhnOEpLbzVwdmdKRnVITFFMeHRZZndpL3N1VFNUa0czSUhMSUQ4REdOK2J1bU1GRkJhUDlYUkpsbzdCCjJ2T3VrYmFpOE9waG9wTGh0aVQwT3k0cjd2Mk0xcnVPenUzQ285bzhZVDNkUXBzZXZobHU1NTlTeEZUSmdDcGkKQStSRVgwYnRnV0orRXdJSWUya1VVbmI3a04ySDFvU0NldnN0aTg4bDJ2U1d6Z1ZKTjB5d2JnUDN6TjR4N1hMbQo1NytodE14b1IvV1d4RzNueUVvQmJmYWlsOWNGYUtJTTc2N3lnSDJxd3ltaWNBWEtUaVlIVlBNZmdMTVBBRVJ5ClFSekMxWUdwQWdNQkFBRUNnZ0VBQm1TWnA1UWo5SHBWcStPNWswd0swVGV0NThQNjlQNk42d0p1VnR3bk52Tm4KNUZFU0dIZzV2V0cweFNnVTdaczlBMzMrcXF3MEcrQWhLYmJxVFZYTysvQzZRa3pyNDI4SEtnSVZqdmYrcENuTAo2QndOWi9rbGZLSzNKS1JpWHFNcm1QaENtYlB2WUljbVpYdGxLUk9yNjZjU0JMNjFOK3NqV1hHbVZPZkc1Z2ZkClAwbnJqRDZMcmVNZmJyNkdlOXpRTHpuNkhCZjB5cUxxZmpEWThPVURsK0R4TlZwOGZkd2ZlcWZOUXBRQk04NHIKei90ZzFSK0hFYXBkWUR0WXhKNnV1SzVMTmdHVG1RWUlaZmFmVVp0YmlBWCtDdFVoZ3FiRXowdFVFUXpQQWRsSAphblpKc0FmbmVzTXJabkRjNERLaU0xUk9KNW1jNGNHNm51RVZDQmMxWVFLQmdRRDQzSG4zQjd3d2dialdCa2s1CjNPZlYxY0JXZElQdXdEY1NvWlJ0QUsrVEtSaUZPTG1oVTk4bVhnblJhVk9BSXY1cEVNa2VpSkFkZ2xZRGRTbFgKMVpzdzBhay9samtqanJQM2Q1aFVuY3Z1WnY3cUhKckVaSVRtVU1wWmdmVnlpTVo5MVc1RmY3TlhmWTIyZVVQZwpKVG9qTlExU0l5ZHZIR2RTZ3h5b1BHYXdKUUtCZ1FETVEwd2djbGNNN0EvYjJERklzN29jU0pLZVJobDNiM3AxCkNnb2tUdHFYd1BLUFY5UHYxRkxSRGpZM0hoaitTKzFEdE1QMlRoSEFpZDNlbmdtQUZGQTg4c2tsNUVXa2U3ZDkKWUdKdW9KVURjdWU3aXorenV3b3dQVnlYL0Y5cHZ0ZmJjN2c3eW5MdzlGbFh5Y2NMRVI1bGxncE15OWlacmxacApmU0dOM0l2Q05RS0JnRDlHRjRDV3ArT1JhQVNLenAxMnJEOXpQSmIrd3ZpMlNJcGxLTTdhS01uNjNmQXBieEUwCnVQMFJWZCszcnZKYWMyTVZVSDJCN1ZxRFpBazNCYzcrVVpvRkJNcFZFS3dZd1dzL0xpejlmZmRjbXAyOXJpQVgKQ3E5Z2hVSml4NXhhYUZWZ0tjeGozcDUxSHMzeFlTK2haM25DS0dQazZrYlc2dkpRd2IySXRmYzlBb0dCQUw5cQpaV0dXcE5yNE1OaGRYYm42cXZLc1U3RzhrVXJxamdBMSsxRVJFQ25iNTdMS3BGS0FUMmVYZ05qZi9KMzV1d3VTCnozejJwZzRmWkdxbEFOUWt0UmlZa0VWUkNLNWVQWkpoaTN5T1FYWnM3SnBFb05xbDhhTkpMWWRFT29tWERTT2EKNnRBbEpOZUd0RjdmT1FhMjhSeFRvYTFiN2N2K292M1NCR3F6ZmNqdEFv
R0FYaW9oZWlFdk9jZFFPK3RmcHEwNApnR1pScXRwMzZBU3NxQ2RhN1pSelc0cFNqb0RzZ1VmRmZHMm1qYnBOeVdyTFByS041bjdoWHp5RUxxbExTNHh1CkllSkM4dHhyN0lhMUt5ZXNPbysyemxCeHdjWGNDbWZoVUV1RHRwN2RqdytBcFRNZ2dTK0R5MVhyck5hOXN0RGoKcnMvREMwb2R1UUlaV2trWllJQ2w4cFU9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: prometheus-cfg +data: + prometheus.yml: | + global: + scrape_interval: 10s + scrape_timeout: 10s + scrape_configs: + - job_name: haproxy + kubernetes_sd_configs: + - role: pod + namespaces: + names: + - haproxy-ingress + relabel_configs: + - source_labels: [__meta_kubernetes_pod_label_run] + regex: haproxy-ingress + action: keep + - source_labels: [__meta_kubernetes_pod_container_port_number] + regex: 1024 + action: keep + - source_labels: [__meta_kubernetes_pod_node_name] + target_label: hostname + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: prometheus +rules: +- apiGroups: + - "" + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: prometheus + +--- +apiVersion: v1 +kind: Service +metadata: + name: prometheus +spec: + ports: + - port: 9090 + selector: + app.kubernetes.io/instance: prometheus + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: haproxy-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: haproxy-ingress +subjects: +- kind: ServiceAccount + name: haproxy-ingress + namespace: haproxy-ingress + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: haproxy-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: haproxy-ingress +subjects: +- kind: ServiceAccount + name: haproxy-ingress + namespace: haproxy-ingress + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: prometheus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 
prometheus +subjects: +- kind: ServiceAccount + name: prometheus + namespace: haproxy-ingress + --- apiVersion: apps/v1 kind: Deployment @@ -202,39 +367,6 @@ spec: fieldRef: fieldPath: metadata.namespace ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: haproxy-ingress - ---- -apiVersion: v1 -kind: Service -metadata: - name: haproxy-ingress -spec: - selector: - app.kubernetes.io/name: haproxy-ingress - type: LoadBalancer - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 8080 - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - - name: cql-ssl - port: 9142 - protocol: TCP - targetPort: 8443 - - name: stat - port: 1024 - protocol: TCP - targetPort: 1024 - --- apiVersion: apps/v1 kind: Deployment @@ -260,61 +392,6 @@ spec: cpu: 10m memory: 50Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: ingress-default-backend -spec: - selector: - app.kubernetes.io/name: ingress-default-backend - ports: - - name: https - port: 443 - protocol: TCP - targetPort: 8080 - - name: cql-ssl - port: 9142 - protocol: TCP - targetPort: 8080 - ---- -apiVersion: v1 -kind: Secret -metadata: - name: ingress-default-ssl-certificate -type: kubernetes.io/tls -data: - tls.crt: 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 - tls.key: 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 - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: prometheus-cfg -data: - prometheus.yml: | - global: - scrape_interval: 10s - scrape_timeout: 10s - scrape_configs: - - job_name: haproxy - kubernetes_sd_configs: - - role: pod - namespaces: - names: - - haproxy-ingress - relabel_configs: - - source_labels: [__meta_kubernetes_pod_label_run] - regex: haproxy-ingress - action: keep - - source_labels: [__meta_kubernetes_pod_container_port_number] - regex: 1024 - action: keep - - source_labels: [__meta_kubernetes_pod_node_name] - target_label: hostname - --- apiVersion: apps/v1 kind: Deployment 
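Review bot: The `ingress-default-ssl-certificate` Secret in this hunk carries a full PEM private key (`tls.key`, visible at the end of the block) in a manifest committed to the repository, so every cluster deploying this example serves the same key and anyone with the repository can impersonate the ingress' default certificate. The key predates the move, but this hunk is the place to stop shipping it: generate the pair at deploy time (the operator templates already appear to use a cert-manager Issuer, or document an `openssl`/`kubectl create secret tls` step) and leave only a placeholder with a `# example-only, never reuse` comment in the manifest. On the RBAC side, scoping the SCC grant as a namespaced `Role` rather than a ClusterRole is the right choice; note though that the `Role`/`RoleBinding` have no `metadata.namespace` while the subject hardcodes `namespace: haproxy-ingress`, so applying the file with a different `-n` silently binds a ServiceAccount that does not exist there.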
@@ -350,58 +427,15 @@ spec: volumeMounts: - mountPath: /etc/prometheus/config name: prometheus-cfg + - name: prometheus + mountPath: /prometheus serviceAccountName: prometheus volumes: - configMap: name: prometheus-cfg name: prometheus-cfg - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: prometheus -rules: -- apiGroups: - - "" - resources: - - services - - endpoints - - pods - verbs: - - get - - list - - watch - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: prometheus -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: prometheus -subjects: -- kind: ServiceAccount - name: prometheus - namespace: haproxy-ingress - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: prometheus - ---- -apiVersion: v1 -kind: Service -metadata: - name: prometheus -spec: - ports: - - port: 9090 - selector: - app.kubernetes.io/instance: prometheus + - name: prometheus + emptyDir: + sizeLimit: 10Mi --- diff --git a/examples/third-party/haproxy-ingress/10_haproxy-ingress.role.yaml b/examples/third-party/haproxy-ingress/10_haproxy-ingress.role.yaml new file mode 100644 index 00000000000..01787839162 --- /dev/null +++ b/examples/third-party/haproxy-ingress/10_haproxy-ingress.role.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: haproxy-ingress +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use diff --git a/examples/third-party/haproxy-ingress/10_clusterrolebinding.yaml b/examples/third-party/haproxy-ingress/20_clusterrolebinding.yaml similarity index 100% rename from examples/third-party/haproxy-ingress/10_clusterrolebinding.yaml rename to examples/third-party/haproxy-ingress/20_clusterrolebinding.yaml 
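Review bot: The new `10_haproxy-ingress.role.yaml` gives the `haproxy-ingress` ServiceAccount `use` on the `privileged` SCC, which is far broader than an ingress proxy that listens on unprivileged ports (8080/8443/1024 per the Service being moved in the earlier hunks) should need. `privileged` also admits host network/PID/IPC, hostPath volumes and any UID, so a compromise of this internet-facing pod becomes a node-level foothold instead of a contained one. If the only blocker under `restricted-v2` is a fixed UID or `NET_BIND_SERVICE`, `resourceNames: [anyuid]` or `[nonroot-v2]` (or a purpose-built SCC) would keep the example least-privilege; at minimum add a comment in the file stating why `privileged` is required, e.g. `# privileged SCC needed because: <reason>`.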
diff --git a/examples/third-party/haproxy-ingress/20_haproxy-ingress.rolebinding.yaml b/examples/third-party/haproxy-ingress/20_haproxy-ingress.rolebinding.yaml new file mode 100644 index 00000000000..ebe89868052 --- /dev/null +++ b/examples/third-party/haproxy-ingress/20_haproxy-ingress.rolebinding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: haproxy-ingress +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: haproxy-ingress +subjects: +- kind: ServiceAccount + name: haproxy-ingress + namespace: haproxy-ingress diff --git a/examples/third-party/haproxy-ingress/10_prometheus.rolebinding.yaml b/examples/third-party/haproxy-ingress/20_prometheus.rolebinding.yaml similarity index 100% rename from examples/third-party/haproxy-ingress/10_prometheus.rolebinding.yaml rename to examples/third-party/haproxy-ingress/20_prometheus.rolebinding.yaml diff --git a/examples/third-party/haproxy-ingress/10_haproxy-ingress.deploy.yaml b/examples/third-party/haproxy-ingress/50_haproxy-ingress.deploy.yaml similarity index 100% rename from examples/third-party/haproxy-ingress/10_haproxy-ingress.deploy.yaml rename to examples/third-party/haproxy-ingress/50_haproxy-ingress.deploy.yaml diff --git a/examples/third-party/haproxy-ingress/10_ingress-default-backend.deploy.yaml b/examples/third-party/haproxy-ingress/50_ingress-default-backend.deploy.yaml similarity index 100% rename from examples/third-party/haproxy-ingress/10_ingress-default-backend.deploy.yaml rename to examples/third-party/haproxy-ingress/50_ingress-default-backend.deploy.yaml diff --git a/examples/third-party/haproxy-ingress/10_prometheus.deploy.yaml b/examples/third-party/haproxy-ingress/50_prometheus.deploy.yaml similarity index 89% rename from examples/third-party/haproxy-ingress/10_prometheus.deploy.yaml rename to examples/third-party/haproxy-ingress/50_prometheus.deploy.yaml index d20d93e6e40..ee3fe3bf2a0 100644 
--- a/examples/third-party/haproxy-ingress/10_prometheus.deploy.yaml +++ b/examples/third-party/haproxy-ingress/50_prometheus.deploy.yaml @@ -32,8 +32,13 @@ spec: volumeMounts: - mountPath: /etc/prometheus/config name: prometheus-cfg + - name: prometheus + mountPath: /prometheus serviceAccountName: prometheus volumes: - configMap: name: prometheus-cfg name: prometheus-cfg + - name: prometheus + emptyDir: + sizeLimit: 10Mi diff --git a/examples/third-party/prometheus-operator.yaml b/examples/third-party/prometheus-operator.yaml index 55715c89268..43db708e71f 100644 --- a/examples/third-party/prometheus-operator.yaml +++ b/examples/third-party/prometheus-operator.yaml @@ -65448,7 +65448,6 @@ spec: kubernetes.io/os: linux securityContext: runAsNonRoot: true - runAsUser: 65534 seccompProfile: type: RuntimeDefault serviceAccountName: prometheus-operator diff --git a/examples/third-party/prometheus-operator/50_operator.deployment.yaml b/examples/third-party/prometheus-operator/50_operator.deployment.yaml index 889dd30e1bb..f22bdf9cf5f 100644 --- a/examples/third-party/prometheus-operator/50_operator.deployment.yaml +++ b/examples/third-party/prometheus-operator/50_operator.deployment.yaml @@ -53,7 +53,6 @@ spec: kubernetes.io/os: linux securityContext: runAsNonRoot: true - runAsUser: 65534 seccompProfile: type: RuntimeDefault serviceAccountName: prometheus-operator diff --git a/hack/.ci/lib/e2e.sh b/hack/.ci/lib/e2e.sh index 7a7737fd6e5..ea5e075f069 100755 --- a/hack/.ci/lib/e2e.sh +++ b/hack/.ci/lib/e2e.sh 
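Review bot: `sizeLimit: 10Mi` on the new `emptyDir` mounted at `/prometheus` bounds the TSDB directory, and when local ephemeral usage passes an emptyDir sizeLimit the kubelet evicts the pod rather than the write failing, so even a single scrape job at a 10s interval will presumably push this example Prometheus into an eviction loop after a short uptime. The data is also discarded on every restart, which is fine for an example but not obvious from the manifest. Suggest a larger limit plus a comment such as `# ephemeral TSDB for the example only; raise sizeLimit or use a PVC for real use`.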
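Review bot: Dropping `runAsUser: 65534` while keeping `runAsNonRoot: true` (both prometheus-operator hunks) makes the pod depend on the image declaring a numeric non-root `USER`, because the kubelet refuses to start a `runAsNonRoot` container whose image user is root or non-numeric. This is presumably done so OpenShift's restricted SCC can assign a UID from the namespace range, but on non-OpenShift clusters it silently changes which UID the operator runs as. Confirm the image's `USER` is numeric and leave a one-line note beside `runAsNonRoot: true`, e.g. `# runAsUser intentionally unset: OpenShift SCCs assign the UID; image ships a numeric non-root USER`.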
@@ -240,7 +240,7 @@ function run-e2e { fi ingress_class_name='haproxy' - ingress_custom_annotations='haproxy.org/ssl-passthrough=true' + ingress_custom_annotations='haproxy.org/ssl-passthrough=true,route.openshift.io/termination=passthrough' ingress_controller_address="$( kubectl -n=haproxy-ingress get svc haproxy-ingress --template='{{ .spec.clusterIP }}' ):9142" kubectl_create -n=e2e -f=- < /dev/stderr + exit 2 +fi + +source "$( dirname "${BASH_SOURCE[0]}" )/../lib/kube.sh" +source "$( dirname "${BASH_SOURCE[0]}" )/lib/e2e.sh" +parent_dir="$( dirname "${BASH_SOURCE[0]}" )" + +trap gather-artifacts-on-exit EXIT + +REENTRANT="${REENTRANT=false}" +export REENTRANT + +SO_NODECONFIG_PATH="${SO_NODECONFIG_PATH=${parent_dir}/manifests/cluster/nodeconfig-openshift-aws.yaml}" +export SO_NODECONFIG_PATH +SO_CSI_DRIVER_PATH="${SO_CSI_DRIVER_PATH=${parent_dir}/manifests/namespaces/local-csi-driver/}" +export SO_CSI_DRIVER_PATH +SO_SCYLLACLUSTER_STORAGECLASS_NAME="${SO_SCYLLACLUSTER_STORAGECLASS_NAME=scylladb-local-xfs}" +export SO_SCYLLACLUSTER_STORAGECLASS_NAME + +SCYLLA_OPERATOR_FEATURE_GATES="${SCYLLA_OPERATOR_FEATURE_GATES:-AllAlpha=true,AllBeta=true}" +export SCYLLA_OPERATOR_FEATURE_GATES + +for i in "${!KUBECONFIGS[@]}"; do + KUBECONFIG="${KUBECONFIGS[$i]}" DEPLOY_DIR="${ARTIFACTS}/deploy/${i}" timeout --foreground -v 10m "${parent_dir}/../ci-deploy.sh" "${SO_IMAGE}" & + ci_deploy_bg_pids["${i}"]=$! +done + +for pid in "${ci_deploy_bg_pids[@]}"; do + wait "${pid}" +done + +KUBECONFIG="${KUBECONFIGS[0]}" apply-e2e-workarounds +KUBECONFIG="${KUBECONFIGS[0]}" run-e2e diff --git a/hack/ci-deploy.sh b/hack/ci-deploy.sh index 9832444edc8..d4dae040a9d 100755 --- a/hack/ci-deploy.sh +++ b/hack/ci-deploy.sh 
@@ -66,6 +66,7 @@ if [[ -z "${SO_NODECONFIG_PATH:-}" ]]; then echo "Skipping NodeConfig creation" else kubectl_create -f="${SO_NODECONFIG_PATH}" + kubectl wait --for='condition=Reconciled' --timeout=10m -f="${SO_NODECONFIG_PATH}" fi if [[ -z "${SO_CSI_DRIVER_PATH:-}" ]]; then @@ -95,3 +96,4 @@ kubectl wait --for condition=established crd/nodeconfigs.scylla.scylladb.com kubectl wait --for condition=established crd/scyllaoperatorconfigs.scylla.scylladb.com kubectl wait --for condition=established crd/scylladbmonitorings.scylla.scylladb.com kubectl wait --for condition=established $( find "${DEPLOY_DIR}/prometheus-operator/" -name '*.crd.yaml' -printf '-f=%p\n' ) +kubectl -n=prometheus-operator rollout status deploy/prometheus-operator diff --git a/helm/scylla-manager/templates/manager_networkpolicy.yaml b/helm/scylla-manager/templates/manager_networkpolicy.yaml new file mode 100644 index 00000000000..24f59f1e100 --- /dev/null +++ b/helm/scylla-manager/templates/manager_networkpolicy.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + namespace: scylla-manager + name: scylla-manager-to-scylla-pod +spec: + policyTypes: + - Ingress + podSelector: + matchLabels: + app.kubernetes.io/managed-by: scylla-operator + app.kubernetes.io/name: scylla + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: scylla-manager diff --git a/helm/scylla-operator/templates/operator.clusterrole_def.yaml b/helm/scylla-operator/templates/operator.clusterrole_def.yaml index c857c2d55c0..bfbc10a0994 100644 --- a/helm/scylla-operator/templates/operator.clusterrole_def.yaml +++ b/helm/scylla-operator/templates/operator.clusterrole_def.yaml 
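Review bot: The new `scylla-manager-to-scylla-pod` NetworkPolicy allows ingress from every pod in the `scylla-manager` namespace (namespaceSelector only, no podSelector, no `ports`), and because it declares `policyTypes: [Ingress]` it also switches on default-deny for all other ingress to the selected Scylla pods, including traffic from the operator or monitoring namespaces if anything there needs to reach them. Whether that side effect is intended is not visible here; if the goal is only manager-to-Scylla traffic, add a `podSelector` for the manager pod and a `ports` list, and document the default-deny consequence in a comment in the template. `metadata.namespace: scylla-manager` is also hard-coded rather than taken from the release namespace, which may differ from how the chart's other templates behave; verify before merging.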
@@ -281,3 +281,71 @@ rules: - patch - update - delete +- apiGroups: + - "" + resources: + - configmaps/finalizers + - secrets/finalizers + - pods/finalizers + verbs: + - update +- apiGroups: + - apps + resources: + - daemonsets/finalizers + verbs: + - update +- apiGroups: + - scylla.scylladb.com + resources: + - scyllaclusters/finalizers + - scylladbdatacenters/finalizers + - scylladbmonitorings/finalizers + verbs: + - update +- apiGroups: + - policy + resources: + - poddisruptionbudgets/finalizers + verbs: + - update +- apiGroups: + - scylla.scylladb.com + resources: + - nodeconfigs/finalizers + verbs: + - update +- apiGroups: + - "" + resources: + - configmaps/finalizers + - secrets/finalizers + - pods/finalizers + verbs: + - update +- apiGroups: + - apps + resources: + - daemonsets/finalizers + verbs: + - update +- apiGroups: + - scylla.scylladb.com + resources: + - scyllaclusters/finalizers + - scylladbdatacenters/finalizers + - scylladbmonitorings/finalizers + verbs: + - update +- apiGroups: + - policy + resources: + - poddisruptionbudgets/finalizers + verbs: + - update +- apiGroups: + - scylla.scylladb.com + resources: + - nodeconfigs/finalizers + verbs: + - update diff --git a/helm/scylla-operator/templates/operator.clusterrole_def_openshift.yaml b/helm/scylla-operator/templates/operator.clusterrole_def_openshift.yaml new file mode 100644 index 00000000000..88556786aa3 --- /dev/null +++ b/helm/scylla-operator/templates/operator.clusterrole_def_openshift.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:controller:aggregate-to-operator-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-scylla-operator: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use 
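Review bot: The five rules appended to `operator.clusterrole_def.yaml` (`configmaps/finalizers` … `nodeconfigs/finalizers`) appear twice verbatim within the same hunk; RBAC evaluates the duplicate identically, so nothing breaks, but it looks like a generator or copy-paste slip and will confuse every future diff of the generated manifests. Drop the second copy. Separately, the new `aggregate-to-operator-openshift` ClusterRole is rendered unconditionally, so non-OpenShift installs carry a rule for an API group that does not exist there; harmless, but wrapping it in `{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}` keeps the installed policy honest about what it grants.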
diff --git a/helm/scylla-operator/templates/scyllacluster_member_clusterrole_def.yaml b/helm/scylla-operator/templates/scyllacluster_member_clusterrole_def.yaml index 11cb8ad0b39..d5af6d0c159 100644 --- a/helm/scylla-operator/templates/scyllacluster_member_clusterrole_def.yaml +++ b/helm/scylla-operator/templates/scyllacluster_member_clusterrole_def.yaml @@ -56,3 +56,10 @@ rules: - scyllaclusters verbs: - get +- apiGroups: + - "" + resources: + - configmaps/finalizers + - secrets/finalizers + verbs: + - update diff --git a/helm/scylla-operator/templates/scyllacluster_member_clusterrole_def_openshift.yaml b/helm/scylla-operator/templates/scyllacluster_member_clusterrole_def_openshift.yaml new file mode 100644 index 00000000000..7871d0307d6 --- /dev/null +++ b/helm/scylla-operator/templates/scyllacluster_member_clusterrole_def_openshift.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:aggregate-to-scyllacluster-member-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-scylla-member: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use diff --git a/helm/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole.yaml b/helm/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole.yaml new file mode 100644 index 00000000000..30d54f79fef --- /dev/null +++ b/helm/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole.yaml @@ -0,0 +1,8 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:monitoring:grafana +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-grafana: "true" 
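Review bot: `scyllacluster_member_clusterrole_def.yaml` now lets every ScyllaCluster member ServiceAccount `update` the `finalizers` subresource of all ConfigMaps and Secrets it is bound over, and the OpenShift variant adds `use` on the `privileged` SCC for the same identity. Finalizer updates are normally needed only to set `blockOwnerDeletion` on an owner reference, and a member that can pin arbitrary Secrets against deletion is a small denial-of-service lever, so if only specific owners are involved consider whether `resourceNames` can scope the rule. Likewise, if the Scylla pod only needs particular capabilities or a fixed UID, a dedicated SCC would be narrower than `privileged`; a comment in each file naming the concrete requirement (e.g. `# required for: <capability/UID>`) would make this reviewable later.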
diff --git a/helm/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole_def_openshift.yaml b/helm/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole_def_openshift.yaml new file mode 100644 index 00000000000..f1cf99ee147 --- /dev/null +++ b/helm/scylla-operator/templates/scylladbmonitoring_grafana_clusterrole_def_openshift.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:aggregate-to-scylladb-monitoring-grafana-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-grafana: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use diff --git a/helm/scylla-operator/templates/scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml b/helm/scylla-operator/templates/scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml new file mode 100644 index 00000000000..fb293dd8149 --- /dev/null +++ b/helm/scylla-operator/templates/scylladbmonitoring_prometheus_clusterrole_def_openshift.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: scylladb:aggregate-to-scylladb-monitoring-prometheus-openshift + labels: + rbac.operator.scylladb.com/aggregate-to-scylladb-monitoring-prometheus: "true" +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use diff --git a/pkg/api/scylla/validation/nodeconfig_validation_test.go b/pkg/api/scylla/validation/nodeconfig_validation_test.go index 612a663b7fe..0bf9dc148ff 100644 --- a/pkg/api/scylla/validation/nodeconfig_validation_test.go +++ b/pkg/api/scylla/validation/nodeconfig_validation_test.go 
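Review bot: Both new OpenShift ClusterRoles grant `use` on the `privileged` SCC to the Grafana and Prometheus ServiceAccounts, yet nothing visible in this change shows either pod needing host namespaces, host paths or extra capabilities, and Grafana is a web UI that the operator can expose through an Ingress. If the blocker under `restricted-v2` is a fixed `runAsUser`/`fsGroup`, `nonroot-v2` or `anyuid` would satisfy it without turning a compromised monitoring pod into a node-level foothold. Suggest `resourceNames: [nonroot-v2]` (or a purpose-built SCC) and a comment stating the actual requirement; the aggregation labels can stay as they are.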
@@ -52,9 +52,9 @@ func TestValidateNodeConfig(t *testing.T) { return nc }(), expectedErrorList: field.ErrorList{ - &field.Error{Type: field.ErrorTypeDuplicate, Field: "spec.localDiskSetup.mounts[1].mountPoint", BadValue: "/mnt/persistent-volumes"}, + &field.Error{Type: field.ErrorTypeDuplicate, Field: "spec.localDiskSetup.mounts[1].mountPoint", BadValue: "/var/lib/persistent-volumes"}, }, - expectedErrorString: `spec.localDiskSetup.mounts[1].mountPoint: Duplicate value: "/mnt/persistent-volumes"`, + expectedErrorString: `spec.localDiskSetup.mounts[1].mountPoint: Duplicate value: "/var/lib/persistent-volumes"`, }, { name: "raid type specified but without configuration", diff --git a/pkg/controller/nodeconfig/resource.go b/pkg/controller/nodeconfig/resource.go index 4199e7185a0..8ff5b89c2a0 100644 --- a/pkg/controller/nodeconfig/resource.go +++ b/pkg/controller/nodeconfig/resource.go @@ -98,6 +98,11 @@ func NodeConfigClusterRole() *rbacv1.ClusterRole { Resources: []string{"daemonsets"}, Verbs: []string{"get", "list", "watch"}, }, + { + APIGroups: []string{"apps"}, + Resources: []string{"daemonsets/finalizers"}, + Verbs: []string{"update"}, + }, { APIGroups: []string{"batch"}, Resources: []string{"jobs"}, @@ -113,6 +118,12 @@ func NodeConfigClusterRole() *rbacv1.ClusterRole { Resources: []string{"nodeconfigs/status"}, Verbs: []string{"update"}, }, + { + APIGroups: []string{"security.openshift.io"}, + ResourceNames: []string{"privileged"}, + Resources: []string{"securitycontextconstraints"}, + Verbs: []string{"use"}, + }, }, } } @@ -126,7 +137,14 @@ func makePerftuneRole() *rbacv1.Role { naming.NodeConfigNameLabel: naming.NodeConfigAppName, }, }, - Rules: []rbacv1.PolicyRule{}, + Rules: []rbacv1.PolicyRule{ + { + APIGroups: []string{"security.openshift.io"}, + Resources: []string{"securitycontextconstraints"}, + ResourceNames: []string{"privileged"}, + Verbs: []string{"use"}, + }, + }, } } 
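Review bot: The same privileged-SCC `PolicyRule` literal is now written out by hand in `NodeConfigClusterRole` and `makePerftuneRole` (and again in `makeRlimitsRole` in the next hunk), with `Resources` and `ResourceNames` in a different order each time, which invites the three copies to drift the next time the SCC name or verb changes. Extract one helper and call it from each rule list; that also gives a single place to document why the NodeConfig workloads need `privileged` at all. `NodeConfigClusterRole` starts before this hunk and `makePerftuneRole`'s body continues past it.

```go
// privilegedSCCUseRule lets pods bound to the role be admitted under OpenShift's
// privileged SecurityContextConstraints. The API group does not exist on
// non-OpenShift clusters, where the rule is inert.
func privilegedSCCUseRule() rbacv1.PolicyRule {
	return rbacv1.PolicyRule{
		APIGroups:     []string{"security.openshift.io"},
		Resources:     []string{"securitycontextconstraints"},
		ResourceNames: []string{"privileged"},
		Verbs:         []string{"use"},
	}
}

// … unchanged: NodeConfigClusterRole rules up to nodeconfigs/status …
			privilegedSCCUseRule(),
// … unchanged: makePerftuneRole ObjectMeta …
		Rules: []rbacv1.PolicyRule{privilegedSCCUseRule()},
```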
@@ -139,7 +157,14 @@ func makeRlimitsRole() *rbacv1.Role { naming.NodeConfigNameLabel: naming.NodeConfigAppName, }, }, - Rules: []rbacv1.PolicyRule{}, + Rules: []rbacv1.PolicyRule{ + { + APIGroups: []string{"security.openshift.io"}, + Resources: []string{"securitycontextconstraints"}, + ResourceNames: []string{"privileged"}, + Verbs: []string{"use"}, + }, + }, } } diff --git a/pkg/controller/scylladbmonitoring/sync.go b/pkg/controller/scylladbmonitoring/sync.go index ecbba409707..7aafc3bc9bc 100644 --- a/pkg/controller/scylladbmonitoring/sync.go +++ b/pkg/controller/scylladbmonitoring/sync.go @@ -273,6 +273,7 @@ func (smc *Controller) sync(ctx context.Context, key string) error { controllerhelpers.FilterObjectMapByLabel(secrets, grafanaSelector), controllerhelpers.FilterObjectMapByLabel(services, grafanaSelector), controllerhelpers.FilterObjectMapByLabel(serviceAccounts, grafanaSelector), + controllerhelpers.FilterObjectMapByLabel(roleBindings, grafanaSelector), controllerhelpers.FilterObjectMapByLabel(deployments, grafanaSelector), controllerhelpers.FilterObjectMapByLabel(ingresses, grafanaSelector), ) diff --git a/pkg/controller/scylladbmonitoring/sync_grafana.go b/pkg/controller/scylladbmonitoring/sync_grafana.go index 93608960521..95fbe804349 100644 --- a/pkg/controller/scylladbmonitoring/sync_grafana.go +++ b/pkg/controller/scylladbmonitoring/sync_grafana.go @@ -26,6 +26,7 @@ import ( appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" networkingv1 "k8s.io/api/networking/v1" + rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" kutilerrors "k8s.io/apimachinery/pkg/util/errors" 
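Review bot: `sync` now filters `roleBindings` by the Grafana selector and hands them to `syncGrafana`, which means the ScyllaDBMonitoring controller lists and watches RoleBindings and, in later hunks, creates, updates and deletes them; the operator ClusterRole hunk in this same change only adds `*/finalizers` rules, so confirm that `rolebindings` get/list/watch/create/update/delete is already granted to the operator ServiceAccount, otherwise the informer never syncs and the controller stalls at startup. The source of `roleBindings` (the lister and where it is populated) is outside this hunk, as is the rest of `sync`. A short comment at the call site, e.g. `// RoleBindings are owner-pruned like the other Grafana resources; the operator needs rolebindings RBAC for this.`, would keep the dependency visible.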
@@ -148,6 +149,13 @@ func makeGrafanaSA(sm *scyllav1alpha1.ScyllaDBMonitoring) (*corev1.ServiceAccoun }) } +func makeGrafanaRoleBinding(sm *scyllav1alpha1.ScyllaDBMonitoring) (*rbacv1.RoleBinding, string, error) { + return grafanav1alpha1assets.GrafanaRoleBindingTemplate.Get().RenderObject(map[string]any{ + "namespace": sm.Namespace, + "scyllaDBMonitoringName": sm.Name, + }) +} + func makeGrafanaConfigs(sm *scyllav1alpha1.ScyllaDBMonitoring) (*corev1.ConfigMap, string, error) { enableAnonymousAccess := false spec := getGrafanaSpec(sm) @@ -246,6 +254,7 @@ func (smc *Controller) syncGrafana( secrets map[string]*corev1.Secret, services map[string]*corev1.Service, serviceAccounts map[string]*corev1.ServiceAccount, + roleBindings map[string]*rbacv1.RoleBinding, deployments map[string]*appsv1.Deployment, ingresses map[string]*networkingv1.Ingress, ) ([]metav1.Condition, error) { @@ -310,6 +319,9 @@ func (smc *Controller) syncGrafana( requiredGrafanaSA, _, err := makeGrafanaSA(sm) renderErrors = append(renderErrors, err) + requiredGrafanaRoleBinding, _, err := makeGrafanaRoleBinding(sm) + renderErrors = append(renderErrors, err) + requiredConfigsCM, _, err := makeGrafanaConfigs(sm) renderErrors = append(renderErrors, err) @@ -357,6 +369,17 @@ func (smc *Controller) syncGrafana( ) pruneErrors = append(pruneErrors, err) + err = controllerhelpers.Prune( + ctx, + oslices.ToSlice(requiredGrafanaRoleBinding), + roleBindings, + &controllerhelpers.PruneControlFuncs{ + DeleteFunc: smc.kubeClient.RbacV1().RoleBindings(sm.Namespace).Delete, + }, + smc.eventRecorder, + ) + pruneErrors = append(pruneErrors, err) + allCMs := []*corev1.ConfigMap{ requiredConfigsCM, requiredProvisioningsCM, 
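Review bot: `makeGrafanaRoleBinding` has no comment and the template it renders is not part of this change, so a reader cannot tell which role the Grafana ServiceAccount ends up bound to; given that the `scylladb:monitoring:grafana` ClusterRole added elsewhere in this change aggregates a `privileged` SCC rule on OpenShift, that deserves stating at the call site. Suggest `// makeGrafanaRoleBinding renders the namespaced RoleBinding attaching the Grafana ServiceAccount to its ClusterRole (GrafanaRoleBindingTemplate); on OpenShift that role presumably carries SCC access, so the binding must stay namespace-scoped.` The render error is appended to `renderErrors` unconditionally, matching the sibling `makeGrafanaSA` pattern, and the nil `requiredGrafanaRoleBinding` then reaches `Prune` only if that aggregate is not checked first — `syncGrafana` starts and ends outside this hunk, so that check is not visible here.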
@@ -435,6 +458,15 @@ func (smc *Controller) syncGrafana( DeleteFunc: smc.kubeClient.CoreV1().ServiceAccounts(sm.Namespace).Delete, }, }.ToUntyped(), + resourceapply.ApplyConfig[*rbacv1.RoleBinding]{ + Required: requiredGrafanaRoleBinding, + Control: resourceapply.ApplyControlFuncs[*rbacv1.RoleBinding]{ + GetCachedFunc: smc.roleBindingLister.RoleBindings(sm.Namespace).Get, + CreateFunc: smc.kubeClient.RbacV1().RoleBindings(sm.Namespace).Create, + UpdateFunc: smc.kubeClient.RbacV1().RoleBindings(sm.Namespace).Update, + DeleteFunc: smc.kubeClient.RbacV1().RoleBindings(sm.Namespace).Delete, + }, + }.ToUntyped(), resourceapply.ApplyConfig[*corev1.ConfigMap]{ Required: requiredConfigsCM, Control: resourceapply.ApplyControlFuncs[*corev1.ConfigMap]{ diff --git a/pkg/controller/scylladbmonitoring/sync_grafana_test.go b/pkg/controller/scylladbmonitoring/sync_grafana_test.go index a5149296a35..c2d4501e927 100644 --- a/pkg/controller/scylladbmonitoring/sync_grafana_test.go +++ b/pkg/controller/scylladbmonitoring/sync_grafana_test.go @@ -329,6 +329,7 @@ spec: labels: scylla-operator.scylladb.com/deployment-name: "sm-name-grafana" spec: + serviceAccountName: "sm-name-grafana" affinity: {} tolerations: @@ -532,6 +533,7 @@ spec: labels: scylla-operator.scylladb.com/deployment-name: "sm-name-grafana" spec: + serviceAccountName: "sm-name-grafana" affinity: {} tolerations: diff --git a/pkg/controller/scyllaoperatorconfig/controller.go b/pkg/controller/scyllaoperatorconfig/controller.go index d8daff2e348..688b9a247b5 100644 --- a/pkg/controller/scyllaoperatorconfig/controller.go +++ b/pkg/controller/scyllaoperatorconfig/controller.go @@ -200,7 +200,7 @@ func (opc *Controller) Run(ctx context.Context, workers int) { wait.UntilWithContext(ctx, func(ctx context.Context) { klog.V(4).InfoS("Periodically enqueuing %q ScyllaOperatorConfig", naming.SingletonName) - key, err := keyFunc(metav1.ObjectMeta{ + key, err := keyFunc(&metav1.ObjectMeta{ Namespace: "", Name: naming.SingletonName, }) 
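Review bot: The new `ApplyConfig[*rbacv1.RoleBinding]` entry creates a binding whose `roleRef` (rendered by the template, not visible here) presumably points at the aggregated `scylladb:monitoring:grafana` ClusterRole; Kubernetes' RBAC escalation check rejects that Create unless the operator ServiceAccount already holds every rule in the referenced role or has `bind` on it, and on OpenShift that set now includes `use` on the `privileged` SCC. That is likely why the operator receives its own `aggregate-to-operator-openshift` role, but `verbs: [bind]` scoped with `resourceNames` to the monitoring ClusterRoles would let the operator hand out the binding without itself being admittable under `privileged`. Add a comment above this entry, e.g. `// Creating this RoleBinding is subject to RBAC escalation prevention: the operator must hold (or be able to bind) every rule in the referenced ClusterRole.`, so the next RBAC change does not silently break the create path.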
diff --git a/pkg/controller/scyllaoperatorconfig/sync.go b/pkg/controller/scyllaoperatorconfig/sync.go index 4631a347394..ce8398dadc7 100644 --- a/pkg/controller/scyllaoperatorconfig/sync.go +++ b/pkg/controller/scyllaoperatorconfig/sync.go @@ -71,7 +71,9 @@ func (opc *Controller) sync(ctx context.Context) error { errs = append(errs, fmt.Errorf("can't aggregate workload conditions: %w", err)) } else { err = opc.updateStatus(ctx, soc, status) - errs = append(errs, fmt.Errorf("can't update status: %w", err)) + if err != nil { + errs = append(errs, fmt.Errorf("can't update status: %w", err)) + } } return utilerrors.NewAggregate(errs) diff --git a/pkg/test/unit/valid.nodeconfig.yaml b/pkg/test/unit/valid.nodeconfig.yaml index 0bd5d13df72..69b6f3f7ecb 100644 --- a/pkg/test/unit/valid.nodeconfig.yaml +++ b/pkg/test/unit/valid.nodeconfig.yaml @@ -9,7 +9,7 @@ spec: type: xfs mounts: - device: /dev/md/nvmes - mountPoint: /mnt/persistent-volumes + mountPoint: /var/lib/persistent-volumes unsupportedOptions: - prjquota raids: diff --git a/test/e2e/fixture/scylla/scylladbmonitoring.yaml.tmpl b/test/e2e/fixture/scylla/scylladbmonitoring.yaml.tmpl index e79f99d7d75..b73e569158a 100644 --- a/test/e2e/fixture/scylla/scylladbmonitoring.yaml.tmpl +++ b/test/e2e/fixture/scylla/scylladbmonitoring.yaml.tmpl @@ -28,6 +28,9 @@ spec: resources: requests: storage: 1Gi + {{- if .storageClassName }} + storageClassName: {{ .storageClassName }} + {{- end }} placement: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go index 4d3e0c622bf..ca40f12f772 100644 --- a/test/e2e/framework/framework.go +++ b/test/e2e/framework/framework.go 
@@ -351,6 +351,27 @@ func CreateUserNamespace(ctx context.Context, clusterName string, labels map[str }, metav1.CreateOptions{}) o.Expect(err).NotTo(o.HaveOccurred()) + // Grant it permission needed for ScyllaClusters + _, err = adminClient.RbacV1().RoleBindings(ns.Name).Create(ctx, &rbacv1.RoleBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: userSA.Name + "-scyllacluster-member", + }, + Subjects: []rbacv1.Subject{ + { + APIGroup: corev1.GroupName, + Kind: rbacv1.ServiceAccountKind, + Namespace: userSA.Namespace, + Name: userSA.Name, + }, + }, + RoleRef: rbacv1.RoleRef{ + APIGroup: rbacv1.GroupName, + Kind: "ClusterRole", + Name: "scyllacluster-member", + }, + }, metav1.CreateOptions{}) + o.Expect(err).NotTo(o.HaveOccurred()) + // Create a service account token Secret for the user ServiceAccount. userSATokenSecret, err := adminClient.CoreV1().Secrets(ns.Name).Create(ctx, &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ diff --git a/test/e2e/set/nodeconfig/nodeconfig_disksetup.go b/test/e2e/set/nodeconfig/nodeconfig_disksetup.go index 77d66a54fe4..aaf9f83e743 100644 --- a/test/e2e/set/nodeconfig/nodeconfig_disksetup.go +++ b/test/e2e/set/nodeconfig/nodeconfig_disksetup.go @@ -30,6 +30,12 @@ import ( "k8s.io/client-go/util/retry" ) +var ( + // xfsVolumeSize is a size of a default xfs filesystem we create. + // Beware that `mkfs.xfs` fails unless it has at least 300MB available. + xfsVolumeSize = resource.MustParse("320M") +) + var _ = g.Describe("Node Setup", framework.Serial, func() { f := framework.NewFramework("nodesetup") @@ -66,7 +72,7 @@ var _ = g.Describe("Node Setup", framework.Serial, func() { o.Expect(err).NotTo(o.HaveOccurred()) raidName := rand.String(8) - mountPath := fmt.Sprintf("/mnt/disk-setup-%s", f.Namespace()) + mountPath := fmt.Sprintf("/var/lib/disk-setup-%s", f.Namespace()) hostMountPath := path.Join("/host", mountPath) filesystem := scyllav1alpha1.XFSFilesystem 
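Review bot: `CreateUserNamespace` now binds the test user ServiceAccount to the `scyllacluster-member` ClusterRole, which after this change carries `secrets/finalizers` and `configmaps/finalizers` update and, on OpenShift, `use` on the `privileged` SCC; the e2e "user" identity therefore no longer models a low-privilege tenant, so any test meant to show the operator works for an unprivileged user is weakened. If only some tests need it, create the binding in those tests rather than in the shared fixture; otherwise replace the terse `// Grant it permission needed for ScyllaClusters` with the actual reason, e.g. `// The user SA must be able to act as a ScyllaCluster member (finalizer updates; privileged SCC on OpenShift) for the fixtures it creates.` The literal `"scyllacluster-member"` should come from the `naming` package if a constant exists there. The function starts before this hunk.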
@@ -84,8 +90,8 @@ var _ = g.Describe("Node Setup", framework.Serial, func() { for _, ldName := range loopDeviceNames { ldcs = append(ldcs, scyllav1alpha1.LoopDeviceConfiguration{ Name: ldName, - ImagePath: fmt.Sprintf("/mnt/%s-%s.img", ldName, f.Namespace()), - Size: resource.MustParse("32M"), + ImagePath: fmt.Sprintf("/var/lib/%s-%s.img", ldName, f.Namespace()), + Size: xfsVolumeSize, }) } @@ -202,7 +208,7 @@ var _ = g.Describe("Node Setup", framework.Serial, func() { g.Expect(err).NotTo(o.HaveOccurred(), stderr) // mount output format - // /dev/md337 on /host/mnt/persistent-volume type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,sunit=2048,swidth=2048,prjquota) + // /dev/md337 on /host/var/lib/disk-setup-* type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,sunit=2048,swidth=2048,prjquota) g.Expect(stdout).To(o.MatchRegexp(`%s on %s type %s \(.*%s.*\)`, discoveredRaidDevice, hostMountPath, filesystem, mountOptions[0])) }).WithPolling(1 * time.Second).WithTimeout(3 * time.Minute).Should(o.Succeed()) @@ -353,7 +359,7 @@ var _ = g.Describe("Node Setup", framework.Serial, func() { Mounts: []scyllav1alpha1.MountConfiguration{ { Device: fmt.Sprintf("/dev/%s", f.Namespace()), - MountPoint: fmt.Sprintf("/mnt/%s", f.Namespace()), + MountPoint: fmt.Sprintf("/var/lib/%s", f.Namespace()), FSType: string(scyllav1alpha1.XFSFilesystem), UnsupportedOptions: []string{"prjquota"}, }, 
@@ -373,14 +379,14 @@ var _ = g.Describe("Node Setup", framework.Serial, func() { LoopDevices: []scyllav1alpha1.LoopDeviceConfiguration{ { Name: "disk", - ImagePath: fmt.Sprintf("/mnt/%s.img", f.Namespace()), - Size: resource.MustParse("32M"), + ImagePath: fmt.Sprintf("/var/lib/%s.img", f.Namespace()), + Size: xfsVolumeSize, }, }, Mounts: []scyllav1alpha1.MountConfiguration{ { Device: "/dev/loops/disk", - MountPoint: fmt.Sprintf("/mnt/%s/mount", f.Namespace()), + MountPoint: fmt.Sprintf("/var/lib/%s/mount", f.Namespace()), FSType: string(scyllav1alpha1.XFSFilesystem), UnsupportedOptions: []string{"prjquota"}, }, @@ -400,8 +406,8 @@ var _ = g.Describe("Node Setup", framework.Serial, func() { LoopDevices: []scyllav1alpha1.LoopDeviceConfiguration{ { Name: "disk", - ImagePath: fmt.Sprintf("/mnt/%s.img", f.Namespace()), - Size: resource.MustParse("32M"), + ImagePath: fmt.Sprintf("/var/lib/%s.img", f.Namespace()), + Size: xfsVolumeSize, }, }, Filesystems: []scyllav1alpha1.FilesystemConfiguration{ @@ -413,7 +419,7 @@ var _ = g.Describe("Node Setup", framework.Serial, func() { Mounts: []scyllav1alpha1.MountConfiguration{ { Device: "/dev/loops/disk", - MountPoint: fmt.Sprintf("/mnt/%s", f.Namespace()), + MountPoint: fmt.Sprintf("/var/lib/%s", f.Namespace()), FSType: string(scyllav1alpha1.XFSFilesystem), UnsupportedOptions: []string{"prjquota"}, }, @@ -423,7 +429,7 @@ var _ = g.Describe("Node Setup", framework.Serial, func() { return nc }, preNodeConfigCreationFunc: func(ctx context.Context, nc *scyllav1alpha1.NodeConfig) func(context.Context) { - hostMountPath := fmt.Sprintf("/host/mnt/%s", f.Namespace()) + hostMountPath := fmt.Sprintf("/host/var/lib/%s", f.Namespace()) framework.By("Creating a client Pod") clientPod := newClientPod(nc) 
@@ -467,8 +473,8 @@ var _ = g.Describe("Node Setup", framework.Serial, func() { LoopDevices: []scyllav1alpha1.LoopDeviceConfiguration{ { Name: "disk", - ImagePath: fmt.Sprintf("/mnt/%s.img", f.Namespace()), - Size: resource.MustParse("32M"), + ImagePath: fmt.Sprintf("/var/lib/%s.img", f.Namespace()), + Size: xfsVolumeSize, }, }, Filesystems: []scyllav1alpha1.FilesystemConfiguration{ @@ -525,7 +531,7 @@ var _ = g.Describe("Node Setup", framework.Serial, func() { ncCopy.Spec.LocalDiskSetup.Mounts = []scyllav1alpha1.MountConfiguration{ { Device: "/dev/loops/disk", - MountPoint: fmt.Sprintf("/mnt/%s", f.Namespace()), + MountPoint: fmt.Sprintf("/var/lib/%s", f.Namespace()), FSType: string(scyllav1alpha1.XFSFilesystem), UnsupportedOptions: []string{"prjquota"}, }, diff --git a/test/e2e/set/scylladbmonitoring/scylladbmonitoring.go b/test/e2e/set/scylladbmonitoring/scylladbmonitoring.go index c140d514882..8e4ddb0ac0d 100644 --- a/test/e2e/set/scylladbmonitoring/scylladbmonitoring.go +++ b/test/e2e/set/scylladbmonitoring/scylladbmonitoring.go @@ -156,6 +156,7 @@ var _ = g.Describe("ScyllaDBMonitoring", func() { "name": sc.Name, "namespace": sc.Namespace, "scyllaClusterName": sc.Name, + "storageClassName": framework.TestContext.ScyllaClusterOptions.StorageClassName, } if framework.TestContext.IngressController != nil { renderArgs["ingressClassName"] = framework.TestContext.IngressController.IngressClassName