
Merge pull request #8831 from rubenvp8510/fix-BZ1590748

 Set UID,fsGroup and Linux options to cassandra RC's
OpenShift Merge Robot 6 years ago
parent
commit
652e9f6a93

+ 1 - 2
roles/openshift_metrics/defaults/main.yaml

@@ -60,8 +60,7 @@ openshift_metrics_resolution: 30s
 
 openshift_metrics_master_url: https://kubernetes.default.svc
 openshift_metrics_node_id: nodename
-openshift_metrics_old_project: openshift-infra
-openshift_metrics_project: openshift-metrics
+openshift_metrics_project: openshift-infra
 
 openshift_metrics_cassandra_pvc_prefix: metrics-cassandra
 openshift_metrics_cassandra_pvc_access: "{{ openshift_metrics_storage_access_modes | default(['ReadWriteOnce']) }}"

+ 0 - 17
roles/openshift_metrics/tasks/clean_old_namespace.yaml

@@ -1,17 +0,0 @@
----
-- name: remove metrics components on {{ openshift_metrics_old_project }}
-  command: >
-    {{ openshift_client_binary }} -n {{ openshift_metrics_old_project }} --config={{ mktemp.stdout }}/admin.kubeconfig
-    delete --ignore-not-found --selector=metrics-infra
-    all,sa,secrets,templates,routes,pvc,rolebindings,clusterrolebindings,clusterrole
-  register: delete_metrics
-  changed_when: delete_metrics.stdout != 'No resources found'
-
-- name: remove rolebindings on {{ openshift_metrics_old_project }}
-  command: >
-    {{ openshift_client_binary }} -n {{ openshift_metrics_old_project }} --config={{ mktemp.stdout }}/admin.kubeconfig
-    delete --ignore-not-found
-    rolebinding/hawkular-view
-    clusterrolebinding/heapster-cluster-reader
-    clusterrolebinding/hawkular-metrics
-  changed_when: delete_metrics.stdout != 'No resources found'

+ 4 - 10
roles/openshift_metrics/tasks/generate_cassandra_pvcs.yaml

@@ -1,23 +1,17 @@
 ---
-- name: Check to see if PVC already exists in actual namespace
+- name: Check to see if PVC already exists
   oc_obj:
     state: list
     kind: pvc
     name: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ metrics_pvc_index }}"
-    namespace: "{{openshift_metrics_project}}"
-  register: metrics_pvc
-
-# Migration process for PV to another namespace.
-- name: Check if we need to move cassandra PV to another namespace.
-  include_tasks: migrate_cassandra_pvcs.yaml
+    namespace: "{{ openshift_metrics_project }}"
+  register: _metrics_pvc
 
 # _metrics_pvc.results.results | length > 0 returns a false positive
 # so we check for the presence of 'stderr' to determine if the obj exists or not
 # the RC for existing and not existing is both 0
-
-# No PVC exist (either new or old namespace), so it's a new installation
 - when:
-    - metrics_pvc.results.stderr is defined and not openshift_metrics_migrate_namespace
+    - _metrics_pvc.results.stderr is defined
   block:
     - name: generate hawkular-cassandra persistent volume claims
       template:
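Review bot: The rewritten condition `_metrics_pvc.results.stderr is defined` treats any stderr from the list call as "PVC does not exist", so an authorization failure or an unreachable API server would also drive the block into generating and applying a fresh PVC template instead of stopping the play. If the oc_obj module passes the client's stderr through, narrowing it to `- _metrics_pvc.results.stderr is defined and 'not found' in _metrics_pvc.results.stderr` keeps the zero-rc workaround described in the comment above while failing loudly on other errors. The `block` that follows continues past the end of the hunk.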

+ 4 - 0
roles/openshift_metrics/tasks/install_cassandra.yaml

@@ -27,6 +27,10 @@
     master: "{{ (item == '1')|string|lower }}"
     replica_count: "{{cassandra_replica_count.results[item|int - 1].stdout}}"
     node_selector: "{{openshift_metrics_cassandra_nodeselector | default('') }}"
+    fsgroup: "{{ openshift_metrics_namespace_fsgroup }}"
+    run_as_uid: "{{ openshift_metrics_namespace_uid }}"
+    selinux_level: "{{ openshift_metrics_namespace_selinux }}"
+
   with_sequence: count={{ openshift_metrics_cassandra_replicas }}
   changed_when: false
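Review bot: The blank line added after `selinux_level` sits inside the task's `vars:` mapping, between the last var and `with_sequence`; it is valid YAML but reads as the end of the task, so drop it. The three new vars use `{{ var }}` spacing while the neighbouring `replica_count` and `node_selector` lines use `{{var}}`; the spaced form is the one worth keeping, so consider normalising the two older lines in passing. The task begins before the hunk.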
 

+ 0 - 42
roles/openshift_metrics/tasks/install_metrics.yaml

@@ -1,48 +1,6 @@
 ---
 - include_tasks: pre_install.yaml
 
-- name: Get annotations from {{ openshift_metrics_old_project }}
-  oc_obj:
-    state: list
-    kind: project
-    name: "{{ openshift_metrics_old_project }}"
-    namespace: "{{ openshift_metrics_old_project }}"
-  register: openshift_metrics_infra
-
-- name: Set {{openshift_metrics_old_project }} annotations fact.
-  set_fact:
-    openshift_metrics_old_project_annotations: >
-        { "openshift.io/sa.scc.mcs":"{{ openshift_metrics_infra.results.results[0].metadata.annotations['openshift.io/sa.scc.mcs'] }}",
-          "openshift.io/sa.scc.supplemental-groups": "{{ openshift_metrics_infra.results.results[0].metadata.annotations['openshift.io/sa.scc.supplemental-groups'] }}",
-          "openshift.io/sa.scc.uid-range": "{{ openshift_metrics_infra.results.results[0].metadata.annotations['openshift.io/sa.scc.uid-range'] }}"
-        }
-  when:
-    - openshift_metrics_infra.results is defined
-    - openshift_metrics_infra.results.results is defined
-    - openshift_metrics_infra.results.results[0] is defined
-    - openshift_metrics_infra.results.results[0].metadata is defined
-    - openshift_metrics_infra.results.results[0].metadata.annotations is defined
-    - openshift_metrics_infra.results.results[0].metadata.annotations['openshift.io/sa.scc.mcs'] is defined
-    - openshift_metrics_infra.results.results[0].metadata.annotations['openshift.io/sa.scc.supplemental-groups'] is defined
-    - openshift_metrics_infra.results.results[0].metadata.annotations['openshift.io/sa.scc.uid-range'] is defined
-
-- name: Generate template for project {{ openshift_metrics_project }} creation
-  template:
-    src: create_project.j2
-    dest: "{{ mktemp.stdout }}/templates/hawkular-metrics-projects.yaml"
-  vars:
-    project_name: "{{ openshift_metrics_project }}"
-    annotations: "{{ openshift_metrics_old_project_annotations | default(false) }}"
-
-- name: Create {{ openshift_metrics_project }} namespace
-  oc_obj:
-    state: present
-    name: "{{ openshift_metrics_project }}"
-    kind: Project
-    files:
-      - "{{ mktemp.stdout }}/templates/hawkular-metrics-projects.yaml"
-    delete_after: true
-
 - name: Install Metrics
   include_tasks: "install_{{ include_file }}.yaml"
   with_items:

+ 0 - 2
roles/openshift_metrics/tasks/main.yaml

@@ -49,5 +49,3 @@
   changed_when: False
   check_mode: no
   become: false
-
-- include_tasks: clean_old_namespace.yaml

+ 0 - 99
roles/openshift_metrics/tasks/migrate_cassandra_pvcs.yaml

@@ -1,99 +0,0 @@
----
-- name: Check to see if PVC exists in an old namespace
-  oc_obj:
-    state: list
-    kind: pvc
-    name: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ metrics_pvc_index }}"
-    namespace: "{{openshift_metrics_old_project}}"
-  register: openshift_metrics_cassandra_old_pvc
-
-- name: Set PVC vars
-  set_fact:
-    pvc_name: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ metrics_pvc_index }}"
-    pvc_exists: "{{ openshift_metrics_cassandra_old_pvc.results.results[0] | length > 0 }}"
-
-- name: Set fact if we need to move to another namespace
-  set_fact:
-    openshift_metrics_migrate_namespace: "{{ pvc_exists and openshift_metrics_cassandra_old_pvc.results.results[0]['metadata']['name'] == pvc_name }}"
-
-- name: Migrate cassandra PV and PVC to another namespace
-  when: openshift_metrics_migrate_namespace
-  block:
-    - name: Get PV name attached to cassandra PVC
-      set_fact:
-        openshift_metrics_pv_name: "{{ openshift_metrics_cassandra_old_pvc['results']['results'][0]['spec']['volumeName'] }}"
-
-    - name: Get PV object attached to cassandra PVC.
-      oc_obj:
-        state: list
-        kind: pv
-        name: "{{ openshift_metrics_pv_name }}"
-        namespace: "{{ openshift_metrics_old_project }}"
-      register: metrics_pv
-
-    - name: Get PV persistent policy attached to cassandra PVC.
-      set_fact:
-        openshift_metrics_cassandra_pvc_persistent_policy: "{{ metrics_pv['results']['results'][0]['spec']['persistentVolumeReclaimPolicy'] }}"
-
-    - name: Set PV persistent volume reclaim policy to Retain
-      command: >
-       {{ openshift_client_binary }} -n {{ openshift_metrics_old_project }}
-        --config={{ mktemp.stdout }}/admin.kubeconfig
-        patch pv {{ openshift_metrics_pv_name }} -p '{"spec": {"persistentVolumeReclaimPolicy": "Retain"}}'
-
-    - name: Generate persistent volume claim templates for namespace {{ openshift_metrics_project }}
-      template:
-        src: pvc.j2
-        dest: "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ metrics_pvc_index }}.yaml"
-      vars:
-        obj_name: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ metrics_pvc_index }}"
-        labels:
-          metrics-infra: hawkular-cassandra
-        access_modes: "{{ openshift_metrics_cassandra_pvc_access | list }}"
-        size: "{{ openshift_metrics_cassandra_pvc_size }}"
-        pv_selector: "{{ openshift_metrics_cassandra_pv_selector }}"
-        storage_class_name: "{{ openshift_metrics_cassanda_pvc_storage_class_name | default('', true) }}"
-        volume_name: "{{ openshift_metrics_pv_name }}"
-
-    - name: Create PVC persistent volume claim {{ openshift_metrics_cassandra_pvc_prefix }}-{{ metrics_pvc_index }} for {{ openshift_metrics_project }}
-      oc_obj:
-        state: present
-        name: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ metrics_pvc_index }}"
-        namespace: "{{ openshift_metrics_project }}"
-        kind: persistentvolumeclaim
-        files:
-          - "{{ mktemp.stdout }}/templates/hawkular-cassandra-pvc{{ metrics_pvc_index }}.yaml"
-        delete_after: true
-
-    - name: Wait for Cassandra persistent volume claim to be created on {{ openshift_metrics_project }}
-      oc_obj:
-        state: list
-        kind: pvc
-        name: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ metrics_pvc_index }}"
-        namespace: "{{openshift_metrics_project}}"
-      register: openshift_metrics_new_pvc
-      until: openshift_metrics_new_pvc.results.results[0] | length > 0
-
-    - set_fact:
-        openshift_metrics_pvc_uuid: "{{openshift_metrics_new_pvc['results']['results'][0]['metadata']['uid']}}"
-
-    - name: Attach PV to the new PVC
-      command: >
-       {{ openshift_client_binary }} -n {{ openshift_metrics_project }}
-        --config={{ mktemp.stdout }}/admin.kubeconfig
-        patch pv {{ openshift_metrics_pv_name }} -p '{"spec": {"claimRef": { "namespace": "{{ openshift_metrics_project }}", "name": "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ metrics_pvc_index }}", "uid": "{{ openshift_metrics_pvc_uuid }}" }}}'
-
-    - name: Wait until the PV is attached to new PVC
-      oc_obj:
-        state: list
-        kind: pvc
-        name: "{{ openshift_metrics_cassandra_pvc_prefix }}-{{ metrics_pvc_index }}"
-        namespace: "{{openshift_metrics_project}}"
-      register: openshift_metrics_new_pvc
-      until: openshift_metrics_new_pvc.results.results[0].spec.volumeName == openshift_metrics_pv_name
-
-    - name: Restore persistent volume reclaim policy
-      command: >
-       {{ openshift_client_binary }} -n {{ openshift_metrics_old_project }}
-        --config={{ mktemp.stdout }}/admin.kubeconfig
-        patch pv {{ openshift_metrics_pv_name }} -p '{"spec": {"persistentVolumeReclaimPolicy": "{{openshift_metrics_cassandra_pvc_persistent_policy}}"}}'

+ 0 - 36
roles/openshift_metrics/tasks/oc_apply.yaml

@@ -9,18 +9,6 @@
   register: generation_init
   failed_when: false
   changed_when: no
-  when: namespace is defined
-
-- name: Checking generation of {{file_content.kind}} {{file_content.metadata.name}}
-  command: >
-    {{ openshift_client_binary }}
-    --config={{ kubeconfig }}
-    get {{file_content.kind}} {{file_content.metadata.name}}
-    -o jsonpath='{.metadata.resourceVersion}'
-  register: generation_init_no_ns
-  failed_when: false
-  changed_when: no
-  when: namespace is not defined
 
 - name: Applying {{file_name}}
   command: >
@@ -30,16 +18,6 @@
   register: generation_apply
   failed_when: "'error' in generation_apply.stderr or (generation_apply.rc | int != 0)"
   changed_when: no
-  when: namespace is defined
-
-- name: Applying {{file_name}}
-  command: >
-    {{ openshift_client_binary }} --config={{ kubeconfig }}
-    apply -f {{ file_name }}
-  register: generation_apply
-  failed_when: "'error' in generation_apply.stderr or (generation_apply.rc | int != 0)"
-  changed_when: no
-  when: namespace is not defined
 
 - name: Determine change status of {{file_content.kind}} {{file_content.metadata.name}}
   command: >
@@ -52,17 +30,3 @@
     init_version: "{{ (generation_init is defined) | ternary(generation_init.stdout, '0') }}"
   failed_when: "'error' in version_changed.stderr or version_changed.rc | int != 0"
   changed_when: version_changed.stdout | int  > init_version | int
-  when: namespace is defined
-
-
-- name: Determine change status of {{file_content.kind}} {{file_content.metadata.name}}
-  command: >
-    {{ openshift_client_binary }} --config={{ kubeconfig }}
-    get {{file_content.kind}} {{file_content.metadata.name}}
-    -o jsonpath='{.metadata.resourceVersion}'
-  register: version_changed
-  vars:
-    init_version: "{{ (generation_init_no_ns is defined) | ternary(generation_init_no_ns.stdout, '0') }}"
-  failed_when: "'error' in version_changed.stderr or version_changed.rc | int != 0"
-  changed_when: version_changed.stdout | int  > init_version | int
-  when: namespace is not defined

+ 50 - 0
roles/openshift_metrics/tasks/pre_install.yaml

@@ -19,3 +19,53 @@
     get secrets -o name
   register: metrics_secrets
   changed_when: false
+
+- name: Get namespace object
+  oc_obj:
+    state: list
+    kind: namespace
+    name: "{{ openshift_metrics_project }}"
+    namespace: "{{ openshift_metrics_project }}"
+  register: openshift_metrics_namespace_object
+
+- name: Get namespace annotations
+  set_fact:
+    openshift_metrics_namespace_annotations: >
+      {{ openshift_metrics_namespace_object.results.results[0].metadata.annotations }}
+  when:
+  - openshift_metrics_namespace_object is defined
+  - openshift_metrics_namespace_object.results is defined
+  - openshift_metrics_namespace_object.results.results is defined
+  - openshift_metrics_namespace_object.results.results[0] is defined
+  - openshift_metrics_namespace_object.results.results[0].metadata is defined
+
+- name: Get namespace fsGroup
+  set_fact:
+    openshift_metrics_namespace_fsgroup: >
+      {{ openshift_metrics_namespace_annotations['openshift.io/sa.scc.supplemental-groups'].split("/")[0] | trim }}
+  when:
+  - openshift_metrics_namespace_annotations is defined
+  - openshift_metrics_namespace_annotations['openshift.io/sa.scc.supplemental-groups'] is defined
+
+- name: Get namespace userID
+  set_fact:
+    openshift_metrics_namespace_uid: >
+      {{ openshift_metrics_namespace_annotations['openshift.io/sa.scc.uid-range'].split("/")[0] | trim }}
+  when:
+  - openshift_metrics_namespace_annotations is defined
+  - openshift_metrics_namespace_annotations['openshift.io/sa.scc.uid-range'] is defined
+
+- name: Get namespace seLinuxOptions
+  set_fact:
+    openshift_metrics_namespace_selinux: >
+      {{ openshift_metrics_namespace_annotations['openshift.io/sa.scc.mcs'] | trim }}
+  when:
+  - openshift_metrics_namespace_annotations is defined
+  - openshift_metrics_namespace_annotations['openshift.io/sa.scc.mcs'] is defined
+
+- fail:
+    msg: Cannot get annotations on {{ openshift_metrics_project }} namespace
+  when: >
+    openshift_metrics_namespace_uid is not defined or
+    openshift_metrics_namespace_selinux is not defined or
+    openshift_metrics_namespace_fsgroup is not defined
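Review bot: The `when` list on the "Get namespace annotations" task guards every level down to `.metadata is defined` but not `.metadata.annotations`, so a namespace object without annotations makes that `set_fact` raise an undefined-variable error instead of reaching the `fail` task with its clearer message; add `- openshift_metrics_namespace_object.results.results[0].metadata.annotations is defined` (the block removed from install_metrics.yaml carried exactly that check). Separately, the four new facts use folded `>` scalars, which keep one trailing newline after the Jinja expression, so the `| trim` inside the braces cannot remove it; if Ansible preserves that newline, the values reach the RC template as `1000\n`-style strings, and `>-` on the four `set_fact` values would strip it. The list items under these `when:` keys are flush with the key while generate_cassandra_pvcs.yaml indents them; pick one style for the role.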

+ 0 - 10
roles/openshift_metrics/templates/create_project.j2

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Project
-metadata:
-{% if annotations is mapping %}
-  annotations:
-{% for key, value in annotations.items() %}
-    {{key}}: "{{value}}"
-{% endfor %}
-{% endif %}
-  name: {{ project_name }}

+ 5 - 0
roles/openshift_metrics/templates/hawkular_cassandra_rc.j2

@@ -20,6 +20,9 @@ spec:
     spec:
       serviceAccount: cassandra
       securityContext:
+        fsGroup: {{ fsgroup }}
+        seLinuxOptions:
+          level: {{ selinux_level }}
         supplementalGroups:
         - {{openshift_metrics_cassandra_storage_group}}
 {% if node_selector is iterable and node_selector | length > 0 %}
@@ -82,6 +85,8 @@ spec:
           mountPath: "/cassandra_data"
         - name: hawkular-cassandra-certs
           mountPath: "/hawkular-cassandra-certs"
+        securityContext:
+          runAsUser: {{ run_as_uid }}
 {% if ((openshift_metrics_cassandra_limits_cpu is defined and openshift_metrics_cassandra_limits_cpu is not none)
    or (openshift_metrics_cassandra_limits_memory is defined and openshift_metrics_cassandra_limits_memory is not none)
    or (openshift_metrics_cassandra_requests_cpu is defined and openshift_metrics_cassandra_requests_cpu is not none)
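Review bot: `level: {{ selinux_level }}` in the pod securityContext is rendered as a plain scalar, so an empty value leaves `level:` as null in the generated manifest and any MCS label that happens to start with a YAML indicator would be mis-parsed; seLinuxOptions.level is a string field, so quote it, `level: "{{ selinux_level }}"`. `fsGroup` and `runAsUser` must stay unquoted because the API expects integers, which is also why the values derived from the namespace annotations need to arrive without surrounding whitespace. runAsUser is set only on the container securityContext in the second hunk while fsGroup and seLinuxOptions go on the pod; that is fine for the single cassandra container, but setting runAsUser at pod level next to the others would also cover any container added later.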

+ 0 - 3
roles/openshift_metrics/templates/pvc.j2

@@ -18,9 +18,6 @@ metadata:
 {% endfor %}
 {% endif %}
 spec:
-{% if volume_name is defined %}
-  volumeName: {{volume_name}}
-{% endif %}
 {% if pv_selector is defined and pv_selector is mapping %}
   selector:
     matchLabels: