Add OVNcontroller and OVSnodeOsp to cvs-generator
This adds the newly added OVNcontroller and OVSnodeOsp CRDs to the
csv-generator, and also adds the SCC generation, as it is not handled
correctly by OLM.
stuggi committed Jul 6, 2020
1 parent c8176d3 commit ccb95a1
Showing 6 changed files with 245 additions and 123 deletions.
76 changes: 76 additions & 0 deletions cmd/manager/main.go
Expand Up @@ -17,16 +17,22 @@ import (
"github.com/openstack-k8s-operators/neutron-operator/pkg/controller"
"github.com/openstack-k8s-operators/neutron-operator/version"

secv1 "github.com/openshift/api/security/v1"
"github.com/operator-framework/operator-sdk/pkg/k8sutil"
kubemetrics "github.com/operator-framework/operator-sdk/pkg/kube-metrics"
"github.com/operator-framework/operator-sdk/pkg/leader"
"github.com/operator-framework/operator-sdk/pkg/log/zap"
"github.com/operator-framework/operator-sdk/pkg/metrics"
sdkVersion "github.com/operator-framework/operator-sdk/version"
"github.com/spf13/pflag"
corev1 "k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/api/meta"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"sigs.k8s.io/controller-runtime/pkg/cache"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/client/config"
logf "sigs.k8s.io/controller-runtime/pkg/log"
"sigs.k8s.io/controller-runtime/pkg/manager"
Expand Down Expand Up @@ -139,6 +145,13 @@ func main() {
// Add the Metrics Service
addMetrics(ctx, cfg)

log.Info("Creating SCC for neutron-operator.")
err = ensureSCCExists(mgr.GetClient(), namespace, "neutron-operator")
if err != nil {
log.Error(err, "Failed to create SCC for neutron-operator.")
os.Exit(1)
}

log.Info("Starting the Cmd.")

// Start the Cmd
Expand Down Expand Up @@ -217,3 +230,66 @@ func serveCRMetrics(cfg *rest.Config, operatorNs string) error {
}
return nil
}

const sccName = "neutron-operator"

// EnsureSCCExists ensures the security context constraint for neutron-operator exists
func ensureSCCExists(c client.Client, saNamespace, saName string) error {

userName := fmt.Sprintf("system:serviceaccount:%s:%s", saNamespace, saName)
trueVar := true
priority := int32(10)

scc := &secv1.SecurityContextConstraints{
ObjectMeta: metav1.ObjectMeta{
Name: sccName,
Labels: map[string]string{
"neutron.openstack.org": "",
},
},
Priority: &priority,
FSGroup: secv1.FSGroupStrategyOptions{
Type: secv1.FSGroupStrategyRunAsAny,
},
AllowPrivilegedContainer: true,
AllowPrivilegeEscalation: &trueVar,
AllowHostDirVolumePlugin: true,
AllowHostIPC: true,
AllowHostNetwork: true,
AllowHostPID: true,
AllowHostPorts: true,
ReadOnlyRootFilesystem: false,
AllowedCapabilities: []corev1.Capability{
"*",
},
DefaultAddCapabilities: []corev1.Capability{},
RequiredDropCapabilities: []corev1.Capability{},
RunAsUser: secv1.RunAsUserStrategyOptions{
Type: secv1.RunAsUserStrategyRunAsAny,
},
SELinuxContext: secv1.SELinuxContextStrategyOptions{
Type: secv1.SELinuxStrategyRunAsAny,
},
SupplementalGroups: secv1.SupplementalGroupsStrategyOptions{
Type: secv1.SupplementalGroupsStrategyRunAsAny,
},
SeccompProfiles: []string{"*"},
Volumes: []secv1.FSType{
secv1.FSTypeAll,
},
Users: []string{
userName,
},
}

// cache has not been started yet so we just attempt creation(no query). If it fails we handle accordingly
err := c.Create(context.TODO(), scc)
if meta.IsNoMatchError(err) {
log.Info("No match error for SecurityContextConstraints API, skipping SCC configuration.")
return nil
} else if apierrors.IsAlreadyExists(err) {
return nil
}
return err

}
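Review bot: The `apierrors.IsAlreadyExists(err)` branch in ensureSCCExists returns nil without looking at the existing object, so if the `neutron-operator` SCC was created earlier for a different `saNamespace`/`saName` (the SCC name is the fixed `sccName` while `Users` is derived from the parameters), the current service account is never added and a changed spec is never reconciled. Given the comment that the cache has not started, a read-then-update through `mgr.GetClient()` is probably not available at this point, so the limitation should at least be stated, e.g. `// An existing SCC is left untouched: its Users and permissions are not reconciled on restart or upgrade.` The SCC grants the broadest possible settings (privileged containers, all host namespaces and ports, `AllowedCapabilities: "*"`, `SeccompProfiles: "*"`, all volume types, priority 10) to the operator's own service account; a short comment saying which of these the OVN/OVS daemons actually need would let reviewers judge whether the scope can be narrowed. The doc comment should start with the function's real name, `// ensureSCCExists ensures the SecurityContextConstraints for neutron-operator exists`, and the import hunk pulls in `k8s.io/api/core/v1` twice under both `corev1` and `v1`, which `goimports` will not dedupe.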
111 changes: 56 additions & 55 deletions deploy/crds/neutron.openstack.org_ovncontrollers_crd.yaml
@@ -1,4 +1,4 @@
apiVersion: apiextensions.k8s.io/v1
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ovncontrollers.neutron.openstack.org
Expand All @@ -10,61 +10,62 @@ spec:
plural: ovncontrollers
singular: ovncontroller
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
description: OVNController is the Schema for the ovncontrollers API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: OVNControllerSpec defines the desired state of OVNController
properties:
ovnControllerImage:
description: container image to run for the daemon
type: string
ovnLogLevel:
description: log level
type: string
roleName:
description: Name of the worker role created for OSP computes
type: string
serviceAccount:
description: service account used to create pods
type: string
required:
- ovnControllerImage
- ovnLogLevel
- roleName
- serviceAccount
type: object
status:
description: OVNControllerStatus defines the observed state of OVNController
properties:
count:
description: Count is the number of nodes the daemon is deployed to
format: int32
type: integer
daemonsetHash:
description: Daemonset hash used to detect changes
type: string
required:
- count
- daemonsetHash
type: object
type: object
version: v1
versions:
- name: v1
schema:
openAPIV3Schema:
description: OVNController is the Schema for the ovncontrollers API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: OVNControllerSpec defines the desired state of OVNController
properties:
ovnControllerImage:
description: container image to run for the daemon
type: string
ovnLogLevel:
description: log level
type: string
roleName:
description: Name of the worker role created for OSP computes
type: string
serviceAccount:
description: service account used to create pods
type: string
required:
- ovnControllerImage
- ovnLogLevel
- roleName
- serviceAccount
type: object
status:
description: OVNControllerStatus defines the observed state of OVNController
properties:
count:
description: Count is the number of nodes the daemon is deployed to
format: int32
type: integer
daemonsetHash:
description: Daemonset hash used to detect changes
type: string
required:
- count
- daemonsetHash
type: object
type: object
served: true
storage: true
subresources:
status: {}
127 changes: 64 additions & 63 deletions deploy/crds/neutron.openstack.org_ovsnodeosps_crd.yaml
@@ -1,4 +1,4 @@
apiVersion: apiextensions.k8s.io/v1
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ovsnodeosps.neutron.openstack.org
Expand All @@ -10,69 +10,70 @@ spec:
plural: ovsnodeosps
singular: ovsnodeosp
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
description: OVSNodeOsp is the Schema for the ovsnodeosps API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: OVSNodeOspSpec defines the desired state of OVSNodeOsp
properties:
nic:
description: NIC for ovn encap ip
type: string
ovnSbRemote:
description: ovn south db ip
type: string
ovsLogLevel:
description: log level
type: string
ovsNodeOspImage:
description: container image to run for the daemon
type: string
roleName:
description: Name of the worker role created for OSP computes
type: string
serviceAccount:
description: service account used to create pods
type: string
required:
- nic
- ovnSbRemote
- ovsLogLevel
- ovsNodeOspImage
- roleName
- serviceAccount
type: object
status:
description: OVSNodeOspStatus defines the observed state of OVSNodeOsp
properties:
count:
description: Count is the number of nodes the daemon is deployed to
format: int32
type: integer
daemonsetHash:
description: Daemonset hash used to detect changes
type: string
required:
- count
- daemonsetHash
type: object
type: object
version: v1
versions:
- name: v1
schema:
openAPIV3Schema:
description: OVSNodeOsp is the Schema for the ovsnodeosps API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: OVSNodeOspSpec defines the desired state of OVSNodeOsp
properties:
nic:
description: NIC for ovn encap ip
type: string
ovnSbRemote:
description: ovn south db ip
type: string
ovsLogLevel:
description: log level
type: string
ovsNodeOspImage:
description: container image to run for the daemon
type: string
roleName:
description: Name of the worker role created for OSP computes
type: string
serviceAccount:
description: service account used to create pods
type: string
required:
- nic
- ovnSbRemote
- ovsLogLevel
- ovsNodeOspImage
- roleName
- serviceAccount
type: object
status:
description: OVSNodeOspStatus defines the observed state of OVSNodeOsp
properties:
count:
description: Count is the number of nodes the daemon is deployed to
format: int32
type: integer
daemonsetHash:
description: Daemonset hash used to detect changes
type: string
required:
- count
- daemonsetHash
type: object
type: object
served: true
storage: true
subresources:
status: {}
4 changes: 1 addition & 3 deletions go.mod
Expand Up @@ -3,16 +3,14 @@ module github.com/openstack-k8s-operators/neutron-operator
go 1.13

require (
github.com/RHsyseng/operator-utils v0.0.0-20200417214513-7aac0c82a293
github.com/blang/semver v3.5.1+incompatible
github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
github.com/go-openapi/spec v0.19.7
github.com/openshift/api v0.0.0-20200205133042-34f0ec8dab87
github.com/openshift/cluster-api v0.0.0-20191129101638-b09907ac6668
github.com/openstack-k8s-operators/lib-common v0.0.0-20200506095056-36244492b7a8
github.com/operator-framework/operator-lifecycle-manager v0.0.0-20200321030439-57b580e57e88
github.com/operator-framework/operator-sdk v0.17.0
github.com/spf13/pflag v1.0.5
github.com/stretchr/testify v1.4.0
golang.org/x/tools v0.0.0-20200504022951-6b6965ac5dd1 // indirect
k8s.io/api v0.17.4
k8s.io/apimachinery v0.17.4
