K8SPS-110 certify openshift #857

Open
wants to merge 14 commits into
base: main
@nmarukovich nmarukovich commented Mar 11, 2025


CHANGE DESCRIPTION

Problem:
We can't run ps operator on openshift because of permission restrictions.

Cause:
Short explanation of the root cause of the issue if applicable.

Solution:
Use empty volume to store orchestrator config and run mysqlsh.

CHECKLIST

Jira

  • Is the Jira ticket created and referenced properly?
  • Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
  • Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

  • Is an E2E test/test case added for the new feature/change?
  • Are unit tests added where appropriate?

Config/Logging/Testability

  • Are all needed new/changed options added to default YAML files?
  • Are all needed new/changed options added to the Helm Chart?
  • Did we add proper logging messages for operator actions?
  • Did we ensure compatibility with the previous version or cluster upgrade process?
  • Does the change support oldest and newest supported PS version?
  • Does the change support oldest and newest supported Kubernetes version?

@pull-request-size pull-request-size bot added the size/M 30-99 lines label Mar 11, 2025
@pull-request-size pull-request-size bot added size/L 100-499 lines and removed size/M 30-99 lines labels Mar 12, 2025
@nmarukovich nmarukovich marked this pull request as ready for review March 14, 2025 10:54
Comment on lines +102 to +124
platform=openshift
oc create sa pmm-server -n "${NAMESPACE}" || :
oc adm policy add-scc-to-user privileged -z pmm-server -n "${NAMESPACE}" || :

if [[ $OPERATOR_NS ]]; then
timeout 30 oc delete clusterrolebinding $(kubectl get clusterrolebinding | grep 'pmm-ps-operator-' | awk '{print $1}') || :
oc create clusterrolebinding pmm-ps-operator-cluster-wide --clusterrole=percona-server-mysql-operator --serviceaccount=$NAMESPACE:pmm-server -n "$NAMESPACE"
oc patch clusterrole/percona-server-mysql-operator --type json -p='[{"op":"add","path": "/rules/-","value":{"apiGroups":["security.openshift.io"],"resources":["securitycontextconstraints"],"verbs":["use"],"resourceNames":["privileged"]}}]' ${OPERATOR_NS:+-n $OPERATOR_NS} || :
else
oc create rolebinding pmm-ps-operator-namespace-only --role percona-server-mysql-operator --serviceaccount=$NAMESPACE:pmm-server -n "$NAMESPACE"
oc patch role/percona-server-mysql-operator --type json -p='[{"op":"add","path": "/rules/-","value":{"apiGroups":["security.openshift.io"],"resources":["securitycontextconstraints"],"verbs":["use"],"resourceNames":["privileged"]}}]' -n "$NAMESPACE" || :
fi
local additional_params="--set platform=openshift --set supresshttp2=false --set serviceAccount.create=false --set serviceAccount.name=pmm-server"
fi

retry 10 120 helm install monitoring percona/pmm -n "${NAMESPACE}" \
--set fullnameOverride=monitoring \
--version ${PMM_SERVER_VERSION} \
--set imageTag=${IMAGE_PMM_SERVER#*:} \
--set imageRepo=${IMAGE_PMM_SERVER%:*} \
--set service.type=LoadBalancer \
$additional_params \
--force
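
Review bot: In the OPERATOR_NS branch, `oc create clusterrolebinding pmm-ps-operator-cluster-wide --clusterrole=percona-server-mysql-operator --serviceaccount=$NAMESPACE:pmm-server` binds the pmm-server service account to the operator's entire ClusterRole, and the `oc patch` that follows appends `use` on the `privileged` SCC to that same role, so every subject bound to percona-server-mysql-operator gains it, not only PMM (the else branch does the same with the namespaced role). The earlier `oc adm policy add-scc-to-user privileged -z pmm-server` already grants the SCC to the service account; if that is sufficient, drop the binding and the patch, otherwise create a dedicated role that carries only the securitycontextconstraints rule and bind pmm-server to that. Smaller points: the JSON patch with path `/rules/-` appends a new rule on every run, `-n` has no effect on the cluster-scoped clusterrole and clusterrolebinding objects, and the `|| :` suffixes hide a failed grant, which makes a later helm install failure harder to trace.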
[shfmt] reported by reviewdog 🐶

Suggested change
platform=openshift
oc create sa pmm-server -n "${NAMESPACE}" || :
oc adm policy add-scc-to-user privileged -z pmm-server -n "${NAMESPACE}" || :
if [[ $OPERATOR_NS ]]; then
timeout 30 oc delete clusterrolebinding $(kubectl get clusterrolebinding | grep 'pmm-ps-operator-' | awk '{print $1}') || :
oc create clusterrolebinding pmm-ps-operator-cluster-wide --clusterrole=percona-server-mysql-operator --serviceaccount=$NAMESPACE:pmm-server -n "$NAMESPACE"
oc patch clusterrole/percona-server-mysql-operator --type json -p='[{"op":"add","path": "/rules/-","value":{"apiGroups":["security.openshift.io"],"resources":["securitycontextconstraints"],"verbs":["use"],"resourceNames":["privileged"]}}]' ${OPERATOR_NS:+-n $OPERATOR_NS} || :
else
oc create rolebinding pmm-ps-operator-namespace-only --role percona-server-mysql-operator --serviceaccount=$NAMESPACE:pmm-server -n "$NAMESPACE"
oc patch role/percona-server-mysql-operator --type json -p='[{"op":"add","path": "/rules/-","value":{"apiGroups":["security.openshift.io"],"resources":["securitycontextconstraints"],"verbs":["use"],"resourceNames":["privileged"]}}]' -n "$NAMESPACE" || :
fi
local additional_params="--set platform=openshift --set supresshttp2=false --set serviceAccount.create=false --set serviceAccount.name=pmm-server"
fi
retry 10 120 helm install monitoring percona/pmm -n "${NAMESPACE}" \
--set fullnameOverride=monitoring \
--version ${PMM_SERVER_VERSION} \
--set imageTag=${IMAGE_PMM_SERVER#*:} \
--set imageRepo=${IMAGE_PMM_SERVER%:*} \
--set service.type=LoadBalancer \
$additional_params \
--force
platform=openshift
oc create sa pmm-server -n "${NAMESPACE}" || :
oc adm policy add-scc-to-user privileged -z pmm-server -n "${NAMESPACE}" || :
if [[ $OPERATOR_NS ]]; then
timeout 30 oc delete clusterrolebinding $(kubectl get clusterrolebinding | grep 'pmm-ps-operator-' | awk '{print $1}') || :
oc create clusterrolebinding pmm-ps-operator-cluster-wide --clusterrole=percona-server-mysql-operator --serviceaccount=$NAMESPACE:pmm-server -n "$NAMESPACE"
oc patch clusterrole/percona-server-mysql-operator --type json -p='[{"op":"add","path": "/rules/-","value":{"apiGroups":["security.openshift.io"],"resources":["securitycontextconstraints"],"verbs":["use"],"resourceNames":["privileged"]}}]' ${OPERATOR_NS:+-n $OPERATOR_NS} || :
else
oc create rolebinding pmm-ps-operator-namespace-only --role percona-server-mysql-operator --serviceaccount=$NAMESPACE:pmm-server -n "$NAMESPACE"
oc patch role/percona-server-mysql-operator --type json -p='[{"op":"add","path": "/rules/-","value":{"apiGroups":["security.openshift.io"],"resources":["securitycontextconstraints"],"verbs":["use"],"resourceNames":["privileged"]}}]' -n "$NAMESPACE" || :
fi
local additional_params="--set platform=openshift --set supresshttp2=false --set serviceAccount.create=false --set serviceAccount.name=pmm-server"
fi
retry 10 120 helm install monitoring percona/pmm -n "${NAMESPACE}" \
--set fullnameOverride=monitoring \
--version ${PMM_SERVER_VERSION} \
--set imageTag=${IMAGE_PMM_SERVER#*:} \
--set imageRepo=${IMAGE_PMM_SERVER%:*} \
--set service.type=LoadBalancer \
$additional_params \
--force

@@ -736,6 +739,7 @@
echo logs saved in: ${TEMP_DIR}/logs_output-$p-$c.txt
for pass in $passwords; do
count=$(grep -c --fixed-strings -- "$pass" ${TEMP_DIR}/logs_output-$p-$c.txt || :)
count=$(echo "$count" | awk '{if ($1 ~ /^[0-9]+$/) print $1; else print 0}')
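
Review bot: The awk normalisation of `count` turns any non-numeric result into 0, and the preceding `grep -c ... || :` already swallows grep's exit status, so a missing or unreadable `${TEMP_DIR}/logs_output-$p-$c.txt` is indistinguishable from "password not found" and the leak check passes without having inspected anything. Check that the log file exists and is non-empty before the loop and fail the test if it is not, rather than coercing the value; `grep -c` prints 0 on its own when there are no matches, so the extra step is only reached in the error case. The file path is also unquoted in the grep call.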
[shfmt] reported by reviewdog 🐶

Suggested change
count=$(echo "$count" | awk '{if ($1 ~ /^[0-9]+$/) print $1; else print 0}')
count=$(echo "$count" | awk '{if ($1 ~ /^[0-9]+$/) print $1; else print 0}')

Comment on lines +770 to +772
oc adm policy add-scc-to-user privileged -z chaos-daemon --namespace=${NAMESPACE}
fi
sleep 10
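
Review bot: The fixed `sleep 10` after the `fi` is a timing guess; if it is there to let the chaos-daemon pods be admitted once the SCC grant is in place, wait on that condition instead (for example `kubectl rollout status` or `kubectl wait --for=condition=Ready` on the relevant workload with a timeout) so the test neither flakes on a slow cluster nor waits needlessly on a fast one. On the `oc adm policy add-scc-to-user privileged -z chaos-daemon --namespace=${NAMESPACE}` line, `${NAMESPACE}` is unquoted, unlike the pmm-server grant earlier in this PR, and a short comment stating why chaos-daemon needs the privileged SCC would help reviewers judge the grant.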
[shfmt] reported by reviewdog 🐶

Suggested change
oc adm policy add-scc-to-user privileged -z chaos-daemon --namespace=${NAMESPACE}
fi
sleep 10
oc adm policy add-scc-to-user privileged -z chaos-daemon --namespace=${NAMESPACE}
fi
sleep 10

Labels
size/L 100-499 lines

2 participants