diff --git a/ceph-rgw/templates/bin/_bootstrap.sh.tpl b/ceph-rgw/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 000000000..a95648b87
--- /dev/null
+++ b/ceph-rgw/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+{{/*
+Copyright 2020 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
diff --git a/ceph-rgw/templates/configmap-bin.yaml b/ceph-rgw/templates/configmap-bin.yaml
index 79666d391..bde4329c0 100644
--- a/ceph-rgw/templates/configmap-bin.yaml
+++ b/ceph-rgw/templates/configmap-bin.yaml
@@ -25,6 +25,11 @@ data:
 {{- if .Values.images.local_registry.active }}
 image-repo-sync.sh: |
 {{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+
+{{- if .Values.bootstrap.enabled }}
+ bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}
 init-dirs.sh: |
diff --git a/ceph-rgw/templates/job-bootstrap.yaml b/ceph-rgw/templates/job-bootstrap.yaml
new file mode 100644
index 000000000..95b71a8cd
--- /dev/null
+++ b/ceph-rgw/templates/job-bootstrap.yaml
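Review bot: `set -ex` on the last-but-one added line traces every command of the operator-supplied `.Values.bootstrap.script` into the job's stdout, so any credential that the script passes on a command line (for example an explicit access or secret key when creating an RGW user) ends up verbatim in pod logs and whatever log pipeline collects them. Since the script body is not under this template's control, the wrapper should only set `set -e` and leave xtrace to the script author, or at least carry a comment such as `# NOTE: bootstrap.script is executed with xtrace enabled; do not pass credentials on command lines` above it. The default `"echo 'Not Enabled'"` fallback is fine, but it means an enabled job with no script set succeeds silently, which is worth a sentence in the values.yaml comment for `bootstrap.script`.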
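Review bot: `bootstrap.sh` is rendered into the `ceph-rgw-bin` ConfigMap whenever `.Values.bootstrap.enabled` is true, whereas the Job in job-bootstrap.yaml only renders when `manifests.job_bootstrap` is also true, so the operator-supplied script is placed in the ConfigMap even when nothing consumes it; gating this block with the same condition, `{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}`, keeps the two in step. Because `.Values.bootstrap.script` is free-form content, anything credential-like in it becomes readable to every principal with ConfigMap read access in the namespace; if a bootstrap script needs secrets, they should reach the job through a mounted Secret or environment variable rather than through this ConfigMap, and a short comment above the new block saying so would steer operators away from embedding them.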
@@ -0,0 +1,128 @@
+{{/*
+Copyright 2020 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "ceph-rgw-bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+ - update
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: ceph-rgw-bootstrap
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "ceph" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ spec:
+{{ dict "envAll" $envAll "application" "bootstrap" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ nodeSelector:
+ {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "bootstrap" "container" "keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-etc-ceph
+ mountPath: /etc/ceph
+ - name: ceph-rgw-bin
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ - name: ceph-rgw-admin-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ containers:
+ - name: ceph-rgw-bootstrap
+{{ tuple $envAll "ceph_bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "bootstrap" "container" "bootstrap" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: pod-etc-ceph
+ mountPath: /etc/ceph
+ - name: ceph-rgw-bin
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: ceph-rgw-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ - name: ceph-rgw-admin-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: pod-etc-ceph
+ emptyDir: {}
+ - name: ceph-rgw-bin
+ configMap:
+ name: ceph-rgw-bin
+ defaultMode: 0555
+ - name: ceph-rgw-etc
+ configMap:
+ name: {{ .Values.ceph_client.configmap }}
+ defaultMode: 0444
+ - name: ceph-rgw-admin-keyring
+ secret:
+ secretName: {{ .Values.secrets.keyrings.admin | quote }}
+{{- end }}
diff --git a/ceph-rgw/values.yaml b/ceph-rgw/values.yaml
index 0ed48d8b0..474a34fdd 100644
--- a/ceph-rgw/values.yaml
+++ b/ceph-rgw/values.yaml
@@ -25,6 +25,7 @@ release_group: null
 images:
 pull_policy: IfNotPresent
 tags:
+ ceph_bootstrap: 'docker.io/openstackhelm/ceph-daemon:ubuntu_bionic-20191216'
 ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20191216'
 ceph_rgw: 'docker.io/openstackhelm/ceph-daemon:ubuntu_bionic-20191216'
 dep_check: 'quay.io/airshipit/kubernetes-entrypoint:v1.0.0'
@@ -85,6 +86,16 @@ pod:
 create_s3_admin:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
+ bootstrap:
+ pod:
+ runAsUser: 65534
+ container:
+ keyring_placement:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ bootstrap:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 dns_policy: "ClusterFirstWithHostNet"
 replicas:
 rgw: 2
@@ -106,6 +117,13 @@ pod:
 memory: "512Mi"
 cpu: "1000m"
 jobs:
+ bootstrap:
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ requests:
+ memory: "128Mi"
+ cpu: "500m"
 ceph-rgw-storage-init:
 requests:
 memory: "128Mi"
@@ -379,11 +397,6 @@ dependencies:
 s3:
 rgw: {}
 static:
- bootstrap:
- jobs: null
- services:
- - endpoint: internal
- service: ceph_mon
 rgw:
 jobs:
 - ceph-rgw-storage-init
@@ -559,6 +572,7 @@ manifests:
 configmap_etc: true
 deployment_rgw: true
 ingress_rgw: true
+ job_bootstrap: false
 job_ceph_rgw_storage_init: true
 job_image_repo_sync: true
 job_ks_endpoints: true
diff --git a/tools/deployment/osh-infra-logging/030-radosgw-osh-infra.sh b/tools/deployment/osh-infra-logging/030-radosgw-osh-infra.sh
index 3493335b0..655488648 100755
--- a/tools/deployment/osh-infra-logging/030-radosgw-osh-infra.sh
+++ b/tools/deployment/osh-infra-logging/030-radosgw-osh-infra.sh
@@ -37,7 +37,7 @@ deployment:
 client_secrets: false
 rgw_keystone_user_and_endpoints: false
 bootstrap:
- enabled: false
+ enabled: true
 conf:
 rgw_ks:
 enabled: false
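Review bot: The Role bound to `ceph-rgw-bootstrap` grants get/create/update/patch on every Secret in the release namespace, yet nothing in this Job uses the Kubernetes API: the only commands are `/tmp/ceph-admin-keyring.sh` and `/tmp/bootstrap.sh`, and the admin keyring arrives through the `ceph-rgw-admin-keyring` Secret volume, not an API call. Unless the operator-supplied bootstrap script is expected to manage Secrets, the Role and RoleBinding should be dropped (the `kubernetes_pod_rbac_serviceaccount` snippet alone is enough), or at least narrowed with `resourceNames` to the Secrets the script actually touches, because as written any code this job runs can read the admin keyring Secret and every other Secret in the namespace. If writing Secrets is the intended use, a comment above `rules:` naming that use (for example `# bootstrap.script may publish generated RGW credentials as Secrets`) would keep the grant from being widened silently later. Note also that both the init container and the main container mount the Ceph admin keyring, so the bootstrap script effectively runs with full cluster authority; that is probably intended but deserves a line in the values.yaml comment for `bootstrap.script`.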
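Review bot: The hunk at `@@ -379,11 +397,6 @@` deletes `dependencies.static.bootstrap` (the `ceph_mon` internal endpoint), while the new job-bootstrap.yaml resolves `tuple $envAll "bootstrap" list` through `kubernetes_entrypoint_init_container`, so unless a `bootstrap` dependency is defined elsewhere in values.yaml the dep-check init container now waits for nothing and the job's first attempt can run before the monitors are reachable, leaning on `restartPolicy: OnFailure` retries instead of an ordering guarantee. Restoring the removed `services:` entry with `endpoint: internal` / `service: ceph_mon` under `static.bootstrap` would keep the job from starting early; if the removal is deliberate, a comment in the `dependencies` block explaining why would help. The remaining hunks in this file (the `ceph_bootstrap` image tag, the `bootstrap` security context with `runAsUser: 65534`, the job resources and the `job_bootstrap: false` manifest flag) are consistent with the new template.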
@@ -46,6 +46,8 @@ conf:
 pod:
 replicas:
 rgw: 1
+manifests:
+ job_bootstrap: true
 EOF
 helm upgrade --install radosgw-osh-infra ./ceph-rgw \
 --namespace=osh-infra \