From ed1fc67147c801a0fcb2738bfe777a72f17403cb Mon Sep 17 00:00:00 2001 From: Aiden Keating Date: Mon, 25 Nov 2019 23:43:03 +0000 Subject: [PATCH] fuse online 1.5 refactor --- pkg/deploys/fuse/deployer.go | 146 +++++---- pkg/deploys/fuse/objects.go | 61 +--- templates/broker.template.yaml | 540 +++++++++++++++++++++++++++++++++ tmp/build/broker/Dockerfile | 3 +- 4 files changed, 637 insertions(+), 113 deletions(-) diff --git a/pkg/deploys/fuse/deployer.go b/pkg/deploys/fuse/deployer.go index 1939e274..fba8da7b 100644 --- a/pkg/deploys/fuse/deployer.go +++ b/pkg/deploys/fuse/deployer.go @@ -1,14 +1,16 @@ package fuse import ( - "context" + "archive/tar" + "compress/gzip" "fmt" "io" + v1 "k8s.io/api/authentication/v1" corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/util/yaml" "net/http" "os" + "os/exec" + "path/filepath" "strings" brokerapi "github.com/integr8ly/managed-service-broker/pkg/broker" @@ -18,10 +20,7 @@ import ( "github.com/operator-framework/operator-sdk/pkg/util/k8sutil" "github.com/pkg/errors" glog "github.com/sirupsen/logrus" - yamlv2 "gopkg.in/yaml.v2" - "k8s.io/api/authentication/v1" apiErrors "k8s.io/apimachinery/pkg/api/errors" - k8errors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" "sigs.k8s.io/controller-runtime/pkg/client" @@ -83,7 +82,6 @@ func (fd *FuseDeployer) Deploy(req *brokerapi.ProvisionRequest, async bool) (*br }, err } - //RoleBindings err = fd.createRoleBindings(namespace, req.OriginatingUserInfo, fd.k8sClient, fd.osClient) if err != nil { glog.Errorln(err) 
@@ -147,46 +145,19 @@ func (fd *FuseDeployer) createOperatorResources(namespace string, client client. } glog.Printf("Operator resources url = %v", resourcesUrl) - var httpClient http.Client - resp, err := httpClient.Get(resourcesUrl) - if err != nil { - return err - } - defer resp.Body.Close() - - var resources []runtime.Object - dec := yamlv2.NewDecoder(resp.Body) - for { - var value interface{} - err := dec.Decode(&value) - if err == io.EOF { - break - } - if err != nil { - return err - } - yamlData, err := yamlv2.Marshal(value) - if err != nil { - return err - } - jsonData, err := yaml.ToJSON(yamlData) - if err != nil { + destUrl := "/tmp" + destBin := fmt.Sprintf("%s/syndesis-operator", destUrl) + if _, err := os.Stat(destBin); os.IsNotExist(err) || err != nil { + glog.Infof("downloading fuse online binary from %s, to %s", resourcesUrl, destUrl) + if err := downloadSyndesisBinary(resourcesUrl, destUrl); err != nil { + glog.Infof("failed to download fuse online binary") return err } - resource, err := openshift.LoadKubernetesResource(jsonData, namespace) - if err != nil { - return err - } - resources = append(resources, resource) } - //ToDo Can we lazy load these resources so we don't need to be doing a http request every time - for _, resource := range resources { - err = client.Create(context.TODO(), resource) - if err != nil && !k8errors.IsAlreadyExists(err) { - glog.Errorf("failed to create object during provision with kind %v, err: %+v", resource.GetObjectKind().GroupVersionKind().String(), err) - return err - } + if _, err := exec.Command(destBin, "install", "operator", "--wait", "-n", namespace).Output(); err != nil { + glog.Infof("failed to install fuse online operator in namespace %s", namespace) + return err } return nil } 
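Review bot: The new code downloads an executable from resourcesUrl into the shared /tmp directory and runs it with no integrity check, so whatever that URL serves is executed with the broker's credentials; the archive's checksum or signature should be verified before `exec.Command(destBin, ...)` runs it, or the binary shipped inside the image instead of fetched at provision time. `os.IsNotExist(err) || err != nil` reduces to `err != nil`, and `fmt.Sprintf("%s/syndesis-operator", destUrl)` should be `filepath.Join(destUrl, "syndesis-operator")` now that path/filepath is imported. The `.Output()` result is discarded, so the operator's stderr is lost on failure; `out, err := exec.Command(destBin, "install", "operator", "--wait", "-n", namespace).CombinedOutput()` followed by `return errors.Wrapf(err, "installing fuse online operator in %s: %s", namespace, out)` would keep it. createOperatorResources begins outside the hunk.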
@@ -267,23 +238,14 @@ func (fd *FuseDeployer) ServiceInstanceLastOperation(req *brokerapi.LastOperatio } func (fd *FuseDeployer) createRoleBindings(namespace string, userInfo v1.UserInfo, k8sclient kubernetes.Interface, osClientFactory *openshift.ClientFactory) error { - for _, sysRoleBinding := range getSystemRoleBindings(namespace) { - _, err := k8sclient.RbacV1beta1().RoleBindings(namespace).Create(&sysRoleBinding) - if err != nil && !strings.Contains(err.Error(), "already exists") { - return errors.Wrapf(err, "failed to create rolebinding for %s", &sysRoleBinding.ObjectMeta.Name) - } - } - authClient, err := osClientFactory.AuthClient() if err != nil { return errors.Wrap(err, "failed to create an openshift authorization client") } - _, err = authClient.RoleBindings(namespace).Create(getUserViewRoleBindingObj(namespace, userInfo.Username)) if err != nil { return errors.Wrap(err, "failed to create user view role binding for fuse service") } - return nil } 
@@ -349,3 +311,83 @@ func getFuse(ns string) (*fuseV1alpha1.Syndesis, error) { return nil, nil } + +func downloadSyndesisBinary(srcUrl, destUrl string) error { + resp, err := http.Get(srcUrl) + if err != nil { + return err + } + defer resp.Body.Close() + if err := untar(destUrl, resp.Body); err != nil { + return err + } + if err := os.Chmod(fmt.Sprintf("%s/syndesis-operator", destUrl), 755); err != nil { + return err + } + return nil +} + +func untar(dst string, r io.Reader) error { + + gzr, err := gzip.NewReader(r) + if err != nil { + return err + } + defer gzr.Close() + + tr := tar.NewReader(gzr) + + for { + header, err := tr.Next() + + switch { + + // if no more files are found return + case err == io.EOF: + return nil + + // return any other error + case err != nil: + return err + + // if the header is nil, just skip it (not sure how this happens) + case header == nil: + continue + } + + // the target location where the dir/file should be created + target := filepath.Join(dst, header.Name) + + // the following switch could also be done using fi.Mode(), not sure if there + // a benefit of using one vs. the other. + // fi := header.FileInfo() + + // check the file type + switch header.Typeflag { + + // if its a dir and it doesn't exist create it + case tar.TypeDir: + if _, err := os.Stat(target); err != nil { + if err := os.MkdirAll(target, 0755); err != nil { + return err + } + } + + // if it's a file create it + case tar.TypeReg: + f, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode)) + if err != nil { + return err + } + + // copy over contents + if _, err := io.Copy(f, tr); err != nil { + return err + } + + // manually close here after each file operation; defering would cause each file close + // to wait until all operations have completed. + f.Close() + } + } +} diff --git a/pkg/deploys/fuse/objects.go b/pkg/deploys/fuse/objects.go index 73671d6e..957419c6 100644 --- a/pkg/deploys/fuse/objects.go +++ b/pkg/deploys/fuse/objects.go 
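Review bot: `os.Chmod(fmt.Sprintf("%s/syndesis-operator", destUrl), 755)` in downloadSyndesisBinary passes a decimal literal, so the binary gets mode 01363 rather than 0755; the argument must be `0755`. In untar, `target := filepath.Join(dst, header.Name)` is used as-is, so an archive entry whose name contains `..` is written outside dst; the joined path should be checked against dst before any directory or file is created. The TypeReg branch also leaks the file descriptor when io.Copy fails (the early return skips `f.Close()`), ignores Close's error, and opens without O_TRUNC so a longer pre-existing file keeps its tail; downloadSyndesisBinary additionally hands the body to gzip without checking resp.StatusCode, so a 404 page surfaces as a gzip error rather than an HTTP one. The rewritten lines below use `strings`, which deployer.go still imports.
```go
func downloadSyndesisBinary(srcUrl, destUrl string) error {
	resp, err := http.Get(srcUrl)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("downloading %s: unexpected status %s", srcUrl, resp.Status)
	}
	if err := untar(destUrl, resp.Body); err != nil {
		return err
	}
	// 0755 is octal; the decimal literal 755 would set mode 01363.
	return os.Chmod(filepath.Join(destUrl, "syndesis-operator"), 0755)
}

// … unchanged: gzip/tar reader setup and the header loop in untar …
		target := filepath.Join(dst, header.Name)
		// reject entries that resolve outside dst (names containing "..")
		if !strings.HasPrefix(target, filepath.Clean(dst)+string(os.PathSeparator)) {
			return fmt.Errorf("tar entry %q escapes destination %q", header.Name, dst)
		}
// … unchanged: TypeDir case …
		case tar.TypeReg:
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(header.Mode))
			if err != nil {
				return err
			}
			_, copyErr := io.Copy(f, tr)
			// close per entry rather than defer, so the descriptor is released before the next file
			closeErr := f.Close()
			if copyErr != nil {
				return copyErr
			}
			if closeErr != nil {
				return closeErr
			}
```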
@@ -5,7 +5,6 @@ import ( "github.com/integr8ly/managed-service-broker/pkg/deploys/fuse/pkg/apis/syndesis/v1alpha1" authv1 "github.com/openshift/api/authorization/v1" corev1 "k8s.io/api/core/v1" - rbacv1beta1 "k8s.io/api/rbac/v1beta1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -91,63 +90,6 @@ func getUserViewRoleBindingObj(namespace, username string) *authv1.RoleBinding { } } -// System specific role bindings -func getSystemRoleBindings(namespace string) []rbacv1beta1.RoleBinding { - return []rbacv1beta1.RoleBinding{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "system:deployers", - }, - Subjects: []rbacv1beta1.Subject{ - { - Kind: "ServiceAccount", - Name: "deployer", - Namespace: namespace, - }, - }, - RoleRef: rbacv1beta1.RoleRef{ - Kind: "ClusterRole", - Name: "system:deployer", - APIGroup: "rbac.authorization.k8s.io", - }, - }, - { - ObjectMeta: metav1.ObjectMeta{ - Name: "system:image-builders", - }, - Subjects: []rbacv1beta1.Subject{ - { - Kind: "ServiceAccount", - Name: "builder", - Namespace: namespace, - }, - }, - RoleRef: rbacv1beta1.RoleRef{ - Kind: "ClusterRole", - Name: "system:image-builder", - APIGroup: "rbac.authorization.k8s.io", - }, - }, - { - ObjectMeta: metav1.ObjectMeta{ - Name: "system:image-pullers", - }, - Subjects: []rbacv1beta1.Subject{ - { - Kind: "Group", - Name: "system:serviceaccounts:" + namespace, - Namespace: namespace, - }, - }, - RoleRef: rbacv1beta1.RoleRef{ - Kind: "ClusterRole", - Name: "system:image-puller", - APIGroup: "rbac.authorization.k8s.io", - }, - }, - } -} - // Fuse Custom Resource func getFuseObj(deployNamespace, consumerNamespace string, integrationsLimit int) *v1alpha1.Syndesis { return &v1alpha1.Syndesis{ 
@@ -161,8 +103,7 @@ func getFuseObj(deployNamespace, consumerNamespace string, integrationsLimit int Annotations: map[string]string{}, }, Spec: v1alpha1.SyndesisSpec{ - SarNamespace: consumerNamespace, - ImageStreamNamespace: FUSE_IMAGE_STREAMS_NAMESPACE, + SarNamespace: consumerNamespace, Integration: v1alpha1.IntegrationSpec{ Limit: &integrationsLimit, }, diff --git a/templates/broker.template.yaml b/templates/broker.template.yaml index 9a7fee20..9d4a230a 100644 --- a/templates/broker.template.yaml +++ b/templates/broker.template.yaml 
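Review bot: FUSE_IMAGE_STREAMS_NAMESPACE is no longer referenced in getFuseObj once the `ImageStreamNamespace` line is dropped; if this was its only use in the package, the constant should be removed in the same commit, since Go does not flag unused package-level constants and it would otherwise linger as dead configuration.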
@@ -424,6 +424,546 @@ objects: name: managed-service-role-for-syndesis-operator apiGroup: rbac.authorization.k8s.io + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: syndesis-installer + subjects: + - kind: ServiceAccount + name: default + namespace: ${NAMESPACE} + roleRef: + kind: ClusterRole + name: syndesis-installer + apiGroup: rbac.authorization.k8s.io + + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + app: syndesis + syndesis.io/app: syndesis + syndesis.io/component: syndesis-operator + syndesis.io/type: operator + name: syndesis-installer + rules: + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - impersonate + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - apiGroups: + - "" + - project.openshift.io + resources: + - projects + verbs: + - get + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - impersonate + - apiGroups: + - "" + resources: + - pods + - pods/exec + - services + - endpoints + - persistentvolumeclaims + - configmaps + - secrets + - serviceaccounts + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - apiGroups: + - "" + resources: + - replicationcontrollers + - replicationcontrollers/scale + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - patch + - apiGroups: + - apps + resources: + - daemonsets + - deployments + - deployments/scale + - replicasets + - replicasets/scale + - statefulsets + - statefulsets/scale + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - patch + - apiGroups: + - extensions + resources: + - daemonsets + - deployments + - deployments/scale + - ingresses + - networkpolicies + - replicasets + - replicasets/scale + - replicationcontrollers/scale + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - patch + - apiGroups: + - "" + 
resources: + - bindings + - events + - limitranges + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch + - apiGroups: + - "" + - build.openshift.io + resources: + - buildconfigs + - buildconfigs/webhooks + - builds + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - patch + - apiGroups: + - "" + - build.openshift.io + resources: + - buildconfigs/instantiate + - buildconfigs/instantiatebinary + - builds/clone + verbs: + - create + - apiGroups: + - "" + - build.openshift.io + resources: + - builds/details + verbs: + - update + - apiGroups: + - "" + - build.openshift.io + resources: + - builds/log + verbs: + - get + - list + - watch + - apiGroups: + - "" + - apps.openshift.io + resources: + - deploymentconfigs + - deploymentconfigs/scale + - deploymentconfigs/finalizers + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - patch + - apiGroups: + - "" + - apps.openshift.io + resources: + - deploymentconfigrollbacks + - deploymentconfigs/instantiate + - deploymentconfigs/rollback + verbs: + - create + - apiGroups: + - "" + - apps.openshift.io + resources: + - deploymentconfigs/log + - deploymentconfigs/status + verbs: + - get + - list + - watch + - apiGroups: + - "" + - image.openshift.io + resources: + - imagestreams + - imagestreamimages + - imagestreammappings + - imagestreams/secrets + - imagestreamtags + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - patch + - apiGroups: + - "" + - image.openshift.io + resources: + - imagestreamimports + verbs: + - create + - apiGroups: + - "" + - image.openshift.io + resources: + - imagestreams/status + verbs: + - get + - list + - watch + - apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - 
patch + - apiGroups: + - "" + - template.openshift.io + resources: + - processedtemplates + - templateconfigs + - templateinstances + - templates + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - patch + - apiGroups: + - "" + - build.openshift.io + resources: + - buildlogs + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - patch + - apiGroups: + - syndesis.io + resources: + - '*' + - '*/finalizers' + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - apiGroups: + - "" + resources: + - pods + - services + - endpoints + - persistentvolumeclaims + - configmaps + - secrets + - serviceaccounts + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - apiGroups: + - "" + resources: + - replicationcontrollers + - replicationcontrollers/scale + - replicationcontrollers/status + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - apiGroups: + - "" + - build.openshift.io + resources: + - builds + - buildconfigs + - builds/details + - buildconfigs/webhooks + - buildconfigs/instantiatebinary + - builds/log + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - apiGroups: + - "" + - apps.openshift.io + resources: + - deploymentconfigs + - deploymentconfigs/finalizers + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - patch + - apiGroups: + - "" + - apps.openshift.io + resources: + - deploymentconfigrollbacks + - deploymentconfigs/instantiate + - deploymentconfigs/rollback + verbs: + - create + - apiGroups: + - "" + - apps.openshift.io + resources: + - deploymentconfigs/log + - deploymentconfigs/status + verbs: + - get + - list + - watch + - apiGroups: + - "" + - image.openshift.io + resources: + - imagestreams + - imagestreamimages + 
- imagestreammappings + - imagestreams/secrets + - imagestreamtags + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - patch + - apiGroups: + - "" + - image.openshift.io + resources: + - imagestreams/status + - imagestreamimports + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - get + - list + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - apiGroups: + - "" + - template.openshift.io + resources: + - processedtemplates + - templateconfigs + - templateinstances + - templates + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - patch + - apiGroups: + - authorization.openshift.io + resources: + - rolebindings + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - apiGroups: + - route.openshift.io + resources: + - routes + - routes/custom-host + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - patch + - apiGroups: + - camel.apache.org + resources: + - '*' + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - apiGroups: + - monitoring.coreos.com + resources: + - alertmanagers + - prometheuses + - servicemonitors + - prometheusrules + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - apiGroups: + - integreatly.org + resources: + - grafanadashboards + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - watch + - apiGroups: + - serving.knative.dev + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - eventing.knative.dev + resources: + - channels + verbs: + - get + - list + - watch + parameters: - name: NAMESPACE description: Namespace of the project that is being deployed to 
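Review bot: The new ClusterRoleBinding `syndesis-installer` makes the `default` ServiceAccount of ${NAMESPACE} the subject of a cluster-scoped role that includes `impersonate` on serviceaccounts, create/update/delete on secrets, and wildcard access to syndesis.io resources; because it is a ClusterRoleBinding these apply in every namespace, and every pod in ${NAMESPACE} that does not set serviceAccountName inherits them. A dedicated ServiceAccount for the broker should be the subject instead, e.g. `- kind: ServiceAccount`, `name: <broker-service-account>`, `namespace: ${NAMESPACE}` (placeholder name; the template does not show one in this hunk). The `serviceaccounts`/`impersonate` rule also appears twice in the new ClusterRole, and the pods/services/secrets/serviceaccounts resource list is repeated with overlapping verbs, so the rules could be deduplicated to make the granted surface easier to audit.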
diff --git a/tmp/build/broker/Dockerfile b/tmp/build/broker/Dockerfile index 19c8a71c..0fa89d23 100644 --- a/tmp/build/broker/Dockerfile +++ b/tmp/build/broker/Dockerfile @@ -1,6 +1,7 @@ FROM alpine:3.6 -RUN apk add --no-cache ca-certificates +RUN apk add --no-cache ca-certificates libc6-compat + RUN adduser -D managed-service USER managed-service
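Review bot: The added `libc6-compat` package carries no comment saying why it is needed; given that deployer.go in this commit now downloads and executes a syndesis-operator binary at provision time, it is presumably a glibc-linked binary that would not run under Alpine's musl without the shim, and a comment such as `# libc6-compat: glibc compatibility for the syndesis-operator binary fetched at runtime` would record that dependency for the next maintainer.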