Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow server to control ansible pods #174

Merged
merged 4 commits into from
Jul 5, 2017
Merged

Allow server to control ansible pods #174

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
6c9133b
Add MY_POD_NAMESPACE environment variable
carbonin Jun 28, 2017
5a8e8a0
Add a new service account for the orchestrator
carbonin Jun 30, 2017
adb2566
Start the ansible pods at 0 replicas
carbonin Jun 30, 2017
cd296dd
Edit the README to add the correct roles and scc to the new user
carbonin Jun 30, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 17 additions & 4 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,22 +52,23 @@ $ oc new-project <project_name> \

_At a minimum, only `<project_name>` is required._

### Add the miq-anyuid service account to the anyuid security context
### Add the miq-anyuid and miq-orchestrator service accounts to the anyuid security context

_**Note:**_ The current MIQ image requires the root user.

The miq-anyuid service account for your namespace (project) must be added to the anyuid SCC before pods using the service account can run as root.
These service accounts for your namespace (project) must be added to the anyuid SCC before pods using the service accounts can run as root.

_**As admin**_

```bash
$ oc adm policy add-scc-to-user anyuid system:serviceaccount:<your-namespace>:miq-anyuid
$ oc adm policy add-scc-to-user anyuid system:serviceaccount:<your-namespace>:miq-orchestrator
```

Verify that the miq-anyuid service account is now included in the anyuid scc
Verify that the service accounts are now included in the anyuid scc
```
$ oc describe scc anyuid | grep Users
Users: system:serviceaccount:<your-namespace>:miq-anyuid
Users: system:serviceaccount:<your-namespace>:miq-anyuid,system:serviceaccount:<your-namespace>:miq-orchestrator
```

### Add the miq-privileged service account to the privileged security context
Expand All @@ -88,6 +89,18 @@ $ oc describe scc privileged | grep Users
Users: system:serviceaccount:<your-namespace>:miq-privileged
```

### Add the view and edit roles to the orchestrator service account

This will allow the ManageIQ pod to scale other pods up and down.
In particular we use this to scale the Ansible pod when the Embedded Ansible role is enabled.

_**As basic user**_

```bash
oc policy add-role-to-user view system:serviceaccount:<your-namespace>:miq-orchestrator -n <your-namespace>
oc policy add-role-to-user edit system:serviceaccount:<your-namespace>:miq-orchestrator -n <your-namespace>
```

### Make persistent volumes to host the MIQ database and application data

A basic (single server/replica) deployment needs at least 2 persistent volumes (PVs) to store MIQ data:
Expand Down
15 changes: 12 additions & 3 deletions templates/miq-template-ext-db.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@ metadata:
tags: "instant-app,manageiq,miq"
iconClass: "icon-rails"
objects:
- apiVersion: v1
kind: ServiceAccount
metadata:
name: miq-orchestrator
- apiVersion: v1
kind: ServiceAccount
metadata:
Expand Down Expand Up @@ -130,6 +134,11 @@ objects:
name: "${NAME}-server"
mountPath: "/persistent"
env:
-
name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
-
name: "APPLICATION_INIT_DELAY"
value: "${APPLICATION_INIT_DELAY}"
Expand Down Expand Up @@ -177,8 +186,8 @@ objects:
exec:
command:
- /opt/manageiq/container-scripts/sync-pv-data
serviceAccount: miq-anyuid
serviceAccountName: miq-anyuid
serviceAccount: miq-orchestrator
serviceAccountName: miq-orchestrator
terminationGracePeriodSeconds: 90
volumeClaimTemplates:
- metadata:
Expand Down Expand Up @@ -326,7 +335,7 @@ objects:
strategy:
type: "Recreate"
serviceName: "${ANSIBLE_SERVICE_NAME}"
replicas: 1
replicas: 0
template:
metadata:
labels:
Expand Down
15 changes: 12 additions & 3 deletions templates/miq-template.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@ metadata:
tags: "instant-app,manageiq,miq"
iconClass: "icon-rails"
objects:
- apiVersion: v1
kind: ServiceAccount
metadata:
name: miq-orchestrator
- apiVersion: v1
kind: ServiceAccount
metadata:
Expand Down Expand Up @@ -148,6 +152,11 @@ objects:
name: "${NAME}-server"
mountPath: "/persistent"
env:
-
name: MY_POD_NAMESPACE
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you need this in the other template as well.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

valueFrom:
fieldRef:
fieldPath: metadata.namespace
-
name: "APPLICATION_INIT_DELAY"
value: "${APPLICATION_INIT_DELAY}"
Expand Down Expand Up @@ -195,8 +204,8 @@ objects:
exec:
command:
- /opt/manageiq/container-scripts/sync-pv-data
serviceAccount: miq-anyuid
serviceAccountName: miq-anyuid
serviceAccount: miq-orchestrator
serviceAccountName: miq-orchestrator
terminationGracePeriodSeconds: 90
volumeClaimTemplates:
- metadata:
Expand Down Expand Up @@ -417,7 +426,7 @@ objects:
strategy:
type: "Recreate"
serviceName: "${ANSIBLE_SERVICE_NAME}"
replicas: 1
replicas: 0
template:
metadata:
labels:
Expand Down