Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use OpenShift API to control the Ansible container #15492

Merged

Conversation

carbonin
Copy link
Member

This PR mainly adds a new class called ContainerOrchestrator.

Its purpose is to abstract calls to the OpenShift API into easily consumable methods like #scale which will scale a given deployment config to a particular number of replicas.

In this PR I also change the EmbeddedAnsible class to utilize this in order to scale the ansible pod up when we start the embedded ansible role and scale it down when the role is disabled.

This ability requires some additional permissions for the server container which is handled using the server's service account in a separate PR to the manageiq-pods repo (ManageIQ/manageiq-pods#174)

@@ -0,0 +1,32 @@
require 'kubeclient'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we push this down in to the connection method to delay load it?

end

def client_auth_options
{ :bearer_token_file => TOKEN_FILE }
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Feels like we don't need a method for this considering that the ssl_options don't have a method of their own.

end
end


Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line is not necessary.

@Fryguy
Copy link
Member

Fryguy commented Jun 30, 2017

Looks good @carbonin ! A few minor comments.

URI::HTTPS.build(
:host => ENV["KUBERNETES_SERVICE_HOST"],
:port => ENV["KUBERNETES_SERVICE_PORT"],
:path => "/oapi"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Kill the bonus whitespace here between the keys and => to stop rubocop.

@carbonin carbonin force-pushed the use_openshift_api_to_start_ansible_container branch from 6a419cc to 59b25e2 Compare July 5, 2017 13:13
@carbonin carbonin force-pushed the use_openshift_api_to_start_ansible_container branch from 59b25e2 to 44868cd Compare July 5, 2017 13:34
Copy link
Member

@bdunne bdunne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 LGTM

Gemfile Outdated
@@ -55,6 +55,7 @@ gem "hamlit", "~>2.7.0"
gem "htauth", "2.0.0", :require => false
gem "inifile", "~>3.0", :require => false
gem "jbuilder", "~>2.5.0" # For the REST API
gem "kubeclient", "~>2.4.0", :require => false # For scaling pods at runtime
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we be this restrictive on this dependency? Maybe "~>2.4" would be better to avoid conflict with the provider repo? (Assuming they follow semver)

@miq-bot
Copy link
Member

miq-bot commented Jul 5, 2017

This pull request is not mergeable. Please rebase and repush.

@carbonin carbonin force-pushed the use_openshift_api_to_start_ansible_container branch from 44868cd to da932e3 Compare July 5, 2017 17:40
@@ -0,0 +1,29 @@

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Kill this blank line please. (You vim users and your leading blank lines :trollface: )

if MiqEnvironment::Command.is_container?
container_stop
else
services.each { |service| LinuxAdmin::Service.new(service).stop }
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if this should be extracted to a method like the container stuff is extracted to a method. Then this method just becomes a simple redirection method with no logic.

def self.stop
  MiqEnvironment::Command.is_container? ? container_stop : services_stop
end

Upon reading that maybe the methods should be stop_containers and stop_services, so that all 3 stop methods "group" themselves together

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I went with this rename I would probably go with appliance_stop and appliance_disable to match appliance_start which does more than start services in some cases. What do you think?

It's all private interface anyway so we could always change in a follow up.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe application_enable and application_disable

carbonin added 3 commits July 5, 2017 14:08
…t API

As a first pass it implements a #scale method which can be used to
change the desired number of replicas in a deployment config.

It also handles authenticating to the API using the pod's service
account token.
We require this directly now that we are using it from the core
application to scale pods at runtime
@carbonin carbonin force-pushed the use_openshift_api_to_start_ansible_container branch from da932e3 to 463922e Compare July 5, 2017 18:22
@miq-bot
Copy link
Member

miq-bot commented Jul 5, 2017

Checked commits carbonin/manageiq@3774758~...02ef655 with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0
4 files checked, 0 offenses detected
Everything looks fine. ⭐

@Fryguy Fryguy merged commit b0dbb77 into ManageIQ:master Jul 5, 2017
@Fryguy Fryguy added this to the Sprint 64 Ending Jul 10, 2017 milestone Jul 5, 2017
Kubeclient::Client.new(
manager_uri,
:auth_options => { :bearer_token_file => TOKEN_FILE },
:ssl_options => { :verify_ssl => OpenSSL::SSL::VERIFY_NONE }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

friendly reminder: will need something better than VERIFY_NONE eventually :)

This is to be used when MIQ runs inside the cluster, right?
https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/#trusting-tls-in-a-cluster
sounds like we can use /var/run/secrets/kubernetes.io/serviceaccount/ca.crt

@carbonin carbonin deleted the use_openshift_api_to_start_ansible_container branch October 13, 2017 19:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants