Added instructions for daemonsets on OpenShift (#346)

* Added instructions for DaemonSets on OpenShift

Closes #459

Signed-off-by: Juraci Paixão Kröhling <[email protected]>

* Moved new examples to OpenShift directory

Signed-off-by: Juraci Paixão Kröhling <[email protected]>

* Fixed path to the new files in the readme

Signed-off-by: Juraci Paixão Kröhling <[email protected]>

README.adoc

@@ -97,6 +97,33 @@ oc create \
 
 After the role is granted, switch back to a non-privileged user.
 
+Jaeger Agent can be configured to be deployed as a `DaemonSet` using a `HostPort` to allow Jaeger clients in the same node to discover the agent. In OpenShift, a `HostPort` can only be set when a special security context is set. A separate service account can be used by the Jaeger Agent with the permission to bind to `HostPort`, as follows:
+
+[source,bash]
+----
+oc create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/examples/openshift/hostport-scc-daemonset.yaml # <1>
+
+oc new-project myappnamespace
+oc create -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/examples/openshift/service_account_jaeger-agent-daemonset.yaml # <2>
+oc adm policy add-scc-to-user daemonset-with-hostport -z jaeger-agent-daemonset # <3>
+oc apply -f https://raw.githubusercontent.com/jaegertracing/jaeger-operator/master/deploy/examples/openshift/agent-as-daemonset.yaml # <4>
+----
+<1> The `SecurityContextConstraints` with the `allowHostPorts` policy
+<2> The `ServiceAccount` to be used by the Jaeger Agent
+<3> Adds the security policy to the service account
+<4> Creates the Jaeger Instance using the `serviceAccount` created in the steps above
+
+WARNING: without such a policy, errors like the following will prevent a `DaemonSet` to be created: `Warning FailedCreate 4s (x14 over 45s) daemonset-controller Error creating: pods "agent-as-daemonset-agent-daemonset-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 5775: Host ports are not allowed to be used`
+
+After a few seconds, the `DaemonSet` should be up and running:
+
+[source,console]
+----
+$ oc get daemonset agent-as-daemonset-agent-daemonset
+NAME                                 DESIRED   CURRENT   READY     UP-TO-DATE   AVAILABLE
+agent-as-daemonset-agent-daemonset   1         1         1         1            1        
+----
+
 == Creating a new Jaeger instance
 
 Example custom resources, for different configurations of Jaeger, can be found https://github.com/jaegertracing/jaeger-operator/tree/master/deploy/examples[here].

deploy/examples/openshift/agent-as-daemonset.yaml

@@ -0,0 +1,10 @@
+apiVersion: jaegertracing.io/v1
+kind: Jaeger
+metadata:
+  name: agent-as-daemonset
+spec:
+  agent:
+    strategy: DaemonSet
+    serviceAccount: jaeger-agent-daemonset
+    options:
+      log-level: debug

deploy/examples/openshift/hostport-scc-daemonset.yaml

@@ -0,0 +1,11 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: daemonset-with-hostport
+  annotations:
+    kubernetes.io/description: 'Allows DaemonSets to bind to a well-known host port'
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+allowHostPorts: true

deploy/examples/openshift/service_account_jaeger-agent-daemonset.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: jaeger-agent-daemonset