Commit

Fix: Configdump deployment on OpenShift (#8)
* Fix: Configdump deployment on OpenShift

Co-authored-by: Michal Vala <michal.vala@gmail.com>
skabashnyuk and sparkoo authored Aug 10, 2020
1 parent d908fb0 commit cfd8b24
Showing 3 changed files with 149 additions and 107 deletions.
103 changes: 4 additions & 99 deletions README.md
Expand Up @@ -40,103 +40,8 @@ Options:

## Examples

An example of using Traefik with configbump as a sidecar in a single pod to enable configbump dynamically downloading configuration files to a directory that Traefik watches for configuration changes.

```yaml
# The only thing that our Pod needs is to have access to the cluster API and be able to read
# config maps. The following service account, role and role binding show the minimum perms required:
apiVersion: v1
kind: ServiceAccount
metadata:
name: sa-able-to-access-k8s-api-and-read-configmaps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: read-configmaps
rules:
- verbs:
- watch
- get
- list
apiGroups:
- ""
resources:
- configmaps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-config-maps-to-sa
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: read-configmaps
subjects:
- kind: ServiceAccount
name: sa-able-to-access-k8s-api-and-read-configmaps
---
# This is the Pod with Traefik and configbump as a sidecar. The only things required to make
# configbump do its job is to a) assign the proper service account to the Pod and b) connect
# the Traefik container and configbump container using a shared emptydir volume. There is no
# need for the volume to be persistent because configbump syncs its content with all the matching
# configmaps.
kind: Pod
apiVersion: v1
metadata:
name: traefik
spec:
serviceAccountName: sa-able-to-access-k8s-api-and-read-configmaps
containers:
- name: traefik
image: traefik
volumeMounts:
- name: config
mountPath: /etc/traefik
- name: dynamic-config
mountPath: "/dynamic-config"
- name: config-map-sync
image: che-incubator/configbump:latest
env:
- name: CONFIG_BUMP_DIR
value: "/dynamic-config"
- name: CM_LABELS
value: "config-for=traefik"
- name: CONFIG_BUMP_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: dynamic-config
mountPath: "/dynamic-config"
volumes:
- name: config
configMap:
name: traefik-config
- name: dynamic-config
emptyDir: {}
---

# This is the main configuration for Traefik. We configure it to listen
# for changes in the "/dynamic-config" directory - where we put all the
# configuration from the config maps labeled with "config-for" label equal
# "traefik".
kind: ConfigMap
apiVersion: v1
metadata:
name: traefik-config
data:
traefik.yml: |
global:
checkNewVersion: false
sendAnonymousUsage: false
entrypoints:
http:
address: ":8080"
https:
address: ":8443"
providers:
file:
directory: "/dynamic-config"
watch: true
An example of using Traefik with configbump as a sidecar in a single pod to enable configbump dynamically downloading configuration files to a directory that Traefik watches for configuration changes can be found in deploy_example.yaml file.
To apply it:
```
kubectl apply -f deploy_example.yaml
```
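Review bot: In the replacement README text, the sentence ending "can be found in deploy_example.yaml file" is followed directly by "To apply it:" with no blank line, so Markdown will render both as one paragraph; add a blank line and write the file name as a relative link, for example `[deploy_example.yaml](deploy_example.yaml)`. The removed inline example set `CM_LABELS` to `config-for=traefik`, while the new file sets `CONFIG_BUMP_LABELS`, so it is worth checking that the Options section above this hunk names the same variable the example now uses.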
9 changes: 1 addition & 8 deletions cmd/configbump/main.go
@@ -1,13 +1,11 @@
package main

import (
"context"
"os"

arg "github.com/alexflint/go-arg"
"github.com/che-incubator/configbump/pkg/configmaps"
"github.com/operator-framework/operator-sdk/pkg/k8sutil"
"github.com/operator-framework/operator-sdk/pkg/leader"
"github.com/operator-framework/operator-sdk/pkg/ready"
"sigs.k8s.io/controller-runtime/pkg/client/config"
logf "sigs.k8s.io/controller-runtime/pkg/log"
Expand Down Expand Up @@ -78,19 +76,14 @@ func initializeConfigMapController(labels string, baseDir string, namespace stri
}
}

err = leader.Become(context.Background(), controllerName)
if err != nil {
return err
}

ready := ready.NewFileReady()
err = ready.Set()
if err != nil {
return err
}
defer ready.Unset()

mgr, err := manager.New(cfg, manager.Options{Namespace: namespace})
mgr, err := manager.New(cfg, manager.Options{MetricsBindAddress: "0", Namespace: namespace})
if err != nil {
return err
}
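Review bot: The `leader.Become` block at the top of this hunk is removed with no comment and no explanation in the commit message, and `MetricsBindAddress: "0"` in the new `manager.New` call is a magic value. Add a short comment above `manager.New` saying why leader election is not needed for this process and that "0" turns the manager's metrics listener off, so a later change does not re-enable either by accident. If the metrics endpoint is being disabled because nothing in the example pod scrapes it, say so; an unneeded listener in a sidecar is also one less open port.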
144 changes: 144 additions & 0 deletions deploy_example.yaml
@@ -0,0 +1,144 @@
# The only thing that our Pod needs is to have access to the cluster API and be able to read
# config maps. The following service account, role and role binding show the minimum perms required:
apiVersion: v1
kind: ServiceAccount
metadata:
name: sa-able-to-access-k8s-api-and-read-configmaps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: read-configmaps
rules:
- verbs:
- watch
- get
- list
apiGroups:
- ""
resources:
- configmaps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-config-maps-to-sa
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: read-configmaps
subjects:
- kind: ServiceAccount
name: sa-able-to-access-k8s-api-and-read-configmaps
---
# This is the Pod with Traefik and configbump as a sidecar. The only things required to make
# configbump do its job is to a) assign the proper service account to the Pod and b) connect
# the Traefik container and configbump container using a shared emptydir volume. There is no
# need for the volume to be persistent because configbump syncs its content with all the matching
# configmaps.
kind: Pod
apiVersion: v1
metadata:
name: traefik
spec:
serviceAccountName: sa-able-to-access-k8s-api-and-read-configmaps
containers:
- name: traefik
image: docker.io/traefik:v2.2.8
volumeMounts:
- name: config
mountPath: /etc/traefik
- name: dynamic-config
mountPath: "/dynamic-config"
- name: config-map-sync
image: quay.io/che-incubator/configbump:latest
env:
- name: CONFIG_BUMP_DIR
value: "/dynamic-config"
- name: CONFIG_BUMP_LABELS
value: "app=che,role=gateway-config"
- name: CONFIG_BUMP_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: dynamic-config
mountPath: "/dynamic-config"
volumes:
- name: config
configMap:
name: traefik-config
- name: dynamic-config
emptyDir: {}
---

# This is the main configuration for Traefik. We configure it to listen
# for changes in the "/dynamic-config" directory - where we put all the
# configuration from the config maps labeled with "config-for" label equal
# "traefik".
kind: ConfigMap
apiVersion: v1
metadata:
name: traefik-config
data:
traefik.yml: |
global:
checkNewVersion: false
sendAnonymousUsage: false
entrypoints:
http:
address: ":8080"
https:
address: ":8443"
providers:
file:
directory: "/dynamic-config"
watch: true
---
kind: ConfigMap
apiVersion: v1
metadata:
name: che-gateway-che
labels:
app: che
role: gateway-config
data:
che.yml: |
http:
routers:
che:
rule: "PathPrefix(`/`)"
service: che
priority: 1
plugin-registry:
rule: "PathPrefix(`/plugin-registry`)"
service: plugin-registry
middlewares: [plugin-registry]
priority: 10
devfile-registry:
rule: "PathPrefix(`/devfile-registry`)"
service: devfile-registry
middlewares: [devfile-registry]
priority: 10
services:
che:
loadBalancer:
servers:
- url: 'http://che-host:8080'
plugin-registry:
loadBalancer:
servers:
- url: 'http://plugin-registry:8080'
devfile-registry:
loadBalancer:
servers:
- url: 'http://devfile-registry:8080'
middlewares:
plugin-registry:
stripPrefix:
prefixes:
- '/plugin-registry'
devfile-registry:
stripPrefix:
prefixes:
- '/devfile-registry'
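Review bot: The `config-map-sync` container uses the mutable tag `quay.io/che-incubator/configbump:latest`, while the Traefik image in the same Pod is pinned to `v2.2.8`; pin configbump to a release tag or digest so the example deploys a known build. The comment above the `traefik-config` ConfigMap still says the synced config maps are labeled `config-for` equal to `traefik`, but `CONFIG_BUMP_LABELS` is now `app=che,role=gateway-config`, so update the comment to match. Since only configbump writes to `/dynamic-config`, the `dynamic-config` mount in the `traefik` container could also be marked `readOnly: true`.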
