NMS-16238: Allow multiple minions to run in the same cluster (#42)

* Allow multiple instances of Minion in the same namespace * increment the chart version * Add create property for sa and scc * undo original changes * update readme file * fix values schema json * Apply recommendations
OpenNMS · Nov 17, 2023 · bf0fada · bf0fada
1 parent 8997098
commit bf0fada
Show file tree

Hide file tree

Showing 16 changed files with 22 additions and 30 deletions.
diff --git a/minion/Chart.yaml b/minion/Chart.yaml
@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.1.2
+version: 1.1.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/minion/OpenShift_README.md b/minion/OpenShift_README.md
@@ -23,7 +23,6 @@ This documentation provides basic information on how to install Minion on Red Ha
 6. Under Repository, select the newly created repository entry.
 7. Click on Minion.
 8.	Make sure that the project name matches the name you set in step 2.
-    * Skip this step if you are setting “CreateNamespace” option to true.
 9.	Make the required modifications (for example, set the PostgreSQL information).
 10.	Click Create.
 11.	Wait for the pods to come up. This may take a few minutes.

diff --git a/minion/README.md b/minion/README.md
@@ -16,7 +16,6 @@ This template can be used to bring up a minion and connect it to a OpenNMS core.
 | clusterRole | bool | `true` |  |
 | clusterRoleBinding | bool | `true` |  |
 | core.instanceID | string | `"monms"` |  |
-| createNamespace | bool | `false` |  |
 | imagePullSecrets | list | `[]` |  |
 | minion.configuration.ports.karaf.enabled | bool | `true` |  |
 | minion.configuration.ports.karaf.externalPort | int | `8201` |  |
@@ -40,8 +39,10 @@ This template can be used to bring up a minion and connect it to a OpenNMS core.
 | securitycontext.allowPrivilegeEscalation | bool | `true` |  |
 | securitycontext.allowedCapabilities[0] | string | `"NET_BIND_SERVICE"` |  |
 | securitycontext.allowedCapabilities[1] | string | `"CAP_NET_RAW"` |  |
+| securitycontext.securitycontextconstraints.create | bool | `true` |  |
 | securitycontext.securitycontextconstraints.enabled | bool | `true` |  |
 | securitycontext.securitycontextconstraints.name | string | `"minion-scc"` |  |
+| securitycontext.serviceaccount.create | bool | `true` |  |
 | securitycontext.serviceaccount.enabled | bool | `true` |  |
 | securitycontext.serviceaccount.name | string | `"minion-sa"` |  |
 | truststore.content | string | `""` |  |

diff --git a/minion/templates/docker.secret.yaml b/minion/templates/docker.secret.yaml
@@ -1,5 +1,5 @@
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-{{- $namespace := .Release.Name }}
+{{- $namespace := .Release.Namespace }}
 {{- range $k, $r := .Values.imagePullSecrets }}
 # TODO: find a better way to format this JSON that won't be sensitive to special characters
 {{- $json := printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" $r.dockerServer $r.dockerUsername $r.dockerPassword $r.dockerEmail (printf "%s:%s" $r.dockerUsername $r.dockerPassword | b64enc) }}
@@ -9,7 +9,6 @@ kind: Secret
 type: kubernetes.io/dockerconfigjson
 metadata:
   name: {{ $r.name }}
-  namespace: {{ $namespace }}
 data:
   .dockerconfigjson: {{ $json | b64enc }}
 {{- end }}
diff --git a/minion/templates/minion-configmap.yaml b/minion/templates/minion-configmap.yaml
@@ -3,7 +3,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: minion-settings
-  namespace: {{ .Release.Name }}
 data:
   minion-config.yaml: |
     id: {{ .Values.minion.name }}

diff --git a/minion/templates/minion-core.sa.yaml b/minion/templates/minion-core.sa.yaml
@@ -1,8 +1,7 @@
-{{- if and (eq (include "onOpenShift" .) "true") ((.Values.securitycontext).serviceaccount.enabled) }}
+{{- if and (eq (include "onOpenShift" .) "true") ((.Values.securitycontext).serviceaccount.create) ((.Values.securitycontext).serviceaccount.enabled) }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ (.Values.securitycontext).serviceaccount.name | quote }}
-  namespace: {{ .Release.Name }}
-{{- end }}
+{{- end }}
diff --git a/minion/templates/minion-core.scc.yaml b/minion/templates/minion-core.scc.yaml
@@ -1,9 +1,8 @@
-{{- if and (eq (include "onOpenShift" .) "true") ((.Values.securitycontext).securitycontextconstraints.enabled) }}
+{{- if and (eq (include "onOpenShift" .) "true") ((.Values.securitycontext).securitycontextconstraints.create) ((.Values.securitycontext).securitycontextconstraints.enabled) }}
 ---
 kind: SecurityContextConstraints
 metadata:
   name: {{ (.Values.securitycontext).securitycontextconstraints.name | quote }}
-  namespace: {{ .Release.Name }}
 allowHostDirVolumePlugin: false
 allowHostIPC: false
 allowHostNetwork: false

diff --git a/minion/templates/minion-data-pvc.yaml b/minion/templates/minion-data-pvc.yaml
@@ -3,7 +3,6 @@ kind: PersistentVolumeClaim
 metadata:
   creationTimestamp: null
   name: minion-data-folder
-  namespace: {{ .Release.Name }}
 spec:
   accessModes:
     - ReadWriteOnce

diff --git a/minion/templates/minion-deployment.yaml b/minion/templates/minion-deployment.yaml
@@ -5,7 +5,6 @@ metadata:
   name: minion
   labels:
     app: minion
-  namespace: {{ .Release.Name }}
 spec:
   replicas: 1
   selector:

diff --git a/minion/templates/minion-secret.yaml b/minion/templates/minion-secret.yaml
@@ -1,9 +1,10 @@
+{{- if .Values.truststore.content }}
 apiVersion: v1
 kind: Secret
 type: Opaque
 metadata:
   name: minion-app-jks
-  namespace: {{ .Release.Name }}
 data: # To be mounted at /etc/java/jks
   truststore.jks: |
      {{ .Values.truststore.content }}
+{{- end }}
diff --git a/minion/templates/minion-service.yaml b/minion/templates/minion-service.yaml
@@ -5,7 +5,6 @@ metadata:
   labels:
     app: minion
   name: minion
-  namespace: {{ .Release.Namespace }}
 spec:
   ports:
     {{- if .Values.minion.configuration.ports.karaf.enabled }}

diff --git a/minion/templates/minion.clusterrole.yaml b/minion/templates/minion.clusterrole.yaml
@@ -1,3 +1,4 @@
+{{ $name :=(printf "system:openshift:scc:%s" (.Values.securitycontext).securitycontextconstraints.name) }}
 {{- if and (eq (include "onOpenShift" .) "true") (.Values.clusterRole) }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/minion/templates/minion.clusterrolebinding.yaml b/minion/templates/minion.clusterrolebinding.yaml
@@ -1,3 +1,4 @@
+{{ $name :=(printf "system:openshift:scc:%s" (.Values.securitycontext).securitycontextconstraints.name) }}
 {{- if and (eq (include "onOpenShift" .) "true") (.Values.clusterRoleBinding) }}
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -6,7 +7,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: {{ (.Values.securitycontext).serviceaccount.name | quote }}
-    namespace: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/minion/templates/namespace.yaml b/minion/templates/namespace.yaml
diff --git a/minion/values.schema.json b/minion/values.schema.json
@@ -2,11 +2,6 @@
     "$schema": "http://json-schema.org/schema#",
     "type": "object",
     "properties": {
-        "createNamespace": {
-            "type": "boolean",
-            "title": "Create Namespace",
-            "default": false
-        },
         "imagePullSecrets": {
             "type": "array",
             "title": "Image Pull Secrets",
@@ -214,6 +209,10 @@
                             "type": "boolean",
                             "default": true
                         },
+                        "create": {
+                            "type": "boolean",
+                            "default": true
+                        },
                         "name": {
                             "type": "string",
                             "default": "opennms-scc"
@@ -228,6 +227,10 @@
                             "type": "boolean",
                             "default": true
                         },
+                        "create": {
+                            "type": "boolean",
+                            "default": true
+                        },
                         "name": {
                             "type": "string",
                             "default": "opennms-sa"

diff --git a/minion/values.yaml b/minion/values.yaml
@@ -1,5 +1,3 @@
-createNamespace: false  # Whether to create the namespace for this deployment
-
 # Red Hat OpenShift related settings for creating Cluster Role and Binding
 clusterRole: true
 clusterRoleBinding: true
@@ -63,7 +61,9 @@ securitycontext:
  allowPrivilegeEscalation: true
  securitycontextconstraints:
   enabled: true
+  create: true
   name: minion-scc
  serviceaccount:
   enabled: true
+  create: true
   name: minion-sa