Fix #64: Add ServiceAccount to the Roles manifest to allow the operator to create and manage the Nexus SA (#65)

Signed-off-by: Ricardo Zanini <[email protected]>
ricardozanini authored May 15, 2020
1 parent ac531e4 commit b5495de
Showing 11 changed files with 543 additions and 30 deletions.
2 changes: 1 addition & 1 deletion .osdk-scorecard.yaml
Expand Up @@ -8,4 +8,4 @@ scorecard:
- olm:
cr-manifest:
- "deploy/crds/apps.m88i.io_v1alpha1_nexus_cr.yaml"
csv-path: "deploy/olm-catalog/nexus-operator/0.2.0/nexus-operator.v0.2.0.clusterserviceversion.yaml"
csv-path: "deploy/olm-catalog/nexus-operator/0.2.1/nexus-operator.v0.2.1.clusterserviceversion.yaml"
13 changes: 7 additions & 6 deletions README.md
Expand Up @@ -6,7 +6,7 @@ Table of Contents
* [Nexus Operator](#nexus-operator)
* [Pre Requisites](#pre-requisites)
* [Quick Install](#quick-install)
* [Openshift 3.x](#openshift-3x)
* [Openshift](#openshift)
* [Clean up](#clean-up)
* [Networking](#networking)
* [Use NodePort](#use-nodeport)
Expand Down Expand Up @@ -44,13 +44,14 @@ kubectl edit nexus

If you're running on Kubernetes, edit the Nexus resource to add a [valid host for the Ingress](#network-on-kubernetes-114) to work.

### Openshift 3.x
### Openshift

If you're running the Operator on Openshift 3.x it's also necessary to configure a [Security Context Constraints](https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html) (SCC) resource.
If you're running the Operator on Openshift (3.11 or 4.x+) it's also necessary to configure a [Security Context Constraints](https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html) (SCC) resource.

This is necessary because the Nexus image requires its container to be ran as UID 200. The use of default SCC resources in Openshift 3.x results in a failure when starting the pods, as seen in [Issue #41](https://github.com/m88i/nexus-operator/issues/41).
This is necessary because the Nexus image requires its container to be ran as UID 200. The use of default SCC resources in Openshift results in a failure when starting the pods, as seen in [Issue #41](https://github.com/m88i/nexus-operator/issues/41).

Valid SCC resources can be found at the `examples/` directory. You must associate the SCC with the `ServiceAccount` in use. In the commands below it is assumed you'll be using the default `ServiceAccount` created when deploying a new Nexus CR.

For persistent configurations:

```
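Review bot: the sentence "If you're running the Operator on Openshift (3.11 or 4.x+)" now covers 4.x but still links only the 3.11 manage_scc.html guide; either add the 4.x SCC documentation link or state that the 3.11 page applies to both. In the same hunk, "requires its container to be ran as UID 200" should read "run as UID 200". And since the CRD added in this commit documents that, when `serviceAccountName` is blank, "a default ServiceAccount is created with the same name as the Nexus CR", the line "it is assumed you'll be using the default `ServiceAccount` created when deploying a new Nexus CR" should say that name outright so the reader knows what to pass to `-z` in the binding command that follows.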
Expand All @@ -60,15 +61,15 @@ $ oc apply -f examples/scc-persistent.yaml
For volatile configurations:

```
$ oc apply -f examples/scc-persistent.yaml
$ oc apply -f examples/scc-volatile.yaml
```

> **Note**: you must choose one or the other, applying both will result in using the one applied last.
Once the SCC has been created, run:

```
$ oc adm policy add-scc-to-user nexus-operator -z <ServiceAccountName>
$ oc adm policy add-scc-to-user <SCCName> -z <ServiceAccountName>
```

This command will bind the SCC we just created with the `ServiceAccount` being used to create the Pods.
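Review bot: the note "you must choose one or the other, applying both will result in using the one applied last" no longer holds once the example SCC is renamed to a placeholder in this same commit: two SCCs with different `metadata.name` values coexist, and which one a pod is admitted under is decided by the `add-scc-to-user` binding (and, when a ServiceAccount is bound to several SCCs, by OpenShift's SCC priority and restrictiveness ordering), not by apply order. Reword the note to say the ServiceAccount should be bound to exactly one of the two SCCs. Also, `oc adm policy add-scc-to-user <SCCName> -z <ServiceAccountName>` resolves the ServiceAccount in the current project; add `-n <namespace>` (or tell the reader to `oc project` into the Nexus CR's namespace first) so the binding is not silently granted to a same-named SA in another project.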
Expand Down
230 changes: 230 additions & 0 deletions deploy/olm-catalog/nexus-operator/0.2.1/apps.m88i.io_nexus_crd.yaml
@@ -0,0 +1,230 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: nexus.apps.m88i.io
spec:
group: apps.m88i.io
names:
kind: Nexus
listKind: NexusList
plural: nexus
singular: nexus
scope: Namespaced
validation:
openAPIV3Schema:
description: Nexus custom resource to deploy the Nexus Server
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: NexusSpec defines the desired state of Nexus
properties:
image:
description: 'Full image tag name for this specific deployment Default:
docker.io/sonatype/nexus3:latest'
type: string
networking:
description: Networking definition
properties:
expose:
description: Set to `true` to expose the Nexus application. Default
to false.
type: boolean
exposeAs:
description: 'Type of networking exposure: NodePort, Route or Ingress.
Default to Route on OpenShift and Ingress on Kubernetes.'
enum:
- NodePort
- Route
- Ingress
type: string
host:
description: Host where the Nexus service is exposed. This attribute
is required if the service is exposed via Ingress.
type: string
nodePort:
description: NodePort defined in the exposed service. Required if
exposed via NodePort.
format: int32
type: integer
tls:
description: TLS/SSL-related configuration
properties:
mandatory:
description: When exposing via Route, set to `true` to only
allow encrypted traffic using TLS (disables HTTP in favor
of HTTPS). Defaults to false.
type: boolean
secretName:
description: When exposing via Ingress, inform the name of the
TLS secret containing certificate and private key for TLS
encryption. It must be present in the same namespace as the
Operator.
type: string
type: object
type: object
persistence:
description: Persistence definition
properties:
persistent:
description: Flag to indicate if this instance will be persistent
or not
type: boolean
storageClass:
description: StorageClass used by the managed PVC.
type: string
volumeSize:
description: 'If persistent, the size of the Volume. Defaults: 10Gi'
type: string
required:
- persistent
type: object
replicas:
description: 'Number of pods replicas desired Default: 1'
format: int32
maximum: 100
minimum: 1
type: integer
resources:
description: Defined Resources for the Nexus instance
properties:
limits:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: 'Limits describes the maximum amount of compute resources
allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
type: object
requests:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: 'Requests describes the minimum amount of compute resources
required. If Requests is omitted for a container, it defaults
to Limits if that is explicitly specified, otherwise to an implementation-defined
value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
type: object
type: object
serviceAccountName:
description: ServiceAccountName is the name of the ServiceAccount used
to run the Pods. If left blank, a default ServiceAccount is created
with the same name as the Nexus CR.
type: string
useRedHatImage:
description: 'If you have access to Red Hat Container Catalog, turn
this to true to use the certified image provided by Sonatype Default:
false'
type: boolean
required:
- persistence
- replicas
- useRedHatImage
type: object
status:
description: NexusStatus defines the observed state of Nexus
properties:
deploymentStatus:
description: Condition status for the Nexus deployment
properties:
availableReplicas:
description: Total number of available pods (ready for at least
minReadySeconds) targeted by this deployment.
format: int32
type: integer
collisionCount:
description: Count of hash collisions for the Deployment. The Deployment
controller uses this field as a collision avoidance mechanism
when it needs to create the name for the newest ReplicaSet.
format: int32
type: integer
conditions:
description: Represents the latest available observations of a deployment's
current state.
items:
description: DeploymentCondition describes the state of a deployment
at a certain point.
properties:
lastTransitionTime:
description: Last time the condition transitioned from one
status to another.
format: date-time
type: string
lastUpdateTime:
description: The last time this condition was updated.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False,
Unknown.
type: string
type:
description: Type of deployment condition.
type: string
required:
- status
- type
type: object
type: array
observedGeneration:
description: The generation observed by the deployment controller.
format: int64
type: integer
readyReplicas:
description: Total number of ready pods targeted by this deployment.
format: int32
type: integer
replicas:
description: Total number of non-terminated pods targeted by this
deployment (their labels match the selector).
format: int32
type: integer
unavailableReplicas:
description: Total number of unavailable pods targeted by this deployment.
This is the total number of pods that are still required for the
deployment to have 100% available capacity. They may either be
pods that are running but not yet available or pods that still
have not been created.
format: int32
type: integer
updatedReplicas:
description: Total number of non-terminated pods targeted by this
deployment that have the desired template spec.
format: int32
type: integer
type: object
nexusRoute:
description: Route for external service access
type: string
nexusStatus:
description: Will be "OK" when all objects are created successfully
type: string
type: object
type: object
version: v1alpha1
versions:
- name: v1alpha1
served: true
storage: true
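Review bot: the `tls.secretName` description says the TLS secret "must be present in the same namespace as the Operator", but an Ingress can only reference a Secret in its own namespace, which is the namespace of the Nexus CR; that coincides with the Operator's namespace only in a single-namespace install, so the text should say "in the same namespace as the Nexus CR". Second, `serviceAccountName` lets a CR author point the Nexus pods at any existing ServiceAccount in the namespace, and the CSV in this commit gives the operator `create`/`delete` on `serviceaccounts`; make sure the reconcile loop only creates and garbage-collects the SA it created itself (the one named after the CR) and never deletes a user-supplied one named in the spec. Lastly, `apiextensions.k8s.io/v1beta1` is consistent with the CSV's `minKubeVersion: 1.11.0`, but that API is deprecated since Kubernetes 1.16 and removed in 1.22, so a `v1` CRD with the schema under `versions[].schema` will be needed for newer clusters.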


Expand Up @@ -35,13 +35,13 @@ metadata:
capabilities: Basic Install
categories: Developer Tools
certified: "false"
containerImage: quay.io/m88i/nexus-operator:0.2.0
containerImage: quay.io/m88i/nexus-operator:0.2.1
createdAt: "2019-11-16T13:12:22Z"
description: Nexus Operator to deploy and manage Nexus 3.x servers
repository: https://github.com/m88i/nexus-operator
support: m88i Labs
tectonic-visibility: ocs
name: nexus-operator.v0.2.0
name: nexus-operator.v0.2.1
namespace: placeholder
spec:
apiservicedefinitions: {}
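Review bot: `createdAt: "2019-11-16T13:12:22Z"` is carried over unchanged into the 0.2.1 CSV while `containerImage` and `name` are bumped; give the new bundle its own timestamp, otherwise the catalog shows 0.2.1 with the same creation date as the 0.2.0 release it replaces.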
Expand Down Expand Up @@ -132,7 +132,7 @@ spec:
fieldPath: metadata.name
- name: OPERATOR_NAME
value: nexus-operator
image: quay.io/m88i/nexus-operator:0.2.0
image: quay.io/m88i/nexus-operator:0.2.1
imagePullPolicy: Always
name: nexus-operator
resources: {}
Expand All @@ -152,6 +152,7 @@ spec:
- secrets
- replicationcontrollers
- podtemplates
- serviceaccounts
verbs:
- create
- delete
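Review bot: this `serviceaccounts` entry is the permission that actually fixes #64, and `create`/`delete` on a resource that is a principal deserves the narrowest scope: keep it in the namespaced `permissions` block rather than `clusterPermissions`, and limit the operator to creating, getting, updating and deleting only the SA named after the CR. The same rule needs to land in `deploy/role.yaml`, which is the role used by the non-OLM `deploy/operator.yaml` install also bumped in this commit; it is not visible in the rendered part of the diff, so please confirm it is among the collapsed files.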
Expand Down Expand Up @@ -275,4 +276,5 @@ spec:
minKubeVersion: 1.11.0
provider:
name: m88i Labs
version: 0.2.0
replaces: nexus-operator.v0.2.0
version: 0.2.1
@@ -1,5 +1,5 @@
channels:
- currentCSV: nexus-operator.v0.2.0
- currentCSV: nexus-operator.v0.2.1
name: alpha
defaultChannel: alpha
packageName: nexus-operator-m88i
6 changes: 3 additions & 3 deletions deploy/operator.yaml
Expand Up @@ -15,9 +15,9 @@ spec:
serviceAccountName: nexus-operator
containers:
- name: nexus-operator
image: quay.io/m88i/nexus-operator:0.2.0
image: quay.io/m88i/nexus-operator:0.2.1
command:
- nexus-operator
- nexus-operator
imagePullPolicy: Always
env:
- name: WATCH_NAMESPACE
Expand All @@ -29,4 +29,4 @@ spec:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAME
value: "nexus-operator"
value: "nexus-operator"
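Review bot: besides the image bump to `quay.io/m88i/nexus-operator:0.2.1`, this hunk re-indents `- nexus-operator` under `command:` and the `value: "nexus-operator"` line; these are whitespace-only changes that widen the diff of a version bump, so either keep them out of the release commit or call them out in the commit message.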
14 changes: 7 additions & 7 deletions examples/scc-persistent.yaml
@@ -1,11 +1,11 @@
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: nexus-operator
name: <Change Me!>
fsGroup:
ranges:
- max: 200
min: 200
- max: 200
min: 200
type: MustRunAs
runAsUser:
type: MustRunAs
Expand All @@ -14,9 +14,9 @@ seLinuxContext:
type: MustRunAs
supplementalGroups:
ranges:
- max: 200
min: 200
- max: 200
min: 200
type: MustRunAs
volumes:
- persistentVolumeClaim
- secret
- persistentVolumeClaim
- secret
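Review bot: `name: <Change Me!>` is not a valid object name (Kubernetes names must be DNS-1123 subdomains: lowercase alphanumerics, `-` and `.`), so `oc apply -f examples/scc-persistent.yaml`, which the README in this commit still shows verbatim, now fails validation until the user edits the file. Prefer a valid default such as `nexus-operator-persistent` with a `# change me` comment, or move the rename instruction into the README. The remaining changes in this hunk (the `fsGroup`, `supplementalGroups` and `volumes` list items) are re-indentation only, with the 200/200 ranges and `MustRunAs` strategies unchanged.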
