diff --git a/bindata/v4.1.0/config/defaultconfig.yaml b/bindata/v4.1.0/config/defaultconfig.yaml 
index 333b41626..bf42297f8 100644 
--- a/bindata/v4.1.0/config/defaultconfig.yaml 
+++ b/bindata/v4.1.0/config/defaultconfig.yaml 
@@ -11,10 +11,10 @@ extendedArguments:
 - "true"
 flex-volume-plugin-dir:
 - "/etc/kubernetes/kubelet-plugins/volume/exec" # created by machine-config-operator, owned by storage team/hekumar@redhat.com 
- pv-recycler-pod-template-filepath-nfs: 
- - "/etc/kubernetes/manifests/recycler-pod.yaml" # created by machine-config-operator, owned by storage team/fbertina@redhat.com 
- pv-recycler-pod-template-filepath-hostpath: 
- - "/etc/kubernetes/manifests/recycler-pod.yaml" # created by machine-config-operator, owned by storage team/fbertina@redhat.com 
+ pv-recycler-pod-template-filepath-nfs: # owned by storage team/fbertina@redhat.com 
+ - "/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml" 
+ pv-recycler-pod-template-filepath-hostpath: # owned by storage team/fbertina@redhat.com 
+ - "/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml"
 leader-elect:
 - "true"
 leader-elect-retry-period: 
diff --git a/bindata/v4.1.0/kube-controller-manager/pod.yaml b/bindata/v4.1.0/kube-controller-manager/pod.yaml 
index 6c8a62069..a537a2ceb 100644 
--- a/bindata/v4.1.0/kube-controller-manager/pod.yaml 
+++ b/bindata/v4.1.0/kube-controller-manager/pod.yaml 
@@ -38,8 +38,6 @@ spec:
 ports:
 - containerPort: 10257
 volumeMounts: 
- - mountPath: /etc/kubernetes/manifests 
- name: manifests-dir # Used in the KubeControllerManagerConfig to pass in recycler pod templates
 - mountPath: /etc/kubernetes/static-pod-resources
 name: resource-dir
 - mountPath: /etc/kubernetes/static-pod-certs 
@@ -163,9 +161,6 @@ spec:
 tolerations:
 - operator: "Exists"
 volumes: 
- - hostPath: 
- path: /etc/kubernetes/manifests 
- name: manifests-dir
 - hostPath:
 path: /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-REVISION
 name: resource-dir 
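Review bot: The new pv-recycler-pod-template-filepath-nfs and -hostpath values in the defaultconfig.yaml hunk point at a file under /etc/kubernetes/static-pod-resources/configmaps/recycler-config/, but with the old "created by machine-config-operator" comment gone nothing in the config says where that file comes from. This diff also adds `{Name: "recycler-config"}` to deploymentConfigMaps in starter.go and keeps the resource-dir mount of /etc/kubernetes/static-pod-resources in pod.yaml, so a comment on the key would save the next reader the hunt: `# mounted from configmap/recycler-config (listed in deploymentConfigMaps, pkg/operator/starter.go); owned by storage team/fbertina@redhat.com`. The configmaps/<name>/<key> layout under the revision directory is inferred from the other hunks rather than shown here, so confirm it against the installer before wording the comment. Dropping the hostPath mount of /etc/kubernetes/manifests in the pod.yaml hunks is a welcome narrowing of what the controller-manager container can see on the host.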
diff --git a/bindata/v4.1.0/kube-controller-manager/recycler-cm.yaml b/bindata/v4.1.0/kube-controller-manager/recycler-cm.yaml 
new file mode 100644 
index 000000000..61d6e99d0 
--- /dev/null 
+++ b/bindata/v4.1.0/kube-controller-manager/recycler-cm.yaml 
@@ -0,0 +1,31 @@ 
+apiVersion: v1 
+kind: ConfigMap 
+metadata: 
+ namespace: openshift-kube-controller-manager 
+ name: recycler-config 
+data: 
+ recycler-pod.yaml: | 
+ apiVersion: v1 
+ kind: Pod 
+ metadata: 
+ name: recycler-pod 
+ namespace: openshift-infra 
+ spec: 
+ activeDeadlineSeconds: 60 
+ restartPolicy: Never 
+ serviceAccountName: pv-recycler-controller 
+ containers: 
+ - name: recycler-container 
+ image: "${TOOLS_IMAGE}" 
+ command: 
+ - "/bin/bash" 
+ args: 
+ - "-c" 
+ - "test -e /scrub && rm -rf /scrub/..?* /scrub/.[!.]* /scrub/* && test -z \"$(ls -A /scrub)\" || exit 1" 
+ volumeMounts: 
+ - mountPath: /scrub 
+ name: vol 
+ securityContext: 
+ runAsUser: 0 
+ volumes: 
+ - name: vol 
diff --git a/manifests/0000_25_kube-controller-manager-operator_06_deployment.yaml b/manifests/0000_25_kube-controller-manager-operator_06_deployment.yaml 
index 9ff34c74d..f3f180a30 100644 
--- a/manifests/0000_25_kube-controller-manager-operator_06_deployment.yaml 
+++ b/manifests/0000_25_kube-controller-manager-operator_06_deployment.yaml 
@@ -49,6 +49,8 @@ spec:
 value: docker.io/openshift/origin-cluster-kube-controller-manager-operator:v4.0
 - name: CLUSTER_POLICY_CONTROLLER_IMAGE
 value: quay.io/openshift/origin-cluster-policy-controller:v4.3 
+ - name: TOOLS_IMAGE 
+ value: quay.io/openshift/origin-tools:latest
 - name: OPERATOR_IMAGE_VERSION
 value: "0.0.1-snapshot"
 - name: OPERAND_IMAGE_VERSION 
diff --git a/manifests/image-references b/manifests/image-references 
index 7c693c1c4..295d6d4bb 100644 
--- a/manifests/image-references 
+++ b/manifests/image-references 
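Review bot: The pod template embedded in recycler-cm.yaml has two things a reader will take for bugs without a comment: `image: "${TOOLS_IMAGE}"` is a placeholder that manageRecycler in targetconfigcontroller.go rewrites before the ConfigMap is applied, and `volumes: - name: vol` carries no volume source. The first is certain from this diff; the second is presumably filled in by the recycler controller from the PV being scrubbed, which is not shown here, so confirm that before documenting it. I would add above the block scalar `# ${TOOLS_IMAGE} is substituted by manageRecycler (pkg/operator/targetconfigcontroller) at apply time` and above the volume `# volume source intentionally empty — TODO confirm the PV recycler supplies it`. The same comment should say that this template runs `rm -rf` as runAsUser 0 over whatever is mounted at /scrub, so edits to this ConfigMap are security-relevant and the operator's periodic re-apply is what keeps it authoritative.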
@@ -14,3 +14,7 @@ spec:
 from:
 kind: DockerImage
 name: quay.io/openshift/origin-cluster-policy-controller:v4.3 
+ - name: tools # owned by storage team/fbertina@redhat.com 
+ from: 
+ kind: DockerImage 
+ name: quay.io/openshift/origin-tools:latest 
diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go 
index a3a111104..4ac3b1754 100644 
--- a/pkg/operator/starter.go 
+++ b/pkg/operator/starter.go 
@@ -104,6 +104,7 @@ func RunOperator(ctx context.Context, cc *controllercmd.ControllerContext) error
 os.Getenv("IMAGE"),
 os.Getenv("OPERATOR_IMAGE"),
 os.Getenv("CLUSTER_POLICY_CONTROLLER_IMAGE"), 
+ os.Getenv("TOOLS_IMAGE"),
 kubeInformersForNamespaces,
 operatorClient,
 kubeClient, 
@@ -218,6 +219,7 @@ var deploymentConfigMaps = []revision.RevisionResource{
 {Name: "kube-controller-cert-syncer-kubeconfig"},
 {Name: "serviceaccount-ca"},
 {Name: "service-ca"}, 
+ {Name: "recycler-config"},
 }
 // deploymentSecrets is a list of secrets that are directly copied for the current values. A different actor/controller modifies these. 
diff --git a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go 
index 66461c730..1f7a62c91 100644 
--- a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go 
+++ b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go 
@@ -53,6 +53,7 @@ type TargetConfigController struct {
 targetImagePullSpec string
 operatorImagePullSpec string
 clusterPolicyControllerPullSpec string 
+ toolsImagePullSpec string
 operatorClient v1helpers.StaticPodOperatorClient 
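Review bot: The new `tools` entry in image-references, like the TOOLS_IMAGE default in the deployment manifest, uses the floating tag `quay.io/openshift/origin-tools:latest`, while the sibling entry in the same hunk is pinned (`origin-cluster-policy-controller:v4.3`). Presumably the release payload rewrites these pull specs, in which case the tag only governs dev/local runs, but a floating tag still makes that fallback non-reproducible and means the image that runs `rm -rf` as root inside recycler pods can change underneath you; pinning it to a version tag as the siblings do is cheap. In the starter.go hunk the value is read with `os.Getenv("TOOLS_IMAGE")` and passed through with no emptiness check, so a missing env var reaches the recycler ConfigMap as an empty image; a comment on that line, `// TOOLS_IMAGE is set by the operator deployment manifest; required for the PV recycler pod`, would at least record the dependency. RunOperator starts and ends outside the hunk.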
@@ -68,7 +69,7 @@ type TargetConfigController struct {
 func NewTargetConfigController(
 ctx context.Context, 
- targetImagePullSpec, operatorImagePullSpec, clusterPolicyControllerPullSpec string, 
+ targetImagePullSpec, operatorImagePullSpec, clusterPolicyControllerPullSpec, toolsImagePullSpec string,
 kubeInformersForNamespaces v1helpers.KubeInformersForNamespaces,
 operatorClient v1helpers.StaticPodOperatorClient,
 kubeClient kubernetes.Interface, 
@@ -80,6 +81,7 @@ func NewTargetConfigController(
 targetImagePullSpec: targetImagePullSpec,
 operatorImagePullSpec: operatorImagePullSpec,
 clusterPolicyControllerPullSpec: clusterPolicyControllerPullSpec, 
+ toolsImagePullSpec: toolsImagePullSpec,
 configMapLister: kubeInformersForNamespaces.ConfigMapLister(),
 secretLister: kubeInformersForNamespaces.SecretLister(), 
@@ -196,6 +198,10 @@ func createTargetConfigController(ctx context.Context, c TargetConfigController,
 if err != nil {
 errors = append(errors, fmt.Errorf("%q: %v", "configmap/cluster-policy-controller-config", err))
 } 
+ _, _, err = manageRecycler(ctx, c.kubeClient.CoreV1(), recorder, c.toolsImagePullSpec) 
+ if err != nil { 
+ errors = append(errors, fmt.Errorf("%q: %v", "configmap/recycler-config", err)) 
+ }
 _, _, err = ManageCSRIntermediateCABundle(ctx, c.secretLister, c.kubeClient.CoreV1(), recorder)
 if err != nil {
 errors = append(errors, fmt.Errorf("%q: %v", "configmap/csr-intermediate-ca", err)) 
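Review bot: NewTargetConfigController now takes four consecutive untyped string parameters (`targetImagePullSpec, operatorImagePullSpec, clusterPolicyControllerPullSpec, toolsImagePullSpec string`), and the call site in starter.go fills them positionally from os.Getenv; a transposed argument compiles cleanly and only shows up as the wrong image in a rendered manifest. A short comment on that parameter line, `// image pull specs, in the order the struct fields above declare them`, or a small options struct, would make that harder to get wrong. The createTargetConfigController hunk is consistent with its neighbours (same `"configmap/recycler-config"` error key, same append-to-errors pattern), so nothing to change there; both functions start and end outside their hunks.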
@@ -404,6 +410,19 @@ func manageControllerManagerKubeconfig(ctx context.Context, client corev1client.
 return resourceapply.ApplyConfigMap(client, recorder, requiredCM)
 } 
+// manageRecycler applies a ConfigMap containing the recycler config. 
+// Owned by storage team/fbertina@redhat.com. 
+func manageRecycler(ctx context.Context, configMapsGetter corev1client.ConfigMapsGetter, recorder events.Recorder, imagePullSpec string) (*corev1.ConfigMap, bool, error) { 
+ cmString := string(v411_00_assets.MustAsset("v4.1.0/kube-controller-manager/recycler-cm.yaml")) 
+ for pattern, value := range map[string]string{ 
+ "${TOOLS_IMAGE}": imagePullSpec, 
+ } { 
+ cmString = strings.ReplaceAll(cmString, pattern, value) 
+ } 
+ requiredCM := resourceread.ReadConfigMapV1OrDie([]byte(cmString)) 
+ return resourceapply.ApplyConfigMap(configMapsGetter, recorder, requiredCM) 
+} 
+
 func managePod(ctx context.Context, configMapsGetter corev1client.ConfigMapsGetter, secretsGetter corev1client.SecretsGetter, recorder events.Recorder, operatorSpec *operatorv1.StaticPodOperatorSpec, imagePullSpec, operatorImagePullSpec, clusterPolicyControllerPullSpec string, addServingServiceCAToTokenSecrets bool) (*corev1.ConfigMap, bool, error) {
 required := resourceread.ReadPodV1OrDie(v411_00_assets.MustAsset("v4.1.0/kube-controller-manager/pod.yaml"))
 // TODO: If the image pull spec is not specified, the "${IMAGE}" will be used as value and the pod will fail to start. 
diff --git a/pkg/operator/v411_00_assets/bindata.go b/pkg/operator/v411_00_assets/bindata.go 
index 2fdd0bced..4b437fad4 100644 
--- a/pkg/operator/v411_00_assets/bindata.go 
+++ b/pkg/operator/v411_00_assets/bindata.go 
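Review bot: manageRecycler pastes imagePullSpec into the template without checking it is non-empty, so an unset TOOLS_IMAGE produces a ConfigMap whose recycler pod has `image: ""` and only fails later, at recycle time; managePod's TODO a few lines below notes the same failure mode for `${IMAGE}`. Returning an error from manageRecycler instead would surface the misconfiguration through the `errors` slice in createTargetConfigController, where the call is already wrapped. The one-entry map loop is more machinery than a single strings.ReplaceAll needs, and `ctx` is unused, which matches the sibling helpers. The substitution is purely textual into a double-quoted YAML scalar, so the value is trusted to contain no `"` or backslash; it comes from the operator's own environment, which is reasonable, but the doc comment should say so.

```go
// manageRecycler renders recycler-cm.yaml with the tools image pull spec and
// applies the resulting ConfigMap. imagePullSpec is substituted textually into a
// double-quoted YAML scalar and is trusted (it comes from the operator's own
// TOOLS_IMAGE environment). Owned by storage team/fbertina@redhat.com.
func manageRecycler(ctx context.Context, configMapsGetter corev1client.ConfigMapsGetter, recorder events.Recorder, imagePullSpec string) (*corev1.ConfigMap, bool, error) {
	if imagePullSpec == "" {
		// An empty image applies fine and only fails when a PV is actually recycled.
		return nil, false, fmt.Errorf("tools image pull spec for the recycler pod must not be empty")
	}
	cmString := strings.ReplaceAll(
		string(v411_00_assets.MustAsset("v4.1.0/kube-controller-manager/recycler-cm.yaml")),
		"${TOOLS_IMAGE}", imagePullSpec,
	)
	requiredCM := resourceread.ReadConfigMapV1OrDie([]byte(cmString))
	return resourceapply.ApplyConfigMap(configMapsGetter, recorder, requiredCM)
}
```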
@@ -21,6 +21,7 @@ // bindata/v4.1.0/kube-controller-manager/ns.yaml // bindata/v4.1.0/kube-controller-manager/pod-cm.yaml // bindata/v4.1.0/kube-controller-manager/pod.yaml +// bindata/v4.1.0/kube-controller-manager/recycler-cm.yaml // bindata/v4.1.0/kube-controller-manager/sa.yaml // bindata/v4.1.0/kube-controller-manager/svc.yaml // bindata/v4.1.0/kube-controller-manager/trusted-ca-cm.yaml @@ -118,10 +119,10 @@ extendedArguments: - "true" flex-volume-plugin-dir: - "/etc/kubernetes/kubelet-plugins/volume/exec" # created by machine-config-operator, owned by storage team/hekumar@redhat.com - pv-recycler-pod-template-filepath-nfs: - - "/etc/kubernetes/manifests/recycler-pod.yaml" # created by machine-config-operator, owned by storage team/fbertina@redhat.com - pv-recycler-pod-template-filepath-hostpath: - - "/etc/kubernetes/manifests/recycler-pod.yaml" # created by machine-config-operator, owned by storage team/fbertina@redhat.com + pv-recycler-pod-template-filepath-nfs: # owned by storage team/fbertina@redhat.com + - "/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml" + pv-recycler-pod-template-filepath-hostpath: # owned by storage team/fbertina@redhat.com + - "/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml" leader-elect: - "true" leader-elect-retry-period: @@ -794,8 +795,6 @@ spec: ports: - containerPort: 10257 volumeMounts: - - mountPath: /etc/kubernetes/manifests - name: manifests-dir # Used in the KubeControllerManagerConfig to pass in recycler pod templates - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs @@ -919,9 +918,6 @@ spec: tolerations: - operator: "Exists" volumes: - - hostPath: - path: /etc/kubernetes/manifests - name: manifests-dir - hostPath: path: /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-REVISION name: resource-dir 
@@ -945,6 +941,54 @@ func v410KubeControllerManagerPodYaml() (*asset, error) { return a, nil } +var _v410KubeControllerManagerRecyclerCmYaml = []byte(`apiVersion: v1 +kind: ConfigMap +metadata: + namespace: openshift-kube-controller-manager + name: recycler-config +data: + recycler-pod.yaml: | + apiVersion: v1 + kind: Pod + metadata: + name: recycler-pod + namespace: openshift-infra + spec: + activeDeadlineSeconds: 60 + restartPolicy: Never + serviceAccountName: pv-recycler-controller + containers: + - name: recycler-container + image: "${TOOLS_IMAGE}" + command: + - "/bin/bash" + args: + - "-c" + - "test -e /scrub && rm -rf /scrub/..?* /scrub/.[!.]* /scrub/* && test -z \"$(ls -A /scrub)\" || exit 1" + volumeMounts: + - mountPath: /scrub + name: vol + securityContext: + runAsUser: 0 + volumes: + - name: vol +`) + +func v410KubeControllerManagerRecyclerCmYamlBytes() ([]byte, error) { + return _v410KubeControllerManagerRecyclerCmYaml, nil +} + +func v410KubeControllerManagerRecyclerCmYaml() (*asset, error) { + bytes, err := v410KubeControllerManagerRecyclerCmYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "v4.1.0/kube-controller-manager/recycler-cm.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _v410KubeControllerManagerSaYaml = []byte(`apiVersion: v1 kind: ServiceAccount metadata: 
@@ -1097,6 +1141,7 @@ var _bindata = map[string]func() (*asset, error){ "v4.1.0/kube-controller-manager/ns.yaml": v410KubeControllerManagerNsYaml, "v4.1.0/kube-controller-manager/pod-cm.yaml": v410KubeControllerManagerPodCmYaml, "v4.1.0/kube-controller-manager/pod.yaml": v410KubeControllerManagerPodYaml, + "v4.1.0/kube-controller-manager/recycler-cm.yaml": v410KubeControllerManagerRecyclerCmYaml, "v4.1.0/kube-controller-manager/sa.yaml": v410KubeControllerManagerSaYaml, "v4.1.0/kube-controller-manager/svc.yaml": v410KubeControllerManagerSvcYaml, "v4.1.0/kube-controller-manager/trusted-ca-cm.yaml": v410KubeControllerManagerTrustedCaCmYaml, @@ -1170,6 +1215,7 @@ var _bintree = &bintree{nil, map[string]*bintree{ "ns.yaml": {v410KubeControllerManagerNsYaml, map[string]*bintree{}}, "pod-cm.yaml": {v410KubeControllerManagerPodCmYaml, map[string]*bintree{}}, "pod.yaml": {v410KubeControllerManagerPodYaml, map[string]*bintree{}}, + "recycler-cm.yaml": {v410KubeControllerManagerRecyclerCmYaml, map[string]*bintree{}}, "sa.yaml": {v410KubeControllerManagerSaYaml, map[string]*bintree{}}, "svc.yaml": {v410KubeControllerManagerSvcYaml, map[string]*bintree{}}, "trusted-ca-cm.yaml": {v410KubeControllerManagerTrustedCaCmYaml, map[string]*bintree{}},