
Commit 19fa76c

author
bstorm
committed
podpresets: Create a pod preset to automount hostpaths and set HOME for tools
This adds one pod preset to each new tool namespace. One will use the label selector "toolforge: tool" to be an easy to remember and use label for custom manifests where people use them and for webservice to use. Anything in a tool namespace that uses the label will have this spec injected into pods:

env:
  - name: HOME
    value: /data/project/<toolname>
volumeMounts:
  - mountPath: /public/dumps/
    name: dumps
    readOnly: true
  - mountPath: /data/project/
    name: home
  - mountPath: /etc/wmcs-project
    name: wmcs-project
    readOnly: true
  - mountPath: /data/scratch/
    name: scratch
  - mountPath: /etc/ldap.conf
    readOnly: true
    name: etcldap-conf
  - mountPath: /etc/ldap.yaml
    name: etcldap-yaml
    readOnly: true
  - mountPath: /etc/novaobserver.yaml
    name: etcnovaobserver-yaml
    readOnly: true
  - mountPath: /var/lib/sss/pipes
    name: sssd-pipes
volumes:
  - hostPath:
      path: /public/dumps
      type: Directory
    name: dumps
  - hostPath:
      path: /data/project
      type: Directory
    name: home
  - hostPath:
      path: /etc/wmcs-project
      type: File
    name: wmcs-project
  - hostPath:
      path: /data/scratch
      type: Directory
    name: scratch
  - hostPath:
      path: /etc/ldap.conf
      type: File
    name: etcldap-conf
  - hostPath:
      path: /etc/ldap.yaml
      type: File
    name: etcldap-yaml
  - hostPath:
      path: /etc/novaobserver.yaml
      type: File
    name: etcnovaobserver-yaml
  - hostPath:
      path: /var/lib/sss/pipes
      type: Directory
    name: sssd-pipes

Bug: T215678
Change-Id: Icf264d22a9e544d35d675f4fb5424da13eb085eb
1 parent fb8eacf commit 19fa76c

8 files changed, +414 -252 lines changed

README.md

+3-4
Original file line numberDiff line numberDiff line change
@@ -58,8 +58,7 @@ The steps are below:
5858
4. Fix that until it works, if it didn't.
5959
5. Run `vagrant forward-port 1389 389` to expose the vagrant VMs LDAP to the
6060
host.
61-
6. Start minikube with `minikube start
62-
--extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy`. It
61+
6. Start minikube with `minikube start --kubernetes-version=1.15.5 --extra-config=apiserver.runtime-config=settings.k8s.io/v1alpha1=true --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy,PodPreset`. It
6362
will fail to finish initializing because PodSecurityPolicy complicates
6463
everything until the next step.
6564
7. Run `kubectl apply -f <path to
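Review bot: the new step 6 command pins `--kubernetes-version=1.15.5` and switches on `settings.k8s.io/v1alpha1` through `apiserver.runtime-config`, but the README never says why either is needed. Add a sentence that PodPreset is an alpha API which must be enabled explicitly (together with the `PodPreset` admission plugin), so readers do not drop the version pin or the runtime-config flag and then wonder why preset creation fails.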
@@ -92,13 +91,13 @@ The steps are below:
9291
pod! After this, things become a bit more familiar in terms of python
9392
testing.
9493
17. Run `source venv/bin/activate`
95-
18. Start recording tests! Delete the cassettes in the pod shell with `rm tests/cassettes` just to make sure you have a clean slate and run `pytest --in-k8s`. This will
94+
18. Start recording tests! Delete the cassettes in the pod shell with `rm tests/cassettes/*` just to make sure you have a clean slate and run `pytest --in-k8s`. This will
9695
**fail** on one of the API tests. The reason is that this doesn't have an
9796
excellent teardown when actually running against an API server just yet.
9897
It should have only failed on a single test.
9998
19. In another terminal on your local machine run `kubectl delete ns
10099
tool-blurp` to clean up what is upsetting that last test.
101-
20. In your kubernetes pod terminal run `rm tests/cassettes/test_tool_renewal`. Now record only that test as a VCR cassette with `pytest --in-k8s -k "test_tool_renewal"`. If that succeeded, you have
100+
20. In your kubernetes pod terminal run `rm tests/cassettes/test_tool_renewal.yaml`. Now record only that test as a VCR cassette with `pytest --in-k8s -k "test_tool_renewal"`. If that succeeded, you have
102101
a good set of mocks ("cassettes") to run later.
103102
21. You now need to get those cassettes from the pod to your host and into the
104103
git repository. There are several ways to do that. The easy and reliable way is to copy them all to `/data/project` inside the pod like `cp -r tests/cassettes /data/project/` to get them on the minikube VM. Then, log out of your pod terminal (since that should all be done if all your tests passed), delete the cassettes in your active repo (`rm tests/cassettes/*`), and replace them from the minikube vm with `scp -i $(minikube ssh-key) docker@$(minikube ip):/data/project/cassettes/* tests/cassettes/`
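Review bot: step 21's `cp -r tests/cassettes /data/project/` only reaches the minikube VM because the new PodPreset mounts the host's `/data/project` read-write into pods that carry the `toolforge: tool` label. The step should say that the test pod must carry that label and that the preset must exist in its namespace; otherwise the copy lands in the container filesystem and the later `scp` from `/data/project/cassettes/*` finds nothing. The cassette-path corrections in steps 18 and 20 (`tests/cassettes/*`, `test_tool_renewal.yaml`) look right.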

betaservice.yaml

+11
@@ -29,6 +29,17 @@ rules:
2929
- patch
3030
- update
3131
- watch
32+
- apiGroups:
33+
- settings.k8s.io
34+
resources:
35+
- podpresets
36+
verbs:
37+
- create
38+
- get
39+
- list
40+
- patch
41+
- update
42+
- watch
3243
- apiGroups:
3344
- extensions
3445
resources:
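Review bot: the new `settings.k8s.io` / `podpresets` rule grants more verbs than the code uses: `create_presets()` only calls `create_namespaced_pod_preset`, so `patch`, `update`, `watch` and arguably `list` are dead privilege. Because a PodPreset injects env vars and hostPath volumes into every matching pod in the namespace, the right to create or modify presets is effectively the right to mount host paths into tool pods; trim the verbs to `create` and `get` unless reconciliation of existing presets is planned, and note the reason in a comment.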

maintain_kubeusers/maintain_kubeusers.py

+125
@@ -63,6 +63,7 @@ def __init__(self):
6363
self.certs = client.CertificatesV1beta1Api()
6464
self.rbac = client.RbacAuthorizationV1Api()
6565
self.extensions = client.ExtensionsV1beta1Api()
66+
self.settings_api = client.SettingsV1alpha1Api()
6667

6768
def get_cluster_info(self):
6869
c_info = self.core.read_namespaced_config_map(
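Review bot: the new attribute name is inconsistent with its neighbours: `self.certs`, `self.rbac` and `self.extensions` carry no suffix, while this one is `self.settings_api`. Prefer `self.settings`, or at least add a comment that `SettingsV1alpha1Api` is the alpha PodPreset API and requires the `settings.k8s.io/v1alpha1` runtime-config described in the README.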
@@ -195,6 +196,129 @@ def approve_cert(self, user):
195196
else:
196197
logging.error("Certificate creation stalled or failed for %s", user)
197198

199+
def create_presets(self, user):
200+
try:
201+
_ = self.settings_api.create_namespaced_pod_preset(
202+
namespace="tool-{}".format(user),
203+
body=client.V1alpha1PodPreset(
204+
api_version="settings.k8s.io/v1alpha1",
205+
kind="PodPreset",
206+
metadata=client.V1ObjectMeta(name="mount-toolforge-vols"),
207+
spec=client.V1alpha1PodPresetSpec(
208+
selector=client.V1LabelSelector(
209+
match_labels={
210+
"toolforge": "tool"
211+
}
212+
),
213+
env=[
214+
client.V1EnvVar(
215+
name="HOME",
216+
value="/data/project/{}".format(user)
217+
),
218+
],
219+
volumes=[
220+
client.V1Volume(
221+
name="dumps",
222+
host_path=client.V1HostPathVolumeSource(
223+
path="/public/dumps", type="Directory"
224+
),
225+
),
226+
client.V1Volume(
227+
name="home",
228+
host_path=client.V1HostPathVolumeSource(
229+
path="/data/project", type="Directory"
230+
),
231+
),
232+
client.V1Volume(
233+
name="wmcs-project",
234+
host_path=client.V1HostPathVolumeSource(
235+
path="/etc/wmcs-project", type="File"
236+
),
237+
),
238+
client.V1Volume(
239+
name="scratch",
240+
host_path=client.V1HostPathVolumeSource(
241+
path="/data/scratch", type="Directory"
242+
),
243+
),
244+
client.V1Volume(
245+
name="etcldap-conf",
246+
host_path=client.V1HostPathVolumeSource(
247+
path="/etc/ldap.conf", type="File"
248+
),
249+
),
250+
client.V1Volume(
251+
name="etcldap-yaml",
252+
host_path=client.V1HostPathVolumeSource(
253+
path="/etc/ldap.yaml", type="File"
254+
),
255+
),
256+
client.V1Volume(
257+
name="etcnovaobserver-yaml",
258+
host_path=client.V1HostPathVolumeSource(
259+
path="/etc/novaobserver.yaml", type="File"
260+
),
261+
),
262+
client.V1Volume(
263+
name="sssd-pipes",
264+
host_path=client.V1HostPathVolumeSource(
265+
path="/var/lib/sss/pipes", type="Directory"
266+
),
267+
),
268+
],
269+
volume_mounts=[
270+
client.V1VolumeMount(
271+
name="dumps",
272+
mount_path="/public/dumps",
273+
read_only=True,
274+
),
275+
client.V1VolumeMount(
276+
name="home", mount_path="/data/project"
277+
),
278+
client.V1VolumeMount(
279+
name="wmcs-project",
280+
mount_path="/etc/wmcs-project",
281+
read_only=True,
282+
),
283+
client.V1VolumeMount(
284+
name="scratch", mount_path="/data/scratch"
285+
),
286+
client.V1VolumeMount(
287+
name="etcldap-conf",
288+
mount_path="/etc/ldap.conf",
289+
read_only=True,
290+
),
291+
client.V1VolumeMount(
292+
name="etcldap-yaml",
293+
mount_path="/etc/ldap.yaml",
294+
read_only=True,
295+
),
296+
client.V1VolumeMount(
297+
name="etcnovaobserver-yaml",
298+
mount_path="/etc/novaobserver.yaml",
299+
read_only=True,
300+
),
301+
client.V1VolumeMount(
302+
name="sssd-pipes",
303+
mount_path="/var/lib/sss/pipes",
304+
),
305+
],
306+
),
307+
),
308+
)
309+
except ApiException as api_ex:
310+
if api_ex.status == 409 and "AlreadyExists" in api_ex.body:
311+
logging.info(
312+
"PodPreset mount-toolforge-vols in tool-%s already exists",
313+
user,
314+
)
315+
return
316+
317+
logging.error(
318+
"Could not create PodPreset mount-toolforge-vols for %s", user
319+
)
320+
raise
321+
198322
def create_namespace(self, user):
199323
"""
200324
Creates a namespace for the given user if it doesn't exist
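Review bot: the preset mounts the whole host `/data/project` (and `/data/scratch`) read-write into every pod labelled `toolforge: tool`, while `HOME` is narrowed to `/data/project/{user}`; nothing in the preset itself limits a tool to its own directory, so isolation rests entirely on filesystem ownership and the UID the PSP enforces. State that assumption in a comment next to the `home` volume, since a reader of this function alone will take the mount to be per-tool. Smaller points: the name `mount-toolforge-vols` is repeated in the metadata and both log messages and belongs in a module-level constant, and the `_ =` binding of the create call's return value can simply be dropped.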
@@ -520,6 +644,7 @@ def process_rbac(self, user):
520644
def add_user_access(self, user):
521645
self.generate_psp(user)
522646
self.create_namespace(user.name)
647+
self.create_presets(user.name)
523648
self.process_rbac(user.name)
524649
self.create_configmap(user)
525650
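Review bot: `create_presets` re-raises every `ApiException` other than the 409 `AlreadyExists` case, and it now runs before `process_rbac` and `create_configmap`, so on a cluster where the alpha `settings.k8s.io` API is not enabled (a 404 from the API server) user creation aborts half-done: the PSP and namespace exist but RBAC and the configmap are never created. Either decide that a missing PodPreset API is fatal and document it, or log the failure and continue so the remaining steps still run.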

service.yaml

+11
@@ -29,6 +29,17 @@ rules:
2929
- patch
3030
- update
3131
- watch
32+
- apiGroups:
33+
- settings.k8s.io
34+
resources:
35+
- podpresets
36+
verbs:
37+
- create
38+
- get
39+
- list
40+
- patch
41+
- update
42+
- watch
3243
- apiGroups:
3344
- extensions
3445
resources:
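Review bot: this rule block is identical to the one added to `betaservice.yaml`, and the same least-privilege remark applies: the code only creates presets, so `patch`, `update`, `list` and `watch` are unused. Two verbatim copies invite drift; if the files must stay separate, add a comment in each pointing at the other so future edits touch both.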
