node-cert-exporter icon indicating copy to clipboard operation
node-cert-exporter copied to clipboard

Published 20 hours ago verified publisher icon amimof

Add okd support

Open Asgoret opened this issue 5 years ago • 6 comments

Asgoret avatar Sep 02 '20 18:09 Asgoret

сс @amimof

Asgoret avatar Sep 02 '20 18:09 Asgoret

@Asgoret Thanks for contributing. Can you please provide a bit more details. Is there a reason why OKD is different from the existing K8S daemonset manifest? What is the reason for using jsonnet? Is there a chance that the jsonnet implementation is generic and not specific for OpenShift?

amimof avatar Sep 03 '20 07:09 amimof

@amimof Hi!

  1. OKD by design have a more secure environment. So you can't just add daemonset with mounting something from the host machine. Also I there is another ways for certificates (e.g. ~/kubernetes/pki doesn't exist at all) and I add ETCD certificates for monitoring
  2. Jsonnet used just for generating YAML files for the different environment (e.g. image version or namespace)
  3. jsonnet used with ksonnet so it prepares YAML basically for k8s API. But, as OKD based on k8s we can deploy in OKD too.

UPD: Also I add grafana dashboard (forget is at first (sic!))

Asgoret avatar Sep 03 '20 12:09 Asgoret

@amimof all good?

Asgoret avatar Sep 04 '20 09:09 Asgoret

Ok I understand. However I believe the jsonnet files are somewhat out of scope of this project since it is possible to deploy rendered yaml manifests to OKD. How those files are rendered to begin with is up to the user.

  • The files okd/rendered/node-cert-exporter-daemonset.yaml, okd/rendered/node-cert-exporter-service.yaml, okd/rendered/node-cert-exporter-serviceAccount.yaml, and okd/rendered/node-cert-exporter-serviceMonitor.yaml can be merge into one file.
  • The command oc adm policy add-scc-to-user hostmount-anyuid -n monitoring -z node-cert-exporter essentially creates a ClusterRoleBinding which can be put as yaml into the manifest. All this makes for a much cleaner and simpler example.

And lastly, please put the okd/ folder under deploy

amimof avatar Sep 07 '20 08:09 amimof

  • Jsonnet is something for development. If someone wants to develop their own version with own limits or tags he will be creating some template file. Not in scope, but good thing I think)
  • The long file is not good to practise because it harder for development and check before deploying and hard to store version in git
  • SCC is not a CRB. It's security context and is OKD abstraction, not Kubernetes

Asgoret avatar Sep 08 '20 08:09 Asgoret