opensearch-k8s-operator
Openshift SCC / Route support
'lo all,
It's my understanding that this k8-operator is heavily based on the official HELM-charts, and thus I assume that at least the securityContexts will eventually be part of the operator, but maybe not the openshift-routes.
For now, I have manually updated the code to include both of them, and things work fine on Openshift ... If no one is working on it, or planning to do so, I would like to volunteer/help for this part.
Grtz, gert
Hi @Djeezus. Currently no one is working on these topics. If you have the time and energy to help and want to contribute this, PRs are always welcome. From my perspective it is just important that both aspects are optional so that a non-OpenShift standard kubernetes is still the default target.
Ok, I've started working on a local fork ...
I've adapted the Makefile to check for OSE or K8 build:

```makefile
ifeq ($(shell which oc),)
$(info "No OC found, assuming K8 build...")
else
$(info "OC found in path, assuming OSE build...")
$(shell ln -sf $$(which oc) $$(echo $${PATH} | awk -F: '{print $$1}')/kubectl)
# other OSE-specific vars/configs go here ...
endif
```

If you have other ideas/opinions, let me know.
> I've adapted the Makefile to check for OSE or K8 build

Why would you need to do this? The build happens in the GitHub Actions pipeline, which has no connection to any specific environment. Aside from that, the build itself is and must stay generic. All detections regarding OpenShift and specific behaviour must happen at runtime.
From my perspective there can be two points where OpenShift-specific behaviour could be relevant:
- In the helm chart to deploy the operator in another way for OpenShift (e.g. add extra kubernetes objects). If this is the case it needs to be enabled via an option in the helm values
- In the operator code itself during deployment of a cluster. In my opinion this should be configured via a command-line flag and exposed as a value in the helm chart.
Indeed, for the functional part everything is going to be in runtime ... With the Makefile adaptation, I was just thinking about people cloning it locally on their machine (like me), so I'll leave that out eventually.
Hi, any progress on this? Support for OpenShift would be highly appreciated.
What is needed for better openshift support?
We tried installing this operator on a single-node OpenShift cluster, in the "default" namespace, and it seemed to work pretty well. We didn't get routes. Also, we used the example my-cluster, which expects multiple worker nodes, and we had only one node in this cluster. Still, OpenSearch started, and we could load it with data.
Then we tried installing on another, larger cluster, in a separate namespace, not "default", and in this case nothing much worked at all; the operator rbac proxy didn't even seem to boot.
So, what is needed for improved openshift support?
for the time being we are using a workaround, in a test cluster
- create a "opensearchtest" ns in the testcluster
- apply the example my-cluster yaml file in the opensearchtest ns
- run the following:

  ```
  oc adm policy add-scc-to-user anyuid -z default
  oc adm policy add-scc-to-user anyuid -z opensearch-operator-controller-manager
  ```

This makes the operator at least proceed. I would advise against this in a production OpenShift instance.
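
An added audit example (not from the thread or the operator project): it lists service accounts that hold `anyuid` or `privileged` through RBAC bindings, so grants like the workaround above can be found and removed later. It assumes grants appear as bindings to ClusterRoles named `system:openshift:scc:<scc>`, as recent `oc` releases create them; the function name, the sample bindings and the set of SCCs treated as broad are this example's own.

```python
import json

ROLE_PREFIX = "system:openshift:scc:"   # ClusterRole naming used for SCC grants via RBAC
BROAD_SCCS = {"anyuid", "privileged"}   # SCCs this example treats as broad (assumption)

def find_broad_scc_grants(bindings_json):
    """Return service accounts bound to a broad SCC, sorted, with a reason for each."""
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        role = item.get("roleRef", {}).get("name", "")
        scc = role[len(ROLE_PREFIX):] if role.startswith(ROLE_PREFIX) else None
        if scc not in BROAD_SCCS:
            continue
        binding_ns = item.get("metadata", {}).get("namespace", "")
        for subj in item.get("subjects") or []:
            if subj.get("kind") != "ServiceAccount":
                continue
            ns = subj.get("namespace") or binding_ns
            name = subj["name"]
            # Pods that set no serviceAccountName run as "default", so a grant
            # to it covers every such pod in the namespace.
            reason = ("namespace-wide: applies to every pod without an explicit "
                      "service account" if name == "default"
                      else "scoped to one service account")
            findings.append((ns, name, scc, reason))
    return sorted(findings)

# Constructed sample in the shape of `oc get rolebindings -A -o json`
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "RoleBinding",
     "metadata": {"name": "system:openshift:scc:anyuid", "namespace": "opensearchtest"},
     "roleRef": {"kind": "ClusterRole", "name": "system:openshift:scc:anyuid"},
     "subjects": [
         {"kind": "ServiceAccount", "name": "default", "namespace": "opensearchtest"},
         {"kind": "ServiceAccount", "name": "opensearch-operator-controller-manager"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "viewers", "namespace": "opensearchtest"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "default"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "restricted", "namespace": "other"},
     "roleRef": {"kind": "ClusterRole", "name": "system:openshift:scc:restricted-v2"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]})

if __name__ == "__main__":
    for ns, sa, scc, reason in find_broad_scc_grants(SAMPLE):
        print(f"{ns}/{sa}: {scc} ({reason})")
```

On clusters where the grant was written into the SCC's `users` list instead of an RBAC binding, this check will not see it.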