Create OCP 3.11 Specific Spec for Deployer Container

andrewlecuyer · andrewlecuyer · commit b12caeaabb86 · 2020-05-26T10:34:25.000-05:00
This commit creates a spec specifically for use by OpenShift 3.11
users when installing via the "kubectl" install method.  This spec
binds the 'pgo-deployer-sa' ServiceAccount to the 'cluster-admin'
role as needed to ensure the deployer can create any RBAC required
by the Operator.  This specifically works around a defect in OCP
3.11 in which the Operator is unable to create roles it does not
currently have (specifically due to a deficiency with the "escalate"
verb for roles).

Being that this is an OpenShift specific container, a few defaults
have been changed from the standard 'postgresql-operator.yaml'.
Specifically, "DISABLE_FSGROUPS" is set to "true" as required to
run within the "restricted" SCC on OpenShift, and "NAMESPACE_MODE"
has been set to "readonly" since "dynamic" is unable to work
properly in OCP 3.11 due to the same known "escalate" issue.
diff --git a/installers/kubectl/postgres-operator-ocp311.yml b/installers/kubectl/postgres-operator-ocp311.yml
@@ -0,0 +1,205 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+    name: pgo-deployer-sa
+    namespace: pgo
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+    name: pgo-deployer-crb
+    namespace: pgo
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: system:serviceaccount:pgo:pgo-deployer-sa
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+    name: pgo-deploy
+    namespace: pgo
+spec:
+    backoffLimit: 0
+    template:
+        metadata:
+            name: pgo-deploy
+        spec:
+            serviceAccountName: pgo-deployer-sa
+            restartPolicy: Never
+            containers:
+            - name: pgo-deploy
+              command: ["/pgo-deploy.sh"]
+              image: registry.developers.crunchydata.com/crunchydata/pgo-deployer:centos7-4.3.1
+              imagePullPolicy: IfNotPresent
+              env:
+                  - name: ARCHIVE_MODE
+                    value: "true"
+                  - name: ARCHIVE_TIMEOUT
+                    value: "60"
+                  - name: BACKREST
+                    value: "true"
+                  - name: BADGER
+                    value: "false"
+                  - name: CRUNCHY_DEBUG
+                    value: "false"
+                  - name: CREATE_RBAC
+                    value: "true"
+                  - name: CCP_IMAGE_PREFIX
+                    value: "registry.developers.crunchydata.com/crunchydata"
+                  - name: CCP_IMAGE_TAG
+                    value: "centos7-12.3-4.3.1"
+                  - name: DB_PASSWORD_LENGTH
+                    value: "24"
+                  - name: DB_PORT
+                    value: "5432"
+                  - name: DB_REPLICAS
+                    value: "0"
+                  - name: DB_USER
+                    value: "testuser"
+                  - name: DEFAULT_INSTANCE_MEMORY
+                    value: "128Mi"
+                  - name: DEFAULT_PGBACKREST_MEMORY
+                    value: ""
+                  - name: DEFAULT_PGBOUNCER_MEMORY
+                    value: ""
+                  - name: DEPLOY_ACTION
+                    value: "install"
+                  - name: DISABLE_AUTO_FAILOVER
+                    value: "false"
+                  - name: DISABLE_FSGROUP
+                    value: "true"
+                  - name: DYNAMIC_RBAC
+                    value: "false"
+                  - name: EXPORTERPORT
+                    value: "9187"
+                  - name: METRICS
+                    value: "false"
+                  - name: NAMESPACE
+                    value: "pgo"
+                  - name: NAMESPACE_MODE
+                    value: "readonly"
+                  - name: PGBADGERPORT
+                    value: "10000"
+                  - name: PGO_ADMIN_PASSWORD
+                    value: "password"
+                  - name: PGO_ADMIN_PERMS
+                    value: "*"
+                  - name: PGO_ADMIN_ROLE_NAME
+                    value: "pgoadmin"
+                  - name: PGO_ADMIN_USERNAME
+                    value: "admin"
+                  - name: PGO_CLIENT_VERSION
+                    value: "v4.3.1"
+                  - name: PGO_IMAGE_PREFIX
+                    value: "registry.developers.crunchydata.com/crunchydata"
+                  - name: PGO_IMAGE_TAG
+                    value: "centos7-4.3.1"
+                  - name: PGO_INSTALLATION_NAME
+                    value: "devtest"
+                  - name: PGO_OPERATOR_NAMESPACE
+                    value: "pgo"
+                  - name: SCHEDULER_TIMEOUT
+                    value: "3600"
+                  - name: BACKREST_STORAGE
+                    value: "hostpathstorage"
+                  - name: BACKUP_STORAGE
+                    value: "hostpathstorage"
+                  - name: PRIMARY_STORAGE
+                    value: "hostpathstorage"
+                  - name: REPLICA_STORAGE
+                    value: "hostpathstorage"
+                  - name: WAL_STORAGE
+                    value: ""
+                  - name: STORAGE1_NAME
+                    value: "hostpathstorage"
+                  - name: STORAGE1_ACCESS_MODE
+                    value: "ReadWriteMany"
+                  - name: STORAGE1_SIZE
+                    value: "1G"
+                  - name: STORAGE1_TYPE
+                    value: "create"
+                  - name: STORAGE2_NAME
+                    value: "replicastorage"
+                  - name: STORAGE2_ACCESS_MODE
+                    value: "ReadWriteMany"
+                  - name: STORAGE2_SIZE
+                    value: "700M"
+                  - name: STORAGE2_TYPE
+                    value: "create"
+                  - name: STORAGE3_NAME
+                    value: "nfsstorage"
+                  - name: STORAGE3_ACCESS_MODE
+                    value: "ReadWriteMany"
+                  - name: STORAGE3_SIZE
+                    value: "1G"
+                  - name: STORAGE3_TYPE
+                    value: "create"
+                  - name: STORAGE3_SUPPLEMENTAL_GROUPS
+                    value: "65534"
+                  - name: STORAGE4_NAME
+                    value: "nfsstoragered"
+                  - name: STORAGE4_ACCESS_MODE
+                    value: "ReadWriteMany"
+                  - name: STORAGE4_SIZE
+                    value: "1G"
+                  - name: STORAGE4_MATCH_LABEL
+                    value: "crunchyzone=red"
+                  - name: STORAGE4_TYPE
+                    value: "create"
+                  - name: STORAGE4_SUPPLEMENTAL_GROUPS
+                    value: "65534"
+                  - name: STORAGE5_NAME
+                    value: "storageos"
+                  - name: STORAGE5_ACCESS_MODE
+                    value: "ReadWriteOnce"
+                  - name: STORAGE5_SIZE
+                    value: "5Gi"
+                  - name: STORAGE5_TYPE
+                    value: "dynamic"
+                  - name: STORAGE5_CLASS
+                    value: "fast"
+                  - name: STORAGE6_NAME
+                    value: "primarysite"
+                  - name: STORAGE6_ACCESS_MODE
+                    value: "ReadWriteOnce"
+                  - name: STORAGE6_SIZE
+                    value: "4G"
+                  - name: STORAGE6_TYPE
+                    value: "dynamic"
+                  - name: STORAGE6_CLASS
+                    value: "primarysite"
+                  - name: STORAGE7_NAME
+                    value: "alternatesite"
+                  - name: STORAGE7_ACCESS_MODE
+                    value: "ReadWriteOnce"
+                  - name: STORAGE7_SIZE
+                    value: "4G"
+                  - name: STORAGE7_TYPE
+                    value: "dynamic"
+                  - name: STORAGE7_CLASS
+                    value: "alternatesite"
+                  - name: STORAGE8_NAME
+                    value: "gce"
+                  - name: STORAGE8_ACCESS
+                    value: "ReadWriteOnce"
+                  - name: STORAGE8_SIZE
+                    value: "300M"
+                  - name: STORAGE8_TYPE
+                    value: "dynamic"
+                  - name: STORAGE8_CLASS
+                    value: "standard"
+                  - name: STORAGE9_NAME
+                    value: "rook"
+                  - name: STORAGE9_ACCESS_MODE
+                    value: "ReadWriteOnce"
+                  - name: STORAGE9_SIZE
+                    value: "1Gi"
+                  - name: STORAGE9_TYPE
+                    value: "dynamic"
+                  - name: STORAGE9_CLASS
+                    value: "rook-ceph-block"
