blob: 02cd5bcfdb47046369f603a35d1ff416093b69e1 (
plain)
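---
# DaemonSet that runs an operator-supplied configuration script on every
# selected node in a resync loop, with an optional monitoring sidecar.
#
# Security note: the pod shares the host network, PID and IPC namespaces and
# mounts the node's root filesystem. Anyone able to change the image, the
# ConfigMap holding the script, or the service account effectively has root on
# every node this is scheduled to. Restrict write access to those objects.
kind: DaemonSet
# NOTE(review): newer Kubernetes releases no longer serve DaemonSet under
# extensions/v1beta1 (apps/v1 replaces it); confirm against the target cluster.
apiVersion: extensions/v1beta1
metadata:
  # Templated names are quoted so an empty or number-looking value stays a string.
  name: "{{ openshift_daemonset_config_daemonset_name }}"
  annotations:
    kubernetes.io/description: |
      This daemon set manages the operational configuration for a cluster and ensures all nodes have
      a concrete set of config in place. It could also use a local ansible run against the /host directory.
spec:
  selector:
    matchLabels:
      app: "{{ openshift_daemonset_config_daemonset_name }}"
      confighosts: ops
      ops.openshift.io/role: operations
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      # Must stay identical to spec.selector.matchLabels above.
      labels:
        app: "{{ openshift_daemonset_config_daemonset_name }}"
        confighosts: ops
        ops.openshift.io/role: operations
      annotations:
        # NOTE(review): this alpha annotation was deprecated in later Kubernetes
        # releases in favour of priorityClassName; confirm it is still honoured.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
{% if openshift_daemonset_config_node_selector is defined and openshift_daemonset_config_node_selector != {} %}
      nodeSelector: {{ openshift_daemonset_config_node_selector | to_json }}
{% endif %}
      serviceAccountName: "{{ openshift_daemonset_config_sa_name }}"
      # Host namespaces are shared with the node: the containers see host
      # processes, sockets and IPC objects directly.
      hostNetwork: true
      hostPID: true
      hostIPC: true
      containers:
        - name: config
          image: "{{ openshift_daemonset_config_image }}"
          env:
            - name: RESYNC_INTERVAL
              value: "{{ openshift_daemonset_config_interval }}"
          # The script name is interpolated into the shell text at render time,
          # so it should be a plain file name from the mounted ConfigMap.
          # RESYNC_INTERVAL is handed to sleep as-is; a bare number means seconds.
          command:
            - /bin/bash
            - -c
            - |
              #!/bin/sh
              set -o errexit
              while true; do
                # execute user defined script
                sh /opt/config/{{ openshift_daemonset_config_script }}
                # sleep for ${RESYNC_INTERVAL} minutes, then loop. if we fail Kubelet will restart us again
                echo "Success, sleeping for ${RESYNC_INTERVAL}s. Date: $(date)"
                sleep ${RESYNC_INTERVAL}
                # Return to perform the config
              done
          securityContext:
            # Must be root to modify host system
            runAsUser: {{ openshift_daemonset_config_runasuser }}
            # Permission could be reduced by selecting an appropriate SELinux policy that allows
            # us to update the named directories
            privileged: {{ openshift_daemonset_config_privileged }}
          volumeMounts:
            # Directory which contains the host volume (host root, mounted read-write).
            - mountPath: /host
              name: host
            # Our node configuration
            - mountPath: /opt/config
              name: config
            - mountPath: /opt/tmp_shared_config
              name: tmp-shared-dir
{% if openshift_daemonset_config_secrets != {} %}
            # Our delivered secrets
            - mountPath: /opt/secrets
              name: secrets
{% endif %}
          resources:
            requests:
              cpu: "{{ openshift_daemonset_config_resources.cpu }}"
              memory: "{{ openshift_daemonset_config_resources.memory }}"
{% if openshift_daemonset_config_monitoring %}
        - name: monitoring
          image: "{{ openshift_daemonset_config_monitoring_image }}"
          env:
            - name: OO_PAUSE_ON_START
              value: "{{ openshift_daemonset_config_monitoring_pos }}"
          securityContext:
            # Must be root to read content
            runAsUser: 0
            privileged: true
          # readOnly below is not a security boundary for this container: it is
          # privileged, and a read-only bind mount of the Docker socket still
          # allows connecting to the daemon. Treat the sidecar image as having
          # full access to the node.
          volumeMounts:
            - mountPath: /host
              name: host
              readOnly: true
            - mountPath: /etc/localtime
              subPath: etc/localtime
              name: host
              readOnly: true
            - mountPath: /sys
              subPath: sys
              name: host
              readOnly: true
            - mountPath: /var/run/docker.sock
              subPath: var/run/docker.sock
              name: host
              readOnly: true
            - mountPath: /var/run/openvswitch
              subPath: var/run/openvswitch
              name: host
              readOnly: true
            - mountPath: /etc/origin
              subPath: etc/origin
              name: host
              readOnly: true
            - mountPath: /usr/bin/oc
              subPath: usr/bin/oc
              name: host
              readOnly: true
            - mountPath: /host/var/cache/yum
              subPath: var/cache/yum
              name: host
              readOnly: true
            - mountPath: /container_setup
              name: tmp-shared-dir
            - mountPath: /opt/config
              name: config
{% if openshift_daemonset_config_secrets != {} %}
            - mountPath: /opt/secrets
              name: secrets
{% endif %}
          resources:
            requests:
              cpu: 10m
              memory: 10Mi
{% endif %}
      volumes:
        # Scratch space shared between the config and monitoring containers.
        - name: tmp-shared-dir
          emptyDir: {}
        # Holds the script the config container executes; write access to this
        # ConfigMap is equivalent to running commands as root on the nodes.
        - name: config
          configMap:
            name: "{{ openshift_daemonset_config_configmap_name }}"
{% if openshift_daemonset_config_secrets != {} %}
        - name: secrets
          secret:
            secretName: "{{ openshift_daemonset_config_secret_name }}"
{% endif %}
        # The node's entire root filesystem.
        - name: host
          hostPath:
            path: /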