Look for secrets in the deployed namespace

2018-02-14 15:37:30 +01:00 · 2018-02-14 15:37:30 +01:00 · d5d15b7546
parent 5837015b3c
commit d5d15b7546
4 changed files with 50 additions and 21 deletions
--- a/README.md
+++ b/README.md
@ -61,6 +61,23 @@ to test your that your setup is working.

 Note: if you use multiple Kubernetes clusters, you can switch to Minikube with `kubectl config use-context minikube`

+### Select the namespace to deploy to
+
+The operator can run in a namespace other than `default`. For example, to deploy it to the `test` namespace, run the following:
+
+    kubectl create namespace test
+    kubectl config set-context minikube --namespace=test
+
+All subsequent `kubectl` commands will work with the `test` namespace. The operator  will run in this namespace and look up needed resources - such as its config map - there.
+
+### Specify the namespace to watch
+
+Watching a namespace for an operator means tracking requests to change Postgresql clusters in the namespace such as "increase the number of Postgresql replicas to 5" and reacting to the requests, in this example by actually scaling up. 
+
+By default, the operator watches the namespace it is deployed to. You can change this by altering the `WATCHED_NAMESPACE` env var in the operator deployment manifest or the `watched_namespace` field in the operator configmap. In the case both are set, the env var takes the preference.
+
+Note that for an operator to create pods in the watched namespace, one needs to create the `operator` service account in the namespace.
+
 ### Create ConfigMap

 ConfigMap is used to store the configuration of the operator
--- a/cmd/main.go
+++ b/cmd/main.go
@ -2,7 +2,6 @@ package main

 import (
 	"flag"
-	"io/ioutil"
 	"log"
 	"os"
 	"os/signal"
@ -14,11 +13,6 @@ import (
 	"github.com/zalando-incubator/postgres-operator/pkg/util/k8sutil"
 )

-const (
-	// assumes serviceaccount secret is mounted by kubernetes
-	fileWithNamespace = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
-)
-
 var (
 	kubeConfigFile string
 	outOfCluster   bool
@ -33,15 +27,10 @@ func init() {
 	flag.BoolVar(&config.NoTeamsAPI, "noteamsapi", false, "Disable all access to the teams API")
 	flag.Parse()

-	operatorNamespaceBytes, err := ioutil.ReadFile(fileWithNamespace)
-	if err != nil {
-		log.Fatalf("Unable to detect operator namespace from within its pod  due to %v", err)
-	}
-
 	configMapRawName := os.Getenv("CONFIG_MAP_NAME")
 	if configMapRawName != "" {

-		operatorNamespace := string(operatorNamespaceBytes)
+		operatorNamespace := spec.GetOperatorNamespace()
 		config.Namespace = operatorNamespace

 		namespacedConfigMapName := operatorNamespace + "/" + configMapRawName
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@ -109,11 +109,6 @@ func (c *Controller) initOperatorConfig() {
 		configMapData["watched_namespace"] = c.config.Namespace
 	}

-	_, err := c.KubeClient.ServiceAccounts(configMapData["watched_namespace"]).Get("operator", metav1.GetOptions{})
-	if err != nil {
-		c.logger.Warnf("Cannot find the 'operator' service account in the watched namepsace %q. Pods will not be able to start. Error: %v", c.opConfig.WatchedNamespace, err)
-	}
-
 	if c.config.NoDatabaseAccess {
 		configMapData["enable_database_access"] = "false"
 	}
@ -136,6 +131,11 @@ func (c *Controller) initController() {

 	c.logger.Infof("config: %s", c.opConfig.MustMarshal())

+	c.mustHaveOperatorServiceAccountInNamespace(c.config.Namespace)
+	if c.config.Namespace != c.opConfig.WatchedNamespace {
+		c.mustHaveOperatorServiceAccountInNamespace(c.opConfig.WatchedNamespace)
+	}
+
 	if c.opConfig.DebugLogging {
 		c.logger.Logger.Level = logrus.DebugLevel
 	}
@ -261,3 +261,10 @@ func (c *Controller) kubeNodesInformer(stopCh <-chan struct{}, wg *sync.WaitGrou

 	c.nodesInformer.Run(stopCh)
 }
+
+func (c *Controller) mustHaveOperatorServiceAccountInNamespace(namespace string) {
+	_, err := c.KubeClient.ServiceAccounts(namespace).Get(c.opConfig.ServiceAccountName, metav1.GetOptions{})
+	if err != nil {
+		c.logger.Warnf("Cannot find the '%v' service account in the namepsace %q. Pods will not be able to start. Error: %v", c.opConfig.ServiceAccountName, namespace, err)
+	}
+}
--- a/pkg/spec/types.go
+++ b/pkg/spec/types.go
@ -3,6 +3,8 @@ package spec
 import (
 	"database/sql"
 	"fmt"
+	"io/ioutil"
+	"log"
 	"strings"
 	"time"

@ -26,6 +28,8 @@ const (
 	EventUpdate EventType = "UPDATE"
 	EventDelete EventType = "DELETE"
 	EventSync   EventType = "SYNC"
+
+	fileWithNamespace = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
 )

 // ClusterEvent carries the payload of the Cluster TPR events.
@ -165,16 +169,28 @@ func (n *NamespacedName) Decode(value string) error {

 	if strings.Trim(value, string(types.Separator)) != "" && name == (types.NamespacedName{}) {
 		name.Name = value
-		name.Namespace = v1.NamespaceDefault
+		name.Namespace = GetOperatorNamespace()
 	} else if name.Namespace == "" {
-		name.Namespace = v1.NamespaceDefault
+		name.Namespace = GetOperatorNamespace()
 	}

 	if name.Name == "" {
-		return fmt.Errorf("incorrect namespaced name")
+		return fmt.Errorf("incorrect namespaced name: %v", value)
 	}

 	*n = NamespacedName(name)

 	return nil
 }
+
+// GetOperatorNamespace assumes serviceaccount secret is mounted by kubernetes
+// Placing this func here instead of pgk/util avoids circular import
+func GetOperatorNamespace() string {
+
+	operatorNamespaceBytes, err := ioutil.ReadFile(fileWithNamespace)
+	if err != nil {
+		log.Fatalf("Unable to detect operator namespace from within its pod due to: %v", err)
+	}
+
+	return string(operatorNamespaceBytes)
+}