Initial WIP openshift example (#1225)

* Initial WIP openshift example

.gitignore

@@ -1,2 +1,3 @@
 *.*~
 telepresence.log
+devel/openshift-*

Makefile

@@ -4,10 +4,12 @@ GOFMT = /usr/bin/env gofmt
 IMAGE_TAG ?= dev-$(shell date +%FT%H-%M-%S-%Z)
 VERSION ?= $$(git rev-parse HEAD)
 
+include ./script/openshift-cluster.mk
+
 IMG_MODIFIER ?= 
 
 GO_PACKAGES = ./...
-GO_FILES := $(shell find $(shell $(GO) list -f '{{.Dir}}' $(GO_PACKAGES)) -name \*.go)
+# GO_FILES := $(shell find $(shell $(GO) list -f '{{.Dir}}' $(GO_PACKAGES)) -name \*.go)
 
 default: all
 

docs/user/manifests/openshift-tiller-with-apprepository-rbac.yaml

@@ -0,0 +1,36 @@
+# Tiller needs to be able to create apprepositories in the kubeapps namespace.
+kind: Template
+apiVersion: v1
+objects:
+- kind: Role
+  apiVersion: v1
+  metadata:
+    name: apprepositories-manager
+  rules:
+  - apiGroups:
+    - "kubeapps.com"
+    resources:
+    - apprepositories
+    verbs: ["*"]
+  - apiGroups:
+    - "rbac.authorization.k8s.io"
+    resources:
+    - roles
+    verbs: ["*"]
+- kind: RoleBinding
+  apiVersion: v1
+  metadata:
+    name: tiller-apprepositories
+  roleRef:
+    name: apprepositories-manager
+    namespace: ${KUBEAPPS_NAMESPACE}
+  subjects:
+  - kind: ServiceAccount
+    name: tiller
+    namespace: ${TILLER_NAMESPACE}
+
+parameters:
+- name: KUBEAPPS_NAMESPACE
+  required: true
+- name: TILLER_NAMESPACE
+  required: true

docs/user/manifests/openshift-tiller-with-crd-rbac.yaml

@@ -0,0 +1,106 @@
+kind: Template
+apiVersion: v1
+objects:
+- kind: ServiceAccount
+  apiVersion: v1
+  metadata:
+    name: tiller
+    namespace: ${TILLER_NAMESPACE}
+
+# TODO: Remove cluster-admin binding for tiller and get working with the individual roles below.
+- kind: ClusterRoleBinding
+  apiVersion: v1
+  metadata:
+    name: temporary-tiller-cluster-admin
+  roleRef:
+    kind: ClusterRole
+    name: cluster-admin
+  subjects:
+  - kind: ServiceAccount
+    name: tiller
+    namespace: ${TILLER_NAMESPACE}
+
+- kind: Role
+  apiVersion: v1
+  metadata:
+    name: tiller
+  rules:
+  - apiGroups:
+    - ""
+    resources:
+    - configmaps
+    verbs: ["*"]
+  - apiGroups:
+    - ""
+    resources:
+    - namespaces
+    verbs:
+    - get
+
+- kind: RoleBinding
+  apiVersion: v1
+  metadata:
+    name: tiller
+  roleRef:
+    name: tiller
+    namespace: ${TILLER_NAMESPACE}
+  subjects:
+  - kind: ServiceAccount
+    name: tiller
+
+# The crd-manager role needs to be bound to the tiller service account by the openshift system:admin 
+- kind: ClusterRole
+  apiVersion: v1
+  metadata:
+    name: crd-manager
+  rules:
+  - apiGroups:
+    - "apiextensions.k8s.io"
+    resources:
+    - customresourcedefinitions
+    verbs: ["*"]
+
+- kind: ClusterRoleBinding
+  apiVersion: v1
+  metadata:
+    name: tiller-kubeapps-crds
+  roleRef:
+    kind: ClusterRole
+    name: crd-manager
+  subjects:
+  - kind: ServiceAccount
+    name: tiller
+    namespace: ${TILLER_NAMESPACE}
+
+# On OpenShift, the developer who 'helm install's a chart needs certain access to pods in the tiller namespace.
+- kind: Role
+  apiVersion: v1
+  metadata:
+    name: helm-user
+  rules:
+  - apiGroups:
+    - ""
+    resources:
+    - pods
+    - pods/portforward
+    verbs:
+    - get
+    - list
+    - create
+- kind: RoleBinding
+  apiVersion: v1
+  metadata:
+    name: helm-user
+  roleRef:
+    name: helm-user
+    namespace: ${TILLER_NAMESPACE}
+  subjects:
+  - kind: User
+    name: developer
+
+parameters:
+- name: HELM_VERSION
+  value: v2.6.1
+  required: true
+- name: TILLER_NAMESPACE
+  required: true

script/openshift-cluster.mk

@@ -0,0 +1,67 @@
+# This Makefile assumes that you have:
+# 1) helm installed 
+# 2) minishift installed and a cluster started.
+TILLER_NAMESPACE=tiller
+KUBEAPPS_NAMESPACE=kubeapps
+
+devel/openshift-tiller-project-created:
+	@$(shell minishift oc-env) && \
+		oc login -u developer && \
+		oc new-project ${TILLER_NAMESPACE} && \
+		touch $@
+
+devel/openshift-tiller-with-crd-rbac.yaml: devel/openshift-tiller-project-created
+	@$(shell minishift oc-env) && \
+		oc process -f ./docs/user/manifests/openshift-tiller-with-crd-rbac.yaml \
+			-p TILLER_NAMESPACE="${TILLER_NAMESPACE}" \
+			-p HELM_VERSION=v2.14.3 \
+			-o yaml \
+		> $@
+
+devel/openshift-tiller-with-apprepository-rbac.yaml: devel/openshift-tiller-with-crd-rbac.yaml
+	@$(shell minishift oc-env) && \
+		oc process -f ./docs/user/manifests/openshift-tiller-with-apprepository-rbac.yaml \
+			-p TILLER_NAMESPACE="${TILLER_NAMESPACE}" \
+			-p KUBEAPPS_NAMESPACE="${KUBEAPPS_NAMESPACE}" \
+			-o yaml \
+		> $@
+
+# Openshift requires you to have a project selected when referencing roles, otherwise the following error results:
+# Error from server: invalid origin role binding tiller-apprepositories: attempts to reference
+# role in namespace "kubeapps" instead of current namespace "tiller"
+openshift-install-tiller: devel/openshift-tiller-with-crd-rbac.yaml devel/openshift-tiller-with-apprepository-rbac.yaml devel/openshift-kubeapps-project-created
+	$(shell minishift oc-env) && \
+		oc login -u system:admin && \
+		oc project ${TILLER_NAMESPACE} && \
+		oc apply -f devel/openshift-tiller-with-crd-rbac.yaml --wait=true && \
+		oc project ${KUBEAPPS_NAMESPACE} && \
+		oc apply -f devel/openshift-tiller-with-apprepository-rbac.yaml && \
+		helm init --tiller-namespace ${TILLER_NAMESPACE} --service-account tiller --wait && \
+		oc login -u developer
+
+devel/openshift-kubeapps-project-created: devel/openshift-tiller-project-created
+	@$(shell minishift oc-env) && \
+		oc login -u developer && \
+		oc new-project ${KUBEAPPS_NAMESPACE} && \
+		oc policy add-role-to-user edit "system:serviceaccount:${TILLER_NAMESPACE}:tiller" && \
+		touch $@
+
+devel/openshift-kubeapps-installed: openshift-install-tiller
+	@$(shell minishift oc-env) && \
+		oc project ${KUBEAPPS_NAMESPACE} && \
+		helm --tiller-namespace=${TILLER_NAMESPACE} install ./chart/kubeapps -n ${KUBEAPPS_NAMESPACE} --set tillerProxy.host=tiller-deploy.tiller:44134
+
+openshift-kubeapps: devel/openshift-kubeapps-installed
+
+openshift-kubeapps-reset:
+	$(shell minishift oc-env) && \
+		oc login -u system:admin && \
+		oc delete project ${KUBEAPPS_NAMESPACE} && \
+		oc delete project ${TILLER_NAMESPACE} && \
+		#oc delete -f devel/openshift-tiller-with-crd-rbac.yaml && \
+		#oc delete -f devel/openshift-tiller-with-apprepository-rbac.yaml && \
+		oc delete customresourcedefinition apprepositories.kubeapps.com && \
+		oc login -u developer && \
+		rm devel/openshift-*	
+
+.PHONY: openshift-install-tiller openshift-kubeapps openshift-kubeapps-reset