Openshift support (#285)

* adding scc as part of cluster-resources dir

* Added an scc that will contain all needed SA's for the runtime

* fixes according to code review

* fix

* bump

Author: danielm-codefresh

Makefile

@@ -1,4 +1,4 @@
-VERSION=v0.0.262
+VERSION=v0.0.263
 
 OUT_DIR=dist
 YEAR?=$(shell date +"%Y")

cmd/commands/runtime.go

@@ -55,6 +55,7 @@ import (
 	argocdv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	argocdv1alpha1cs "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
 	aev1alpha1 "github.com/argoproj/argo-events/pkg/apis/eventsource/v1alpha1"
+	oc "github.com/codefresh-io/cli-v2/pkg/util/openshift"
 
 	"github.com/Masterminds/semver/v3"
 	kubeutil "github.com/codefresh-io/cli-v2/pkg/util/kube"
@@ -604,6 +605,15 @@ func RunRuntimeInstall(ctx context.Context, opts *RuntimeInstallOptions) error {
 		return util.DecorateErrorWithDocsLink(fmt.Errorf("failed to bootstrap repository: %w", err))
 	}
 
+	err = oc.PrepareOpenshiftCluster(ctx, &oc.OpenshiftOptions{
+		KubeFactory:  opts.KubeFactory,
+		RuntimeName:  opts.RuntimeName,
+		InsCloneOpts: opts.InsCloneOpts,
+	})
+	if err != nil {
+		return fmt.Errorf("failed setting up environment for openshift %w", err)
+	}
+
 	err = apcmd.RunProjectCreate(ctx, &apcmd.ProjectCreateOptions{
 		CloneOpts:   opts.InsCloneOpts,
 		ProjectName: opts.RuntimeName,

docs/releases/release_notes.md

@@ -23,7 +23,7 @@ cf version
 
 ```bash
 # download and extract the binary
-curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.262/cf-linux-amd64.tar.gz | tar zx
+curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.263/cf-linux-amd64.tar.gz | tar zx
 
 # move the binary to your $PATH
 mv ./cf-linux-amd64 /usr/local/bin/cf
@@ -36,7 +36,7 @@ cf version
 
 ```bash
 # download and extract the binary
-curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.262/cf-darwin-amd64.tar.gz | tar zx
+curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.263/cf-darwin-amd64.tar.gz | tar zx
 
 # move the binary to your $PATH
 mv ./cf-darwin-amd64 /usr/local/bin/cf

go.mod

@@ -21,6 +21,7 @@ require (
 	github.com/juju/ansiterm v0.0.0-20210929141451-8b71cc96ebdc
 	github.com/manifoldco/promptui v0.8.0
 	github.com/mattn/go-colorable v0.1.12 // indirect
+	github.com/openshift/api v3.9.0+incompatible
 	github.com/rkrmr33/checklist v0.0.5
 	github.com/segmentio/backo-go v1.0.0 // indirect
 	github.com/sirupsen/logrus v1.8.1

go.sum

@@ -1053,6 +1053,8 @@ github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84
 github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
+github.com/openshift/api v3.9.0+incompatible h1:fJ/KsefYuZAjmrr3+5U9yZIZbTOpVkDDLDLFresAeYs=
+github.com/openshift/api v3.9.0+incompatible/go.mod h1:dh9o4Fs58gpFXGSYfnVxGR9PnV53I8TW84pQaJDdGiY=
 github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis=
 github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74=
 github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=

manifests/argo-events/kustomization.yaml

@@ -1,6 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - https://raw.githubusercontent.com/codefresh-io/argo-events/v1.5.5-cap-CR-8983/manifests/install.yaml
-  - https://raw.githubusercontent.com/codefresh-io/argo-events/v1.5.5-cap-CR-8983/manifests/install-validating-webhook.yaml
+  - https://raw.githubusercontent.com/codefresh-io/argo-events/v1.5.5-cap-CR-9720/manifests/install.yaml
+  - https://raw.githubusercontent.com/codefresh-io/argo-events/v1.5.5-cap-CR-9720/manifests/install-validating-webhook.yaml
   - eventbus.yaml

manifests/runtime.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: "{{ namespace }}"
 spec:
   defVersion: 1.0.1
-  version: 0.0.262
+  version: 0.0.263
   bootstrapSpecifier: github.com/codefresh-io/cli-v2/manifests/argo-cd
   components:
     - name: events

pkg/store/store.go

@@ -132,6 +132,7 @@ type Store struct {
 	NetworkTesterImage                   string
 	MinKubeVersion                       string
 	MaxKubeVersion                       string
+	SccName                              string
 	CFInternalGitSources                 []string
 	CFInternalReporters                  []string
 }
@@ -223,6 +224,7 @@ func init() {
 	s.NetworkTesterImage = "quay.io/codefresh/cf-venona-network-tester:latest"
 	s.MinKubeVersion = "v1.18.0"
 	s.MaxKubeVersion = "v1.21.9"
+	s.SccName = "cf-scc"
 	s.CFInternalGitSources = []string{s.MarketplaceGitSourceName}
 	s.CFInternalReporters = []string{s.EventsReporterName, s.WorkflowReporterName, s.RolloutReporterName}
 

pkg/util/kube/kube.go

@@ -28,6 +28,7 @@ import (
 	authv1 "k8s.io/api/authorization/v1"
 	batchv1 "k8s.io/api/batch/v1"
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/version"
@@ -421,3 +422,20 @@ func getPodLogs(ctx context.Context, client kubernetes.Interface, namespace, nam
 
 	return strings.Trim(logsBuf.String(), "\n"), nil
 }
+
+func CheckNamespaceExists(ctx context.Context, namespace string, kubeFactory kube.Factory) (bool, error) {
+	client, err := kubeFactory.KubernetesClientSet()
+	if err != nil {
+		return false, fmt.Errorf("failed to create kubernetes client: %w", err)
+	}
+
+	_, err = client.CoreV1().Namespaces().Get(ctx, namespace, metav1.GetOptions{})
+	if err != nil {
+		if errors.IsNotFound(err) {
+			return false, nil
+		}
+		return false, fmt.Errorf("failed to get namespace %s: %w", namespace, err)
+	}
+
+	return true, nil
+}

pkg/util/openshift/util.go

@@ -0,0 +1,119 @@
+// Copyright 2022 The Codefresh Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package openshift
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/argoproj-labs/argocd-autopilot/pkg/git"
+	"github.com/argoproj-labs/argocd-autopilot/pkg/kube"
+	apstore "github.com/argoproj-labs/argocd-autopilot/pkg/store"
+	"github.com/codefresh-io/cli-v2/pkg/log"
+	"github.com/codefresh-io/cli-v2/pkg/store"
+	apu "github.com/codefresh-io/cli-v2/pkg/util/aputil"
+	kubeutil "github.com/codefresh-io/cli-v2/pkg/util/kube"
+	ocsecurityv1 "github.com/openshift/api/security/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type OpenshiftOptions struct {
+	KubeFactory  kube.Factory
+	RuntimeName  string
+	InsCloneOpts *git.CloneOptions
+}
+
+const openshiftNs = "openshift"
+
+func PrepareOpenshiftCluster(ctx context.Context, opts *OpenshiftOptions) error {
+	isOpenshift, err := isOpenshiftCluster(ctx, opts.KubeFactory)
+	if err != nil {
+		return err
+	}
+
+	if !isOpenshift {
+		return nil
+	}
+
+	err = createScc(ctx, opts)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func isOpenshiftCluster(ctx context.Context, kubeFactory kube.Factory) (bool, error) {
+	exists, err := kubeutil.CheckNamespaceExists(ctx, openshiftNs, kubeFactory)
+	if err != nil {
+		return false, err
+	}
+	if !exists {
+		return false, nil
+	}
+
+	log.G().Info("Running on an Openshift cluster")
+	return true, nil
+}
+
+func createScc(ctx context.Context, opts *OpenshiftOptions) error {
+	r, fs, err := opts.InsCloneOpts.GetRepo(ctx)
+	if err != nil {
+		return err
+	}
+
+	sccPriority := int32(15)
+
+	scc := ocsecurityv1.SecurityContextConstraints{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "SecurityContextConstraints",
+			APIVersion: "security.openshift.io/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: opts.RuntimeName,
+			Name:      store.Get().SccName,
+		},
+		AllowPrivilegedContainer: false,
+		RunAsUser: ocsecurityv1.RunAsUserStrategyOptions{
+			Type: ocsecurityv1.RunAsUserStrategyRunAsAny,
+		},
+		SELinuxContext: ocsecurityv1.SELinuxContextStrategyOptions{
+			Type: ocsecurityv1.SELinuxStrategyRunAsAny,
+		},
+		Users:    getServiceAccountsList(opts.RuntimeName),
+		// This is required to take precedence over the default SCC's
+		Priority: &sccPriority,
+	}
+
+	clusterResourcesDir := fs.Join(apstore.Default.BootsrtrapDir, apstore.Default.ClusterResourcesDir, "in-cluster")
+
+	if err = fs.WriteYamls(fs.Join(clusterResourcesDir, "scc.yaml"), scc); err != nil {
+		return err
+	}
+
+	log.G(ctx).Info("Pushing scc manifest")
+
+	return apu.PushWithMessage(ctx, r, "Created scc")
+}
+
+func getServiceAccountsList(runtimeName string) []string {
+	return []string{
+		fmt.Sprintf("system:serviceaccount:%s:argo-events-sa", runtimeName),
+		fmt.Sprintf("system:serviceaccount:%s:argo-events-webhook-sa", runtimeName),
+		fmt.Sprintf("system:serviceaccount:%s:argo-server", runtimeName),
+		fmt.Sprintf("system:serviceaccount:%s:argocd-redis", runtimeName),
+		fmt.Sprintf("system:serviceaccount:%s:cap-app-proxy", runtimeName),
+	}
+}