puppetlabs / puppetserver-helm-chart

The Helm Chart for Puppet Server
Apache License 2.0

openshift support #65

Open a-dawg opened 3 years ago

a-dawg commented 3 years ago

Describe the Bug

I am not able to run the chart on OpenShift 4.5. I am getting this in the puppetserver logs:

Running /docker-entrypoint.d/10-analytics.sh
(/docker-entrypoint.d/10-analytics.sh) Pupperware analytics disabled; skipping metric submission
Running /docker-entrypoint.d/20-use-templates-initially.sh
Upgrading /opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems
Running /docker-entrypoint.d/30-set-permissions.sh
Running /docker-entrypoint.d/40-update-puppetdb-conf.sh
Running /docker-entrypoint.d/50-set-certname.sh
Running /docker-entrypoint.d/55-set-masterport.sh
Running /docker-entrypoint.d/60-setup-autosign.sh
Running /docker-entrypoint.d/70-set-dns-alt-names.sh
Running /docker-entrypoint.d/80-ca.sh
Running /docker-entrypoint.d/85-setup-storeconfigs.sh
Running /docker-entrypoint.d/90-consul.sh
runuser: failed to user credentials: System error

Expected Behavior

should not be killed

Environment

openshift 4.5

Additional Context

I have tried the commands below with no luck

oc -n puppet adm policy add-scc-to-user privileged -z default
oc adm policy add-scc-to-user anyuid -z deployer -n puppet

a-dawg commented 3 years ago

This issue is related to puppet/puppetserver not being OpenShift compatible.

Xtigyro commented 3 years ago

@a-dawg Gotcha! Thanks for bringing this up! 💯

Will be added in the next month or two.

CC: @underscorgan @Iristyle @slconley @scottcressi @mwaggett @nwolfe @adrienthebo @dhollinger @raphink @binford2k

raphink commented 3 years ago

@a-dawg FTR we're using puppet/puppetserver on OpenShift, but we do not use the entrypoint scripts. See https://github.com/camptocamp/charts/blob/master/puppetserver/templates/deployment.yaml#L54-L72

Xtigyro commented 3 years ago

@raphink Please feel absolutely free to start the work on adding the OpenShift support to the chart - will be very appreciated. 🥇

P.S. https://github.com/puppetlabs/puppetserver-helm-chart/pull/66 should help the chart to meet some of your earlier requirements.

pjamenaja commented 3 years ago

I just had a chance to deploy Puppet on OpenShift 4.5 today and discovered 3 steps that need to be done to make it work on OpenShift.

  1. Run the command oc adm policy add-scc-to-user privileged -z default -n puppet-server to add the "privileged" SCC to user "default". Please note that the "privileged" SCC is the most relaxed security setting, so be careful when using it. Ref: https://www.openshift.com/blog/managing-sccs-in-openshift

  2. Add a "securityContext" to the "puppetserver" container; this requires modifying the Helm template puppetserver-deployment-masters.yaml.

        securityContext:
          runAsUser: 0
          runAsNonRoot: false
          privileged: true

  3. The same "securityContext" will need to be added to the "puppetdb" and "puppetboard" containers in puppetdb-deployment.yaml as well.
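
An added example, not part of the comment above or of the chart's own code: because steps 2 and 3 run the puppetserver, puppetdb and puppetboard containers as privileged root, this Python check lists every container in `oc get deployments -n <namespace> -o json` output that is privileged or runs as UID 0, so the exceptions can be tracked. The function name `audit_security_contexts` is hypothetical and the sample JSON is constructed.

```python
import json

# Constructed sample shaped like `oc get deployments -o json` output (not real cluster data).
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "puppetserver-masters"},
         "spec": {"template": {"spec": {
             "containers": [{"name": "puppetserver", "securityContext": {
                 "runAsUser": 0, "runAsNonRoot": False, "privileged": True}}]}}}},
        {"metadata": {"name": "puppetdb"},
         "spec": {"template": {"spec": {
             "securityContext": {"runAsUser": 0},
             "initContainers": [{"name": "init",
                                 "securityContext": {"runAsUser": 1001}}],
             "containers": [{"name": "puppetdb"},
                            {"name": "puppetboard", "securityContext": {
                                "runAsUser": 1001, "runAsNonRoot": True}}]}}}},
    ],
})


def audit_security_contexts(doc_json):
    """Return (deployment, container, reasons) for each container that is
    privileged or runs as UID 0. Accepts a List or a single Deployment."""
    doc = json.loads(doc_json)
    findings = []
    for item in doc.get("items", [doc]):
        pod = item["spec"]["template"]["spec"]
        pod_sc = pod.get("securityContext") or {}
        for c in pod.get("initContainers", []) + pod.get("containers", []):
            sc = c.get("securityContext") or {}
            reasons = []
            # "privileged" only exists at container level.
            if sc.get("privileged"):
                reasons.append("privileged")
            # runAsUser exists at both levels; the container value wins.
            if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
                reasons.append("runAsUser=0")
            if reasons:
                findings.append((item["metadata"]["name"], c["name"], reasons))
    return findings


if __name__ == "__main__":
    for dep, ctr, reasons in audit_security_contexts(SAMPLE):
        print(f"{dep}/{ctr}: {', '.join(reasons)}")
```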

Xtigyro commented 2 years ago

Thanks for the proposition, @a-dawg @pjamenaja! Please feel free to send our way a PR - I'll be happy to review and merge it, afterwards. 🙇‍♂️