Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow NGF to run on Openshift #1976

Merged
merged 34 commits into from
May 28, 2024
Merged

Allow NGF to run on Openshift #1976

merged 34 commits into from
May 28, 2024

Conversation

bjee19
Copy link
Contributor

@bjee19 bjee19 commented May 15, 2024
edited

Add SecurityContextConstraints for NGF, documentation on additional steps when installing NGF on an Openshift environment.

Problem: NGF fails to deploy on Openshift.

Solution: Add SecurityContextConstraints for NGF, giving NGF to correct permissions to deploy on Openshift.

Testing: Manual deployment of NGF with NGINX and NGINX+. Also set up the cafe example and ensured traffic flowed.

After manual deployment of NGF, here is the cafe example directing traffic correctly:

[cloud-user@ocp-provisioner cafe-example]$ curl --resolve cafe.example.com:8080:127.0.0.1 http://cafe.example.com:8080/coffee
Handling connection for 8080
Server address: 10.131.0.49:8080
Server name: coffee-7b9b4bbd99-dtdzv
Date: 08/May/2024:23:11:50 +0000
URI: /coffee
Request ID: e49fc248ba007d069782e7afe43954b9
[cloud-user@ocp-provisioner cafe-example]$ curl --resolve cafe.example.com:8080:127.0.0.1 http://cafe.example.com:8080/tea
Handling connection for 8080
Server address: 10.131.0.50:8080
Server name: tea-7f5799695f-2wcnx
Date: 08/May/2024:23:12:04 +0000
URI: /tea
Request ID: 5728cac75d9c670b2ed3125b39181771

After manual deployment of NGF with NGINX+, here is the cafe example directing traffic correctly:

NAME                                        READY   STATUS    RESTARTS      AGE
ngf-nginx-gateway-fabric-586cdc4477-779l2   2/2     Running   1 (31s ago)   49s
[cloud-user@ocp-provisioner ~]$ kubectl logs -n nginx-gateway ngf-nginx-gateway-fabric-586cdc4477-779l2 --container nginx
2024/05/14 18:16:06 [notice] 22#22: using the "epoll" event method
2024/05/14 18:16:06 [notice] 22#22: nginx/1.25.3 (nginx-plus-r31-p1)

...

[cloud-user@ocp-provisioner ~]$ curl --resolve cafe.example.com:8080:127.0.0.1 http://cafe.example.com:8080/coffee
Server address: 10.128.2.28:8080
Server name: coffee-7b9b4bbd99-ltsmp
Date: 14/May/2024:20:36:02 +0000
URI: /coffee
Request ID: 5952f1e1a07070db43d1f07300d85cc4
[cloud-user@ocp-provisioner ~]$ curl --resolve cafe.example.com:8080:127.0.0.1 http://cafe.example.com:8080/tea
Server address: 10.131.0.28:8080
Server name: tea-7f5799695f-75vwz
Date: 14/May/2024:20:36:19 +0000
URI: /tea
Request ID: d233f1856fcf96e5b49684232257a7ec

Closes #1674

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

Add SecurityContextConstraints so NGF can run on Openshift.

@github-actions github-actions bot added bug Something isn't working documentation Improvements or additions to documentation helm-chart Relates to helm chart labels May 15, 2024
@bjee19
Copy link
Contributor Author

bjee19 commented May 15, 2024

Documentation on additional steps when installing NGF on an Openshift environment is still in progress, would like some feedback on the current SCC file and the references documentation.

kate-osborn
kate-osborn requested changes May 15, 2024
View reviewed changes
deploy/manifests/scc.yaml Outdated Show resolved Hide resolved
deploy/manifests/scc.yaml Outdated Show resolved Hide resolved
deploy/manifests/scc.yaml Outdated Show resolved Hide resolved
deploy/manifests/scc.yaml Show resolved Hide resolved
deploy/manifests/scc.yaml Show resolved Hide resolved
deploy/manifests/scc.yaml Show resolved Hide resolved
site/content/reference/openshift-permissions.md Outdated Show resolved Hide resolved
site/content/reference/openshift-permissions.md Outdated Show resolved Hide resolved
site/content/reference/openshift-permissions.md Outdated Show resolved Hide resolved
site/content/reference/openshift-permissions.md Outdated Show resolved Hide resolved
sjberman
sjberman reviewed May 16, 2024
View reviewed changes
charts/nginx-gateway-fabric/values.yaml Outdated Show resolved Hide resolved
deploy/manifests/scc.yaml Outdated Show resolved Hide resolved
@bjee19 bjee19 mentioned this pull request May 16, 2024
Open
@bjee19
Copy link
Contributor Author

bjee19 commented May 16, 2024

Decided to split out the openshift-permissions / NGF permissions into a separate issue found here #1985 , will be resolving/closing all reviews dealing with that document.

@bjee19 bjee19 force-pushed the fix/fails-to-deploy-on-openshift branch from fa18b7b to 1dd9543 Compare May 20, 2024 22:03
@bjee19 bjee19 marked this pull request as ready for review May 22, 2024 15:32
@bjee19 bjee19 requested review from a team as code owners May 22, 2024 15:32
lucacome
lucacome reviewed May 22, 2024
View reviewed changes
.goreleaser.yml Outdated Show resolved Hide resolved
@bjee19 bjee19 requested a review from lucacome May 23, 2024 20:28
bjee19 added 26 commits May 28, 2024 10:29
@bjee19
Change helm template from onOpenshift to platform
2592c87
@bjee19
Add allowPrivilegeEscalation
0c14d2c
@bjee19
Remove unnecessary false boolean fields in SCC
9727a3b
@bjee19
Add Helm templating for SCC
a36ca2c
@bjee19
Remove openshift permissions document
356c951
@bjee19
Add back required SCC fields
b3b8fc2
@bjee19
Add platform openshift to upgrade commands too
fa42453
@bjee19
Add sccName value to rbac template
580cec8
@bjee19
Add scc name to helpers template file
892d48a
@bjee19
Remove sccName from values file
517ac81
@bjee19
Add createOpenShiftSCC flag
202c0c9
@bjee19
Add openshift manifests and helm template generation
083972a
@bjee19
Remove unnecessary scc manifest
d32061d
@bjee19
Add installation through manifests on openshift document
9b17360
@bjee19
Add grpc routes changes from main
8834573
@bjee19
Remove running on openshift document
228de49
@bjee19
Add openshift to file names and add files to goreleaser
f8f97c9
@bjee19
Add Helm template checker for Openshift platform and remove fields in…
48a7e1c 
… values file
@bjee19
Remove openshift specific manifests
ad6dacc
@bjee19
Update scc users template to use release namespace and SA name
540552b
@bjee19
Add scc.yaml manifest
2515c22
@bjee19
Remove Openshift manifest specific document
2e2153f
@bjee19
Remove comment on installation in helm installation guide
2238762
@bjee19
Add more details on installation through manifests
03c8be5
@bjee19
Change SCC link to version 1.2.0
bda54b7
@bjee19
Fix Openshift to OpenShift
2573e90
@bjee19 bjee19 force-pushed the fix/fails-to-deploy-on-openshift branch from 4f28bbf to 2573e90 Compare May 28, 2024 17:33
@bjee19 bjee19 merged commit 2296ac5 into nginxinc:main May 28, 2024
40 checks passed
@bjee19 bjee19 deleted the fix/fails-to-deploy-on-openshift branch May 28, 2024 17:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ciarams87 ciarams87 ciarams87 approved these changes

@pleshakov pleshakov pleshakov approved these changes

@sjberman sjberman sjberman approved these changes

@kate-osborn kate-osborn kate-osborn approved these changes

@lucacome lucacome Awaiting requested review from lucacome

Assignees
No one assigned
Labels
bug Something isn't working documentation Improvements or additions to documentation helm-chart Relates to helm chart release-notes
Projects
NGINX Gateway Fabric
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

NGF fails to deploy on Openshift
6 participants
@bjee19 @lucacome @pleshakov @sjberman @ciarams87 @kate-osborn