[FIX] Update deploy_monitoring_openshift.sh for OCP 4.16+
gsmith-sas committed Aug 28, 2024
1 parent ae1b901 commit e453c98
Showing 2 changed files with 30 additions and 10 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,10 @@
# SAS Viya Monitoring for Kubernetes

## unreleased
* **Metrics**
* [FIX] Updated deploy_monitoring_openshift.sh to be compatible with OpenShift 4.16+


## Version 1.2.28 (13AUG2024)
* **Logging**
* [UPGRADE] OpenSearch and OpenSearch Dashboards upgraded from 2.12.0 to 2.15.0
35 changes: 25 additions & 10 deletions monitoring/bin/deploy_monitoring_openshift.sh
Expand Up @@ -80,23 +80,38 @@ if [ -z "$(kubectl get serviceAccount -n $MON_NS grafana-serviceaccount -o name
kubectl create serviceaccount -n $MON_NS grafana-serviceaccount
fi

# OCP 4.11: We need to patch service account to add API Token
if [ "$OSHIFT_MAJOR_VERSION" -eq "4" ] && [ "$OSHIFT_MINOR_VERSION" -gt "10" ]; then
token=$(kubectl describe -n $MON_NS serviceaccount grafana-serviceaccount |grep "Tokens:"|awk '{print $2}')
log_debug "Patching serviceAccount to link to token...[$token]"
kubectl -n $MON_NS patch serviceaccount grafana-serviceaccount --type=json -p='[{"op":"add","path":"/secrets/1","value":{"name":"'$token'"}}]'
fi
if [ -z "$(kubectl get serviceAccount -n $MON_NS grafana-serviceaccount -o name 2>/dev/null)" ]; then
log_info "Creating Grafana serviceAccount..."
kubectl create serviceaccount -n $MON_NS grafana-serviceaccount
fi

#Container Security: Disable serviceAccount Token Automounting
disable_sa_token_automount $MON_NS grafana-serviceaccount

log_debug "Adding cluster role..."
oc adm policy add-cluster-role-to-user cluster-monitoring-view -z grafana-serviceaccount -n $MON_NS

if [ "$OSHIFT_MAJOR_VERSION" -eq "4" ] && [ "$OSHIFT_MINOR_VERSION" -gt "10" ] && [ "$OSHIFT_MINOR_VERSION" -lt "16" ] ; then

# OCP versions 4.11-4.15: We need to patch service account to add API Token

# NOTE: $token below is the *name* of the Kubernetes secret
# containing the autogenerated serviceaccount token
token=$(kubectl describe -n $MON_NS serviceaccount grafana-serviceaccount |grep "Tokens:"|awk '{print $2}')
log_debug "Patching serviceAccount to link to token...[$token]"
kubectl -n $MON_NS patch serviceaccount grafana-serviceaccount --type=json -p='[{"op":"add","path":"/secrets/1","value":{"name":"'$token'"}}]'
fi

log_debug "Obtaining token..."
###grafanaToken=$(oc serviceaccounts get-token grafana-serviceaccount -n $MON_NS)
grafanaToken=$(oc create token grafana-serviceaccount -n $MON_NS --duration 2160h) # 2160hours = 90 days
###REMOVE FOLLOWING DEBUG LINE
log_debug "Grafana Token:[$grafanaToken]" #REMOVE
# NOTE: $grafanaToken is an actual token and NOT the name of a k8s resouce
if [ "$OSHIFT_MAJOR_VERSION" -eq "4" ] && [ "$OSHIFT_MINOR_VERSION" -gt "15" ]; then
# OCP 4.16: removed deprecated oc serviceaccounts get-token command
# NOTE: 12000 hours = 500 days although OpenShift *may* expire token after 12 months
grafanaToken=$(oc create token grafana-serviceaccount -n $MON_NS --duration 600s)
else
grafanaToken=$(oc serviceaccounts get-token grafana-serviceaccount -n $MON_NS)
fi

if [ "$grafanaToken" == "" ]; then
log_error "Unable to obtain authentication token for [grafana-serviceaccount]"
exit 1
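Review bot: In the OCP 4.16+ branch the comment says `12000 hours = 500 days` but the command requests `--duration 600s`, so the code and its comment disagree about the token lifetime. If the 10-minute value is intended, anything that keeps `$grafanaToken` for later use (how it is consumed is outside this hunk) stops authenticating once it expires; if a long lifetime is intended, note that it is a standing bearer credential for `cluster-monitoring-view` and say how it gets rotated. I would make the two agree and replace the comment with something like `# NOTE: token lifetime is <DURATION>; re-run this script to rotate before expiry`. The page does not mark which side each line is on, but the addition/deletion counts suggest `log_debug "Grafana Token:[$grafanaToken]"` is among the deletions; please confirm it is gone, since it writes the token itself to the debug log. The `if [ "$grafanaToken" == "" ]` block continues past the end of the hunk.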