Changed the Trident installer to support RBAC

The installer script creates service accounts, cluster roles, and cluster role bindings for Trident and Trident launcher
The default namespace for Trident has changed from "default" to the working namespace
The installer supports installing Trident in a different namespace (./install_trident.sh -n trident)
Added a script for deleting most artificats of the installer
Added a script for updating or rolling back containers in the Trident deployment

Author: kangarlou

.gitignore

@@ -13,7 +13,7 @@ kubernetes-yaml/trident-deployment-local.yaml
 launcher/kubernetes-yaml/launcher-pod-local.yaml
 launcher/config/
 trident-installer.tar.gz
-trident-installer/launcher-pod.yaml
+trident-installer/*.yaml
 trident-installer/setup
 trident
 

Makefile

@@ -201,6 +201,9 @@ dist_tar:
 	@mkdir -p trident-installer/setup
 	@sed "s|__LAUNCHER_TAG__|${LAUNCHER_DIST_TAG}|g" ./launcher/kubernetes-yaml/launcher-pod.yaml.templ > trident-installer/launcher-pod.yaml
 	@sed "s|__TRIDENT_IMAGE__|${TRIDENT_DIST_TAG}|g" kubernetes-yaml/trident-deployment.yaml.templ > trident-installer/setup/trident-deployment.yaml
+	@cp kubernetes-yaml/trident-namespace.yaml trident-installer/
+	@cp kubernetes-yaml/trident-serviceaccounts.yaml trident-installer/
+	@cp kubernetes-yaml/trident-clusterrole* trident-installer/
 	@tar -czf trident-installer-${TRIDENT_DIST_VERSION}.tar.gz trident-installer
 
 dist_tag:

README.md

@@ -120,28 +120,24 @@ are not available, see the subsequent sections.
 7.  Copy the backend configuration file from step 6 the `setup/` directory
     and name it `backend.json`.
 
-8. Run the Trident installation script.  If using Kubernetes, run:
+8. Run the Trident installation script:
 
 	```bash
-	./install_trident.sh
+	./install_trident.sh -n trident
 	```
-
-	If using OpenShift, run:
-
-	```bash
-	./install_trident.sh --namespace <namespace> --serviceaccount trident
-	```
-
-	where the `--namespace` argument is optional.
+	where the `-n` argument is optional and specifies the namespace for the
+	Trident deployment. If not specified, namespace defaults to the current
+	namespace; however, it is highly recommended to run Trident in its own
+	namespace so that it is isoloated from other applications in the cluster.
 
 	The install script first configures the Trident deployment and Trident
 	launcher pod definitions, found in `setup/trident-deployment.yaml` and
 	`launcher-pod.yaml`, to use the namespace and service account specified
-	(defaulting to `default` for both if unspecified, as in the Kubernetes
-	command above).  It then starts the Trident launcher pod, which provisions
-	a PVC and PV on which Trident will store its data, using the provided
-	backend.  The launcher then starts a deployment for Trident itself, using
-	the defintion in `setup/`.
+	(defaulting to the current namespace for both if unspecified, as in the 
+	Kubernetes command above).  It then starts the Trident launcher pod, 
+	which provisions a PVC and PV on which Trident will store its data, using
+	the provided backend.  The launcher then starts a deployment for Trident 
+	itself, using the defintion in `setup/`.
 
 	When the installer completes, `kubectl get deployment trident` should show
 	a deployment named `trident` with a single live replica.  Running `kubectl
@@ -304,10 +300,22 @@ parameters:
 * `-deployment_file`:  The path to a Trident deployment definition, as
   described in [Deploying As a Pod](#deploying-as-a-pod).  Defaults to
   `/etc/config/trident-deployment.yaml`.
-* `-apiserver`:  The IP address and insecure port for the Kubernetes API
+* `-apiserver`: The IP address and insecure port for the Kubernetes API
   server.  Optional; if specified, the launcher uses this to communicate with
   the API server.  If omitted, the launcher will assume it is being launched as
   a Kubernetes pod and connect using the service account for that pod.
+* `-volume_name`: The name of the volume provisioned by launcher on the storage
+  backend. If omitted, it defaults to "trident".
+* `-volume_size`: The size of the volume provisioned by launcher in GB. If
+  omitted, it defaults to 1GB.
+* `pvc_name`: The name of the PVC created by launcher. If omitted, it defaults
+  to "trident".
+* `pv_name`: The name of the PV created by launcher. If omitted, it defaults
+  to "trident".
+* `-trident_timeout`: The number of seconds to wait before the launcher times
+  out on a Trident connection. If omitted, it defaults to 10 seconds.
+* `-k8s_timeout`: The number of seconds to wait before timing out on Kubernetes
+   operations. If omitted, it defaults to 60 seconds.  
 * `-debug`: Optional; enables debugging output.
 
 As with Trident itself, the launcher can be deployed as a pod using the
@@ -341,19 +349,59 @@ Trident launcher and CLI, and several sample input files for Trident.  The insta
 script requires a backend configuration named `backend.json` to be added to the
 `setup/` directory.  Once this has been done, it will create the ConfigMap
 described above using the files in `setup/` and then launch the Trident
-deployment.  It takes two optional parameters:
-
-* `-n <namespace>`/`--namespace <namespace>`:  Namespace in which to deploy
-  Trident and the Trident launcher.  Defaults to `default`.
-* `-s <service-account>`/`--serviceaccount <service-account>`:  Service account
-  to use for Trident and the Trident launcher.  Defaults to `default`.
-
-The script will change the deployment definition files (`launcher-pod.yaml` and
-`setup/trident-deployment.yaml`) provided based on these parameters.  These
-defintions can also be changed manually as needed.  Note that the script must
-be run with `kubectl` using a context with the namespace used in `--namespace`;
-otherwise, the ConfigMap will be created in the wrong namespace and the
-launcher will not run.
+deployment.  This script can be run from any directory and from any namespace.
+```bash
+$ ./install_trident.sh -h
+
+Usage:
+ -n <namespace>      Specifies the namespace for the Trident deployment; defaults to the current namespace.
+ -h                  Prints this usage guide.
+
+Example:
+  ./install_trident.sh -n trident		Installs the Trident deployment in namespace "trident".
+```
+
+It is highly recommended to run Trident in its own namespace
+(`./install_trident.sh -n trident`) so that it is isolated from other
+applications in the Kubernetes cluster. This script also creates service
+accounts, cluster roles, and cluster role bindings for both Trident and Trident
+launcher.
+
+#### Delete Script
+
+The delete script deletes most artifacts of the install script. This script can
+be run from any directory and from any namespace.
+```bash
+$ ./delete_trident.sh -h
+
+Usage:
+ -n <namespace>      Specifies the namespace for the Trident deployment; defaults to the current namespace.
+ -h                  Prints this usage guide.
+
+Example:
+  ./delete_trident.sh -n trident		Deletes artifacts of Trident from namespace "trident".
+```
+
+This script does not delete the namespace, the PVC, and the PV created by the
+install script.
+
+#### Update Script
+
+The update script can be used to update or rollback container images in the
+Trident deployment.
+```bash
+$ ./update_trident.sh -h
+
+Usage:
+ -n <namespace>      Specifies the namespace for the Trident deployment; defaults to the current namespace.
+ -t <trident_image>  Specifies the new image for the "trident-main" container in the Trident deployment.
+ -e <etcd_image>     Specifies the new image for the "etcd" container in the Trident deployment.
+ -d <deployment>     Specifies the name of the deployment; defaults to "trident". 
+ -h                  Prints this usage guide.
+
+Example:
+  ./update_trident.sh -n trident -t netapp/trident:17.04.1		Updates the Trident deployment in namespace "trident" to use image "netapp/trident:17.04.1".
+```
 
 ### Deploying As a Pod
 

kubernetes-yaml/trident-clusterrolebindings.yaml

@@ -0,0 +1,26 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+  name: trident
+subjects:
+  - kind: ServiceAccount
+    name: trident
+    namespace: trident
+roleRef:
+  kind: ClusterRole
+  name: trident
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+    name: trident-launcher
+subjects:
+  - kind: ServiceAccount
+    name: trident-launcher
+    namespace: trident
+roleRef:
+  kind: ClusterRole
+  name: trident-launcher
+  apiGroup: rbac.authorization.k8s.io
+

kubernetes-yaml/trident-clusterroles.yaml

@@ -0,0 +1,35 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+  name: trident
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["watch", "create", "update", "patch"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+  name: trident-launcher
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["pods", "pods/log"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["extensions", "apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "watch", "create", "delete"]

kubernetes-yaml/trident-deployment.yaml.templ

@@ -2,18 +2,16 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: trident
-  namespace: default
   labels:
     app: trident.netapp.io
-    kubernetes.io/cluster-service: "true"
 spec:
   replicas: 1
   template:
       metadata:
           labels:
               app: trident.netapp.io
       spec:
-          serviceAccount: default
+          serviceAccount: trident
           containers:
           - name: trident-main
             image: __TRIDENT_IMAGE__ 
@@ -25,6 +23,7 @@ spec:
             - "-k8s_pod"
             #- "-k8s_api_server"
             #- "__KUBERNETES_SERVER__:__KUBERNETES_PORT__"
+            #- "-debug"
           - name: etcd
             image: quay.io/coreos/etcd:v3.1.3
             command:

kubernetes-yaml/trident-serviceaccounts.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: trident
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+    name: trident-launcher
+

launcher/kubernetes-yaml/launcher-pod.yaml.templ

@@ -2,9 +2,8 @@ apiVersion: v1
 kind: Pod
 metadata:
     name: trident-launcher
-    namespace: default
 spec:
-    serviceAccount: default
+    serviceAccount: trident-launcher
     containers:
     - name: launcher
       image: __LAUNCHER_TAG__

launcher/launcher.go

@@ -34,6 +34,7 @@ const (
 	tridentEphemeralPodName = "trident-ephemeral"
 	tridentDefaultPort      = 8000
 	tridentStorageClassName = "trident-basic"
+	tridentNamespaceFile    = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
 	//based on the number of seconds Trident waits on etcd to bootstrap
 	bootstrappingTimeout int64 = 11
 )
@@ -46,7 +47,7 @@ var (
 		"/etc/config/trident-deployment.yaml", "Deployment definition file for Trident")
 	debug                  = flag.Bool("debug", false, "Enable debug output.")
 	k8sTimeout             = flag.Int64("k8s_timeout", 60, "The number of seconds to wait before timing out on Kubernetes operations.")
-	tridentVolumeSize      = flag.Int("volume_size", 1, "The size of the volume used by etcd in GB.")
+	tridentVolumeSize      = flag.Int("volume_size", 1, "The size of the volume provisioned by launcher in GB.")
 	tridentVolumeName      = flag.String("volume_name", "trident", "The name of the volume used by etcd.")
 	tridentPVCName         = flag.String("pvc_name", "trident", "The name of the PVC used by Trident.")
 	tridentPVName          = flag.String("pv_name", "trident", "The name of the PV used by Trident.")
@@ -694,8 +695,14 @@ func (launcher *Launcher) Run() (errors []error) {
 			return
 		}
 		if pv, err = createPV(launcher.kubeClient, *tridentPVName, volConfig, pvc); err != nil {
-			launcherErr = fmt.Errorf("Launcher failed in creating PV %s: %s",
-				*tridentPVName, err)
+			launcherErr = fmt.Errorf("Launcher failed in creating PV %s: %s. "+
+				"Either use -pv_name in launcher-pod.yaml to create a volume "+
+				"and a PV with a different name, or delete PV %s so that "+
+				"launcher can create a new PV with the same name. "+
+				"(The new PV will reuse the volume represented by the old "+
+				"PV unless the volume is manually deleted from the storage "+
+				"backend.)",
+				*tridentPVName, err, *tridentPVName)
 			return
 		}
 		pvCreated = true
@@ -820,7 +827,14 @@ func main() {
 	for _, container := range tridentDeployment.Spec.Template.Spec.Containers {
 		if container.Name == tridentContainerName {
 			tridentImage = container.Image
-			tridentNamespace = tridentDeployment.Namespace
+			bytes, err := ioutil.ReadFile(tridentNamespaceFile)
+			if err != nil {
+				log.WithFields(log.Fields{
+					"error":         err,
+					"namespaceFile": tridentNamespaceFile,
+				}).Fatal("Launcher failed to obtain the namespace for the launcher pod!")
+			}
+			tridentNamespace = string(bytes)
 			break
 		}
 	}

launcher/launcher_test.go

@@ -29,7 +29,7 @@ func TestValidKubeVersion(t *testing.T) {
 	}
 }
 
-func TestInvalidKubeVersion1(t *testing.T) {
+func TestInvalidKubeVersion(t *testing.T) {
 	k8sVersion := &version.Info{
 		Major: "1",
 		Minor: "3",