From a466ef93b0bfe9c33cf5256f5fec75102a72c3e7 Mon Sep 17 00:00:00 2001
From: Greg Smith <65406958+gsmith-sas@users.noreply.github.com>
Date: Thu, 12 Sep 2024 16:31:27 -0400
Subject: [PATCH] [FIX] Update deploy_monitoring_openshift.sh for OCP 4.16+ (#672)
---
 CHANGELOG.md | 6 ++++
 monitoring/bin/deploy_monitoring_openshift.sh | 32 +++++++++++++++----
 2 files changed, 31 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9458d62c..6dd398c0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,10 @@
 # SAS Viya Monitoring for Kubernetes
 ## Unreleased
+* **Overall**
+ * [DOCUMENTATION] Reorganization of content to improve readability and flow.
+ * [TASK] Updated links (within markdown files, dashboards, etc.) to reflect documentation reorganization
+
 * **Logging**
 * [CHANGE] Updated link to SAS documentation in the SAS Update Checker Report (within
 OpenSearch Dashboards) to be version-independent
@@ -8,6 +12,8 @@ OpenSearch Dashboards) to be version-independent
 * **Metrics**
 * [FIX] Changed metric label (from 'CAS Version' to 'OS Version') on SAS CAS Overview dashboard (within Grafana) to reflect information displayed
+ * [FIX] Replace deprecated `oc serviceacounts get-token` command in deploy_monitoring_openshift.sh for OpenShift 4.16+
+
 ## Version 1.2.28 (13AUG2024)
 * **Logging**
diff --git a/monitoring/bin/deploy_monitoring_openshift.sh b/monitoring/bin/deploy_monitoring_openshift.sh
index 5e517b2c..a8b8dda5 100755
--- a/monitoring/bin/deploy_monitoring_openshift.sh
+++ b/monitoring/bin/deploy_monitoring_openshift.sh
@@ -80,20 +80,38 @@ if [ -z "$(kubectl get serviceAccount -n $MON_NS grafana-serviceaccount -o name
 kubectl create serviceaccount -n $MON_NS grafana-serviceaccount
 fi
-# OCP 4.11: We need to patch service account to add API Token
- if [ "$OSHIFT_MAJOR_VERSION" -eq "4" ] && [ "$OSHIFT_MINOR_VERSION" -gt "10" ]; then
- token=$(kubectl describe -n $MON_NS serviceaccount grafana-serviceaccount |grep "Tokens:"|awk '{print $2}')
- log_debug "Patching serviceAccount to link to token...[$token]"
- kubectl -n $MON_NS patch serviceaccount grafana-serviceaccount --type=json -p='[{"op":"add","path":"/secrets/1","value":{"name":"'$token'"}}]'
- fi
+if [ -z "$(kubectl get serviceAccount -n $MON_NS grafana-serviceaccount -o name 2>/dev/null)" ]; then
+ log_info "Creating Grafana serviceAccount..."
+ kubectl create serviceaccount -n $MON_NS grafana-serviceaccount
+fi
 #Container Security: Disable serviceAccount Token Automounting
 disable_sa_token_automount $MON_NS grafana-serviceaccount
 log_debug "Adding cluster role..."
 oc adm policy add-cluster-role-to-user cluster-monitoring-view -z grafana-serviceaccount -n $MON_NS
+
+if [ "$OSHIFT_MAJOR_VERSION" -eq "4" ] && [ "$OSHIFT_MINOR_VERSION" -gt "10" ] && [ "$OSHIFT_MINOR_VERSION" -lt "16" ] ; then
+
+ # OCP versions 4.11-4.15: We need to patch service account to add API Token
+
+ # NOTE: $token below is the *name* of the Kubernetes secret
+ # containing the autogenerated serviceaccount token
+ token=$(kubectl describe -n $MON_NS serviceaccount grafana-serviceaccount |grep "Tokens:"|awk '{print $2}')
+ log_debug "Patching serviceAccount to link to token...[$token]"
+ kubectl -n $MON_NS patch serviceaccount grafana-serviceaccount --type=json -p='[{"op":"add","path":"/secrets/1","value":{"name":"'$token'"}}]'
+fi
+
 log_debug "Obtaining token..."
-grafanaToken=$(oc serviceaccounts get-token grafana-serviceaccount -n $MON_NS)
+# NOTE: $grafanaToken is an actual token and NOT the name of a k8s resouce
+if [ "$OSHIFT_MAJOR_VERSION" -eq "4" ] && [ "$OSHIFT_MINOR_VERSION" -gt "15" ]; then
+ # OCP 4.16: removed deprecated oc serviceaccounts get-token command
+ # NOTE: 12000 hours = 500 days although OpenShift *may* expire token after 12 months
+ grafanaToken=$(oc create token grafana-serviceaccount -n $MON_NS --duration 12000h)
+else
+ grafanaToken=$(oc serviceaccounts get-token grafana-serviceaccount -n $MON_NS)
+fi
+
 if [ "$grafanaToken" == "" ]; then
 log_error "Unable to obtain authentication token for [grafana-serviceaccount]"
 exit 1
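Review bot: The 4.16+ branch requests a 500-day bearer token with a hard-coded `--duration 12000h`, and nothing in the hunk covers what happens when that token expires or has to be revoked. A token issued by `oc create token` is not backed by a Secret, so it cannot be withdrawn by deleting one; as far as I know it stays valid until it expires or the service account is deleted, and the API server may shorten the requested lifetime without the script noticing. I would make the lifetime overridable and no longer than needed, e.g. `--duration "${GRAFANA_SA_TOKEN_DURATION:-12000h}"` (the variable name is a suggestion), and add a comment saying the deployment must be re-run before expiry to refresh Grafana's credential. The same condition tests only `"$OSHIFT_MAJOR_VERSION" -eq "4"`, so a later major version would fall through to the removed `oc serviceaccounts get-token` call. The script continues outside the hunk, so how `$grafanaToken` is stored afterwards is not visible here.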