Merge remote-tracking branch 'origin/master' into feature/bootstrap-root-pwd

Author: lamai93

Makefile

@@ -104,6 +104,22 @@ endif
 SOURCES := $(shell find $(SRCDIR) -name '*.go' -not -path './test/*')
 DASHBOARDSOURCES := $(shell find $(DASHBOARDDIR)/src -name '*.js' -not -path './test/*') $(DASHBOARDDIR)/package.json
 
+ifndef ARANGOSYNCSRCDIR
+	ARANGOSYNCSRCDIR := $(SCRIPTDIR)/arangosync
+endif
+DOCKERARANGOSYNCCTRLFILE=tests/sync/Dockerfile
+ifndef ARANGOSYNCTESTCTRLIMAGE
+	ARANGOSYNCTESTCTRLIMAGE := $(DOCKERNAMESPACE)/kube-arangodb-sync-test-ctrl$(IMAGESUFFIX)
+endif
+ifndef ARANGOSYNCTESTIMAGE
+	ARANGOSYNCTESTIMAGE := $(DOCKERNAMESPACE)/kube-arangodb-sync-test$(IMAGESUFFIX)
+endif
+ifndef ARANGOSYNCIMAGE
+	ARANGOSYNCIMAGE := $(DOCKERNAMESPACE)/kube-arangodb-sync$(IMAGESUFFIX)
+endif
+ARANGOSYNCTESTCTRLBINNAME := $(PROJECT)_sync_test_ctrl
+ARANGOSYNCTESTCTRLBIN := $(BINDIR)/$(ARANGOSYNCTESTCTRLBINNAME)
+
 .PHONY: all
 all: verify-generated build
 
@@ -298,6 +314,23 @@ docker-test: $(TESTBIN)
 run-upgrade-tests:
 	TESTOPTIONS="-test.run=TestUpgrade" make run-tests
 
+.PHONY: prepare-run-tests
+prepare-run-tests:
+ifdef PUSHIMAGES
+	docker push $(OPERATORIMAGE)
+endif
+ifneq ($(DEPLOYMENTNAMESPACE), default)
+	$(ROOTDIR)/scripts/kube_delete_namespace.sh $(DEPLOYMENTNAMESPACE)
+	kubectl create namespace $(DEPLOYMENTNAMESPACE)
+endif
+	kubectl apply -f $(MANIFESTPATHCRD)
+	kubectl apply -f $(MANIFESTPATHSTORAGE)
+	kubectl apply -f $(MANIFESTPATHDEPLOYMENT)
+	kubectl apply -f $(MANIFESTPATHDEPLOYMENTREPLICATION)
+	kubectl apply -f $(MANIFESTPATHTEST)
+	$(ROOTDIR)/scripts/kube_create_storage.sh $(DEPLOYMENTNAMESPACE)
+	$(ROOTDIR)/scripts/kube_create_license_key_secret.sh "$(DEPLOYMENTNAMESPACE)" '$(ENTERPRISELICENSE)'
+
 .PHONY: run-tests
 run-tests: docker-test
 ifdef PUSHIMAGES
@@ -424,3 +457,54 @@ redeploy-operator: delete-operator manifests
 	kubectl apply -f $(MANIFESTPATHDEPLOYMENTREPLICATION)
 	kubectl apply -f $(MANIFESTPATHTEST)
 	kubectl get pods 
+
+## ArangoSync Tests
+
+$(ARANGOSYNCTESTCTRLBIN): $(GOBUILDDIR) $(SOURCES)
+	@mkdir -p $(BINDIR)
+	docker run \
+		--rm \
+		-v $(SRCDIR):/usr/code \
+		-v $(CACHEVOL):/usr/gocache \
+		-e GOCACHE=/usr/gocache \
+		-e GOPATH=/usr/code/.gobuild \
+		-e GOOS=linux \
+		-e GOARCH=amd64 \
+		-e CGO_ENABLED=0 \
+		-w /usr/code/ \
+		golang:$(GOVERSION) \
+		go build -installsuffix cgo -ldflags "-X main.projectVersion=$(VERSION) -X main.projectBuild=$(COMMIT)" -o /usr/code/bin/$(ARANGOSYNCTESTCTRLBINNAME) $(REPOPATH)/tests/sync
+
+.PHONY: check-sync-vars
+check-sync-vars:
+ifndef ARANGOSYNCSRCDIR
+	@echo ARANGOSYNCSRCDIR must point to the arangosync source directory
+	@exit 1
+endif
+ifndef ARANGODIMAGE
+	@echo ARANGODIMAGE must point to the usable arangodb enterprise image
+	@exit 1
+endif
+ifndef ENTERPRISELICENSE
+	@echo For tests using ArangoSync you most likely need the license key. Please set ENTERPRISELICENSE.
+	@exit 1
+endif
+	@echo Using ArangoSync source at $(ARANGOSYNCSRCDIR)
+	@echo Using ArangoDB image $(ARANGODIMAGE)
+
+.PHONY: docker-sync
+docker-sync: check-sync-vars
+	SYNCIMAGE=$(ARANGOSYNCIMAGE) TESTIMAGE=$(ARANGOSYNCTESTIMAGE) $(MAKE) -C $(ARANGOSYNCSRCDIR) docker docker-test
+
+.PHONY:
+docker-sync-test-ctrl: $(ARANGOSYNCTESTCTRLBIN)
+	docker build --quiet -f $(DOCKERARANGOSYNCCTRLFILE) -t $(ARANGOSYNCTESTCTRLIMAGE) .
+
+.PHONY:
+run-sync-tests: check-vars docker-sync docker-sync-test-ctrl prepare-run-tests
+ifdef PUSHIMAGES
+	docker push $(ARANGOSYNCTESTCTRLIMAGE)
+	docker push $(ARANGOSYNCTESTIMAGE)
+	docker push $(ARANGOSYNCIMAGE)
+endif
+	$(ROOTDIR)/scripts/kube_run_sync_tests.sh $(DEPLOYMENTNAMESPACE) '$(ARANGODIMAGE)' '$(ARANGOSYNCIMAGE)' '$(ARANGOSYNCTESTIMAGE)' '$(ARANGOSYNCTESTCTRLIMAGE)' '$(TESTOPTIONS)'

docs/Manual/Deployment/Kubernetes/Drain.md

@@ -238,17 +238,18 @@ POST /_db/_system/_api/replication/clusterInventory
 }
 ```
 
-Check that for all collections the attribute `"allInSync"` has
-the value `true`. Note that it is necessary to do this for all databases!
+Check that for all collections the attributes `"isReady"` and `"allInSync"`
+both have the value `true`. Note that it is necessary to do this for all
+databases!
 
 Here is a shell command which makes this check easy:
 
 ```bash
-curl -k https://arangodb.9hoeffer.de:8529/_db/_system/_api/replication/clusterInventory --user root: | jq . | grep '"allInSync"' | sort | uniq -c
+curl -k https://arangodb.9hoeffer.de:8529/_db/_system/_api/replication/clusterInventory --user root: | jq . | grep '"isReady"\|"allInSync"' | sort | uniq -c
 ```
 
-If all these checks are performed and are okay, the cluster is ready to
-run a risk-free drain operation.
+If all these checks are performed and are okay, then it is safe to
+continue with the clean out and drain procedure as described below.
 
 {% hint 'danger' %}
 If there are some collections with `replicationFactor` set to
@@ -274,13 +275,14 @@ below, the procedure should also work without this.
 Finally, one should **not run a rolling upgrade or restart operation**
 at the time of a node drain.
 
-## Clean out a DBserver manually (optional)
+## Clean out a DBserver manually
 
-In this step we clean out a _DBServer_ manually, before even issuing the
-`kubectl drain` command. This step is optional, but can speed up things
-considerably. Here is why:
+In this step we clean out a _DBServer_ manually, **before issuing the
+`kubectl drain` command**. Previously, we have denoted this step as optional,
+but for safety reasons, we consider it mandatory now, since it is near
+impossible to choose the grace period long enough in a reliable way.
 
-If this step is not performed, we must choose
+Furthermore, if this step is not performed, we must choose
 the grace period long enough to avoid any risk, as explained in the
 previous section. However, this has a disadvantage which has nothing to
 do with ArangoDB: We have observed, that some k8s internal services like
@@ -308,10 +310,10 @@ POST /_admin/cluster/cleanOutServer
 {"server":"DBServer0006"}
 ```
 
-(please compare the above output of the `/_admin/cluster/health` API).
 The value of the `"server"` attribute should be the name of the DBserver
 which is the one in the pod which resides on the node that shall be
-drained next. This uses the UI short name, alternatively one can use the
+drained next. This uses the UI short name (`ShortName` in the
+`/_admin/cluster/health` API), alternatively one can use the
 internal name, which corresponds to the pod name. In our example, the
 pod name is:
 
@@ -328,6 +330,12 @@ could use the body:
 {"server":"PRMR-wbsq47rz"}
 ```
 
+You can use this command line to achieve this:
+
+```bash
+curl -k https://arangodb.9hoeffer.de:8529/_admin/cluster/cleanOutServer --user root: -d '{"server":"PRMR-wbsq47rz"}'
+```
+
 The API call will return immediately with a body like this:
 
 ```JSON
@@ -360,6 +368,12 @@ GET /_admin/cluster/queryAgencyJob?id=38029195
 }
 ```
 
+Use this command line to check progress:
+
+```bash
+curl -k https://arangodb.9hoeffer.de:8529/_admin/cluster/queryAgencyJob?id=38029195 --user root:
+```
+
 It indicates that the job is still ongoing (`"Pending"`). As soon as
 the job has completed, the answer will be:
 
@@ -391,8 +405,8 @@ completely risk-free, even with a small grace period.
 ## Performing the drain
 
 After all above [checks before a node drain](#things-to-check-in-arangodb-before-a-node-drain)
-have been done successfully, it is safe to perform the drain
-operation, similar to this command:
+and the [manual clean out of the DBServer](#clean-out-a-dbserver-manually)
+have been done successfully, it is safe to perform the drain operation, similar to this command:
 
 ```bash
 kubectl drain gke-draintest-default-pool-394fe601-glts --delete-local-data --ignore-daemonsets --grace-period=300
@@ -402,12 +416,12 @@ As described above, the options `--delete-local-data` for ArangoDB and
 `--ignore-daemonsets` for other services have been added. A `--grace-period` of
 300 seconds has been chosen because for this example we are confident that all the data on our _DBServer_ pod
 can be moved to a different server within 5 minutes. Note that this is
-**not saying** that 300 seconds will always be enough, regardless of how
+**not saying** that 300 seconds will always be enough. Regardless of how
 much data is stored in the pod, your mileage may vary, moving a terabyte
 of data can take considerably longer!
 
-If the optional step of
-[cleaning out a DBserver manually](#clean-out-a-dbserver-manually-optional)
+If the highly recommended step of
+[cleaning out a DBserver manually](#clean-out-a-dbserver-manually)
 has been performed beforehand, the grace period can easily be reduced to 60
 seconds - at least from the perspective of ArangoDB, since the server is already
 cleaned out, so it can be dropped readily and there is still no risk.

docs/Manual/Tutorials/Kubernetes/bare-metal.md

@@ -109,8 +109,8 @@ sudo chown $(id -u):$(id -g) $HOME/.kube/config
 For this guide, we go with **flannel**, as it is an easy way of setting up a layer 3 network, which uses the Kubernetes API and just works anywhere, where a network between the involved machines works:
 
 ```
-kubectl apply -f \ 
-   https://raw.githubusercontent.com/coreos/flannel/bc79dd1505b0c8681ece4de4c0d86c5cd2643275/Documentation/kube-flannel.yml
+kubectl apply -f \
+	https://raw.githubusercontent.com/coreos/flannel/bc79dd1505b0c8681ece4de4c0d86c5cd2643275/Documentation/kube-flannel.yml
 ```
 ```
   clusterrole.rbac.authorization.k8s.io/flannel created
@@ -220,8 +220,8 @@ kubectl get all --all-namespaces
 - Attach `tiller` to proper role
 
   ```
-  kubectl create clusterrolebinding tiller-cluster-rule \
-    --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
+kubectl create clusterrolebinding tiller-cluster-rule \
+	--clusterrole=cluster-admin --serviceaccount=kube-system:tiller
   ```
   ```
     clusterrolebinding.rbac.authorization.k8s.io/tiller-cluster-rule created
@@ -330,7 +330,7 @@ for how to get started.
 - As unlike cloud k8s offerings no file volume infrastructure exists, we need to still deploy the storage operator chart:
 
 ```
-helm install \ 
+helm install \
 	https://github.com/arangodb/kube-arangodb/releases/download/0.3.7/kube-arangodb-storage.tgz
 ```
 ```

manifests/templates/test/rbac.yaml

@@ -10,7 +10,7 @@ rules:
   resources: ["nodes"]
   verbs: ["list"]
 - apiGroups: [""]
-  resources: ["pods", "services", "persistentvolumes", "persistentvolumeclaims", "secrets", "serviceaccounts"]
+  resources: ["pods", "services", "persistentvolumes", "persistentvolumeclaims", "secrets", "serviceaccounts", "pods/log"]
   verbs: ["*"]
 - apiGroups: ["apps"]
   resources: ["daemonsets", "deployments"]

pkg/apis/deployment/v1alpha/deployment_spec.go

@@ -99,6 +99,14 @@ func (s DeploymentSpec) GetImage() string {
 	return util.StringOrDefault(s.Image)
 }
 
+// GetSyncImage returns, if set, Sync.Image or the default image.
+func (s DeploymentSpec) GetSyncImage() string {
+	if s.Sync.HasSyncImage() {
+		return s.Sync.GetSyncImage()
+	}
+	return s.GetImage()
+}
+
 // GetImagePullPolicy returns the value of imagePullPolicy.
 func (s DeploymentSpec) GetImagePullPolicy() v1.PullPolicy {
 	return util.PullPolicyOrDefault(s.ImagePullPolicy)

pkg/apis/deployment/v1alpha/sync_spec.go

@@ -36,13 +36,24 @@ type SyncSpec struct {
 	Authentication SyncAuthenticationSpec `json:"auth"`
 	TLS            TLSSpec                `json:"tls"`
 	Monitoring     MonitoringSpec         `json:"monitoring"`
+	Image          *string                `json:"image"`
 }
 
 // IsEnabled returns the value of enabled.
 func (s SyncSpec) IsEnabled() bool {
 	return util.BoolOrDefault(s.Enabled)
 }
 
+// GetSyncImage returns the syncer image or empty string
+func (s SyncSpec) GetSyncImage() string {
+	return util.StringOrDefault(s.Image)
+}
+
+// HasSyncImage returns whether a special sync image is set
+func (s SyncSpec) HasSyncImage() bool {
+	return s.GetSyncImage() != ""
+}
+
 // Validate the given spec
 func (s SyncSpec) Validate(mode DeploymentMode) error {
 	if s.IsEnabled() && !mode.SupportsSync() {
@@ -78,6 +89,9 @@ func (s *SyncSpec) SetDefaultsFrom(source SyncSpec) {
 	if s.Enabled == nil {
 		s.Enabled = util.NewBoolOrNil(source.Enabled)
 	}
+	if s.Image == nil {
+		s.Image = util.NewStringOrNil(source.Image)
+	}
 	s.ExternalAccess.SetDefaultsFrom(source.ExternalAccess)
 	s.Authentication.SetDefaultsFrom(source.Authentication)
 	s.TLS.SetDefaultsFrom(source.TLS)
@@ -95,5 +109,8 @@ func (s SyncSpec) ResetImmutableFields(fieldPrefix string, target *SyncSpec) []s
 	if list := s.Authentication.ResetImmutableFields(fieldPrefix+".auth", &target.Authentication); len(list) > 0 {
 		resetFields = append(resetFields, list...)
 	}
+	if s.GetSyncImage() != target.GetSyncImage() {
+		resetFields = append(resetFields, fieldPrefix+".image")
+	}
 	return resetFields
 }

pkg/apis/deployment/v1alpha/zz_generated.deepcopy.go

@@ -196,6 +196,8 @@ func (d *Deployment) ensureAccessPackage(apSecretName string) error {
 		},
 		Data: map[string][]byte{
 			constants.SecretAccessPackageYaml: []byte(allYaml),
+			constants.SecretCACertificate:     []byte(tlsCACert),
+			constants.SecretTLSKeyfile:        []byte(keyfile),
 		},
 	}
 	// Attach secret to owner

pkg/deployment/access_package.go

@@ -598,6 +598,11 @@ func (r *Resources) createPodForMember(spec api.DeploymentSpec, memberID string,
 			log.Debug().Str("image", spec.GetImage()).Msg("Image is not an enterprise image")
 			return maskAny(fmt.Errorf("Image '%s' does not contain an Enterprise version of ArangoDB", spec.GetImage()))
 		}
+		// Check if the sync image is overwritten by the SyncSpec
+		imageID := imageInfo.ImageID
+		if spec.Sync.HasSyncImage() {
+			imageID = spec.Sync.GetSyncImage()
+		}
 		var tlsKeyfileSecretName, clientAuthCASecretName, masterJWTSecretName, clusterJWTSecretName string
 		// Check master JWT secret
 		masterJWTSecretName = spec.Sync.Authentication.GetJWTSecretName()
@@ -664,7 +669,7 @@ func (r *Resources) createPodForMember(spec api.DeploymentSpec, memberID string,
 		if group == api.ServerGroupSyncWorkers {
 			affinityWithRole = api.ServerGroupDBServers.AsRole()
 		}
-		if err := k8sutil.CreateArangoSyncPod(kubecli, spec.IsDevelopment(), apiObject, role, m.ID, m.PodName, imageInfo.ImageID, lifecycleImage, spec.GetImagePullPolicy(), terminationGracePeriod, args, env,
+		if err := k8sutil.CreateArangoSyncPod(kubecli, spec.IsDevelopment(), apiObject, role, m.ID, m.PodName, imageID, lifecycleImage, spec.GetImagePullPolicy(), terminationGracePeriod, args, env,
 			livenessProbe, tolerations, serviceAccountName, tlsKeyfileSecretName, clientAuthCASecretName, masterJWTSecretName, clusterJWTSecretName, affinityWithRole, groupSpec.GetNodeSelector()); err != nil {
 			return maskAny(err)
 		}

pkg/deployment/resources/pod_creator.go

@@ -44,6 +44,15 @@ func NewKubeClient() (kubernetes.Interface, error) {
 	return c, nil
 }
 
+// MustNewKubeClient calls NewKubeClient an panics if it fails
+func MustNewKubeClient() kubernetes.Interface {
+	i, err := NewKubeClient()
+	if err != nil {
+		panic(err)
+	}
+	return i
+}
+
 // NewKubeExtClient creates a new k8s api extensions client
 func NewKubeExtClient() (apiextensionsclient.Interface, error) {
 	cfg, err := InClusterConfig()