Browse Source

Add Docker default AppArmor profile to drydock

Change-Id: I50be2f08e69123afbef136683134abffc4e44197
changes/19/705119/18
Prateek Dodda 2 years ago
parent
commit
67716a7841
  1. 9
      .zuul.yaml
  2. 1
      charts/drydock/templates/deployment.yaml
  3. 4
      charts/drydock/values.yaml
  4. 7
      tools/gate/playbooks/omni_test.yaml

9
.zuul.yaml

@ -23,14 +23,12 @@
- airship-drydock-chart-build-latest-htk
- airship-drydock-docker-build-gate-ubuntu_xenial
- airship-drydock-docker-build-gate-ubuntu_bionic
gate:
jobs:
- airship-drydock-omni-test
- airship-drydock-chart-build-gate
- airship-drydock-docker-build-gate-ubuntu_xenial
- airship-drydock-docker-build-gate-ubuntu_bionic
post:
jobs:
- airship-drydock-docker-publish-ubuntu_xenial
@ -41,7 +39,7 @@
name: airship-drydock-single-node
nodes:
- name: primary
label: ubuntu-xenial
label: ubuntu-bionic
- job:
name: airship-drydock-omni-test
@ -49,7 +47,9 @@
Run a set of lightweight lints and tests
(pep8, Helm chart lint, Sphinx build, Python unit tests, Bandit scan)
run: tools/gate/playbooks/omni_test.yaml
timeout: 900
required-projects:
- openstack/openstack-helm-infra
timeout: 3600
nodeset: airship-drydock-single-node
- job:
@ -141,7 +141,6 @@
commit: true
static:
- latest
- secret:
name: airship_drydock_quay_creds
data:

1
charts/drydock/templates/deployment.yaml

@ -37,6 +37,7 @@ spec:
{{ $labels | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "drydock-api" "containerNames" (list "drydock-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:

4
charts/drydock/values.yaml

@ -58,6 +58,10 @@ network:
nginx.ingress.kubernetes.io/rewrite-target: /
pod:
mandatory_access_control:
type: apparmor
drydock-api:
drydock-api: runtime/default
security_context:
drydock:
pod:

7
tools/gate/playbooks/omni_test.yaml

@ -47,3 +47,10 @@
target: run_drydock
register: result
become: true
- name: Setup Apparmor
shell: |
set -xe;
./tools/deployment/apparmor/001-setup-apparmor-profiles.sh
args:
chdir: "{{ zuul.projects['opendev.org/openstack/openstack-helm-infra'].src_dir }}"
executable: /bin/bash
Loading…
Cancel
Save