Add Docker default AppArmor profile to drydock

Change-Id: I50be2f08e69123afbef136683134abffc4e44197
Prateek Dodda 2020-01-30 15:12:59 -06:00
parent 2a02bc9b3f
commit 67716a7841
4 changed files with 16 additions and 5 deletions


@ -23,14 +23,12 @@
- airship-drydock-chart-build-latest-htk - airship-drydock-chart-build-latest-htk
- airship-drydock-docker-build-gate-ubuntu_xenial - airship-drydock-docker-build-gate-ubuntu_xenial
- airship-drydock-docker-build-gate-ubuntu_bionic - airship-drydock-docker-build-gate-ubuntu_bionic
gate: gate:
jobs: jobs:
- airship-drydock-omni-test - airship-drydock-omni-test
- airship-drydock-chart-build-gate - airship-drydock-chart-build-gate
- airship-drydock-docker-build-gate-ubuntu_xenial - airship-drydock-docker-build-gate-ubuntu_xenial
- airship-drydock-docker-build-gate-ubuntu_bionic - airship-drydock-docker-build-gate-ubuntu_bionic
post: post:
jobs: jobs:
- airship-drydock-docker-publish-ubuntu_xenial - airship-drydock-docker-publish-ubuntu_xenial
@ -41,7 +39,7 @@
name: airship-drydock-single-node name: airship-drydock-single-node
nodes: nodes:
- name: primary - name: primary
label: ubuntu-xenial label: ubuntu-bionic
- job: - job:
name: airship-drydock-omni-test name: airship-drydock-omni-test
@ -49,7 +47,9 @@
Run a set of lightweight lints and tests Run a set of lightweight lints and tests
(pep8, Helm chart lint, Sphinx build, Python unit tests, Bandit scan) (pep8, Helm chart lint, Sphinx build, Python unit tests, Bandit scan)
run: tools/gate/playbooks/omni_test.yaml run: tools/gate/playbooks/omni_test.yaml
timeout: 900 required-projects:
- openstack/openstack-helm-infra
timeout: 3600
nodeset: airship-drydock-single-node nodeset: airship-drydock-single-node
- job: - job:
@ -141,7 +141,6 @@
commit: true commit: true
static: static:
- latest - latest
- secret: - secret:
name: airship_drydock_quay_creds name: airship_drydock_quay_creds
data: data:
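Review bot: The `airship-drydock-omni-test` description in the hunk at `@ -49,7 +47,9` still reads `Run a set of lightweight lints and tests (pep8, Helm chart lint, Sphinx build, Python unit tests, Bandit scan)`, but the job now checks out `openstack/openstack-helm-infra` and its `timeout` goes from 900 to 3600; the description should say why, e.g. `(pep8, Helm chart lint, Sphinx build, Python unit tests, Bandit scan; also loads the AppArmor profiles from openstack-helm-infra)`. The four-fold timeout increase is not motivated in the commit message either — if only the AppArmor setup needs it, a smaller value would keep the gate's feedback loop short. Because `required-projects` is checked out at the branch Zuul matches rather than a pinned revision (inferred from how Zuul is used here), the gate now executes a script maintained in that other repository, so a comment on the entry such as `# provides tools/deployment/apparmor/001-setup-apparmor-profiles.sh, run by omni_test.yaml` would tell the next reader what the dependency is for. The job definition continues outside the hunk.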


@ -37,6 +37,7 @@ spec:
{{ $labels | indent 8 }} {{ $labels | indent 8 }}
annotations: annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "drydock-api" "containerNames" (list "drydock-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec: spec:
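Review bot: The added annotation line hard-codes `"podName" "drydock-api"` and `(list "drydock-api")`, and nothing in the template ties those names to the container list in the pod spec below or to the key under `pod.mandatory_access_control.apparmor` in values.yaml; a container that is not named in the list gets no AppArmor annotation and runs with whatever the node applies by default. If the deployment has additional containers (for instance an init container — I cannot see the container list from this hunk), they are left out. A comment above the line would make the coupling explicit, e.g. `{{/* AppArmor per-container annotations; container names here must match the containers in this pod spec and the keys in values.yaml pod.mandatory_access_control.apparmor.drydock-api */}}`. The enclosing Deployment template continues outside the hunk.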


@ -58,6 +58,10 @@ network:
nginx.ingress.kubernetes.io/rewrite-target: / nginx.ingress.kubernetes.io/rewrite-target: /
pod: pod:
mandatory_access_control:
type: apparmor
drydock-api:
drydock-api: runtime/default
security_context: security_context:
drydock: drydock:
pod: pod:
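Review bot: The new `mandatory_access_control` block has no comment, and the two-level `drydock-api: drydock-api:` nesting (which I read as pod name, then container name — the rendered page has lost the indentation) is not self-explanatory to someone editing values.yaml. Add a comment above `type: apparmor`, e.g. `# AppArmor profile per pod -> container; "runtime/default" selects the container runtime's default profile and is only enforced on nodes with AppArmor enabled`. Since the Deployment template selects these entries by hard-coded pod and container names, the comment should also say that renaming a key here requires the matching change in the template. The `pod:` mapping continues outside the hunk.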


@ -47,3 +47,10 @@
target: run_drydock target: run_drydock
register: result register: result
become: true become: true
- name: Setup Apparmor
shell: |
set -xe;
./tools/deployment/apparmor/001-setup-apparmor-profiles.sh
args:
chdir: "{{ zuul.projects['opendev.org/openstack/openstack-helm-infra'].src_dir }}"
executable: /bin/bash
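Review bot: The new `Setup Apparmor` task runs without `become: true`, while the preceding task in the same play does use it; loading AppArmor profiles on the node normally needs root, so unless `001-setup-apparmor-profiles.sh` escalates privileges itself (I cannot tell from this hunk) the task will fail on the bionic node or the profiles will not be loaded. Adding `become: true` after `executable: /bin/bash` matches the style of the task above it. Consider also hardening the shell prologue to `set -xeo pipefail;` so a failure inside a pipeline in the script is not masked. The play and its task list start outside the hunk.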