diff --git a/mini-mirror/templates/pod-helm-test.yaml b/mini-mirror/templates/pod-helm-test.yaml
index af1676a3..9f9fd975 100644
--- a/mini-mirror/templates/pod-helm-test.yaml
+++ b/mini-mirror/templates/pod-helm-test.yaml
@@ -26,6 +26,7 @@ metadata:
 annotations:
 "helm.sh/hook": test-success
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "mini-mirror-test" "containerNames" (list "mini-mirror-helm-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
 nodeSelector:
 {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
@@ -49,5 +50,4 @@ spec:
 configMap:
 name: mini-mirror-bin
 defaultMode: 0555
-{{- end }}
-
+{{- end }}
\ No newline at end of file
diff --git a/mini-mirror/values_overrides/apparmor.yaml b/mini-mirror/values_overrides/apparmor.yaml
index 43f6b6fe..220ae18e 100644
--- a/mini-mirror/values_overrides/apparmor.yaml
+++ b/mini-mirror/values_overrides/apparmor.yaml
@@ -4,4 +4,6 @@ pod:
 type: apparmor
 mini-mirror:
 mini-mirror-api: runtime/default
+ mini-mirror-test:
+ mini-mirror-helm-test: runtime/default
 ...
diff --git a/ranger-agent/templates/deployment-ranger-agent-engine.yaml b/ranger-agent/templates/deployment-ranger-agent-engine.yaml
index 259237de..9b6e2ea8 100755
--- a/ranger-agent/templates/deployment-ranger-agent-engine.yaml
+++ b/ranger-agent/templates/deployment-ranger-agent-engine.yaml
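Review bot: The `containerNames` list passed to `kubernetes_mandatory_access_control_annotation` names only `mini-mirror-helm-test`, whereas the ranger-agent test pod (pod-test.yaml) and the sonobuoy pod (pod-api.yaml) in this same change also list `init`; the spec of this pod lies outside the hunk, so I cannot tell whether it has an entrypoint init container. If it does, that container gets no AppArmor annotation, because the snippet emits one annotation per listed name and nothing covers the unlisted ones. Worth checking against the pod spec and, if an `init` container exists, changing the call to `(list "init" "mini-mirror-helm-test")` with a matching `init: runtime/default` entry under `mini-mirror-test` in values_overrides/apparmor.yaml. Conversely, a listed name that matches no container in the pod is, as far as I recall, skipped by the snippet rather than reported, so a typo in either the template or the values key leaves a container unconfined with no render-time error.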
@@ -66,7 +66,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "ranger-agent" "containerNames" (list "ranger-agent-engine") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ranger-agent-engine" "containerNames" (list "init" "ranger-agent-engine") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "ranger_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/ranger-agent/templates/pod-test.yaml b/ranger-agent/templates/pod-test.yaml
index d208b101..298a6d55 100644
--- a/ranger-agent/templates/pod-test.yaml
+++ b/ranger-agent/templates/pod-test.yaml
@@ -24,10 +24,11 @@ limitations under the License.
 apiVersion: v1
 kind: Pod
 metadata:
- name: "{{$envAll.Release.Name}}-test"
+ name: ranger-agent-test
 annotations:
 "helm.sh/hook": test-success
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "ranger-agent-test" "containerNames" (list "init" "ranger-agent-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 labels:
 {{ tuple $envAll "ranger-agent" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
@@ -38,7 +39,7 @@ spec:
 initContainers:
 {{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
 containers:
- - name: {{.Release.Name}}-test
+ - name: ranger-agent-test
 image: {{ .Values.images.tags.scripted_test }}
 env:
 - name: RANGER_SERVICE_URL
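Review bot: `metadata.name` of the test pod changes from `"{{$envAll.Release.Name}}-test"` to the fixed `ranger-agent-test`, so two releases of this chart in one namespace now collide on the test pod name where they were release-scoped before. If `podName` in the `kubernetes_mandatory_access_control_annotation` call is only the lookup key into `.Values.pod.mandatory_access_control` (I believe it is; confirm in helm-toolkit), the pod name does not have to be static: keeping `name: "{{$envAll.Release.Name}}-test"` while still passing `"podName" "ranger-agent-test"` keeps the values key predictable without the collision. The container rename in the second hunk (`- name: ranger-agent-test`) is still needed, since the emitted annotation key carries the container name and a release-templated name would never match the values entry. The pod spec continues past both hunks.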
diff --git a/ranger-agent/values_overrides/apparmor.yaml b/ranger-agent/values_overrides/apparmor.yaml
index bfc744ab..bee0e965 100644
--- a/ranger-agent/values_overrides/apparmor.yaml
+++ b/ranger-agent/values_overrides/apparmor.yaml
@@ -5,7 +5,10 @@ pod:
 ranger-agent-api:
 init: runtime/default
 ranger-agent-api: runtime/default
- ranger-agent:
+ ranger-agent-engine:
 ranger-agent-engine: runtime/default
-
+ init: runtime/default
+ ranger-agent-test:
+ ranger-agent-test: runtime/default
+ init: runtime/default
 ...
diff --git a/ranger/values_overrides/apparmor.yaml b/ranger/values_overrides/apparmor.yaml
index d0ab6f67..80c0785c 100644
--- a/ranger/values_overrides/apparmor.yaml
+++ b/ranger/values_overrides/apparmor.yaml
@@ -2,7 +2,25 @@ pod:
 mandatory_access_control:
 type: apparmor
- ranger:
+ ranger-audit-service:
 init: runtime/default
- ranger-services: runtime/default
+ ranger-audit-service: runtime/default
+ ranger-cms-service:
+ init: runtime/default
+ ranger-cms-service: runtime/default
+ ranger-fms-service:
+ init: runtime/default
+ ranger-fms-service: runtime/default
+ ranger-ims-service:
+ init: runtime/default
+ ranger-ims-service: runtime/default
+ ranger-rds-service:
+ init: runtime/default
+ ranger-rds-service: runtime/default
+ ranger-rms-service:
+ init: runtime/default
+ ranger-rms-service: runtime/default
+ ranger-uuid-service:
+ init: runtime/default
+ ranger-uuid-service: runtime/default
 ...
diff --git a/sonobuoy/templates/pod-api.yaml b/sonobuoy/templates/pod-api.yaml
index c040b727..28b399e4 100644
--- a/sonobuoy/templates/pod-api.yaml
+++ b/sonobuoy/templates/pod-api.yaml
@@ -55,7 +55,7 @@ metadata:
 name: sonobuoy
 annotations:
 "helm.sh/hook": test-success
-{{- $containers := (list "kube-sonobuoy" ) }}
+{{- $containers := (list "kube-sonobuoy" "init" ) }}
 {{- if $envAll.Values.conf.publish_results }}
 {{- $containers = append $containers "results-publisher" }}
 {{- end }}
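Review bot: The new keys `ranger-audit-service` through `ranger-uuid-service` (each with an `init` entry and a same-named container entry) replace the single `ranger` key with its `ranger-services` container, but no file under ranger/templates is touched in this diff, so the annotation snippet calls that must pass these names as `podName`/`containerNames` are either already in place or missing; I cannot tell from here. If a template still passes `"podName" "ranger"`, the values lookup finds nothing and that pod deploys unconfined with no render-time error, so this should be verified by rendering the chart with this override and checking that every ranger pod carries `container.apparmor.security.beta.kubernetes.io/` annotations for both `init` and its service container. The same check applies to the ranger-agent hunk above, where the key `ranger-agent` becomes `ranger-agent-engine` to match the deployment template edited earlier in this diff.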
diff --git a/sonobuoy/values.yaml b/sonobuoy/values.yaml
index 7ff22b18..82680058 100644
--- a/sonobuoy/values.yaml
+++ b/sonobuoy/values.yaml
@@ -39,11 +39,6 @@ dependencies:
 - sonobuoy-ks-user
 pod:
- mandatory_access_control:
- type: apparmor
- sonobuoy:
- kube-sonobuoy: localhost/docker-default
- results-publisher: localhost/docker-default
 resources:
 enabled: false
 jobs:
diff --git a/sonobuoy/values_overrides/apparmor.yaml b/sonobuoy/values_overrides/apparmor.yaml
new file mode 100644
index 00000000..85d257b0
--- /dev/null
+++ b/sonobuoy/values_overrides/apparmor.yaml
@@ -0,0 +1,9 @@
+---
+pod:
+ mandatory_access_control:
+ type: apparmor
+ sonobuoy:
+ kube-sonobuoy: runtime/default
+ results-publisher: runtime/default
+ init: runtime/default
+...
diff --git a/tools/deployment/common/install-packages.sh b/tools/deployment/common/install-packages.sh
index 936eb480..3ed951e9 100755
--- a/tools/deployment/common/install-packages.sh
+++ b/tools/deployment/common/install-packages.sh
@@ -19,4 +19,5 @@ sudo apt-get install --no-install-recommends -y \
 nmap \
 curl \
 uuid-runtime \
- bc
+ bc \
+ python3-pip
\ No newline at end of file
diff --git a/tools/deployment/component/sonobuoy/sonobuoy.sh b/tools/deployment/component/sonobuoy/sonobuoy.sh
index ebe660fb..6d5a31f5 100755
--- a/tools/deployment/component/sonobuoy/sonobuoy.sh
+++ b/tools/deployment/component/sonobuoy/sonobuoy.sh
@@ -14,11 +14,15 @@ set -xe
+#NOTE: Get the overrides to use
+: ${OSH_EXTRA_HELM_ARGS_SONOBUOY:="$(./tools/deployment/common/get-values-overrides.sh sonobuoy)"}
+
 helm dependency update sonobuoy
 helm upgrade --install sonobuoy sonobuoy \
 --namespace=heptio-sonobuoy \
 --set endpoints.identity.namespace=openstack \
- --set manifests.serviceaccount_readonly=true
+ --set manifests.serviceaccount_readonly=true \
+ ${OSH_EXTRA_HELM_ARGS_SONOBUOY}
 helm test sonobuoy
 # test that the readonly service account CANNOT perform pod/exec in any namespaces
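Review bot: Removing the `mandatory_access_control` block from values.yaml changes the default posture of the chart: before this hunk every sonobuoy deployment got AppArmor annotations for `kube-sonobuoy` and `results-publisher` out of the box, after it they are applied only when values_overrides/apparmor.yaml is passed, so a plain `helm upgrade --install sonobuoy` now runs those containers without a profile. That is presumably intended to align sonobuoy with the other charts in this diff, but it is a loosening of the default and deserves a sentence in the commit message. The profile name also moves from `localhost/docker-default`, which requires that exact profile to be loaded on the node, to `runtime/default`, which the container runtime resolves itself; that part is an improvement in portability rather than a regression.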
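Review bot: `: ${OSH_EXTRA_HELM_ARGS_SONOBUOY:="$(./tools/deployment/common/get-values-overrides.sh sonobuoy)"}` does not abort under `set -e` when the helper script fails or is not found from the current directory, because the exit status of `:` is always 0; the variable then ends up empty, both `helm upgrade` calls run without the apparmor override, and `helm test` passes, so the gate silently stops exercising AppArmor. This follows the pattern used elsewhere in the repo, so it may be accepted as-is, but a plain assignment does propagate the substitution's status: `OSH_EXTRA_HELM_ARGS_SONOBUOY="${OSH_EXTRA_HELM_ARGS_SONOBUOY:-$(./tools/deployment/common/get-values-overrides.sh sonobuoy)}"`. The unquoted `${OSH_EXTRA_HELM_ARGS_SONOBUOY}` on the helm line (and again in the `another-sonobuoy` hunk below) relies on word splitting to pass several helm arguments; that is intended here but is the kind of thing a later cleanup quotes away, so a one-line comment such as `# unquoted on purpose: may expand to several helm arguments` would protect it.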
@@ -41,7 +45,8 @@ helm upgrade --install another-sonobuoy sonobuoy \
 --set manifests.serviceaccount_readonly=true \
 --set manifests.serviceaccount_readonly_exec=true \
 --set conf.exec_role_namespace=exec \
- --set conf.publish_results=false
+ --set conf.publish_results=false \
+ ${OSH_EXTRA_HELM_ARGS_SONOBUOY}
 helm test another-sonobuoy
 # test that the readonly service account can perform pod/exec in exec namespace
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index d646723e..e7799535 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -96,3 +96,50 @@
 - ./tools/deployment/common/deploy-k8s.sh
 - ./tools/deployment/common/setup-client.sh
 - ./tools/deployment/component/mini-mirror/mini-mirror.sh
+
+- job:
+ name: osh-addons-minimirror-ranger-apparmor
+ parent: osh-addons-base
+ run: tools/gate/playbooks/osh-gate-runner.yaml
+ vars:
+ osh_params:
+ openstack_release: ocata
+ container_distro_name: ubuntu
+ container_distro_version: bionic
+ feature_gates: apparmor
+ gate_scripts:
+ - ./tools/deployment/common/install-packages.sh
+ - ./tools/deployment/common/deploy-k8s.sh
+ - ./tools/deployment/common/setup-client.sh
+ - ./tools/deployment/component/mini-mirror/mini-mirror.sh
+ - ./tools/deployment/component/common/ingress.sh
+ - ./tools/deployment/component/common/mariadb.sh
+ - ./tools/deployment/component/common/rabbitmq.sh
+ - ./tools/deployment/component/common/memcached.sh
+ - ./tools/deployment/component/keystone/keystone.sh
+ - ./tools/deployment/component/ranger/ranger.sh
+ - ./tools/deployment/component/ranger/ranger-agent.sh
+
+- job:
+ name: osh-addons-sonobuoy-apparmor
+ parent: osh-addons-base
+ run: tools/gate/playbooks/osh-gate-runner.yaml
+ vars:
+ osh_params:
+ openstack_release: ocata
+ container_distro_name: ubuntu
+ container_distro_version: xenial
+ feature_gates: apparmor
+ gate_scripts:
+ - ./tools/deployment/common/install-packages.sh
+ - ./tools/deployment/common/deploy-k8s.sh
+ - ./tools/deployment/common/setup-client.sh
+ - ./tools/deployment/component/common/ingress.sh
+ - ./tools/deployment/component/common/mariadb.sh
+ - ./tools/deployment/component/common/rabbitmq.sh
+ - ./tools/deployment/component/common/memcached.sh
+ - ./tools/deployment/component/ceph/ceph.sh
+ - ./tools/deployment/component/ceph/ceph-ns-activate.sh
+ - ./tools/deployment/component/keystone/keystone.sh
+ - ./tools/deployment/component/ceph/radosgateway.sh
+ - ./tools/deployment/component/sonobuoy/sonobuoy.sh
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index ba774fa6..ff5af109 100644
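Review bot: The new job is named `osh-addons-minimirror-ranger-apparmor` while the existing job three context lines above is `osh-addons-mini-mirror` and the script path is `component/mini-mirror/`, so the same component is hyphenated two different ways; `osh-addons-minimirror-ranger-apparmor` → `osh-addons-mini-mirror-ranger-apparmor` keeps the job names greppable together (project.yaml would need the same rename). The two jobs also differ in `container_distro_version` (`bionic` for mini-mirror/ranger, `xenial` for sonobuoy); if that mirrors the existing non-apparmor jobs it is fine, but a short comment would save the next reader from wondering, since which AppArmor profiles are loaded by default differs between those releases. How `feature_gates: apparmor` is consumed by osh-gate-runner.yaml is outside this diff.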
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -24,3 +24,7 @@
 - osh-addons-sonobuoy
 - osh-addons-ranger
 - osh-addons-mini-mirror
+ experimental:
+ jobs:
+ - osh-addons-sonobuoy-apparmor
+ - osh-addons-minimirror-ranger-apparmor
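Review bot: Both apparmor jobs are registered only under `experimental`, so they run on request rather than on every change; a later edit to one of the values_overrides/apparmor.yaml files or to the annotation snippet calls added in this same diff would pass check and gate without ever rendering an AppArmor annotation. Landing them as experimental first is reasonable, but it means the coverage this change adds is not enforced; once the jobs are stable, listing them under check as non-voting would close that gap.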