From 0ed4f0de5ed7b0eb7bb6cb6f819ad48e3fd71a23 Mon Sep 17 00:00:00 2001
From: diwakarthyagaraj <diwakardmn@gmail.com>
Date: Wed, 24 Apr 2019 13:52:43 -0500
Subject: [PATCH] Add  Docker default AppArmor profile to Fluentbit and
 Elasticsearch

Change-Id: I21efbf8d434f6245eef04308973af4e7ec0b2380
Co-authored-by: ld366r@att.com
---
 .../templates/daemonset-fluent-bit.yaml       |  1 +
 .../deployment/apparmor/090-elasticsearch.sh  | 78 +++++++++++++++++++
 .../deployment/apparmor/100-fluent-logging.sh | 40 ++++++++++
 zuul.d/jobs.yaml                              |  3 +-
 4 files changed, 121 insertions(+), 1 deletion(-)
 create mode 100755 tools/deployment/apparmor/090-elasticsearch.sh
 create mode 100755 tools/deployment/apparmor/100-fluent-logging.sh

diff --git a/fluent-logging/templates/daemonset-fluent-bit.yaml b/fluent-logging/templates/daemonset-fluent-bit.yaml
index a0d984aa0..abe9b841f 100644
--- a/fluent-logging/templates/daemonset-fluent-bit.yaml
+++ b/fluent-logging/templates/daemonset-fluent-bit.yaml
@@ -93,6 +93,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "fluentbit" "containerNames" (list "fluentbit") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "daemon" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
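Review bot: The annotation added at line 26 names only the `fluentbit` container, so any init container or sidecar the daemonset defines (the rest of the pod spec is outside this hunk) presumably receives no AppArmor annotation from the helper and stays unconfined. If that is intentional, a short template comment next to the snippet, e.g. `{{- /* AppArmor: only the fluentbit container is confined; init/sidecar containers are not covered */ -}}`, would make the coverage explicit for the next reader. The daemonset template continues outside the hunk.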
diff --git a/tools/deployment/apparmor/090-elasticsearch.sh b/tools/deployment/apparmor/090-elasticsearch.sh
new file mode 100755
index 000000000..16e7fbd19
--- /dev/null
+++ b/tools/deployment/apparmor/090-elasticsearch.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+#NOTE: Lint and package chart
+make elasticsearch
+
+#NOTE: Deploy command
+tee /tmp/elasticsearch.yaml << EOF
+dependencies:
+  static:
+    tests:
+      jobs: null
+storage:
+  enabled: false
+pod:
+  mandatory_access_control:
+    type: apparmor
+    elasticsearch-master:
+      elasticsearch-master: localhost/docker-default
+    elasticsearch-data:
+      elasticsearch-data: localhost/docker-default
+    elasticsearch-client:
+      elasticsearch-client: localhost/docker-default
+  replicas:
+    data: 1
+    master: 2
+conf:
+  curator:
+    schedule:  "0 */6 * * *"
+    action_file:
+      actions:
+        1:
+          action: delete_indices
+          description: >-
+            "Delete indices older than 365 days"
+          options:
+            timeout_override:
+            continue_if_exception: False
+            ignore_empty_list: True
+            disable_action: True
+          filters:
+          - filtertype: pattern
+            kind: prefix
+            value: logstash-
+          - filtertype: age
+            source: name
+            direction: older
+            timestring: '%Y.%m.%d'
+            unit: days
+            unit_count: 365
+
+EOF
+helm upgrade --install elasticsearch ./elasticsearch \
+    --namespace=osh-infra \
+    --values=/tmp/elasticsearch.yaml
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh osh-infra
+
+#NOTE: Validate Deployment info
+helm status elasticsearch
+
+helm test elasticsearch
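Review bot: The curator override at lines 84-85 wraps the description in a folded block scalar and then quotes it, so the literal double-quote characters become part of the value (`>-` does not strip quotes); write `description: Delete indices older than 365 days` instead. The same stanza uses `True`/`False` at lines 88-90 where lowercase `true`/`false` is canonical, and the bare `timeout_override:` at line 87 parses as null rather than an empty string, which is presumably what curator expects but is worth pinning with an explicit `timeout_override: null`. Separately, `localhost/docker-default` at lines 69-73 assumes the docker-default profile is already loaded on every node — Docker loads it lazily when it starts a container and other runtimes may never load it — and a pod referencing an unloaded profile is rejected by the kubelet, so the wait at line 108 would then time out; a `#NOTE: Requires the docker-default AppArmor profile to be loaded on all nodes` line above the tee would record that assumption for whoever moves this job to another runtime.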
diff --git a/tools/deployment/apparmor/100-fluent-logging.sh b/tools/deployment/apparmor/100-fluent-logging.sh
new file mode 100755
index 000000000..6ba75eb77
--- /dev/null
+++ b/tools/deployment/apparmor/100-fluent-logging.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Copyright 2019 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+set -xe
+
+#NOTE: Lint and package chart
+make fluent-logging
+
+tee /tmp/fluent-logging.yaml <<EOF
+pod:
+  mandatory_access_control:
+    type: apparmor
+    fluentbit:
+      fluentbit: localhost/docker-default
+EOF
+
+#NOTE: Deploy command
+helm upgrade --install fluent-logging ./fluent-logging \
+    --namespace=osh-infra \
+    --values=/tmp/fluent-logging.yaml
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh osh-infra
+
+#NOTE: Validate Deployment info
+helm status fluent-logging
+
+helm test fluent-logging
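Review bot: The values override at lines 141-145 confines only the `fluentbit` container, so if the fluent-logging chart also runs fluentd pods (not shown in this patch) this job deploys them without a profile; if that is the intended first step, say so with `#NOTE: Only the fluentbit daemonset is confined here; fluentd is not yet covered`. Minor style: unlike 090-elasticsearch.sh, the license header runs straight into `set -xe` at line 135 without a blank line, and the copyright year differs between the two sibling scripts (2019 here, 2017 at line 38).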
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index a0dcc633e..90ba08996 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -213,7 +213,8 @@
         - ./tools/deployment/apparmor/060-prometheus-node-exporter.sh
         - ./tools/deployment/apparmor/070-prometheus-openstack-exporter.sh
         - ./tools/deployment/apparmor/080-prometheus-process-exporter.sh
-
+        - ./tools/deployment/apparmor/090-elasticsearch.sh
+        - ./tools/deployment/apparmor/100-fluent-logging.sh
 
 - job:
     name: openstack-helm-infra-openstack-support