Merge "Fix nova-compute-ssh init to execute as runAsUser"
commit
0d627521ca
@ -14,7 +14,7 @@ apiVersion: v1
|
||||
appVersion: v1.0.0
|
||||
description: OpenStack-Helm Nova
|
||||
name: nova
|
||||
version: 0.2.25
|
||||
version: 0.2.26
|
||||
home: https://docs.openstack.org/nova/latest/
|
||||
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
|
||||
sources:
|
||||
|
@ -16,10 +16,13 @@ limitations under the License.
|
||||
|
||||
set -ex
|
||||
|
||||
mkdir -p ~nova/.ssh
|
||||
chown -R nova:nova ~nova/.ssh
|
||||
export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)
|
||||
export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME})
|
||||
|
||||
cat > ~nova/.ssh/config <<EOF
|
||||
mkdir -p ${NOVA_USER_HOME}/.ssh
|
||||
chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
|
||||
|
||||
cat > ${NOVA_USER_HOME}/.ssh/config <<EOF
|
||||
Host *
|
||||
StrictHostKeyChecking no
|
||||
UserKnownHostsFile /dev/null
|
||||
@ -27,5 +30,5 @@ Host *
|
||||
IdentitiesOnly yes
|
||||
EOF
|
||||
|
||||
cp /tmp/nova-ssh/* ~nova/.ssh/
|
||||
chmod 600 ~nova/.ssh/id_rsa
|
||||
cp /tmp/nova-ssh/* ${NOVA_USER_HOME}/.ssh/
|
||||
chmod 600 ${NOVA_USER_HOME}/.ssh/id_rsa
|
||||
|
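Review bot: Under `set -e`, the new `export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n)` does not abort when `id` fails, because the status of the line is that of the `export` builtin, not of the substitution; an unresolvable UID (empty env value, or a UID with no passwd entry in the image) leaves NOVA_USERNAME empty, `eval echo ~` then expands to the home of whatever user the init container itself runs as, and the keys are installed there while the `chown -R :` on the next line most likely succeeds without changing anything. Assign first and export afterwards so the failure is fatal, and take the home directory from the passwd record instead of running `eval` on a derived name: `NOVA_USERNAME=$(id -un "${NOVA_USER_UID}")`, `NOVA_USER_HOME=$(getent passwd "${NOVA_USER_UID}" | cut -d: -f6)`, `export NOVA_USERNAME NOVA_USER_HOME` (assuming getent is available in the nova_compute_ssh image; otherwise keep the `id -un` form and quote the expansion). The copy block still sets mode 600 on `id_rsa` only, so any other private key shipped in /tmp/nova-ssh keeps whatever mode the secret mount gave it; if more than one key type is installed, the chmod should cover all private key files. The shebang and the surrounding template lines lie outside the hunk.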
@ -104,6 +104,7 @@ spec:
|
||||
mountPath: /var/lib/nova
|
||||
- name: pod-shared
|
||||
mountPath: /tmp/pod-shared
|
||||
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||
{{- if .Values.conf.ceph.enabled }}
|
||||
- name: ceph-perms
|
||||
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
@ -119,6 +120,7 @@ spec:
|
||||
mountPath: /tmp
|
||||
- name: etcceph
|
||||
mountPath: /etc/ceph
|
||||
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||
{{- if empty .Values.conf.ceph.cinder.keyring }}
|
||||
- name: ceph-admin-keyring-placement
|
||||
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
@ -141,6 +143,7 @@ spec:
|
||||
subPath: key
|
||||
readOnly: true
|
||||
{{ end }}
|
||||
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||
{{ end }}
|
||||
- name: ceph-keyring-placement
|
||||
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
@ -169,6 +172,7 @@ spec:
|
||||
mountPath: /etc/ceph/ceph.conf.template
|
||||
subPath: ceph.conf
|
||||
readOnly: true
|
||||
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||
{{ end }}
|
||||
{{- if eq .Values.console.console_kind "novnc"}}
|
||||
- name: nova-compute-vnc-init
|
||||
@ -187,6 +191,7 @@ spec:
|
||||
readOnly: true
|
||||
- name: pod-shared
|
||||
mountPath: /tmp/pod-shared
|
||||
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||
{{ end }}
|
||||
{{- if eq .Values.console.console_kind "spice"}}
|
||||
- name: nova-compute-spice-init
|
||||
@ -205,6 +210,7 @@ spec:
|
||||
readOnly: true
|
||||
- name: pod-shared
|
||||
mountPath: /tmp/pod-shared
|
||||
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||
{{ end }}
|
||||
{{- if ( has "tungstenfabric" .Values.network.backend ) }}
|
||||
- name: tungstenfabric-compute-init
|
||||
@ -217,15 +223,19 @@ spec:
|
||||
mountPath: /opt/plugin
|
||||
- name: tf-plugin-bin
|
||||
mountPath: /opt/plugin/bin
|
||||
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||
{{- end }}
|
||||
{{- if .Values.network.ssh.enabled }}
|
||||
- name: nova-compute-ssh-init
|
||||
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
terminationMessagePath: /var/log/termination-log
|
||||
env:
|
||||
- name: SSH_PORT
|
||||
value: {{ .Values.network.ssh.port | quote }}
|
||||
- name: NOVA_USER_UID
|
||||
value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"
|
||||
command:
|
||||
- /tmp/ssh-init.sh
|
||||
volumeMounts:
|
||||
@ -241,14 +251,13 @@ spec:
|
||||
mountPath: /tmp/ssh-init.sh
|
||||
subPath: ssh-init.sh
|
||||
readOnly: true
|
||||
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: nova-compute
|
||||
{{ tuple $envAll "nova_compute" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
securityContext:
|
||||
privileged: true
|
||||
env:
|
||||
{{- if .Values.conf.ceph.enabled }}
|
||||
- name: CEPH_CINDER_USER
|
||||
@ -431,8 +440,6 @@ spec:
|
||||
{{ tuple $envAll "nova_compute_ssh" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.ssh | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "nova" "container" "nova_compute_ssh" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
securityContext:
|
||||
privileged: true
|
||||
env:
|
||||
- name: KEY_TYPES
|
||||
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
|
||||
@ -455,6 +462,7 @@ spec:
|
||||
subPath: ssh-start.sh
|
||||
readOnly: true
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||
{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
|
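Review bot: The new `NOVA_USER_UID` entry quotes its value by hand, `value: "{{ .Values.pod.security_context.nova.pod.runAsUser }}"`, whereas the sibling `SSH_PORT` entry two lines above uses the template helper; for consistency with the rest of this container block write `value: {{ .Values.pod.security_context.nova.pod.runAsUser | quote }}`. The value is deliberately read from the pod-level security context while the init container itself is rendered with the `nova_compute_ssh_init` container context (which the values change sets to root so the script can chown the target user's `.ssh`); a comment on the env entry such as `# target user for the ssh key install — the pod-level runAsUser, not this init container's own context` would keep a later edit from pointing it at the container context. The other hunks in this file only add the `$mounts_nova_compute.volumeMounts` line to each init container and raise nothing.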
@ -2155,8 +2155,10 @@ pod:
|
||||
readOnlyRootFilesystem: true
|
||||
privileged: true
|
||||
nova_compute_ssh:
|
||||
readOnlyRootFilesystem: true
|
||||
privileged: true
|
||||
runAsUser: 0
|
||||
nova_compute_ssh_init:
|
||||
runAsUser: 0
|
||||
nova_api_metadata_init:
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
|
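Review bot: The new `nova_compute_ssh_init` stanza grants `runAsUser: 0` but carries none of the hardening keys its neighbours set (`readOnlyRootFilesystem: true` on `nova_compute_ssh` just above, `allowPrivilegeEscalation: false` on `nova_api_metadata_init` just below). Root is needed here because the init script chowns the target user's `.ssh` directory and copies keys into it, but that does not require privilege escalation, and it does not require a writable root filesystem if the user's home is on a mounted volume; adding `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` under the new key keeps the container at the same baseline as its siblings, with the read-only setting to be confirmed against where the home directory actually lives in the image. A one-line comment above the stanza, `# root is required to chown the target user's ~/.ssh (see ssh-init.sh)`, would record why this init container is the exception.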
@ -46,4 +46,5 @@ nova:
|
||||
- 0.2.23 Add option to enable extra wait for cell-setup-init
|
||||
- 0.2.24 Fix nova-bootstrap job labels
|
||||
- 0.2.25 Add check for compute nodes
|
||||
- 0.2.26 Fix _ssh-start.sh.tpl to copy the ssh keys to the user on the security context
|
||||
...
|
||||
|