Enable Apparmor to osh test Pods

Change-Id: I0a67f66cc4ed8a1e3a5c3c458b7c1521f9169160 Signed-off-by: diwakar thyagaraj <diwakar.chitoor.thyagaraj@att.com>
2020-05-14 15:59:48 +00:00 · 2020-05-14 15:59:48 +00:00 · 477602f2e7
commit 477602f2e7
parent 7cdec41ca8
15 changed files with 51 additions and 16 deletions
--- a/barbican/templates/pod-test.yaml
+++ b/barbican/templates/pod-test.yaml
@ -31,6 +31,7 @@ metadata:
  annotations:
    "helm.sh/hook": test-success
    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "barbican-test" "containerNames" (list "init" "barbican-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
  serviceAccountName: {{ $serviceAccountName }}
  nodeSelector:
@ -39,7 +40,7 @@ spec:
  initContainers:
 {{ tuple $envAll "tests" $mounts_barbican_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
  containers:
-    - name: {{.Release.Name}}-barbican-test
+    - name: barbican-test
 {{ tuple $envAll "scripted_test" | include "helm-toolkit.snippets.image" | indent 6 }}
      env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
--- a/barbican/values_overrides/apparmor.yaml
+++ b/barbican/values_overrides/apparmor.yaml
@ -5,4 +5,7 @@ pod:
    barbican-api:
      barbican-api: runtime/default
      init: runtime/default
+    barbican-test:
+      init: runtime/default
+      barbican-test: runtime/default
 ...
--- a/cinder/templates/pod-rally-test.yaml
+++ b/cinder/templates/pod-rally-test.yaml
@ -30,6 +30,7 @@ metadata:
  annotations:
    "helm.sh/hook": test-success
    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "cinder-test" "containerNames" (list "init" "cinder-test" "cinder-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
  restartPolicy: Never
  nodeSelector:
@ -37,7 +38,7 @@ spec:
  serviceAccountName: {{ $serviceAccountName }}
  initContainers:
 {{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
-    - name: {{ .Release.Name }}-test-ks-user
+    - name: cinder-test-ks-user
 {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
      command:
@ -61,7 +62,7 @@ spec:
        - name: SERVICE_OS_ROLE
          value: {{ .Values.endpoints.identity.auth.test.role | quote }}
  containers:
-    - name: {{ .Release.Name }}-test
+    - name: cinder-test
 {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
      env:
--- a/cinder/values_overrides/apparmor.yaml
+++ b/cinder/values_overrides/apparmor.yaml
@ -22,4 +22,8 @@ pod:
    cinder-backup-storage-init:
      cinder-backup-storage-init: runtime/default
      init: runtime/default
+    cinder-test:
+      init: runtime/default
+      cinder-test: runtime/default
+      cinder-test-ks-user: runtime/default
 ...
--- a/glance/templates/pod-rally-test.yaml
+++ b/glance/templates/pod-rally-test.yaml
@ -29,6 +29,7 @@ metadata:
 {{ tuple $envAll "glance" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
  annotations:
    "helm.sh/hook": test-success
+{{ dict "envAll" $envAll "podName" "glance-test" "containerNames" (list "init" "glance-test" "glance-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
  nodeSelector:
    {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
@ -36,7 +37,7 @@ spec:
  serviceAccountName: {{ $serviceAccountName }}
  initContainers:
 {{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
-    - name: {{ .Release.Name }}-test-ks-user
+    - name: glance-test-ks-user
 {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
      command:
@ -60,7 +61,7 @@ spec:
        - name: SERVICE_OS_ROLE
          value: {{ .Values.endpoints.identity.auth.test.role | quote }}
  containers:
-    - name: {{ .Release.Name }}-test
+    - name: glance-test
 {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
      env:
--- a/glance/values_overrides/apparmor.yaml
+++ b/glance/values_overrides/apparmor.yaml
@ -15,6 +15,10 @@ pod:
    glance-storage-init:
      init: runtime/default
      glance-storage-init: runtime/default
+    glance-test:
+      init: runtime/default
+      glance-test: runtime/default
+      glance-test-ks-user: runtime/default
 manifests:
  deployment_registry: true
 ...
--- a/horizon/templates/pod-helm-tests.yaml
+++ b/horizon/templates/pod-helm-tests.yaml
@ -30,6 +30,7 @@ metadata:
  annotations:
    "helm.sh/hook": test-success
    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "horizon-test" "containerNames" (list "init" "horizon-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
  restartPolicy: Never
  serviceAccountName: {{ $serviceAccountName }}
@ -38,7 +39,7 @@ spec:
  initContainers:
 {{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
  containers:
-    - name: {{ .Release.Name }}-test
+    - name: horizon-test
 {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
      command:
--- a/horizon/values_overrides/apparmor.yaml
+++ b/horizon/values_overrides/apparmor.yaml
@ -8,4 +8,7 @@ pod:
    horizon-db-sync:
      horizon-db-sync: runtime/default
      init: runtime/default
+    horizon-test:
+      init: runtime/default
+      horizon-test: runtime/default
 ...
--- a/keystone/templates/pod-rally-test.yaml
+++ b/keystone/templates/pod-rally-test.yaml
@ -30,6 +30,7 @@ metadata:
  annotations:
    "helm.sh/hook": test-success
    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "keystone-test" "containerNames" (list "init" "keystone-test" "keystone-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
  restartPolicy: Never
  nodeSelector:
@ -37,7 +38,7 @@ spec:
  serviceAccountName: {{ $serviceAccountName }}
  initContainers:
 {{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
-    - name: {{ .Release.Name }}-test-ks-user
+    - name: keystone-test-ks-user
 {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
      command:
@ -61,7 +62,7 @@ spec:
        - name: SERVICE_OS_ROLE
          value: {{ .Values.endpoints.identity.auth.test.role | quote }}
  containers:
-    - name: {{ .Release.Name }}-test
+    - name: keystone-test
 {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
      env:
--- a/keystone/values_overrides/apparmor.yaml
+++ b/keystone/values_overrides/apparmor.yaml
@ -13,4 +13,8 @@ pod:
    keystone-domain-manage:
      keystone-domain-manage: runtime/default
      keystone-domain-manage-init: runtime/default
+    keystone-test:
+      init: runtime/default
+      keystone-test: runtime/default
+      keystone-test-ks-user: runtime/default
 ...
--- a/neutron/templates/pod-rally-test.yaml
+++ b/neutron/templates/pod-rally-test.yaml
@ -31,6 +31,7 @@ metadata:
 {{ tuple $envAll "neutron" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
  annotations:
    "helm.sh/hook": test-success
+{{ dict "envAll" $envAll "podName" "neutron-test" "containerNames" (list "init" "neutron-test" "neutron-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
  nodeSelector:
    {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
@ -38,7 +39,7 @@ spec:
  serviceAccountName: {{ $serviceAccountName }}
  initContainers:
 {{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
-    - name: {{ .Release.Name }}-test-ks-user
+    - name: neutron-test-ks-user
 {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
      command:
@ -96,7 +97,7 @@ spec:
          mountPath: /tmp/pod-tmp
 {{ end }}
  containers:
-    - name: {{ .Release.Name }}-test
+    - name: neutron-test
 {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
      env:
--- a/neutron/values_overrides/apparmor.yaml
+++ b/neutron/values_overrides/apparmor.yaml
@ -31,4 +31,8 @@ pod:
    neutron-server:
      neutron-server: runtime/default
      init: runtime/default
+    neutron-test:
+      init: runtime/default
+      neutron-test: runtime/default
+      neutron-test-ks-user: runtime/default
 ...
--- a/nova/templates/pod-rally-test.yaml
+++ b/nova/templates/pod-rally-test.yaml
@ -30,6 +30,7 @@ metadata:
  annotations:
    "helm.sh/hook": test-success
    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "nova-test" "containerNames" (list "init" "nova-test" "nova-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
  nodeSelector:
    {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
@ -37,7 +38,7 @@ spec:
  serviceAccountName: {{ $serviceAccountName }}
  initContainers:
 {{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
-    - name: {{ .Release.Name }}-test-ks-user
+    - name: nova-test-ks-user
 {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
      command:
@ -61,7 +62,7 @@ spec:
        - name: SERVICE_OS_ROLE
          value: {{ .Values.endpoints.identity.auth.test.role | quote }}
  containers:
-    - name: {{ .Release.Name }}-test
+    - name: nova-test
 {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
      env:
--- a/nova/values_overrides/apparmor.yaml
+++ b/nova/values_overrides/apparmor.yaml
@ -35,4 +35,8 @@ pod:
      nova-cell-setup: runtime/default
      nova-cell-setup-init: runtime/default
      init: runtime/default
+    nova-test:
+      init: runtime/default
+      nova-test: runtime/default
+      nova-test-ks-user: runtime/default
 ...
--- a/tools/deployment/apparmor/015-ingress.sh
+++ b/tools/deployment/apparmor/015-ingress.sh
@ -15,9 +15,14 @@
 #    under the License.

 set -xe
+export HELM_CHART_ROOT_PATH="${HELM_CHART_ROOT_PATH:="${OSH_INFRA_PATH:="../openstack-helm-infra"}"}"

 #NOTE: Lint and package chart
-make ingress
+make -C ${HELM_CHART_ROOT_PATH} ingress
+
+#NOTE: Deploy command
+: ${OSH_EXTRA_HELM_ARGS:=""}
+cd ${HELM_CHART_ROOT_PATH}

 export HELM_CHART_ROOT_PATH="${HELM_CHART_ROOT_PATH:="${OSH_INFRA_PATH:="../openstack-helm-infra"}"}"

@ -25,9 +30,6 @@ export HELM_CHART_ROOT_PATH="${HELM_CHART_ROOT_PATH:="${OSH_INFRA_PATH:="../open
 : ${OSH_INFRA_EXTRA_HELM_ARGS_OPENSTACK:="$(./tools/deployment/common/get-values-overrides.sh ingress)"}
 : ${OSH_INFRA_EXTRA_HELM_ARGS_CEPH:="$(./tools/deployment/common/get-values-overrides.sh ingress)"}

-#NOTE: Deploy command
-: ${OSH_INFRA_EXTRA_HELM_ARGS:=""}
-
 #NOTE: Deploy global ingress
 tee /tmp/ingress-kube-system.yaml << EOF
 deployment: