From 477602f2e75f20235a98f1bbdc322e3a89aa5a80 Mon Sep 17 00:00:00 2001
From: diwakar thyagaraj
Date: Thu, 14 May 2020 15:59:48 +0000
Subject: [PATCH] Enable Apparmor to osh test Pods
Change-Id: I0a67f66cc4ed8a1e3a5c3c458b7c1521f9169160
Signed-off-by: diwakar thyagaraj
---
 barbican/templates/pod-test.yaml | 3 ++-
 barbican/values_overrides/apparmor.yaml | 3 +++
 cinder/templates/pod-rally-test.yaml | 5 +++--
 cinder/values_overrides/apparmor.yaml | 4 ++++
 glance/templates/pod-rally-test.yaml | 5 +++--
 glance/values_overrides/apparmor.yaml | 4 ++++
 horizon/templates/pod-helm-tests.yaml | 3 ++-
 horizon/values_overrides/apparmor.yaml | 3 +++
 keystone/templates/pod-rally-test.yaml | 5 +++--
 keystone/values_overrides/apparmor.yaml | 4 ++++
 neutron/templates/pod-rally-test.yaml | 5 +++--
 neutron/values_overrides/apparmor.yaml | 4 ++++
 nova/templates/pod-rally-test.yaml | 5 +++--
 nova/values_overrides/apparmor.yaml | 4 ++++
 tools/deployment/apparmor/015-ingress.sh | 10 ++++++----
 15 files changed, 51 insertions(+), 16 deletions(-)
diff --git a/barbican/templates/pod-test.yaml b/barbican/templates/pod-test.yaml
index 9a790a02f5..2dd7f30fa0 100644
--- a/barbican/templates/pod-test.yaml
+++ b/barbican/templates/pod-test.yaml
@@ -31,6 +31,7 @@ metadata:
 annotations:
 "helm.sh/hook": test-success
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "barbican-test" "containerNames" (list "init" "barbican-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
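Review bot: The names passed in `containerNames` on the added include line have to match both the literal `name:` values in the pod spec and the keys under this pod's entry in `values_overrides/apparmor.yaml`, and nothing in the template ties the three together. The `init` entry relies on the container name emitted by `helm-toolkit.snippets.kubernetes_entrypoint_init_container`, which is not visible on this page, so that match should be confirmed. A container left out of the list would presumably render without an AppArmor annotation and run with whatever the runtime applies by default. I would add a template comment above the include, e.g. `{{/* containerNames must list every container and initContainer of this pod; keep in sync with values_overrides/apparmor.yaml */}}`; the same applies to the cinder, glance, horizon, keystone, neutron and nova test pod templates in this patch.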
@@ -39,7 +40,7 @@ spec:
 initContainers:
 {{ tuple $envAll "tests" $mounts_barbican_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 containers:
- - name: {{.Release.Name}}-barbican-test
+ - name: barbican-test
 {{ tuple $envAll "scripted_test" | include "helm-toolkit.snippets.image" | indent 6 }}
 env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
diff --git a/barbican/values_overrides/apparmor.yaml b/barbican/values_overrides/apparmor.yaml
index 02d5bf5ea3..d57debe765 100644
--- a/barbican/values_overrides/apparmor.yaml
+++ b/barbican/values_overrides/apparmor.yaml
@@ -5,4 +5,7 @@ pod:
 barbican-api:
 barbican-api: runtime/default
 init: runtime/default
+ barbican-test:
+ init: runtime/default
+ barbican-test: runtime/default
 ...
diff --git a/cinder/templates/pod-rally-test.yaml b/cinder/templates/pod-rally-test.yaml
index 2575263a0d..690b527b04 100644
--- a/cinder/templates/pod-rally-test.yaml
+++ b/cinder/templates/pod-rally-test.yaml
@@ -30,6 +30,7 @@ metadata:
 annotations:
 "helm.sh/hook": test-success
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "cinder-test" "containerNames" (list "init" "cinder-test" "cinder-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
 restartPolicy: Never
 nodeSelector:
@@ -37,7 +38,7 @@ spec:
 serviceAccountName: {{ $serviceAccountName }}
 initContainers:
 {{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
- - name: {{ .Release.Name }}-test-ks-user
+ - name: cinder-test-ks-user
 {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
 command:
@@ -61,7 +62,7 @@ spec:
 - name: SERVICE_OS_ROLE
 value: {{ .Values.endpoints.identity.auth.test.role | quote }}
 containers:
- - name: {{ .Release.Name }}-test
+ - name: cinder-test
 {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
 env:
diff --git a/cinder/values_overrides/apparmor.yaml b/cinder/values_overrides/apparmor.yaml
index 5e58f81182..2c488ae61a 100644
--- a/cinder/values_overrides/apparmor.yaml
+++ b/cinder/values_overrides/apparmor.yaml
@@ -22,4 +22,8 @@ pod:
 cinder-backup-storage-init:
 cinder-backup-storage-init: runtime/default
 init: runtime/default
+ cinder-test:
+ init: runtime/default
+ cinder-test: runtime/default
+ cinder-test-ks-user: runtime/default
 ...
diff --git a/glance/templates/pod-rally-test.yaml b/glance/templates/pod-rally-test.yaml
index d8621cd1a6..f818aaa79c 100644
--- a/glance/templates/pod-rally-test.yaml
+++ b/glance/templates/pod-rally-test.yaml
@@ -29,6 +30,7 @@ metadata:
 {{ tuple $envAll "glance" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 annotations:
 "helm.sh/hook": test-success
+{{ dict "envAll" $envAll "podName" "glance-test" "containerNames" (list "init" "glance-test" "glance-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
 nodeSelector:
 {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
@@ -36,7 +37,7 @@ spec:
 serviceAccountName: {{ $serviceAccountName }}
 initContainers:
 {{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
- - name: {{ .Release.Name }}-test-ks-user
+ - name: glance-test-ks-user
 {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
 command:
@@ -60,7 +61,7 @@ spec:
 - name: SERVICE_OS_ROLE
 value: {{ .Values.endpoints.identity.auth.test.role | quote }}
 containers:
- - name: {{ .Release.Name }}-test
+ - name: glance-test
 {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
 env:
diff --git a/glance/values_overrides/apparmor.yaml b/glance/values_overrides/apparmor.yaml
index 29b11787de..e620e394bf 100644
--- a/glance/values_overrides/apparmor.yaml
+++ b/glance/values_overrides/apparmor.yaml
@@ -15,6 +15,10 @@ pod:
 glance-storage-init:
 init: runtime/default
 glance-storage-init: runtime/default
+ glance-test:
+ init: runtime/default
+ glance-test: runtime/default
+ glance-test-ks-user: runtime/default
 manifests:
 deployment_registry: true
 ...
diff --git a/horizon/templates/pod-helm-tests.yaml b/horizon/templates/pod-helm-tests.yaml
index 2fb15439eb..85e3ec0fcf 100644
--- a/horizon/templates/pod-helm-tests.yaml
+++ b/horizon/templates/pod-helm-tests.yaml
@@ -30,6 +30,7 @@ metadata:
 annotations:
 "helm.sh/hook": test-success
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "horizon-test" "containerNames" (list "init" "horizon-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
 restartPolicy: Never
 serviceAccountName: {{ $serviceAccountName }}
@@ -38,7 +39,7 @@ spec:
 initContainers:
 {{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
 containers:
- - name: {{ .Release.Name }}-test
+ - name: horizon-test
 {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
 command:
diff --git a/horizon/values_overrides/apparmor.yaml b/horizon/values_overrides/apparmor.yaml
index 7612b41cf1..4a9a7fc4a1 100644
--- a/horizon/values_overrides/apparmor.yaml
+++ b/horizon/values_overrides/apparmor.yaml
@@ -8,4 +8,7 @@ pod:
 horizon-db-sync:
 horizon-db-sync: runtime/default
 init: runtime/default
+ horizon-test:
+ init: runtime/default
+ horizon-test: runtime/default
 ...
diff --git a/keystone/templates/pod-rally-test.yaml b/keystone/templates/pod-rally-test.yaml
index 8d9972e4e1..12c1eeb331 100644
--- a/keystone/templates/pod-rally-test.yaml
+++ b/keystone/templates/pod-rally-test.yaml
@@ -30,6 +30,7 @@ metadata:
 annotations:
 "helm.sh/hook": test-success
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "keystone-test" "containerNames" (list "init" "keystone-test" "keystone-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
 restartPolicy: Never
 nodeSelector:
@@ -37,7 +38,7 @@ spec:
 serviceAccountName: {{ $serviceAccountName }}
 initContainers:
 {{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
- - name: {{ .Release.Name }}-test-ks-user
+ - name: keystone-test-ks-user
 {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
 command:
@@ -61,7 +62,7 @@ spec:
 - name: SERVICE_OS_ROLE
 value: {{ .Values.endpoints.identity.auth.test.role | quote }}
 containers:
- - name: {{ .Release.Name }}-test
+ - name: keystone-test
 {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
 env:
diff --git a/keystone/values_overrides/apparmor.yaml b/keystone/values_overrides/apparmor.yaml
index a46c255f83..29ad7c1a17 100644
--- a/keystone/values_overrides/apparmor.yaml
+++ b/keystone/values_overrides/apparmor.yaml
@@ -13,4 +13,8 @@ pod:
 keystone-domain-manage:
 keystone-domain-manage: runtime/default
 keystone-domain-manage-init: runtime/default
+ keystone-test:
+ init: runtime/default
+ keystone-test: runtime/default
+ keystone-test-ks-user: runtime/default
 ...
diff --git a/neutron/templates/pod-rally-test.yaml b/neutron/templates/pod-rally-test.yaml
index 7ebaced38d..7e1f7254a1 100644
--- a/neutron/templates/pod-rally-test.yaml
+++ b/neutron/templates/pod-rally-test.yaml
@@ -31,6 +31,7 @@ metadata:
 {{ tuple $envAll "neutron" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 annotations:
 "helm.sh/hook": test-success
+{{ dict "envAll" $envAll "podName" "neutron-test" "containerNames" (list "init" "neutron-test" "neutron-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
 nodeSelector:
 {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
@@ -38,7 +39,7 @@ spec:
 serviceAccountName: {{ $serviceAccountName }}
 initContainers:
 {{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
- - name: {{ .Release.Name }}-test-ks-user
+ - name: neutron-test-ks-user
 {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
 command:
@@ -96,7 +97,7 @@ spec:
 mountPath: /tmp/pod-tmp
 {{ end }}
 containers:
- - name: {{ .Release.Name }}-test
+ - name: neutron-test
 {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
 env:
diff --git a/neutron/values_overrides/apparmor.yaml b/neutron/values_overrides/apparmor.yaml
index cb47431724..c3a2f007e7 100644
--- a/neutron/values_overrides/apparmor.yaml
+++ b/neutron/values_overrides/apparmor.yaml
@@ -31,4 +31,8 @@ pod:
 neutron-server:
 neutron-server: runtime/default
 init: runtime/default
+ neutron-test:
+ init: runtime/default
+ neutron-test: runtime/default
+ neutron-test-ks-user: runtime/default
 ...
diff --git a/nova/templates/pod-rally-test.yaml b/nova/templates/pod-rally-test.yaml
index e025ee26b3..fc161abf1d 100644
--- a/nova/templates/pod-rally-test.yaml
+++ b/nova/templates/pod-rally-test.yaml
@@ -30,6 +30,7 @@ metadata:
 annotations:
 "helm.sh/hook": test-success
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "nova-test" "containerNames" (list "init" "nova-test" "nova-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
 nodeSelector:
 {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
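Review bot: In neutron/templates/pod-rally-test.yaml the context of the `@@ -96,7 +97,7 @@` hunk (`mountPath: /tmp/pod-tmp` followed by `{{ end }}` directly before `containers:`) suggests a further, conditionally rendered init container between `neutron-test-ks-user` and the test container. Its definition lies outside the hunks, so this is inferred rather than shown. If it exists, it is missing from the `containerNames` list (`init`, `neutron-test`, `neutron-test-ks-user`) and from `neutron/values_overrides/apparmor.yaml`, and would be the one container in this pod without a `runtime/default` annotation. In that case give it a fixed name, add that name to the list, and add a matching override key such as `<container-name>: runtime/default` under `neutron-test:`.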
@@ -37,7 +38,7 @@ spec:
 serviceAccountName: {{ $serviceAccountName }}
 initContainers:
 {{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
- - name: {{ .Release.Name }}-test-ks-user
+ - name: nova-test-ks-user
 {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
 command:
@@ -61,7 +62,7 @@ spec:
 - name: SERVICE_OS_ROLE
 value: {{ .Values.endpoints.identity.auth.test.role | quote }}
 containers:
- - name: {{ .Release.Name }}-test
+ - name: nova-test
 {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
 env:
diff --git a/nova/values_overrides/apparmor.yaml b/nova/values_overrides/apparmor.yaml
index 220f24b078..0729fdb1a2 100644
--- a/nova/values_overrides/apparmor.yaml
+++ b/nova/values_overrides/apparmor.yaml
@@ -35,4 +35,8 @@ pod:
 nova-cell-setup: runtime/default
 nova-cell-setup-init: runtime/default
 init: runtime/default
+ nova-test:
+ init: runtime/default
+ nova-test: runtime/default
+ nova-test-ks-user: runtime/default
 ...
diff --git a/tools/deployment/apparmor/015-ingress.sh b/tools/deployment/apparmor/015-ingress.sh
index 34b82504c9..65bb065b45 100755
--- a/tools/deployment/apparmor/015-ingress.sh
+++ b/tools/deployment/apparmor/015-ingress.sh
@@ -15,9 +15,14 @@ # under the License. set -xe +export HELM_CHART_ROOT_PATH="${HELM_CHART_ROOT_PATH:="${OSH_INFRA_PATH:="../openstack-helm-infra"}"}" #NOTE: Lint and package chart -make ingress +make -C ${HELM_CHART_ROOT_PATH} ingress + +#NOTE: Deploy command +: ${OSH_EXTRA_HELM_ARGS:=""} +cd ${HELM_CHART_ROOT_PATH} export HELM_CHART_ROOT_PATH="${HELM_CHART_ROOT_PATH:="${OSH_INFRA_PATH:="../openstack-helm-infra"}"}"
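Review bot: In tools/deployment/apparmor/015-ingress.sh the `export HELM_CHART_ROOT_PATH=...` line is now added right after `set -xe`, while the identical export stays as trailing context a few lines below, so the second one is redundant and can be dropped. The new `make -C ${HELM_CHART_ROOT_PATH} ingress` and `cd ${HELM_CHART_ROOT_PATH}` expand the variable unquoted although it can come from the environment (`OSH_INFRA_PATH`); quote both, `make -C "${HELM_CHART_ROOT_PATH}" ingress` and `cd "${HELM_CHART_ROOT_PATH}"`. After the `cd`, a relative `HELM_CHART_ROOT_PATH` is resolved from the new directory, which works for the default `../openstack-helm-infra` only when the checkout directory has that name; the later uses of the variable are outside the hunk. The default is also introduced as `OSH_EXTRA_HELM_ARGS` while the next hunk deletes the `OSH_INFRA_EXTRA_HELM_ARGS` one, so any remaining reference to the old name further down would expand to empty without an error, since the script sets `-xe` but not `-u`.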
@@ -25,9 +30,6 @@ export HELM_CHART_ROOT_PATH="${HELM_CHART_ROOT_PATH:="${OSH_INFRA_PATH:="../open : ${OSH_INFRA_EXTRA_HELM_ARGS_OPENSTACK:="$(./tools/deployment/common/get-values-overrides.sh ingress)"} : ${OSH_INFRA_EXTRA_HELM_ARGS_CEPH:="$(./tools/deployment/common/get-values-overrides.sh ingress)"} -#NOTE: Deploy command -: ${OSH_INFRA_EXTRA_HELM_ARGS:=""} - #NOTE: Deploy global ingress tee /tmp/ingress-kube-system.yaml << EOF deployment: