Keystone: Stop running keystone container with root user

This PS updates the keystoen chart to stop running the keystone api as the root user. Change-Id: If3042210f761476846da02fc8e648c700267a591 Signed-off-by: Pete Birley <pete@port.direct>
2018-08-03 14:49:53 -05:00 · 2018-08-03 14:49:53 -05:00 · 4a6d740154
commit 4a6d740154
parent 5038d92b4f
23 changed files with 44 additions and 1 deletions
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@ -551,6 +551,7 @@ endpoints:
    port:
      api:
        default: 80
+        internal: 5000
  key_manager:
    name: barbican
    hosts:
--- a/ceilometer/values.yaml
+++ b/ceilometer/values.yaml
@ -1712,6 +1712,7 @@ endpoints:
    port:
      api:
        default: 80
+        internal: 5000
  metering:
    name: ceilometer
    hosts:
--- a/ceph-client/values.yaml
+++ b/ceph-client/values.yaml
@ -456,6 +456,7 @@ endpoints:
    port:
      api:
        default: 80
+        internal: 5000
  object_store:
    name: swift
    namespace: null
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@ -1075,6 +1075,7 @@ endpoints:
    port:
      api:
        default: 80
+        internal: 5000
  image:
    name: glance
    hosts:
--- a/congress/values.yaml
+++ b/congress/values.yaml
@ -250,6 +250,7 @@ endpoints:
    port:
      api:
        default: 80
+        internal: 5000
  policy:
    name: congress
    hosts:
--- a/glance/values.yaml
+++ b/glance/values.yaml
@ -580,6 +580,7 @@ endpoints:
    port:
      api:
        default: 80
+        internal: 5000
  image:
    name: glance
    hosts:
--- a/gnocchi/values.yaml
+++ b/gnocchi/values.yaml
@ -491,6 +491,7 @@ endpoints:
    port:
      api:
        default: 80
+        internal: 5000
  metric:
    name: gnocchi
    hosts:
--- a/heat/values.yaml
+++ b/heat/values.yaml
@ -817,6 +817,7 @@ endpoints:
    port:
      api:
        default: 80
+        internal: 5000
  orchestration:
    name: heat
    hosts:
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@ -2010,7 +2010,7 @@ endpoints:
    port:
      api:
        default: 80
-        admin: 35357
+        internal: 5000
  oslo_cache:
    hosts:
      default: memcached
--- a/ironic/values.yaml
+++ b/ironic/values.yaml
@ -405,6 +405,7 @@ endpoints:
    port:
      api:
        default: 80
+        internal: 5000
  baremetal:
    name: ironic
    hosts:
--- a/keystone/templates/configmap-etc.yaml
+++ b/keystone/templates/configmap-etc.yaml
@ -61,6 +61,7 @@ data:
 {{- tuple .Values.conf.mpm_event "etc/_mpm_event.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
  wsgi-keystone.conf: |
 {{- tuple .Values.conf.wsgi_keystone "etc/_wsgi-keystone.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+  ports.conf: ""
  sso_callback_template.html: |
 {{- tuple .Values.conf.sso_callback_template "etc/_sso_callback_template.html.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 {{- range $k, $v := .Values.conf.ks_domains }}
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@ -55,6 +55,8 @@ spec:
        - name: keystone-api
 {{ tuple $envAll "keystone_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: {{ .Values.pod.user.keystone.uid }}
          command:
            - /tmp/keystone-api.sh
            - start
@ -78,12 +80,20 @@ spec:
          volumeMounts:
          - name: etckeystone
            mountPath: /etc/keystone
+          - name: logs-apache
+            mountPath: /var/log/apache2
+          - name: run-apache
+            mountPath: /var/run/apache2
          - name: wsgi-keystone
            mountPath: /var/www/cgi-bin/keystone
          - name: keystone-etc
            mountPath: /etc/keystone/keystone.conf
            subPath: keystone.conf
            readOnly: true
+          - name: keystone-etc
+            mountPath: /etc/apache2/ports.conf
+            subPath: ports.conf
+            readOnly: true
          - name: keystone-etc
            mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
            subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
@ -130,6 +140,10 @@ spec:
        emptyDir: {}
      - name: wsgi-keystone
        emptyDir: {}
+      - name: logs-apache
+        emptyDir: {}
+      - name: run-apache
+        emptyDir: {}
      - name: keystone-etc
        configMap:
          name: keystone-etc
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@ -161,6 +161,9 @@ dependencies:
          service: local_image_registry

 pod:
+  user:
+    keystone:
+      uid: 42424
  affinity:
    anti:
      type:
@ -926,6 +929,9 @@ endpoints:
    port:
      api:
        default: 80
+        # NOTE(portdirect): to retain portability accross images, and allow
+        # running under a unprivileged user simply, we default to a port > 1000.
+        internal: 5000
  oslo_db:
    namespace: null
    auth:
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@ -363,6 +363,7 @@ endpoints:
    port:
      api:
        default: 80
+        internal: 5000
  container_infra:
    name: magnum
    hosts:
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
@ -247,6 +247,7 @@ endpoints:
    port:
      api:
        default: 80
+        internal: 5000
  workflowv2:
    name: mistral
    hosts:
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@ -1781,6 +1781,7 @@ endpoints:
    port:
      api:
        default: 80
+        internal: 5000
  network:
    name: neutron
    hosts:
--- a/nova/values.yaml
+++ b/nova/values.yaml
@ -1791,6 +1791,7 @@ endpoints:
    port:
      api:
        default: 80
+        internal: 5000
  image:
    name: glance
    hosts:
--- a/rally/values.yaml
+++ b/rally/values.yaml
@ -260,6 +260,7 @@ endpoints:
    port:
      api:
        default: 80
+        internal: 5000
  benchmark:
    name: rally
    hosts:
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@ -412,6 +412,7 @@ endpoints:
    port:
      api:
        default: 80
+        internal: 5000
  clustering:
    name: senlin
    hosts:
--- a/tempest/values.yaml
+++ b/tempest/values.yaml
@ -255,6 +255,7 @@ endpoints:
    port:
      api:
        default: 80
+        internal: 5000

 manifests:
  configmap_bin: true
--- a/tools/overrides/releases/newton/kolla.yaml
+++ b/tools/overrides/releases/newton/kolla.yaml
@ -87,6 +87,8 @@ images:
    test: 'docker.io/kolla/ubuntu-source-rally:4.0.0'
 pod:
  user:
+    keystone:
+      uid: 1000
    barbican:
      uid: 1000
    cinder:
--- a/tools/overrides/releases/ocata/kolla.yaml
+++ b/tools/overrides/releases/ocata/kolla.yaml
@ -85,6 +85,8 @@ images:
 pod:
  #NOTE(portdirect): see https://github.com/openstack/kolla/blob/f62f5ae2fa5e7808722f9b37b48a50b39c20b46d/kolla/common/config.py#L695-L998
  user:
+    keystone:
+      uid: 42425
    barbican:
      uid: 42403
    cinder:
--- a/tools/overrides/releases/pike/kolla.yaml
+++ b/tools/overrides/releases/pike/kolla.yaml
@ -85,6 +85,8 @@ images:
 pod:
  #NOTE(portdirect): see https://github.com/openstack/kolla/blob/f62f5ae2fa5e7808722f9b37b48a50b39c20b46d/kolla/common/config.py#L695-L998
  user:
+    keystone:
+      uid: 42425
    barbican:
      uid: 42403
    cinder: