From 670a78bcbee5f275de2f48adf5fe3bc4f4f8b9a6 Mon Sep 17 00:00:00 2001 From: Tin Lam Date: Thu, 29 Jun 2017 14:36:44 -0500 Subject: [PATCH] Fix file permission and readOnly flag This patchset enforces stricter file permissions on the *-etc configmaps and sets the readOnly flag to true in a number of charts. Change-Id: I233689a5d56dd1352e0d81997a94b4cdd6bed5d2 
Signed-off-by: Tin Lam --- barbican/templates/deployment-api.yaml | 1 + barbican/templates/job-db-init.yaml | 5 +++-- barbican/templates/job-db-sync.yaml | 1 + ceph/templates/daemonset-osd.yaml | 1 + ceph/templates/deployment-mds.yaml | 1 + ceph/templates/deployment-moncheck.yaml | 1 + ceph/templates/deployment-rgw.yaml | 1 + ceph/templates/job-keyring.yaml | 1 + ceph/templates/job-storage-admin-keys.yaml | 1 + ceph/templates/statefulset-mon.yaml | 1 + cinder/templates/deployment-api.yaml | 1 + cinder/templates/deployment-backup.yaml | 2 ++ cinder/templates/deployment-scheduler.yaml | 1 + cinder/templates/deployment-volume.yaml | 1 + cinder/templates/job-bootstrap.yaml | 3 +++ cinder/templates/job-db-init.yaml | 1 + cinder/templates/pod-rally-test.yaml | 1 + glance/templates/deployment-api.yaml | 3 +++ glance/templates/deployment-registry.yaml | 1 + glance/templates/job-bootstrap.yaml | 1 + glance/templates/job-db-init.yaml | 1 + glance/templates/job-db-sync.yaml | 1 + glance/templates/pod-rally-test.yaml | 1 + heat/templates/deployment-api.yaml | 1 + heat/templates/deployment-cfn.yaml | 1 + heat/templates/deployment-cloudwatch.yaml | 1 + heat/templates/job-db-init.yaml | 1 + heat/templates/job-db-sync.yaml | 1 + heat/templates/statefulset-engine.yaml | 1 + horizon/templates/deployment.yaml | 1 + ingress/templates/deployment-ingress.yaml | 2 ++ keystone/templates/deployment.yaml | 1 + keystone/templates/job-bootstrap.yaml | 1 + keystone/templates/job-db-init.yaml | 1 + keystone/templates/job-db-sync.yaml | 1 + keystone/templates/pod-rally-test.yaml | 1 + magnum/templates/deployment-api.yaml | 1 + magnum/templates/job-db-init.yaml | 1 + magnum/templates/job-db-sync.yaml | 1 + magnum/templates/statefulset-conductor.yaml | 1 + mariadb/templates/statefulset.yaml | 1 + mistral/templates/deployment-api.yaml | 1 + mistral/templates/deployment-executor.yaml | 1 + mistral/templates/job-db-init.yaml | 1 + mistral/templates/job-db-sync.yaml | 1 + 
mistral/templates/statefulset-engine.yaml | 1 + .../templates/statefulset-event-engine.yaml | 1 + neutron/templates/daemonset-dhcp-agent.yaml | 1 + neutron/templates/daemonset-l3-agent.yaml | 1 + .../templates/daemonset-metadata-agent.yaml | 1 + neutron/templates/daemonset-ovs-agent.yaml | 1 + neutron/templates/daemonset-ovs-db.yaml | 1 + neutron/templates/deployment-server.yaml | 1 + neutron/templates/job-db-init.yaml | 1 + neutron/templates/job-db-sync.yaml | 1 + neutron/templates/pod-rally-test.yaml | 1 + nova/templates/daemonset-compute.yaml | 2 ++ nova/templates/daemonset-libvirt.yaml | 3 +++ nova/templates/deployment-api-metadata.yaml | 1 + nova/templates/deployment-api-osapi.yaml | 1 + nova/templates/deployment-conductor.yaml | 1 + nova/templates/deployment-consoleauth.yaml | 1 + nova/templates/deployment-scheduler.yaml | 1 + nova/templates/job-bootstrap.yaml | 1 + nova/templates/job-db-init.yaml | 1 + nova/templates/job-db-sync.yaml | 1 + nova/templates/pod-rally-test.yaml | 1 + rabbitmq/templates/deployment.yaml | 20 ++++++++++--------- senlin/templates/deployment-api.yaml | 1 + senlin/templates/job-db-init.yaml | 1 + senlin/templates/job-db-sync.yaml | 1 + senlin/templates/statefulset-engine.yaml | 1 + 72 files changed, 93 insertions(+), 11 deletions(-) diff --git a/barbican/templates/deployment-api.yaml b/barbican/templates/deployment-api.yaml index 11e2000691..588559416f 100644 --- a/barbican/templates/deployment-api.yaml +++ b/barbican/templates/deployment-api.yaml @@ -91,6 +91,7 @@ spec: - name: barbican-etc configMap: name: barbican-etc + defaultMode: 0444 - name: barbican-bin configMap: name: barbican-bin diff --git a/barbican/templates/job-db-init.yaml b/barbican/templates/job-db-init.yaml index e23f0fed0d..25ff06d3b0 100644 --- a/barbican/templates/job-db-init.yaml +++ b/barbican/templates/job-db-init.yaml 
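Review bot: `defaultMode: 0444` on the barbican-etc volume relies on the YAML 1.1 rule that a leading zero marks an octal literal, so the API server receives 292 (0444) only because Helm's and kubectl's decoders still follow 1.1 semantics; a YAML 1.2 parser reads the same token as decimal 444, which is mode 0674 and group-writable. The identical token is added in every other `defaultMode` hunk of this patch, so one convention should cover them all. Either keep the octal form and record the dependency next to it, `defaultMode: 0444  # YAML 1.1 octal (292 decimal); field is an integer, do not quote`, or use the decimal value the Kubernetes API documents, `defaultMode: 292  # 0444`. Quoting the value is not a fix here, since the field must stay an integer.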
@@ -45,12 +45,12 @@ spec: command: - /tmp/db-init.py volumeMounts: + - name: barbican-etc + mountPath: /etc/barbican - name: barbican-bin mountPath: /tmp/db-init.py subPath: db-init.py readOnly: true - - name: barbican-etc - mountPath: /etc/barbican - name: barbican-conf mountPath: /etc/barbican/barbican.conf subPath: barbican.conf @@ -61,6 +61,7 @@ spec: - name: barbican-conf configMap: name: barbican-etc + defaultMode: 0444 - name: barbican-bin configMap: name: barbican-bin diff --git a/barbican/templates/job-db-sync.yaml b/barbican/templates/job-db-sync.yaml index 1cb7a85070..29ba887970 100644 --- a/barbican/templates/job-db-sync.yaml +++ b/barbican/templates/job-db-sync.yaml @@ -49,6 +49,7 @@ spec: - name: barbican-etc configMap: name: barbican-etc + defaultMode: 0444 - name: barbican-bin configMap: name: barbican-bin diff --git a/ceph/templates/daemonset-osd.yaml b/ceph/templates/daemonset-osd.yaml index f0c5ffa54a..4f4197ff33 100644 --- a/ceph/templates/daemonset-osd.yaml +++ b/ceph/templates/daemonset-osd.yaml @@ -114,6 +114,7 @@ spec: - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-client-admin-keyring secret: secretName: {{ .Values.secrets.keyrings.admin }} diff --git a/ceph/templates/deployment-mds.yaml b/ceph/templates/deployment-mds.yaml index 964677ec40..a77ccff378 100644 --- a/ceph/templates/deployment-mds.yaml +++ b/ceph/templates/deployment-mds.yaml @@ -101,6 +101,7 @@ spec: - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-client-admin-keyring secret: secretName: {{ .Values.secrets.keyrings.admin }} diff --git a/ceph/templates/deployment-moncheck.yaml b/ceph/templates/deployment-moncheck.yaml index 54228cf3ad..95a8923fdc 100644 --- a/ceph/templates/deployment-moncheck.yaml +++ b/ceph/templates/deployment-moncheck.yaml @@ -92,6 +92,7 @@ spec: - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-client-admin-keyring secret: secretName: {{ .Values.secrets.keyrings.admin }} 
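Review bot: In the first hunk of barbican/templates/job-db-init.yaml the `barbican-etc` mount of /etc/barbican is moved above `barbican-bin`, but unlike the `barbican-bin` mount right below it, which carries `readOnly: true`, the moved entry gets no such flag, so the hardening the subject describes is not applied to it; add `readOnly: true` under `mountPath: /etc/barbican`. The reorder itself is presumably meant to have the directory mount precede the `barbican-conf` subPath mount at /etc/barbican/barbican.conf; if that is the intent, a comment such as `# mount /etc/barbican before the subPath mounts that live under it` would keep a later cleanup from reverting the order. The `barbican-conf` mount's own `readOnly` line, if it has one, falls outside the hunk.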
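Review bot: In ceph/templates/daemonset-osd.yaml the `ceph-etc` configMap now gets `defaultMode: 0444`, while the `ceph-client-admin-keyring` secret volume directly below it keeps the default projection mode (0644), so the admin keyring ends up more permissive on disk than the non-sensitive ceph.conf next to it. The same pattern appears in ceph/templates/deployment-mds.yaml, deployment-moncheck.yaml, deployment-rgw.yaml and statefulset-mon.yaml, and in the `pvc-ceph-client-key` secret volumes of cinder/templates/deployment-backup.yaml, cinder/templates/deployment-volume.yaml, glance/templates/deployment-api.yaml and the two nova daemonsets. Consider a `defaultMode` on those secret volumes too (e.g. `defaultMode: 0400` or `0440`), after checking which uid the consuming process runs as and whether an `fsGroup` is set, since a mode that tight is unreadable to a non-root process that is not the file owner.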
diff --git a/ceph/templates/deployment-rgw.yaml b/ceph/templates/deployment-rgw.yaml index c754b1ae40..76b20e863f 100644 --- a/ceph/templates/deployment-rgw.yaml +++ b/ceph/templates/deployment-rgw.yaml @@ -104,6 +104,7 @@ spec: - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-client-admin-keyring secret: secretName: {{ .Values.secrets.keyrings.admin }} diff --git a/ceph/templates/job-keyring.yaml b/ceph/templates/job-keyring.yaml index 677167dfaf..aa067605b6 100644 --- a/ceph/templates/job-keyring.yaml +++ b/ceph/templates/job-keyring.yaml @@ -81,5 +81,6 @@ spec: - name: ceph-templates configMap: name: ceph-templates + defaultMode: 0444 {{ end }} {{ end }} diff --git a/ceph/templates/job-storage-admin-keys.yaml b/ceph/templates/job-storage-admin-keys.yaml index 571057b8d7..f2fbd4f00f 100644 --- a/ceph/templates/job-storage-admin-keys.yaml +++ b/ceph/templates/job-storage-admin-keys.yaml @@ -74,4 +74,5 @@ spec: - name: ceph-templates configMap: name: ceph-templates + defaultMode: 0444 {{- end }} diff --git a/ceph/templates/statefulset-mon.yaml b/ceph/templates/statefulset-mon.yaml index 7ab91e8bf0..cd67f457a9 100644 --- a/ceph/templates/statefulset-mon.yaml +++ b/ceph/templates/statefulset-mon.yaml @@ -133,6 +133,7 @@ spec: - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-client-admin-keyring secret: secretName: {{ .Values.secrets.keyrings.admin }} diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml index 9c4125832f..b6a313232e 100644 --- a/cinder/templates/deployment-api.yaml +++ b/cinder/templates/deployment-api.yaml @@ -85,4 +85,5 @@ spec: - name: cinder-etc configMap: name: cinder-etc + defaultMode: 0444 {{- if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }} diff --git a/cinder/templates/deployment-backup.yaml b/cinder/templates/deployment-backup.yaml index a95dd68614..113e9a0f40 100644 --- a/cinder/templates/deployment-backup.yaml 
+++ b/cinder/templates/deployment-backup.yaml @@ -88,6 +88,7 @@ spec: - name: cinder-etc configMap: name: cinder-etc + defaultMode: 0444 - name: cinder-bin configMap: name: cinder-bin @@ -98,6 +99,7 @@ spec: - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-keyring secret: secretName: pvc-ceph-client-key diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml index 7449f4de2e..18a8bc0b67 100644 --- a/cinder/templates/deployment-scheduler.yaml +++ b/cinder/templates/deployment-scheduler.yaml @@ -71,4 +71,5 @@ spec: - name: cinder-etc configMap: name: cinder-etc + defaultMode: 0444 {{- if $mounts_cinder_scheduler.volumes }}{{ toYaml $mounts_cinder_scheduler.volumes | indent 8 }}{{ end }} diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml index 85a3f449aa..770eadb497 100644 --- a/cinder/templates/deployment-volume.yaml +++ b/cinder/templates/deployment-volume.yaml @@ -102,6 +102,7 @@ spec: - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-keyring secret: secretName: pvc-ceph-client-key diff --git a/cinder/templates/job-bootstrap.yaml b/cinder/templates/job-bootstrap.yaml index 34cd1d4ea8..0eaf625802 100644 --- a/cinder/templates/job-bootstrap.yaml +++ b/cinder/templates/job-bootstrap.yaml @@ -43,13 +43,16 @@ spec: - name: cinder-etc mountPath: /etc/cinder/cinder.conf subPath: cinder.conf + readOnly: true - name: cinder-bin mountPath: /tmp/bootstrap.sh subPath: bootstrap.sh + readOnly: true volumes: - name: cinder-etc configMap: name: cinder-etc + defaultMode: 0444 - name: cinder-bin configMap: name: cinder-bin diff --git a/cinder/templates/job-db-init.yaml b/cinder/templates/job-db-init.yaml index b51bc929b9..54397b0d10 100644 --- a/cinder/templates/job-db-init.yaml +++ b/cinder/templates/job-db-init.yaml 
@@ -63,6 +63,7 @@ spec: - name: cinder-etc configMap: name: cinder-etc + defaultMode: 0444 - name: cinder-bin configMap: name: cinder-bin diff --git a/cinder/templates/pod-rally-test.yaml b/cinder/templates/pod-rally-test.yaml index ac0989cd70..2549adbf2b 100644 --- a/cinder/templates/pod-rally-test.yaml +++ b/cinder/templates/pod-rally-test.yaml @@ -56,6 +56,7 @@ spec: - name: cinder-etc configMap: name: cinder-etc + defaultMode: 0444 - name: cinder-bin configMap: name: cinder-bin diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml index 5e0ffa72f2..c4d7f1e75c 100644 --- a/glance/templates/deployment-api.yaml +++ b/glance/templates/deployment-api.yaml @@ -67,6 +67,7 @@ spec: - name: glance-bin mountPath: /tmp/ceph-keyring.sh subPath: ceph-keyring.sh + readOnly: true - name: ceph-keyring mountPath: /tmp/client-keyring subPath: key @@ -136,6 +137,7 @@ spec: - name: glance-etc configMap: name: glance-etc + defaultMode: 0444 {{- if eq .Values.storage "pvc" }} - name: glance-images persistentVolumeClaim: @@ -146,6 +148,7 @@ spec: - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-keyring secret: secretName: pvc-ceph-client-key diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml index d32016c131..95494e6b34 100644 --- a/glance/templates/deployment-registry.yaml +++ b/glance/templates/deployment-registry.yaml @@ -88,4 +88,5 @@ spec: - name: glance-etc configMap: name: glance-etc + defaultMode: 0444 {{- if $mounts_glance_registry.volumes }}{{ toYaml $mounts_glance_registry.volumes | indent 8 }}{{ end }} diff --git a/glance/templates/job-bootstrap.yaml b/glance/templates/job-bootstrap.yaml index 5a70663b6f..ea42a9c2e7 100644 --- a/glance/templates/job-bootstrap.yaml +++ b/glance/templates/job-bootstrap.yaml @@ -59,3 +59,4 @@ spec: - name: glance-etc configMap: name: glance-etc + defaultMode: 0444 
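Review bot: In the first hunk of glance/templates/deployment-api.yaml the `glance-bin` mount of /tmp/ceph-keyring.sh gains `readOnly: true`, but the `ceph-keyring` secret mount of /tmp/client-keyring that follows ends the hunk at `subPath: key`, so whether it carries the same flag is not visible here; the mount holding the Ceph client key is the one that most warrants it. If it does not, add `readOnly: true` under `subPath: key`. The identical pair of mounts is touched in nova/templates/daemonset-libvirt.yaml and should be checked the same way.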
diff --git a/glance/templates/job-db-init.yaml b/glance/templates/job-db-init.yaml index 88426e5871..84c7de1565 100644 --- a/glance/templates/job-db-init.yaml +++ b/glance/templates/job-db-init.yaml @@ -63,6 +63,7 @@ spec: - name: glance-etc configMap: name: glance-etc + defaultMode: 0444 - name: glance-bin configMap: name: glance-bin diff --git a/glance/templates/job-db-sync.yaml b/glance/templates/job-db-sync.yaml index c94ba6e249..7efa6a2932 100644 --- a/glance/templates/job-db-sync.yaml +++ b/glance/templates/job-db-sync.yaml @@ -51,6 +51,7 @@ spec: - name: glance-etc configMap: name: glance-etc + defaultMode: 0444 - name: glance-bin configMap: name: glance-bin diff --git a/glance/templates/pod-rally-test.yaml b/glance/templates/pod-rally-test.yaml index ce344aaf5d..d01139a32b 100644 --- a/glance/templates/pod-rally-test.yaml +++ b/glance/templates/pod-rally-test.yaml @@ -56,6 +56,7 @@ spec: - name: glance-etc configMap: name: glance-etc + defaultMode: 0444 - name: glance-bin configMap: name: glance-bin diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml index 9120e95ec9..5fed9bdf42 100644 --- a/heat/templates/deployment-api.yaml +++ b/heat/templates/deployment-api.yaml @@ -92,4 +92,5 @@ spec: - name: heat-etc configMap: name: heat-etc + defaultMode: 0444 {{- if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }} diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml index 69907d4265..a102ac911e 100644 --- a/heat/templates/deployment-cfn.yaml +++ b/heat/templates/deployment-cfn.yaml @@ -92,4 +92,5 @@ spec: - name: heat-etc configMap: name: heat-etc + defaultMode: 0444 {{- if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }} diff --git a/heat/templates/deployment-cloudwatch.yaml b/heat/templates/deployment-cloudwatch.yaml index 9ff4b65fc7..267c7dc975 100644 --- a/heat/templates/deployment-cloudwatch.yaml 
+++ b/heat/templates/deployment-cloudwatch.yaml @@ -92,4 +92,5 @@ spec: - name: heat-etc configMap: name: heat-etc + defaultMode: 0444 {{- if $mounts_heat_cloudwatch.volumes }}{{ toYaml $mounts_heat_cloudwatch.volumes | indent 8 }}{{ end }} diff --git a/heat/templates/job-db-init.yaml b/heat/templates/job-db-init.yaml index 4d4b075413..dc082e70aa 100644 --- a/heat/templates/job-db-init.yaml +++ b/heat/templates/job-db-init.yaml @@ -63,6 +63,7 @@ spec: - name: heat-etc configMap: name: heat-etc + defaultMode: 0444 - name: heat-bin configMap: name: heat-bin diff --git a/heat/templates/job-db-sync.yaml b/heat/templates/job-db-sync.yaml index c3939235d2..54780fb495 100644 --- a/heat/templates/job-db-sync.yaml +++ b/heat/templates/job-db-sync.yaml @@ -51,6 +51,7 @@ spec: - name: heat-etc configMap: name: heat-etc + defaultMode: 0444 - name: heat-bin configMap: name: heat-bin diff --git a/heat/templates/statefulset-engine.yaml b/heat/templates/statefulset-engine.yaml index ecb3b5ea01..f3eb51deab 100644 --- a/heat/templates/statefulset-engine.yaml +++ b/heat/templates/statefulset-engine.yaml @@ -72,4 +72,5 @@ spec: - name: heat-etc configMap: name: heat-etc + defaultMode: 0444 {{- if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }} diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml index a70b26a545..64745166f3 100644 --- a/horizon/templates/deployment.yaml +++ b/horizon/templates/deployment.yaml @@ -82,4 +82,5 @@ spec: - name: horizon-etc configMap: name: horizon-etc + defaultMode: 0444 {{- if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }} diff --git a/ingress/templates/deployment-ingress.yaml b/ingress/templates/deployment-ingress.yaml index 7189296acb..dd51e7404a 100644 --- a/ingress/templates/deployment-ingress.yaml +++ b/ingress/templates/deployment-ingress.yaml 
@@ -74,8 +74,10 @@ spec: - name: ingress-etc mountPath: /etc/resolv.conf subPath: resolv.conf + readOnly: true volumes: - name: ingress-etc configMap: name: ingress-etc + defaultMode: 0444 {{- end }} diff --git a/keystone/templates/deployment.yaml b/keystone/templates/deployment.yaml index e8661f2635..217a02f178 100644 --- a/keystone/templates/deployment.yaml +++ b/keystone/templates/deployment.yaml @@ -103,6 +103,7 @@ spec: - name: keystone-etc configMap: name: keystone-etc + defaultMode: 0444 - name: keystone-bin configMap: name: keystone-bin diff --git a/keystone/templates/job-bootstrap.yaml b/keystone/templates/job-bootstrap.yaml index 4cde8c9223..a4cc0ac316 100644 --- a/keystone/templates/job-bootstrap.yaml +++ b/keystone/templates/job-bootstrap.yaml @@ -45,6 +45,7 @@ spec: - name: keystone-bin mountPath: /tmp/bootstrap.sh subPath: bootstrap.sh + readOnly: true {{- if $mounts_keystone_bootstrap.volumeMounts }}{{ toYaml $mounts_keystone_bootstrap.volumeMounts | indent 10 }}{{ end }} volumes: - name: keystone-bin diff --git a/keystone/templates/job-db-init.yaml b/keystone/templates/job-db-init.yaml index 19fafa6fa7..195c91d713 100644 --- a/keystone/templates/job-db-init.yaml +++ b/keystone/templates/job-db-init.yaml @@ -67,6 +67,7 @@ spec: - name: keystone-etc configMap: name: keystone-etc + defaultMode: 0444 - name: keystone-bin configMap: name: keystone-bin diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml index fb64370f9a..50af2a8c72 100644 --- a/keystone/templates/job-db-sync.yaml +++ b/keystone/templates/job-db-sync.yaml @@ -66,6 +66,7 @@ spec: - name: keystone-etc configMap: name: keystone-etc + defaultMode: 0444 - name: keystone-bin configMap: name: keystone-bin diff --git a/keystone/templates/pod-rally-test.yaml b/keystone/templates/pod-rally-test.yaml index b66ac731e9..543ce19556 100644 --- a/keystone/templates/pod-rally-test.yaml +++ b/keystone/templates/pod-rally-test.yaml 
@@ -56,6 +56,7 @@ spec: - name: keystone-etc configMap: name: keystone-etc + defaultMode: 0444 - name: keystone-bin configMap: name: keystone-bin diff --git a/magnum/templates/deployment-api.yaml b/magnum/templates/deployment-api.yaml index be40df7871..039e23ad0f 100644 --- a/magnum/templates/deployment-api.yaml +++ b/magnum/templates/deployment-api.yaml @@ -92,4 +92,5 @@ spec: - name: magnum-etc configMap: name: magnum-etc + defaultMode: 0444 {{- if $mounts_magnum_api.volumes }}{{ toYaml $mounts_magnum_api.volumes | indent 8 }}{{ end }} diff --git a/magnum/templates/job-db-init.yaml b/magnum/templates/job-db-init.yaml index 9add5dc24f..ed86f05b59 100644 --- a/magnum/templates/job-db-init.yaml +++ b/magnum/templates/job-db-init.yaml @@ -63,6 +63,7 @@ spec: - name: magnum-etc configMap: name: magnum-etc + defaultMode: 0444 - name: magnum-bin configMap: name: magnum-bin diff --git a/magnum/templates/job-db-sync.yaml b/magnum/templates/job-db-sync.yaml index 2fcc44d88b..9a80aee329 100644 --- a/magnum/templates/job-db-sync.yaml +++ b/magnum/templates/job-db-sync.yaml @@ -51,6 +51,7 @@ spec: - name: magnum-etc configMap: name: magnum-etc + defaultMode: 0444 - name: magnum-bin configMap: name: magnum-bin diff --git a/magnum/templates/statefulset-conductor.yaml b/magnum/templates/statefulset-conductor.yaml index 6089ca9c4f..fa1b781246 100644 --- a/magnum/templates/statefulset-conductor.yaml +++ b/magnum/templates/statefulset-conductor.yaml @@ -72,4 +72,5 @@ spec: - name: magnum-etc configMap: name: magnum-etc + defaultMode: 0444 {{- if $mounts_magnum_conductor.volumes }}{{ toYaml $mounts_magnum_conductor.volumes | indent 8 }}{{ end }} diff --git a/mariadb/templates/statefulset.yaml b/mariadb/templates/statefulset.yaml index 3b318acd3e..fd117a5fd6 100644 --- a/mariadb/templates/statefulset.yaml +++ b/mariadb/templates/statefulset.yaml 
@@ -100,6 +100,7 @@ spec: - name: mariadb-etc configMap: name: mariadb-etc + defaultMode: 0444 {{- if not .Values.volume.enabled }} - name: mysql-data emptyDir: {} diff --git a/mistral/templates/deployment-api.yaml b/mistral/templates/deployment-api.yaml index 8abaa7f7f5..0bffe51f24 100644 --- a/mistral/templates/deployment-api.yaml +++ b/mistral/templates/deployment-api.yaml @@ -85,4 +85,5 @@ spec: - name: mistral-etc configMap: name: mistral-etc + defaultMode: 0444 {{- if $mounts_mistral_api.volumes }}{{ toYaml $mounts_mistral_api.volumes | indent 8 }}{{ end }} diff --git a/mistral/templates/deployment-executor.yaml b/mistral/templates/deployment-executor.yaml index c10fb14cd8..adfc3e4316 100644 --- a/mistral/templates/deployment-executor.yaml +++ b/mistral/templates/deployment-executor.yaml @@ -67,4 +67,5 @@ spec: - name: mistral-etc configMap: name: mistral-etc + defaultMode: 0444 {{- if $mounts_mistral_executor.volumes }}{{ toYaml $mounts_mistral_executor.volumes | indent 8 }}{{ end }} diff --git a/mistral/templates/job-db-init.yaml b/mistral/templates/job-db-init.yaml index 0352c8e976..cbfbfbb268 100644 --- a/mistral/templates/job-db-init.yaml +++ b/mistral/templates/job-db-init.yaml @@ -67,3 +67,4 @@ spec: - name: mistral-etc configMap: name: mistral-etc + defaultMode: 0444 diff --git a/mistral/templates/job-db-sync.yaml b/mistral/templates/job-db-sync.yaml index c09e5bd572..25b45ef24c 100644 --- a/mistral/templates/job-db-sync.yaml +++ b/mistral/templates/job-db-sync.yaml @@ -51,6 +51,7 @@ spec: - name: mistral-etc configMap: name: mistral-etc + defaultMode: 0444 - name: mistral-bin configMap: name: mistral-bin diff --git a/mistral/templates/statefulset-engine.yaml b/mistral/templates/statefulset-engine.yaml index 76a853f5ff..b5eceac7e0 100644 --- a/mistral/templates/statefulset-engine.yaml +++ b/mistral/templates/statefulset-engine.yaml 
@@ -62,4 +62,5 @@ spec: - name: mistral-etc configMap: name: mistral-etc + defaultMode: 0444 {{- if $mounts_mistral_engine.volumes }}{{ toYaml $mounts_mistral_engine.volumes | indent 8 }}{{ end }} diff --git a/mistral/templates/statefulset-event-engine.yaml b/mistral/templates/statefulset-event-engine.yaml index 09e41d0fc8..33e0c74320 100644 --- a/mistral/templates/statefulset-event-engine.yaml +++ b/mistral/templates/statefulset-event-engine.yaml @@ -64,4 +64,5 @@ spec: - name: mistral-etc configMap: name: mistral-etc + defaultMode: 0444 {{- if $mounts_mistral_event_engine.volumes }}{{ toYaml $mounts_mistral_event_engine.volumes | indent 8 }}{{ end }} diff --git a/neutron/templates/daemonset-dhcp-agent.yaml b/neutron/templates/daemonset-dhcp-agent.yaml index e29adcc4ff..372cd7c90f 100644 --- a/neutron/templates/daemonset-dhcp-agent.yaml +++ b/neutron/templates/daemonset-dhcp-agent.yaml @@ -90,6 +90,7 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 - name: runopenvswitch hostPath: path: /run/openvswitch diff --git a/neutron/templates/daemonset-l3-agent.yaml b/neutron/templates/daemonset-l3-agent.yaml index 9832cc6f3c..fba00ec2d7 100644 --- a/neutron/templates/daemonset-l3-agent.yaml +++ b/neutron/templates/daemonset-l3-agent.yaml @@ -89,6 +89,7 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 - name: runopenvswitch hostPath: path: /run/openvswitch diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml index d29cac2583..2445041711 100644 --- a/neutron/templates/daemonset-metadata-agent.yaml +++ b/neutron/templates/daemonset-metadata-agent.yaml @@ -88,6 +88,7 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 - name: runopenvswitch hostPath: path: /run/openvswitch diff --git a/neutron/templates/daemonset-ovs-agent.yaml b/neutron/templates/daemonset-ovs-agent.yaml index cb0fd4f9e3..54eaf5f429 100644 
--- a/neutron/templates/daemonset-ovs-agent.yaml +++ b/neutron/templates/daemonset-ovs-agent.yaml @@ -131,6 +131,7 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 - name: libmodules hostPath: path: /lib/modules diff --git a/neutron/templates/daemonset-ovs-db.yaml b/neutron/templates/daemonset-ovs-db.yaml index e3764fe69b..d337dce647 100644 --- a/neutron/templates/daemonset-ovs-db.yaml +++ b/neutron/templates/daemonset-ovs-db.yaml @@ -66,6 +66,7 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 - name: libmodules hostPath: path: /lib/modules diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml index ccdc33a767..6109c9b946 100644 --- a/neutron/templates/deployment-server.yaml +++ b/neutron/templates/deployment-server.yaml @@ -88,4 +88,5 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 {{- if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }} diff --git a/neutron/templates/job-db-init.yaml b/neutron/templates/job-db-init.yaml index cbc4cb4c50..e8e97e6db3 100644 --- a/neutron/templates/job-db-init.yaml +++ b/neutron/templates/job-db-init.yaml @@ -63,6 +63,7 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 - name: neutron-bin configMap: name: neutron-bin diff --git a/neutron/templates/job-db-sync.yaml b/neutron/templates/job-db-sync.yaml index 7ea65a698c..8b30f16be5 100644 --- a/neutron/templates/job-db-sync.yaml +++ b/neutron/templates/job-db-sync.yaml @@ -64,6 +64,7 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 - name: neutron-bin configMap: name: neutron-bin diff --git a/neutron/templates/pod-rally-test.yaml b/neutron/templates/pod-rally-test.yaml index 7316ed2692..7990a11d32 100644 --- a/neutron/templates/pod-rally-test.yaml +++ b/neutron/templates/pod-rally-test.yaml 
@@ -56,6 +56,7 @@ spec: - name: neutron-etc configMap: name: neutron-etc + defaultMode: 0444 - name: neutron-bin configMap: name: neutron-bin diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml index 1240788458..cdb5a6bb2b 100644 --- a/nova/templates/daemonset-compute.yaml +++ b/nova/templates/daemonset-compute.yaml @@ -167,12 +167,14 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 {{- if .Values.ceph.enabled }} - name: etcceph emptyDir: {} - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-keyring secret: secretName: pvc-ceph-client-key diff --git a/nova/templates/daemonset-libvirt.yaml b/nova/templates/daemonset-libvirt.yaml index eb93cbc5ee..2f32359395 100644 --- a/nova/templates/daemonset-libvirt.yaml +++ b/nova/templates/daemonset-libvirt.yaml @@ -52,6 +52,7 @@ spec: - name: nova-bin mountPath: /tmp/ceph-keyring.sh subPath: ceph-keyring.sh + readOnly: true - name: ceph-keyring mountPath: /tmp/client-keyring subPath: key @@ -136,12 +137,14 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 {{- if .Values.ceph.enabled }} - name: etcceph emptyDir: {} - name: ceph-etc configMap: name: ceph-etc + defaultMode: 0444 - name: ceph-keyring secret: secretName: pvc-ceph-client-key diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml index 9c0779bf3f..ba9f9055f4 100644 --- a/nova/templates/deployment-api-metadata.yaml +++ b/nova/templates/deployment-api-metadata.yaml @@ -96,4 +96,5 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 {{- if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }} diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml index 99f1c6479b..6a9df39398 100644 --- a/nova/templates/deployment-api-osapi.yaml +++ b/nova/templates/deployment-api-osapi.yaml 
@@ -84,4 +84,5 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 {{- if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }} diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml index 2c344e614a..99c596c98c 100644 --- a/nova/templates/deployment-conductor.yaml +++ b/nova/templates/deployment-conductor.yaml @@ -67,4 +67,5 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 {{- if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }} diff --git a/nova/templates/deployment-consoleauth.yaml b/nova/templates/deployment-consoleauth.yaml index ed2f72a60f..c2b8ff2a0f 100644 --- a/nova/templates/deployment-consoleauth.yaml +++ b/nova/templates/deployment-consoleauth.yaml @@ -67,4 +67,5 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 {{- if $mounts_nova_consoleauth.volumes }}{{ toYaml $mounts_nova_consoleauth.volumes | indent 8 }}{{ end }} diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml index 4fc7c0defe..82faabf62f 100644 --- a/nova/templates/deployment-scheduler.yaml +++ b/nova/templates/deployment-scheduler.yaml @@ -67,4 +67,5 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 {{- if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }} diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml index 7185980914..5b44e9054a 100644 --- a/nova/templates/job-bootstrap.yaml +++ b/nova/templates/job-bootstrap.yaml @@ -54,6 +54,7 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 - name: nova-bin configMap: name: nova-bin diff --git a/nova/templates/job-db-init.yaml b/nova/templates/job-db-init.yaml index eb648cce16..d53e7efe6a 100644 --- a/nova/templates/job-db-init.yaml +++ b/nova/templates/job-db-init.yaml 
@@ -92,6 +92,7 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 - name: nova-bin configMap: name: nova-bin diff --git a/nova/templates/job-db-sync.yaml b/nova/templates/job-db-sync.yaml index c00fef5b1b..5f86f7c427 100644 --- a/nova/templates/job-db-sync.yaml +++ b/nova/templates/job-db-sync.yaml @@ -51,6 +51,7 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 - name: nova-bin configMap: name: nova-bin diff --git a/nova/templates/pod-rally-test.yaml b/nova/templates/pod-rally-test.yaml index 13e10088ad..feba24efc7 100644 --- a/nova/templates/pod-rally-test.yaml +++ b/nova/templates/pod-rally-test.yaml @@ -54,6 +54,7 @@ spec: - name: nova-etc configMap: name: nova-etc + defaultMode: 0444 - name: nova-bin configMap: name: nova-bin diff --git a/rabbitmq/templates/deployment.yaml b/rabbitmq/templates/deployment.yaml index d5e92ce3c8..1b67d794bb 100644 --- a/rabbitmq/templates/deployment.yaml +++ b/rabbitmq/templates/deployment.yaml @@ -40,15 +40,6 @@ spec: {{ tuple $envAll "rabbitmq" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} - volumes: - - name: rabbitmq-emptydir - emptyDir: {} - - name: rabbitmq-bin - configMap: - name: rabbitmq-bin - - name: rabbitmq-etc - configMap: - name: rabbitmq-etc initContainers: {{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 9 }} containers: @@ -105,3 +96,14 @@ spec: mountPath: /etc/rabbitmq/rabbitmq.config subPath: rabbitmq.config readOnly: true + volumes: + - name: rabbitmq-emptydir + emptyDir: {} + - name: rabbitmq-bin + configMap: + name: rabbitmq-bin + defaultMode: 0555 + - name: rabbitmq-etc + configMap: + name: rabbitmq-etc + defaultMode: 0444 diff --git a/senlin/templates/deployment-api.yaml b/senlin/templates/deployment-api.yaml index dfac5c5930..e778534992 100644 
--- a/senlin/templates/deployment-api.yaml +++ b/senlin/templates/deployment-api.yaml @@ -92,4 +92,5 @@ spec: - name: senlin-etc configMap: name: senlin-etc + defaultMode: 0444 {{- if $mounts_senlin_api.volumes }}{{ toYaml $mounts_senlin_api.volumes | indent 8 }}{{ end }} diff --git a/senlin/templates/job-db-init.yaml b/senlin/templates/job-db-init.yaml index c35d5c5a78..5f9c882d2e 100644 --- a/senlin/templates/job-db-init.yaml +++ b/senlin/templates/job-db-init.yaml @@ -63,6 +63,7 @@ spec: - name: senlin-etc configMap: name: senlin-etc + defaultMode: 0444 - name: senlin-bin configMap: name: senlin-bin diff --git a/senlin/templates/job-db-sync.yaml b/senlin/templates/job-db-sync.yaml index c6b6d961c8..49b2b7f647 100644 --- a/senlin/templates/job-db-sync.yaml +++ b/senlin/templates/job-db-sync.yaml @@ -51,6 +51,7 @@ spec: - name: senlin-etc configMap: name: senlin-etc + defaultMode: 0444 - name: senlin-bin configMap: name: senlin-bin diff --git a/senlin/templates/statefulset-engine.yaml b/senlin/templates/statefulset-engine.yaml index 144cce0cca..f1d5def7c0 100644 --- a/senlin/templates/statefulset-engine.yaml +++ b/senlin/templates/statefulset-engine.yaml @@ -72,4 +72,5 @@ spec: - name: senlin-etc configMap: name: senlin-etc + defaultMode: 0444 {{- if $mounts_senlin_engine.volumes }}{{ toYaml $mounts_senlin_engine.volumes | indent 8 }}{{ end }}