From a1fc694ae9c883ac02cb9bf53a81118288b4e058 Mon Sep 17 00:00:00 2001
From: Gage Hugo
Date: Thu, 30 Jan 2020 08:37:47 -0600
Subject: [PATCH] Move apparmor to use feature gates
This change refactors the apparmor job to utilize the feature gates system instead of relying on separate scripts. Also disabled barbican running in the apparmor job temporarily until the correct profile gets used and it can deploy succesfully.
Change-Id: Iadacd214de3fdb06e4acde4433c5fa86973371d5
---
barbican/values_overrides/apparmor.yaml | 6 +
keystone/values_overrides/apparmor.yaml | 5 +
neutron/values_overrides/apparmor.yaml | 15 +++
nova/templates/daemonset-compute.yaml | 2 +-
.../templates/statefulset-compute-ironic.yaml | 2 +-
nova/values_overrides/apparmor.yaml | 5 +
tools/deployment/apparmor/barbican.sh | 43 -------
tools/deployment/apparmor/compute-kit.sh | 106 ------------------
zuul.d/jobs-openstack-helm.yaml | 6 +-
9 files changed, 37 insertions(+), 153 deletions(-)
create mode 100644 barbican/values_overrides/apparmor.yaml
create mode 100644 keystone/values_overrides/apparmor.yaml
create mode 100644 neutron/values_overrides/apparmor.yaml
create mode 100644 nova/values_overrides/apparmor.yaml
delete mode 100755 tools/deployment/apparmor/barbican.sh
delete mode 100755 tools/deployment/apparmor/compute-kit.sh
diff --git a/barbican/values_overrides/apparmor.yaml b/barbican/values_overrides/apparmor.yaml
new file mode 100644
index 0000000000..639db5dac4
--- /dev/null
+++ b/barbican/values_overrides/apparmor.yaml
@@ -0,0 +1,6 @@
+# NOTE: Enable this with the correct policy
+#pod:
+# mandatory_access_control:
+# type: apparmor
+# barbican-api:
+# barbican-api: localhost/docker-default
diff --git a/keystone/values_overrides/apparmor.yaml b/keystone/values_overrides/apparmor.yaml
new file mode 100644
index 0000000000..234a533916
--- /dev/null
+++ b/keystone/values_overrides/apparmor.yaml
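Review bot: The whole barbican override is commented out, so selecting it through `feature_gates: apparmor` presumably renders the chart with no `mandatory_access_control` block at all, and nothing in the file states that barbican-api is therefore deployed without an explicit AppArmor annotation. The placeholder also names `localhost/docker-default`, which only resolves if a profile called `docker-default` is loaded on every node, while the keystone, neutron and nova overrides in this same commit use the portable `runtime/default`. Suggest replacing the first line with `# NOTE: barbican is currently NOT covered by the apparmor feature gate; this file is a placeholder and the chart deploys with no AppArmor annotation until a working profile is filled in` and aligning the placeholder value with `runtime/default` unless a chart-specific profile is intended.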
@@ -0,0 +1,5 @@
+pod:
+ mandatory_access_control:
+ type: apparmor
+ keystone-api-default:
+ keystone-api-default: runtime/default
diff --git a/neutron/values_overrides/apparmor.yaml b/neutron/values_overrides/apparmor.yaml
new file mode 100644
index 0000000000..a602d95c2a
--- /dev/null
+++ b/neutron/values_overrides/apparmor.yaml
@@ -0,0 +1,15 @@
+pod:
+ mandatory_access_control:
+ type: apparmor
+ neutron-dhcp-agent-default:
+ neutron-dhcp-agent-default: runtime/default
+ neutron-l3-agent-default:
+ neutron-l3-agent-default: runtime/default
+ neutron-lb-agent-default:
+ neutron-lb-agent-default: runtime/default
+ neutron-metadata-agent-default:
+ neutron-metadata-agent-default: runtime/default
+ neutron-ovs-agent-default:
+ neutron-ovs-agent-default: runtime/default
+ neutron-sriov-agent-default:
+ neutron-sriov-agent-default: runtime/default
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
index 8e9bc29528..43e53d72d7 100644
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@@ -45,7 +45,7 @@ spec:
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute-default") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 {{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
diff --git a/nova/templates/statefulset-compute-ironic.yaml b/nova/templates/statefulset-compute-ironic.yaml
index 44c2b5e677..fa04d10ddb 100644
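Review bot: Every inner key in the neutron override repeats the pod name (`neutron-dhcp-agent-default: runtime/default` and its five siblings), but the nova hunk in this same commit had to change its inner key from `nova-compute-default` to `nova-compute` because the annotation snippet is keyed by container name (`containerNames`), not by pod name. Worth confirming against the neutron templates that each agent container really is named `<pod>-default`; if one is not, the generated AppArmor annotation points at a container that does not exist, and as far as I recall the API server then rejects the pod with "container not found" rather than applying no profile. A two-line header comment would save the next person the same detour: `# pod.mandatory_access_control.<podName>.<containerName>: <profile>` / `# the outer key is the podName passed to the annotation snippet, the inner key the container name`. The keystone entry `keystone-api-default: keystone-api-default: runtime/default` raises the same question.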
--- a/nova/templates/statefulset-compute-ironic.yaml
+++ b/nova/templates/statefulset-compute-ironic.yaml
@@ -45,7 +45,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute-default") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 {{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
diff --git a/nova/values_overrides/apparmor.yaml b/nova/values_overrides/apparmor.yaml
new file mode 100644
index 0000000000..1cae26ad8a
--- /dev/null
+++ b/nova/values_overrides/apparmor.yaml
@@ -0,0 +1,5 @@
+pod:
+ mandatory_access_control:
+ type: apparmor
+ nova-compute-default:
+ nova-compute: runtime/default
diff --git a/tools/deployment/apparmor/barbican.sh b/tools/deployment/apparmor/barbican.sh
deleted file mode 100755
index bac93281e0..0000000000
--- a/tools/deployment/apparmor/barbican.sh
+++ /dev/null
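Review bot: The ironic statefulset now passes the same `podName "nova-compute-default"` and `(list "nova-compute")` as daemonset-compute.yaml, so a single values key drives the profile for both the libvirt-based and the ironic compute pod. That is fine only if the ironic pod's container is also named `nova-compute` (the container spec is outside this hunk, so worth confirming), and it means the two pods cannot be given different profiles later without editing the template. A comment on the line would record the coupling: `{{/* podName is shared with daemonset-compute.yaml: one apparmor override covers both compute variants */}}`.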
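Review bot: `nova-compute: runtime/default` delegates to whatever profile the container runtime treats as its default, so this job now checks that the annotation is plumbed through to the pod, not that a nova-specific policy confines the compute container; the deleted compute-kit.sh pinned `localhost/docker-default`, which under Docker is the same profile addressed by node-local name, so this is a portability change rather than a tightening. A short header comment would make that explicit for whoever later swaps in a real profile: `# runtime/default = the container runtime's default AppArmor profile; replace with localhost/<loaded-profile> to enforce a nova-specific policy`. The outer key must match the `podName` passed to the annotation snippet in daemonset-compute.yaml and statefulset-compute-ironic.yaml, and the inner key the container name; stating that in the file would explain why the two keys differ here.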
@@ -1,43 +0,0 @@
-#!/bin/bash
-
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-set -xe
-
-#NOTE: Lint and package chart
-make barbican
-
-#NOTE: Deploy barbican
-tee /tmp/barbican.yaml << EOF
-pod:
- mandatory_access_control:
- type: apparmor
- barbican-api:
- barbican-api: localhost/docker-default
-EOF
-
-#NOTE: Deploy command
- helm upgrade --install barbican ./barbican \ --namespace=openstack \ --values=/tmp/barbican.yaml
- ${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS_BARBICAN}
-
-#NOTE: Wait for deploy
-./tools/deployment/common/wait-for-pods.sh openstack
-
-#NOTE: Validate Deployment info
-helm status barbican
-
-helm test barbican
\ No newline at end of file
diff --git a/tools/deployment/apparmor/compute-kit.sh b/tools/deployment/apparmor/compute-kit.sh
deleted file mode 100755
index eaadcfbe57..0000000000
--- a/tools/deployment/apparmor/compute-kit.sh
+++ /dev/null
@@ -1,106 +0,0 @@
-#!/bin/bash
-
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-set -xe
-
-#NOTE: Lint and package chart
-make nova
-make neutron
-
-#NOTE: Deploy nova
-: ${OSH_EXTRA_HELM_ARGS:=""}
-tee /tmp/nova.yaml << EOF
-conf:
- ceph:
- enabled: false
-pod:
- mandatory_access_control:
- type: apparmor
- nova-compute-default:
- nova-compute-default: localhost/docker-default
-EOF
-if [ "x$(systemd-detect-virt)" == "xnone" ]; then
- echo 'OSH is not being deployed in virtualized environment'
- helm upgrade --install nova ./nova \ --namespace=openstack \ --values=/tmp/nova.yaml \ ${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS_NOVA}
-else
- echo 'OSH is being deployed in virtualized environment, using qemu for nova'
- helm upgrade --install nova ./nova \ --namespace=openstack \ --set conf.nova.libvirt.virt_type=qemu \ --set conf.nova.libvirt.cpu_mode=none \ --values=/tmp/nova.yaml
- ${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS_NOVA}
-fi
-
-#NOTE: Deploy neutron
-tee /tmp/neutron.yaml << EOF
-pod:
- mandatory_access_control:
- type: apparmor
- neutron-dhcp-agent-default:
- neutron-dhcp-agent-default: localhost/docker-default
- neutron-l3-agent-default:
- neutron-l3-agent-default: localhost/docker-default
- neutron-lb-agent-default:
- neutron-lb-agent-default: localhost/docker-default
- neutron-metadata-agent-default:
- neutron-metadata-agent-default: localhost/docker-default
- neutron-ovs-agent-default:
- neutron-ovs-agent-default: localhost/docker-default
- neutron-sriov-agent-default:
- neutron-sriov-agent-default: localhost/docker-default
-network:
- interface:
- tunnel: docker0
-conf:
- neutron:
- DEFAULT:
- l3_ha: False
- max_l3_agents_per_router: 1
- l3_ha_network_type: vxlan
- dhcp_agents_per_network: 1
- plugins:
- ml2_conf:
- ml2_type_flat:
- flat_networks: public
- openvswitch_agent:
- agent:
- tunnel_types: vxlan
- ovs:
- bridge_mappings: public:br-ex
- linuxbridge_agent:
- linux_bridge:
- bridge_mappings: public:br-ex
-EOF
-helm upgrade --install neutron ./neutron \ --namespace=openstack \ --values=/tmp/neutron.yaml \ ${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS_NEUTRON}
-
-#NOTE: Wait for deploy
-./tools/deployment/common/wait-for-pods.sh openstack
-
-#NOTE: Validate Deployment info
-export OS_CLOUD=openstack_helm
-openstack service list
-sleep 30 #NOTE(portdirect): Wait for ingress controller to update rules and restart Nginx
-openstack compute service list
-openstack network agent list
diff --git a/zuul.d/jobs-openstack-helm.yaml b/zuul.d/jobs-openstack-helm.yaml
index 1c433fb74b..db419eb1ab 100644
--- a/zuul.d/jobs-openstack-helm.yaml
+++ b/zuul.d/jobs-openstack-helm.yaml
@@ -245,6 +245,7 @@
 openstack_release: stein
 container_distro_name: ubuntu
 container_distro_version: bionic
+ feature_gates: apparmor
 gate_scripts:
 - ./tools/deployment/common/install-packages.sh
 - ./tools/deployment/common/deploy-k8s.sh
@@ -259,8 +260,9 @@
 - ./tools/deployment/component/glance/glance.sh
 - ./tools/deployment/component/compute-kit/openvswitch.sh
 - ./tools/deployment/component/compute-kit/libvirt.sh
- - ./tools/deployment/apparmor/compute-kit.sh
- - ./tools/deployment/apparmor/barbican.sh
+ - ./tools/deployment/developer/nfs/160-compute-kit.sh
+ # NOTE: Re-enable barbican once the profile gets sorted out
+ #- ./tools/deployment/component/barbican/barbican.sh
 - ./tools/deployment/developer/common/170-setup-gateway.sh
 - ./tools/deployment/developer/common/900-use-it.sh
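Review bot: The swap to `./tools/deployment/developer/nfs/160-compute-kit.sh` is taken on faith here: the deleted apparmor/compute-kit.sh also handled the virtualized-host case (`systemd-detect-virt` selecting `virt_type=qemu` and `cpu_mode=none`) and ended with `openstack compute service list` and `openstack network agent list`, which is what actually showed the agents registering while running under the profile. If the developer script does not do the equivalent, the job may pass once pods reach Running even when an agent is blocked by the policy, so it is worth checking that script (outside this diff) before relying on this gate. Also, only barbican, keystone, neutron and nova gained an apparmor override in this commit, so the other charts in this list (glance, openvswitch, libvirt, …) presumably deploy with no profile under the same `feature_gates: apparmor` flag; a comment on the job such as `# NOTE: the apparmor gate currently only covers keystone, neutron and nova; barbican is disabled below` would keep the gate from being read as full coverage.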