Add NC Cluster Testing utility chart and Dockerfile

Change-Id: Ied237113fb3148e0cbfe31e8abbd847e47d22e09

Dockerfiles/ncct-utility/Dockerfile.alpine

@@ -0,0 +1,33 @@
+ARG DOCKER_REGISTRY=quay.io
+ARG NCCT_IMAGE_PREFIX=nc/aqua-images-patchset/network-policy
+ARG NCCT_SHA256=cc192f2221fa8e7cd562223ef40e27ae92ab6f5a127b11e6a2ddb456f18aac97
+
+ARG NCCT_IMAGE="${DOCKER_REGISTRY}/${NCCT_IMAGE_PREFIX}@sha256:${NCCT_SHA256}"
+FROM ${NCCT_IMAGE}
+
+LABEL org.opencontainers.image.authors='Openstack-Helm Authors' \
+    org.opencontainers.image.url='https://opendev.org/airship/porthole/src/branch/master/Dockerfiles/ncct-utility' \
+    org.opencontainers.image.documentation='https://opendev.org/airship/porthole/src/branch/master/Dockerfiles/ncct-utility/README' \
+    org.opencontainers.image.source='https://opendev.org/airship/porthole/src/branch/master/Dockerfiles/ncct-utility' \
+    org.opencontainers.image.vendor='Openstack-Helm Authors' \
+    org.opencontainers.image.licenses='BSD-3-Clause'
+
+RUN set -xe \
+    && export DEBIAN_FRONTEND=noninteractive \
+    && apk add dpkg --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main \
+    && apk add --update dpkg \
+    && touch /var/lib/dpkg/status \
+    && apk update \
+    && apk add --update \
+       python python-dev py-pip build-base \
+       sudo vim screen \
+       wget curl socat \
+    && pip install oslo.rootwrap
+
+RUN mv /app /usr/local/bin/ncct \
+    && chmod 0750 /usr/local/bin/ncct \
+    && chmod 0750 /bin/ncct_agent \
+    && chmod 0750 /usr/bin/socat
+
+WORKDIR /tmp
+ENTRYPOINT ["/bin/sh", "-c"]

Dockerfiles/ncct-utility/Makefile

@@ -0,0 +1,36 @@
+# Copyright 2019 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+SHELL := /bin/bash
+
+DOCKER_REGISTRY ?= quay.io
+IMAGE_NAME      ?= ncct-utility
+IMAGE_PREFIX    ?= airship/porthole
+IMAGE_TAG       ?= latest
+OS_RELEASE      ?= alpine
+
+IMAGE := $(DOCKER_REGISTRY)/$(IMAGE_PREFIX)/$(IMAGE_NAME):$(IMAGE_TAG)
+
+# Build ncct-utility Docker image for this project
+.PHONY: images
+images: build_$(IMAGE_NAME)
+
+# Make targets intended for use by the primary targets above.
+.PHONY: build_$(IMAGE_NAME)
+build_$(IMAGE_NAME):
+	docker build -f Dockerfile.$(OS_RELEASE) \
+		--network host \
+		$(EXTRA_BUILD_ARGS) \
+		-t $(IMAGE) \
+		.

ncct-utility/Chart.yaml

@@ -0,0 +1,18 @@
+# Copyright 2019 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: OpenStack-Helm NC Cluster Testing
+name: ncct-utility
+version: 0.1.0

ncct-utility/requirements.yaml

@@ -0,0 +1,18 @@
+# Copyright 2019 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: http://localhost:8879/charts
+    version: 0.1.0

ncct-utility/templates/bin/_bootstrap.sh.tpl

@@ -0,0 +1,19 @@
+#!/bin/sh
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+sudo /usr/local/bin/override-oslo-rootwrap-logging.sh
+exec sudo socat -d -s -t0 -T0 -u UNIX-RECV:/dev/log,reuseaddr stdout

ncct-utility/templates/bin/_ncct-utility-rootwrap.tpl

@@ -0,0 +1,52 @@
+#!/usr/bin/python
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+import logging
+import os
+import sys
+
+from oslo_rootwrap.cmd import main
+
+exec_name = sys.argv[0]
+host_name = os.environ.get("HOSTNAME")
+log_level = {{ .Values.conf.ncct_rootwrap.DEFAULT.syslog_log_level | quote }}
+facility = {{ .Values.conf.ncct_rootwrap.DEFAULT.syslog_log_facility | quote }}
+
+if "AUSER" in os.environ:
+    user_id = os.environ.get("AUSER")
+elif {{ .Values.conf.utility.always_log_user | quote }} == 'true':
+    user_id = 'development site'
+else:
+    print("No username set in AUSER environment variable, for security reasons access restricted from connecting to container.")
+    exit()
+
+try:
+    handler = logging.handlers.SysLogHandler(address='/dev/log',facility=facility)
+except IOError:
+    print("Unable to setup logging, for security reasons access restricted from connecting to container.")
+    exit()
+
+formatter = logging.Formatter('%(asctime)s ' + host_name + ' ' +
+    os.path.basename(exec_name) + ': ' + 'ActualUser=' + user_id + ': %(message)s\n')
+handler.setFormatter(formatter)
+root = logging.getLogger()
+root.setLevel(log_level)
+root.addHandler(handler)
+
+
+if __name__ == "__main__":
+    sys.exit(main())

ncct-utility/templates/bin/_override-oslo-rootwrap-logging.sh.tpl

@@ -0,0 +1,26 @@
+#!/bin/sh
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+These lines will disable extra handler, extra formatter, extra level to the
+root logger by oslo-rootwrap module, imported in _openstack-utility-rootwrap.tpl.
+These lines will get rid of duplicate logs, generated because of the formatter
+attached by oslo-rootwrap.
+*/}}
+sed -i "/rootwrap_logger.setLevel/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
+sed -i "/handler.setFormatter/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
+sed -i "/os.path.basename/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
+sed -i "/rootwrap_logger.addHandler/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py

ncct-utility/templates/bin/_utilscli-sudo.tpl

@@ -0,0 +1,20 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+nobody ALL=SETENV: NOPASSWD: /usr/bin/socat -d -s -t0 -T0 -u \
+  UNIX-RECV\:/dev/log\,reuseaddr stdout, \
+  /usr/local/bin/override-oslo-rootwrap-logging.sh, \
+  /usr/local/bin/ncct-utility-rootwrap /etc/ncct/rootwrap.conf *

ncct-utility/templates/bin/_utilscli.tpl

@@ -0,0 +1,18 @@
+#!/bin/sh
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+sudo -E /usr/local/bin/ncct-utility-rootwrap /etc/ncct/rootwrap.conf $*

ncct-utility/templates/configmap-bin.yaml

@@ -0,0 +1,43 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
+data:
+  image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+  ncct-utility-rootwrap: |
+{{ tuple "bin/_ncct-utility-rootwrap.tpl" . | include  "helm-toolkit.utils.template" | indent 4 }}
+  override-oslo-rootwrap-logging.sh: |
+{{ tuple "bin/_override-oslo-rootwrap-logging.sh.tpl" . | include  "helm-toolkit.utils.template" | indent 4 }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }}
+data:
+  bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include  "helm-toolkit.utils.template" | indent 4 }}
+  utilscli: |
+{{ tuple "bin/_utilscli.tpl" . | include  "helm-toolkit.utils.template" | indent 4 }}
+
+{{- end }}

ncct-utility/templates/configmap-etc.yaml

@@ -0,0 +1,41 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_ncct_etc }}
+{{- $envAll := . }}
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
+data:
+  rootwrap.conf: |
+{{ include "helm-toolkit.utils.to_ini" .Values.conf.ncct_rootwrap | indent 4 }}
+
+  ncct.filter: |
+{{ include "helm-toolkit.utils.to_ini" .Values.conf.ncct_filter | indent 4 }}
+
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
+data:
+  utilscli-sudo: |
+{{ tuple "bin/_utilscli-sudo.tpl" . | include  "helm-toolkit.utils.template" | indent 4 }}
+
+{{- end }}

ncct-utility/templates/deployment-ncct-utility.yaml

@@ -0,0 +1,129 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_ncct_utility }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := printf "%s" $envAll.Release.Name }}
+{{ tuple $envAll "utility" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ $serviceAccountName }}
+subjects:
+- kind: ServiceAccount
+  name: {{ $serviceAccountName }}
+  namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["networkpolicies"]
+    verbs: ["list"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["create"]
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: {{ printf "%s" $envAll.Release.Name }}
+  labels:
+{{ tuple $envAll "utility" "ncct-util" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.utility }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "utility" "ncct-util" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+  template:
+    metadata:
+      name: {{ printf "%s" $envAll.Release.Name }}
+      labels:
+{{ tuple $envAll "utility" "ncct-util" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      securityContext:
+        runAsUser: {{ $envAll.Values.pod.sec_context.run_as_user }}
+        allowPrivilegeEscalation: false
+      serviceAccountName: {{ $serviceAccountName }}
+      nodeSelector:
+        {{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value }}
+      containers:
+        - name: {{ printf "%s" $envAll.Release.Name }}
+{{ tuple $envAll "ncct_utility" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.ncct_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - "bootstrap.sh"
+          volumeMounts:
+            - name: ncct-utility-bin-utilscli
+              mountPath: /usr/local/bin/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: ncct-utility-bin-utilscli
+              mountPath: /usr/local/bin/utilscli
+              subPath: utilscli
+              readOnly: true
+            - name: ncct-utility-bin
+              mountPath: /usr/local/bin/ncct-utility-rootwrap
+              subPath: ncct-utility-rootwrap
+              readOnly: true
+            - name: ncct-utility-bin
+              mountPath: /usr/local/bin/override-oslo-rootwrap-logging.sh
+              subPath: override-oslo-rootwrap-logging.sh
+              readOnly: true
+            - name: ncct-utility-sudoers
+              mountPath: /etc/sudoers.d/nobody
+              subPath: utilscli-sudo
+              readOnly: true
+            - name: ncct-utility-etc
+              mountPath: /etc/ncct/rootwrap.d/ncct.filter
+              subPath: ncct.filter
+              readOnly: true
+            - name: ncct-utility-etc
+              mountPath: /etc/ncct/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+      volumes:
+        - name: ncct-utility-sudoers
+          configMap:
+            name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
+            defaultMode: 0644
+        - name: ncct-utility-bin
+          configMap:
+            name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
+            defaultMode: 0500
+        - name: ncct-utility-bin-utilscli
+          configMap:
+            name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }}
+            defaultMode: 0555
+        - name: ncct-utility-etc
+          configMap:
+            name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
+            defaultMode: 0400
+{{- end }}

ncct-utility/templates/job-image-repo-sync.yaml

@@ -0,0 +1,21 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "ncct-utility" -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}

ncct-utility/values.yaml

@@ -0,0 +1,133 @@
+# Copyright 2019 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for ncct-utility.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+images:
+  tags:
+    ncct_utility: 'docker.io/alexandervl/ncct-utility:v1'
+    image_repo_sync: docker.io/docker:17.07.0
+  pull_policy: IfNotPresent
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+      - ncct_utility
+
+pod:
+  resources:
+    enabled: true
+    jobs:
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+    utility:
+      requests:
+        memory: "100Mi"
+        cpu: "250m"
+      limits:
+        memory: "250Mi"
+        cpu: "500m"
+  dns_policy: "ClusterFirstWithHostNet"
+  replicas:
+    utility: 1
+  sec_context:
+    run_as_user: 65534
+
+release_group: null
+
+labels:
+  utility:
+    node_selector_key: util-ncct
+    node_selector_value: enabled
+  job:
+    node_selector_key: openstack-helm-node-class
+    node_selector_value: primary
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - ncct-utility-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+  static:
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+
+conf:
+  ncct_filter:
+    Filters:
+      ncct_00: CommandFilter, ncct, root
+
+  ncct_rootwrap:
+    DEFAULT:
+      # Configuration for ncct-rootwrap
+      # This file should be owned by (and only-writeable by) the root user
+      # List of directories to load filter definitions from (separated by ',').
+      # These directories MUST all be only writeable by root !
+      filters_path: /etc/ncct/rootwrap.d
+      # List of directories to search executables in, in case filters do not
+      # explicitely specify a full path (separated by ',')
+      # If not specified, defaults to system PATH environment variable.
+      # These directories MUST all be only writeable by root !
+      exec_dirs: /sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/tmp
+      # Enable logging to syslog
+      # Default value is False
+      use_syslog: true
+      # Which syslog facility to use.
+      # Valid values include auth, authpriv, syslog, local0, local1...
+      # Default value is 'syslog'
+      syslog_log_facility: syslog
+      # Which messages to log.
+      # INFO means log all usage
+      # ERROR means only log unsuccessful attempts
+      syslog_log_level: DEBUG
+  utility:
+    # Set to true for development sites,
+    # Set to false otherwise
+    always_log_user: true
+
+manifests:
+  configmap_bin: true
+  configmap_ncct_etc: true
+  deployment_ncct_utility: true
+  job_image_repo_sync: false