diff --git a/Dockerfiles/ncct-utility/Dockerfile.alpine b/Dockerfiles/ncct-utility/Dockerfile.alpine new file mode 100644 index 00000000..9495d2e6 --- /dev/null +++ b/Dockerfiles/ncct-utility/Dockerfile.alpine @@ -0,0 +1,33 @@ +ARG DOCKER_REGISTRY=quay.io +ARG NCCT_IMAGE_PREFIX=nc/aqua-images-patchset/network-policy +ARG NCCT_SHA256=cc192f2221fa8e7cd562223ef40e27ae92ab6f5a127b11e6a2ddb456f18aac97 + +ARG NCCT_IMAGE="${DOCKER_REGISTRY}/${NCCT_IMAGE_PREFIX}@sha256:${NCCT_SHA256}" +FROM ${NCCT_IMAGE} + +LABEL org.opencontainers.image.authors='Openstack-Helm Authors' \ + org.opencontainers.image.url='https://opendev.org/airship/porthole/src/branch/master/Dockerfiles/ncct-utility' \ + org.opencontainers.image.documentation='https://opendev.org/airship/porthole/src/branch/master/Dockerfiles/ncct-utility/README' \ + org.opencontainers.image.source='https://opendev.org/airship/porthole/src/branch/master/Dockerfiles/ncct-utility' \ + org.opencontainers.image.vendor='Openstack-Helm Authors' \ + org.opencontainers.image.licenses='BSD-3-Clause' + +RUN set -xe \ + && export DEBIAN_FRONTEND=noninteractive \ + && apk add dpkg --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main \ + && apk add --update dpkg \ + && touch /var/lib/dpkg/status \ + && apk update \ + && apk add --update \ + python python-dev py-pip build-base \ + sudo vim screen \ + wget curl socat \ + && pip install oslo.rootwrap + +RUN mv /app /usr/local/bin/ncct \ + && chmod 0750 /usr/local/bin/ncct \ + && chmod 0750 /bin/ncct_agent \ + && chmod 0750 /usr/bin/socat + +WORKDIR /tmp +ENTRYPOINT ["/bin/sh", "-c"] diff --git a/Dockerfiles/ncct-utility/Makefile b/Dockerfiles/ncct-utility/Makefile new file mode 100644 index 00000000..d153767f --- /dev/null +++ b/Dockerfiles/ncct-utility/Makefile @@ -0,0 +1,36 @@ +# Copyright 2019 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +SHELL := /bin/bash + +DOCKER_REGISTRY ?= quay.io +IMAGE_NAME ?= ncct-utility +IMAGE_PREFIX ?= airship/porthole +IMAGE_TAG ?= latest +OS_RELEASE ?= alpine + +IMAGE := $(DOCKER_REGISTRY)/$(IMAGE_PREFIX)/$(IMAGE_NAME):$(IMAGE_TAG) + +# Build ncct-utility Docker image for this project +.PHONY: images +images: build_$(IMAGE_NAME) + +# Make targets intended for use by the primary targets above. +.PHONY: build_$(IMAGE_NAME) +build_$(IMAGE_NAME): + docker build -f Dockerfile.$(OS_RELEASE) \ + --network host \ + $(EXTRA_BUILD_ARGS) \ + -t $(IMAGE) \ + . diff --git a/ncct-utility/Chart.yaml b/ncct-utility/Chart.yaml new file mode 100644 index 00000000..5e33bde7 --- /dev/null +++ b/ncct-utility/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright 2019 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: OpenStack-Helm NC Cluster Testing +name: ncct-utility +version: 0.1.0 diff --git a/ncct-utility/requirements.yaml b/ncct-utility/requirements.yaml new file mode 100644 index 00000000..e69c985d --- /dev/null +++ b/ncct-utility/requirements.yaml @@ -0,0 +1,18 @@ +# Copyright 2019 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: helm-toolkit + repository: http://localhost:8879/charts + version: 0.1.0 diff --git a/ncct-utility/templates/bin/_bootstrap.sh.tpl b/ncct-utility/templates/bin/_bootstrap.sh.tpl new file mode 100644 index 00000000..68635254 --- /dev/null +++ b/ncct-utility/templates/bin/_bootstrap.sh.tpl @@ -0,0 +1,19 @@ +#!/bin/sh +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +sudo /usr/local/bin/override-oslo-rootwrap-logging.sh +exec sudo socat -d -s -t0 -T0 -u UNIX-RECV:/dev/log,reuseaddr stdout diff --git a/ncct-utility/templates/bin/_ncct-utility-rootwrap.tpl b/ncct-utility/templates/bin/_ncct-utility-rootwrap.tpl new file mode 100644 index 00000000..028cc15f --- /dev/null +++ b/ncct-utility/templates/bin/_ncct-utility-rootwrap.tpl @@ -0,0 +1,52 @@ +#!/usr/bin/python +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +import logging +import os +import sys + +from oslo_rootwrap.cmd import main + +exec_name = sys.argv[0] +host_name = os.environ.get("HOSTNAME") +log_level = {{ .Values.conf.ncct_rootwrap.DEFAULT.syslog_log_level | quote }} +facility = {{ .Values.conf.ncct_rootwrap.DEFAULT.syslog_log_facility | quote }} + +if "AUSER" in os.environ: + user_id = os.environ.get("AUSER") +elif {{ .Values.conf.utility.always_log_user | quote }} == 'true': + user_id = 'development site' +else: + print("No username set in AUSER environment variable, for security reasons access restricted from connecting to container.") + exit() + +try: + handler = logging.handlers.SysLogHandler(address='/dev/log',facility=facility) +except IOError: + print("Unable to setup logging, for security reasons access restricted from connecting to container.") + exit() + +formatter = logging.Formatter('%(asctime)s ' + host_name + ' ' + + os.path.basename(exec_name) + ': ' + 'ActualUser=' + user_id + ': %(message)s\n') +handler.setFormatter(formatter) +root = logging.getLogger() +root.setLevel(log_level) +root.addHandler(handler) + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/ncct-utility/templates/bin/_override-oslo-rootwrap-logging.sh.tpl b/ncct-utility/templates/bin/_override-oslo-rootwrap-logging.sh.tpl new file mode 100644 index 00000000..e76cb321 --- /dev/null +++ b/ncct-utility/templates/bin/_override-oslo-rootwrap-logging.sh.tpl @@ -0,0 +1,26 @@ +#!/bin/sh +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{/* +These lines will disable extra handler, extra formatter, extra level to the +root logger by oslo-rootwrap module, imported in _openstack-utility-rootwrap.tpl. +These lines will get rid of duplicate logs, generated because of the formatter +attached by oslo-rootwrap. +*/}} +sed -i "/rootwrap_logger.setLevel/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py +sed -i "/handler.setFormatter/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py +sed -i "/os.path.basename/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py +sed -i "/rootwrap_logger.addHandler/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py diff --git a/ncct-utility/templates/bin/_utilscli-sudo.tpl b/ncct-utility/templates/bin/_utilscli-sudo.tpl new file mode 100644 index 00000000..6a62da2f --- /dev/null +++ b/ncct-utility/templates/bin/_utilscli-sudo.tpl @@ -0,0 +1,20 @@ +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +nobody ALL=SETENV: NOPASSWD: /usr/bin/socat -d -s -t0 -T0 -u \ + UNIX-RECV\:/dev/log\,reuseaddr stdout, \ + /usr/local/bin/override-oslo-rootwrap-logging.sh, \ + /usr/local/bin/ncct-utility-rootwrap /etc/ncct/rootwrap.conf * diff --git a/ncct-utility/templates/bin/_utilscli.tpl b/ncct-utility/templates/bin/_utilscli.tpl new file mode 100644 index 00000000..5ec49c0d --- /dev/null +++ b/ncct-utility/templates/bin/_utilscli.tpl @@ -0,0 +1,18 @@ +#!/bin/sh +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +sudo -E /usr/local/bin/ncct-utility-rootwrap /etc/ncct/rootwrap.conf $* diff --git a/ncct-utility/templates/configmap-bin.yaml b/ncct-utility/templates/configmap-bin.yaml new file mode 100644 index 00000000..91fcce53 --- /dev/null +++ b/ncct-utility/templates/configmap-bin.yaml @@ -0,0 +1,43 @@ +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_bin }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-%s" $envAll.Release.Name "bin" }} +data: + image-repo-sync.sh: | +{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }} + ncct-utility-rootwrap: | +{{ tuple "bin/_ncct-utility-rootwrap.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + override-oslo-rootwrap-logging.sh: | +{{ tuple "bin/_override-oslo-rootwrap-logging.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }} +data: + bootstrap.sh: | +{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + utilscli: | +{{ tuple "bin/_utilscli.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + +{{- end }} diff --git a/ncct-utility/templates/configmap-etc.yaml b/ncct-utility/templates/configmap-etc.yaml new file mode 100644 index 00000000..399879b5 --- /dev/null +++ b/ncct-utility/templates/configmap-etc.yaml @@ -0,0 +1,41 @@ +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_ncct_etc }} +{{- $envAll := . }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ printf "%s-%s" $envAll.Release.Name "etc" }} +data: + rootwrap.conf: | +{{ include "helm-toolkit.utils.to_ini" .Values.conf.ncct_rootwrap | indent 4 }} + + ncct.filter: | +{{ include "helm-toolkit.utils.to_ini" .Values.conf.ncct_filter | indent 4 }} + + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }} +data: + utilscli-sudo: | +{{ tuple "bin/_utilscli-sudo.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + +{{- end }} diff --git a/ncct-utility/templates/deployment-ncct-utility.yaml b/ncct-utility/templates/deployment-ncct-utility.yaml new file mode 100644 index 00000000..969d1208 --- /dev/null +++ b/ncct-utility/templates/deployment-ncct-utility.yaml @@ -0,0 +1,129 @@ +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.deployment_ncct_utility }} +{{- $envAll := . }} + +{{- $serviceAccountName := printf "%s" $envAll.Release.Name }} +{{ tuple $envAll "utility" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ $serviceAccountName }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ $serviceAccountName }} +subjects: +- kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: ["networking.k8s.io"] + resources: ["networkpolicies"] + verbs: ["list"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["create"] +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ printf "%s" $envAll.Release.Name }} + labels: +{{ tuple $envAll "utility" "ncct-util" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + replicas: {{ .Values.pod.replicas.utility }} + selector: + matchLabels: +{{ tuple $envAll "utility" "ncct-util" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} + template: + metadata: + name: {{ printf "%s" $envAll.Release.Name }} + labels: +{{ tuple $envAll "utility" "ncct-util" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} + spec: + securityContext: + runAsUser: {{ $envAll.Values.pod.sec_context.run_as_user }} + allowPrivilegeEscalation: false + serviceAccountName: {{ $serviceAccountName }} + nodeSelector: + {{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value }} + containers: + - name: {{ printf "%s" $envAll.Release.Name }} +{{ tuple $envAll "ncct_utility" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.ncct_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + command: + - "bootstrap.sh" + volumeMounts: + - name: ncct-utility-bin-utilscli + mountPath: /usr/local/bin/bootstrap.sh + subPath: bootstrap.sh + readOnly: true + - name: ncct-utility-bin-utilscli + mountPath: /usr/local/bin/utilscli + subPath: utilscli + readOnly: true + - name: ncct-utility-bin + mountPath: /usr/local/bin/ncct-utility-rootwrap + subPath: ncct-utility-rootwrap + readOnly: true + - name: ncct-utility-bin + mountPath: /usr/local/bin/override-oslo-rootwrap-logging.sh + subPath: override-oslo-rootwrap-logging.sh + readOnly: true + - name: ncct-utility-sudoers + mountPath: /etc/sudoers.d/nobody + subPath: utilscli-sudo + readOnly: true + - name: ncct-utility-etc + mountPath: /etc/ncct/rootwrap.d/ncct.filter + subPath: ncct.filter + readOnly: true + - name: ncct-utility-etc + mountPath: /etc/ncct/rootwrap.conf + subPath: rootwrap.conf + readOnly: true + volumes: + - name: ncct-utility-sudoers + configMap: + name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }} + defaultMode: 0644 + - name: ncct-utility-bin + configMap: + name: {{ printf "%s-%s" $envAll.Release.Name "bin" }} + defaultMode: 0500 + - name: ncct-utility-bin-utilscli + configMap: + name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }} + defaultMode: 0555 + - name: ncct-utility-etc + configMap: + name: {{ printf "%s-%s" $envAll.Release.Name "etc" }} + defaultMode: 0400 +{{- end }} diff --git a/ncct-utility/templates/job-image-repo-sync.yaml b/ncct-utility/templates/job-image-repo-sync.yaml new file mode 100644 index 00000000..537e3cf1 --- /dev/null +++ b/ncct-utility/templates/job-image-repo-sync.yaml @@ -0,0 +1,21 @@ +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }} + +{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "ncct-utility" -}} +{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }} +{{- end }} diff --git a/ncct-utility/values.yaml b/ncct-utility/values.yaml new file mode 100644 index 00000000..c12389f9 --- /dev/null +++ b/ncct-utility/values.yaml @@ -0,0 +1,133 @@ +# Copyright 2019 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for ncct-utility. +# This is a YAML-formatted file. +# Declare name/value pairs to be passed into your templates. +# name: value + +images: + tags: + ncct_utility: 'docker.io/alexandervl/ncct-utility:v1' + image_repo_sync: docker.io/docker:17.07.0 + pull_policy: IfNotPresent + local_registry: + active: false + exclude: + - dep_check + - image_repo_sync + - ncct_utility + +pod: + resources: + enabled: true + jobs: + image_repo_sync: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + utility: + requests: + memory: "100Mi" + cpu: "250m" + limits: + memory: "250Mi" + cpu: "500m" + dns_policy: "ClusterFirstWithHostNet" + replicas: + utility: 1 + sec_context: + run_as_user: 65534 + +release_group: null + +labels: + utility: + node_selector_key: util-ncct + node_selector_value: enabled + job: + node_selector_key: openstack-helm-node-class + node_selector_value: primary + +dependencies: + dynamic: + common: + local_image_registry: + jobs: + - ncct-utility-image-repo-sync + services: + - endpoint: node + service: local_image_registry + static: + image_repo_sync: + services: + - endpoint: internal + service: local_image_registry + +endpoints: + cluster_domain_suffix: cluster.local + local_image_registry: + name: docker-registry + namespace: docker-registry + hosts: + default: localhost + internal: docker-registry + node: localhost + host_fqdn_override: + default: null + port: + registry: + node: 5000 + +conf: + ncct_filter: + Filters: + ncct_00: CommandFilter, ncct, root + + ncct_rootwrap: + DEFAULT: + # Configuration for ncct-rootwrap + # This file should be owned by (and only-writeable by) the root user + # List of directories to load filter definitions from (separated by ','). + # These directories MUST all be only writeable by root ! + filters_path: /etc/ncct/rootwrap.d + # List of directories to search executables in, in case filters do not + # explicitely specify a full path (separated by ',') + # If not specified, defaults to system PATH environment variable. + # These directories MUST all be only writeable by root ! + exec_dirs: /sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/tmp + # Enable logging to syslog + # Default value is False + use_syslog: true + # Which syslog facility to use. + # Valid values include auth, authpriv, syslog, local0, local1... + # Default value is 'syslog' + syslog_log_facility: syslog + # Which messages to log. + # INFO means log all usage + # ERROR means only log unsuccessful attempts + syslog_log_level: DEBUG + utility: + # Set to true for development sites, + # Set to false otherwise + always_log_user: true + +manifests: + configmap_bin: true + configmap_ncct_etc: true + deployment_ncct_utility: true + job_image_repo_sync: false