From 69d9e6db4cb251335a5e8c3faccbb5b89e89b5e7 Mon Sep 17 00:00:00 2001
From: "Dodda Prateek (pd2839)" <pd2839@att.com>
Date: Wed, 7 Aug 2019 10:19:35 -0500
Subject: [PATCH] Chart/Dockerfile for Openstack Utility Container Added
 Support for rbac

Change-Id: I6644824776f7890c2475904ba3404e281e10e54e
Co-authored-by: Sreejith Punnapuzha <Sreejith.Punnapuzha@outlook.com>
---
 .../Dockerfile.ubuntu_xenial                  |  31 ++++
 Dockerfiles/openstack-utility/build.sh        |  14 ++
 Openstack_Utility_Readme                      | 109 ++++++++++++++
 install_openstack_utility.sh                  |  20 +++
 openstack-utility/Chart.yaml                  |  33 +++++
 openstack-utility/requirements.yaml           |  18 +++
 .../templates/bin/_bootstrap.sh.tpl           |  19 +++
 openstack-utility/templates/bin/_start.sh.tpl |  19 +++
 .../templates/bin/_utilscli-sudo.tpl          |  16 ++
 .../utility/_openstack-utility-rootwrap.tpl   |  22 +++
 .../templates/bin/utility/_utilscli.tpl       |  17 +++
 .../templates/configmap-bin.yaml              |  49 +++++++
 .../templates/configmap-etc-client.yaml       |  30 ++++
 .../templates/configmap-etc-sudoers.yaml      |  27 ++++
 .../templates/deployment-utility.yaml         | 135 +++++++++++++++++
 .../test-openstackutility-running.yaml        |  30 ++++
 openstack-utility/values.yaml                 | 138 ++++++++++++++++++
 zuul.d/openstack-utility.yaml                 |  35 +++++
 18 files changed, 762 insertions(+)
 create mode 100755 Dockerfiles/openstack-utility/Dockerfile.ubuntu_xenial
 create mode 100755 Dockerfiles/openstack-utility/build.sh
 create mode 100644 Openstack_Utility_Readme
 create mode 100755 install_openstack_utility.sh
 create mode 100644 openstack-utility/Chart.yaml
 create mode 100644 openstack-utility/requirements.yaml
 create mode 100644 openstack-utility/templates/bin/_bootstrap.sh.tpl
 create mode 100644 openstack-utility/templates/bin/_start.sh.tpl
 create mode 100644 openstack-utility/templates/bin/_utilscli-sudo.tpl
 create mode 100644 openstack-utility/templates/bin/utility/_openstack-utility-rootwrap.tpl
 create mode 100644 openstack-utility/templates/bin/utility/_utilscli.tpl
 create mode 100644 openstack-utility/templates/configmap-bin.yaml
 create mode 100644 openstack-utility/templates/configmap-etc-client.yaml
 create mode 100644 openstack-utility/templates/configmap-etc-sudoers.yaml
 create mode 100644 openstack-utility/templates/deployment-utility.yaml
 create mode 100644 openstack-utility/templates/test-openstackutility-running.yaml
 create mode 100644 openstack-utility/values.yaml
 create mode 100644 zuul.d/openstack-utility.yaml

diff --git a/Dockerfiles/openstack-utility/Dockerfile.ubuntu_xenial b/Dockerfiles/openstack-utility/Dockerfile.ubuntu_xenial
new file mode 100755
index 00000000..dd4e3a42
--- /dev/null
+++ b/Dockerfiles/openstack-utility/Dockerfile.ubuntu_xenial
@@ -0,0 +1,31 @@
+ARG FROM=docker.io/ubuntu:xenial
+FROM ${FROM}
+MAINTAINER Prateek Reddy Dodda <pd2839@att.com>
+
+RUN set -xe \
+	&& echo '#!/bin/sh' > /usr/sbin/policy-rc.d \
+        ## If there is no shebang at the beginning of the file, the OS will try to execute it as a “normal” binary.
+	&& echo 'exit 101' >> /usr/sbin/policy-rc.d \
+	&& chmod +x /usr/sbin/policy-rc.d \
+        ## To prevent services from being started automatically when you install packages with dpkg, apt, etc.,
+	&& sed -i '/nobody/d' /etc/passwd \
+	&& echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
+        ## To Restrict User to nobody for User login.
+	&& dpkg-divert --local --rename --add /sbin/initctl \
+	&& cp -a /usr/sbin/policy-rc.d /sbin/initctl \
+	&& sed -i 's/^exit.*/exit 0/' /sbin/initctl \
+        ## To use an updated version of some application instead of old version existing on your machine.
+	&& echo 'force-unsafe-io' > /etc/dpkg/dpkg.cfg.d/docker-apt-speedup \
+        ## Temporarily disable dpkg fsync to make building faster.
+	&& echo 'DPkg::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; };' > /etc/apt/apt.conf.d/docker-clean \
+	&& echo 'APT::Update::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; };' >> /etc/apt/apt.conf.d/docker-clean \
+	&& echo 'Dir::Cache::pkgcache ""; Dir::Cache::srcpkgcache "";' >> /etc/apt/apt.conf.d/docker-clean \
+	&& echo 'Acquire::Languages "none";' > /etc/apt/apt.conf.d/docker-no-languages \
+	&& echo 'Acquire::GzipIndexes "true"; Acquire::CompressionTypes::Order:: "gz";' > /etc/apt/apt.conf.d/docker-gzip-indexes \
+	&& echo 'Apt::AutoRemove::SuggestsImportant "false";' > /etc/apt/apt.conf.d/docker-autoremove-suggests \
+        # Docker configurations for base Image
+	&& apt-get update && apt-get install -y bash moreutils vim sudo screen rsyslog x11-apps python-oslo.rootwrap python-openstackclient python-glanceclient python-novaclient python-neutronclient python-cinderclient python-heat python3-oslo.rootwrap python3-openstackclient python3-glanceclient python3-novaclient python3-neutronclient python3-cinderclient \
+        ## Install bash utilities,rsyslog,openstack client which is required for Keystone and oslo rootwrap.
+        && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+CMD ["/bin/bash"]
diff --git a/Dockerfiles/openstack-utility/build.sh b/Dockerfiles/openstack-utility/build.sh
new file mode 100755
index 00000000..04f82342
--- /dev/null
+++ b/Dockerfiles/openstack-utility/build.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+SCRIPT=`realpath $0`
+SCRIPT_DIR=`dirname ${SCRIPT}`
+## Only build from main folder
+cd ${SCRIPT_DIR}/..
+
+IMAGE="openstack-utility"
+VERSION=${VERSION:-latest}
+DISTRO=${DISTRO:-ubuntu_xenial}
+REGISTRY_URI=${REGISTRY_URI:-"openstackhelm/"}
+EXTRA_TAG_INFO=${EXTRA_TAG_INFO:-""}
+docker build -f ${IMAGE}/Dockerfile.${DISTRO} --network=host -t ${REGISTRY_URI}${IMAGE}:${VERSION}-${DISTRO}${EXTRA_TAG_INFO} ${extra_build_args} ${IMAGE}
+
+cd -
diff --git a/Openstack_Utility_Readme b/Openstack_Utility_Readme
new file mode 100644
index 00000000..ac8ca76f
--- /dev/null
+++ b/Openstack_Utility_Readme
@@ -0,0 +1,109 @@
+Openstack Utility Container
+-----------------
+Prerequisites: Deploy OSH-AIO
+
+
+Installation
+------------
+1. Add the below to /etc/sudoers
+
+  root    ALL=(ALL) NOPASSWD: ALL
+  ubuntu  ALL=(ALL) NOPASSWD: ALL
+
+2. Install the latest versions of Git, CA Certs & Make if necessary
+
+  sudo apt-get update \
+  sudo apt-get dist-upgrade -y \
+  sudo apt-get install --no-install-recommends -y \
+        ca-certificates \
+        git \
+        make \
+        jq \
+        nmap \
+        curl \
+        uuid-runtime
+
+3.  Clone the OpenStack-Helm Repos
+
+   git clone https://git.openstack.org/openstack/openstack-helm-infra.git
+   git clone https://git.openstack.org/openstack/openstack-helm.git
+
+
+4. Proxy Configuration
+
+    In order to deploy OpenStack-Helm behind corporate proxy servers, add the following entries to openstack-helm-infra/tools/gate/devel/local-vars.yaml.
+
+   proxy:
+      http: http://username:password@host:port
+      https: https://username:password@host:port
+      noproxy: 127.0.0.1,localhost,172.17.0.1,.svc.cluster.local
+
+   Add the address of the Kubernetes API, 172.17.0.1, and .svc.cluster.local to your no_proxy and NO_PROXY environment variables.
+
+   export no_proxy=${no_proxy},172.17.0.1,.svc.cluster.local
+   export NO_PROXY=${NO_PROXY},172.17.0.1,.svc.cluster.local
+
+5. Deploy Kubernetes & Helm
+
+   cd openstack-helm
+     ./tools/deployment/developer/common/010-deploy-k8s.sh
+
+   Please remove DNS Nameservers (namespace 10.96.0.10) from /etc/resolv.conf, Since python set-up client would fail without it.
+
+   Setup Clients on the host and assemble the charts
+     ./tools/deployment/developer/common/020-setup-client.sh
+
+   Re-add DNS nameservers back in (/etc/resolv.conf) so that keystone URL's DNS would resolve.
+
+   Deploy the ingress controller
+     ./tools/deployment/developer/common/030-ingress.sh
+
+6. Deploy Ceph
+
+     ./tools/deployment/developer/ceph/040-ceph.sh
+
+   Activate the  namespace to be able to use Ceph
+     ./tools/deployment/developer/ceph/045-ceph-ns-activate.sh
+
+7. Deploy Keystone
+     ./tools/deployment/developer/ceph/080-keystone.sh
+
+8. Deploy Heat
+     ./tools/deployment/developer/ceph/090-heat.sh
+
+9. Deploy Horizon
+     ./tools/deployment/developer/ceph/100-horizon.sh
+
+10.Deploy Glance
+     ./tools/deployment/developer/ceph/120-glance.sh
+
+11.Deploy Cinder
+     ./tools/deployment/developer/ceph/130-cinder.sh
+
+12.Deploy LibVirt
+     ./tools/deployment/developer/ceph/150-libvirt.sh
+
+13.Deploy Compute Kit (Nova and Neutron)
+     ./tools/deployment/developer/ceph/160-compute-kit.sh
+
+15.To run further commands from the CLI manually, execute the following to set up authentication credentials
+      export OS_CLOUD=openstack_helm
+
+16.Clone the Porthole and openstack utility repo as well.
+
+      git clone https://review.opendev.org/openstack/airship-porthole
+      git pull ssh://pd2839@review.opendev.org:29418/airship/porthole refs/changes/70/674670/13
+
+      cd porthole
+       ./install_openstack_utility.sh
+
+Usage
+-----
+
+Get in to the utility pod using kubectl exec. To perform any operation use the below example. Please be ready with password for accessing below cli commands.
+
+kubectl exec -it <POD_NAME> -n utility /bin/bash
+
+example:
+   utilscli openstack server list --os-username <USER_NAME> --os-domain-name <DOMAIN_NAME> --os-project-name <PROJECT_NAME
+   utilscli openstack user list --os-username <USER_NAME> --os-domain-name <DOMAIN_NAME> --os-project-name <PROJECT_NAME
diff --git a/install_openstack_utility.sh b/install_openstack_utility.sh
new file mode 100755
index 00000000..cb694aa5
--- /dev/null
+++ b/install_openstack_utility.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -xe
+
+#NOTE: Lint and package chart
+: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
+
+make openstack-utility
+
+helm  upgrade --install openstack-utility openstack-utility --namespace=utility
+
+#NOTE: Wait for deploy
+./${OSH_INFRA_PATH}/tools/deployment/common/wait-for-pods.sh utility
+
+#NOTE: Validate Deployment info
+kubectl get pods --all-namespaces | grep openstack-utility
+helm status openstack-utility
+export OS_CLOUD=openstack_helm
+sleep 30 #NOTE(portdirect): Wait for ingress controller to update rules and restart Nginx
+openstack endpoint list
+helm test openstack-utility --timeout 900
diff --git a/openstack-utility/Chart.yaml b/openstack-utility/Chart.yaml
new file mode 100644
index 00000000..1c900aeb
--- /dev/null
+++ b/openstack-utility/Chart.yaml
@@ -0,0 +1,33 @@
+# Copyright 2019 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: OpenStack Client
+name: openstack-utility
+version: 0.1.0
+
+---
+
+apiVersion: v1
+description: OpenStack-Helm Helm-Toolkit
+name: helm-toolkit
+version: 0.1.0
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+sources:
+  - https://git.openstack.org/cgit/openstack/openstack-helm-infra
+  - https://git.openstack.org/cgit/openstack/openstack-helm
+maintainers:
+  - name: OpenStack-Helm Authors
+
diff --git a/openstack-utility/requirements.yaml b/openstack-utility/requirements.yaml
new file mode 100644
index 00000000..e69c985d
--- /dev/null
+++ b/openstack-utility/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright 2019 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: http://localhost:8879/charts
+    version: 0.1.0
diff --git a/openstack-utility/templates/bin/_bootstrap.sh.tpl b/openstack-utility/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 00000000..4b5d093a
--- /dev/null
+++ b/openstack-utility/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+set -ex
+sudo /tmp/start.sh
+tail -f /var/log/syslog
diff --git a/openstack-utility/templates/bin/_start.sh.tpl b/openstack-utility/templates/bin/_start.sh.tpl
new file mode 100644
index 00000000..b3b279ed
--- /dev/null
+++ b/openstack-utility/templates/bin/_start.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+set -ex
+sed -i 's/$PrivDropToUser syslog/$PrivDropToUser nobody/' /etc/rsyslog.conf
+/etc/init.d/rsyslog start
diff --git a/openstack-utility/templates/bin/_utilscli-sudo.tpl b/openstack-utility/templates/bin/_utilscli-sudo.tpl
new file mode 100644
index 00000000..03d44ad2
--- /dev/null
+++ b/openstack-utility/templates/bin/_utilscli-sudo.tpl
@@ -0,0 +1,16 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+nobody ALL=SETENV: NOPASSWD: /tmp/start.sh, /tmp/bootstrap.sh, /usr/local/bin/openstack-utility-rootwrap /etc/openstack-utility/rootwrap.conf *
diff --git a/openstack-utility/templates/bin/utility/_openstack-utility-rootwrap.tpl b/openstack-utility/templates/bin/utility/_openstack-utility-rootwrap.tpl
new file mode 100644
index 00000000..c6237540
--- /dev/null
+++ b/openstack-utility/templates/bin/utility/_openstack-utility-rootwrap.tpl
@@ -0,0 +1,22 @@
+#!/usr/bin/python
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+# PBR Generated from u'console_scripts'
+import sys
+from oslo_rootwrap.cmd import main
+
+if __name__ == "__main__":
+    sys.exit(main())
diff --git a/openstack-utility/templates/bin/utility/_utilscli.tpl b/openstack-utility/templates/bin/utility/_utilscli.tpl
new file mode 100644
index 00000000..f532f489
--- /dev/null
+++ b/openstack-utility/templates/bin/utility/_utilscli.tpl
@@ -0,0 +1,17 @@
+#!/bin/bash
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+script -f -a -q /var/log/syslog -c "sudo -E /usr/local/bin/openstack-utility-rootwrap /etc/openstack-utility/rootwrap.conf $*"
diff --git a/openstack-utility/templates/configmap-bin.yaml b/openstack-utility/templates/configmap-bin.yaml
new file mode 100644
index 00000000..c8685cd5
--- /dev/null
+++ b/openstack-utility/templates/configmap-bin.yaml
@@ -0,0 +1,49 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.configmap_bin .Values.deployment.openstack }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
+data:
+{{- if .Values.images.local_registry.active }}
+  image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+
+  start.sh: |
+{{ tuple "bin/_start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+
+  openstack-utility-rootwrap: |
+{{ tuple "bin/utility/_openstack-utility-rootwrap.tpl" . | include  "helm-toolkit.utils.template" | indent 4 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }}
+data:
+  utilscli: |
+{{ tuple "bin/utility/_utilscli.tpl" . | include  "helm-toolkit.utils.template" | indent 4 }}
+
+{{- if .Values.bootstrap.enabled }}
+  bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+
+{{- end }}
diff --git a/openstack-utility/templates/configmap-etc-client.yaml b/openstack-utility/templates/configmap-etc-client.yaml
new file mode 100644
index 00000000..b8af4752
--- /dev/null
+++ b/openstack-utility/templates/configmap-etc-client.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.configmap_etc_client .Values.deployment.openstack }}
+{{- $envAll := . }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
+data:
+  rootwrap.conf: |
+{{ include "helm-toolkit.utils.to_ini" .Values.conf.openstackrootwrapconf | indent 4 }}
+  openstack-rootwrap-filter: |
+{{ include "helm-toolkit.utils.to_ini" .Values.conf.openstackfilter | indent 4 }}
+{{- end }}
diff --git a/openstack-utility/templates/configmap-etc-sudoers.yaml b/openstack-utility/templates/configmap-etc-sudoers.yaml
new file mode 100644
index 00000000..e23f046f
--- /dev/null
+++ b/openstack-utility/templates/configmap-etc-sudoers.yaml
@@ -0,0 +1,27 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.configmap_etc_sudoers .Values.deployment.openstack }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
+data:
+  utilscli-sudo: |
+{{ tuple "bin/_utilscli-sudo.tpl" . | include  "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/openstack-utility/templates/deployment-utility.yaml b/openstack-utility/templates/deployment-utility.yaml
new file mode 100644
index 00000000..f0397f88
--- /dev/null
+++ b/openstack-utility/templates/deployment-utility.yaml
@@ -0,0 +1,135 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if and .Values.manifests.deployment_utility ( and .Values.deployment.openstack) }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := printf "%s" $envAll.Release.Name }}
+{{ tuple $envAll "utility" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+  - apiGroups: [""]
+    resources:
+      - namespaces
+      - nodes
+      - pods
+      - persistentvolumeclaims
+      - persistentvolumes
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $serviceAccountName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ $serviceAccountName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: {{ printf "%s" $envAll.Release.Name }}
+  labels:
+{{ tuple $envAll "openstack" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ .Values.pod.replicas.utility }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "openstack" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+  template:
+    metadata:
+      name: {{ printf "%s" $envAll.Release.Name }}
+      annotations:
+        {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+      labels:
+{{ tuple $envAll "openstack" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      securityContext:
+        runAsUser: 65534
+      serviceAccountName: {{ $serviceAccountName }}
+      affinity:
+{{ tuple $envAll "openstack" "utility" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      nodeSelector:
+        {{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value }}
+      containers:
+        - name: {{ printf "%s" $envAll.Release.Name }}
+{{ tuple $envAll "openstack_utility" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.openstack_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: OS_AUTH_URL
+              value: {{ .Values.conf.keystone_auth.auth_url }}
+            - name: OS_IDENTITY_API_VERSION
+              value: "{{ .Values.conf.keystone_auth.auth_version }}"
+          command:
+            - /tmp/bootstrap.sh
+          volumeMounts:
+            - name: openstack-utility-bin-utilscli
+              mountPath: /tmp/bootstrap.sh
+              subPath: bootstrap.sh
+              readOnly: true
+            - name: openstack-utility-bin
+              mountPath: /tmp/start.sh
+              subPath: start.sh
+              readOnly: true
+            - name: openstack-utility-bin-utilscli
+              mountPath: /usr/local/bin/utilscli
+              subPath: utilscli
+              readOnly: true
+            - name: openstack-utility-bin
+              mountPath: /usr/local/bin/openstack-utility-rootwrap
+              subPath: openstack-utility-rootwrap
+              readOnly: true
+            - name: openstack-utility-sudoers
+              mountPath: /etc/sudoers.d/utilscli-sudo
+              subPath: utilscli-sudo
+              readOnly: true
+            - name: openstack-utility-etc
+              mountPath: /etc/openstack-utility/rootwrap.d/openstack-rootwrap-filter
+              subPath: openstack-rootwrap-filter
+              readOnly: true
+            - name: openstack-utility-etc
+              mountPath: /etc/openstack-utility/rootwrap.conf
+              subPath: rootwrap.conf
+              readOnly: true
+      volumes:
+        - name: openstack-utility-sudoers
+          configMap:
+            name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
+            defaultMode: 0644
+        - name: openstack-utility-bin
+          configMap:
+            name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
+            defaultMode: 0500
+        - name: openstack-utility-etc
+          configMap:
+            name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
+            defaultMode: 0400
+        - name: openstack-utility-bin-utilscli
+          configMap:
+            name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }}
+            defaultMode: 0755
+{{- end }}
diff --git a/openstack-utility/templates/test-openstackutility-running.yaml b/openstack-utility/templates/test-openstackutility-running.yaml
new file mode 100644
index 00000000..aaa1c9c3
--- /dev/null
+++ b/openstack-utility/templates/test-openstackutility-running.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ .Release.Name }}-exists-test"
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  containers:
+  - name: {{ .Release.Name }}-exists-test
+    image: {{ .Values.images.tags.openstack_utility}}
+    env:
+            - name: OS_AUTH_URL
+              value: {{ .Values.conf.keystone_auth.auth_url }}
+            - name: OS_IDENTITY_API_VERSION
+              value: "{{ .Values.conf.keystone_auth.auth_version }}"
+    command: ["/bin/bash", "-c", "openstack user list --os-username admin --os-domain-name default --os-project-name admin --os-password password"]
+  restartPolicy: Never
diff --git a/openstack-utility/values.yaml b/openstack-utility/values.yaml
new file mode 100644
index 00000000..fcdee480
--- /dev/null
+++ b/openstack-utility/values.yaml
@@ -0,0 +1,138 @@
+# Default values for openstack-utility.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+# name: value
+
+
+deployment:
+  openstack: true
+
+release_group: null
+
+images:
+  pull_policy: IfNotPresent
+  tags:
+    openstack_utility: 'docker.io/diwakarthyagaraj/openstackutility:v0.0.2'
+    image_repo_sync: docker.io/docker:17.07.0
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+labels:
+  utility:
+    node_selector_key: openstack-helm-node-class
+    node_selector_value: primary
+
+pod:
+  dns_policy: "ClusterFirstWithHostNet"
+  replicas:
+    utility: 1
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+  resources:
+    enabled: false
+    utility:
+      requests:
+        memory: "100Mi"
+        cpu: "250m"
+      limits:
+        memory: "250Mi"
+        cpu: "500m"
+    jobs:
+      bootstrap:
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+        requests:
+          memory: "128Mi"
+          cpu: "500m"
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+
+conf:
+  openstackfilter:
+    Filters:
+      # openstack-rootwrap command filters for openstack utility container
+      # This file should be owned by (and only-writeable by) the root user
+      openstack: CommandFilter, openstack, root
+  openstackrootwrapconf:
+    DEFAULT:
+      # Configuration for openstack-rootwrap
+      # This file should be owned by (and only-writeable by) the root user
+      # List of directories to load filter definitions from (separated by ',').
+      # These directories MUST all be only writeable by root !
+      filters_path: /etc/openstack-utility/rootwrap.d
+      # List of directories to search executables in, in case filters do not
+      # explicitely specify a full path (separated by ',')
+      # If not specified, defaults to system PATH environment variable.
+      # These directories MUST all be only writeable by root !
+      exec_dirs: /sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
+      # Enable logging to syslog
+      # Default value is False
+      use_syslog: True
+      # Which syslog facility to use.
+      # Valid values include auth, authpriv, syslog, local0, local1...
+      # Default value is 'syslog'
+      syslog_log_facility: syslog
+      # Which messages to log.
+      # INFO means log all usage
+      # ERROR means only log unsuccessful attempts
+      syslog_log_level: INFO
+  keystone_auth:
+    auth_url: http://keystone.openstack.svc.cluster.local/v3
+    auth_version: "3"
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - openstack-utility-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+  static:
+    image_repo_sync:
+      services:
+        - endpoint: internal
+          service: local_image_registry
+
+bootstrap:
+  enabled: true
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+
+monitoring:
+  prometheus:
+    enabled: true
+
+manifests:
+  configmap_bin: true
+  configmap_etc_client: true
+  configmap_etc_sudoers: true
+  deployment_utility: true
diff --git a/zuul.d/openstack-utility.yaml b/zuul.d/openstack-utility.yaml
new file mode 100644
index 00000000..d3da4be7
--- /dev/null
+++ b/zuul.d/openstack-utility.yaml
@@ -0,0 +1,35 @@
+# Copyright 2019 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- project:
+    check:
+      jobs:
+        - porthole-openstack-utility-lint-ws
+    gate:
+      jobs:
+        - porthole-openstack-utility-lint-ws
+
+- nodeset:
+    name: porthole-openstack-utility-single-node
+    nodes:
+      - name: primary
+        label: ubuntu-xenial
+
+- job:
+    name: porthole-openstack-utility-lint-ws
+    description: |
+      Lints all files by checking them for whitespace.
+    run: tools/gate/playbooks/zuul-linter.yaml
+    timeout: 300
+    nodeset: porthole-openstack-utility-single-node