Initial commit of mysqlclient-utility container.

Utility containers shall act as an interface to an Airship environment
and shall enable them to perform routine operational and debugging
activities. Utility containers shall enable Operations to seamlessly
support Airship environment without exposing secrets and credentials,
and at the same time restricting the access to actual containers.

This container allows users access to MariaDB pods remotely to perform
db functions. Authorized users will be able to run db queries through
'utilscli' helper.

Change-Id: I72f5f202b094de9733c13b6a5a6ce3d29205b574
Trung Thai 2019-07-10 23:32:45 -04:00
parent 4b71275e37
commit 7ff0ba880b
24 changed files with 1192 additions and 5 deletions


@ -1,3 +0,0 @@
- project:
templates:
- noop-jobs


@ -0,0 +1,28 @@
ARG FROM=docker.io/ubuntu:xenial
FROM ${FROM}
MAINTAINER Trung Thai <tthai@att.com>
RUN set -xe \
&& sed -i '/nobody/d' /etc/passwd \
&& echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd ;\
apt-get update ;\
apt-get dist-upgrade -y ;\
apt-get install -y \
bash \
moreutils \
vim \
sudo \
screen \
rsyslog \
python-oslo.rootwrap \
python3-oslo.rootwrap \
mysql-client ;\
sed -i 's/$PrivDropToUser syslog/$PrivDropToUser nobody/' /etc/rsyslog.conf ; \
apt-get clean -y ;\
rm -rf \
/var/cache/debconf/* \
/var/lib/apt/lists/* \
/var/log/* \
/tmp/* \
/var/tmp/*
CMD ["/bin/bash"]
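Review bot: The default base `ARG FROM=docker.io/ubuntu:xenial` is a mutable tag, and combined with `apt-get dist-upgrade -y` it means two builds of the same commit can produce different images. Pin the base by digest and rebuild on a refreshed base instead of running `dist-upgrade` inside the image. Two smaller points in the same `RUN`: the `nobody` entry is rewritten with `/bin/bash` as its login shell and `sudo` is installed, so the sudoers drop-in becomes the only privilege boundary in the image and that deserves a comment here; and `MAINTAINER` is deprecated in favour of a `LABEL`.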


@ -0,0 +1,19 @@
#!/bin/bash
set -xe
SCRIPT=`realpath $0`
SCRIPT_DIR=`dirname ${SCRIPT}`
## Only build from main folder
cd ${SCRIPT_DIR}/..
IMAGE="mysqlclient-utility"
VERSION=${VERSION:-latest}
DISTRO=${DISTRO:-ubuntu_xenial}
REGISTRY_URI=${REGISTRY_URI:-"airshipit/"}
EXTRA_TAG_INFO=${EXTRA_TAG_INFO:-""}
docker build \
-f ${IMAGE}/Dockerfile.${DISTRO} \
--network=host \
-t ${REGISTRY_URI}${IMAGE}:${VERSION}-${DISTRO}${EXTRA_TAG_INFO} \
${extra_build_args} ${IMAGE}
cd -
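Review bot: `${extra_build_args}` on the `docker build` line is never set or defaulted in this script, unlike `VERSION`, `DISTRO`, `REGISTRY_URI` and `EXTRA_TAG_INFO` above it, so it is silently empty unless the caller happens to export it. Give it a default alongside the others and document it. Also quote `$0`, `${SCRIPT}` and `${SCRIPT_DIR}` (and prefer `$(...)` to backticks) so that `cd ${SCRIPT_DIR}/..` does not break on a checkout path containing spaces, and add a comment saying why the build needs `--network=host`.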

install_mysqlclient_utility.sh Executable file

@ -0,0 +1,19 @@
#!/bin/bash
set -xe
#NOTE: Lint and package chart
: ${OSH_INFRA_PATH:="../../openstack-helm-infra"}
typeset uc=mysqlclient-utility
make ${uc}
helm upgrade --install ${uc} ${uc} --namespace=utility
#NOTE: Wait for deploy
./${OSH_INFRA_PATH}/tools/deployment/common/wait-for-pods.sh utility
#NOTE: Validate Deployment info
kubectl get pods -n utility |grep ${uc}
helm status ${uc}
helm test ${uc} --timeout 900


@ -0,0 +1,18 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
description: Porthole MySql Client
name: mysqlclient-utility
version: 0.1.0


@ -0,0 +1,237 @@
# MySqlClient Utility Container
## Prerequisites: Deploy OSH-AIO
## Installation
1. Add the below to /etc/sudoers
>root ALL=(ALL) NOPASSWD: ALL \
ubuntu ALL=(ALL) NOPASSWD: ALL
2. Install the latest versions of Git, CA Certs bundle & Make if necessary
>sudo apt-get update \
sudo apt-get dist-upgrade -y \
sudo apt-get install --no-install-recommends -y \
ca-certificates \
git \
make \
jq \
nmap \
curl \
uuid-runtime
3. Clone the OpenStack-Helm Repos
>git clone https://git.openstack.org/openstack/openstack-helm-infra.git \
git clone https://git.openstack.org/openstack/openstack-helm.git
4. Proxy Configuration
In order to deploy OpenStack-Helm behind corporate proxy servers (if any)
add the following entries to openstack-helm-infra/tools/gate/devel/local-vars.yaml
>proxy: \
http: http://username:password@host:port \
https: https://username:password@host:port \
noproxy: 127.0.0.1,localhost,172.17.0.1,.svc.cluster.local
Add the address of the Kubernetes API, 172.17.0.1, and .svc.cluster.local to your no_proxy and NO_PROXY environment variables.
>export no_proxy=${no_proxy},172.17.0.1,.svc.cluster.local \
export NO_PROXY=${NO_PROXY},172.17.0.1,.svc.cluster.local
5. Deploy Kubernetes & Helm
- cd openstack-helm
- ./tools/deployment/developer/common/010-deploy-k8s.sh
- Setup Clients on the host and assemble the charts
- ./tools/deployment/developer/common/020-setup-client.sh
- Deploy the ingress controller
- ./tools/deployment/developer/common/030-ingress.sh
- Deploy Ceph
- ./tools/deployment/developer/ceph/040-ceph.sh
- Activate the namespace to be able to use Ceph
- ./tools/deployment/developer/ceph/045-ceph-ns-activate.sh
-. Deploy Keystone
- ./tools/deployment/developer/ceph/080-keystone.sh
- Deploy Heat
- ./tools/deployment/developer/ceph/090-heat.sh
- Deploy Horizon
- ./tools/deployment/developer/ceph/100-horizon.sh
- Deploy Glance
- ./tools/deployment/developer/ceph/120-glance.sh
- Deploy Cinder
- ./tools/deployment/developer/ceph/130-cinder.sh
- Deploy LibVirt
- ./tools/deployment/developer/ceph/150-libvirt.sh
- Deploy Compute Kit (Nova and Neutron)
- ./tools/deployment/developer/ceph/160-compute-kit.sh
- To run further commands from the CLI manually, execute the following to set up authentication credentials
- export OS_CLOUD=openstack_helm
6. Clone the Porthole and this utility repo as well.
- $git clone https://review.opendev.org/airship/porthole
7. $cd porthole
**Optionally pull in this PS if it's not ready merged; otherwise, skip step below.**
- $git pull https://review.opendev.org/airship/porthole refs/changes/81/674881/[latest change set]
- **$bash ./install_mysqlclient_utility.sh**
---
<blockquote>
+../../openstack-helm-infra
+ typeset uc=mysqlclient-utility
+ make mysqlclient-utility
===== Processing [mysqlclient-utility] chart =====
make[1]: Entering directory '/home/ubuntu/osh/openstack-helm/porthole'
if [ -f mysqlclient-utility/Makefile ]; then make -C mysqlclient-utility; fi
if [ -f mysqlclient-utility/requirements.yaml ]; then helm dep up mysqlclient-utility; fi
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "local" chart repository
Update Complete. ⎈Happy Helming!⎈
Saving 1 charts
Downloading helm-toolkit from repo http://localhost:8879/charts
Deleting outdated charts
if [ -d mysqlclient-utility ]; then helm lint mysqlclient-utility; fi
==> Linting mysqlclient-utility
[INFO] Chart.yaml: icon is recommended
1 chart(s) linted, no failures
if [ -d mysqlclient-utility ]; then helm package mysqlclient-utility; fi
Successfully packaged chart and saved it to: /home/ubuntu/osh/openstack-helm/porthole/mysqlclient-utility-0.1.0.tgz
make[1]: Leaving directory '/home/ubuntu/osh/openstack-helm/porthole'
+ helm upgrade --install mysqlclient-utility mysqlclient-utility --namespace=utility
Release "mysqlclient-utility" does not exist. Installing it now.
NAME: mysqlclient-utility
LAST DEPLOYED: Fri Jul 19 01:38:55 2019
NAMESPACE: utility
STATUS: DEPLOYED
RESOURCES:
==> v1/ConfigMap
NAME DATA AGE
mysqlclient-utility-bin 2 1s
mysqlclient-utility-bin-utilscli 2 1s
mysqlclient-utility-etc 2 1s
mysqlclient-utility-sudoers 1 1s
==> v1/Deployment
NAME READY UP-TO-DATE AVAILABLE AGE
mysqlclient-utility 0/1 1 0 1s
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
mysqlclient-utility-775bf65c97-8z97s 0/1 ContainerCreating 0 1s
==> v1/ServiceAccount
NAME SECRETS AGE
mysqlclient-utility 1 1s
==> v1beta1/ClusterRole
NAME AGE
mysqlclient-utility 1s
==> v1beta1/ClusterRoleBinding
NAME AGE
mysqlclient-utility 1s
+ ../../openstack-helm-infra/tools/deployment/common/wait-for-pods.sh utility
+ kubectl get pods -n utility
+ grep mysqlclient-utility
mysqlclient-utility-775bf65c97-8z97s 1/1 Running 0 17s
+ helm status mysqlclient-utility
LAST DEPLOYED: Fri Jul 19 01:38:55 2019
NAMESPACE: utility
STATUS: DEPLOYED
RESOURCES:
==> v1/ConfigMap
NAME DATA AGE
mysqlclient-utility-bin 2 18s
mysqlclient-utility-bin-utilscli 2 18s
mysqlclient-utility-etc 2 18s
mysqlclient-utility-sudoers 1 18s
==> v1/Deployment
NAME READY UP-TO-DATE AVAILABLE AGE
mysqlclient-utility 1/1 1 1 18s
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
mysqlclient-utility-775bf65c97-8z97s 1/1 Running 0 18s
==> v1/ServiceAccount
NAME SECRETS AGE
mysqlclient-utility 1 18s
==> v1beta1/ClusterRole
NAME AGE
mysqlclient-utility 18s
==> v1beta1/ClusterRoleBinding
NAME AGE
mysqlclient-utility 18s
+ helm test mysqlclient-utility --timeout 900
RUNNING: mysqlclient-utility-check-mysql-client-installation
PASSED: mysqlclient-utility-check-mysql-client-installation
</blockquote>
## POST-Installation
Validate pods are deployed and running
$ kubectl get pods -n utility
- NAME READY STATUS RESTARTS AGE
- mysqlclient-utility-775bf65c97-8z97s 1/1 Running 0 8m47s
- mysqlclient-utility-check-mysql-client-installation 0/1 Completed 0 8m29s
## Usage & Test
Get in to the utility pod using kubectl exec, perform the followings:
### Case 1 - Execute into the pod
$kubectl exec -it <POD_NAME> -n utility /bin/bash
### Case 2 - Test connectiviy to Mariadb (optional)
- Find mariadb pod and its corresponding IP
---
- $kubectl get pods --all-namespaces |grep -i mariadb-server |awk '{print $1,$2}'|while read a b ; do
kubectl get pod $b -n $a -o wide
done
---
- An Output should look similar to below
- NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
- mariadb-server-0 1/1 Running 0 5h49m 192.168.251.93 mtn13b2 <none> <none>
- Now connect to the pod as prescribe in Case 1 by providing the arguements accordingly to CLI, like below.
- $kubectl exec <POD_NAME> -it -n utility -- mysql -h <IP> -u root -p<PASSWORD> -e 'show databases;'
It's expected to see an output looks similar to below.
>--------------------+\
| Database |\
|--------------------|\
| cinder |\
| glance |\
| heat |\
| horizon |\
| information_schema |\
| keystone |\
| mysql |\
| neutron |\
| nova |\
| nova_api |\
| nova_cell0 |\
| performance_schema |\
+--------------------+\
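Review bot: Case 2 documents `kubectl exec <POD_NAME> -it -n utility -- mysql -h <IP> -u root -p<PASSWORD> -e 'show databases;'`, which calls `mysql` directly instead of going through `utilscli`, so the documented path skips the rootwrap filter and the `ActualUser=` syslog record that the commit message gives as the purpose of this container. It also puts the root password on the command line, where it lands in shell history and the process list. Please show the `utilscli mysql ...` form and let `-p` prompt for the password. Separately, step 1 of Installation grants `NOPASSWD: ALL` to `ubuntu`; state that this applies to a throwaway OSH-AIO development host only.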


@ -0,0 +1,18 @@
# Copyright 2019 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
version: 0.1.0


@ -0,0 +1,19 @@
#!/bin/bash
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
sudo ./tmp/start.sh
tail -f /var/log/syslog
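Review bot: `sudo ./tmp/start.sh` uses a path relative to the working directory, while the sudoers entry added in this change allows `/tmp/start.sh` and the Deployment mounts the script at `/tmp/start.sh`. The relative form only resolves to the permitted path when the container starts with `/` as its working directory; use the absolute path `/tmp/start.sh` so the call does not depend on that.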


@ -0,0 +1,34 @@
#!/bin/bash
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
# move this into build image v1.0.1 8/13/19
#sed -i 's/$PrivDropToUser syslog/$PrivDropToUser nobody/' /etc/rsyslog.conf
/etc/init.d/rsyslog start
# for readiness probe
touch /tmp/done
{{/*
These lines will disable extra handler, extra formatter, extra level to the
root logger by oslo-rootwrap module, imported in _openstack-utility-rootwrap.tpl.
These lines will get rid of duplicate logs, generated because of the formatter
attached by oslo-rootwrap.
*/}}
sed -i "/rootwrap_logger.setLevel/s/.*/#&/" /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py
sed -i "/handler.setFormatter/s/.*/#&/" /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py
sed -i "/os.path.basename/s/.*/#&/" /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py
sed -i "/rootwrap_logger.addHandler/s/.*/#&/" /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py
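Review bot: The four `sed -i` lines comment out whole lines of the packaged `/usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py` by substring match at every container start. The patterns are broad (`/os.path.basename/` matches any line containing that call, not only the logging one), a commented-out line that is the only statement in a block or part of a multi-line call leaves the module unimportable, and the path is tied to Python 2.7 while the image also installs `python3-oslo.rootwrap`. Since the `$PrivDropToUser` edit was already moved into the image build, move this patch there as well (or configure logging in the wrapper script rather than editing the library), and fail the build when a pattern matches more or fewer lines than expected. `touch /tmp/done` should also come after these edits, because the readiness probe reads that file.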


@ -0,0 +1,16 @@
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
nobody ALL=SETENV: NOPASSWD: /tmp/start.sh, /tmp/bootstrap.sh, /usr/local/bin/mysqlclient-utility-rootwrap /etc/mysqlclient-utility/rootwrap.conf *
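Review bot: The `SETENV:` tag applies to every command in this list, so `nobody` may carry its whole environment through `sudo -E` into `/tmp/start.sh`, `/tmp/bootstrap.sh` and the rootwrap entry point, all of which run as root. `utilscli` needs only `AUSER` to survive; a `Defaults env_keep += "AUSER"` line scoped to this user, with `SETENV:` removed here and `-E` dropped from `utilscli`, keeps that working with sudo's normal environment reset in place. `/tmp/bootstrap.sh` also looks unnecessary in the list, since the Deployment runs it as the container command without sudo.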


@ -0,0 +1,49 @@
#!/usr/bin/python
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# PBR Generated from u'console_scripts'
import sys
import os
import logging
import getpass
from oslo_rootwrap.cmd import main
exec_name = sys.argv[0]
host_name = os.environ.get("HOSTNAME")
log_level = {{ .Values.conf.mysqlclientrootwrapconf.DEFAULT.syslog_log_level | quote }}
facility = {{ .Values.conf.mysqlclientrootwrapconf.DEFAULT.syslog_log_facility | quote }}
if "AUSER" in os.environ:
user_id = os.environ["AUSER"]
elif {{ .Values.conf.utility.always_log_user | quote }} == 'true':
user_id = 'development site'
else:
print("No username set in AUSER environment variable, for security reasons access restricted from connecting to container.")
exit()
try:
handler = logging.handlers.SysLogHandler(address='/dev/log',facility=facility)
except IOError:
print("Unable to setup logging, for security reasons access restricted from connecting to container.")
exit()
formatter = logging.Formatter('%(asctime)s ' + host_name + ' ' + '%(levelname)s' + os.path.basename(exec_name) + ': ' + 'ActualUser=' + user_id + ': %(message)s')
handler.setFormatter(formatter)
root = logging.getLogger()
root.setLevel(log_level)
root.addHandler(handler)
if __name__ == "__main__":
sys.exit(main())
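Review bot: `user_id` comes straight from the `AUSER` environment variable and is concatenated into the `logging.Formatter` format string, so a `%` in the value is parsed as a format directive and a newline splits the audit record. Validate `AUSER` against a strict pattern before use and attach it to the record through a `logging.Filter` or `extra` rather than building the format string from it. In the same block, both refusal paths call bare `exit()`, which returns status 0; use `sys.exit(1)` so callers and the liveness probe can tell a refusal from success. Only `import logging` is present while `logging.handlers.SysLogHandler` is used, so add `import logging.handlers` explicitly rather than depending on another module having imported it. The format string is also missing a space between `'%(levelname)s'` and `os.path.basename(exec_name)`.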


@ -0,0 +1,17 @@
#!/bin/bash
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
script -f -a -q /var/log/syslog -c "sudo -E /usr/local/bin/mysqlclient-utility-rootwrap /etc/mysqlclient-utility/rootwrap.conf $*"
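Review bot: `$*` is expanded inside the double-quoted string given to `script -c`, so the caller's arguments are flattened into one string and parsed a second time by a shell. Quoting is lost: the README's own example argument `'show databases;'` would arrive as the separate words `show` and `databases`, with the `;` taken as a shell command separator. Build the command from `"$@"` with explicit re-quoting (for example `printf '%q '`) before handing it to `script`. Also, `script -f -a -q /var/log/syslog` appends the session as the calling user, which requires the audit log to be writable by the same `nobody` account whose actions it records (the Dockerfile sets `$PrivDropToUser nobody` for that); consider sending the transcript through `logger` so the file itself can stay root-owned.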


@ -0,0 +1,48 @@
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.configmap_bin .Values.deployment.mysqlclient }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
data:
{{- if .Values.images.local_registry.active }}
image-repo-sync.sh: |
{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
{{- end }}
start.sh: |
{{ tuple "bin/_start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
mysqlclient-utility-rootwrap: |
{{ tuple "bin/utility/_mysqlclient-utility-rootwrap.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }}
data:
utilscli: |
{{ tuple "bin/utility/_utilscli.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
bootstrap.sh: |
{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}


@ -0,0 +1,30 @@
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.configmap_etc_client .Values.deployment.mysqlclient }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
data:
rootwrap.conf: |
{{ include "helm-toolkit.utils.to_ini" .Values.conf.mysqlclientrootwrapconf | indent 4 }}
mysqlclient-rootwrap-filter: |
{{ include "helm-toolkit.utils.to_ini" .Values.conf.mysqlclientfilter | indent 4 }}
{{- end }}


@ -0,0 +1,27 @@
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.configmap_etc_sudoers .Values.deployment.mysqlclient }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
data:
utilscli-sudo: |
{{ tuple "bin/_utilscli-sudo.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}


@ -0,0 +1,143 @@
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.deployment_utility ( and .Values.deployment.mysqlclient .Values.conf.features.utility) }}
{{- $envAll := . }}
{{- $serviceAccountName := printf "%s" $envAll.Release.Name }}
{{ tuple $envAll "utility" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: {{ $serviceAccountName }}
rules:
- apiGroups:
- ""
resources:
- pods
- pods/exec
verbs:
- get
- list
- watch
- exec
- create
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: {{ $serviceAccountName }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $serviceAccountName }}
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ $envAll.Release.Namespace }}
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: {{ printf "%s" $envAll.Release.Name }}
labels:
{{ tuple $envAll "mysqlclient" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
replicas: {{ .Values.pod.replicas.utility }}
selector:
matchLabels:
{{ tuple $envAll "mysqlclient" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
template:
metadata:
name: {{ printf "%s" $envAll.Release.Name }}
annotations:
{{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
labels:
{{ tuple $envAll "mysqlclient" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
securityContext:
runAsUser: 65534
serviceAccountName: {{ $serviceAccountName }}
affinity:
{{ tuple $envAll "mysqlclient" "utility" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
{{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value }}
containers:
- name: {{ printf "%s" $envAll.Release.Name }}
{{ tuple $envAll "mysqlclient_utility" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.mysql_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- /tmp/bootstrap.sh
readinessProbe:
exec:
command:
- cat
- /tmp/done
initialDelaySeconds: 5
periodSeconds: 15
livenessProbe:
exec:
command:
- utilscli
initialDelaySeconds: 5
periodSeconds: 15
volumeMounts:
- name: mysqlclient-utility-bin-utilscli
mountPath: /tmp/bootstrap.sh
subPath: bootstrap.sh
readOnly: true
- name: mysqlclient-utility-bin
mountPath: /tmp/start.sh
subPath: start.sh
readOnly: true
- name: mysqlclient-utility-bin-utilscli
mountPath: /usr/local/bin/utilscli
subPath: utilscli
readOnly: true
- name: mysqlclient-utility-bin
mountPath: /usr/local/bin/mysqlclient-utility-rootwrap
subPath: mysqlclient-utility-rootwrap
readOnly: true
- name: mysqlclient-utility-sudoers
mountPath: /etc/sudoers.d/utilscli-sudo
subPath: utilscli-sudo
readOnly: true
- name: mysqlclient-utility-etc
mountPath: /etc/mysqlclient-utility/rootwrap.d/mysqlclient-rootwrap-filter
subPath: mysqlclient-rootwrap-filter
readOnly: true
- name: mysqlclient-utility-etc
mountPath: /etc/mysqlclient-utility/rootwrap.conf
subPath: rootwrap.conf
readOnly: true
volumes:
- name: mysqlclient-utility-sudoers
configMap:
name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
defaultMode: 0644
- name: mysqlclient-utility-bin
configMap:
name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
defaultMode: 0555
- name: mysqlclient-utility-etc
configMap:
name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
defaultMode: 0555
- name: mysqlclient-utility-bin-utilscli
configMap:
name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }}
defaultMode: 0755
{{- end }}
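Review bot: The `ClusterRole` grants `get`, `list`, `watch`, `exec` and `create` on `pods` and `pods/exec` and is bound cluster-wide with a `ClusterRoleBinding`, but nothing in this chart calls the Kubernetes API: the only enabled rootwrap filter is `mysql`, and the `kubectl` filter is commented out in values.yaml. `create` on `pods/exec` lets the pod's service account exec into any pod in any namespace, and `exec` is not an RBAC verb. Drop the role and binding, or reduce them to a namespaced `Role` with the verbs actually used. Also in this hunk: the container resources template reads `.Values.pod.resources.mysql_utility` while values.yaml defines `pod.resources.utility`, so the limits will not render when `resources.enabled` is turned on; and the `livenessProbe` runs `utilscli` with no arguments every 15 seconds, which goes through `script` and sudo and appends to `/var/log/syslog` on each probe.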


@ -0,0 +1,26 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
apiVersion: v1
kind: Pod
metadata:
name: "{{ .Release.Name }}-check-mysql-client-installation"
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: "{{ .Release.Name }}-check-mysql-client-installation"
image: {{ .Values.images.tags.mysqlclient_utility }}
command: ["/bin/bash", "-c", "type mysql"]
restartPolicy: Never


@ -0,0 +1,161 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for mysql-client.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
deployment:
mysqlclient: true
release_group: null
images:
tags:
mysqlclient_utility: 'quay.io/trthai/tuc:mysql-client-utility-v1.0.1'
image_repo_sync: docker.io/docker:18.09.02
pull_policy: IfNotPresent
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
labels:
utility:
node_selector_key: openstack-helm-node-class
node_selector_value: primary
pod:
dns_policy: "ClusterFirstWithHostNet"
replicas:
utility: 1
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
resources:
enabled: false
utility:
requests:
memory: "100Mi"
cpu: "250m"
limits:
memory: "250Mi"
cpu: "500m"
jobs:
bootstrap:
limits:
memory: "1024Mi"
cpu: "2000m"
requests:
memory: "128Mi"
cpu: "500m"
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
conf:
features:
utility: true
mysqlclientconf:
etc: mysqlclient-etc
mysqlclientfilter:
Filters:
# mysqlclient-rootwrap command filters for mysqlclient utility container
# This file should be owned by (and only-writeable by) the root user
mysql: CommandFilter, mysql, root
#kubectl: CommandFilter, kubectl, root
mysqlclientrootwrapconf:
DEFAULT:
# Configuration for mysqlclient-rootwrap
# This file should be owned by (and only-writeable by) the root user
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path: /etc/mysqlclient-utility/rootwrap.d
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs: /sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/tmp
# Enable logging to syslog
# Default value is False
use_syslog: True
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility: syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level: INFO
#keystone_auth:
# auth_url: http://keystone.openstack.svc.cluster.local/v3
# auth_version: "3"
utility:
# Set to true for development sites,
# Set to false otherwise
always_log_user: true
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- mysqlclient-utility-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
bootstrap:
enabled: true
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
monitoring:
prometheus:
enabled: true
manifests:
configmap_bin: true
configmap_etc_client: true
configmap_etc_sudoers: true
deployment_utility: true
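Review bot: `exec_dirs` ends with `/tmp`, directly under the comment stating that these directories MUST be writable only by root, and the filter `mysql: CommandFilter, mysql, root` names the executable without a path. Remove `/tmp` from `exec_dirs` and give the filter a full path (for example `/usr/bin/mysql`). Two defaults also need a second look: `always_log_user: true` makes the rootwrap wrapper accept calls with no `AUSER` and log them as `development site`, so the shipped default is the development setting; and `mysqlclient_utility` points at `quay.io/trthai/tuc`, a personal namespace, while the build script and publish playbook in this change use `airshipit`.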


@ -0,0 +1,112 @@
- hosts: all
tasks:
- include_vars: vars.yaml
- name: Install Docker (Debian)
when: ansible_os_family == 'Debian'
block:
- file:
path: "{{ item }}"
state: directory
with_items:
- /etc/docker/
- /etc/systemd/system/docker.service.d/
- /var/lib/docker/
- mount:
path: /var/lib/docker/
src: tmpfs
fstype: tmpfs
opts: size=25g
state: mounted
- copy: "{{ item }}"
with_items:
- content: "{{ docker_daemon | to_json }}"
dest: /etc/docker/daemon.json
- src: files/docker-systemd.conf
dest: /etc/systemd/system/docker.service.d/
- apt_key:
url: https://download.docker.com/linux/ubuntu/gpg
- apt_repository:
repo: deb http://{{ zuul_site_mirror_fqdn }}/deb-docker xenial stable
- apt:
name: "{{ item }}"
allow_unauthenticated: True
with_items:
- docker-ce
- python-pip
- pip:
name: docker
version: 2.7.0
# NOTE(SamYaple): Allow all connections from containers to host so the
# containers can access the http server for git and wheels
- iptables:
action: insert
chain: INPUT
in_interface: docker0
jump: ACCEPT
become: True
- name: Debug tag generation inputs
block:
- debug:
var: publish
- debug:
var: tags
- debug:
var: zuul
- debug:
msg: "{{ tags | to_json }}"
- name: Determine tags
shell: echo '{{ tags | to_json }}' | python {{ zuul.project.src_dir }}/tools/image_tags.py
environment:
BRANCH: "{{ zuul.branch | default('') }}"
CHANGE: "{{ zuul.change | default('') }}"
COMMIT: "{{ zuul.newrev | default('') }}"
PATCHSET: "{{ zuul.patchset | default('') }}"
register: image_tags
- name: Debug computed tags
debug:
var: image_tags
- name: Make images
when: not publish
block:
- make:
chdir: "{{ zuul.project.src_dir }}"
target: images
params:
IMAGE_TAG: "{{ item }}"
with_items: "{{ image_tags.stdout_lines }}"
- shell: "docker images"
register: docker_images
- debug:
var: docker_images
become: True
- name: Publish images
block:
- docker_login:
username: "{{ quay_credentials.username }}"
password: "{{ quay_credentials.password }}"
registry_url: "https://quay.io/api/v1/"
- make:
chdir: "{{ zuul.project.src_dir }}"
target: images
params:
DOCKER_REGISTRY: "quay.io"
IMAGE_PREFIX: "airshipit"
IMAGE_TAG: "{{ item }}"
COMMIT: "{{ zuul.newrev | default('') }}"
PUSH_IMAGE: "true"
with_items: "{{ image_tags.stdout_lines }}"
- shell: "docker images"
register: docker_images
- debug:
var: docker_images
when: publish
become: True
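Review bot: The `apt` task installs `docker-ce` with `allow_unauthenticated: True` from a repository added over plain `http://{{ zuul_site_mirror_fqdn }}/deb-docker`, which discards the signature check that the `apt_key` task two steps earlier sets up. Remove `allow_unauthenticated`, or document why the mirror's packages fail verification. In the `Determine tags` task, `echo '{{ tags | to_json }}'` places templated JSON inside single quotes in a shell string, so a tag value containing `'` breaks the command; pass the JSON through the `stdin:` parameter of a `command` task instead.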


@ -0,0 +1,8 @@
# NOTE(SamYaple): CentOS cannot be build with userns-remap enabled. httpd uses
# cap_set_file capability and there is no way to pass that in at build as of
# docker 17.06.
# TODO(SamYaple): Periodically check to see if this is possible in newer
# versions of Docker
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd


@ -0,0 +1,19 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
docker_daemon:
group: zuul
registry-mirrors:
- "http://{{ zuul_site_mirror_fqdn }}:8082/"
storage-driver: overlay2
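
Review bot: `registry-mirrors` points at `http://{{ zuul_site_mirror_fqdn }}:8082/`, so base-image pulls for a build that is later published go through the mirror without transport protection. Use an `https://` mirror endpoint if one is available, or pin the Dockerfile's `FROM` image by digest so a tampered mirror response is rejected. The header also carries "Copyright 2017 The Openstack-Helm Authors" on a file that is new in this commit; confirm that attribution is intended.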

View File

@ -1,4 +1,4 @@
# Copyright 2019 The Openstack-Helm Authors.
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
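
Review bot: The only difference in this hunk is the header year, which flips between 2019 and 2017 on the "The Openstack-Helm Authors" line. If the file was copied from openstack-helm, keep its original year and leave the header untouched; a year change on its own should not be part of this commit.
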
@ -15,6 +15,6 @@
- hosts: primary
tasks:
- name: Execute a Whitespace Linter check
command: find . -not -path "*/\.*" -not -path "*/doc/build/*" -not -name "*.tgz" -not -name "*.png" -type f -exec egrep -l " +$" {} \;
command: find . -not -path "*/\.*" -not -path "*/doc/build/*" -not -name "*.tgz" -type f -exec egrep -l " +$" {} \;
register: result
failed_when: result.stdout != ""
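
Review bot: The two `command:` lines differ only in `-not -name "*.png"`. If the version without that exclusion is the one being kept, `egrep -l " +$"` will also scan PNG files and can fail the lint on binary content; keep the exclusion or add `-I` so binary files are skipped. `egrep` is deprecated in favour of `grep -E`.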

67
zuul.d/base.yaml Normal file
View File

@ -0,0 +1,67 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- nodeset:
name: airship-porthole-single-node
nodes:
- name: primary
label: ubuntu-xenial
- job:
name: porthole-images-build
parent: build-docker-image
abstract: true
ansible-version: 2.8
description: |
irrelevant-files:
- ^\.git.*
- ^.*\.(example|md|rst)$
- ^doc/.*
- ^releasenotes/.*
timeout: 3600
- job:
name: porthole-images-upload
parent: upload-docker-image
abstract: true
ansible-version: 2.8
secrets:
name: quay_credentials
secret: quay_credentials
pass-to-parent: true
timeout: 3600
- secret:
name: quay_credentials
data:
username: !encrypted/pkcs1-oaep
- SQ0e+mvFN7eU+snMDhXC417r3yy+OoZ+QQcAPAoI2xuUDbZOrCSXIlRATrNZX+NrRx/sT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=
password: !encrypted/pkcs1-oaep
- CuInAjNp1dAXxxNzfs9O9I7+T6OJLx4gaPeafLxfjJs4uCRC8L6N1Kcyc1QPYlr6hfvFz
D8Er9OKTzbmQixDxGzCSJh/RRcpjwh8GJMn7cvGYMTsrWcYzvK2RC5778huxVnwT0gWiB
TaqUqOBsHQMlXumEAKO7qqaKxJ4LadXMp/eqcyVfCw1roEOO69QqhBajwhk/5RS3qm6QZ
KGr0T3AfDAtF276e4GI9L5paVNjME7Au22+S1pVaIxX91/qx3HFAz+HSErvhxGHVKhHr4
4G/YygeSJMWyKpk28kjoncxgzHNwREXZXbRabMwXoGuweOB4ZZ7JXy9yEkagojx0buBtn
Phv48p/8C/7ZN3v8xOiHRAnLk6jsWA4cu5Zhplark22Uq+d7MtlEgRpWvqDBWNF+9GCOQ
Vlpomy02Nj4PkZZDKY7Eo3uf/+3aa8/hhvJursqv6VvqwYl75euT8Immo1EUw/Hw4PBpJ
JXcwlGoK6kvXmYaG2c7yEiH2xNtTzVTai10fsalubQWR4FTmJA5LU9+HatHBa46XLy4gS
vMHs2uJudmxhqLIhs5Er248FVjfxw7le5dPun3ir4J7Mjgypu5y8eLCMZAFIwpeqlJrVU
uih8ByaTlSEh6FBzle7Hb330RjSztC4pX6xiNAmtkpxhF2rEEFS66B/ixwCphQ=
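
Review bot: `porthole-images-upload` is declared with `quay_credentials` and `pass-to-parent: true`, but no job in this change inherits from it: `porthole-mysqlclient-images-upload` has no `parent` and lists the secret itself. Parent the concrete upload job on this abstract one or drop it, so the secret is attached in a single place. In `porthole-images-build`, `description: |` is followed directly by `irrelevant-files:`, which leaves the description empty. The file also starts at the license text without a copyright line, unlike zuul.d/mysqlclient-utility.yaml.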

View File

@ -0,0 +1,75 @@
# Copyright 2019 The Airship Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- project:
check:
jobs:
- porthole-mysqlclient-lint-ws
- porthole-mysqlclient-images-build
gate:
jobs:
- porthole-mysqlclient-lint-ws
- porthole-mysqlclient-images-build
post:
jobs:
- porthole-mysqlclient-images-upload
- job:
name: porthole-mysqlclient-lint-ws
description: |
Lints all files for trailing whitespace
run: tools/gate/playbooks/zuul-linter.yaml
timeout: 300
nodeset: airship-porthole-single-node
- job:
name: porthole-mysqlclient-images-build
parent: porthole-images-build
description: Build mysqclient images
vars: &mysqlclient_vars
currentdate: "{{ now(utc=True,fmt='%Y%m%d') }}"
docker_images:
- context: Dockerfiles/mysqlclient-utility
repository: porthole/mysqlclient-utility
dockerfile: Dockerfile.ubuntu_xenial
tags:
- latest-ubuntu_xenial
- "ubuntu_xenial-{{ currentdate }}"
files: &mysqlclient_files
- Dockerfiles/mysqlclient-utility/.*
- zuul.d/mysqlclient-utility.yaml
- job:
name: porthole-mysqlclient-images-upload
timeout: 1800
run: tools/gate/playbooks/docker-image-upload.yaml
nodeset: airship-porthole-single-node
secrets:
- quay_credentials
vars:
publish: true
tags:
dynamic:
branch: true
commit: true
static:
- latest
irrelevant-files:
- ^charts/.*$
- ^etc/.*$
- ^tests/.*$
- ^tools/.*$
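
Review bot: The check and gate pipelines build through `porthole-images-build` with the `docker_images` vars, while `porthole-mysqlclient-images-upload` in post has no parent and runs its own playbook, `tools/gate/playbooks/docker-image-upload.yaml`, so the image that gets published is not produced by the path that was gated. Build and publish should share one definition. The `&mysqlclient_vars` and `&mysqlclient_files` anchors are defined but never referenced, the upload job has no `files:` filter and will therefore run in post for changes that do not touch the image, and `^tools/.*$` under `irrelevant-files` excludes the directory that holds the job's own playbook. Typo in the build job description: "mysqclient".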