Remove ncct-utility

This patchset removes the ncct-utility.

Change-Id: I4a169581b9956e926adabea3f91cb18e23f2d321
Signed-off-by: Sreejith Punnapuzha <Sreejith.Punnapuzha@outlook.com>
Sreejith Punnapuzha 2019-10-14 16:47:20 -05:00
parent b7d00a795d
commit 8a08f26f4a
15 changed files with 1 additions and 609 deletions


@ -1,18 +0,0 @@
# Copyright 2019 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
description: OpenStack-Helm NC Cluster Testing
name: ncct-utility
version: 0.1.0


@ -1,18 +0,0 @@
# Copyright 2019 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
version: 0.1.0


@ -1,19 +0,0 @@
#!/bin/sh
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
sudo /usr/local/bin/override-oslo-rootwrap-logging.sh
exec sudo socat -d -s -t0 -T0 -u UNIX-RECV:/dev/log,reuseaddr stdout


@ -1,52 +0,0 @@
#!/usr/bin/python
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
import logging
import os
import sys
from oslo_rootwrap.cmd import main
exec_name = sys.argv[0]
host_name = os.environ.get("HOSTNAME")
log_level = {{ .Values.conf.ncct_rootwrap.DEFAULT.syslog_log_level | quote }}
facility = {{ .Values.conf.ncct_rootwrap.DEFAULT.syslog_log_facility | quote }}
if "AUSER" in os.environ:
user_id = os.environ.get("AUSER")
elif {{ .Values.conf.utility.always_log_user | quote }} == 'true':
user_id = 'development site'
else:
print("No username set in AUSER environment variable, for security reasons access restricted from connecting to container.")
exit()
try:
handler = logging.handlers.SysLogHandler(address='/dev/log',facility=facility)
except IOError:
print("Unable to setup logging, for security reasons access restricted from connecting to container.")
exit()
formatter = logging.Formatter('%(asctime)s ' + host_name + ' ' +
os.path.basename(exec_name) + ': ' + 'ActualUser=' + user_id + ': %(message)s\n')
handler.setFormatter(formatter)
root = logging.getLogger()
root.setLevel(log_level)
root.addHandler(handler)
if __name__ == "__main__":
sys.exit(main())


@ -1,26 +0,0 @@
#!/bin/sh
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
These lines will disable extra handler, extra formatter, extra level to the
root logger by oslo-rootwrap module, imported in _openstack-utility-rootwrap.tpl.
These lines will get rid of duplicate logs, generated because of the formatter
attached by oslo-rootwrap.
*/}}
sed -i "/rootwrap_logger.setLevel/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
sed -i "/handler.setFormatter/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
sed -i "/os.path.basename/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py
sed -i "/rootwrap_logger.addHandler/s/.*/#&/" /usr/lib/python2.7/site-packages/oslo_rootwrap/wrapper.py


@ -1,20 +0,0 @@
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
nobody ALL=SETENV: NOPASSWD: /usr/bin/socat -d -s -t0 -T0 -u \
UNIX-RECV\:/dev/log\,reuseaddr stdout, \
/usr/local/bin/override-oslo-rootwrap-logging.sh, \
/usr/local/bin/ncct-utility-rootwrap /etc/ncct/rootwrap.conf *


@ -1,18 +0,0 @@
#!/bin/sh
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
sudo -E /usr/local/bin/ncct-utility-rootwrap /etc/ncct/rootwrap.conf $*


@ -1,43 +0,0 @@
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_bin }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
data:
image-repo-sync.sh: |
{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
ncct-utility-rootwrap: |
{{ tuple "bin/_ncct-utility-rootwrap.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
override-oslo-rootwrap-logging.sh: |
{{ tuple "bin/_override-oslo-rootwrap-logging.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }}
data:
bootstrap.sh: |
{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
utilscli: |
{{ tuple "bin/_utilscli.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}


@ -1,41 +0,0 @@
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_ncct_etc }}
{{- $envAll := . }}
---
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
data:
rootwrap.conf: |
{{ include "helm-toolkit.utils.to_ini" .Values.conf.ncct_rootwrap | indent 4 }}
ncct.filter: |
{{ include "helm-toolkit.utils.to_ini" .Values.conf.ncct_filter | indent 4 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
data:
utilscli-sudo: |
{{ tuple "bin/_utilscli-sudo.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}


@ -1,129 +0,0 @@
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.deployment_ncct_utility }}
{{- $envAll := . }}
{{- $serviceAccountName := printf "%s" $envAll.Release.Name }}
{{ tuple $envAll "utility" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: {{ $serviceAccountName }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $serviceAccountName }}
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ .Release.Namespace }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: {{ $serviceAccountName }}
rules:
- apiGroups: ["networking.k8s.io"]
resources: ["networkpolicies"]
verbs: ["list"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: {{ printf "%s" $envAll.Release.Name }}
labels:
{{ tuple $envAll "utility" "ncct-util" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
replicas: {{ .Values.pod.replicas.utility }}
selector:
matchLabels:
{{ tuple $envAll "utility" "ncct-util" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
template:
metadata:
name: {{ printf "%s" $envAll.Release.Name }}
labels:
{{ tuple $envAll "utility" "ncct-util" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
securityContext:
runAsUser: {{ $envAll.Values.pod.sec_context.run_as_user }}
allowPrivilegeEscalation: false
serviceAccountName: {{ $serviceAccountName }}
nodeSelector:
{{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value }}
containers:
- name: {{ printf "%s" $envAll.Release.Name }}
{{ tuple $envAll "ncct_utility" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ncct_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- "bootstrap.sh"
volumeMounts:
- name: ncct-utility-bin-utilscli
mountPath: /usr/local/bin/bootstrap.sh
subPath: bootstrap.sh
readOnly: true
- name: ncct-utility-bin-utilscli
mountPath: /usr/local/bin/utilscli
subPath: utilscli
readOnly: true
- name: ncct-utility-bin
mountPath: /usr/local/bin/ncct-utility-rootwrap
subPath: ncct-utility-rootwrap
readOnly: true
- name: ncct-utility-bin
mountPath: /usr/local/bin/override-oslo-rootwrap-logging.sh
subPath: override-oslo-rootwrap-logging.sh
readOnly: true
- name: ncct-utility-sudoers
mountPath: /etc/sudoers.d/nobody
subPath: utilscli-sudo
readOnly: true
- name: ncct-utility-etc
mountPath: /etc/ncct/rootwrap.d/ncct.filter
subPath: ncct.filter
readOnly: true
- name: ncct-utility-etc
mountPath: /etc/ncct/rootwrap.conf
subPath: rootwrap.conf
readOnly: true
volumes:
- name: ncct-utility-sudoers
configMap:
name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
defaultMode: 0644
- name: ncct-utility-bin
configMap:
name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
defaultMode: 0500
- name: ncct-utility-bin-utilscli
configMap:
name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }}
defaultMode: 0555
- name: ncct-utility-etc
configMap:
name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
defaultMode: 0400
{{- end }}


@ -1,21 +0,0 @@
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "ncct-utility" -}}
{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
{{- end }}


@ -1,133 +0,0 @@
# Copyright 2019 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for ncct-utility.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
images:
tags:
ncct_utility: 'docker.io/alexandervl/ncct-utility:v1'
image_repo_sync: docker.io/docker:17.07.0
pull_policy: IfNotPresent
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
- ncct_utility
pod:
resources:
enabled: true
jobs:
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
utility:
requests:
memory: "100Mi"
cpu: "250m"
limits:
memory: "250Mi"
cpu: "500m"
dns_policy: "ClusterFirstWithHostNet"
replicas:
utility: 1
sec_context:
run_as_user: 65534
release_group: null
labels:
utility:
node_selector_key: util-ncct
node_selector_value: enabled
job:
node_selector_key: openstack-helm-node-class
node_selector_value: primary
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- ncct-utility-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
conf:
ncct_filter:
Filters:
ncct_00: CommandFilter, ncct, root
ncct_rootwrap:
DEFAULT:
# Configuration for ncct-rootwrap
# This file should be owned by (and only-writeable by) the root user
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path: /etc/ncct/rootwrap.d
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs: /sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/tmp
# Enable logging to syslog
# Default value is False
use_syslog: true
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility: syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level: DEBUG
utility:
# Set to true for development sites,
# Set to false otherwise
always_log_user: true
manifests:
configmap_bin: true
configmap_ncct_etc: true
deployment_ncct_utility: true
job_image_repo_sync: false


@ -1,33 +0,0 @@
ARG DOCKER_REGISTRY=quay.io
ARG NCCT_IMAGE_PREFIX=nc/aqua-images-patchset/network-policy
ARG NCCT_SHA256=cc192f2221fa8e7cd562223ef40e27ae92ab6f5a127b11e6a2ddb456f18aac97
ARG NCCT_IMAGE="${DOCKER_REGISTRY}/${NCCT_IMAGE_PREFIX}@sha256:${NCCT_SHA256}"
FROM ${NCCT_IMAGE}
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' \
org.opencontainers.image.url='https://airshipit.org' \
org.opencontainers.image.documentation='https://opendev.org/airship/porthole' \
org.opencontainers.image.source='https://opendev.org/airship/porthole' \
org.opencontainers.image.vendor='The Airship Authors' \
org.opencontainers.image.licenses='Apache-2.0'
RUN export DEBIAN_FRONTEND=noninteractive \
&& apk add dpkg --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main \
&& apk add --update dpkg \
&& sed -i '/nobody/d' /etc/passwd \
&& echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd \
&& touch /var/lib/dpkg/status \
&& apk update \
&& apk add --update \
sudo socat \
python python-dev py-pip build-base \
&& pip install oslo.rootwrap
RUN mv /app /usr/local/bin/ncct \
&& chmod 0750 /usr/local/bin/ncct \
&& chmod 0750 /bin/ncct_agent \
&& chmod 0750 /usr/bin/socat
WORKDIR /tmp
ENTRYPOINT ["/bin/sh", "-c"]


@ -1,36 +0,0 @@
# Copyright 2019 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
SHELL := /bin/bash
DOCKER_REGISTRY ?= quay.io
IMAGE_NAME ?= ncct-utility
IMAGE_PREFIX ?= airship/porthole
IMAGE_TAG ?= latest
OS_RELEASE ?= alpine
IMAGE := $(DOCKER_REGISTRY)/$(IMAGE_PREFIX)/$(IMAGE_NAME):$(IMAGE_TAG)
# Build ncct-utility Docker image for this project
.PHONY: images
images: build_$(IMAGE_NAME)
# Make targets intended for use by the primary targets above.
.PHONY: build_$(IMAGE_NAME)
build_$(IMAGE_NAME):
docker build -f Dockerfile.$(OS_RELEASE) \
--network host \
$(EXTRA_BUILD_ARGS) \
-t $(IMAGE) \
.


@ -146,7 +146,6 @@ For testing purposes:
NAME READY STATUS RESTARTS AGE
clcp-calicoctl-utility-6457864fc8-zpfxk 1/1 Running 0 4h27m
clcp-ncct-utility-6588ff5566-8mqsb 1/1 Running 0 4h27m
clcp-tenant-ceph-utility-7b8f6d45f8-5q4ts 1/1 Running 0 99m
clcp-tenant-ceph-utility-config-ceph-ns-key-generator-hd9rb 0/1 Completed 0 99m
clcp-ucp-ceph-utility-6f4bbd4569-vrm7c 1/1 Running 0 4h11m
@ -162,4 +161,4 @@ For testing purposes:
command terminated with exit code 126
Because the user id entered in the configuration file is not a member in UCP keystone
RBAC to execute into the pod, it's expecting to see "permission denied".
RBAC to execute into the pod, it's expecting to see "permission denied".