Enable Apparmor for ElasticSearch

Change-Id: Ie7dc4399be4f0a62576e336c1de02810eeb09212

elasticsearch/templates/job-es-cluster-wait.yaml

@@ -34,6 +34,8 @@ spec:
     metadata:
       labels:
 {{ tuple $envAll "elasticsearch" "es_cluster_wait" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "elastic-cluster-wait" "containerNames" (list "elasticsearch-cluster-wait" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "es_cluster_wait" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}

elasticsearch/templates/job-register-snapshot-repository.yaml

@@ -35,6 +35,8 @@ spec:
     metadata:
       labels:
 {{ tuple $envAll "elasticsearch" "snapshot-repository" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "elasticsearch-register-snapshot-repository" "containerNames" (list "register-snapshot-repository" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "snapshot_repository" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}

elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml

@@ -40,6 +40,7 @@ spec:
 {{ tuple $envAll "prometheus-elasticsearch-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
       annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "prometheus-elasticsearch-exporter" "containerNames" (list "elasticsearch-exporter" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}

elasticsearch/values.yaml

@@ -136,14 +136,6 @@ pod:
     client: null
     data: null
     master: null
-  mandatory_access_control:
-    type: apparmor
-    elasticsearch-master:
-      elasticsearch-master: runtime/default
-    elasticsearch-data:
-      elasticsearch-data: runtime/default
-    elasticsearch-client:
-      elasticsearch-client: runtime/default
   security_context:
     exporter:
       pod:

elasticsearch/values_overrides/apparmor.yaml

@@ -0,0 +1,22 @@
+pod:
+  env:
+    client: null
+    data: null
+    master: null
+  mandatory_access_control:
+    type: apparmor
+    elastic-cluster-wait:
+      elasticsearch-cluster-wait: runtime/default
+      init: runtime/default
+    elasticsearch-register-snapshot-repository:
+      register-snapshot-repository: runtime/default
+      init: runtime/default
+    elasticsearch-master:
+      elasticsearch-master: runtime/default
+    elasticsearch-data:
+      elasticsearch-data: runtime/default
+    elasticsearch-client:
+      elasticsearch-client: runtime/default
+    prometheus-elasticsearch-exporter:
+      elasticsearch-exporter: runtime/default
+      init: runtime/default

zuul.d/jobs.yaml

@@ -258,7 +258,7 @@
 - job:
     name: openstack-helm-infra-apparmor
     parent: openstack-helm-infra-functional
-    timeout: 7200
+    timeout: 9600
     pre-run: playbooks/osh-infra-upgrade-host.yaml
     run: playbooks/osh-infra-gate-runner.yaml
     post-run: playbooks/osh-infra-collect-logs.yaml
@@ -285,10 +285,38 @@
         - ./tools/deployment/apparmor/080-grafana.sh
         - ./tools/deployment/apparmor/085-rabbitmq.sh
         - ./tools/deployment/apparmor/095-nagios.sh
-        - ./tools/deployment/apparmor/100-fluentbit.sh
-        - ./tools/deployment/apparmor/110-fluentd-daemonset.sh
         - ./tools/deployment/apparmor/120-openvswitch.sh
         - ./tools/deployment/apparmor/130-postgresql.sh
+- job:
+    name: openstack-helm-infra-aio-logging-apparmor
+    parent: openstack-helm-infra-functional
+    timeout: 7200
+    pre-run:
+      - playbooks/osh-infra-upgrade-host.yaml
+      - playbooks/osh-infra-deploy-selenium.yaml
+    run: playbooks/osh-infra-gate-runner.yaml
+    post-run: playbooks/osh-infra-collect-logs.yaml
+    nodeset: openstack-helm-single-node
+    vars:
+      osh_params:
+        container_distro_name: ubuntu
+        container_distro_version: bionic
+        feature_gates: apparmor
+      gate_scripts:
+        - ./tools/deployment/osh-infra-logging/000-install-packages.sh
+        - ./tools/deployment/osh-infra-logging/005-deploy-k8s.sh
+        - ./tools/deployment/osh-infra-logging/010-ingress.sh
+        - ./tools/deployment/osh-infra-logging/020-ceph.sh
+        - ./tools/deployment/osh-infra-logging/025-ceph-ns-activate.sh
+        - ./tools/deployment/osh-infra-logging/030-radosgw-osh-infra.sh
+        - ./tools/deployment/osh-infra-logging/040-ldap.sh
+        - ./tools/deployment/osh-infra-logging/050-elasticsearch.sh
+        - ./tools/deployment/osh-infra-logging/060-fluentd-daemonset.sh
+        - ./tools/deployment/osh-infra-logging/065-fluentd-deployment.sh
+        - ./tools/deployment/osh-infra-logging/070-kibana.sh
+        - ./tools/deployment/osh-infra-logging/600-kibana-selenium.sh || true
+
+
 
 - job:
     name: openstack-helm-infra-aio-logging-apparmor