From 1871b830af5797abf313e2c21a1cf6b8601a1385 Mon Sep 17 00:00:00 2001 From: "dt241s@att.com" Date: Thu, 5 Mar 2020 22:01:03 +0000 Subject: [PATCH] Enable Apparmor for ElasticSearch Change-Id: Ie7dc4399be4f0a62576e336c1de02810eeb09212 --- .../templates/job-es-cluster-wait.yaml | 2 ++ .../job-register-snapshot-repository.yaml | 2 ++ .../prometheus/exporter-deployment.yaml | 1 + elasticsearch/values.yaml | 8 ----- elasticsearch/values_overrides/apparmor.yaml | 22 ++++++++++++ zuul.d/jobs.yaml | 34 +++++++++++++++++-- 6 files changed, 58 insertions(+), 11 deletions(-) create mode 100644 elasticsearch/values_overrides/apparmor.yaml diff --git a/elasticsearch/templates/job-es-cluster-wait.yaml b/elasticsearch/templates/job-es-cluster-wait.yaml index 235b3bdef..391a9c2b5 100644 --- a/elasticsearch/templates/job-es-cluster-wait.yaml +++ b/elasticsearch/templates/job-es-cluster-wait.yaml @@ -34,6 +34,8 @@ spec: metadata: labels: {{ tuple $envAll "elasticsearch" "es_cluster_wait" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ dict "envAll" $envAll "podName" "elastic-cluster-wait" "containerNames" (list "elasticsearch-cluster-wait" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "es_cluster_wait" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} diff --git a/elasticsearch/templates/job-register-snapshot-repository.yaml b/elasticsearch/templates/job-register-snapshot-repository.yaml index 6472fe861..580d8ef35 100644 --- a/elasticsearch/templates/job-register-snapshot-repository.yaml +++ b/elasticsearch/templates/job-register-snapshot-repository.yaml 
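Review bot: The container names in `(list "elasticsearch-cluster-wait" "init" )` are string literals that have to match the names the pod spec gives its containers further down this template, which is outside the hunk. As far as I recall the API server validates AppArmor annotations against the pod's container names, so a mismatch would make the Job's pod template invalid rather than silently skipping the profile, and that only surfaces in gates run with `feature_gates: apparmor`. The job-register-snapshot-repository and exporter-deployment hunks carry the same coupling with `register-snapshot-repository` and `elasticsearch-exporter`. A template comment above the new line, `{{/* container names must match the containers declared below and the keys in values_overrides/apparmor.yaml */}}`, would make the dependency visible to the next editor.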
@@ -35,6 +35,8 @@ spec: metadata: labels: {{ tuple $envAll "elasticsearch" "snapshot-repository" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ dict "envAll" $envAll "podName" "elasticsearch-register-snapshot-repository" "containerNames" (list "register-snapshot-repository" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "snapshot_repository" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} diff --git a/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml b/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml index 88caad0b0..2712e4a1a 100644 --- a/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml +++ b/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml @@ -40,6 +40,7 @@ spec: {{ tuple $envAll "prometheus-elasticsearch-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} annotations: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} +{{ dict "envAll" $envAll "podName" "prometheus-elasticsearch-exporter" "containerNames" (list "elasticsearch-exporter" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} spec: {{ dict "envAll" $envAll "application" "exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml index 03b6e4918..7252d71fd 100644 --- a/elasticsearch/values.yaml +++ b/elasticsearch/values.yaml 
@@ -136,14 +136,6 @@ pod: client: null data: null master: null - mandatory_access_control: - type: apparmor - elasticsearch-master: - elasticsearch-master: runtime/default - elasticsearch-data: - elasticsearch-data: runtime/default - elasticsearch-client: - elasticsearch-client: runtime/default security_context: exporter: pod: diff --git a/elasticsearch/values_overrides/apparmor.yaml b/elasticsearch/values_overrides/apparmor.yaml new file mode 100644 index 000000000..668261d58 --- /dev/null +++ b/elasticsearch/values_overrides/apparmor.yaml @@ -0,0 +1,22 @@ +pod: + env: + client: null + data: null + master: null + mandatory_access_control: + type: apparmor + elastic-cluster-wait: + elasticsearch-cluster-wait: runtime/default + init: runtime/default + elasticsearch-register-snapshot-repository: + register-snapshot-repository: runtime/default + init: runtime/default + elasticsearch-master: + elasticsearch-master: runtime/default + elasticsearch-data: + elasticsearch-data: runtime/default + elasticsearch-client: + elasticsearch-client: runtime/default + prometheus-elasticsearch-exporter: + elasticsearch-exporter: runtime/default + init: runtime/default diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 4ec50b107..5570510b0 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -258,7 +258,7 @@ - job: name: openstack-helm-infra-apparmor parent: openstack-helm-infra-functional - timeout: 7200 + timeout: 9600 pre-run: playbooks/osh-infra-upgrade-host.yaml run: playbooks/osh-infra-gate-runner.yaml post-run: playbooks/osh-infra-collect-logs.yaml 
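Review bot: Removing `mandatory_access_control` from values.yaml changes the default security posture: a plain install no longer requests the `runtime/default` AppArmor profile for the elasticsearch-master, elasticsearch-data and elasticsearch-client pods, and the profile is applied only when `values_overrides/apparmor.yaml` is passed. If making AppArmor opt-in is intended so the chart matches the feature-gate layout, a comment at the removed location, `# AppArmor profiles are opt-in via values_overrides/apparmor.yaml`, would keep the next reader from treating this as a lost default. If it is not intended, the existing block could stay here and the override file only add the cluster-wait, snapshot-repository and exporter entries.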
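Review bot: The `env:` block with `client`, `data` and `master` set to `null` repeats what values.yaml already holds (visible as context in the values.yaml hunk) and has nothing to do with mandatory access control, so the override would be clearer without it. The pod key `elastic-cluster-wait` is also the only one without the `elasticsearch-` prefix; it works because job-es-cluster-wait.yaml passes the same literal as `podName`, but naming both `elasticsearch-cluster-wait` keeps the override and the templates greppable by one prefix. Starting the new file with `---` would also satisfy yamllint's document-start check.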
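Review bot: The raise to `timeout: 9600` for openstack-helm-infra-apparmor is not accounted for by the rest of this change: the following hunk in this file removes 100-fluentbit.sh and 110-fluentd-daemonset.sh from that job's gate_scripts and gives the new logging job its own 7200 budget, so this job runs less work than before. If the extra time is needed because an existing step of this job runs longer once AppArmor annotations are in place, a comment above the key, `# raised from 7200 for the apparmor feature-gate run`, or a sentence in the commit message would record that; otherwise 7200 could stay.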
@@ -285,10 +285,38 @@ - ./tools/deployment/apparmor/080-grafana.sh - ./tools/deployment/apparmor/085-rabbitmq.sh - ./tools/deployment/apparmor/095-nagios.sh - - ./tools/deployment/apparmor/100-fluentbit.sh - - ./tools/deployment/apparmor/110-fluentd-daemonset.sh - ./tools/deployment/apparmor/120-openvswitch.sh - ./tools/deployment/apparmor/130-postgresql.sh +- job: + name: openstack-helm-infra-aio-logging-apparmor + parent: openstack-helm-infra-functional + timeout: 7200 + pre-run: + - playbooks/osh-infra-upgrade-host.yaml + - playbooks/osh-infra-deploy-selenium.yaml + run: playbooks/osh-infra-gate-runner.yaml + post-run: playbooks/osh-infra-collect-logs.yaml + nodeset: openstack-helm-single-node + vars: + osh_params: + container_distro_name: ubuntu + container_distro_version: bionic + feature_gates: apparmor + gate_scripts: + - ./tools/deployment/osh-infra-logging/000-install-packages.sh + - ./tools/deployment/osh-infra-logging/005-deploy-k8s.sh + - ./tools/deployment/osh-infra-logging/010-ingress.sh + - ./tools/deployment/osh-infra-logging/020-ceph.sh + - ./tools/deployment/osh-infra-logging/025-ceph-ns-activate.sh + - ./tools/deployment/osh-infra-logging/030-radosgw-osh-infra.sh + - ./tools/deployment/osh-infra-logging/040-ldap.sh + - ./tools/deployment/osh-infra-logging/050-elasticsearch.sh + - ./tools/deployment/osh-infra-logging/060-fluentd-daemonset.sh + - ./tools/deployment/osh-infra-logging/065-fluentd-deployment.sh + - ./tools/deployment/osh-infra-logging/070-kibana.sh + - ./tools/deployment/osh-infra-logging/600-kibana-selenium.sh || true + + - job: name: openstack-helm-infra-aio-logging-apparmor