Enable Apparmor to Ceph-rgw Components

This also adds ceph-rgw Apparmor Job. Change-Id: I09b4e125197602b2e3518b02901e37a4ae1ddc18
2020-05-20 10:09:44 -05:00 · 2020-05-20 10:09:44 -05:00 · d7675b072e
commit d7675b072e
parent 7703cbbf6a
8 changed files with 109 additions and 1 deletions
--- a/ceph-rgw/templates/deployment-rgw.yaml
+++ b/ceph-rgw/templates/deployment-rgw.yaml
@ -51,6 +51,7 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }}
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-rgw" "containerNames" (list "init" "ceph-rgw" "ceph-init-dirs" "ceph-rgw-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "rgw" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
--- a/ceph-rgw/templates/job-bootstrap.yaml
+++ b/ceph-rgw/templates/job-bootstrap.yaml
@ -57,6 +57,9 @@ spec:
    metadata:
      labels:
 {{ tuple $envAll "ceph" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-rgw-bootstrap" "containerNames" (list "ceph-keyring-placement" "init" "ceph-rgw-bootstrap") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "bootstrap" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
--- a/ceph-rgw/templates/job-rgw-storage-init.yaml
+++ b/ceph-rgw/templates/job-rgw-storage-init.yaml
@ -55,6 +55,9 @@ spec:
    metadata:
      labels:
 {{ tuple $envAll "ceph" "rgw-storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-rgw-storage-init" "containerNames" (list "ceph-keyring-placement" "init" "ceph-rgw-storage-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "rgw_storage_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
--- a/ceph-rgw/templates/job-s3-admin.yaml
+++ b/ceph-rgw/templates/job-s3-admin.yaml
@ -59,6 +59,9 @@ spec:
    metadata:
      labels:
 {{ tuple $envAll "ceph" "rgw-s3-admin" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-rgw-s3-admin" "containerNames" (list "ceph-keyring-placement" "init" "create-s3-admin") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
 {{ dict "envAll" $envAll "application" "rgw_s3_admin" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
--- a/ceph-rgw/templates/pod-helm-tests.yaml
+++ b/ceph-rgw/templates/pod-helm-tests.yaml
@ -11,7 +11,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
-
 {{- if and .Values.manifests.helm_tests .Values.deployment.ceph }}
 {{- $envAll := . }}

@ -26,6 +25,7 @@ metadata:
 {{ tuple $envAll "ceph" "rgw-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
  annotations:
    "helm.sh/hook": test-success
+{{ dict "envAll" $envAll "podName" "ceph-rgw-test" "containerNames" (list "ceph-rgw-ks-validation") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
  restartPolicy: Never
  serviceAccountName: {{ $serviceAccountName }}
--- a/ceph-rgw/values_overrides/apparmor.yaml
+++ b/ceph-rgw/values_overrides/apparmor.yaml
@ -0,0 +1,29 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    ceph-rgw:
+      init: runtime/default
+      ceph-rgw: runtime/default
+      ceph-init-dirs: runtime/default
+      ceph-rgw-init: runtime/default
+    ceph-rgw-bootstrap:
+      ceph-keyring-placement: runtime/default
+      init: runtime/default
+      ceph-rgw-bootstrap: runtime/default
+    ceph-rgw-storage-init:
+      ceph-keyring-placement: runtime/default
+      init: runtime/default
+      ceph-rgw-storage-init: runtime/default
+    ceph-rgw-s3-admin:
+      ceph-keyring-placement: runtime/default
+      init: runtime/default
+      create-s3-admin: runtime/default
+    ceph-rgw-test:
+      ceph-rgw-ks-validation: runtime/default
+conf:
+  rgw_s3:
+   enabled: true
+bootstrap:
+  enabled: true
+manifests:
+  job_bootstrap: true
--- a/tools/deployment/apparmor/140-ceph-radosgateway.sh
+++ b/tools/deployment/apparmor/140-ceph-radosgateway.sh
@ -0,0 +1,64 @@
+#!/bin/bash
+
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+: ${OSH_INFRA_EXTRA_HELM_ARGS_CEPH_RGW:="$(./tools/deployment/common/get-values-overrides.sh ceph-rgw)"}
+
+#NOTE: Lint and package chart
+: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
+make -C ${OSH_INFRA_PATH} ceph-rgw
+
+#NOTE: Deploy command
+: ${OSH_INFRA_EXTRA_HELM_ARGS:=""}
+tee /tmp/radosgw-openstack.yaml <<EOF
+endpoints:
+  identity:
+    namespace: openstack
+  object_store:
+    namespace: openstack
+  ceph_mon:
+    namespace: ceph
+network:
+  public: 172.17.0.1/16
+  cluster: 172.17.0.1/16
+deployment:
+  ceph: true
+  rgw_keystone_user_and_endpoints: true
+bootstrap:
+  enabled: false
+conf:
+  rgw_ks:
+    enabled: true
+pod:
+  replicas:
+    rgw: 1
+EOF
+helm upgrade --install radosgw-openstack ${OSH_INFRA_PATH}/ceph-rgw \
+  --namespace=openstack \
+  --values=/tmp/radosgw-openstack.yaml \
+  ${OSH_INFRA_EXTRA_HELM_ARGS} \
+  ${OSH_INFRA_EXTRA_HELM_ARGS_CEPH_RGW}
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh openstack
+
+#NOTE: Validate Deployment info
+helm status radosgw-openstack
+export OS_CLOUD=openstack_helm
+sleep 60 #NOTE(portdirect): Wait for ingress controller to update rules and restart Nginx
+
+openstack service list
+openstack endpoint list
+
+helm test radosgw-openstack --timeout 900
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@ -341,6 +341,11 @@
        - ./tools/deployment/openstack-support/030-rabbitmq.sh
        - ./tools/deployment/openstack-support/040-memcached.sh
        - ./tools/deployment/openstack-support/050-libvirt.sh
+        - ./tools/deployment/openstack-support/060-openvswitch.sh
+        - ./tools/deployment/openstack-support/070-mariadb.sh
+        - ./tools/deployment/openstack-support/080-setup-client.sh
+        - ./tools/deployment/openstack-support/090-keystone.sh
+        - ./tools/deployment/apparmor/140-ceph-radosgateway.sh

 - job:
    name: openstack-helm-infra-metacontroller