From d7675b072e21065fa8a0075f0a5bd152ecc08021 Mon Sep 17 00:00:00 2001
From: dt241s
Date: Wed, 20 May 2020 10:09:44 -0500
Subject: [PATCH] Enable Apparmor to Ceph-rgw Components

This also adds ceph-rgw Apparmor Job.

Change-Id: I09b4e125197602b2e3518b02901e37a4ae1ddc18
---
 ceph-rgw/templates/deployment-rgw.yaml | 1 +
 ceph-rgw/templates/job-bootstrap.yaml | 3 +
 ceph-rgw/templates/job-rgw-storage-init.yaml | 3 +
 ceph-rgw/templates/job-s3-admin.yaml | 3 +
 ceph-rgw/templates/pod-helm-tests.yaml | 2 +-
 ceph-rgw/values_overrides/apparmor.yaml | 29 +++++++++
 .../apparmor/140-ceph-radosgateway.sh | 64 +++++++++++++++++++
 zuul.d/jobs.yaml | 5 ++
 8 files changed, 109 insertions(+), 1 deletion(-)
 create mode 100644 ceph-rgw/values_overrides/apparmor.yaml
 create mode 100755 tools/deployment/apparmor/140-ceph-radosgateway.sh

diff --git a/ceph-rgw/templates/deployment-rgw.yaml b/ceph-rgw/templates/deployment-rgw.yaml
index 19888aff3..88c634d4b 100644
--- a/ceph-rgw/templates/deployment-rgw.yaml
+++ b/ceph-rgw/templates/deployment-rgw.yaml
@@ -51,6 +51,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-client-hash: {{ tuple "configmap-etc-client.yaml" . | include "helm-toolkit.utils.hash" }}
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-rgw" "containerNames" (list "init" "ceph-rgw" "ceph-init-dirs" "ceph-rgw-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "rgw" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-rgw/templates/job-bootstrap.yaml b/ceph-rgw/templates/job-bootstrap.yaml
index c4dddf6f3..073188dcf 100644
--- a/ceph-rgw/templates/job-bootstrap.yaml
+++ b/ceph-rgw/templates/job-bootstrap.yaml
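Review bot: The `containerNames` list handed to `kubernetes_mandatory_access_control_annotation` (`init`, `ceph-rgw`, `ceph-init-dirs`, `ceph-rgw-init`) is maintained by hand, separately from the container and initContainer definitions that follow further down the template, outside this hunk. Because the AppArmor annotation is keyed by container name, a container added to the pod later but not added here only gets whatever profile the runtime applies on its own, and a name listed here that no longer matches a container in the spec is, as far as I recall of the beta-annotation validation, rejected when the pod is created — a failure that only shows up when the Deployment rolls out, not at `helm install`. A template comment would make that coupling explicit: `{{- /* NOTE: containerNames must name every container and initContainer of this pod; the AppArmor annotation is keyed by container name. */}}`.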
@@ -57,6 +57,9 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "ceph" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-rgw-bootstrap" "containerNames" (list "ceph-keyring-placement" "init" "ceph-rgw-bootstrap") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "bootstrap" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-rgw/templates/job-rgw-storage-init.yaml b/ceph-rgw/templates/job-rgw-storage-init.yaml
index 862a19f2f..6a66c62ea 100644
--- a/ceph-rgw/templates/job-rgw-storage-init.yaml
+++ b/ceph-rgw/templates/job-rgw-storage-init.yaml
@@ -55,6 +55,9 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "ceph" "rgw-storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-rgw-storage-init" "containerNames" (list "ceph-keyring-placement" "init" "ceph-rgw-storage-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "rgw_storage_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-rgw/templates/job-s3-admin.yaml b/ceph-rgw/templates/job-s3-admin.yaml
index f6b8d7d55..e8e8db2a6 100644
--- a/ceph-rgw/templates/job-s3-admin.yaml
+++ b/ceph-rgw/templates/job-s3-admin.yaml
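Review bot: The `release_uuid` annotation is newly introduced into this Job's `spec.template.metadata.annotations` (the storage-init hunk on the same line does the same), whereas in the Deployment it was already present; a batch/v1 Job's pod template is immutable once created, so if `release_uuid` changes between releases a `helm upgrade` that patches the Job in place will fail with an immutable-field error unless the chart deletes or recreates its jobs on upgrade — I cannot see from this hunk how the chart handles that, so please confirm before relying on it. If the only goal is to carry the AppArmor annotation, the `release_uuid` line could be dropped from the three Job templates and the `annotations:` key left with just the `kubernetes_mandatory_access_control_annotation` include. The pod template's container definitions start beyond the end of this hunk.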
@@ -59,6 +59,9 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "ceph" "rgw-s3-admin" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "ceph-rgw-s3-admin" "containerNames" (list "ceph-keyring-placement" "init" "create-s3-admin") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "rgw_s3_admin" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-rgw/templates/pod-helm-tests.yaml b/ceph-rgw/templates/pod-helm-tests.yaml
index fc9e65d43..0508c8141 100644
--- a/ceph-rgw/templates/pod-helm-tests.yaml
+++ b/ceph-rgw/templates/pod-helm-tests.yaml
@@ -11,7 +11,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
-
 {{- if and .Values.manifests.helm_tests .Values.deployment.ceph }}
 {{- $envAll := . }}
@@ -26,6 +25,7 @@ metadata:
 {{ tuple $envAll "ceph" "rgw-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 annotations:
 "helm.sh/hook": test-success
+{{ dict "envAll" $envAll "podName" "ceph-rgw-test" "containerNames" (list "ceph-rgw-ks-validation") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
 restartPolicy: Never
 serviceAccountName: {{ $serviceAccountName }}
diff --git a/ceph-rgw/values_overrides/apparmor.yaml b/ceph-rgw/values_overrides/apparmor.yaml
new file mode 100644
index 000000000..9a4ac311f
--- /dev/null
+++ b/ceph-rgw/values_overrides/apparmor.yaml
@@ -0,0 +1,29 @@
+pod:
+ mandatory_access_control:
+ type: apparmor
+ ceph-rgw:
+ init: runtime/default
+ ceph-rgw: runtime/default
+ ceph-init-dirs: runtime/default
+ ceph-rgw-init: runtime/default
+ ceph-rgw-bootstrap:
+ ceph-keyring-placement: runtime/default
+ init: runtime/default
+ ceph-rgw-bootstrap: runtime/default
+ ceph-rgw-storage-init:
+ ceph-keyring-placement: runtime/default
+ init: runtime/default
+ ceph-rgw-storage-init: runtime/default
+ ceph-rgw-s3-admin:
+ ceph-keyring-placement: runtime/default
+ init: runtime/default
+ create-s3-admin: runtime/default
+ ceph-rgw-test:
+ ceph-rgw-ks-validation: runtime/default
+conf:
+ rgw_s3:
+ enabled: true
+bootstrap:
+ enabled: true
+manifests:
+ job_bootstrap: true
\ No newline at end of file
diff --git a/tools/deployment/apparmor/140-ceph-radosgateway.sh b/tools/deployment/apparmor/140-ceph-radosgateway.sh
new file mode 100755
index 000000000..57dd7a6a5
--- /dev/null
+++ b/tools/deployment/apparmor/140-ceph-radosgateway.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -xe
+: ${OSH_INFRA_EXTRA_HELM_ARGS_CEPH_RGW:="$(./tools/deployment/common/get-values-overrides.sh ceph-rgw)"}
+
+#NOTE: Lint and package chart
+: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
+make -C ${OSH_INFRA_PATH} ceph-rgw
+
+#NOTE: Deploy command
+: ${OSH_INFRA_EXTRA_HELM_ARGS:=""}
+tee /tmp/radosgw-openstack.yaml <
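Review bot: Every container in this override is pinned to `runtime/default`, which is the container runtime's generic profile (docker-default or the containerd equivalent), not a profile written for radosgw; it gives baseline confinement (largely blocking mounts, cross-container ptrace and writes under /proc and /sys) but not least privilege for the RGW daemon or for the keyring-handling init containers, and a header comment should say so and mention that a node-loaded profile name can be substituted per container. The annotation mechanism also requires AppArmor to be enabled on every node these pods can be scheduled to, otherwise the kubelet rejects the pod, which is a prerequisite worth stating in the same comment. The override additionally flips `conf.rgw_s3.enabled`, `bootstrap.enabled` and `manifests.job_bootstrap`, functional changes that are not obviously part of enabling AppArmor; a comment such as `# Enable the bootstrap and S3 admin jobs so every annotated pod is exercised in the AppArmor gate` would explain the intent. The file is also missing a trailing newline, per the `\ No newline at end of file` marker.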