From 1ba6ec05b6c23207fc191ddd6d4b627b7b82aaa0 Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Wed, 12 Apr 2017 01:18:20 -0500
Subject: [PATCH] Nova: Update volume mount params
This commit update the volume mounts in pods to ensure:
* Config files and scripts are mounted readonly
* volume mounts added for bootstrap job
Co-Authored-By: Larry Rensing
Change-Id: I1e89419858c0f72b705ad9b7968ec01bfaab5740
---
nova/templates/daemonset-compute.yaml | 8 ++++++++
nova/templates/daemonset-libvirt.yaml | 10 ++++++++++
nova/templates/deployment-api-metadata.yaml | 5 +++++
nova/templates/deployment-api-osapi.yaml | 5 +++++
nova/templates/deployment-conductor.yaml | 1 +
nova/templates/deployment-consoleauth.yaml | 1 +
nova/templates/deployment-scheduler.yaml | 1 +
nova/templates/job-bootstrap.yaml | 14 ++++++++++----
nova/templates/job-db-sync.yaml | 12 +++++++++---
nova/values.yaml | 3 +++
10 files changed, 53 insertions(+), 7 deletions(-)
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
index 03177a9659..cc21122928 100644
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@@ -63,15 +63,23 @@ spec: - name: nova-etc mountPath: /etc/nova/nova.conf subPath: nova.conf + readOnly: true + - name: nova-etc + mountPath: /etc/nova/api-paste.ini + subPath: api-paste.ini + readOnly: true - name: nova-etc mountPath: /etc/resolv.conf subPath: resolv.conf + readOnly: true - name: nova-etc mountPath: /etc/ceph/ceph.conf subPath: ceph.conf + readOnly: true - name: nova-etc mountPath: /etc/ceph/ceph.client.keyring subPath: ceph.client.keyring + readOnly: true - mountPath: /lib/modules name: libmodules readOnly: true
diff --git a/nova/templates/daemonset-libvirt.yaml b/nova/templates/daemonset-libvirt.yaml
index 7fc8646be6..e112c1b08d 100644
--- a/nova/templates/daemonset-libvirt.yaml
+++ b/nova/templates/daemonset-libvirt.yaml
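Review bot: The four added lines mounting `api-paste.ini` from `nova-etc` put the API paste pipeline into the nova-compute pod although nothing in this hunk shows a consumer for it, and the same mount is added to the libvirt daemonset in the next hunk. The paste configuration is only meaningful to the API services, so unless a process in these pods actually reads it, this widens the configuration each pod can see for no functional gain; either drop the mount here and in libvirt, or add a comment naming the reader, e.g. `# api-paste.ini read by <consumer> -- confirm`. The `readOnly: true` additions on the existing subPath mounts are the right change. The container spec continues outside the hunk.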
@@ -60,15 +60,23 @@ spec: - name: nova-etc mountPath: /etc/libvirt/libvirtd.conf subPath: libvirtd.conf + readOnly: true - name: nova-bin mountPath: /tmp/libvirt.sh subPath: libvirt.sh + readOnly: true - name: nova-etc mountPath: /etc/nova/nova.conf subPath: nova.conf + readOnly: true + - name: nova-etc + mountPath: /etc/nova/api-paste.ini + subPath: api-paste.ini + readOnly: true - name: nova-etc mountPath: /etc/resolv.conf subPath: resolv.conf + readOnly: true - mountPath: /lib/modules name: libmodules readOnly: true
@@ -84,9 +92,11 @@ spec: - name: nova-etc mountPath: /etc/ceph/ceph.conf subPath: ceph.conf + readOnly: true - name: nova-etc mountPath: /etc/ceph/ceph.client.keyring subPath: ceph.client.keyring + readOnly: true {{- end }} {{ if $mounts_nova_libvirt.volumeMounts }}{{ toYaml $mounts_nova_libvirt.volumeMounts | indent 12 }}{{ end }} volumes:
diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml
index e6a2244ad3..c0eb414de5 100644
--- a/nova/templates/deployment-api-metadata.yaml
+++ b/nova/templates/deployment-api-metadata.yaml
@@ -73,6 +73,11 @@ spec: - name: nova-etc mountPath: /etc/nova/nova.conf subPath: nova.conf + readOnly: true + - name: nova-etc + mountPath: /etc/nova/api-paste.ini + subPath: api-paste.ini + readOnly: true {{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }} volumes: - name: nova-etc
diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml
index 2312ec8f05..2dde6a95dc 100644
--- a/nova/templates/deployment-api-osapi.yaml
+++ b/nova/templates/deployment-api-osapi.yaml
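Review bot: In the second libvirt hunk, `readOnly: true` on the `/etc/ceph/ceph.client.keyring` mount prevents writes but does not change where the keyring comes from: the `nova-etc` volume, which the job templates in this same patch declare as a `configMap`. If the daemonset's `volumes:` section (outside the hunk) defines `nova-etc` the same way, a Ceph credential is being distributed through a ConfigMap instead of a Secret, so it is visible to anyone with ConfigMap read access in the namespace and is not handled by Secret-specific controls. Worth a follow-up that sources the keyring from a Secret-backed volume, and until then a comment on the mount: `# keyring comes from ConfigMap nova-etc; move to a Secret -- TODO`. The compute daemonset's keyring mount in the first hunk has the same issue.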
@@ -72,6 +72,11 @@ spec: - name: nova-etc mountPath: /etc/nova/nova.conf subPath: nova.conf + readOnly: true + - name: nova-etc + mountPath: /etc/nova/api-paste.ini + subPath: api-paste.ini + readOnly: true {{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }} volumes: - name: nova-etc
diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml
index c885108764..ae14c9c87a 100644
--- a/nova/templates/deployment-conductor.yaml
+++ b/nova/templates/deployment-conductor.yaml
@@ -64,6 +64,7 @@ spec: - name: nova-etc mountPath: /etc/nova/nova.conf subPath: nova.conf + readOnly: true {{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }} volumes: - name: nova-etc
diff --git a/nova/templates/deployment-consoleauth.yaml b/nova/templates/deployment-consoleauth.yaml
index 1cc2801137..ea48466de5 100644
--- a/nova/templates/deployment-consoleauth.yaml
+++ b/nova/templates/deployment-consoleauth.yaml
@@ -65,6 +65,7 @@ spec: - name: nova-etc mountPath: /etc/nova/nova.conf subPath: nova.conf + readOnly: true {{ if $mounts_nova_consoleauth.volumeMounts }}{{ toYaml $mounts_nova_consoleauth.volumeMounts | indent 12 }}{{ end }} volumes: - name: nova-etc
diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml
index b45cf70c7b..4dc1cdccf2 100644
--- a/nova/templates/deployment-scheduler.yaml
+++ b/nova/templates/deployment-scheduler.yaml
@@ -65,6 +65,7 @@ spec: - name: nova-etc mountPath: /etc/nova/nova.conf subPath: nova.conf + readOnly: true {{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }} volumes: - name: nova-etc
diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml
index 40dfc917e2..59c31836eb 100644
--- a/nova/templates/job-bootstrap.yaml
+++ b/nova/templates/job-bootstrap.yaml
@@ -15,6 +15,8 @@ {{- $envAll := . }} {{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "nova-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.bootstrap }} +{{- $mounts_nova_bootstrap := .Values.mounts.nova_bootstrap.nova_bootstrap }} +{{- $mounts_nova_bootstrap_init := .Values.mounts.nova_bootstrap.init_container }} apiVersion: batch/v1 kind: Job metadata:
@@ -24,7 +26,7 @@ spec: metadata: annotations: pod.beta.kubernetes.io/init-containers: '[ -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }} +{{ tuple $envAll $dependencies $mounts_nova_bootstrap_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }} ]' spec: restartPolicy: OnFailure
@@ -51,12 +53,15 @@ spec: {{- include "helm-toolkit.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} volumeMounts: - - name: novaconf - mountPath: /etc/nova/nova.conf - subPath: nova.conf - name: nova-bin mountPath: /tmp/bootstrap.sh subPath: bootstrap.sh + readOnly: true + - name: novaconf + mountPath: /etc/nova/nova.conf + subPath: nova.conf + readOnly: true +{{ if $mounts_nova_bootstrap.volumeMounts }}{{ toYaml $mounts_nova_bootstrap.volumeMounts | indent 12 }}{{ end }} volumes: - name: novaconf configMap:
@@ -64,3 +69,4 @@ spec: - name: nova-bin configMap: name: nova-bin +{{ if $mounts_nova_bootstrap.volumes }}{{ toYaml $mounts_nova_bootstrap.volumes | indent 8 }}{{ end }}
diff --git a/nova/templates/job-db-sync.yaml b/nova/templates/job-db-sync.yaml
index 88bd42f8f9..84876c19a5 100644
--- a/nova/templates/job-db-sync.yaml
+++ b/nova/templates/job-db-sync.yaml
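Review bot: The user-supplied mounts hook (`{{ if $mounts_nova_bootstrap.volumeMounts }}…` in the third hunk and the matching `volumes` line in the fourth) is added to the bootstrap job only; job-db-sync is edited by this same patch but gets no equivalent hook, so the two jobs now diverge in what operators can override. The values.yaml hunk adds `nova_bootstrap:` as a bare key, so `$mounts_nova_bootstrap` is null unless overridden; this mirrors the existing `nova_scheduler:` entry and presumably renders the same way, but nothing documents the expected shape, so a comment in values.yaml such as `# nova_bootstrap: optional extra volumeMounts/volumes for the bootstrap job` would help. The `readOnly: true` on the `bootstrap.sh` and `nova.conf` mounts is the right change.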
@@ -46,13 +46,19 @@ spec: - bash - /tmp/db-sync.sh volumeMounts: - - name: novaconf - mountPath: /etc/nova/nova.conf - subPath: nova.conf - name: nova-bin mountPath: /tmp/db-sync.sh subPath: db-sync.sh + readOnly: true + - name: etcnova + mountPath: /etc/nova + - name: novaconf + mountPath: /etc/nova/nova.conf + subPath: nova.conf + readOnly: true volumes: + - name: etcnova + emptyDir: {} - name: novaconf configMap: name: nova-etc
diff --git a/nova/values.yaml b/nova/values.yaml
index 96c528983d..b8a9ec700b 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -214,6 +214,9 @@ mounts: nova_scheduler: init_container: null nova_scheduler: + nova_bootstrap: + init_container: null + nova_bootstrap: conf: paste:
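Review bot: The new `etcnova` volume (`emptyDir: {}`) mounted at `/etc/nova` makes the whole configuration directory writable in the db-sync container and hides whatever the image ships there, which runs against the read-only intent stated in the commit message and is not explained anywhere in the hunk. If db-sync genuinely needs a writable `/etc/nova`, with `nova.conf` layered on top as a read-only subPath, say so on the mount, e.g. `# writable /etc/nova needed by db-sync; nova.conf is layered read-only below -- confirm`; otherwise drop the emptyDir and keep only the read-only `nova.conf` subPath, as the deployments in this patch do. The container spec starts before the hunk.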