From 5c5f1be812728ca043a1172e4fc7a1ea96daa4ef Mon Sep 17 00:00:00 2001
From: "xuxant02@gmail.com"
Date: Thu, 9 Dec 2021 13:35:55 +0545
Subject: [PATCH] Mount Sudoers file for masakari-hostmonitors

masakari hostmonitors needs to run the privsep-helper as root. As masakari monitors runs as masakari-monitors users, sudoers file is added so that privsep-helper can be run as root user without using password.

Change-Id: I3501d8913f4b8b0bf9d7e03c8d411137d9c25a8c
---
 masakari/Chart.yaml | 2 +-
 masakari/templates/configmap-etc.yaml | 1 +
 masakari/templates/daemonset-host-monitor.yaml | 3 +++
 masakari/values.yaml | 5 ++++-
 releasenotes/notes/masakari.yaml | 1 +
 5 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/masakari/Chart.yaml b/masakari/Chart.yaml
index c220995165..2c86004bb4 100644
--- a/masakari/Chart.yaml
+++ b/masakari/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Masakari
 name: masakari
-version: 0.1.2
+version: 0.1.3
 home: https://docs.openstack.org/developer/masakari
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Masakari/OpenStack_Project_masakari_vertical.png
 sources:
diff --git a/masakari/templates/configmap-etc.yaml b/masakari/templates/configmap-etc.yaml
index 3c10e34e9a..58a290ab8d 100644
--- a/masakari/templates/configmap-etc.yaml
+++ b/masakari/templates/configmap-etc.yaml
@@ -132,6 +132,7 @@ data:
 masakari.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.masakari | b64enc }}
 api-paste.ini: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.paste | b64enc }}
 masakarimonitors.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.masakarimonitors | b64enc }}
+ masakari_sudoers: {{ $envAll.Values.conf.masakari_sudoers | b64enc }}
 {{- end }}
 {{- end }}
 {{- if .Values.manifests.configmap_etc }}
diff --git a/masakari/templates/daemonset-host-monitor.yaml b/masakari/templates/daemonset-host-monitor.yaml
index ebbf566346..5dde0862ac 100644
--- a/masakari/templates/daemonset-host-monitor.yaml
+++ b/masakari/templates/daemonset-host-monitor.yaml
@@ -102,6 +102,9 @@ spec:
 - name: masakari-etc
 mountPath: /etc/masakari/masakarimonitors.conf
 subPath: masakarimonitors.conf
+ - name: masakari-etc
+ mountPath: /etc/sudoers.d/masakari_sudoers
+ subPath: masakari_sudoers
 - name: masakarietc
 mountPath: /etc/masakari
 - name: varrun
diff --git a/masakari/values.yaml b/masakari/values.yaml
index 9f867df39e..72af72ed0d 100644
--- a/masakari/values.yaml
+++ b/masakari/values.yaml
@@ -571,6 +571,9 @@ conf:
 disable_ipmi_checks: true
 corosync_multicast_ports: 5405
 pacemaker_node_type: remote
+ masakari_sudoers: |
+ Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin"
+ masakari-monitors ALL=(ALL:ALL) NOPASSWD: /var/lib/openstack/bin/privsep-helper
 # Note(xuxant): Hooks will break the upgrade for helm2
 # Set to false if using helm2.
@@ -602,5 +605,5 @@ manifests:
 pdb_api: true
 # Host Monitors in containers needs pacemaker remote.
 host_monitor: false
- instance_monitor: true
+ instance_monitor: false
 process_monitor: false
diff --git a/releasenotes/notes/masakari.yaml b/releasenotes/notes/masakari.yaml
index a840acba72..49717d9193 100644
--- a/releasenotes/notes/masakari.yaml
+++ b/releasenotes/notes/masakari.yaml
@@ -3,4 +3,5 @@ masakari:
 - 0.1.0 Initial Chart
 - 0.1.1 Seperate node labels for monitors
 - 0.1.2 Added halm hook and fix for hostmonitors to support pacemaker remote
+ - 0.1.3 Mount sudoers file for masakari hostmonitors
 ...
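Review bot: The new `/etc/sudoers.d/masakari_sudoers` mount in daemonset-host-monitor.yaml inherits its ownership and mode from the `masakari-etc` volume, whose definition (and any `defaultMode`) lies outside this hunk. Sudo ignores sudoers.d files that are not owned by root or that are writable by group or others, so confirm the rendered file is root-owned with a mode such as 0440, and that a pod-level `fsGroup`, if set, does not alter that. The mount should also carry `readOnly: true`, to make it explicit that the masakari-monitors user cannot modify its own sudo rule. Whether sudo can elevate at all depends on the container securityContext, which is also outside this hunk.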
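Review bot: The sudoers rule added under `conf.masakari_sudoers` in values.yaml grants more than the commit message asks for: `(ALL:ALL)` allows privsep-helper to be run as any user and group, while the stated need is root only, so `masakari-monitors ALL = (root) NOPASSWD: /var/lib/openstack/bin/privsep-helper` is the narrower form. The `Defaults secure_path=...` line applies to every sudo user in the container; `Defaults:masakari-monitors secure_path=...` would scope it to this account. The rule does not constrain arguments and the secure path includes `/var/lib/openstack/bin`, so it is only as safe as the ownership of that directory. A comment above the key should say that the directory and the helper must be writable by root only.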
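Review bot: The second values.yaml hunk changes the `manifests.instance_monitor` default from `true` to `false`, which neither the commit message nor the 0.1.3 release note mentions and which looks unrelated to the sudoers mount. Deployments that rely on the chart default would presumably stop rendering the instance monitor on upgrade. If the change is intended, it belongs in its own commit or at least in the release note; otherwise restore `instance_monitor: true`.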