fix(log): reduces chattiness in keystone log

Current implementation of Keystone prints a warning message if the
directory containing the fernet keys is world readable (o+r). As OSH
uses a volumeMount to handle fernet keys and is by default readonly,
there is no meaningful way to make the directory (not the keys) world
unreadable. Consequently, keystone just keep logging that warning,
adding no particular value besides flooding the log.

Rather than disabling the log message in keystone (as that warning is
meaningful from a security standpoint), this patch set changes the way
we deal with the secret volume so the directory is no longer world
readable, so keystone will stop issuing that warning message.

Signed-off-by: Tin Lam <t@lam.wtf>
Change-Id: Id29abe667f5ef0b61da3d3825b5bf795f2d98865

keystone/Chart.yaml

@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Keystone
 name: keystone
-version: 0.2.14
+version: 0.2.15
 home: https://docs.openstack.org/keystone/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
 sources:

keystone/templates/deployment-api.yaml

@@ -61,6 +61,23 @@ spec:
       terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
       initContainers:
 {{ tuple $envAll "api" $mounts_keystone_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: link-keys
+          image: {{ .Values.images.tags.keystone_api }}
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+          args:
+            - set -xe;
+              find /etc/keystone/mounted-keys -type l -exec ln -sfn {} {{ .Values.conf.keystone.fernet_tokens.key_repository }} \; ;
+              chmod o-wrx {{ .Values.conf.keystone.fernet_tokens.key_repository }} ;
+          securityContext:
+            runAsUser: 0
+          volumeMounts:
+            - name: keystone-fernet-keys
+              mountPath: /etc/keystone/mounted-keys
+            - name: post-keystone-fernet-keys
+              mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
       containers:
         - name: keystone-api
 {{ tuple $envAll "keystone_api" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -143,6 +160,8 @@ spec:
 {{- end }}
 {{- if eq .Values.conf.keystone.token.provider "fernet" }}
             - name: keystone-fernet-keys
+              mountPath: /etc/keystone/mounted-keys
+            - name: post-keystone-fernet-keys
               mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
 {{- end }}
             - name: keystone-credential-keys
@@ -171,7 +190,7 @@ spec:
         - name: keystone-etc
           secret:
             secretName: keystone-etc
-            defaultMode: 0444
+            defaultMode: 0440
         - name: keystone-bin
           configMap:
             name: keystone-bin
@@ -182,9 +201,12 @@ spec:
             secretName: keystone-ldap-tls
 {{- end }}
 {{- if eq .Values.conf.keystone.token.provider "fernet" }}
+        - name: post-keystone-fernet-keys
+          emptyDir: {}
         - name: keystone-fernet-keys
           secret:
             secretName: keystone-fernet-keys
+            defaultMode: 0440
 {{- end }}
         - name: keystone-credential-keys
           secret:

keystone/values.yaml

@@ -163,10 +163,13 @@ pod:
     keystone:
       pod:
         runAsUser: 42424
+        fsGroup: 42424
       container:
         keystone_api:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+          runAsGroup: 42424
+          fsGroup: 42424
     credential_setup:
       pod:
         runAsUser: 42424

releasenotes/notes/keystone.yaml

@@ -30,4 +30,5 @@ keystone:
   - 0.2.12 Helm 3 - Fix Job Labels
   - 0.2.13 Helm 3 - Fix more Job Labels
   - 0.2.14 Update htk requirements repo
+  - 0.2.15 Reduce log chattiness
 ...