From 73531436e975e6091df0f501239159c0df69e3e3 Mon Sep 17 00:00:00 2001
From: Tin Lam
Date: Tue, 19 Oct 2021 22:26:29 -0500
Subject: [PATCH] fix(log): reduces chattiness in keystone log
Current implementation of Keystone prints a warning message if the directory containing the fernet keys is world readable (o+r). As OSH uses a volumeMount to handle fernet keys and is by default readonly, there is no meaningful way to make the directory (not the keys) world unreadable. Consequently, keystone just keep logging that warning, adding no particular value besides flooding the log. Rather than disabling the log message in keystone (as that warning is meaningful from a security standpoint), this patch set changes the way we deal with the secret volume so the directory is no longer world readable, so keystone will stop issuing that warning message.
Signed-off-by: Tin Lam
Change-Id: Id29abe667f5ef0b61da3d3825b5bf795f2d98865
---
 keystone/Chart.yaml | 2 +-
 keystone/templates/deployment-api.yaml | 24 +++++++++++++++++++++++-
 keystone/values.yaml | 3 +++
 releasenotes/notes/keystone.yaml | 1 +
 4 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/keystone/Chart.yaml b/keystone/Chart.yaml
index 64c600a0cc..37c73f8e73 100644
--- a/keystone/Chart.yaml
+++ b/keystone/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Keystone
 name: keystone
-version: 0.2.14
+version: 0.2.15
 home: https://docs.openstack.org/keystone/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
 sources:
diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml
index f4154932e2..b9f5701f7b 100644
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@@ -61,6 +61,23 @@ spec:
 terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
 initContainers:
 {{ tuple $envAll "api" $mounts_keystone_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: link-keys
+ image: {{ .Values.images.tags.keystone_api }}
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ - -c
+ args:
+ - set -xe; find /etc/keystone/mounted-keys -type l -exec ln -sfn {} {{ .Values.conf.keystone.fernet_tokens.key_repository }} \; ; chmod o-wrx {{ .Values.conf.keystone.fernet_tokens.key_repository }} ;
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: keystone-fernet-keys
+ mountPath: /etc/keystone/mounted-keys
+ - name: post-keystone-fernet-keys
+ mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
 containers:
 - name: keystone-api
 {{ tuple $envAll "keystone_api" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -143,6 +160,8 @@ spec:
 {{- end }}
 {{- if eq .Values.conf.keystone.token.provider "fernet" }}
 - name: keystone-fernet-keys
+ mountPath: /etc/keystone/mounted-keys
+ - name: post-keystone-fernet-keys
 mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
 {{- end }}
 - name: keystone-credential-keys
@@ -171,7 +190,7 @@ spec:
 - name: keystone-etc
 secret:
 secretName: keystone-etc
- defaultMode: 0444
+ defaultMode: 0440
 - name: keystone-bin
 configMap:
 name: keystone-bin
@@ -182,9 +201,12 @@ spec:
 secretName: keystone-ldap-tls
 {{- end }}
 {{- if eq .Values.conf.keystone.token.provider "fernet" }}
+ - name: post-keystone-fernet-keys
+ emptyDir: {}
 - name: keystone-fernet-keys
 secret:
 secretName: keystone-fernet-keys
+ defaultMode: 0440
 {{- end }}
 - name: keystone-credential-keys
 secret:
diff --git a/keystone/values.yaml b/keystone/values.yaml
index 5f0e7aa1f8..4b04dcdf8d 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
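Review bot: The `link-keys` init container is emitted unconditionally, but the two volumes it mounts, `keystone-fernet-keys` and `post-keystone-fernet-keys`, are only declared inside `{{- if eq .Values.conf.keystone.token.provider "fernet" }}` in the volumes hunk further down, so with any other token provider the rendered pod has volumeMounts that reference undefined volumes and the Deployment fails API validation; wrap the init container in the same guard. It also bypasses the chart's helpers: it hard-codes `image:` and `imagePullPolicy: IfNotPresent` where the keystone-api container just below uses `{{ tuple $envAll "keystone_api" | include "helm-toolkit.snippets.image" | indent 10 }}`, and its root `securityContext` carries neither `allowPrivilegeEscalation: false` nor `readOnlyRootFilesystem: true`, which the values.yaml hunk shows is the chart's convention (the emptyDir mount stays writable under a read-only rootfs). Lastly, with `-exec … \;` a failing `ln` does not alter `find`'s exit status, so the `set -e` on this line will not catch a broken link step.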
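Review bot: The `mountPath: /etc/keystone/mounted-keys` added here must stay identical to the path the `link-keys` init container both mounts and walks with `find`, because the symlinks it writes into the key repository are absolute paths into that directory and are dereferenced by the api container at runtime; the literal now appears three times in this template with nothing tying them together. Hoist it once near the top of the file, e.g. `{{- $mountedKeys := "/etc/keystone/mounted-keys" }}`, and use `mountPath: {{ $mountedKeys }}` in both containers, or at minimum add `# must match the link-keys init container mount` beside this line. The enclosing volumeMounts list starts before this hunk.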
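Review bot: Tightening `defaultMode` from 0444 to 0440 leaves the keystone-etc files readable only by root and the volume's group, so the api process (uid 42424) now depends on the pod-level `fsGroup: 42424` that this same change adds under `pod: keystone: pod:` in values.yaml; an operator override of that block that omits fsGroup surfaces as a permission error at keystone start-up rather than at render time. The `defaultMode: 0440` added to `keystone-fernet-keys` in the last hunk of this file has the same dependency. A comment on both lines, `# 0440: readable by owner (root) and fsGroup only; requires the pod-level fsGroup in values.yaml`, would make the coupling visible to whoever next edits the security context.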
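Review bot: `post-keystone-fernet-keys` is declared as a bare `emptyDir: {}` with no explanation of why a writable scratch volume is needed next to a read-only secret, and a reader may assume fernet key material is being copied onto the node's disk. As far as the `link-keys` init container shows, only symlinks into the secret mount are placed there, the point being that a directory under the chart's control can be `chmod o-wrx` while a secret volume cannot. Suggest `# scratch dir that holds only symlinks into keystone-fernet-keys; exists so the key repository can be made non-world-readable` above the emptyDir line. The enclosing volumes list starts before this hunk.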
@@ -163,10 +163,13 @@ pod:
 keystone:
 pod:
 runAsUser: 42424
+ fsGroup: 42424
 container:
 keystone_api:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
+ runAsGroup: 42424
+ fsGroup: 42424
 credential_setup:
 pod:
 runAsUser: 42424
diff --git a/releasenotes/notes/keystone.yaml b/releasenotes/notes/keystone.yaml
index 4221d9f6a3..4f0212c9f4 100644
--- a/releasenotes/notes/keystone.yaml
+++ b/releasenotes/notes/keystone.yaml
@@ -30,4 +30,5 @@ keystone:
 - 0.2.12 Helm 3 - Fix Job Labels
 - 0.2.13 Helm 3 - Fix more Job Labels
 - 0.2.14 Update htk requirements repo
+ - 0.2.15 Reduce log chattiness
 ...
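Review bot: `fsGroup: 42424` is added under `container: keystone_api:` next to `runAsGroup`, but `fsGroup` exists only in the pod-level securityContext; a container securityContext has no such field, so this entry is either rejected under strict API field validation or silently dropped, depending on the cluster version and on how the chart's container security-context snippet renders the block. The pod-level `fsGroup: 42424` added three lines above is the one that takes effect and is what lets the 0440 secret mounts be read by uid 42424, so drop the container-level copy and keep only `runAsGroup: 42424` there.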