Move apparmor to use feature gates

This change refactors the apparmor job to utilize the feature gates system instead of relying on separate scripts. Also disabled barbican running in the apparmor job temporarily until the correct profile gets used and it can deploy succesfully. Change-Id: Iadacd214de3fdb06e4acde4433c5fa86973371d5
2020-01-30 08:37:47 -06:00 · 2020-01-30 08:37:47 -06:00 · a1fc694ae9
commit a1fc694ae9
parent 406ee0065b
9 changed files with 37 additions and 153 deletions
--- a/barbican/values_overrides/apparmor.yaml
+++ b/barbican/values_overrides/apparmor.yaml
@ -0,0 +1,6 @@
+# NOTE: Enable this with the correct policy
+#pod:
+#  mandatory_access_control:
+#    type: apparmor
+#    barbican-api:
+#      barbican-api: localhost/docker-default
--- a/keystone/values_overrides/apparmor.yaml
+++ b/keystone/values_overrides/apparmor.yaml
@ -0,0 +1,5 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    keystone-api-default:
+      keystone-api-default: runtime/default
--- a/neutron/values_overrides/apparmor.yaml
+++ b/neutron/values_overrides/apparmor.yaml
@ -0,0 +1,15 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    neutron-dhcp-agent-default:
+      neutron-dhcp-agent-default: runtime/default
+    neutron-l3-agent-default:
+      neutron-l3-agent-default: runtime/default
+    neutron-lb-agent-default:
+      neutron-lb-agent-default: runtime/default
+    neutron-metadata-agent-default:
+      neutron-metadata-agent-default: runtime/default
+    neutron-ovs-agent-default:
+      neutron-ovs-agent-default: runtime/default
+    neutron-sriov-agent-default:
+      neutron-sriov-agent-default: runtime/default
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@ -45,7 +45,7 @@ spec:
      annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute-default") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
 {{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
--- a/nova/templates/statefulset-compute-ironic.yaml
+++ b/nova/templates/statefulset-compute-ironic.yaml
@ -45,7 +45,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute-default") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
 {{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
--- a/nova/values_overrides/apparmor.yaml
+++ b/nova/values_overrides/apparmor.yaml
@ -0,0 +1,5 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    nova-compute-default:
+      nova-compute: runtime/default
--- a/tools/deployment/apparmor/barbican.sh
+++ b/tools/deployment/apparmor/barbican.sh
@ -1,43 +0,0 @@
-#!/bin/bash
-
-# Copyright 2017 The Openstack-Helm Authors.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-set -xe
-
-#NOTE: Lint and package chart
-make barbican
-
-#NOTE: Deploy barbican
-tee /tmp/barbican.yaml << EOF
-pod:
-  mandatory_access_control:
-    type: apparmor
-    barbican-api:
-      barbican-api: localhost/docker-default
-EOF
-
-#NOTE: Deploy command
-  helm upgrade --install barbican ./barbican \
-      --namespace=openstack \
-      --values=/tmp/barbican.yaml
-      ${OSH_EXTRA_HELM_ARGS} \
-      ${OSH_EXTRA_HELM_ARGS_BARBICAN}
-
-#NOTE: Wait for deploy
-./tools/deployment/common/wait-for-pods.sh openstack
-
-#NOTE: Validate Deployment info
-helm status  barbican
-
-helm test barbican
--- a/tools/deployment/apparmor/compute-kit.sh
+++ b/tools/deployment/apparmor/compute-kit.sh
@ -1,106 +0,0 @@
-#!/bin/bash
-
-# Copyright 2017 The Openstack-Helm Authors.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-set -xe
-
-#NOTE: Lint and package chart
-make nova
-make neutron
-
-#NOTE: Deploy nova
-: ${OSH_EXTRA_HELM_ARGS:=""}
-tee /tmp/nova.yaml << EOF
-conf:
-  ceph:
-    enabled: false
-pod:
-  mandatory_access_control:
-    type: apparmor
-    nova-compute-default:
-      nova-compute-default: localhost/docker-default
-EOF
-if [ "x$(systemd-detect-virt)" == "xnone" ]; then
-  echo 'OSH is not being deployed in virtualized environment'
-  helm upgrade --install nova ./nova \
-      --namespace=openstack \
-      --values=/tmp/nova.yaml \
-      ${OSH_EXTRA_HELM_ARGS} \
-      ${OSH_EXTRA_HELM_ARGS_NOVA}
-else
-  echo 'OSH is being deployed in virtualized environment, using qemu for nova'
-  helm upgrade --install nova ./nova \
-      --namespace=openstack \
-      --set conf.nova.libvirt.virt_type=qemu \
-      --set conf.nova.libvirt.cpu_mode=none \
-      --values=/tmp/nova.yaml
-      ${OSH_EXTRA_HELM_ARGS} \
-      ${OSH_EXTRA_HELM_ARGS_NOVA}
-fi
-
-#NOTE: Deploy neutron
-tee /tmp/neutron.yaml << EOF
-pod:
-  mandatory_access_control:
-    type: apparmor
-    neutron-dhcp-agent-default:
-      neutron-dhcp-agent-default: localhost/docker-default
-    neutron-l3-agent-default:
-      neutron-l3-agent-default: localhost/docker-default
-    neutron-lb-agent-default:
-      neutron-lb-agent-default: localhost/docker-default
-    neutron-metadata-agent-default:
-      neutron-metadata-agent-default: localhost/docker-default
-    neutron-ovs-agent-default:
-      neutron-ovs-agent-default: localhost/docker-default
-    neutron-sriov-agent-default:
-      neutron-sriov-agent-default: localhost/docker-default
-network:
-  interface:
-    tunnel: docker0
-conf:
-  neutron:
-    DEFAULT:
-      l3_ha: False
-      max_l3_agents_per_router: 1
-      l3_ha_network_type: vxlan
-      dhcp_agents_per_network: 1
-  plugins:
-    ml2_conf:
-      ml2_type_flat:
-        flat_networks: public
-    openvswitch_agent:
-      agent:
-        tunnel_types: vxlan
-      ovs:
-        bridge_mappings: public:br-ex
-    linuxbridge_agent:
-      linux_bridge:
-        bridge_mappings: public:br-ex
-EOF
-helm upgrade --install neutron ./neutron \
-    --namespace=openstack \
-    --values=/tmp/neutron.yaml \
-    ${OSH_EXTRA_HELM_ARGS} \
-    ${OSH_EXTRA_HELM_ARGS_NEUTRON}
-
-#NOTE: Wait for deploy
-./tools/deployment/common/wait-for-pods.sh openstack
-
-#NOTE: Validate Deployment info
-export OS_CLOUD=openstack_helm
-openstack service list
-sleep 30 #NOTE(portdirect): Wait for ingress controller to update rules and restart Nginx
-openstack compute service list
-openstack network agent list
--- a/zuul.d/jobs-openstack-helm.yaml
+++ b/zuul.d/jobs-openstack-helm.yaml
@ -245,6 +245,7 @@
        openstack_release: stein
        container_distro_name: ubuntu
        container_distro_version: bionic
+        feature_gates: apparmor
      gate_scripts:
        - ./tools/deployment/common/install-packages.sh
        - ./tools/deployment/common/deploy-k8s.sh
@ -259,8 +260,9 @@
        - ./tools/deployment/component/glance/glance.sh
        - ./tools/deployment/component/compute-kit/openvswitch.sh
        - ./tools/deployment/component/compute-kit/libvirt.sh
-        - ./tools/deployment/apparmor/compute-kit.sh
-        - ./tools/deployment/apparmor/barbican.sh
+        - ./tools/deployment/developer/nfs/160-compute-kit.sh
+        # NOTE: Re-enable barbican once the profile gets sorted out
+        #- ./tools/deployment/component/barbican/barbican.sh
        - ./tools/deployment/developer/common/170-setup-gateway.sh
        - ./tools/deployment/developer/common/900-use-it.sh