Move apparmor to use feature gates
This change refactors the apparmor job to use the feature-gates system instead of relying on separate per-job scripts. Barbican is also temporarily disabled in the apparmor job until the correct profile is used and it can deploy successfully. Change-Id: Iadacd214de3fdb06e4acde4433c5fa86973371d5
parent
406ee0065b
commit
a1fc694ae9
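--- a/barbican/values_overrides/apparmor.yaml
+++ b/barbican/values_overrides/apparmor.yaml
@@ -0,0 +1,6 @@
+# NOTE: Enable this with the correct policy
+#pod:
+#  mandatory_access_control:
+#    type: apparmor
+#    barbican-api:
+#      barbican-api: localhost/docker-default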
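Review bot: The file is entirely commented out, so under `feature_gates: apparmor` the barbican pods get no mandatory_access_control annotation at all, and re-enabling `barbican.sh` in the job list without also uncommenting these keys would turn the job green while confining nothing. The stub still names `localhost/docker-default`, the profile every other override in this change moved away from in favour of `runtime/default`; unless barbican needs a profile the runtime default cannot supply, `barbican-api: runtime/default` is the obvious thing to try first. I would also widen the NOTE to say what actually failed, e.g. `# NOTE: disabled - barbican-api did not deploy under localhost/docker-default on the gate nodes; re-enable once a working profile is chosen`, since "the correct policy" gives the next person nothing to go on.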
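--- a/keystone/values_overrides/apparmor.yaml
+++ b/keystone/values_overrides/apparmor.yaml
@@ -0,0 +1,5 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    keystone-api-default:
+      keystone-api-default: runtime/default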
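Review bot: `runtime/default` selects the container runtime's stock profile (docker-default under Docker, containerd's generated default under containerd), not a keystone-specific policy, so this override mostly makes the default explicit; a comment would stop readers assuming keystone has a tailored profile, e.g. `# runtime/default: the CRI's built-in profile. Replace with localhost/<name> once a keystone-specific profile exists.`. As far as I recall the kubelet refuses to admit a pod carrying an AppArmor annotation on a node where AppArmor is not enabled, so this file also makes the apparmor job depend on AppArmor being active on the gate nodes — intended here, but worth recording in the same comment.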
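--- a/neutron/values_overrides/apparmor.yaml
+++ b/neutron/values_overrides/apparmor.yaml
@@ -0,0 +1,15 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    neutron-dhcp-agent-default:
+      neutron-dhcp-agent-default: runtime/default
+    neutron-l3-agent-default:
+      neutron-l3-agent-default: runtime/default
+    neutron-lb-agent-default:
+      neutron-lb-agent-default: runtime/default
+    neutron-metadata-agent-default:
+      neutron-metadata-agent-default: runtime/default
+    neutron-ovs-agent-default:
+      neutron-ovs-agent-default: runtime/default
+    neutron-sriov-agent-default:
+      neutron-sriov-agent-default: runtime/default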
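Review bot: Several of these agents (ovs, l3, dhcp, sriov) typically run as privileged containers in this chart, and both Docker and containerd skip applying their default profile to privileged containers when the request is only `runtime/default`, so these annotations can be accepted by the API server and still leave the agent unconfined. I can't see the agent security contexts from this file, but before this job is treated as evidence of confinement the gate should check `cat /proc/1/attr/current` in each agent container and expect something like `docker-default (enforce)` rather than `unconfined`. A comment listing which of these six pods are actually confined, or pointing at that check, would make the override honest about what it enforces.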
@ -45,7 +45,7 @@ spec:
|
|||||||
annotations:
|
annotations:
|
||||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute-default") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
serviceAccountName: {{ $serviceAccountName }}
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||||
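Review bot: The container name in the annotation list now has to match three things at once — the container's `name:` in this daemonset (outside the hunk), the `podName` key and the key under it in `values_overrides/apparmor.yaml` (`nova-compute-default` / `nova-compute`) — and the old `nova-compute-default` entry presumably referred to a container that did not exist, which I believe the API server rejects with "container not found". That coupling is easy to break on the next rename, so a one-line comment beside this call such as `# containerNames must match the container names below and the keys in pod.mandatory_access_control` would help. The file header for this hunk isn't visible on the page, and the identical one-line change appears in a second template below; both should be kept in lockstep. nova-compute is also commonly privileged, in which case `runtime/default` is not applied by the runtime, so the job should verify enforcement inside the container rather than rely on pod admission.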
|
@ -45,7 +45,7 @@ spec:
|
|||||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute-default") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
serviceAccountName: {{ $serviceAccountName }}
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||||
|
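--- a/nova/values_overrides/apparmor.yaml
+++ b/nova/values_overrides/apparmor.yaml
@@ -0,0 +1,5 @@
+pod:
+  mandatory_access_control:
+    type: apparmor
+    nova-compute-default:
+      nova-compute: runtime/default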
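Review bot: Unlike the keystone and neutron overrides, the pod key `nova-compute-default` and the container key `nova-compute` differ here and nothing in the file says which level is which, so someone copying this pattern could put the container name at both levels and end up annotating a container that does not exist. A short comment would prevent that, e.g. `# <pod name>:` beside `nova-compute-default:` and `# <container name>: <profile>` above the inner key. The values are data only; the annotation itself is produced by the helm-toolkit snippet referenced from the nova templates, so the keys must track the container names used there.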
@ -1,43 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
set -xe
|
|
||||||
|
|
||||||
#NOTE: Lint and package chart
|
|
||||||
make barbican
|
|
||||||
|
|
||||||
#NOTE: Deploy barbican
|
|
||||||
tee /tmp/barbican.yaml << EOF
|
|
||||||
pod:
|
|
||||||
mandatory_access_control:
|
|
||||||
type: apparmor
|
|
||||||
barbican-api:
|
|
||||||
barbican-api: localhost/docker-default
|
|
||||||
EOF
|
|
||||||
|
|
||||||
#NOTE: Deploy command
|
|
||||||
helm upgrade --install barbican ./barbican \
|
|
||||||
--namespace=openstack \
|
|
||||||
--values=/tmp/barbican.yaml
|
|
||||||
${OSH_EXTRA_HELM_ARGS} \
|
|
||||||
${OSH_EXTRA_HELM_ARGS_BARBICAN}
|
|
||||||
|
|
||||||
#NOTE: Wait for deploy
|
|
||||||
./tools/deployment/common/wait-for-pods.sh openstack
|
|
||||||
|
|
||||||
#NOTE: Validate Deployment info
|
|
||||||
helm status barbican
|
|
||||||
|
|
||||||
helm test barbican
|
|
@ -1,106 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
set -xe
|
|
||||||
|
|
||||||
#NOTE: Lint and package chart
|
|
||||||
make nova
|
|
||||||
make neutron
|
|
||||||
|
|
||||||
#NOTE: Deploy nova
|
|
||||||
: ${OSH_EXTRA_HELM_ARGS:=""}
|
|
||||||
tee /tmp/nova.yaml << EOF
|
|
||||||
conf:
|
|
||||||
ceph:
|
|
||||||
enabled: false
|
|
||||||
pod:
|
|
||||||
mandatory_access_control:
|
|
||||||
type: apparmor
|
|
||||||
nova-compute-default:
|
|
||||||
nova-compute-default: localhost/docker-default
|
|
||||||
EOF
|
|
||||||
if [ "x$(systemd-detect-virt)" == "xnone" ]; then
|
|
||||||
echo 'OSH is not being deployed in virtualized environment'
|
|
||||||
helm upgrade --install nova ./nova \
|
|
||||||
--namespace=openstack \
|
|
||||||
--values=/tmp/nova.yaml \
|
|
||||||
${OSH_EXTRA_HELM_ARGS} \
|
|
||||||
${OSH_EXTRA_HELM_ARGS_NOVA}
|
|
||||||
else
|
|
||||||
echo 'OSH is being deployed in virtualized environment, using qemu for nova'
|
|
||||||
helm upgrade --install nova ./nova \
|
|
||||||
--namespace=openstack \
|
|
||||||
--set conf.nova.libvirt.virt_type=qemu \
|
|
||||||
--set conf.nova.libvirt.cpu_mode=none \
|
|
||||||
--values=/tmp/nova.yaml
|
|
||||||
${OSH_EXTRA_HELM_ARGS} \
|
|
||||||
${OSH_EXTRA_HELM_ARGS_NOVA}
|
|
||||||
fi
|
|
||||||
|
|
||||||
#NOTE: Deploy neutron
|
|
||||||
tee /tmp/neutron.yaml << EOF
|
|
||||||
pod:
|
|
||||||
mandatory_access_control:
|
|
||||||
type: apparmor
|
|
||||||
neutron-dhcp-agent-default:
|
|
||||||
neutron-dhcp-agent-default: localhost/docker-default
|
|
||||||
neutron-l3-agent-default:
|
|
||||||
neutron-l3-agent-default: localhost/docker-default
|
|
||||||
neutron-lb-agent-default:
|
|
||||||
neutron-lb-agent-default: localhost/docker-default
|
|
||||||
neutron-metadata-agent-default:
|
|
||||||
neutron-metadata-agent-default: localhost/docker-default
|
|
||||||
neutron-ovs-agent-default:
|
|
||||||
neutron-ovs-agent-default: localhost/docker-default
|
|
||||||
neutron-sriov-agent-default:
|
|
||||||
neutron-sriov-agent-default: localhost/docker-default
|
|
||||||
network:
|
|
||||||
interface:
|
|
||||||
tunnel: docker0
|
|
||||||
conf:
|
|
||||||
neutron:
|
|
||||||
DEFAULT:
|
|
||||||
l3_ha: False
|
|
||||||
max_l3_agents_per_router: 1
|
|
||||||
l3_ha_network_type: vxlan
|
|
||||||
dhcp_agents_per_network: 1
|
|
||||||
plugins:
|
|
||||||
ml2_conf:
|
|
||||||
ml2_type_flat:
|
|
||||||
flat_networks: public
|
|
||||||
openvswitch_agent:
|
|
||||||
agent:
|
|
||||||
tunnel_types: vxlan
|
|
||||||
ovs:
|
|
||||||
bridge_mappings: public:br-ex
|
|
||||||
linuxbridge_agent:
|
|
||||||
linux_bridge:
|
|
||||||
bridge_mappings: public:br-ex
|
|
||||||
EOF
|
|
||||||
helm upgrade --install neutron ./neutron \
|
|
||||||
--namespace=openstack \
|
|
||||||
--values=/tmp/neutron.yaml \
|
|
||||||
${OSH_EXTRA_HELM_ARGS} \
|
|
||||||
${OSH_EXTRA_HELM_ARGS_NEUTRON}
|
|
||||||
|
|
||||||
#NOTE: Wait for deploy
|
|
||||||
./tools/deployment/common/wait-for-pods.sh openstack
|
|
||||||
|
|
||||||
#NOTE: Validate Deployment info
|
|
||||||
export OS_CLOUD=openstack_helm
|
|
||||||
openstack service list
|
|
||||||
sleep 30 #NOTE(portdirect): Wait for ingress controller to update rules and restart Nginx
|
|
||||||
openstack compute service list
|
|
||||||
openstack network agent list
|
|
@ -245,6 +245,7 @@
|
|||||||
openstack_release: stein
|
openstack_release: stein
|
||||||
container_distro_name: ubuntu
|
container_distro_name: ubuntu
|
||||||
container_distro_version: bionic
|
container_distro_version: bionic
|
||||||
|
feature_gates: apparmor
|
||||||
gate_scripts:
|
gate_scripts:
|
||||||
- ./tools/deployment/common/install-packages.sh
|
- ./tools/deployment/common/install-packages.sh
|
||||||
- ./tools/deployment/common/deploy-k8s.sh
|
- ./tools/deployment/common/deploy-k8s.sh
|
||||||
@ -259,8 +260,9 @@
|
|||||||
- ./tools/deployment/component/glance/glance.sh
|
- ./tools/deployment/component/glance/glance.sh
|
||||||
- ./tools/deployment/component/compute-kit/openvswitch.sh
|
- ./tools/deployment/component/compute-kit/openvswitch.sh
|
||||||
- ./tools/deployment/component/compute-kit/libvirt.sh
|
- ./tools/deployment/component/compute-kit/libvirt.sh
|
||||||
- ./tools/deployment/apparmor/compute-kit.sh
|
- ./tools/deployment/developer/nfs/160-compute-kit.sh
|
||||||
- ./tools/deployment/apparmor/barbican.sh
|
# NOTE: Re-enable barbican once the profile gets sorted out
|
||||||
|
#- ./tools/deployment/component/barbican/barbican.sh
|
||||||
- ./tools/deployment/developer/common/170-setup-gateway.sh
|
- ./tools/deployment/developer/common/170-setup-gateway.sh
|
||||||
- ./tools/deployment/developer/common/900-use-it.sh
|
- ./tools/deployment/developer/common/900-use-it.sh
|
||||||
|
|
||||||
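Review bot: `feature_gates: apparmor` only does anything if each deploy script listed here reads it and layers in the chart's `values_overrides/apparmor.yaml`; with the dedicated apparmor scripts deleted, the generic `160-compute-kit.sh` is now the only thing applying the nova/neutron overrides, and if any script ignores the gate the charts deploy unconfined and the job still passes. I would add a final step that fails the job when confinement is not actually enforced, e.g. a script that, for each pod named in the overrides, runs `kubectl exec ... -- cat /proc/1/attr/current` and requires `(enforce)` in the output, since pod admission alone does not prove the profile was applied (privileged containers are typically left unconfined under `runtime/default`). The keystone override added in this change has no visible consumer in this hunk; the keystone deploy step may sit outside it. Minor: `#- ./tools/deployment/component/barbican/barbican.sh` should be `# - ./tools/deployment/component/barbican/barbican.sh` to keep yamllint's comments rule happy.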
|