Move apparmor to use feature gates

This change refactors the apparmor job to utilize the feature
gates system instead of relying on separate scripts.

Also disabled barbican running in the apparmor job temporarily
until the correct profile gets used and it can deploy
successfully.

Change-Id: Iadacd214de3fdb06e4acde4433c5fa86973371d5
Gage Hugo 2020-01-30 08:37:47 -06:00
parent 406ee0065b
commit a1fc694ae9
9 changed files with 37 additions and 153 deletions


@ -0,0 +1,6 @@
# NOTE: Enable this with the correct policy
#pod:
# mandatory_access_control:
# type: apparmor
# barbican-api:
# barbican-api: localhost/docker-default
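Review bot: The NOTE does not say which policy is the correct one, and the commented example still carries `localhost/docker-default`, the same reference the removed barbican script used. With every line commented out the file supplies no override, so a barbican deployed under the apparmor feature gate would presumably start without an AppArmor annotation and nothing would flag it. I would spell the condition out, for example `# NOTE: barbican-api has no working AppArmor profile yet; uncomment once <profile-name> is confirmed to load`, and repeat that reference beside the commented-out `barbican.sh` entry in the job definition so the two are re-enabled together.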


@ -0,0 +1,5 @@
pod:
mandatory_access_control:
type: apparmor
keystone-api-default:
keystone-api-default: runtime/default
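Review bot: The inner key `keystone-api-default` repeats the pod name instead of naming a container, which is the same shape this commit corrects for nova, where `containerNames` changes from `nova-compute-default` to `nova-compute`. The keystone template is not part of this change, so I cannot tell what its `containerNames` list holds. If it passes a different name, the helper would presumably find no matching key and the container would get no profile while the deploy still succeeds. The six entries in the neutron override file follow the same pattern and need the same check. It would help to confirm each key against its template, and to have the gate assert that the `container.apparmor.security.beta.kubernetes.io/<container>` annotation is present on the running pods.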


@ -0,0 +1,15 @@
pod:
mandatory_access_control:
type: apparmor
neutron-dhcp-agent-default:
neutron-dhcp-agent-default: runtime/default
neutron-l3-agent-default:
neutron-l3-agent-default: runtime/default
neutron-lb-agent-default:
neutron-lb-agent-default: runtime/default
neutron-metadata-agent-default:
neutron-metadata-agent-default: runtime/default
neutron-ovs-agent-default:
neutron-ovs-agent-default: runtime/default
neutron-sriov-agent-default:
neutron-sriov-agent-default: runtime/default


@ -45,7 +45,7 @@ spec:
annotations: annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute-default") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} {{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec: spec:
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
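Review bot: `(list "nova-compute")` names only the main container, so any init container or sidecar in this pod spec gets no AppArmor annotation from this helper call. The rest of the pod spec is outside the hunk, so whether such containers exist here needs checking. AppArmor annotations are applied per container, and an unlisted container runs under whatever the runtime defaults to rather than under the profile chosen in values. If there are such containers, extend the list and add matching keys under `pod.mandatory_access_control.nova-compute-default`. A short comment above the line, such as `# containerNames must match the container names in this pod spec and the keys in values`, would keep the two in step. The second nova template in this commit makes the identical change and has the same gap.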


@ -45,7 +45,7 @@ spec:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute-default") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} {{ dict "envAll" $envAll "podName" "nova-compute-default" "containerNames" (list "nova-compute") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec: spec:
serviceAccountName: {{ $serviceAccountName }} serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} {{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}


@ -0,0 +1,5 @@
pod:
mandatory_access_control:
type: apparmor
nova-compute-default:
nova-compute: runtime/default


@ -1,43 +0,0 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make barbican
#NOTE: Deploy barbican
tee /tmp/barbican.yaml << EOF
pod:
mandatory_access_control:
type: apparmor
barbican-api:
barbican-api: localhost/docker-default
EOF
#NOTE: Deploy command
helm upgrade --install barbican ./barbican \
--namespace=openstack \
--values=/tmp/barbican.yaml
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_BARBICAN}
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh openstack
#NOTE: Validate Deployment info
helm status barbican
helm test barbican


@ -1,106 +0,0 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make nova
make neutron
#NOTE: Deploy nova
: ${OSH_EXTRA_HELM_ARGS:=""}
tee /tmp/nova.yaml << EOF
conf:
ceph:
enabled: false
pod:
mandatory_access_control:
type: apparmor
nova-compute-default:
nova-compute-default: localhost/docker-default
EOF
if [ "x$(systemd-detect-virt)" == "xnone" ]; then
echo 'OSH is not being deployed in virtualized environment'
helm upgrade --install nova ./nova \
--namespace=openstack \
--values=/tmp/nova.yaml \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NOVA}
else
echo 'OSH is being deployed in virtualized environment, using qemu for nova'
helm upgrade --install nova ./nova \
--namespace=openstack \
--set conf.nova.libvirt.virt_type=qemu \
--set conf.nova.libvirt.cpu_mode=none \
--values=/tmp/nova.yaml
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NOVA}
fi
#NOTE: Deploy neutron
tee /tmp/neutron.yaml << EOF
pod:
mandatory_access_control:
type: apparmor
neutron-dhcp-agent-default:
neutron-dhcp-agent-default: localhost/docker-default
neutron-l3-agent-default:
neutron-l3-agent-default: localhost/docker-default
neutron-lb-agent-default:
neutron-lb-agent-default: localhost/docker-default
neutron-metadata-agent-default:
neutron-metadata-agent-default: localhost/docker-default
neutron-ovs-agent-default:
neutron-ovs-agent-default: localhost/docker-default
neutron-sriov-agent-default:
neutron-sriov-agent-default: localhost/docker-default
network:
interface:
tunnel: docker0
conf:
neutron:
DEFAULT:
l3_ha: False
max_l3_agents_per_router: 1
l3_ha_network_type: vxlan
dhcp_agents_per_network: 1
plugins:
ml2_conf:
ml2_type_flat:
flat_networks: public
openvswitch_agent:
agent:
tunnel_types: vxlan
ovs:
bridge_mappings: public:br-ex
linuxbridge_agent:
linux_bridge:
bridge_mappings: public:br-ex
EOF
helm upgrade --install neutron ./neutron \
--namespace=openstack \
--values=/tmp/neutron.yaml \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NEUTRON}
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh openstack
#NOTE: Validate Deployment info
export OS_CLOUD=openstack_helm
openstack service list
sleep 30 #NOTE(portdirect): Wait for ingress controller to update rules and restart Nginx
openstack compute service list
openstack network agent list


@ -245,6 +245,7 @@
openstack_release: stein openstack_release: stein
container_distro_name: ubuntu container_distro_name: ubuntu
container_distro_version: bionic container_distro_version: bionic
feature_gates: apparmor
gate_scripts: gate_scripts:
- ./tools/deployment/common/install-packages.sh - ./tools/deployment/common/install-packages.sh
- ./tools/deployment/common/deploy-k8s.sh - ./tools/deployment/common/deploy-k8s.sh
@ -259,8 +260,9 @@
- ./tools/deployment/component/glance/glance.sh - ./tools/deployment/component/glance/glance.sh
- ./tools/deployment/component/compute-kit/openvswitch.sh - ./tools/deployment/component/compute-kit/openvswitch.sh
- ./tools/deployment/component/compute-kit/libvirt.sh - ./tools/deployment/component/compute-kit/libvirt.sh
- ./tools/deployment/apparmor/compute-kit.sh - ./tools/deployment/developer/nfs/160-compute-kit.sh
- ./tools/deployment/apparmor/barbican.sh # NOTE: Re-enable barbican once the profile gets sorted out
#- ./tools/deployment/component/barbican/barbican.sh
- ./tools/deployment/developer/common/170-setup-gateway.sh - ./tools/deployment/developer/common/170-setup-gateway.sh
- ./tools/deployment/developer/common/900-use-it.sh - ./tools/deployment/developer/common/900-use-it.sh