Audit armada app and helm charts configuration

This commit adds an armada app and helm charts configuration
for a containerized auditd solution for StarlingX.

Story: 2008849
Task: 42534

Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: I884e92d57a99d7e814196458a852da8198b60d2d

.gitignore

@@ -0,0 +1,2 @@
+.idea
+.tox

.zuul.yaml

@@ -0,0 +1,8 @@
+---
+- project:
+    check:
+      jobs:
+        - openstack-tox-linters
+    gate:
+      jobs:
+        - openstack-tox-linters

CONTRIBUTING.rst

@@ -0,0 +1,16 @@
+If you would like to contribute to the development of OpenStack,
+you must follow the steps in this page:
+
+   https://docs.openstack.org/infra/manual/developers.html
+
+Once those steps have been completed, changes to OpenStack
+should be submitted for review via the Gerrit tool, following
+the workflow documented at:
+
+   https://docs.openstack.org/infra/manual/developers.html#development-workflow
+
+Pull requests submitted through GitHub will be ignored.
+
+Bugs should be filed in Launchpad:
+
+   https://bugs.launchpad.net/starlingx

HACKING.rst

@@ -0,0 +1,17 @@
+StarlingX AUDIT-Armada-App Style Commandments
+================================================================
+
+- Step 1: Read the OpenStack style commandments
+  https://docs.openstack.org/hacking/latest/
+- Step 2: Read on
+
+Audit-Armada-App Specific Commandments
+---------------------------------------------------------
+
+None so far
+
+Running tests
+-------------
+The approach to running tests is to simply run the command ``tox``. This will
+create virtual environments, populate them with dependencies and run all of
+the tests that OpenStack CI systems run.

centos_build_layer.cfg

@@ -0,0 +1 @@
+flock

centos_iso_image.inc

@@ -0,0 +1 @@
+stx-audit-helm

centos_pkg_dirs

@@ -0,0 +1 @@
+stx-audit-helm

centos_pkg_dirs_containers

@@ -0,0 +1 @@
+stx-audit-helm

centos_stable_docker_images.inc

@@ -0,0 +1 @@
+stx-audit-helm

config

@@ -0,0 +1,12 @@
+[core]
+    repositoryformatversion = 0
+    filemode = true
+    bare = false
+    logallrefupdates = true
+[remote "origin"]
+    url = https://opendev.org/starlingx/audit-armada-app.git
+    fetch = +refs/heads/*:refs/remotes/origin/*
+[branch "master"]
+    remote = origin
+    merge = refs/heads/master
+    rebase = true

github_sync.trigger

@@ -0,0 +1,2 @@
+# to trigger the upload job to sync to GitHub
+0

requirements.txt

@@ -0,0 +1 @@
+# Nothing

stx-audit-helm/centos/build_srpm.data

@@ -0,0 +1,4 @@
+SRC_DIR="stx-audit-helm"
+
+TIS_PATCH_VER=PKG_GITREVCOUNT
+

stx-audit-helm/centos/docker/stx-audit/Dockerfile

@@ -0,0 +1,7 @@
+ARG BASE
+FROM ${BASE} AS stx
+RUN yum -y update
+RUN yum -y install\
+           audit
+
+ENTRYPOINT ["/sbin/auditd", "-l"]

stx-audit-helm/centos/stx-audit-helm.spec

@@ -0,0 +1,75 @@
+# Application tunables (maps to metadata)
+%global app_name audit
+%global helm_repo stx-platform
+
+%global armada_folder /usr/lib/armada
+
+# Install location
+%global app_folder /usr/local/share/applications/helm
+
+# Build variables
+%global helm_folder /usr/lib/helm
+%global toolkit_version 0.1.0
+
+Summary: StarlingX AUDIT Armada Helm Charts
+Name: stx-audit-helm
+Version: 1.0
+Release: %{tis_patch_ver}%{?_tis_dist}
+License: Apache-2.0
+Group: base
+Packager: Wind River <info@windriver.com>
+URL: unknown
+
+Source0: %{name}-%{version}.tar.gz
+
+BuildArch: noarch
+
+BuildRequires: helm
+
+%description
+StarlingX AUDIT Helm Charts
+
+%prep
+%setup -n %{name}-%{version}
+
+%build
+
+cd helm-charts
+make
+cd -
+
+# Create a chart tarball compliant with sysinv kube-app.py
+%define app_staging %{_builddir}/staging
+%define app_tarball %{app_name}-%{version}-%{tis_patch_ver}.tgz
+
+# Setup staging
+mkdir -p %{app_staging}
+cp files/metadata.yaml %{app_staging}
+cp manifests/*.yaml %{app_staging}
+mkdir -p %{app_staging}/charts
+cp helm-charts/*.tgz %{app_staging}/charts
+cd %{app_staging}
+
+# Populate metadata
+sed -i 's/@APP_NAME@/%{app_name}/g' %{app_staging}/metadata.yaml
+sed -i 's/@APP_VERSION@/%{version}-%{tis_patch_ver}/g' %{app_staging}/metadata.yaml
+sed -i 's/@HELM_REPO@/%{helm_repo}/g' %{app_staging}/metadata.yaml
+
+# Copy the plugins: installed in the buildroot
+# mkdir -p %{app_staging}/plugins
+# cp /plugins/%{app_name}/*.whl %{app_staging}/plugins
+
+# package it up
+find . -type f ! -name '*.md5' -print0 | xargs -0 md5sum > checksum.md5
+tar -zcf %{_builddir}/%{app_tarball} -C %{app_staging}/ .
+
+# Cleanup staging
+rm -fr %{app_staging}
+
+%install
+install -d -m 755 %{buildroot}/%{app_folder}
+install -p -D -m 755 %{_builddir}/%{app_tarball} %{buildroot}/%{app_folder}
+
+%files
+%defattr(-,root,root,-)
+%{app_folder}/*

stx-audit-helm/centos/stx-snmp-helm-audit.stable_docker_image

@@ -0,0 +1,3 @@
+BUILDER=docker
+LABEL=stx-audit
+DOCKER_CONTEXT=docker/stx-audit

stx-audit-helm/stx-audit-helm/README

@@ -0,0 +1,5 @@
+This directory contains all StarlingX charts that need to be built for this
+application. Some charts are common across applications. These common charts
+reside in the stx-config/kubernetes/helm-charts directory. To include these in
+this application update the build_srpm.data file and use the COPY_LIST_TO_TAR
+mechanism to populate these common charts.

stx-audit-helm/stx-audit-helm/files/index.yaml

@@ -0,0 +1,3 @@
+apiVersion: v1
+entries: {}
+generated: 2019-01-07T12:33:46.098166523-06:00

stx-audit-helm/stx-audit-helm/files/metadata.yaml

@@ -0,0 +1,5 @@
+maintain_user_overrides: true
+
+app_name: @APP_NAME@
+app_version: @APP_VERSION@
+helm_repo: @HELM_REPO@

stx-audit-helm/stx-audit-helm/files/repositories.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+generated: 2019-01-02T15:19:36.215111369-06:00
+repositories:
+- caFile: ""
+  cache: /builddir/.helm/repository/cache/local-index.yaml
+  certFile: ""
+  keyFile: ""
+  name: local
+  password: ""
+  url: http://127.0.0.1:8879/charts
+  username: ""

stx-audit-helm/stx-audit-helm/helm-charts/Makefile

@@ -0,0 +1,43 @@
+#
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# It's necessary to set this because some environments don't link sh -> bash.
+SHELL := /bin/bash
+TASK  := build
+
+EXCLUDES := helm-toolkit doc tests tools logs tmp
+CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
+
+.PHONY: $(EXCLUDES) $(CHARTS)
+
+all: $(CHARTS)
+
+$(CHARTS):
+	@if [ -d $@ ]; then \
+		echo; \
+		echo "===== Processing [$@] chart ====="; \
+		make $(TASK)-$@; \
+	fi
+
+init-%:
+	if [ -f $*/Makefile ]; then make -C $*; fi
+	if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
+
+lint-%: init-%
+	if [ -d $* ]; then helm lint $*; fi
+
+build-%:
+	if [ -d $* ]; then helm package $*; fi
+
+clean:
+	@echo "Clean all build artifacts"
+	rm -f */templates/_partials.tpl */templates/_globals.tpl
+	rm -f *tgz */charts/*tgz */requirements.lock
+	rm -rf */charts */tmpcharts
+
+%:
+	@:

stx-audit-helm/stx-audit-helm/helm-charts/audit/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

stx-audit-helm/stx-audit-helm/helm-charts/audit/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+appVersion: "1.0"
+description:  A Helm chart for AUDIT service
+name: audit-helm
+version: 1.0.0

stx-audit-helm/stx-audit-helm/helm-charts/audit/auditd/auditd.conf

@@ -0,0 +1,36 @@
+#
+# This file controls the configuration of the audit daemon
+#
+local_events = yes
+write_logs = yes
+log_file = /var/log/audit/audit.log
+log_group = root
+log_format = RAW
+flush = INCREMENTAL_ASYNC
+freq = 50
+max_log_file = 8
+num_logs = 5
+priority_boost = 4
+disp_qos = lossy
+dispatcher = /sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file_action = ROTATE
+space_left = 75
+space_left_action = SYSLOG
+##verify_email = yes
+##action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = SYSLOG
+disk_full_action = SYSLOG
+disk_error_action = SYSLOG
+use_libwrap = yes
+##tcp_listen_port = 60
+##tcp_listen_queue = 5
+##tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+##tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
+distribute_network = no

stx-audit-helm/stx-audit-helm/helm-charts/audit/templates/NOTES.txt

@@ -0,0 +1,4 @@
+1. AUDIT containerized deployment
+   This helm charts configuration creates:
+      - Config map for /etc/audit/auditd.conf
+      - Deploys auditd in a container

stx-audit-helm/stx-audit-helm/helm-charts/audit/templates/_helpers.tpl

@@ -0,0 +1,33 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "audit.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this
+(by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "audit.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "audit.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

stx-audit-helm/stx-audit-helm/helm-charts/audit/templates/configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.configmap.name_auditd }}
+data:
+  auditd.conf: {{ toYaml .Values.auditdconf | indent 2 }}
+

stx-audit-helm/stx-audit-helm/helm-charts/audit/templates/daemonset.yaml

@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "audit.fullname" . }}
+  namespace: kube-system
+  labels:
+    k8s-app: auditd-logging
+spec:
+  selector:
+    matchLabels:
+      name: {{ include "audit.name" . }}
+  template:
+    metadata:
+      labels:
+        name: {{ include "audit.name" . }}
+    spec:
+      hostNetwork: true
+      hostPID: true
+      containers:
+      - name: {{ include "audit.name" . }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        securityContext:
+          privileged: true
+          runAsGroup: 0
+          runAsUser: 0
+        volumeMounts:
+        - name: varlog
+          mountPath: /var/log/audit
+        stdin: true
+        tty: true
+      volumes:
+      - name: varlog
+        hostPath:
+          path: /var/log/audit
+      imagePullSecrets:
+      - name: default-registry-key

stx-audit-helm/stx-audit-helm/helm-charts/audit/values.yaml

@@ -0,0 +1,55 @@
+# Default values for audit.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+  repository: docker.io/starlingx/stx-audit
+  tag: dev-centos-stable-2021.05.22.21.26.0
+  pullPolicy: IfNotPresent
+  debug: ''
+
+nameOverride: ""
+fullnameOverride: ""
+
+configmap:
+  name_auditd: auditd-etc-config
+
+auditdconf: |-
+  ##########################################################################
+  #
+  # auditd.conf
+  #
+  ###########################################################################
+  local_events = yes
+  write_logs = yes
+  log_file = /var/log/audit/audit.log
+  log_group = root
+  log_format = RAW
+  flush = INCREMENTAL_ASYNC
+  freq = 50
+  max_log_file = 8
+  num_logs = 5
+  priority_boost = 4
+  disp_qos = lossy
+  dispatcher = /sbin/audispd
+  name_format = NONE
+  ##name = mydomain
+  max_log_file_action = ROTATE
+  space_left = 75
+  space_left_action = SYSLOG
+  ##verify_email = yes
+  ##action_mail_acct = root
+  admin_space_left = 50
+  admin_space_left_action = SYSLOG
+  disk_full_action = SYSLOG
+  disk_error_action = SYSLOG
+  use_libwrap = yes
+  ##tcp_listen_port = 60
+  ##tcp_listen_queue = 5
+  ##tcp_max_per_addr = 1
+  ##tcp_client_ports = 1024-65535
+  ##tcp_client_max_idle = 0
+  enable_krb5 = no
+  krb5_principal = auditd
+  ##krb5_key_file = /etc/audit/audit.key
+  distribute_network = no

stx-audit-helm/stx-audit-helm/manifests/audit_manifest.yaml

@@ -0,0 +1,45 @@
+---
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: audit
+data:
+  chart_name: audit
+  release: audit
+  namespace: kube-system
+  source:
+    location: http://172.17.0.1:8080/helm_charts/stx-platform/audit-helm-1.0.0.tgz
+    subpath: audit
+    type: tar
+    reference: master
+  wait:
+    timeout: 1800
+  install:
+    no_hooks: false
+  upgrade:
+    no_hooks: false
+    pre:
+      delete:
+        - type: job
+          labels:
+            app: audit
+  dependencies: []
+---
+schema: armada/ChartGroup/v1
+metadata:
+  schema: metadata/Document/v1
+  name: audit
+data:
+  description: "StarlingX AUDIT"
+  sequenced: false
+  chart_group:
+    - audit
+---
+schema: armada/Manifest/v1
+metadata:
+  schema: metadata/Document/v1
+  name: audit-manifest
+data:
+  release_prefix: ns
+  chart_groups:
+    - audit

test-requirements.txt

@@ -0,0 +1,3 @@
+# hacking pulls in flake8
+hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
+bashate >= 0.2

tox.ini

@@ -0,0 +1,35 @@
+[tox]
+envlist = linters
+minversion = 2.3
+skipsdist = True
+sitepackages=False
+
+[testenv]
+install_command = pip install -U {opts} {packages}
+setenv =
+   VIRTUAL_ENV={envdir}
+   OS_STDOUT_CAPTURE=1
+   OS_STDERR_CAPTURE=1
+   OS_DEBUG=1
+   OS_LOG_CAPTURE=1
+deps =
+  -r{toxinidir}/requirements.txt
+  -r{toxinidir}/test-requirements.txt
+whitelist_externals =
+  bash
+
+[testenv:bashate]
+# Treat all E* codes as Errors rather than warnings using: -e 'E*'
+commands =
+  bash -c "find {toxinidir}                    \
+         -not \( -type d -name .?\* -prune \) \
+         -type f                              \
+         -not -name \*~                       \
+         -not -name \*.md                     \
+         -name \*.sh                          \
+         -print0 | xargs -r -n 1 -0 bashate -v   \
+         -e 'E*'"
+
+[testenv:linters]
+commands =
+    {[testenv:bashate]commands}