From 9831e545c9f76745fe41de88acd1fa6f693f354d Mon Sep 17 00:00:00 2001 From: "DODDA, PRATEEK" Date: Fri, 26 Jun 2020 09:11:41 -0500 Subject: [PATCH] Enabling Apparmor profile to shipyard init containers Remove OSH Authors copyright The current copyright refers to a non-existent group "openstack helm authors" with often out-of-date references that are confusing when adding a new file to the repo. This change removes all references to this copyright by the non-existent group and any blank lines underneath. Change-Id: Ic8de1678a754ba466dbd8d12c4f078151a78a091
---
 .../deployment-airflow-scheduler.yaml | 2 +- .../templates/deployment-shipyard.yaml | 3 +-- .../templates/job-airflow-db-init.yaml | 4 +++- .../templates/job-airflow-db-sync.yaml | 4 +++- .../templates/job-shipyard-db-auxiliary.yaml | 3 +++ .../templates/job-shipyard-db-init.yaml | 4 +++- .../templates/job-shipyard-db-sync.yaml | 4 +++- .../templates/statefulset-airflow-worker.yaml | 2 +- .../templates/tests/test-shipyard-api.yaml | 5 ++-- charts/shipyard/values.yaml | 24 ++++++++++++++++++- 10 files changed, 44 insertions(+), 11 deletions(-)
diff --git a/charts/shipyard/templates/deployment-airflow-scheduler.yaml b/charts/shipyard/templates/deployment-airflow-scheduler.yaml
index 9de44a6b..884e3dd0 100644
--- a/charts/shipyard/templates/deployment-airflow-scheduler.yaml
+++ b/charts/shipyard/templates/deployment-airflow-scheduler.yaml
@@ -1,4 +1,3 @@
-# Copyright 2017 The Openstack-Helm Authors.
 # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -50,6 +49,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "airflow-scheduler" "containerNames" (list "init" "airflow-scheduler") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
diff --git a/charts/shipyard/templates/deployment-shipyard.yaml b/charts/shipyard/templates/deployment-shipyard.yaml
index a301763d..036cb667 100644
--- a/charts/shipyard/templates/deployment-shipyard.yaml
+++ b/charts/shipyard/templates/deployment-shipyard.yaml
@@ -1,4 +1,3 @@
-# Copyright 2017 The Openstack-Helm Authors.
 # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -44,7 +43,7 @@ spec:
 shipyard-configmap-etc-hash: {{ tuple "configmap-shipyard-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 airflow-configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 airflow-configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "shipyard-api" "containerNames" (list "shipyard-api" "airflow-web") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "shipyard-api" "containerNames" (list "init" "shipyard-api" "airflow-web") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 {{ dict "envAll" $envAll "application" "shipyard" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
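Review bot: The `containerNames` lists now include `"init"` (here in deployment-airflow-scheduler.yaml and deployment-shipyard.yaml, and likewise in the five job templates and in statefulset-airflow-worker.yaml, which also adds `"worker-perms"`), but the pod specs that define those containers lie outside every hunk, so nothing visible confirms that the names match. Kubernetes validates per-container AppArmor annotations against the pod's containers and init containers and rejects a pod whose annotation names a container that is not present, so a mismatch would show up as a failed pod creation rather than as a missing profile. I would add a template comment above each call, for example `{{/* containerNames must match the initContainers/containers names in this pod spec */}}`, and check a rendered `helm template` output to confirm every annotated name exists in its pod.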
diff --git a/charts/shipyard/templates/job-airflow-db-init.yaml b/charts/shipyard/templates/job-airflow-db-init.yaml
index 12cf0ca2..3d3c96c0 100644
--- a/charts/shipyard/templates/job-airflow-db-init.yaml
+++ b/charts/shipyard/templates/job-airflow-db-init.yaml
@@ -1,5 +1,4 @@
 {{/*
-Copyright 2017 The Openstack-Helm Authors.
 Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
@@ -31,6 +30,9 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "airflow" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "airflow-db-init" "containerNames" (list "init" "airflow-db-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
diff --git a/charts/shipyard/templates/job-airflow-db-sync.yaml b/charts/shipyard/templates/job-airflow-db-sync.yaml
index 82396a5f..3323ccc6 100644
--- a/charts/shipyard/templates/job-airflow-db-sync.yaml
+++ b/charts/shipyard/templates/job-airflow-db-sync.yaml
@@ -1,5 +1,4 @@
 {{/*
-Copyright 2017 The Openstack-Helm Authors.
 Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
@@ -31,6 +30,9 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "airflow" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "airflow-db-sync" "containerNames" (list "init" "airflow-db-sync") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
diff --git a/charts/shipyard/templates/job-shipyard-db-auxiliary.yaml b/charts/shipyard/templates/job-shipyard-db-auxiliary.yaml
index 8a5f9398..32845f6d 100644
--- a/charts/shipyard/templates/job-shipyard-db-auxiliary.yaml
+++ b/charts/shipyard/templates/job-shipyard-db-auxiliary.yaml
@@ -32,6 +32,9 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "shipyard" "db-auxiliary" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "shipyard-db-auxiliary" "containerNames" (list "init" "shipyard-db-auxiliary") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
diff --git a/charts/shipyard/templates/job-shipyard-db-init.yaml b/charts/shipyard/templates/job-shipyard-db-init.yaml
index 13623781..1e31edf8 100644
--- a/charts/shipyard/templates/job-shipyard-db-init.yaml
+++ b/charts/shipyard/templates/job-shipyard-db-init.yaml
@@ -1,5 +1,4 @@
 {{/*
-Copyright 2017 The Openstack-Helm Authors.
 Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
@@ -33,6 +32,9 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "shipyard" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "shipyard-db-init" "containerNames" (list "init" "shipyard-db-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
diff --git a/charts/shipyard/templates/job-shipyard-db-sync.yaml b/charts/shipyard/templates/job-shipyard-db-sync.yaml
index 03dafa68..af88bada 100644
--- a/charts/shipyard/templates/job-shipyard-db-sync.yaml
+++ b/charts/shipyard/templates/job-shipyard-db-sync.yaml
@@ -1,5 +1,4 @@
 {{/*
-Copyright 2017 The Openstack-Helm Authors.
 Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
@@ -33,6 +32,9 @@ spec:
 metadata:
 labels:
 {{ tuple $envAll "shipyard" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "shipyard-db-sync" "containerNames" (list "init" "shipyard-db-sync") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
diff --git a/charts/shipyard/templates/statefulset-airflow-worker.yaml b/charts/shipyard/templates/statefulset-airflow-worker.yaml
index ee9a9a33..3efe182c 100644
--- a/charts/shipyard/templates/statefulset-airflow-worker.yaml
+++ b/charts/shipyard/templates/statefulset-airflow-worker.yaml
@@ -86,7 +86,7 @@ spec:
 {{ $labels | indent 8 }}
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
-{{ dict "envAll" $envAll "podName" "airflow-worker" "containerNames" (list "airflow-worker" "airflow-scheduler" "airflow-logrotate") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "airflow-worker" "containerNames" (list "init" "worker-perms" "airflow-worker" "airflow-scheduler" "airflow-logrotate") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
diff --git a/charts/shipyard/templates/tests/test-shipyard-api.yaml b/charts/shipyard/templates/tests/test-shipyard-api.yaml
index 8c93e207..84e3ed9d 100644
--- a/charts/shipyard/templates/tests/test-shipyard-api.yaml
+++ b/charts/shipyard/templates/tests/test-shipyard-api.yaml
@@ -22,10 +22,11 @@ Test the Shipyard API, to ensure that the health endpoint is active and able to
 apiVersion: v1
 kind: Pod
 metadata:
- name: "{{ .Release.Name }}-shipyard-api-test"
+ name: shipyard-api-test
 annotations:
 "helm.sh/hook": "test-success"
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "shipyard-api-test" "containerNames" (list "shipyard-api-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 labels:
 {{ tuple $envAll "shipyard" "api-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
@@ -33,7 +34,7 @@ spec:
 nodeSelector:
 {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
 containers:
- - name: "{{ .Release.Name }}-shipyard-api-test"
+ - name: shipyard-api-test
 env:
 - name: 'SHIPYARD_URL'
 value: {{ tuple "shipyard" "internal" "api" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | quote }}
diff --git a/charts/shipyard/values.yaml b/charts/shipyard/values.yaml
index 4b037428..61d1336c 100644
--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
@@ -1,4 +1,3 @@
-# Copyright 2017 The Openstack-Helm Authors.
 # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
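Review bot: The pod's `metadata.name` in test-shipyard-api.yaml (first hunk) is now the fixed string `shipyard-api-test`, so two releases of this chart installed in the same namespace would both try to create a test pod with that name and the second would collide. Judging from the visible call, the annotation snippet only receives the literal `podName` and `containerNames` strings, so it looks as if only the container name in the second hunk has to be static. I would keep `name: "{{ .Release.Name }}-shipyard-api-test"` on the pod and keep the new `- name: shipyard-api-test` on the container. If the fixed pod name is deliberate, a short comment above it saying why would save the next reader the question.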
@@ -722,12 +721,35 @@ pod:
 mandatory_access_control:
 type: apparmor
 shipyard-api:
+ init: runtime/default
 shipyard-api: runtime/default
 airflow-web: runtime/default
 airflow-worker:
+ init: runtime/default
+ worker-perms: runtime/default
 airflow-worker: runtime/default
 airflow-scheduler: runtime/default
 airflow-logrotate: runtime/default
+ airflow-scheduler:
+ init: runtime/default
+ airflow-scheduler: runtime/default
+ shipyard-db-auxiliary:
+ init: runtime/default
+ shipyard-db-auxiliary: runtime/default
+ shipyard-db-init:
+ init: runtime/default
+ shipyard-db-init: runtime/default
+ shipyard-db-sync:
+ init: runtime/default
+ shipyard-db-sync: runtime/default
+ airflow-db-init:
+ init: runtime/default
+ airflow-db-init: runtime/default
+ airflow-db-sync:
+ init: runtime/default
+ airflow-db-sync: runtime/default
+ shipyard-api-test:
+ shipyard-api-test: runtime/default
 security_context:
 shipyard:
 pod:
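Review bot: Every key added under `mandatory_access_control` has to repeat, character for character, the `podName` and `containerNames` strings hard-coded in the templates, and nothing in values.yaml says so. The helm-toolkit snippet is not part of this patch, but if it skips names that have no entry here (as I believe it does), a typo or an operator override that drops a key would leave that container without a profile annotation and without any render error. I would add a comment above the map such as `# <podName>: {<container name>: <profile>}; names must match those passed to kubernetes_mandatory_access_control_annotation in templates/`. The enclosing `pod:` block starts before this hunk and continues past it.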