authorCrank, Daniel (dc6350) <dc6350@att.com>2018-10-23 13:19:31 -0500
committerCrank, Daniel (dc6350) <dc6350@att.com>2018-12-07 16:17:11 -0600
commit2aaca3f60bbee0d3eb1acde1f0eaa5295b622cb7 (patch)
tree94a35478e1f0988fad953fd7a8936c9084afdd80
parent9b527b4b99ac773a1b3c7ed39d43fa2d18534efb (diff)
Apparmor profile for MaaS
All containers were already running in non-privileged containers except region-controller and rack-controller. Both of those require privileged containers but can still function with the docker-default apparmor profile applied. This PS uses the new, more generic HTK snippet name (see https://review.openstack.org/613703). Change-Id: Icaa720f05b18f4264ae7098b427fe5f639cba2c6
Notes
Notes (review): Code-Review+2: Scott Hussey <sthussey@att.com> Code-Review+2: Aaron Sheffield <ajs@sheffieldfamily.net> Workflow+1: Aaron Sheffield <ajs@sheffieldfamily.net> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Fri, 07 Dec 2018 22:47:12 +0000 Reviewed-on: https://review.openstack.org/612772 Project: openstack/airship-maas Branch: refs/heads/master
-rw-r--r--charts/maas/templates/statefulset-rack.yaml1
-rw-r--r--charts/maas/templates/statefulset-region.yaml1
-rw-r--r--charts/maas/values.yaml6
-rwxr-xr-xtools/helm_tk.sh2
4 files changed, 9 insertions, 1 deletions
diff --git a/charts/maas/templates/statefulset-rack.yaml b/charts/maas/templates/statefulset-rack.yaml
index 47a5cba..ea1dd0b 100644
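--- a/charts/maas/templates/statefulset-rack.yaml
+++ b/charts/maas/templates/statefulset-rack.yaml
@@ -42,6 +42,7 @@ spec:
  annotations:
  configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
  configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "maas-rack" "containerNames" (list "maas-rack") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
  spec:
  serviceAccountName: {{ $serviceAccountName }}
  affinity: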
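Review bot: The `containerNames` list on the added annotation line names only `maas-rack`, so any init container or sidecar defined in this pod would start without an AppArmor annotation; the container list lies outside the hunk, so this needs checking against the full template. The same applies to the `(list "maas-region")` line added in statefulset-region.yaml. The profile itself appears to come from `pod.mandatory_access_control` in values.yaml, and a one-line template comment above the include would make that link visible, for example `{{/* AppArmor profile per container is read from .Values.pod.mandatory_access_control */}}`.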
diff --git a/charts/maas/templates/statefulset-region.yaml b/charts/maas/templates/statefulset-region.yaml
index 7593761..a165118 100644
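--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
@@ -36,6 +36,7 @@ spec:
  labels:
 {{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
  annotations:
+{{ dict "envAll" $envAll "podName" "maas-region" "containerNames" (list "maas-region") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
  spec:
  serviceAccountName: {{ $serviceAccountName }}
  affinity: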
diff --git a/charts/maas/values.yaml b/charts/maas/values.yaml
index f9a2c01..1facbdf 100644
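--- a/charts/maas/values.yaml
+++ b/charts/maas/values.yaml
@@ -230,6 +230,12 @@ secrets:
  ssh_key: ssh-private-key
 
 pod:
+ mandatory_access_control:
+ type: apparmor
+ maas-rack:
+ maas-rack: localhost/docker-default
+ maas-region:
+ maas-region: localhost/docker-default
  affinity:
  anti:
  type: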
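Review bot: `localhost/docker-default` on new lines 236 and 238 only resolves on nodes where a profile of that name is already loaded into the kernel, which is normally done by the Docker daemon; on a node without it the kubelet is expected to refuse to start the pod. A comment above `mandatory_access_control:` should state that dependency, for example `# requires the docker-default AppArmor profile to be loaded on every node that can schedule maas-rack / maas-region`. Because the commit message says both containers remain privileged, it is also worth confirming on a running pod that the profile is enforced rather than left unconfined; `cat /proc/1/attr/current` inside the container should report `docker-default (enforce)`.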
diff --git a/tools/helm_tk.sh b/tools/helm_tk.sh
index 9e3e6a3..e0b6a93 100755
--- a/tools/helm_tk.sh
+++ b/tools/helm_tk.sh
@@ -18,7 +18,7 @@
18HELM=$1 18HELM=$1
19HTK_REPO=${HTK_REPO:-"https://github.com/openstack/openstack-helm-infra"} 19HTK_REPO=${HTK_REPO:-"https://github.com/openstack/openstack-helm-infra"}
20HTK_PATH=${HTK_PATH:-""} 20HTK_PATH=${HTK_PATH:-""}
21HTK_STABLE_COMMIT=${HTK_COMMIT:-"4cd00f3ac539f625e7cd9733ae46232b2082027a"} 21HTK_STABLE_COMMIT=${HTK_COMMIT:-"5316586d9efeec2c1e2c5f282fc03b51c3fee9aa"}
22DEP_UP_LIST=${DEP_UP_LIST:-"maas"} 22DEP_UP_LIST=${DEP_UP_LIST:-"maas"}
23 23
24if [[ ! -z $(echo $http_proxy) ]] 24if [[ ! -z $(echo $http_proxy) ]]