Merge branch 'master' into CASM-4679

Cray-HPE · May 22, 2024 · cc91398 · cc91398
2 parents f4a0b32 + 377723b
commit cc91398
Show file tree

Hide file tree

Showing 10 changed files with 82 additions and 63 deletions.
diff --git a/kubernetes/cray-opa/Chart.yaml b/kubernetes/cray-opa/Chart.yaml
@@ -1,7 +1,7 @@
 #
 # MIT License
 #
-# (C) Copyright 2022-2023 Hewlett Packard Enterprise Development LP
+# (C) Copyright 2022-2024 Hewlett Packard Enterprise Development LP
 #
 # Permission is hereby granted, free of charge, to any person obtaining a
 # copy of this software and associated documentation files (the "Software"),
@@ -23,7 +23,7 @@
 #
 apiVersion: v2
 name: cray-opa
-version: 1.33.1
+version: 1.34.3
 description: Cray Open Policy Agent
 keywords:
   - opa
@@ -33,9 +33,9 @@ sources:
 maintainers:
   - name: bo-quan
   - name: ndavidson-hpe
-appVersion: 0.52.0
+appVersion: 0.62.0
 annotations:
   artifacthub.io/images: |-
     - name: cray-opa
-      image: artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa:0.52.0-envoy-rootless
+      image: artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa:0.62.0-envoy-rootless
   artifacthub.io/license: MIT
diff --git a/...rnetes/cray-opa/templates/deployment.yaml → kubernetes/cray-opa/templates/daemonset.yaml b/...rnetes/cray-opa/templates/deployment.yaml → kubernetes/cray-opa/templates/daemonset.yaml
@@ -1,7 +1,7 @@
 {{/*
 MIT License
 
-(C) Copyright 2021-2022 Hewlett Packard Enterprise Development LP
+(C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP
 
 Permission is hereby granted, free of charge, to any person obtaining a
 copy of this software and associated documentation files (the "Software"),
@@ -22,29 +22,28 @@ ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 OTHER DEALINGS IN THE SOFTWARE.
 */}}
 {{- range $name, $options:= .Values.ingresses }}
-{{ $uuid := uuidv4 }}
 ---
 apiVersion: apps/v1
-kind: Deployment
+kind: DaemonSet
 metadata:
   name: cray-opa-{{ $name }}
   namespace: {{ $.Release.Namespace }}
 spec:
-  replicas: {{ $.Values.opa.replicas }}
-  strategy:
+  updateStrategy:
     {{- $.Values.opa.strategy | toYaml | nindent 4}}
   selector:
     matchLabels:
+      daemonset: cray-opa-{{ $name }}
       app.kubernetes.io/name: cray-opa-{{ $name }}
       app.kubernetes.io/instance: {{ $.Release.Name }}
       app.kubernetes.io/managed-by: {{ $.Release.Service }}
   template:
     metadata:
       labels:
+        daemonset: cray-opa-{{ $name }}
         app.kubernetes.io/name: cray-opa-{{ $name }}
         app.kubernetes.io/instance: {{ $.Release.Name }}
         app.kubernetes.io/managed-by: {{ $.Release.Service }}
-        deployment/uuid: {{ $uuid }}
     spec:
       containers:
       - image: {{ $.Values.image.repository }}:{{ $.Values.image.tag }}
@@ -151,34 +150,6 @@ spec:
       - configMap:
           name: cray-configmap-ca-public-key
         name: fetch-jwt-certs-ca-vol
-      affinity:
-      {{- if eq $.Values.affinity.default "preferred" }}
-        podAntiAffinity:
-           preferredDuringSchedulingIgnoredDuringExecution:
-           - weight: 1
-             podAffinityTerm:
-               labelSelector:
-                 matchExpressions:
-                 - key: app.kubernetes.io/name
-                   operator: In
-                   values:
-                   - cray-opa-{{ $name }}
-               topologyKey: kubernetes.io/hostname
-      {{- end }}
-      {{- if eq $.Values.affinity.default "required" }}
-        podAntiAffinity:
-           requiredDuringSchedulingIgnoredDuringExecution:
-             - labelSelector:
-                 matchExpressions:
-                 - key: deployment/uuid
-                   operator: In
-                   values:
-                   - {{ $uuid }}
-               topologyKey: kubernetes.io/hostname
-      {{- end }}
-      {{ if $options.affinity }}
-{{ toYaml $options.affinity | indent 8 }}
-      {{- end }}
       nodeSelector:
 {{ toYaml $.Values.nodeSelector | indent 8 }}
       tolerations:

diff --git a/kubernetes/cray-opa/templates/policies/keycloak-admin.yaml b/kubernetes/cray-opa/templates/policies/keycloak-admin.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright 2021-2023 Hewlett Packard Enterprise Development LP
+Copyright 2021-2024 Hewlett Packard Enterprise Development LP
 */ -}}
 {{- range $name, $options := .Values.ingresses }}
 {{- if $options.policies.keycloak.admin }}
@@ -172,6 +172,7 @@ data:
         {"method": "GET",  "path": `^/apis/bos/v2/components$`}, # GET allows a listing of all active components states
         {"method": "GET",  "path": `^/apis/bos/v2/components/.*$`}, # GET information on an individual component
         {"method": "GET",  "path": `^/apis/bos/v2/healthz$`}, # Allow tenant admins to know the overall health of the deployment
+        {"method": "GET",  "path": `^/apis/bos/v2/sessions$`}, # GET BOSv2 Sessions (list all)
         {"method": "POST", "path": `^/apis/bos/v2/sessions$`}, # POST Creates a new BOSv2 Session
         {"method": "GET",  "path": `^/apis/bos/v2/sessions/.*$`}, # GET allows monitoring status of individual sessions
         {"method": "GET",  "path": `^/apis/bos/v2/sessions/.*?/status$`}, # Obtain more detailed status information for an individual session

diff --git a/kubernetes/cray-opa/templates/policies/spire.yaml b/kubernetes/cray-opa/templates/policies/spire.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright 2021-2023 Hewlett Packard Enterprise Development LP
+Copyright 2021-2024 Hewlett Packard Enterprise Development LP
 */ -}}
 {{- range $name, $options := .Values.ingresses }}
 {{- if $options.policies.spire }}
@@ -80,11 +80,15 @@ data:
           # These pass xnames via POST. This will be removed once the v2 API is being used.
           {"method": "POST", "path": `^/apis/hmnfd/hmi/v1/subscribe$`},
 
-          #SMD -> GET everything,  DVS needs SoftwareStatus.  REVOKED permission to update BulkSoftwareStatus
+          # SMD -> GET everything,  DVS needs SoftwareStatus.  REVOKED permission to update BulkSoftwareStatus
           {"method": "GET",   "path": `^/apis/smd/hsm/v2/.*$`},
           {"method": "HEAD",  "path": `^/apis/smd/hsm/v2/.*$`},
 
-          #HMNFD -> subscribe only, cannot create state change notifications
+          # SLS -> GET - node map IP addresses
+          {"method": "GET",   "path": `^/apis/sls/v1/.*$`},
+          {"method": "HEAD",  "path": `^/apis/sls/v1/.*$`},
+
+          # HMNFD -> subscribe only, cannot create state change notifications
           {"method": "GET",   "path": `^/apis/hmnfd/hmi/v1/subscriptions$`},
           {"method": "HEAD",  "path": `^/apis/hmnfd/hmi/v1/subscriptions$`},
           {"method": "PATCH", "path": `^/apis/hmnfd/hmi/v1/subscribe$`},
@@ -117,6 +121,11 @@ data:
             {"method": "HEAD", "path": `^/apis/jackaloped/.*$`},
             {"method": "POST", "path": `^/apis/jackaloped/.*$`},
             {"method": "DELETE", "path": `^/apis/jackaloped/.*$`},
+            # ogopogod - DRC2
+            {"method": "GET", "path": `^/apis/ogopogod/.*$`},
+            {"method": "HEAD", "path": `^/apis/ogopogod/.*$`},
+            {"method": "POST", "path": `^/apis/ogopogod/.*$`},
+            {"method": "DELETE", "path": `^/apis/ogopogod/.*$`},
         ],
         "heartbeat": [
         {{- if and (eq $.Values.opa.xnamePolicy.heartbeat true) (eq $.Values.opa.xnamePolicy.enabled true) }}
@@ -126,6 +135,9 @@ data:
           {"method": "POST", "path": `^/apis/hbtd/hmi/v1/heartbeat/.*$`},
           {{- end }}
           {"method": "GET", "path": `^/apis/hbtd/hmi/v1/params$`},
+        ],
+        "sbps-marshal": [
+          {"method": "GET", "path": `^/apis/ims/v3/images$`},
         ]
       }
 
@@ -194,6 +206,7 @@ data:
           "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/XNAME/workload/heartbeat": spire_methods["heartbeat"],
           "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/XNAME/workload/orca": spire_methods["dvs"],
           "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/XNAME/workload/tpm-provisioner": spire_methods["tpm-provisioner"],
+          "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/XNAME/workload/sbps-marshal": spire_methods["sbps-marshal"],  
           "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/XNAME/workload/cfs-state-reporter": spire_methods["cfs"],
           "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/XNAME/workload/heartbeat": spire_methods["heartbeat"],
           "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/XNAME/workload/tpm-provisioner": spire_methods["tpm-provisioner"],
@@ -263,6 +276,7 @@ data:
         "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/workload/heartbeat": spire_methods["heartbeat"],
         "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/workload/orca": spire_methods["dvs"],
         "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/workload/tpm-provisioner": spire_methods["tpm-provisioner"],
+        "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/ncn/workload/sbps-marshal": spire_methods["sbps-marshal"],
         "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/workload/cfs-state-reporter": spire_methods["cfs"],
         "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/workload/heartbeat": spire_methods["heartbeat"],
         "spiffe://{{ $.Values.jwtValidation.spire.trustDomain }}/storage/workload/tpm-provisioner": spire_methods["tpm-provisioner"],

diff --git a/kubernetes/cray-opa/templates/service.yaml b/kubernetes/cray-opa/templates/service.yaml
@@ -1,7 +1,7 @@
 {{/*
 MIT License
 
-(C) Copyright 2021-2022 Hewlett Packard Enterprise Development LP
+(C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP
 
 Permission is hereby granted, free of charge, to any person obtaining a
 copy of this software and associated documentation files (the "Software"),
@@ -33,6 +33,7 @@ metadata:
     app.kubernetes.io/instance: {{ $.Release.Name }}
     app.kubernetes.io/managed-by: {{ $.Release.Service }}
 spec:
+  internalTrafficPolicy: {{ $.Values.opa.internalTrafficPolicy }}
   ports:
   - name: http
     port: {{ $.Values.opa.port }}

diff --git a/kubernetes/cray-opa/tests/opa/Dockerfile b/kubernetes/cray-opa/tests/opa/Dockerfile
@@ -1,7 +1,7 @@
 #
 # MIT License
 #
-# (C) Copyright 2021-2022 Hewlett Packard Enterprise Development LP
+# (C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP
 #
 # Permission is hereby granted, free of charge, to any person obtaining a
 # copy of this software and associated documentation files (the "Software"),
@@ -37,7 +37,7 @@ RUN cd src/run_tests && go mod download
 RUN cd src/run_tests && go build .
 RUN ls src/run_tests
 
-FROM artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa:0.52.0-envoy-rootless
+FROM artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa:0.62.0-envoy-rootless
 WORKDIR /tmp
 COPY --from=builder --chown=1000:1000 /go/src/run_tests/run_tests .
 COPY --chown=1000:1000 tests/opa/certificate_authority.crt /jwtValidationFetchTls/certificate_authority.crt
diff --git a/kubernetes/cray-opa/tests/opa/keycloak-admin_test.rego.tpl b/kubernetes/cray-opa/tests/opa/keycloak-admin_test.rego.tpl
@@ -1,4 +1,4 @@
-# Copyright 2021-2023 Hewlett Packard Enterprise Development LP
+# Copyright 2021-2024 Hewlett Packard Enterprise Development LP
 
 package istio.authz
 ## HOW TO DO UNIT TESTING
@@ -188,6 +188,7 @@ test_tenant_admin {
   not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/components", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
   not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/components/foo", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
   not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/healthz", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
+  not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/sessions", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
   not allow.http_status with input as {"attributes": {"request": {"http": {"method": "POST", "path": "/apis/bos/v2/sessions", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
   not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/sessions/foo", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}
   not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/bos/v2/sessions/foo/status", "headers": {"authorization": "Bearer {{ .tenantAdminToken }}", "cray-tenant-name": "vcluster-blue"}}}}}

diff --git a/kubernetes/cray-opa/tests/opa/run_tests/run_tests.go b/kubernetes/cray-opa/tests/opa/run_tests/run_tests.go
@@ -351,6 +351,16 @@ func main() {
 	}
 	fmt.Println(spireSub, ":", spireNcnTPMProvisioner)
 
+	spireSub = spireSubNCNPrefix + "sbps-marshal"
+        args = createTokenArgs{
+                issuer: spireIssuer, aud: systemComputeAud, sub: spireSub,
+        }
+        spireNcnSBPSMarshal, err := tc.create(args)
+        if err != nil {
+                log.Fatal(err)
+        }
+        fmt.Println(spireSub, ":", spireNcnSBPSMarshal)
+
 	spireSub = spireSubComputePrefix + "cfs-state-reporter"
 	args = createTokenArgs{
 		issuer: spireIssuer, aud: systemComputeAud, sub: spireSub,
@@ -625,6 +635,7 @@ func main() {
 				"heartbeat":          spireNcnHeartbeat,
 				"orca":               spireNcnOrca,
 				"tpm_provisioner":    spireNcnTPMProvisioner,
+				"sbps_marshal":       spireNcnSBPSMarshal,
 			},
 			"compute": map[string]interface{}{
 				"cfs_state_reporter":   spireComputeCfsStateReporter,