From 5c82e9d982f5a956f016d1344d0a717af2be43f5 Mon Sep 17 00:00:00 2001
From: Eric Harney
Date: Wed, 10 Jul 2024 17:45:42 -0400
Subject: [PATCH] Run cinder-api and scheduler as cinder user

Run cinder-api and cinder-scheduler as the cinder user. This reconfigures httpd with the necessary mount permissions to run as the cinder user.
---
 pkg/cinderapi/statefuleset.go | 3 ++-
 pkg/cinderscheduler/statefulset.go | 3 +--
 templates/cinder/config/cinder-api-config.json | 11 ++++++++---
 templates/cinder/config/httpd.conf | 1 +
 test/kuttl/common/assert_sample_deployment.yaml | 2 +-
 test/kuttl/common/assert_tls_sample_deployment.yaml | 2 ++
 6 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/pkg/cinderapi/statefuleset.go b/pkg/cinderapi/statefuleset.go
index 0cb7e234..60999653 100644
--- a/pkg/cinderapi/statefuleset.go
+++ b/pkg/cinderapi/statefuleset.go
@@ -41,6 +41,7 @@ func StatefulSet(
 	annotations map[string]string,
 ) (*appsv1.StatefulSet, error) {
 	runAsUser := int64(0)
+	cinderUser := int64(cinderv1beta1.CinderUserID)
 
 	livenessProbe := &corev1.Probe{
 		// TODO might need tuning
@@ -156,7 +157,7 @@ func StatefulSet(
 	Args: args,
 	Image: instance.Spec.ContainerImage,
 	SecurityContext: &corev1.SecurityContext{
-		RunAsUser: &runAsUser,
+		RunAsUser: &cinderUser,
 	},
 	Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
 	VolumeMounts: volumeMounts,
diff --git a/pkg/cinderscheduler/statefulset.go b/pkg/cinderscheduler/statefulset.go
index 87d9cd5f..8036967d 100644
--- a/pkg/cinderscheduler/statefulset.go
+++ b/pkg/cinderscheduler/statefulset.go
@@ -38,7 +38,6 @@ func StatefulSet(
 	labels map[string]string,
 	annotations map[string]string,
 ) *appsv1.StatefulSet {
-	rootUser := int64(0)
 	cinderUser := int64(cinderv1.CinderUserID)
 	cinderGroup := int64(cinderv1.CinderGroupID)
 
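Review bot: `runAsUser := int64(0)` is kept right above the new `cinderUser` line in the @@ -41 hunk of pkg/cinderapi/statefuleset.go, so some other container in this StatefulSet presumably still runs as UID 0 (the scheduler file drops its `rootUser` entirely, so it has no such remaining user). A reader of the commit title will assume cinder-api's pod is now unprivileged; a comment on that line naming which container still needs root and why would prevent both that assumption and an accidental deletion: `runAsUser := int64(0) // TODO(review): document which container still requires root`. The enclosing StatefulSet function continues outside the hunk.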
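Review bot: The SecurityContext rewritten in the @@ -156 hunk of pkg/cinderapi/statefuleset.go (and likewise the scheduler's @@ -112 hunk) sets only RunAsUser; the group is left to the image default even though the scheduler file already computes `cinderGroup`, and nothing tells the kubelet the container must not be root. Pinning both makes the drop of privilege enforceable rather than incidental: `RunAsUser: &cinderUser, RunAsGroup: &cinderGroup, RunAsNonRoot: &runAsNonRoot` with `runAsNonRoot := true` declared next to cinderUser. In the cinder-api file cinderGroup would need to be declared from CinderGroupID the same way the scheduler does; the ownership entries in cinder-api-config.json already assume a cinder:apache pairing, so the group chosen here should agree with them. The enclosing StatefulSet function continues outside both hunks.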
@@ -112,7 +111,7 @@ func StatefulSet(
 	Args: args,
 	Image: instance.Spec.ContainerImage,
 	SecurityContext: &corev1.SecurityContext{
-		RunAsUser: &rootUser,
+		RunAsUser: &cinderUser,
 	},
 	Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
 	VolumeMounts: volumeMounts,
diff --git a/templates/cinder/config/cinder-api-config.json b/templates/cinder/config/cinder-api-config.json
index 1812cce0..d7929108 100644
--- a/templates/cinder/config/cinder-api-config.json
+++ b/templates/cinder/config/cinder-api-config.json
@@ -16,13 +16,13 @@
         {
             "source": "/var/lib/config-data/merged/ssl.conf",
             "dest": "/etc/httpd/conf.d/ssl.conf",
-            "owner": "root",
+            "owner": "cinder",
             "perm": "0644"
         },
         {
             "source": "/var/lib/config-data/tls/certs/*",
             "dest": "/etc/pki/tls/certs/",
-            "owner": "root",
+            "owner": "cinder",
             "perm": "0640",
             "optional": true,
             "merge": true
@@ -30,7 +30,7 @@
         {
             "source": "/var/lib/config-data/tls/private/*",
             "dest": "/etc/pki/tls/private/",
-            "owner": "root",
+            "owner": "cinder",
             "perm": "0600",
             "optional": true,
             "merge": true
@@ -41,6 +41,11 @@
             "path": "/var/log/cinder",
             "owner": "cinder:apache",
             "recurse": true
+        },
+        {
+            "path": "/etc/httpd/run",
+            "owner": "cinder:apache",
+            "recurse": true
         }
     ]
 }
diff --git a/templates/cinder/config/httpd.conf b/templates/cinder/config/httpd.conf
index 73f69710..30430ead 100644
--- a/templates/cinder/config/httpd.conf
+++ b/templates/cinder/config/httpd.conf
@@ -19,6 +19,7 @@ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-A
 SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
 CustomLog /dev/stdout combined env=!forwarded
 CustomLog /dev/stdout proxy env=forwarded
+ErrorLog /dev/stdout
 
 # XXX: To disable SSL
 #Include conf.d/*.conf
diff --git a/test/kuttl/common/assert_sample_deployment.yaml b/test/kuttl/common/assert_sample_deployment.yaml
index d6e9c6e9..3cbb0c0e 100644
--- a/test/kuttl/common/assert_sample_deployment.yaml
+++ b/test/kuttl/common/assert_sample_deployment.yaml
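Review bot: In the @@ -16 hunk of cinder-api-config.json, ssl.conf is installed with `"perm": "0644"`, so a root-owned copy was already readable by the cinder user; giving the service user ownership of it means a compromised httpd process can rewrite its own TLS configuration, which root ownership would have prevented. Unless something in the container's startup needs to modify that file, keep `"owner": "root"` for ssl.conf and limit the ownership change to the entries httpd genuinely cannot read otherwise, the 0640 certificates in this hunk and the 0600 private keys in the @@ -30 hunk. If the config format accepts a `user:group` owner for config_files as it does in the permissions section (`cinder:apache`), a root-owned, group-readable key file would let even the private key stay non-writable by the service user.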
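Review bot: `ErrorLog /dev/stdout` in the @@ -19 hunk of httpd.conf sends the server error stream into the same stdout the two CustomLog lines already use, so log collectors can no longer tell access records from server errors; `ErrorLog /dev/stderr` keeps the two separable at no cost. A comment stating the motivation would also help the next reader, since the reason is presumably that the default error log under /etc/httpd/logs stops being writable once httpd runs as the cinder user rather than root: `# httpd no longer runs as root; write errors to the container stream instead of the default log file`.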
@@ -104,7 +104,7 @@ spec:
         timeoutSeconds: 5
       resources: {}
       securityContext:
-        runAsUser: 0
+        runAsUser: 42407
       terminationMessagePath: /dev/termination-log
       terminationMessagePolicy: File
       volumeMounts:
diff --git a/test/kuttl/common/assert_tls_sample_deployment.yaml b/test/kuttl/common/assert_tls_sample_deployment.yaml
index 94f6d15f..ab31d5b4 100644
--- a/test/kuttl/common/assert_tls_sample_deployment.yaml
+++ b/test/kuttl/common/assert_tls_sample_deployment.yaml
@@ -193,6 +193,8 @@ spec:
         name: combined-ca-bundle
         readOnly: true
         subPath: tls-ca-bundle.pem
+      securityContext:
+        runAsUser: 42407
     - command:
       - /usr/local/bin/container-scripts/healthcheck.py
       - scheduler
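Review bot: Both kuttl assertions (@@ -104 in assert_sample_deployment.yaml and @@ -193 in assert_tls_sample_deployment.yaml) hard-code `runAsUser: 42407`, which presumably is the value of CinderUserID in the API package; if that constant ever changes, the tests fail with nothing pointing at where the number came from. A short comment beside each literal keeps the two places tied to their source: `runAsUser: 42407 # must match CinderUserID`. The asserted securityContext only covers runAsUser, so if the operator is later changed to also pin runAsGroup or runAsNonRoot, these expectations should be extended in the same commit.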