Merge pull request #413 from fmount/httpd_scc
Run neutron httpd sidecar container using NeutronUID
openshift-merge-bot[bot] authored Sep 30, 2024
2 parents 337ebd0 + 696eada commit 85910cc
Showing 9 changed files with 85 additions and 50 deletions.
13 changes: 7 additions & 6 deletions pkg/neutronapi/deployment.go
Expand Up @@ -30,8 +30,7 @@ import (
)

const (
ServiceCommand = "/usr/local/bin/kolla_start"
NeutronAPIHttpdCommand = "/usr/sbin/httpd"
ServiceCommand = "/usr/local/bin/kolla_start"
)

// Deployment func
Expand All @@ -58,7 +57,6 @@ func Deployment(
InitialDelaySeconds: 5,
}
args := []string{"-c", ServiceCommand}
httpdArgs := []string{"-DFOREGROUND"}

//
// https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
Expand Down Expand Up @@ -141,6 +139,9 @@ func Deployment(
Labels: labels,
},
Spec: corev1.PodSpec{
SecurityContext: &corev1.PodSecurityContext{
FSGroup: ptr.To(NeutronUID),
},
ServiceAccountName: instance.RbacResourceName(),
Containers: []corev1.Container{
{
Expand All @@ -157,10 +158,10 @@ func Deployment(
},
{
Name: ServiceName + "-httpd",
Command: []string{NeutronAPIHttpdCommand},
Args: httpdArgs,
Command: []string{"/bin/bash"},
Args: args,
Image: instance.Spec.ContainerImage,
SecurityContext: getNeutronHttpdSecurityContext(),
SecurityContext: getNeutronSecurityContext(),
Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
VolumeMounts: httpdVolumeMounts,
Resources: instance.Spec.Resources,
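Review bot: The httpd sidecar's real command is no longer visible in this file: `Command: []string{"/bin/bash"}` with the shared `args` only launches kolla_start, and the actual `/usr/sbin/httpd -DFOREGROUND` now lives in templates/neutronapi/config/neutron-httpd-config.json with nothing in deployment.go pointing there. A comment on the sidecar entry such as `// Started through kolla_start; the httpd command and config-file ownership are defined in templates/neutronapi/config/neutron-httpd-config.json.` would keep the two in sync. Note also that `FSGroup: ptr.To(NeutronUID)` is set on the PodSecurityContext, so it applies to every volume in the pod, not only the sidecar's mounts, which is presumably intended but worth a one-line comment. Deployment's body starts and ends outside the hunks.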
22 changes: 7 additions & 15 deletions pkg/neutronapi/scc.go
@@ -1,28 +1,20 @@
package neutronapi

import corev1 "k8s.io/api/core/v1"
import (
corev1 "k8s.io/api/core/v1"
"k8s.io/utils/ptr"
)

func getNeutronSecurityContext() *corev1.SecurityContext {
trueVal := true
runAsUser := int64(NeutronUID)
runAsGroup := int64(NeutronGID)

return &corev1.SecurityContext{
RunAsUser: &runAsUser,
RunAsGroup: &runAsGroup,
RunAsNonRoot: &trueVal,
RunAsUser: ptr.To(NeutronUID),
RunAsGroup: ptr.To(NeutronGID),
RunAsNonRoot: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{
"MKNOD",
},
},
}
}

func getNeutronHttpdSecurityContext() *corev1.SecurityContext {
runAsUser := int64(0)

return &corev1.SecurityContext{
RunAsUser: &runAsUser,
}
}
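Review bot: getNeutronSecurityContext is now the security context for both the neutron-api container and the httpd sidecar, but it still has no doc comment, and the new version appears to keep a stray blank line between the signature and `return &corev1.SecurityContext{`. Suggested comment: `// getNeutronSecurityContext returns the SecurityContext shared by the neutron-api and httpd sidecar containers: run as NeutronUID/NeutronGID, non-root, with MKNOD dropped.` Since the sidecar no longer runs as root, this is also the natural place to consider `AllowPrivilegeEscalation: ptr.To(false)`, but only after confirming that kolla_start in the image does not rely on sudo/setuid to install its config files, which the commit does not show.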
19 changes: 7 additions & 12 deletions pkg/neutronapi/volumes.go
Expand Up @@ -60,25 +60,20 @@ func GetVolumeMounts(serviceName string, extraVol []neutronv1beta1.NeutronExtraV
}
return res

} // GetHttpdVolumeMount - Returns the VolumeMounts used by the httpd sidecar
}

// GetHttpdVolumeMount - Returns the VolumeMounts used by the httpd sidecar
func GetHttpdVolumeMount() []corev1.VolumeMount {
return []corev1.VolumeMount{
{
Name: "httpd-config",
MountPath: "/etc/httpd/conf/httpd.conf",
SubPath: "httpd.conf",
ReadOnly: true,
},
{
Name: "httpd-config",
MountPath: "/etc/httpd/conf.d/10-neutron.conf",
SubPath: "10-neutron-httpd.conf",
MountPath: "/var/lib/config-data/default",
ReadOnly: true,
},
{
Name: "httpd-config",
MountPath: "/etc/httpd/conf.d/ssl.conf",
SubPath: "ssl.conf",
Name: "config",
MountPath: "/var/lib/kolla/config_files/config.json",
SubPath: "neutron-httpd-config.json",
ReadOnly: true,
},
}
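Review bot: GetHttpdVolumeMount now mounts the whole httpd-config volume at /var/lib/config-data/default, so the file names the sidecar depends on (httpd.conf, 10-neutron-httpd.conf, ssl.conf) are no longer visible here; they are resolved by the source paths in templates/neutronapi/config/neutron-httpd-config.json. A comment on the first mount such as `// Consumed by kolla_set_configs through neutron-httpd-config.json; keep the key names in sync with that template.` would make the coupling explicit. Before this change a missing ConfigMap key failed the subPath mount at pod start, whereas a directory mount tolerates it silently. GetHttpdVolumeMount's closing brace is outside the hunk.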
4 changes: 2 additions & 2 deletions templates/neutronapi/config/neutron-api-config.json
Expand Up @@ -29,15 +29,15 @@
{
"source": "/var/lib/config-data/tls/certs/*",
"dest": "/etc/pki/tls/certs/",
"owner": "root:neutron",
"owner": "neutron:neutron",
"perm": "0640",
"optional": true,
"merge": true
},
{
"source": "/var/lib/config-data/tls/private/*",
"dest": "/etc/pki/tls/private/",
"owner": "root:neutron",
"owner": "neutron:neutron",
"perm": "0640",
"optional": true,
"merge": true
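Review bot: With the TLS private key now owned by neutron:neutron, `"perm": "0640"` on the /etc/pki/tls/private/ entry still grants read access to the whole neutron group, while the only reader visible in this commit is the neutron user that both the API container and the httpd sidecar run as; `"perm": "0600"` for the private-key entry would be the least-privilege choice, and the same applies to the matching entry in templates/neutronapi/config/neutron-httpd-config.json. Keeping 0640 is defensible if another group member inside the image needs the key, but nothing in the diff shows one. The certs entry can reasonably stay at 0640.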
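--- a/templates/neutronapi/config/neutron-httpd-config.json
+++ b/templates/neutronapi/config/neutron-httpd-config.json
@@ -0,0 +1,49 @@
+{
+"command": "/usr/sbin/httpd -DFOREGROUND",
+"config_files": [
+{
+"source": "/var/lib/config-data/tls/certs/*",
+"dest": "/etc/pki/tls/certs/",
+"owner": "neutron:neutron",
+"perm": "0640",
+"optional": true,
+"merge": true
+},
+{
+"source": "/var/lib/config-data/tls/private/*",
+"dest": "/etc/pki/tls/private/",
+"owner": "neutron:neutron",
+"perm": "0640",
+"optional": true,
+"merge": true
+},
+{
+"source": "/var/lib/config-data/default/httpd.conf",
+"dest": "/etc/httpd/conf/httpd.conf",
+"owner": "neutron:apache",
+"optional": true,
+"perm": "0644"
+},
+{
+"source": "/var/lib/config-data/default/10-neutron-httpd.conf",
+"dest": "/etc/httpd/conf.d/10-neutron.conf",
+"owner": "neutron:apache",
+"optional": true,
+"perm": "0644"
+},
+{
+"source": "/var/lib/config-data/default/ssl.conf",
+"dest": "/etc/httpd/conf.d/ssl.conf",
+"owner": "neutron:apache",
+"optional": true,
+"perm": "0644"
+}
+],
+"permissions": [
+{
+"path": "/etc/httpd/run",
+"owner": "neutron:apache",
+"recurse": true
+}
+]
+}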
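Review bot: The three httpd configuration entries are marked `"optional": true`, so if the httpd-config ConfigMap lacks httpd.conf, 10-neutron-httpd.conf or ssl.conf, kolla_set_configs skips them and httpd starts from the image's stock configuration instead of failing fast; before this change the subPath mounts in volumes.go made a missing key a pod start failure. If the operator always renders these three files, as the old subPath mounts implied, dropping `"optional": true` from those entries keeps the failure loud and visible in the pod status rather than as a probe timeout. The TLS entries are copied verbatim from neutron-api-config.json, so any later change to ownership or permissions has to be made in both templates.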
1 change: 1 addition & 0 deletions templates/neutronapi/httpd/httpd.conf
Expand Up @@ -20,5 +20,6 @@ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-A
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
ErrorLog /dev/stdout

Include conf.d/10-neutron.conf
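Review bot: `ErrorLog /dev/stdout` is added without saying why; the likely reason is that httpd now runs as NeutronUID and can no longer write the default logs/error_log under /etc/httpd, which is root-owned in the image. A comment above the line, `# httpd runs unprivileged (NeutronUID) and cannot write /var/log/httpd; send errors to the container log`, would record that. Writing errors to /dev/stderr instead would keep them distinguishable from the access log lines already going to stdout when the container log is collected.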
2 changes: 1 addition & 1 deletion test/functional/neutronapi_controller_test.go
Expand Up @@ -869,7 +869,7 @@ var _ = Describe("NeutronAPI controller", func() {
nHttpdProxyContainer := deployment.Spec.Template.Spec.Containers[1]
Expect(nHttpdProxyContainer.LivenessProbe.HTTPGet.Port.IntVal).To(Equal(int32(9696)))
Expect(nHttpdProxyContainer.ReadinessProbe.HTTPGet.Port.IntVal).To(Equal(int32(9696)))
Expect(nHttpdProxyContainer.VolumeMounts).To(HaveLen(3))
Expect(nHttpdProxyContainer.VolumeMounts).To(HaveLen(2))
Expect(nHttpdProxyContainer.Image).To(Equal(util.GetEnvVar("RELATED_IMAGE_NEUTRON_API_IMAGE_URL_DEFAULT", neutronv1.NeutronAPIContainerImage)))
})
})
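Review bot: The updated assertion at `HaveLen(2)` only tracks the mount count; nothing in this test verifies what the commit actually changes, namely that the httpd sidecar now runs as NeutronUID rather than root and is started through kolla_start. Adding `Expect(*nHttpdProxyContainer.SecurityContext.RunAsUser).To(Equal(int64(42435)))` (preferably via the NeutronUID constant rather than the literal) and `Expect(nHttpdProxyContainer.Command).To(Equal([]string{"/bin/bash"}))` would catch a regression back to UID 0. The enclosing It block starts outside the hunk.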
7 changes: 5 additions & 2 deletions test/kuttl/common/assert_sample_deployment.yaml
Expand Up @@ -86,7 +86,10 @@ spec:
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: FallbackToLogsOnError
- command:
- /usr/sbin/httpd
- /bin/bash
args:
- -c
- /usr/local/bin/kolla_start
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
Expand All @@ -111,7 +114,7 @@ spec:
timeoutSeconds: 30
resources: {}
securityContext:
runAsUser: 0
runAsUser: 42435
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: FallbackToLogsOnError
schedulerName: default-scheduler
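Review bot: The securityContext assertion in the second hunk only pins `runAsUser: 42435`; the deployment code now also sets runAsGroup, runAsNonRoot and the dropped MKNOD capability for this container, and none of those are asserted, so a regression that restores UID 0 would be caught but one that drops runAsNonRoot would not. Adding `runAsNonRoot: true` and `runAsGroup: <NeutronGID value>` under the same securityContext block would make the kuttl assertion match what the commit intends. The GID value is not visible in this diff.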
18 changes: 6 additions & 12 deletions test/kuttl/tests/neutron_tls/01-assert.yaml
Expand Up @@ -47,22 +47,16 @@ spec:
readOnly: true
subPath: tls-ca-bundle.pem
- args:
- -DFOREGROUND
command:
- /usr/sbin/httpd
- -c
- /usr/local/bin/kolla_start
volumeMounts:
- mountPath: /etc/httpd/conf/httpd.conf
name: httpd-config
readOnly: true
subPath: httpd.conf
- mountPath: /etc/httpd/conf.d/10-neutron.conf
- mountPath: /var/lib/config-data/default
name: httpd-config
readOnly: true
subPath: 10-neutron-httpd.conf
- mountPath: /etc/httpd/conf.d/ssl.conf
name: httpd-config
- mountPath: /var/lib/kolla/config_files/config.json
name: config
readOnly: true
subPath: ssl.conf
subPath: neutron-httpd-config.json
- mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
name: combined-ca-bundle
readOnly: true
