From 696eadac11ab9fd207988d60baedcda5e8d8c839 Mon Sep 17 00:00:00 2001 From: Francesco Pantano Date: Thu, 19 Sep 2024 13:56:56 +0200 Subject: [PATCH] Run neutron httpd sidecar container using NeutronUID instead or root This patch moves the httpd sidecar container under kolla management and by doing this we are also able to not run it as root and use the same NeutronUID/NeutronGID used for the API. Signed-off-by: Francesco Pantano --- pkg/neutronapi/deployment.go | 13 ++--- pkg/neutronapi/scc.go | 22 +++------ pkg/neutronapi/volumes.go | 19 +++---- .../neutronapi/config/neutron-api-config.json | 4 +- .../config/neutron-httpd-config.json | 49 +++++++++++++++++++ templates/neutronapi/httpd/httpd.conf | 1 + test/functional/neutronapi_controller_test.go | 2 +- .../common/assert_sample_deployment.yaml | 7 ++- test/kuttl/tests/neutron_tls/01-assert.yaml | 18 +++---- 9 files changed, 85 insertions(+), 50 deletions(-) create mode 100644 templates/neutronapi/config/neutron-httpd-config.json diff --git a/pkg/neutronapi/deployment.go b/pkg/neutronapi/deployment.go index 4d64d3e7..c65d21c6 100644 --- a/pkg/neutronapi/deployment.go +++ b/pkg/neutronapi/deployment.go @@ -30,8 +30,7 @@ import ( ) const ( - ServiceCommand = "/usr/local/bin/kolla_start" - NeutronAPIHttpdCommand = "/usr/sbin/httpd" + ServiceCommand = "/usr/local/bin/kolla_start" ) // Deployment func @@ -58,7 +57,6 @@ func Deployment( InitialDelaySeconds: 5, } args := []string{"-c", ServiceCommand} - httpdArgs := []string{"-DFOREGROUND"} // // https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ @@ -141,6 +139,9 @@ func Deployment( Labels: labels, }, Spec: corev1.PodSpec{ + SecurityContext: &corev1.PodSecurityContext{ + FSGroup: ptr.To(NeutronUID), + }, ServiceAccountName: instance.RbacResourceName(), Containers: []corev1.Container{ { 
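Review bot: `FSGroup: ptr.To(NeutronUID)` in the new PodSecurityContext passes a user ID where Kubernetes expects a group ID; the container-level context in scc.go pairs `RunAsUser: NeutronUID` with `RunAsGroup: NeutronGID`, so the pod-level field should read `FSGroup: ptr.To(NeutronGID)`. If both constants hold the same number today this is harmless, but it breaks silently the moment the GID diverges, because mounted volumes would then be group-owned by a group neither process runs with. Consider also setting `RunAsNonRoot: ptr.To(true)` at pod level so any container added later without its own securityContext inherits the non-root requirement instead of defaulting to the image user. The enclosing Deployment function starts and ends outside this hunk.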
@@ -157,10 +158,10 @@ func Deployment( }, { Name: ServiceName + "-httpd", - Command: []string{NeutronAPIHttpdCommand}, - Args: httpdArgs, + Command: []string{"/bin/bash"}, + Args: args, Image: instance.Spec.ContainerImage, - SecurityContext: getNeutronHttpdSecurityContext(), + SecurityContext: getNeutronSecurityContext(), Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), VolumeMounts: httpdVolumeMounts, Resources: instance.Spec.Resources, diff --git a/pkg/neutronapi/scc.go b/pkg/neutronapi/scc.go index a4b5f780..1c1568fa 100644 --- a/pkg/neutronapi/scc.go +++ b/pkg/neutronapi/scc.go @@ -1,16 +1,16 @@ package neutronapi -import corev1 "k8s.io/api/core/v1" +import ( + corev1 "k8s.io/api/core/v1" + "k8s.io/utils/ptr" +) func getNeutronSecurityContext() *corev1.SecurityContext { - trueVal := true - runAsUser := int64(NeutronUID) - runAsGroup := int64(NeutronGID) return &corev1.SecurityContext{ - RunAsUser: &runAsUser, - RunAsGroup: &runAsGroup, - RunAsNonRoot: &trueVal, + RunAsUser: ptr.To(NeutronUID), + RunAsGroup: ptr.To(NeutronGID), + RunAsNonRoot: ptr.To(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{ "MKNOD", @@ -18,11 +18,3 @@ func getNeutronSecurityContext() *corev1.SecurityContext { }, } } - -func getNeutronHttpdSecurityContext() *corev1.SecurityContext { - runAsUser := int64(0) - - return &corev1.SecurityContext{ - RunAsUser: &runAsUser, - } -} diff --git a/pkg/neutronapi/volumes.go b/pkg/neutronapi/volumes.go index dd4d73a6..7be5a042 100644 --- a/pkg/neutronapi/volumes.go +++ b/pkg/neutronapi/volumes.go 
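Review bot: The sidecar now hard-codes `Command: []string{"/bin/bash"}` while the interpreter used by the API container is defined above this hunk; if that is the same literal, both containers should reference a single constant next to `ServiceCommand` (for example `ServiceShell = "/bin/bash"`) so the two cannot drift. Reusing `args` is fine since `ServiceCommand` is its only element, but the reason the sidecar no longer runs `/usr/sbin/httpd` directly deserves a line such as `// started via kolla_start so the rendered config is copied into /etc before httpd execs as NeutronUID`. The Deployment function continues outside the hunk.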
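Review bot: getNeutronSecurityContext now also governs the httpd sidecar, yet the context sets no `AllowPrivilegeEscalation`, so a setuid binary in the image could still hand a compromised non-root process new capabilities; add `AllowPrivilegeEscalation: ptr.To(false)` beside `RunAsNonRoot`. The Drop list visibly contains only `"MKNOD"` (its remaining entries sit on the line hidden between the two hunks); neither neutron-server nor httpd bound to 9696 needs any capability, so unless a hidden entry already does it, drop `"ALL"`. If the cluster enforces the restricted Pod Security Standard both settings are mandatory there anyway.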
@@ -60,25 +60,20 @@ func GetVolumeMounts(serviceName string, extraVol []neutronv1beta1.NeutronExtraV } return res -} // GetHttpdVolumeMount - Returns the VolumeMounts used by the httpd sidecar +} + +// GetHttpdVolumeMount - Returns the VolumeMounts used by the httpd sidecar func GetHttpdVolumeMount() []corev1.VolumeMount { return []corev1.VolumeMount{ { Name: "httpd-config", - MountPath: "/etc/httpd/conf/httpd.conf", - SubPath: "httpd.conf", - ReadOnly: true, - }, - { - Name: "httpd-config", - MountPath: "/etc/httpd/conf.d/10-neutron.conf", - SubPath: "10-neutron-httpd.conf", + MountPath: "/var/lib/config-data/default", ReadOnly: true, }, { - Name: "httpd-config", - MountPath: "/etc/httpd/conf.d/ssl.conf", - SubPath: "ssl.conf", + Name: "config", + MountPath: "/var/lib/kolla/config_files/config.json", + SubPath: "neutron-httpd-config.json", ReadOnly: true, }, } diff --git a/templates/neutronapi/config/neutron-api-config.json b/templates/neutronapi/config/neutron-api-config.json index 2da3d594..8df0fb81 100644 --- a/templates/neutronapi/config/neutron-api-config.json +++ b/templates/neutronapi/config/neutron-api-config.json @@ -29,7 +29,7 @@ { "source": "/var/lib/config-data/tls/certs/*", "dest": "/etc/pki/tls/certs/", - "owner": "root:neutron", + "owner": "neutron:neutron", "perm": "0640", "optional": true, "merge": true @@ -37,7 +37,7 @@ { "source": "/var/lib/config-data/tls/private/*", "dest": "/etc/pki/tls/private/", - "owner": "root:neutron", + "owner": "neutron:neutron", "perm": "0640", "optional": true, "merge": true diff --git a/templates/neutronapi/config/neutron-httpd-config.json b/templates/neutronapi/config/neutron-httpd-config.json new file mode 100644 index 00000000..39b9d437 --- /dev/null +++ b/templates/neutronapi/config/neutron-httpd-config.json 
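Review bot: The doc comment on GetHttpdVolumeMount should state the new contract rather than just "returns the VolumeMounts": the `httpd-config` volume is no longer bind-mounted over `/etc/httpd` but staged read-only under `/var/lib/config-data/default` for kolla_start to copy at startup, and `config.json` is a `SubPath` of the `config` volume, so ConfigMap/Secret edits are not propagated into a running pod. Suggested text: `// GetHttpdVolumeMount returns the read-only mounts kolla_start consumes for the httpd sidecar: the rendered httpd config under /var/lib/config-data/default and the sidecar's config.json (SubPath, so updates need a pod restart).` The `config` volume itself is defined outside this hunk; confirm it actually carries a `neutron-httpd-config.json` key, since a missing SubPath key leaves the container failing to start.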
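Review bot: The private-key entry now makes the service user both owner and group of `/etc/pki/tls/private/*` with `"perm": "0640"`; because the container runs as that user, the process can write the copied key, which the previous root ownership prevented. The copy is ephemeral and the owner could chmod it back, so this is defence in depth only, but `"perm": "0400"` on the private-key entry costs nothing and the cert entry can keep `0640`. Presumably the owner change itself is forced by the non-root switch (a non-root kolla_start cannot chown to root), which is worth a sentence in the commit message.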
@@ -0,0 +1,49 @@ +{ + "command": "/usr/sbin/httpd -DFOREGROUND", + "config_files": [ + { + "source": "/var/lib/config-data/tls/certs/*", + "dest": "/etc/pki/tls/certs/", + "owner": "neutron:neutron", + "perm": "0640", + "optional": true, + "merge": true + }, + { + "source": "/var/lib/config-data/tls/private/*", + "dest": "/etc/pki/tls/private/", + "owner": "neutron:neutron", + "perm": "0640", + "optional": true, + "merge": true + }, + { + "source": "/var/lib/config-data/default/httpd.conf", + "dest": "/etc/httpd/conf/httpd.conf", + "owner": "neutron:apache", + "optional": true, + "perm": "0644" + }, + { + "source": "/var/lib/config-data/default/10-neutron-httpd.conf", + "dest": "/etc/httpd/conf.d/10-neutron.conf", + "owner": "neutron:apache", + "optional": true, + "perm": "0644" + }, + { + "source": "/var/lib/config-data/default/ssl.conf", + "dest": "/etc/httpd/conf.d/ssl.conf", + "owner": "neutron:apache", + "optional": true, + "perm": "0644" + } + ], + "permissions": [ + { + "path": "/etc/httpd/run", + "owner": "neutron:apache", + "recurse": true + } + ] +} diff --git a/templates/neutronapi/httpd/httpd.conf b/templates/neutronapi/httpd/httpd.conf index 7aa6c360..32815cf8 100644 --- a/templates/neutronapi/httpd/httpd.conf +++ b/templates/neutronapi/httpd/httpd.conf @@ -20,5 +20,6 @@ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-A SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded CustomLog /dev/stdout combined env=!forwarded CustomLog /dev/stdout proxy env=forwarded +ErrorLog /dev/stdout Include conf.d/10-neutron.conf diff --git a/test/functional/neutronapi_controller_test.go b/test/functional/neutronapi_controller_test.go index a2d753f8..9f0226f1 100644 --- a/test/functional/neutronapi_controller_test.go +++ b/test/functional/neutronapi_controller_test.go 
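Review bot: `"optional": true` on the `httpd.conf`, `10-neutron-httpd.conf` and `ssl.conf` entries turns a missing rendered file into a silent no-op, so the sidecar would start on the image's stock Apache configuration (stock `ssl.conf` included) rather than failing fast; volumes.go mounts `httpd-config` unconditionally, so these three entries should drop `optional` and let kolla_start fail on an absent source. Only the TLS cert and key entries legitimately stay optional. Separately, `"owner": "neutron:apache"` on those entries and on the `/etc/httpd/run` permissions block asks a non-root process to chgrp to `apache`, which only succeeds if the neutron user belongs to that group in the image — confirm that, or use `neutron:neutron` as the TLS entries do.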
@@ -869,7 +869,7 @@ var _ = Describe("NeutronAPI controller", func() { nHttpdProxyContainer := deployment.Spec.Template.Spec.Containers[1] Expect(nHttpdProxyContainer.LivenessProbe.HTTPGet.Port.IntVal).To(Equal(int32(9696))) Expect(nHttpdProxyContainer.ReadinessProbe.HTTPGet.Port.IntVal).To(Equal(int32(9696))) - Expect(nHttpdProxyContainer.VolumeMounts).To(HaveLen(3)) + Expect(nHttpdProxyContainer.VolumeMounts).To(HaveLen(2)) Expect(nHttpdProxyContainer.Image).To(Equal(util.GetEnvVar("RELATED_IMAGE_NEUTRON_API_IMAGE_URL_DEFAULT", neutronv1.NeutronAPIContainerImage))) }) }) diff --git a/test/kuttl/common/assert_sample_deployment.yaml b/test/kuttl/common/assert_sample_deployment.yaml index bff5a31c..7fdd0235 100644 --- a/test/kuttl/common/assert_sample_deployment.yaml +++ b/test/kuttl/common/assert_sample_deployment.yaml @@ -86,7 +86,10 @@ spec: terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError - command: - - /usr/sbin/httpd + - /bin/bash + args: + - -c + - /usr/local/bin/kolla_start imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 @@ -111,7 +114,7 @@ spec: timeoutSeconds: 30 resources: {} securityContext: - runAsUser: 0 + runAsUser: 42435 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError schedulerName: default-scheduler diff --git a/test/kuttl/tests/neutron_tls/01-assert.yaml b/test/kuttl/tests/neutron_tls/01-assert.yaml index 2b5ed45c..7741e855 100644 --- a/test/kuttl/tests/neutron_tls/01-assert.yaml +++ b/test/kuttl/tests/neutron_tls/01-assert.yaml 
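Review bot: The kuttl assertion pins only `runAsUser: 42435` for the sidecar, yet the property this change introduces is the non-root guarantee; kuttl matches subsets, so `runAsNonRoot` and `runAsGroup` could regress without this test noticing. Suggest `securityContext:` / `runAsNonRoot: true` / `runAsUser: 42435`, adding `runAsGroup` once its expected value is settled. The functional test in the earlier hunk likewise only counts volume mounts and could assert the same fields.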
@@ -47,22 +47,16 @@ spec: readOnly: true subPath: tls-ca-bundle.pem - args: - - -DFOREGROUND - command: - - /usr/sbin/httpd + - -c + - /usr/local/bin/kolla_start volumeMounts: - - mountPath: /etc/httpd/conf/httpd.conf - name: httpd-config - readOnly: true - subPath: httpd.conf - - mountPath: /etc/httpd/conf.d/10-neutron.conf + - mountPath: /var/lib/config-data/default name: httpd-config readOnly: true - subPath: 10-neutron-httpd.conf - - mountPath: /etc/httpd/conf.d/ssl.conf - name: httpd-config + - mountPath: /var/lib/kolla/config_files/config.json + name: config readOnly: true - subPath: ssl.conf + subPath: neutron-httpd-config.json - mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem name: combined-ca-bundle readOnly: true