Keystone: Stop running keystone container with root user

This PS updates the keystone chart to stop running the keystone api
as the root user.

Change-Id: If3042210f761476846da02fc8e648c700267a591
Signed-off-by: Pete Birley <pete@port.direct>
Pete Birley 2018-08-03 14:49:53 -05:00
parent 5038d92b4f
commit 4a6d740154
23 changed files with 44 additions and 1 deletions


@ -551,6 +551,7 @@ endpoints:
port:
api:
default: 80
internal: 5000
key_manager:
name: barbican
hosts:
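Review bot: The new `internal: 5000` value is a cross-chart contract with no local explanation: it has to agree with the keystone chart's own `endpoints.identity.port.api.internal` and with the port Apache listens on inside the keystone image, and any one of these copies drifting silently breaks token validation for the dependent service. The rationale only appears as a NOTE in the keystone chart's values further down this page; a one-line `# must match the keystone chart's endpoints.identity.port.api.internal` above this key would make the coupling visible to whoever edits this chart next. The same single-line addition appears in every other one-addition `endpoints:` section on this page, so this applies to each of them. The enclosing endpoint block starts outside the hunk.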


@ -1712,6 +1712,7 @@ endpoints:
port:
api:
default: 80
internal: 5000
metering:
name: ceilometer
hosts:


@ -456,6 +456,7 @@ endpoints:
port:
api:
default: 80
internal: 5000
object_store:
name: swift
namespace: null


@ -1075,6 +1075,7 @@ endpoints:
port:
api:
default: 80
internal: 5000
image:
name: glance
hosts:


@ -250,6 +250,7 @@ endpoints:
port:
api:
default: 80
internal: 5000
policy:
name: congress
hosts:


@ -580,6 +580,7 @@ endpoints:
port:
api:
default: 80
internal: 5000
image:
name: glance
hosts:


@ -491,6 +491,7 @@ endpoints:
port:
api:
default: 80
internal: 5000
metric:
name: gnocchi
hosts:


@ -817,6 +817,7 @@ endpoints:
port:
api:
default: 80
internal: 5000
orchestration:
name: heat
hosts:


@ -2010,7 +2010,7 @@ endpoints:
port:
api:
default: 80
admin: 35357
internal: 5000
oslo_cache:
hosts:
default: memcached
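Review bot: This hunk is 7 lines to 7 lines, so one line is replaced rather than added, and the rendered page no longer shows which; if the line that goes away is `admin: 35357` (inferred from print order only, not certain), any template in this chart that still resolves the keystone `admin` endpoint port would stop rendering or fall back silently, so it is worth grepping this chart for `admin` endpoint lookups before merging. If instead the intent is to keep the admin port and only add `internal`, the header count suggests something else was dropped. The surrounding endpoint block starts outside the hunk.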


@ -405,6 +405,7 @@ endpoints:
port:
api:
default: 80
internal: 5000
baremetal:
name: ironic
hosts:


@ -61,6 +61,7 @@ data:
{{- tuple .Values.conf.mpm_event "etc/_mpm_event.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
wsgi-keystone.conf: |
{{- tuple .Values.conf.wsgi_keystone "etc/_wsgi-keystone.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
ports.conf: ""
sso_callback_template.html: |
{{- tuple .Values.conf.sso_callback_template "etc/_sso_callback_template.html.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
{{- range $k, $v := .Values.conf.ks_domains }}
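Review bot: `ports.conf: ""` is the line that makes the non-root change work, presumably by dropping Apache's stock `Listen 80` so the unprivileged uid never needs CAP_NET_BIND_SERVICE, but nothing records that intent and a later cleanup could easily restore a default ports.conf and break startup. Add a comment above the key, `# NOTE: intentionally empty; the WSGI vhost config supplies the unprivileged Listen directive` (adjust if the Listen actually lives elsewhere; wsgi-keystone.conf is not visible in the hunk). The configmap data block starts and ends outside the hunk.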


@ -55,6 +55,8 @@ spec:
- name: keystone-api
{{ tuple $envAll "keystone_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
runAsUser: {{ .Values.pod.user.keystone.uid }}
command:
- /tmp/keystone-api.sh
- start
@ -78,12 +80,20 @@ spec:
volumeMounts:
- name: etckeystone
mountPath: /etc/keystone
- name: logs-apache
mountPath: /var/log/apache2
- name: run-apache
mountPath: /var/run/apache2
- name: wsgi-keystone
mountPath: /var/www/cgi-bin/keystone
- name: keystone-etc
mountPath: /etc/keystone/keystone.conf
subPath: keystone.conf
readOnly: true
- name: keystone-etc
mountPath: /etc/apache2/ports.conf
subPath: ports.conf
readOnly: true
- name: keystone-etc
mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
@ -130,6 +140,10 @@ spec:
emptyDir: {}
- name: wsgi-keystone
emptyDir: {}
- name: logs-apache
emptyDir: {}
- name: run-apache
emptyDir: {}
- name: keystone-etc
configMap:
name: keystone-etc
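Review bot: The container `securityContext` in the first hunk sets `runAsUser` only, so the non-root property rests on a values.yaml number and nothing else: an override of `pod.user.keystone.uid` to `0` starts the container as root without any error. Adding `runAsNonRoot: true` makes the kubelet refuse such a pod, and `allowPrivilegeEscalation: false` keeps a setuid binary in the image from regaining root, so the block would read `runAsUser: {{ .Values.pod.user.keystone.uid }}`, `runAsNonRoot: true`, `allowPrivilegeEscalation: false`. The new `logs-apache` and `run-apache` emptyDirs in the last hunk carry no `sizeLimit`, so a runaway Apache log can consume the node's ephemeral storage; consider bounding them. The container spec and the volumes list both extend beyond the hunks shown.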


@ -161,6 +161,9 @@ dependencies:
service: local_image_registry
pod:
user:
keystone:
uid: 42424
affinity:
anti:
type:
@ -926,6 +929,9 @@ endpoints:
port:
api:
default: 80
# NOTE(portdirect): to retain portability accross images, and allow
# running under a unprivileged user simply, we default to a port > 1000.
internal: 5000
oslo_db:
namespace: null
auth:
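Review bot: The NOTE added above `internal: 5000` in the second hunk has two typos and an imprecise boundary: it should read `across`, `an unprivileged user`, and the privileged-port cutoff is 1024 (ports below 1024 require CAP_NET_BIND_SERVICE), not 1000. Suggested text: `# NOTE(portdirect): to retain portability across images, and allow running under an unprivileged user simply, we default to a port above 1024 (ports below 1024 require CAP_NET_BIND_SERVICE).` The `uid: 42424` default in the first hunk carries no comment on which image user it corresponds to, unlike the kolla overrides on this page that link kolla's config.py; a short note naming the image convention would help anyone switching images. Both hunks sit inside blocks that start outside the hunk.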


@ -363,6 +363,7 @@ endpoints:
port:
api:
default: 80
internal: 5000
container_infra:
name: magnum
hosts:


@ -247,6 +247,7 @@ endpoints:
port:
api:
default: 80
internal: 5000
workflowv2:
name: mistral
hosts:


@ -1781,6 +1781,7 @@ endpoints:
port:
api:
default: 80
internal: 5000
network:
name: neutron
hosts:


@ -1791,6 +1791,7 @@ endpoints:
port:
api:
default: 80
internal: 5000
image:
name: glance
hosts:


@ -260,6 +260,7 @@ endpoints:
port:
api:
default: 80
internal: 5000
benchmark:
name: rally
hosts:


@ -412,6 +412,7 @@ endpoints:
port:
api:
default: 80
internal: 5000
clustering:
name: senlin
hosts:


@ -255,6 +255,7 @@ endpoints:
port:
api:
default: 80
internal: 5000
manifests:
configmap_bin: true


@ -87,6 +87,8 @@ images:
test: 'docker.io/kolla/ubuntu-source-rally:4.0.0'
pod:
user:
keystone:
uid: 1000
barbican:
uid: 1000
cinder:
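Review bot: `uid: 1000` for keystone is added without saying which user inside the ubuntu-based images it corresponds to, whereas the two kolla override sections below inherit a NOTE pointing at kolla's config.py for their 42425. The pod presumably only works if this uid can write what Apache and keystone need, so a comment such as `# uid of the service user created by the ubuntu keystone image -- TODO confirm against the image` above `keystone:` would tell the next maintainer where the number came from. The `user:` mapping continues outside the hunk.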


@ -85,6 +85,8 @@ images:
pod:
#NOTE(portdirect): see https://github.com/openstack/kolla/blob/f62f5ae2fa5e7808722f9b37b48a50b39c20b46d/kolla/common/config.py#L695-L998
user:
keystone:
uid: 42425
barbican:
uid: 42403
cinder:


@ -85,6 +85,8 @@ images:
pod:
#NOTE(portdirect): see https://github.com/openstack/kolla/blob/f62f5ae2fa5e7808722f9b37b48a50b39c20b46d/kolla/common/config.py#L695-L998
user:
keystone:
uid: 42425
barbican:
uid: 42403
cinder: