Keystone: Stop running keystone container with root user

This PS updates the keystone chart to stop running the keystone api
as the root user.

Change-Id: If3042210f761476846da02fc8e648c700267a591
Signed-off-by: Pete Birley <pete@port.direct>
Pete Birley 2018-08-03 14:49:53 -05:00
parent 5038d92b4f
commit 4a6d740154
23 changed files with 44 additions and 1 deletions


@ -551,6 +551,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
internal: 5000
key_manager: key_manager:
name: barbican name: barbican
hosts: hosts:
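Review bot: The added `internal: 5000` carries no comment saying it must stay in sync with the port the keystone chart's apache now listens on, unlike the keystone values file in this same commit, which documents the choice. A one-line comment above it, e.g. `# NOTE: must match the keystone chart's api internal port (currently 5000)`, would stop a later edit from silently diverging; the same applies to every other single-line `internal: 5000` section in this commit, including the one that also drops `admin: 35357`. `default: 80` is left in place, so any consumer that resolves this endpoint's port through `default` rather than `internal` would presumably still target 80, which apache is no longer expected to bind; I cannot tell from these hunks which key the lookups use, so that is worth confirming. The enclosing endpoint block starts outside the hunk, so its identity is inferred from the neighbouring keys.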


@ -1712,6 +1712,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
internal: 5000
metering: metering:
name: ceilometer name: ceilometer
hosts: hosts:


@ -456,6 +456,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
internal: 5000
object_store: object_store:
name: swift name: swift
namespace: null namespace: null


@ -1075,6 +1075,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
internal: 5000
image: image:
name: glance name: glance
hosts: hosts:


@ -250,6 +250,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
internal: 5000
policy: policy:
name: congress name: congress
hosts: hosts:


@ -580,6 +580,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
internal: 5000
image: image:
name: glance name: glance
hosts: hosts:


@ -491,6 +491,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
internal: 5000
metric: metric:
name: gnocchi name: gnocchi
hosts: hosts:


@ -817,6 +817,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
internal: 5000
orchestration: orchestration:
name: heat name: heat
hosts: hosts:


@ -2010,7 +2010,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
admin: 35357 internal: 5000
oslo_cache: oslo_cache:
hosts: hosts:
default: memcached default: memcached


@ -405,6 +405,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
internal: 5000
baremetal: baremetal:
name: ironic name: ironic
hosts: hosts:


@ -61,6 +61,7 @@ data:
{{- tuple .Values.conf.mpm_event "etc/_mpm_event.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }} {{- tuple .Values.conf.mpm_event "etc/_mpm_event.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
wsgi-keystone.conf: | wsgi-keystone.conf: |
{{- tuple .Values.conf.wsgi_keystone "etc/_wsgi-keystone.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }} {{- tuple .Values.conf.wsgi_keystone "etc/_wsgi-keystone.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
ports.conf: ""
sso_callback_template.html: | sso_callback_template.html: |
{{- tuple .Values.conf.sso_callback_template "etc/_sso_callback_template.html.tpl" . | include "helm-toolkit.utils.configmap_templater" }} {{- tuple .Values.conf.sso_callback_template "etc/_sso_callback_template.html.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
{{- range $k, $v := .Values.conf.ks_domains }} {{- range $k, $v := .Values.conf.ks_domains }}
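Review bot: `ports.conf: ""` overrides apache's port configuration with an empty file, but nothing in the hunk records why, and the Listen directive the server presumably now relies on lives in wsgi-keystone.conf, which is not part of this diff. A comment above the key, such as `# NOTE: intentionally empty so apache does not Listen on the image default (80); the Listen directive is expected to come from wsgi-keystone.conf`, would make that dependency explicit — assuming that is where the Listen now lives, which I cannot confirm from here. If wsgi-keystone.conf does not declare a Listen, apache will bind no port at all, so that template should be checked alongside this change. The configmap data block starts and ends outside the hunk.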


@ -55,6 +55,8 @@ spec:
- name: keystone-api - name: keystone-api
{{ tuple $envAll "keystone_api" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "keystone_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
runAsUser: {{ .Values.pod.user.keystone.uid }}
command: command:
- /tmp/keystone-api.sh - /tmp/keystone-api.sh
- start - start
@ -78,12 +80,20 @@ spec:
volumeMounts: volumeMounts:
- name: etckeystone - name: etckeystone
mountPath: /etc/keystone mountPath: /etc/keystone
- name: logs-apache
mountPath: /var/log/apache2
- name: run-apache
mountPath: /var/run/apache2
- name: wsgi-keystone - name: wsgi-keystone
mountPath: /var/www/cgi-bin/keystone mountPath: /var/www/cgi-bin/keystone
- name: keystone-etc - name: keystone-etc
mountPath: /etc/keystone/keystone.conf mountPath: /etc/keystone/keystone.conf
subPath: keystone.conf subPath: keystone.conf
readOnly: true readOnly: true
- name: keystone-etc
mountPath: /etc/apache2/ports.conf
subPath: ports.conf
readOnly: true
- name: keystone-etc - name: keystone-etc
mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }} mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }} subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
@ -130,6 +140,10 @@ spec:
emptyDir: {} emptyDir: {}
- name: wsgi-keystone - name: wsgi-keystone
emptyDir: {} emptyDir: {}
- name: logs-apache
emptyDir: {}
- name: run-apache
emptyDir: {}
- name: keystone-etc - name: keystone-etc
configMap: configMap:
name: keystone-etc name: keystone-etc
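Review bot: The new container securityContext sets `runAsUser` only; if `.Values.pod.user.keystone.uid` renders empty or is set to 0, the container silently falls back to the image's default user (root), which is exactly what this commit sets out to prevent. Adding `runAsNonRoot: true` beside it makes the kubelet refuse to start the container in that case: `securityContext:` / `  runAsNonRoot: true` / `  runAsUser: {{ .Values.pod.user.keystone.uid }}`. The emptyDir mounts for /var/log/apache2 and /var/run/apache2 and the read-only empty ports.conf mount are what allow apache to run unprivileged, and a short comment on the volumes hunk saying so would help the next reader. The container spec and the volumes list both start and end outside these hunks.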


@ -161,6 +161,9 @@ dependencies:
service: local_image_registry service: local_image_registry
pod: pod:
user:
keystone:
uid: 42424
affinity: affinity:
anti: anti:
type: type:
@ -926,6 +929,9 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
# NOTE(portdirect): to retain portability accross images, and allow
# running under a unprivileged user simply, we default to a port > 1000.
internal: 5000
oslo_db: oslo_db:
namespace: null namespace: null
auth: auth:
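Review bot: The NOTE added above `internal: 5000` gives the rationale as "a port > 1000", but the privileged range ends at 1023, so it should read `>= 1024` (or "above 1023"); the same lines also contain the typos `accross` and `a unprivileged`. Suggested replacement: `# NOTE(portdirect): to retain portability across images, and allow` / `# running under an unprivileged user simply, we default to a port >= 1024.` The first hunk defaults `pod.user.keystone.uid` to 42424, while the two override files in this commit that cite the kolla uid table set 42425 and the third sets 1000; if no supported image actually ships uid 42424, a comment on the default naming the image it targets (or pointing at the same kolla reference the overrides use) would avoid the question. Both hunks sit inside `pod:` and `endpoints:` blocks that start outside the view.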


@ -363,6 +363,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
internal: 5000
container_infra: container_infra:
name: magnum name: magnum
hosts: hosts:


@ -247,6 +247,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
internal: 5000
workflowv2: workflowv2:
name: mistral name: mistral
hosts: hosts:


@ -1781,6 +1781,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
internal: 5000
network: network:
name: neutron name: neutron
hosts: hosts:


@ -1791,6 +1791,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
internal: 5000
image: image:
name: glance name: glance
hosts: hosts:


@ -260,6 +260,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
internal: 5000
benchmark: benchmark:
name: rally name: rally
hosts: hosts:


@ -412,6 +412,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
internal: 5000
clustering: clustering:
name: senlin name: senlin
hosts: hosts:


@ -255,6 +255,7 @@ endpoints:
port: port:
api: api:
default: 80 default: 80
internal: 5000
manifests: manifests:
configmap_bin: true configmap_bin: true


@ -87,6 +87,8 @@ images:
test: 'docker.io/kolla/ubuntu-source-rally:4.0.0' test: 'docker.io/kolla/ubuntu-source-rally:4.0.0'
pod: pod:
user: user:
keystone:
uid: 1000
barbican: barbican:
uid: 1000 uid: 1000
cinder: cinder:


@ -85,6 +85,8 @@ images:
pod: pod:
#NOTE(portdirect): see https://github.com/openstack/kolla/blob/f62f5ae2fa5e7808722f9b37b48a50b39c20b46d/kolla/common/config.py#L695-L998 #NOTE(portdirect): see https://github.com/openstack/kolla/blob/f62f5ae2fa5e7808722f9b37b48a50b39c20b46d/kolla/common/config.py#L695-L998
user: user:
keystone:
uid: 42425
barbican: barbican:
uid: 42403 uid: 42403
cinder: cinder:


@ -85,6 +85,8 @@ images:
pod: pod:
#NOTE(portdirect): see https://github.com/openstack/kolla/blob/f62f5ae2fa5e7808722f9b37b48a50b39c20b46d/kolla/common/config.py#L695-L998 #NOTE(portdirect): see https://github.com/openstack/kolla/blob/f62f5ae2fa5e7808722f9b37b48a50b39c20b46d/kolla/common/config.py#L695-L998
user: user:
keystone:
uid: 42425
barbican: barbican:
uid: 42403 uid: 42403
cinder: cinder: