Merge pull request openstack-k8s-operators#555 from fmount/keystone-user

openshift-merge-bot[bot] · web-flow · commit 125187a9d3d8 · 2025-03-28T17:21:30.000Z
Run keystone services using keystone user
diff --git a/pkg/keystone/const.go b/pkg/keystone/const.go
@@ -28,9 +28,13 @@ const (
 	KeystonePublicPort int32 = 5000
 	// KeystoneInternalPort -
 	KeystoneInternalPort int32 = 5000
-
+	// KeystoneUID is based on kolla
+	// https://github.com/openstack/kolla/blob/master/kolla/common/users.py
+	KeystoneUID int64 = 42425
 	// DefaultFernetMaxActiveKeys -
 	DefaultFernetMaxActiveKeys = 5
 	// DefaultFernetRotationDays -
 	DefaultFernetRotationDays = 1
+	// DBSyncCommand -
+	DBSyncCommand = "keystone-manage db_sync"
 )
diff --git a/pkg/keystone/cronjob.go b/pkg/keystone/cronjob.go
@@ -26,7 +26,7 @@ import (
 
 const (
 	// TrustFlushCommand -
-	TrustFlushCommand = "/usr/local/bin/kolla_set_configs && keystone-manage trust_flush"
+	TrustFlushCommand = "keystone-manage trust_flush"
 )
 
 // CronJob func
@@ -35,7 +35,6 @@ func CronJob(
 	labels map[string]string,
 	annotations map[string]string,
 ) *batchv1.CronJob {
-	runAsUser := int64(0)
 
 	args := []string{"-c", TrustFlushCommand + instance.Spec.TrustFlushArgs}
 
@@ -47,12 +46,12 @@ func CronJob(
 
 	// create Volume and VolumeMounts
 	volumes := getVolumes(instance)
-	volumeMounts := getVolumeMounts()
+	volumeMounts := getCronJobVolumeMounts()
 
 	// add CA cert if defined
 	if instance.Spec.TLS.CaBundleSecretName != "" {
 		volumes = append(getVolumes(instance), instance.Spec.TLS.CreateVolume())
-		volumeMounts = append(getVolumeMounts(), instance.Spec.TLS.CreateVolumeMounts(nil)...)
+		volumeMounts = append(getCronJobVolumeMounts(), instance.Spec.TLS.CreateVolumeMounts(nil)...)
 	}
 
 	cronjob := &batchv1.CronJob{
@@ -81,12 +80,10 @@ func CronJob(
 									Command: []string{
 										"/bin/bash",
 									},
-									Args:         args,
-									Env:          env.MergeEnvs([]corev1.EnvVar{}, envVars),
-									VolumeMounts: volumeMounts,
-									SecurityContext: &corev1.SecurityContext{
-										RunAsUser: &runAsUser,
-									},
+									Args:            args,
+									Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
+									VolumeMounts:    volumeMounts,
+									SecurityContext: baseSecurityContext(),
 								},
 							},
 							Volumes:            volumes,
diff --git a/pkg/keystone/dbsync.go b/pkg/keystone/dbsync.go
@@ -25,18 +25,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-const (
-	// DBSyncCommand -
-	DBSyncCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
-)
-
 // DbSyncJob func
 func DbSyncJob(
 	instance *keystonev1.KeystoneAPI,
 	labels map[string]string,
 	annotations map[string]string,
 ) *batchv1.Job {
-	runAsUser := int64(0)
 
 	args := []string{"-c", DBSyncCommand}
 
@@ -46,13 +40,13 @@ func DbSyncJob(
 
 	// create Volume and VolumeMounts
 	volumes := getVolumes(instance)
-	volumeMounts := getVolumeMounts()
+	volumeMounts := getDBSyncVolumeMounts()
 
 	// add CA cert if defined
 	if instance.Spec.TLS.CaBundleSecretName != "" {
 		//TODO(afaranha): Why not reuse the 'volumes'?
 		volumes = append(getVolumes(instance), instance.Spec.TLS.CreateVolume())
-		volumeMounts = append(getVolumeMounts(), instance.Spec.TLS.CreateVolumeMounts(nil)...)
+		volumeMounts = append(getDBSyncVolumeMounts(), instance.Spec.TLS.CreateVolumeMounts(nil)...)
 	}
 
 	job := &batchv1.Job{
@@ -75,13 +69,11 @@ func DbSyncJob(
 							Command: []string{
 								"/bin/bash",
 							},
-							Args:  args,
-							Image: instance.Spec.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
-							},
-							Env:          env.MergeEnvs([]corev1.EnvVar{}, envVars),
-							VolumeMounts: volumeMounts,
+							Args:            args,
+							Image:           instance.Spec.ContainerImage,
+							SecurityContext: dbSyncSecurityContext(),
+							Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
+							VolumeMounts:    volumeMounts,
 						},
 					},
 					Volumes: volumes,
diff --git a/pkg/keystone/deployment.go b/pkg/keystone/deployment.go
@@ -32,7 +32,7 @@ import (
 
 const (
 	// ServiceCommand -
-	ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	ServiceCommand = "/usr/local/bin/kolla_start"
 )
 
 // Deployment func
@@ -43,7 +43,6 @@ func Deployment(
 	annotations map[string]string,
 	topology *topologyv1.Topology,
 ) (*appsv1.Deployment, error) {
-	runAsUser := int64(0)
 
 	livenessProbe := &corev1.Probe{
 		// TODO might need tuning
@@ -134,16 +133,14 @@ func Deployment(
 							Command: []string{
 								"/bin/bash",
 							},
-							Args:  args,
-							Image: instance.Spec.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
-							},
-							Env:            env.MergeEnvs([]corev1.EnvVar{}, envVars),
-							VolumeMounts:   volumeMounts,
-							Resources:      instance.Spec.Resources,
-							ReadinessProbe: readinessProbe,
-							LivenessProbe:  livenessProbe,
+							Args:            args,
+							Image:           instance.Spec.ContainerImage,
+							SecurityContext: httpdSecurityContext(),
+							Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
+							VolumeMounts:    volumeMounts,
+							Resources:       instance.Spec.Resources,
+							ReadinessProbe:  readinessProbe,
+							LivenessProbe:   livenessProbe,
 						},
 					},
 				},
diff --git a/pkg/keystone/funcs.go b/pkg/keystone/funcs.go
@@ -0,0 +1,49 @@
+package keystone
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/ptr"
+)
+
+// baseSecurityContext - currently used to make sure we don't run cronJob and Log
+// Pods as root user, and we drop privileges and Capabilities we don't need
+func baseSecurityContext() *corev1.SecurityContext {
+	return &corev1.SecurityContext{
+		RunAsUser:                ptr.To(KeystoneUID),
+		RunAsGroup:               ptr.To(KeystoneUID),
+		RunAsNonRoot:             ptr.To(true),
+		AllowPrivilegeEscalation: ptr.To(false),
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{
+				"ALL",
+			},
+		},
+	}
+}
+
+// dbSyncSecurityContext - currently used to make sure we don't run db-sync as
+// root user
+func dbSyncSecurityContext() *corev1.SecurityContext {
+	return &corev1.SecurityContext{
+		RunAsUser:  ptr.To(KeystoneUID),
+		RunAsGroup: ptr.To(KeystoneUID),
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{
+				"MKNOD",
+			},
+		},
+	}
+}
+
+// httpdSecurityContext -
+func httpdSecurityContext() *corev1.SecurityContext {
+	return &corev1.SecurityContext{
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{
+				"MKNOD",
+			},
+		},
+		RunAsUser:  ptr.To(KeystoneUID),
+		RunAsGroup: ptr.To(KeystoneUID),
+	}
+}
diff --git a/pkg/keystone/volumes.go b/pkg/keystone/volumes.go
@@ -25,7 +25,7 @@ import (
 func getVolumes(instance *keystonev1.KeystoneAPI) []corev1.Volume {
 	name := instance.Name
 	var scriptsVolumeDefaultMode int32 = 0755
-	var config0640AccessMode int32 = 0640
+	var config0640AccessMode int32 = 0644
 
 	fernetKeys := []corev1.KeyToPath{}
 	numberKeys := int(*instance.Spec.FernetMaxActiveKeys)
@@ -121,3 +121,44 @@ func getVolumeMounts() []corev1.VolumeMount {
 		},
 	}
 }
+
+// getCronJobVolumeMounts - cronjob volumeMounts
+func getCronJobVolumeMounts() []corev1.VolumeMount {
+	return []corev1.VolumeMount{
+		{
+			Name:      "config-data",
+			MountPath: "/etc/keystone/keystone.conf",
+			SubPath:   "keystone.conf",
+			ReadOnly:  true,
+		},
+		{
+			Name:      "config-data",
+			MountPath: "/etc/my.cnf",
+			SubPath:   "my.cnf",
+			ReadOnly:  true,
+		},
+		{
+			Name:      "fernet-keys",
+			MountPath: "/etc/keystone/fernet-keys",
+			ReadOnly:  true,
+		},
+	}
+}
+
+// getDBSyncVolumeMounts - cronjob volumeMounts
+func getDBSyncVolumeMounts() []corev1.VolumeMount {
+	return []corev1.VolumeMount{
+		{
+			Name:      "config-data",
+			MountPath: "/etc/keystone/keystone.conf",
+			SubPath:   "keystone.conf",
+			ReadOnly:  true,
+		},
+		{
+			Name:      "config-data",
+			MountPath: "/etc/my.cnf",
+			SubPath:   "my.cnf",
+			ReadOnly:  true,
+		},
+	}
+}
diff --git a/templates/keystoneapi/config/keystone-api-config.json b/templates/keystoneapi/config/keystone-api-config.json
@@ -16,27 +16,27 @@
         {
             "source": "/var/lib/config-data/default/httpd.conf",
             "dest": "/etc/httpd/conf/httpd.conf",
-            "owner": "apache",
+            "owner": "keystone:apache",
             "perm": "0644"
         },
         {
             "source": "/var/lib/config-data/default/ssl.conf",
             "dest": "/etc/httpd/conf.d/ssl.conf",
-            "owner": "apache",
+            "owner": "keystone:apache",
             "perm": "0644"
         },
         {
             "source": "/var/lib/config-data/tls/certs/*",
             "dest": "/etc/pki/tls/certs/",
-            "owner": "root",
+            "owner": "keystone:apache",
             "perm": "0640",
             "optional": true,
             "merge": true
         },
         {
             "source": "/var/lib/config-data/tls/private/*",
             "dest": "/etc/pki/tls/private/",
-            "owner": "root",
+            "owner": "keystone:apache",
             "perm": "0600",
             "optional": true,
             "merge": true
@@ -62,9 +62,21 @@
         {
             "source": "/var/lib/config-data/default/httpd_custom_*",
             "dest": "/etc/httpd/conf/",
-            "owner": "apache",
+            "owner": "keystone:apache",
             "perm": "0444",
             "optional": true
         }
+    ],
+    "permissions": [
+        {
+            "path": "/etc/httpd",
+            "owner": "keystone:apache",
+            "recurse": true
+        },
+        {
+            "path": "/var/log/keystone",
+            "owner": "keystone:apache",
+            "recurse": true
+        }
     ]
 }
diff --git a/tests/kuttl/common/assert_sample_deployment.yaml b/tests/kuttl/common/assert_sample_deployment.yaml
@@ -61,7 +61,7 @@ spec:
       containers:
       - args:
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         command:
         - /bin/bash
         imagePullPolicy: IfNotPresent
diff --git a/tests/kuttl/tests/keystone_tls/01-assert.yaml b/tests/kuttl/tests/keystone_tls/01-assert.yaml
@@ -34,7 +34,7 @@ spec:
       containers:
       - args:
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         volumeMounts:
         - mountPath: /usr/local/bin/container-scripts
           name: scripts
@@ -78,7 +78,7 @@ spec:
           secretName: keystone-scripts
       - name: config-data
         secret:
-          defaultMode: 416
+          defaultMode: 420
           secretName: keystone-config-data
       - name: fernet-keys
         secret:
