Add SecurityContext for dbSync and remove kolla

We do not need kolla and the whole keystone config to run db_sync.
This patch adds two key items:
1. getDBSyncVolumeMounts function to get volumes mounted to the
   destination path directly
2. dbSyncSecurityContext to run the resulting Pod as unprivileged

Signed-off-by: Francesco Pantano <[email protected]>

Author: fmount

pkg/keystone/const.go

@@ -35,4 +35,6 @@ const (
 	DefaultFernetMaxActiveKeys = 5
 	// DefaultFernetRotationDays -
 	DefaultFernetRotationDays = 1
+	// DBSyncCommand -
+	DBSyncCommand = "keystone-manage db_sync"
 )

pkg/keystone/cronjob.go

@@ -83,7 +83,7 @@ func CronJob(
 									Args:            args,
 									Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
 									VolumeMounts:    volumeMounts,
-									SecurityContext: BaseSecurityContext(),
+									SecurityContext: baseSecurityContext(),
 								},
 							},
 							Volumes:            volumes,

pkg/keystone/dbsync.go

@@ -25,18 +25,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-const (
-	// DBSyncCommand -
-	DBSyncCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
-)
-
 // DbSyncJob func
 func DbSyncJob(
 	instance *keystonev1.KeystoneAPI,
 	labels map[string]string,
 	annotations map[string]string,
 ) *batchv1.Job {
-	runAsUser := int64(0)
 
 	args := []string{"-c", DBSyncCommand}
 
@@ -46,13 +40,13 @@ func DbSyncJob(
 
 	// create Volume and VolumeMounts
 	volumes := getVolumes(instance)
-	volumeMounts := getVolumeMounts()
+	volumeMounts := getDBSyncVolumeMounts()
 
 	// add CA cert if defined
 	if instance.Spec.TLS.CaBundleSecretName != "" {
 		//TODO(afaranha): Why not reuse the 'volumes'?
 		volumes = append(getVolumes(instance), instance.Spec.TLS.CreateVolume())
-		volumeMounts = append(getVolumeMounts(), instance.Spec.TLS.CreateVolumeMounts(nil)...)
+		volumeMounts = append(getDBSyncVolumeMounts(), instance.Spec.TLS.CreateVolumeMounts(nil)...)
 	}
 
 	job := &batchv1.Job{
@@ -75,13 +69,11 @@ func DbSyncJob(
 							Command: []string{
 								"/bin/bash",
 							},
-							Args:  args,
-							Image: instance.Spec.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
-							},
-							Env:          env.MergeEnvs([]corev1.EnvVar{}, envVars),
-							VolumeMounts: volumeMounts,
+							Args:            args,
+							Image:           instance.Spec.ContainerImage,
+							SecurityContext: dbSyncSecurityContext(),
+							Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
+							VolumeMounts:    volumeMounts,
 						},
 					},
 					Volumes: volumes,

pkg/keystone/funcs.go

@@ -5,9 +5,9 @@ import (
 	"k8s.io/utils/ptr"
 )
 
-// BaseSecurityContext - currently used to make sure we don't run cronJob and Log
+// baseSecurityContext - currently used to make sure we don't run cronJob and Log
 // Pods as root user, and we drop privileges and Capabilities we don't need
-func BaseSecurityContext() *corev1.SecurityContext {
+func baseSecurityContext() *corev1.SecurityContext {
 	return &corev1.SecurityContext{
 		RunAsUser:                ptr.To(KeystoneUID),
 		RunAsGroup:               ptr.To(KeystoneUID),
@@ -20,3 +20,17 @@ func BaseSecurityContext() *corev1.SecurityContext {
 		},
 	}
 }
+
+// dbSyncSecurityContext - currently used to make sure we don't run db-sync as
+// root user
+func dbSyncSecurityContext() *corev1.SecurityContext {
+	return &corev1.SecurityContext{
+		RunAsUser:  ptr.To(KeystoneUID),
+		RunAsGroup: ptr.To(KeystoneUID),
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{
+				"MKNOD",
+			},
+		},
+	}
+}

pkg/keystone/volumes.go

@@ -144,3 +144,21 @@ func getCronJobVolumeMounts() []corev1.VolumeMount {
 		},
 	}
 }
+
+// getDBSyncVolumeMounts - cronjob volumeMounts
+func getDBSyncVolumeMounts() []corev1.VolumeMount {
+	return []corev1.VolumeMount{
+		{
+			Name:      "config-data",
+			MountPath: "/etc/keystone/keystone.conf",
+			SubPath:   "keystone.conf",
+			ReadOnly:  true,
+		},
+		{
+			Name:      "config-data",
+			MountPath: "/etc/my.cnf",
+			SubPath:   "my.cnf",
+			ReadOnly:  true,
+		},
+	}
+}