Run keystone services using keystone user

fmount · fmount · commit b0e2bb6c9e76 · 2025-03-28T08:15:41.000+01:00
This patch represents an improvment of the existing code to make sure we run keystone services using the keystone user instead of root. Jira: https://issues.redhat.com/browse/OSPRH-15198 Signed-off-by: Francesco Pantano <fpantano@redhat.com>
diff --git a/pkg/keystone/const.go b/pkg/keystone/const.go
@@ -28,7 +28,9 @@ const (
 	KeystonePublicPort int32 = 5000
 	// KeystoneInternalPort -
 	KeystoneInternalPort int32 = 5000
-
+	// Keystone UID based on kolla
+	// https://github.com/openstack/kolla/blob/master/kolla/common/users.py
+	KeystoneUID = 42425
 	// DefaultFernetMaxActiveKeys -
 	DefaultFernetMaxActiveKeys = 5
 	// DefaultFernetRotationDays -
diff --git a/pkg/keystone/deployment.go b/pkg/keystone/deployment.go
@@ -32,7 +32,7 @@ import (
 
 const (
 	// ServiceCommand -
-	ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	ServiceCommand = "/usr/local/bin/kolla_start"
 )
 
 // Deployment func
@@ -43,7 +43,7 @@ func Deployment(
 	annotations map[string]string,
 	topology *topologyv1.Topology,
 ) (*appsv1.Deployment, error) {
-	runAsUser := int64(0)
+	runAsUser := int64(KeystoneUID)
 
 	livenessProbe := &corev1.Probe{
 		// TODO might need tuning
diff --git a/templates/keystoneapi/config/keystone-api-config.json b/templates/keystoneapi/config/keystone-api-config.json
@@ -16,27 +16,27 @@
         {
             "source": "/var/lib/config-data/default/httpd.conf",
             "dest": "/etc/httpd/conf/httpd.conf",
-            "owner": "apache",
+            "owner": "keystone:apache",
             "perm": "0644"
         },
         {
             "source": "/var/lib/config-data/default/ssl.conf",
             "dest": "/etc/httpd/conf.d/ssl.conf",
-            "owner": "apache",
+            "owner": "keystone:apache",
             "perm": "0644"
         },
         {
             "source": "/var/lib/config-data/tls/certs/*",
             "dest": "/etc/pki/tls/certs/",
-            "owner": "root",
+            "owner": "keystone:apache",
             "perm": "0640",
             "optional": true,
             "merge": true
         },
         {
             "source": "/var/lib/config-data/tls/private/*",
             "dest": "/etc/pki/tls/private/",
-            "owner": "root",
+            "owner": "keystone:apache",
             "perm": "0600",
             "optional": true,
             "merge": true
@@ -62,9 +62,21 @@
         {
             "source": "/var/lib/config-data/default/httpd_custom_*",
             "dest": "/etc/httpd/conf/",
-            "owner": "apache",
+            "owner": "keystone:apache",
             "perm": "0444",
             "optional": true
         }
+    ],
+    "permissions": [
+        {
+            "path": "/etc/httpd",
+            "owner": "keystone:apache",
+            "recurse": true
+        },
+        {
+            "path": "/var/log/keystone",
+            "owner": "keystone:apache",
+            "recurse": true
+        }
     ]
 }
diff --git a/tests/kuttl/common/assert_sample_deployment.yaml b/tests/kuttl/common/assert_sample_deployment.yaml
@@ -61,7 +61,7 @@ spec:
       containers:
       - args:
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         command:
         - /bin/bash
         imagePullPolicy: IfNotPresent
diff --git a/tests/kuttl/tests/keystone_tls/01-assert.yaml b/tests/kuttl/tests/keystone_tls/01-assert.yaml
@@ -34,7 +34,7 @@ spec:
       containers:
       - args:
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         volumeMounts:
         - mountPath: /usr/local/bin/container-scripts
           name: scripts
