Use octavia user in API and DBSync

JIRA: OSPRH-10287

Author: gthiemonge

pkg/octavia/dbsync.go

@@ -22,11 +22,12 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 const (
-	// DBSyncCommand -
-	DBSyncCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	// InitContainerCommand -
+	InitContainerCommand = "/usr/local/bin/container-scripts/init.sh"
 )
 
 // DbSyncJob func
@@ -35,13 +36,9 @@ func DbSyncJob(
 	labels map[string]string,
 	annotations map[string]string,
 ) *batchv1.Job {
-	runAsUser := int64(0)
-	initVolumeMounts := GetInitVolumeMounts()
 	volumeMounts := GetVolumeMounts("db-sync")
 	volumes := GetVolumes(instance.Name)
 
-	args := []string{"-c", DBSyncCommand}
-
 	envVars := map[string]env.Setter{}
 	envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
 
@@ -51,6 +48,11 @@ func DbSyncJob(
 		volumeMounts = append(volumeMounts, instance.Spec.OctaviaAPI.TLS.CreateVolumeMounts(nil)...)
 	}
 
+	args := []string{
+		"-c",
+		InitContainerCommand,
+	}
+
 	job := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      instance.Name + "-db-sync",
@@ -63,21 +65,30 @@ func DbSyncJob(
 					Annotations: annotations,
 				},
 				Spec: corev1.PodSpec{
+					SecurityContext: &corev1.PodSecurityContext{
+						FSGroup: ptr.To(OctaviaUID),
+					},
 					RestartPolicy:      corev1.RestartPolicyOnFailure,
 					ServiceAccountName: instance.RbacResourceName(),
 					Containers: []corev1.Container{
 						{
-							Name: ServiceName + "-db-sync",
+							Name:            ServiceName + "-db-sync",
+							Image:           instance.Spec.OctaviaAPI.ContainerImage,
+							SecurityContext: GetOctaviaSecurityContext(),
+							Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
+							VolumeMounts:    volumeMounts,
+						},
+					},
+					InitContainers: []corev1.Container{
+						{
+							Name:            "init",
+							Image:           instance.Spec.OctaviaAPI.ContainerImage,
+							SecurityContext: GetOctaviaSecurityContext(),
 							Command: []string{
 								"/bin/bash",
 							},
-							Args:  args,
-							Image: instance.Spec.OctaviaAPI.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
-							},
-							Env:          env.MergeEnvs([]corev1.EnvVar{}, envVars),
-							VolumeMounts: volumeMounts,
+							Args:         args,
+							VolumeMounts: GetInitVolumeMounts(),
 						},
 					},
 					Volumes: volumes,
@@ -86,11 +97,5 @@ func DbSyncJob(
 		},
 	}
 
-	initContainerDetails := APIDetails{
-		ContainerImage: instance.Spec.OctaviaAPI.ContainerImage,
-		VolumeMounts:   initVolumeMounts,
-	}
-	job.Spec.Template.Spec.InitContainers = InitContainer(initContainerDetails)
-
 	return job
 }

pkg/octavia/initcontainer.go

@@ -0,0 +1,34 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package octavia
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/ptr"
+)
+
+const (
+	OctaviaUID int64 = 42437
+	OctaviaGID int64 = 42437
+)
+
+func GetOctaviaSecurityContext() *corev1.SecurityContext {
+	return &corev1.SecurityContext{
+		RunAsUser:    ptr.To(OctaviaUID),
+		RunAsGroup:   ptr.To(OctaviaGID),
+		RunAsNonRoot: ptr.To(true),
+	}
+}

pkg/octavia/securitycontext.go

@@ -35,7 +35,10 @@ import (
 
 const (
 	// ServiceCommand -
-	ServiceCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start"
+	ServiceCommand = "/usr/local/bin/kolla_start"
+
+	// InitContainerCommand -
+	InitContainerCommand = "/usr/local/bin/container-scripts/init.sh"
 )
 
 // Deployment func
@@ -45,8 +48,6 @@ func Deployment(
 	labels map[string]string,
 	annotations map[string]string,
 ) (*appsv1.Deployment, error) {
-	runAsUser := int64(0)
-	initVolumeMounts := octavia.GetInitVolumeMounts()
 
 	livenessProbe := &corev1.Probe{
 		// TODO might need tuning
@@ -133,6 +134,11 @@ func Deployment(
 
 	serviceName := fmt.Sprintf("%s-api", octavia.ServiceName)
 
+	initArgs := []string{
+		"-c",
+		InitContainerCommand,
+	}
+
 	deployment := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      serviceName,
@@ -149,32 +155,46 @@ func Deployment(
 					Labels:      labels,
 				},
 				Spec: corev1.PodSpec{
+					SecurityContext: &corev1.PodSecurityContext{
+						FSGroup: ptr.To(octavia.OctaviaUID),
+					},
 					ServiceAccountName: instance.Spec.ServiceAccount,
 					Containers: []corev1.Container{
 						{
 							Name: serviceName,
 							Command: []string{
 								"/bin/bash",
 							},
-							Args:  args,
-							Image: instance.Spec.ContainerImage,
-							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: &runAsUser,
-							},
-							Env:            env.MergeEnvs([]corev1.EnvVar{}, envVars),
-							VolumeMounts:   volumeMounts,
-							Resources:      instance.Spec.Resources,
-							ReadinessProbe: readinessProbe,
-							LivenessProbe:  livenessProbe,
+							Args:            args,
+							Image:           instance.Spec.ContainerImage,
+							SecurityContext: octavia.GetOctaviaSecurityContext(),
+							Env:             env.MergeEnvs([]corev1.EnvVar{}, envVars),
+							VolumeMounts:    volumeMounts,
+							Resources:       instance.Spec.Resources,
+							ReadinessProbe:  readinessProbe,
+							LivenessProbe:   livenessProbe,
 						},
 						{
-							Name:           fmt.Sprintf("%s-provider-agent", serviceName),
-							Image:          instance.Spec.ContainerImage,
-							Env:            env.MergeEnvs([]corev1.EnvVar{}, agentEnvVars),
-							VolumeMounts:   volumeMountsDriverAgent,
-							Resources:      instance.Spec.Resources,
-							ReadinessProbe: readinessProbe,
-							LivenessProbe:  livenessProbe,
+							Name:            fmt.Sprintf("%s-provider-agent", serviceName),
+							Image:           instance.Spec.ContainerImage,
+							SecurityContext: octavia.GetOctaviaSecurityContext(),
+							Env:             env.MergeEnvs([]corev1.EnvVar{}, agentEnvVars),
+							VolumeMounts:    volumeMountsDriverAgent,
+							Resources:       instance.Spec.Resources,
+							ReadinessProbe:  readinessProbe,
+							LivenessProbe:   livenessProbe,
+						},
+					},
+					InitContainers: []corev1.Container{
+						{
+							Name:            "init",
+							Image:           instance.Spec.ContainerImage,
+							SecurityContext: octavia.GetOctaviaSecurityContext(),
+							Command: []string{
+								"/bin/bash",
+							},
+							Args:         initArgs,
+							VolumeMounts: octavia.GetInitVolumeMounts(),
 						},
 					},
 					Volumes: volumes,
@@ -192,15 +212,9 @@ func Deployment(
 		},
 		corev1.LabelHostname,
 	)
-	if instance.Spec.NodeSelector != nil && len(instance.Spec.NodeSelector) > 0 {
+	if len(instance.Spec.NodeSelector) > 0 {
 		deployment.Spec.Template.Spec.NodeSelector = instance.Spec.NodeSelector
 	}
 
-	initContainerDetails := octavia.APIDetails{
-		ContainerImage: instance.Spec.ContainerImage,
-		VolumeMounts:   initVolumeMounts,
-	}
-	deployment.Spec.Template.Spec.InitContainers = octavia.InitContainer(initContainerDetails)
-
 	return deployment, nil
 }

pkg/octaviaapi/deployment.go

@@ -22,6 +22,7 @@ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-A
 SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
 CustomLog /dev/stdout combined env=!forwarded
 CustomLog /dev/stdout proxy env=forwarded
+ErrorLog /dev/stdout
 
 {{ range $endpt, $vhost := .VHosts }}
   # {{ $endpt }} vhost {{ $vhost.ServerName }} configuration

templates/octaviaapi/config/httpd.conf

@@ -60,6 +60,10 @@
             "path": "/run/octavia",
             "owner": "octavia:octavia",
             "recurse": true
+        }, {
+            "path": "/etc/httpd/run/",
+            "owner": "octavia:apache",
+            "recurse": true
         }
     ]
 }

templates/octaviaapi/config/octavia-api-config.json

@@ -96,7 +96,7 @@ spec:
       containers:
       - args:
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         command:
         - /bin/bash
         imagePullPolicy: IfNotPresent
@@ -121,6 +121,10 @@ spec:
           periodSeconds: 15
           successThreshold: 1
           timeoutSeconds: 15
+        securityContext:
+          runAsUser: 42437
+          runAsGroup: 42437
+          runAsNonRoot: true
       - env:
         - name: CONFIG_HASH
         - name: KOLLA_CONFIG_STRATEGY
@@ -155,6 +159,10 @@ spec:
         imagePullPolicy: IfNotPresent
         name: init
         resources: {}
+        securityContext:
+          runAsUser: 42437
+          runAsGroup: 42437
+          runAsNonRoot: true
       restartPolicy: Always
       serviceAccount: octavia-octavia
       serviceAccountName: octavia-octavia

tests/kuttl/common/assert_sample_deployment.yaml

@@ -100,7 +100,7 @@ spec:
       containers:
       - args:
         - -c
-        - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+        - /usr/local/bin/kolla_start
         command:
         - /bin/bash
         imagePullPolicy: IfNotPresent