From 9831e545c9f76745fe41de88acd1fa6f693f354d Mon Sep 17 00:00:00 2001
From: "DODDA, PRATEEK" <prateek.reddy.dodda@att.com>
Date: Fri, 26 Jun 2020 09:11:41 -0500
Subject: [PATCH] Enabling Apparmor profile to shipyard init containers

Remove OSH Authors copyright

The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.

This change removes all references to this copyright by the
non-existent group and any blank lines underneath.

Change-Id: Ic8de1678a754ba466dbd8d12c4f078151a78a091
---
 .../deployment-airflow-scheduler.yaml         |  2 +-
 .../templates/deployment-shipyard.yaml        |  3 +--
 .../templates/job-airflow-db-init.yaml        |  4 +++-
 .../templates/job-airflow-db-sync.yaml        |  4 +++-
 .../templates/job-shipyard-db-auxiliary.yaml  |  3 +++
 .../templates/job-shipyard-db-init.yaml       |  4 +++-
 .../templates/job-shipyard-db-sync.yaml       |  4 +++-
 .../templates/statefulset-airflow-worker.yaml |  2 +-
 .../templates/tests/test-shipyard-api.yaml    |  5 ++--
 charts/shipyard/values.yaml                   | 24 ++++++++++++++++++-
 10 files changed, 44 insertions(+), 11 deletions(-)

diff --git a/charts/shipyard/templates/deployment-airflow-scheduler.yaml b/charts/shipyard/templates/deployment-airflow-scheduler.yaml
index 9de44a6b..884e3dd0 100644
--- a/charts/shipyard/templates/deployment-airflow-scheduler.yaml
+++ b/charts/shipyard/templates/deployment-airflow-scheduler.yaml
@@ -1,4 +1,3 @@
-# Copyright 2017 The Openstack-Helm Authors.
 # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -50,6 +49,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
         configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+{{ dict "envAll" $envAll "podName" "airflow-scheduler" "containerNames" (list "init" "airflow-scheduler") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
       affinity:
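Review bot: The `containerNames` list on the added annotation line is hard-coded, and nothing in this hunk ties `"init"` and `"airflow-scheduler"` to the actual `initContainers`/`containers` names, which are defined further down in the pod spec, outside the hunk. If a name drifts or a container is added later, either that container gets no AppArmor annotation at all, or the annotation names a container that does not exist, which I would expect the API server to reject. The same pattern appears in deployment-shipyard.yaml, the five job templates and statefulset-airflow-worker.yaml. I would put a template comment on its own line above each such call, e.g. `{{/* containerNames must list every init and app container of this pod; keep in sync with pod.mandatory_access_control in values.yaml */}}`.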
diff --git a/charts/shipyard/templates/deployment-shipyard.yaml b/charts/shipyard/templates/deployment-shipyard.yaml
index a301763d..036cb667 100644
--- a/charts/shipyard/templates/deployment-shipyard.yaml
+++ b/charts/shipyard/templates/deployment-shipyard.yaml
@@ -1,4 +1,3 @@
-# Copyright 2017 The Openstack-Helm Authors.
 # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -44,7 +43,7 @@ spec:
         shipyard-configmap-etc-hash: {{ tuple "configmap-shipyard-etc.yaml" . | include "helm-toolkit.utils.hash" }}
         airflow-configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         airflow-configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
-{{ dict "envAll" $envAll "podName" "shipyard-api" "containerNames" (list "shipyard-api" "airflow-web") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "shipyard-api" "containerNames" (list "init" "shipyard-api" "airflow-web") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
 {{ dict "envAll" $envAll "application" "shipyard" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
diff --git a/charts/shipyard/templates/job-airflow-db-init.yaml b/charts/shipyard/templates/job-airflow-db-init.yaml
index 12cf0ca2..3d3c96c0 100644
--- a/charts/shipyard/templates/job-airflow-db-init.yaml
+++ b/charts/shipyard/templates/job-airflow-db-init.yaml
@@ -1,5 +1,4 @@
 {{/*
-Copyright 2017 The Openstack-Helm Authors.
 Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
@@ -31,6 +30,9 @@ spec:
     metadata:
       labels:
 {{ tuple $envAll "airflow" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "airflow-db-init" "containerNames" (list "init" "airflow-db-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
       restartPolicy: OnFailure
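Review bot: Adding an `annotations:` block here changes the pod template of a Job, and Kubernetes treats a Job's `spec.template` as immutable once the Job exists. An in-place upgrade of a release that still has the Job rendered by this template is therefore likely to be rejected unless the old Job is deleted first. The same applies to the identical hunks in job-airflow-db-sync.yaml, job-shipyard-db-auxiliary.yaml, job-shipyard-db-init.yaml and job-shipyard-db-sync.yaml. The commit description does not mention it; if the deployment tooling does not already delete these Jobs before an upgrade, a line such as `Existing db-init/db-sync/db-auxiliary Jobs must be deleted before upgrading` would help operators.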
diff --git a/charts/shipyard/templates/job-airflow-db-sync.yaml b/charts/shipyard/templates/job-airflow-db-sync.yaml
index 82396a5f..3323ccc6 100644
--- a/charts/shipyard/templates/job-airflow-db-sync.yaml
+++ b/charts/shipyard/templates/job-airflow-db-sync.yaml
@@ -1,5 +1,4 @@
 {{/*
-Copyright 2017 The Openstack-Helm Authors.
 Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
@@ -31,6 +30,9 @@ spec:
     metadata:
       labels:
 {{ tuple $envAll "airflow" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "airflow-db-sync" "containerNames" (list "init" "airflow-db-sync") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
       restartPolicy: OnFailure
diff --git a/charts/shipyard/templates/job-shipyard-db-auxiliary.yaml b/charts/shipyard/templates/job-shipyard-db-auxiliary.yaml
index 8a5f9398..32845f6d 100644
--- a/charts/shipyard/templates/job-shipyard-db-auxiliary.yaml
+++ b/charts/shipyard/templates/job-shipyard-db-auxiliary.yaml
@@ -32,6 +32,9 @@ spec:
     metadata:
       labels:
 {{ tuple $envAll "shipyard" "db-auxiliary" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "shipyard-db-auxiliary" "containerNames" (list "init" "shipyard-db-auxiliary") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
       restartPolicy: OnFailure
diff --git a/charts/shipyard/templates/job-shipyard-db-init.yaml b/charts/shipyard/templates/job-shipyard-db-init.yaml
index 13623781..1e31edf8 100644
--- a/charts/shipyard/templates/job-shipyard-db-init.yaml
+++ b/charts/shipyard/templates/job-shipyard-db-init.yaml
@@ -1,5 +1,4 @@
 {{/*
-Copyright 2017 The Openstack-Helm Authors.
 Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
@@ -33,6 +32,9 @@ spec:
     metadata:
       labels:
 {{ tuple $envAll "shipyard" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "shipyard-db-init" "containerNames" (list "init" "shipyard-db-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
       restartPolicy: OnFailure
diff --git a/charts/shipyard/templates/job-shipyard-db-sync.yaml b/charts/shipyard/templates/job-shipyard-db-sync.yaml
index 03dafa68..af88bada 100644
--- a/charts/shipyard/templates/job-shipyard-db-sync.yaml
+++ b/charts/shipyard/templates/job-shipyard-db-sync.yaml
@@ -1,5 +1,4 @@
 {{/*
-Copyright 2017 The Openstack-Helm Authors.
 Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
@@ -33,6 +32,9 @@ spec:
     metadata:
       labels:
 {{ tuple $envAll "shipyard" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "shipyard-db-sync" "containerNames" (list "init" "shipyard-db-sync") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
       restartPolicy: OnFailure
diff --git a/charts/shipyard/templates/statefulset-airflow-worker.yaml b/charts/shipyard/templates/statefulset-airflow-worker.yaml
index ee9a9a33..3efe182c 100644
--- a/charts/shipyard/templates/statefulset-airflow-worker.yaml
+++ b/charts/shipyard/templates/statefulset-airflow-worker.yaml
@@ -86,7 +86,7 @@ spec:
 {{ $labels | indent 8 }}
       annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
-{{ dict "envAll" $envAll "podName" "airflow-worker" "containerNames" (list "airflow-worker" "airflow-scheduler" "airflow-logrotate") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+{{ dict "envAll" $envAll "podName" "airflow-worker" "containerNames" (list "init" "worker-perms" "airflow-worker" "airflow-scheduler" "airflow-logrotate") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
       affinity:
diff --git a/charts/shipyard/templates/tests/test-shipyard-api.yaml b/charts/shipyard/templates/tests/test-shipyard-api.yaml
index 8c93e207..84e3ed9d 100644
--- a/charts/shipyard/templates/tests/test-shipyard-api.yaml
+++ b/charts/shipyard/templates/tests/test-shipyard-api.yaml
@@ -22,10 +22,11 @@ Test the Shipyard API, to ensure that the health endpoint is active and able to
 apiVersion: v1
 kind: Pod
 metadata:
-  name: "{{ .Release.Name }}-shipyard-api-test"
+  name: shipyard-api-test
   annotations:
     "helm.sh/hook": "test-success"
     {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ dict "envAll" $envAll "podName" "shipyard-api-test" "containerNames" (list "shipyard-api-test") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
   labels:
 {{ tuple $envAll "shipyard" "api-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
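Review bot: `metadata.name` no longer carries `{{ .Release.Name }}`, so two releases of this chart in one namespace, or a test pod left over from an earlier run, would collide on the fixed name `shipyard-api-test`. From what is visible, the annotation snippet is driven by the literal `podName`/`containerNames` arguments and the matching keys in values.yaml, not by the Pod's real name. Only the container name, which the next hunk changes, should need to be static. I would keep `name: "{{ .Release.Name }}-shipyard-api-test"` on the Pod and leave the container as `shipyard-api-test`.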
@@ -33,7 +34,7 @@ spec:
   nodeSelector:
     {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
   containers:
-    - name: "{{ .Release.Name }}-shipyard-api-test"
+    - name: shipyard-api-test
       env:
         - name: 'SHIPYARD_URL'
           value: {{ tuple "shipyard" "internal" "api" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | quote }}
diff --git a/charts/shipyard/values.yaml b/charts/shipyard/values.yaml
index 4b037428..61d1336c 100644
--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
@@ -1,4 +1,3 @@
-# Copyright 2017 The Openstack-Helm Authors.
 # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -722,12 +721,35 @@ pod:
   mandatory_access_control:
     type: apparmor
     shipyard-api:
+      init: runtime/default
       shipyard-api: runtime/default
       airflow-web: runtime/default
     airflow-worker:
+      init: runtime/default
+      worker-perms: runtime/default
       airflow-worker: runtime/default
       airflow-scheduler: runtime/default
       airflow-logrotate: runtime/default
+    airflow-scheduler:
+      init: runtime/default
+      airflow-scheduler: runtime/default
+    shipyard-db-auxiliary:
+      init: runtime/default
+      shipyard-db-auxiliary: runtime/default
+    shipyard-db-init:
+      init: runtime/default
+      shipyard-db-init: runtime/default
+    shipyard-db-sync:
+      init: runtime/default
+      shipyard-db-sync: runtime/default
+    airflow-db-init:
+      init: runtime/default
+      airflow-db-init: runtime/default
+    airflow-db-sync:
+      init: runtime/default
+      airflow-db-sync: runtime/default
+    shipyard-api-test:
+      shipyard-api-test: runtime/default
   security_context:
     shipyard:
       pod:
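Review bot: The new `mandatory_access_control` entries have no comment explaining their structure, and a key that does not match the `podName`/`containerNames` literals in the templates would presumably just produce no annotation for that container. I would add a comment above `type: apparmor` along the lines of `# <podName>: <containerName>: <profile>; keys must match the podName/containerNames passed to the annotation snippet in templates/`. A second comment should say what the `init` container is (it looks like the init container injected by helm-toolkit, to be confirmed). It is also worth stating that `runtime/default` selects the container runtime's default profile and that sites needing tighter confinement can override each value with their own profile.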