from opslib.osm.pod import (
ContainerV3Builder,
IngressResourceV3Builder,
+ PodRestartPolicy,
PodSpecV3Builder,
)
from opslib.osm.validator import ModelValidator, validator
tls_secret_name: Optional[str]
mongodb_uri: Optional[str]
image_pull_policy: str
+ debug_mode: bool
+ security_context: bool
@validator("auth_backend")
def validate_auth_backend(cls, v):
# Check relations
self._check_missing_dependencies(config)
+ security_context_enabled = (
+ config.security_context if not config.debug_mode else False
+ )
+
# Create Builder for the PodSpec
- pod_spec_builder = PodSpecV3Builder()
+ pod_spec_builder = PodSpecV3Builder(
+ enable_security_context=security_context_enabled
+ )
+
+ # Add secrets to the pod
+ mongodb_secret_name = f"{self.app.name}-mongodb-secret"
+ pod_spec_builder.add_secret(
+ mongodb_secret_name,
+ {
+ "uri": config.mongodb_uri or self.mongodb_client.connection_string,
+ "commonkey": config.database_commonkey,
+ },
+ )
# Build Init Container
pod_spec_builder.add_init_container(
# Build Container
container_builder = ContainerV3Builder(
- self.app.name, image_info, config.image_pull_policy
+ self.app.name,
+ image_info,
+ config.image_pull_policy,
+ run_as_non_root=security_context_enabled,
)
container_builder.add_port(name=self.app.name, port=PORT)
container_builder.add_tcpsocket_readiness_probe(
"OSMNBI_MESSAGE_PORT": self.kafka_client.port,
# Database configuration
"OSMNBI_DATABASE_DRIVER": "mongo",
- "OSMNBI_DATABASE_URI": config.mongodb_uri
- or self.mongodb_client.connection_string,
- "OSMNBI_DATABASE_COMMONKEY": config.database_commonkey,
# Storage configuration
"OSMNBI_STORAGE_DRIVER": "mongo",
"OSMNBI_STORAGE_PATH": "/app/storage",
"OSMNBI_STORAGE_COLLECTION": "files",
- "OSMNBI_STORAGE_URI": config.mongodb_uri
- or self.mongodb_client.connection_string,
# Prometheus configuration
"OSMNBI_PROMETHEUS_HOST": self.prometheus_client.hostname,
"OSMNBI_PROMETHEUS_PORT": self.prometheus_client.port,
"OSMNBI_LOG_LEVEL": config.log_level,
}
)
+ container_builder.add_secret_envs(
+ secret_name=mongodb_secret_name,
+ envs={
+ "OSMNBI_DATABASE_URI": "uri",
+ "OSMNBI_DATABASE_COMMONKEY": "commonkey",
+ "OSMNBI_STORAGE_URI": "uri",
+ },
+ )
if config.auth_backend == "internal":
container_builder.add_env("OSMNBI_AUTHENTICATION_BACKEND", "internal")
elif config.auth_backend == "keystone":
- container_builder.add_envs(
+ keystone_secret_name = f"{self.app.name}-keystone-secret"
+ pod_spec_builder.add_secret(
+ keystone_secret_name,
{
- "OSMNBI_AUTHENTICATION_BACKEND": "keystone",
- "OSMNBI_AUTHENTICATION_AUTH_URL": self.keystone_client.host,
- "OSMNBI_AUTHENTICATION_AUTH_PORT": self.keystone_client.port,
- "OSMNBI_AUTHENTICATION_USER_DOMAIN_NAME": self.keystone_client.user_domain_name,
- "OSMNBI_AUTHENTICATION_PROJECT_DOMAIN_NAME": self.keystone_client.project_domain_name,
- "OSMNBI_AUTHENTICATION_SERVICE_USERNAME": self.keystone_client.username,
- "OSMNBI_AUTHENTICATION_SERVICE_PASSWORD": self.keystone_client.password,
- "OSMNBI_AUTHENTICATION_SERVICE_PROJECT": self.keystone_client.service,
- }
+ "url": self.keystone_client.host,
+ "port": self.keystone_client.port,
+ "user_domain": self.keystone_client.user_domain_name,
+ "project_domain": self.keystone_client.project_domain_name,
+ "service_username": self.keystone_client.username,
+ "service_password": self.keystone_client.password,
+ "service_project": self.keystone_client.service,
+ },
+ )
+ container_builder.add_env("OSMNBI_AUTHENTICATION_BACKEND", "keystone")
+ container_builder.add_secret_envs(
+ secret_name=keystone_secret_name,
+ envs={
+ "OSMNBI_AUTHENTICATION_AUTH_URL": "url",
+ "OSMNBI_AUTHENTICATION_AUTH_PORT": "port",
+ "OSMNBI_AUTHENTICATION_USER_DOMAIN_NAME": "user_domain",
+ "OSMNBI_AUTHENTICATION_PROJECT_DOMAIN_NAME": "project_domain",
+ "OSMNBI_AUTHENTICATION_SERVICE_USERNAME": "service_username",
+ "OSMNBI_AUTHENTICATION_SERVICE_PASSWORD": "service_password",
+ "OSMNBI_AUTHENTICATION_SERVICE_PROJECT": "service_project",
+ },
)
container = container_builder.build()
ingress_resource = ingress_resource_builder.build()
pod_spec_builder.add_ingress_resource(ingress_resource)
- logger.debug(pod_spec_builder.build())
+ # Add restart policy
+ restart_policy = PodRestartPolicy()
+ restart_policy.add_secrets()
+ pod_spec_builder.set_restart_policy(restart_policy)
return pod_spec_builder.build()
projects / osm / devops.git / blobdiff