Adding security_context flag to charms 16/11216/3
authorsousaedu <eduardo.sousa@canonical.com>
Wed, 29 Sep 2021 00:53:30 +0000 (01:53 +0100)
committerbeierlm <mark.beierl@canonical.com>
Wed, 29 Sep 2021 15:02:50 +0000 (17:02 +0200)
security_context is set to false for now, since we don't yet have new
container images.

Change-Id: I99cf8c1ab7446811887445d596f416f7e79574e7
Signed-off-by: sousaedu <eduardo.sousa@canonical.com>
31 files changed:
installers/charm/grafana/config.yaml
installers/charm/grafana/src/charm.py
installers/charm/kafka-exporter/config.yaml
installers/charm/kafka-exporter/src/charm.py
installers/charm/kafka/config.yaml
installers/charm/kafka/src/charm.py
installers/charm/kafka/tests/test_charm.py
installers/charm/keystone/config.yaml
installers/charm/keystone/src/charm.py
installers/charm/lcm/config.yaml
installers/charm/lcm/src/charm.py
installers/charm/mon/config.yaml
installers/charm/mon/src/charm.py
installers/charm/mongodb-exporter/config.yaml
installers/charm/mongodb-exporter/src/charm.py
installers/charm/mysqld-exporter/config.yaml
installers/charm/mysqld-exporter/src/charm.py
installers/charm/nbi/config.yaml
installers/charm/nbi/src/charm.py
installers/charm/ng-ui/config.yaml
installers/charm/ng-ui/src/charm.py
installers/charm/pla/config.yaml
installers/charm/pla/src/charm.py
installers/charm/pol/config.yaml
installers/charm/pol/src/charm.py
installers/charm/prometheus/config.yaml
installers/charm/prometheus/src/charm.py
installers/charm/ro/config.yaml
installers/charm/ro/src/charm.py
installers/charm/zookeeper/config.yaml
installers/charm/zookeeper/src/charm.py

index d265786..7f97f58 100644 (file)
@@ -82,3 +82,7 @@ options:
     description: The port grafana-k8s will be listening on
     type: int
     default: 3000
+  security_context:
+    description: Enables the security context of the pods
+    type: boolean
+    default: false
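Review bot: The option description `Enables the security context of the pods` does not tell an operator what actually changes when the flag is true; the charm.py hunks in this commit pass the same value as `run_as_non_root` to the container builder, so running as non-root is the observable effect, and the commit message says the default is false because the current container images are not ready for it. Neither fact reaches the user of `juju config`. Suggest `description: If true, the pod gets a security context and its containers run as non-root. Keep false until the container images support a non-root user.` The identical description is repeated in every other config.yaml hunk of this commit and should be updated in all of them.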
index 78ec0e3..36bf696 100755 (executable)
@@ -60,6 +60,7 @@ class ConfigModel(ModelValidator):
     ingress_whitelist_source_range: Optional[str]
     tls_secret_name: Optional[str]
     image_pull_policy: str
+    security_context: bool
 
     @validator("log_level")
     def validate_log_level(cls, v):
@@ -183,7 +184,9 @@ class GrafanaCharm(CharmedOsmBase):
             self.grafana_cluster.set_initial_password(admin_initial_password)
 
         # Create Builder for the PodSpec
-        pod_spec_builder = PodSpecV3Builder()
+        pod_spec_builder = PodSpecV3Builder(
+            enable_security_context=config.security_context
+        )
 
         # Add secrets to the pod
         grafana_secret_name = f"{self.app.name}-admin-secret"
@@ -197,7 +200,10 @@ class GrafanaCharm(CharmedOsmBase):
 
         # Build Container
         container_builder = ContainerV3Builder(
-            self.app.name, image_info, config.image_pull_policy
+            self.app.name,
+            image_info,
+            config.image_pull_policy,
+            run_as_non_root=config.security_context,
         )
         container_builder.add_port(name=self.app.name, port=config.port)
         container_builder.add_http_readiness_probe(
index 456c9c4..22e9387 100644 (file)
@@ -52,3 +52,7 @@ options:
       ImagePullPolicy configuration for the pod.
       Possible values: always, ifnotpresent, never
     default: always
+  security_context:
+    description: Enables the security context of the pods
+    type: boolean
+    default: false
index a8ffab1..97ab3d0 100755 (executable)
@@ -53,6 +53,7 @@ class ConfigModel(ModelValidator):
     ingress_whitelist_source_range: Optional[str]
     tls_secret_name: Optional[str]
     image_pull_policy: str
+    security_context: bool
 
     @validator("site_url")
     def validate_site_url(cls, v):
@@ -173,11 +174,16 @@ class KafkaExporterCharm(CharmedOsmBase):
         self._check_missing_dependencies(config)
 
         # Create Builder for the PodSpec
-        pod_spec_builder = PodSpecV3Builder()
+        pod_spec_builder = PodSpecV3Builder(
+            enable_security_context=config.security_context
+        )
 
         # Build container
         container_builder = ContainerV3Builder(
-            self.app.name, image_info, config.image_pull_policy
+            self.app.name,
+            image_info,
+            config.image_pull_policy,
+            run_as_non_root=config.security_context,
         )
         container_builder.add_port(name=self.app.name, port=PORT)
         container_builder.add_http_readiness_probe(
index 4319a57..4049d93 100644 (file)
@@ -30,3 +30,7 @@ options:
     description: Kafka number of partitions per topic
     type: int
     default: 1
+  security_context:
+    description: Enables the security context of the pods
+    type: boolean
+    default: false
index 763d416..5be3404 100755 (executable)
@@ -43,6 +43,7 @@ KAFKA_RESERVED_BROKER_MAX_ID = "999999999"
 class ConfigModel(ModelValidator):
     num_partitions: int
     image_pull_policy: str
+    security_context: bool
 
     @validator("image_pull_policy")
     def validate_image_pull_policy(cls, v):
@@ -100,11 +101,16 @@ class KafkaCharm(CharmedOsmBase):
         self._check_missing_dependencies()
 
         # Create Builder for the PodSpec
-        pod_spec_builder = PodSpecV3Builder()
+        pod_spec_builder = PodSpecV3Builder(
+            enable_security_context=config.security_context
+        )
 
         # Build Container
         container_builder = ContainerV3Builder(
-            self.app.name, image_info, config.image_pull_policy
+            self.app.name,
+            image_info,
+            config.image_pull_policy,
+            run_as_non_root=config.security_context,
         )
 
         container_builder.add_port(name="kafka", port=KAFKA_PORT)
index ec0efbd..409dc0b 100644 (file)
@@ -56,9 +56,7 @@ class TestCharm(unittest.TestCase):
         self.assertIsInstance(self.harness.charm.unit.status, ActiveStatus)
 
     @patch("charm.KafkaCharm.num_units", new_callable=PropertyMock)
-    def test_with_relations_kafka(
-        self, mock_num_units
-    ) -> NoReturn:
+    def test_with_relations_kafka(self, mock_num_units) -> NoReturn:
         "Test with relations (kafka)"
         mock_num_units.return_value = 1
 
index e15d035..dc0953a 100644 (file)
@@ -48,6 +48,10 @@ options:
       ImagePullPolicy configuration for the pod.
       Possible values: always, ifnotpresent, never
     default: always
+  security_context:
+    description: Enables the security context of the pods
+    type: boolean
+    default: false
   region_id:
     type: string
     description: Region ID to be created when starting the service
index 808af3b..4560ff5 100755 (executable)
@@ -86,6 +86,7 @@ class ConfigModel(ModelValidator):
     mysql_port: Optional[int]
     mysql_root_password: Optional[str]
     image_pull_policy: str
+    security_context: bool
 
     @validator("max_file_size")
     def validate_max_file_size(cls, v):
@@ -266,9 +267,14 @@ class KeystoneCharm(CharmedOsmBase):
         self._check_missing_dependencies(config, external_db)
 
         # Create Builder for the PodSpec
-        pod_spec_builder = PodSpecV3Builder()
+        pod_spec_builder = PodSpecV3Builder(
+            enable_security_context=config.security_context
+        )
         container_builder = ContainerV3Builder(
-            self.app.name, image_info, config.image_pull_policy
+            self.app.name,
+            image_info,
+            config.image_pull_policy,
+            run_as_non_root=config.security_context,
         )
 
         # Build files
index becbc4a..0f218ea 100644 (file)
@@ -284,9 +284,14 @@ options:
     description: |
       If true, debug mode is activated. It means that the service will not run,
       and instead, the command for the container will be a `sleep infinity`.
+      Note: If enabled, security_context will be disabled.
     type: boolean
     default: false
   debug_pubkey:
     description: |
       Public SSH key that will be injected to the application pod.
     type: string
+  security_context:
+    description: Enables the security context of the pods
+    type: boolean
+    default: false
index b034624..2fb90e8 100755 (executable)
@@ -111,6 +111,8 @@ class ConfigModel(ModelValidator):
     vca_stablerepourl: Optional[str]
     vca_helm_ca_certs: Optional[str]
     image_pull_policy: str
+    debug_mode: bool
+    security_context: bool
 
     @validator("log_level")
     def validate_log_level(cls, v):
@@ -181,8 +183,14 @@ class LcmCharm(CharmedOsmBase):
         # Check relations
         self._check_missing_dependencies(config)
 
+        security_context_enabled = (
+            config.security_context if not config.debug_mode else False
+        )
+
         # Create Builder for the PodSpec
-        pod_spec_builder = PodSpecV3Builder()
+        pod_spec_builder = PodSpecV3Builder(
+            enable_security_context=security_context_enabled
+        )
 
         # Add secrets to the pod
         lcm_secret_name = f"{self.app.name}-lcm-secret"
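Review bot: The conditional expression `config.security_context if not config.debug_mode else False` reads backwards; the equivalent `security_context_enabled = config.security_context and not config.debug_mode` states the rule directly. More importantly, when both flags are true the security context is dropped silently: per this commit's config.yaml, debug mode injects an SSH public key and runs `sleep infinity`, so that pod runs without the non-root constraint with nothing in the unit log to show that an operator's explicit `security_context=true` was overridden. Suggest emitting a warning at this point when `config.debug_mode and config.security_context` are both true, using whatever logger the charm already has in scope. The same pattern appears in the mon, nbi, pol and ro charm.py hunks (L289-301, L425-437, L556-568, L651-663). The enclosing method continues outside the hunk.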
@@ -197,7 +205,10 @@ class LcmCharm(CharmedOsmBase):
 
         # Build Container
         container_builder = ContainerV3Builder(
-            self.app.name, image_info, config.image_pull_policy
+            self.app.name,
+            image_info,
+            config.image_pull_policy,
+            run_as_non_root=security_context_enabled,
         )
         container_builder.add_port(name=self.app.name, port=PORT)
         container_builder.add_envs(
index b8477b1..a3394ff 100644 (file)
@@ -97,9 +97,14 @@ options:
     description: |
       If true, debug mode is activated. It means that the service will not run,
       and instead, the command for the container will be a `sleep infinity`.
+      Note: If enabled, security_context will be disabled.
     type: boolean
     default: false
   debug_pubkey:
     description: |
       Public SSH key that will be injected to the application pod.
     type: string
+  security_context:
+    description: Enables the security context of the pods
+    type: boolean
+    default: false
index 2721939..917b54a 100755 (executable)
@@ -86,6 +86,8 @@ class ConfigModel(ModelValidator):
     grafana_password: str
     certificates: Optional[str]
     image_pull_policy: str
+    debug_mode: bool
+    security_context: bool
 
     @validator("log_level")
     def validate_log_level(cls, v):
@@ -187,8 +189,14 @@ class MonCharm(CharmedOsmBase):
         # Check relations
         self._check_missing_dependencies(config)
 
+        security_context_enabled = (
+            config.security_context if not config.debug_mode else False
+        )
+
         # Create Builder for the PodSpec
-        pod_spec_builder = PodSpecV3Builder()
+        pod_spec_builder = PodSpecV3Builder(
+            enable_security_context=security_context_enabled
+        )
 
         # Add secrets to the pod
         mongodb_secret_name = f"{self.app.name}-mongodb-secret"
@@ -222,7 +230,10 @@ class MonCharm(CharmedOsmBase):
 
         # Build Container
         container_builder = ContainerV3Builder(
-            self.app.name, image_info, config.image_pull_policy
+            self.app.name,
+            image_info,
+            config.image_pull_policy,
+            run_as_non_root=security_context_enabled,
         )
         certs_files = self._build_cert_files(config)
 
index eb19d5b..fe5cd63 100644 (file)
@@ -55,3 +55,7 @@ options:
       ImagePullPolicy configuration for the pod.
       Possible values: always, ifnotpresent, never
     default: always
+  security_context:
+    description: Enables the security context of the pods
+    type: boolean
+    default: false
index 0b89931..500a1e3 100755 (executable)
@@ -55,6 +55,7 @@ class ConfigModel(ModelValidator):
     tls_secret_name: Optional[str]
     mongodb_uri: Optional[str]
     image_pull_policy: str
+    security_context: bool
 
     @validator("site_url")
     def validate_site_url(cls, v):
@@ -194,7 +195,9 @@ class MongodbExporterCharm(CharmedOsmBase):
             mongodb_uri += f"?{parsed.query}"
 
         # Create Builder for the PodSpec
-        pod_spec_builder = PodSpecV3Builder()
+        pod_spec_builder = PodSpecV3Builder(
+            enable_security_context=config.security_context
+        )
 
         # Add secrets to the pod
         mongodb_secret_name = f"{self.app.name}-mongodb-secret"
@@ -202,7 +205,10 @@ class MongodbExporterCharm(CharmedOsmBase):
 
         # Build container
         container_builder = ContainerV3Builder(
-            self.app.name, image_info, config.image_pull_policy
+            self.app.name,
+            image_info,
+            config.image_pull_policy,
+            run_as_non_root=config.security_context,
         )
         container_builder.add_port(name=self.app.name, port=PORT)
         container_builder.add_http_readiness_probe(
index c25886f..5c0a24b 100644 (file)
@@ -55,3 +55,7 @@ options:
       ImagePullPolicy configuration for the pod.
       Possible values: always, ifnotpresent, never
     default: always
+  security_context:
+    description: Enables the security context of the pods
+    type: boolean
+    default: false
index 6aeea5d..91be02a 100755 (executable)
@@ -55,6 +55,7 @@ class ConfigModel(ModelValidator):
     tls_secret_name: Optional[str]
     mysql_uri: Optional[str]
     image_pull_policy: str
+    security_context: bool
 
     @validator("site_url")
     def validate_site_url(cls, v):
@@ -190,7 +191,9 @@ class MysqlExporterCharm(CharmedOsmBase):
         )
 
         # Create Builder for the PodSpec
-        pod_spec_builder = PodSpecV3Builder()
+        pod_spec_builder = PodSpecV3Builder(
+            enable_security_context=config.security_context
+        )
 
         # Add secrets to the pod
         mysql_secret_name = f"{self.app.name}-mysql-secret"
@@ -201,7 +204,10 @@ class MysqlExporterCharm(CharmedOsmBase):
 
         # Build container
         container_builder = ContainerV3Builder(
-            self.app.name, image_info, config.image_pull_policy
+            self.app.name,
+            image_info,
+            config.image_pull_policy,
+            run_as_non_root=config.security_context,
         )
         container_builder.add_port(name=self.app.name, port=PORT)
         container_builder.add_http_readiness_probe(
index 89e248d..a85aa70 100644 (file)
@@ -82,9 +82,14 @@ options:
     description: |
       If true, debug mode is activated. It means that the service will not run,
       and instead, the command for the container will be a `sleep infinity`.
+      Note: If enabled, security_context will be disabled.
     type: boolean
     default: false
   debug_pubkey:
     description: |
       Public SSH key that will be injected to the application pod.
     type: string
+  security_context:
+    description: Enables the security context of the pods
+    type: boolean
+    default: false
index a47f618..f9088ab 100755 (executable)
@@ -63,6 +63,8 @@ class ConfigModel(ModelValidator):
     tls_secret_name: Optional[str]
     mongodb_uri: Optional[str]
     image_pull_policy: str
+    debug_mode: bool
+    security_context: bool
 
     @validator("auth_backend")
     def validate_auth_backend(cls, v):
@@ -183,8 +185,14 @@ class NbiCharm(CharmedOsmBase):
         # Check relations
         self._check_missing_dependencies(config)
 
+        security_context_enabled = (
+            config.security_context if not config.debug_mode else False
+        )
+
         # Create Builder for the PodSpec
-        pod_spec_builder = PodSpecV3Builder()
+        pod_spec_builder = PodSpecV3Builder(
+            enable_security_context=security_context_enabled
+        )
 
         # Add secrets to the pod
         mongodb_secret_name = f"{self.app.name}-mongodb-secret"
@@ -211,7 +219,10 @@ class NbiCharm(CharmedOsmBase):
 
         # Build Container
         container_builder = ContainerV3Builder(
-            self.app.name, image_info, config.image_pull_policy
+            self.app.name,
+            image_info,
+            config.image_pull_policy,
+            run_as_non_root=security_context_enabled,
         )
         container_builder.add_port(name=self.app.name, port=PORT)
         container_builder.add_tcpsocket_readiness_probe(
index 49226b7..c5f447b 100644 (file)
@@ -60,3 +60,7 @@ options:
       ImagePullPolicy configuration for the pod.
       Possible values: always, ifnotpresent, never
     default: always
+  security_context:
+    description: Enables the security context of the pods
+    type: boolean
+    default: false
index 7d8c59c..39675d0 100755 (executable)
@@ -55,6 +55,7 @@ class ConfigModel(ModelValidator):
     ingress_whitelist_source_range: Optional[str]
     tls_secret_name: Optional[str]
     image_pull_policy: str
+    security_context: bool
 
     @validator("port")
     def validate_port(cls, v):
@@ -132,10 +133,15 @@ class NgUiCharm(CharmedOsmBase):
         # Check relations
         self._check_missing_dependencies(config)
         # Create Builder for the PodSpec
-        pod_spec_builder = PodSpecV3Builder()
+        pod_spec_builder = PodSpecV3Builder(
+            enable_security_context=config.security_context
+        )
         # Build Container
         container_builder = ContainerV3Builder(
-            self.app.name, image_info, config.image_pull_policy
+            self.app.name,
+            image_info,
+            config.image_pull_policy,
+            run_as_non_root=config.security_context,
         )
         container_builder.add_port(name=self.app.name, port=config.port)
         container = container_builder.build()
index 75b19d8..642c165 100644 (file)
@@ -33,3 +33,7 @@ options:
       ImagePullPolicy configuration for the pod.
       Possible values: always, ifnotpresent, never
     default: always
+  security_context:
+    description: Enables the security context of the pods
+    type: boolean
+    default: false
index d0df179..7867991 100755 (executable)
@@ -48,6 +48,7 @@ class ConfigModel(ModelValidator):
     mongodb_uri: Optional[str]
     log_level: str
     image_pull_policy: str
+    security_context: bool
 
     @validator("log_level")
     def validate_log_level(cls, v):
@@ -108,7 +109,9 @@ class PlaCharm(CharmedOsmBase):
         self._check_missing_dependencies(config)
 
         # Create Builder for the PodSpec
-        pod_spec_builder = PodSpecV3Builder()
+        pod_spec_builder = PodSpecV3Builder(
+            enable_security_context=config.security_context
+        )
 
         # Add secrets to the pod
         mongodb_secret_name = f"{self.app.name}-mongodb-secret"
@@ -122,7 +125,10 @@ class PlaCharm(CharmedOsmBase):
 
         # Build Container
         container_builder = ContainerV3Builder(
-            self.app.name, image_info, config.image_pull_policy
+            self.app.name,
+            image_info,
+            config.image_pull_policy,
+            run_as_non_root=config.security_context,
         )
         container_builder.add_port(name=self.app.name, port=PORT)
         container_builder.add_envs(
index 3264ca3..0279bd5 100644 (file)
@@ -42,9 +42,14 @@ options:
     description: |
       If true, debug mode is activated. It means that the service will not run,
       and instead, the command for the container will be a `sleep infinity`.
+      Note: If enabled, security_context will be disabled.
     type: boolean
     default: false
   debug_pubkey:
     description: |
       Public SSH key that will be injected to the application pod.
     type: string
+  security_context:
+    description: Enables the security context of the pods
+    type: boolean
+    default: false
index 02c8186..345a87f 100755 (executable)
@@ -51,6 +51,8 @@ class ConfigModel(ModelValidator):
     mongodb_uri: Optional[str]
     mysql_uri: Optional[str]
     image_pull_policy: str
+    debug_mode: bool
+    security_context: bool
 
     @validator("log_level")
     def validate_log_level(cls, v):
@@ -130,8 +132,14 @@ class PolCharm(CharmedOsmBase):
         # Check relations
         self._check_missing_dependencies(config)
 
+        security_context_enabled = (
+            config.security_context if not config.debug_mode else False
+        )
+
         # Create Builder for the PodSpec
-        pod_spec_builder = PodSpecV3Builder()
+        pod_spec_builder = PodSpecV3Builder(
+            enable_security_context=security_context_enabled
+        )
 
         # Add secrets to the pod
         mongodb_secret_name = f"{self.app.name}-mongodb-secret"
@@ -150,7 +158,10 @@ class PolCharm(CharmedOsmBase):
 
         # Build Container
         container_builder = ContainerV3Builder(
-            self.app.name, image_info, config.image_pull_policy
+            self.app.name,
+            image_info,
+            config.image_pull_policy,
+            run_as_non_root=security_context_enabled,
         )
         container_builder.add_port(name=self.app.name, port=PORT)
         container_builder.add_envs(
index 6ce1613..6db6a60 100644 (file)
@@ -71,3 +71,7 @@ options:
       ImagePullPolicy configuration for the pod.
       Possible values: always, ifnotpresent, never
     default: always
+  security_context:
+    description: Enables the security context of the pods
+    type: boolean
+    default: false
index e79de69..61589e2 100755 (executable)
@@ -61,6 +61,7 @@ class ConfigModel(ModelValidator):
     tls_secret_name: Optional[str]
     enable_web_admin_api: bool
     image_pull_policy: str
+    security_context: bool
 
     @validator("web_subpath")
     def validate_web_subpath(cls, v):
@@ -159,7 +160,9 @@ class PrometheusCharm(CharmedOsmBase):
         # Validate config
         config = ConfigModel(**dict(self.config))
         # Create Builder for the PodSpec
-        pod_spec_builder = PodSpecV3Builder()
+        pod_spec_builder = PodSpecV3Builder(
+            enable_security_context=config.security_context
+        )
 
         # Build Backup Container
         backup_image = OCIImageResource(self, "backup-image")
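Review bot: Only the main container receives `run_as_non_root=config.security_context` in this file (second hunk, L616-622); the backup container whose image is resolved on the last line of this hunk is built in the lines between the two hunks, which are not part of the commit. If that builder is also a `ContainerV3Builder`, it keeps its default and the pod-level `enable_security_context` applies to a pod where one of two containers ignores the flag, which is presumably not the intent. Either pass `run_as_non_root=config.security_context` to the backup container builder as well, or add a comment explaining why the backup container is exempt. The enclosing method starts before and ends after this hunk.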
@@ -171,7 +174,10 @@ class PrometheusCharm(CharmedOsmBase):
 
         # Build Container
         container_builder = ContainerV3Builder(
-            self.app.name, image_info, config.image_pull_policy
+            self.app.name,
+            image_info,
+            config.image_pull_policy,
+            run_as_non_root=config.security_context,
         )
         container_builder.add_port(name=self.app.name, port=PORT)
         container_builder.add_http_readiness_probe(
index 9828438..ab4cd5d 100644 (file)
@@ -80,9 +80,14 @@ options:
     description: |
       If true, debug mode is activated. It means that the service will not run,
       and instead, the command for the container will be a `sleep infinity`.
+      Note: If enabled, security_context will be disabled.
     type: boolean
     default: false
   debug_pubkey:
     description: |
       Public SSH key that will be injected to the application pod.
     type: string
+  security_context:
+    description: Enables the security context of the pods
+    type: boolean
+    default: false
index 3b6b7e2..2a8c110 100755 (executable)
@@ -79,6 +79,8 @@ class ConfigModel(ModelValidator):
     openmano_tenant: str
     certificates: Optional[str]
     image_pull_policy: str
+    debug_mode: bool
+    security_context: bool
 
     @validator("log_level")
     def validate_log_level(cls, v):
@@ -216,12 +218,21 @@ class RoCharm(CharmedOsmBase):
         # Check relations
         self._check_missing_dependencies(config)
 
+        security_context_enabled = (
+            config.security_context if not config.debug_mode else False
+        )
+
         # Create Builder for the PodSpec
-        pod_spec_builder = PodSpecV3Builder()
+        pod_spec_builder = PodSpecV3Builder(
+            enable_security_context=security_context_enabled
+        )
 
         # Build Container
         container_builder = ContainerV3Builder(
-            self.app.name, image_info, config.image_pull_policy
+            self.app.name,
+            image_info,
+            config.image_pull_policy,
+            run_as_non_root=security_context_enabled,
         )
         certs_files = self._build_cert_files(config)
 
index d9b89a4..149d388 100644 (file)
@@ -87,3 +87,7 @@ options:
       For example, the minimum session timeout will be two ticks.
     type: int
     default: 2000
+  security_context:
+    description: Enables the security context of the pods
+    type: boolean
+    default: false
index 6e4588c..c2acf0b 100755 (executable)
@@ -52,6 +52,7 @@ class ConfigModel(ModelValidator):
     sync_limit: int
     init_limit: int
     tick_time: int
+    security_context: bool
 
     @validator("log_level")
     def validate_log_level(cls, v):
@@ -99,7 +100,7 @@ class ZookeeperCharm(CharmedOsmBase):
         Args:
             event (EventBase): Zookeeper Cluster relation event.
         """
-        self._publish_zookeeper_info(event)
+        self._publish_info(event)
         self.configure_pod()
 
     def _publish_info(self, event: EventBase):
@@ -120,11 +121,16 @@ class ZookeeperCharm(CharmedOsmBase):
         config = ConfigModel(**dict(self.config))
 
         # Create Builder for the PodSpec
-        pod_spec_builder = PodSpecV3Builder()
+        pod_spec_builder = PodSpecV3Builder(
+            enable_security_context=config.security_context
+        )
 
         # Build Container
         container_builder = ContainerV3Builder(
-            self.app.name, image_info, config.image_pull_policy
+            self.app.name,
+            image_info,
+            config.image_pull_policy,
+            run_as_non_root=config.security_context,
         )
 
         container_builder.add_port(name="client", port=CLIENT_PORT)