This PS adds the security context macros to the grafana chart,
and moves the default to read-only-rootfs for all containers
Change-Id: Ie79e3bfc6af07b16cd53eddae17eceac3d9f8613
This PS updates the create-mysql-user.sh to display the error
if the exporter user was not created successfully.
Change-Id: I03505b5fb569cda199c2803086b77206b810ea3f
This updates the ceph-rgw chart to include the pod
security context on the pod template
This also adds the container security context
Change-Id: Ic75a1decfe156e1e8aa2ebe38238f6b77abb71f8
This PS remvoes the stable helm repo, if present, to improve the
build time of patches.
Change-Id: Id6ec86e5ff426994b12adf4ca8e80eda2e52f147
Signed-off-by: Pete Birley <pete@port.direct>
This adds '|| true' to the curl command for gathering metrics from
prometheus exporters in the postrun job. After the move to
minikube for single node jobs, the headless services for the
kubernetes components no longer work as intended. The addition of
'|| true' allows the post run job to continue through the list
of services tied to the prometheus exporters without the task
failing outright
Change-Id: I56f0f56b799c3df9b2bd66a2c2044d71473606e3
This updates the registry chart to include the pod
security context on the pod template
This also adds the container security context
Change-Id: I36b6a2cf291dda2f991843c07ba116f3bf936d03
This PS adds the security context macros to the ceph-client chart,
and moves the default to read-only-rootfs for all containers.
Change-Id: I2fe03f31cc59e1cda2bf0396ae6e3aca5c440a16
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the ceph charts to make /etc/ceph an emptydir
uniformly across all charts, both ensuring no default config is loaded,
and also permitting read-only filesystems to back the containers.
Additionally /run is uniformly applied across all long running pods
as a memory backed emptydir.
Change-Id: I00d1b15758b7eb4476fb950ddcb38db9a5149ad0
Signed-off-by: Pete Birley <pete@port.direct>
This PS fixes the use of the security context macros for the
calico chart.
Change-Id: I2ed8a5e994726b625d76a2c308895441c7d174a9
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates to use security context macros from HTK, in line
with other charts.
Change-Id: I5ca0af17eccc4856baef871cf199554aad075ebe
Signed-off-by: Pete Birley <pete@port.direct>
This adds a security context to the postgresql exporter, which
changes the pod's user from root to the nobody user instead
This also adds the container security context to set
allowPrivilegeEscalation to false and readOnlyRootFilesystem to true
Change-Id: Ibe49f77ed2d0a588b5abe175318edd1c82a57cca
This PS improves the securityu options for the ovs-db pod
by specifying running as a non-root user, using read only
filesystems for the containers and also preventing
privilege escalation. A subsequent ps will move to use the
helm toolkit functions that allow the control of these params.
Change-Id: I94fbf5b851be68f6fb4a1f9809ad12776e8a80b3
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the helm test script to remove the rally user by
default following a test run.
Change-Id: I5a28244f8f8bd8ef485cb45cc922601d631adff1
Depends-On: https://review.openstack.org/#/c/643206/
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.
Additionally some yaml indent issues are resolved.
Change-Id: I8b7f1614da059783254aa6efc09facf23fca3cad
Signed-off-by: Pete Birley <pete@port.direct>
This updates the post-run pod logs task to gather logs from any
failed containers, allowing for identifying issues associated with
pods that fail to start in the gate jobs
Change-Id: I9195f319a064f84f62d2aa558df05f8f81b9abea
This updates the prometheus chart to include the pod
security context on the pod template. This changes the pod's
user from root to the nobody user instead
This also adds the container security context to explicitly set
allowPrivilegeEscalation to false and readOnlyRootFilesystem to true
Change-Id: I2a3a4b77d9b25c086dc23b4fd66dca92872c422d
This reverts commit 244f177ecb2574e8984b8590655af491e49420b4.
removing readOnlyRootFilesystem flag since pods are running to "crashLoopBackOff" state by implementing HTK functionality
when we have set the readOnly flag at pod without HTK functionality the changes were not effected. That is why it passed the gate.
Change-Id: I6920956b881fa358a37003d21a7b76602e2ac61c
