Unprivileged Minion, Updated Core (#40)
* adding initial support for OpenShift

* update scc and statefulset

* fix references to OpenShift

* remove hardcoded values

* add OpenShift support for OPG

* update Sentinel

* disable hardcoded routerCanonicalHostname and fix end of file

* fix logic and detect other container types

* clean up logic

* remove html formatting from Notes file

* modify readme file

* add a file listing known issues and limitations

* Add options to control creation of ClusterRole and ClusterRoleBinding

* Allow disabling ServiceAccount

* clean up statefulset

* initial fix

* code clean up

* Ability to enable and disable ports

* update minion

* enable ports by default

* update readme files

* tweak readme for minion

* bump chart-testing to v2.6.1

* Update chart version

* clean up

* remove known issues and limitations

* use latest release

* fix postgres datasource username
mershad-manesh authored Nov 10, 2023
1 parent 5656b24 commit 86d8c8e
Showing 16 changed files with 222 additions and 53 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/lint-test.yml
@@ -27,7 +27,7 @@ jobs:
git diff --exit-code */README.md
- name: Set up chart-testing
uses: helm/chart-testing-action@v2.4.0
uses: helm/chart-testing-action@v2.6.1

- name: Run chart-testing (list-changed)
id: list-changed
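Review bot: `uses: helm/chart-testing-action@v2.6.1` still pins to a mutable git tag, so a moved or re-pushed tag would silently change the code that runs in this workflow; since the commit is already touching this line, pin to the full commit SHA of the v2.6.1 release and keep the tag as a trailing comment (`uses: helm/chart-testing-action@<sha> # v2.6.1`) so the bump is reproducible and tools like Dependabot can still track it.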
2 changes: 1 addition & 1 deletion docs/antora.yml
@@ -1,5 +1,5 @@
name: opennmshelmcharts
version: '1.1.1'
version: '1.1.2-beta'
title: Helm Charts (Kubernetes)
nav:
- modules/ROOT/nav.adoc
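Review bot: `version: '1.1.2-beta'` in docs/antora.yml does not match `version: 1.1.2` set in horizon/Chart.yaml and minion/Chart.yaml in this same commit; either drop the `-beta` suffix here or hold the chart versions back, so the published documentation version names the chart it actually describes.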
4 changes: 2 additions & 2 deletions horizon/Chart.yaml
@@ -17,13 +17,13 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 1.1.1
version: 1.1.2

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "32.0.4"
appVersion: "32.0.5"

maintainers:
- name: The OpenNMS Group Inc.
6 changes: 6 additions & 0 deletions horizon/README.md
@@ -45,6 +45,12 @@ helm install monms opennms/horizon --set domain=domain1.com --create-namespace
| core.configuration.http.restPassword | string | `"admin"` | |
| core.configuration.http.restUsername | string | `"opennms"` | |
| core.configuration.nodeSelector | string | `nil` | |
| core.configuration.ports.karaf.enabled | bool | `true` | |
| core.configuration.ports.karaf.externalPort | int | `8101` | |
| core.configuration.ports.syslog.enabled | bool | `true` | |
| core.configuration.ports.syslog.externalPort | int | `10514` | |
| core.configuration.ports.trapd.enabled | bool | `true` | |
| core.configuration.ports.trapd.externalPort | int | `1162` | |
| core.configuration.rras[0] | string | `"RRA:AVERAGE:0.5:1:2016"` | |
| core.configuration.rras[1] | string | `"RRA:AVERAGE:0.5:12:1488"` | |
| core.configuration.rras[2] | string | `"RRA:AVERAGE:0.5:288:366"` | |
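Review bot: the table lists `core.configuration.ports.karaf.enabled`, `syslog.enabled` and `trapd.enabled` as `true` by default, while values.schema.json in this commit declares `"default": false` for the same three keys; the table is generated from values.yaml, so the schema is the stale side and should be aligned. The description column is also empty for all six new keys; at minimum note that `karaf` is the Karaf SSH management console rather than a monitoring listener, so operators understand what they are exposing when they leave it enabled.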
5 changes: 4 additions & 1 deletion horizon/scripts/onms-core-init.sh
@@ -117,6 +117,9 @@ if [[ "$PKG" == *"meridian"* ]]; then
if (( $MAJOR > 2021 )); then
USE_TWIN=true
fi
elif [[ "$PKG" == *"opennms"* ]] && [[ $MAJOR > 2021 ]];then
echo "OpenNMS Core $MAJOR detected"
USE_TWIN=true
else
echo "OpenNMS Core $MAJOR detected"
if (( $MAJOR > 28 )); then
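Review bot: `[[ $MAJOR > 2021 ]]` in the new `elif` is a lexical string comparison, not a numeric one like the `(( $MAJOR > 2021 ))` used two lines above for Meridian; with a Horizon major such as `32` the string `"32"` sorts after `"2021"`, so the `elif` fires and the `else` branch with its `(( $MAJOR > 28 ))` check is never reached for any major starting with 3 or higher, while a major like `10` would fall through. If the intent is numeric, use `(( MAJOR > 2021 ))` or `[[ $MAJOR -gt 2021 ]]`; if the intent is to catch year-versioned images that carry an `opennms` package name, say so in a comment, since the `echo "OpenNMS Core $MAJOR detected"` is identical to the `else` branch and gives the reader no hint. Also add a space after `;` before `then` to match the rest of the file.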
@@ -330,7 +333,7 @@ cat <<EOF >> ${CONFIG_DIR_OVERLAY}/opennms-datasources.xml
database-name="postgres"
class-name="org.postgresql.Driver"
url="jdbc:postgresql://${POSTGRES_HOST}:${POSTGRES_PORT}/postgres?sslmode=${POSTGRES_SSL_MODE}&amp;sslfactory=${POSTGRES_SSL_FACTORY}"
user-name="${POSTGRES_PASSWORD}"
user-name="${POSTGRES_USER}"
password="${POSTGRES_PASSWORD}">
<connection-pool idleTimeout="600"
minPool="0"
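Review bot: good catch on `user-name="${POSTGRES_USER}"`; the previous line sent the password as the user name, which besides breaking the connection meant the secret was presented as a login name and would appear verbatim in PostgreSQL's `password authentication failed for user "..."` log entries. The password is still written in clear text into `${CONFIG_DIR_OVERLAY}/opennms-datasources.xml` by this heredoc, so make sure the overlay file is created with restrictive permissions (for example `umask 077` before the redirect, or `chmod 600` after it) and that the overlay volume is not shared more widely than the core container needs.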
15 changes: 12 additions & 3 deletions horizon/templates/opennms-core.service.yaml
@@ -12,14 +12,23 @@ spec:
ports:
- port: 8980
name: http
- port: 8101
{{- if .Values.core.configuration.ports.karaf.enabled }}
- port: {{ .Values.core.configuration.ports.karaf.externalPort | default 8101 }}
name: karaf
- port: 1116
targetPort: 8101
{{- end }}
{{- if .Values.core.configuration.ports.trapd.enabled }}
- port: {{ .Values.core.configuration.ports.trapd.externalPort | default 1162 }}
name: trapd
protocol: UDP
- port: 10514
targetPort: 1162
{{- end }}
{{- if .Values.core.configuration.ports.syslog.enabled }}
- port: {{ .Values.core.configuration.ports.syslog.externalPort | default 10514 }}
name: syslog
protocol: UDP
targetPort: 10514
{{- end }}
selector:
app: onms-core
{{- include "core.selectorLabels" . | nindent 4 }}
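Review bot: with `ports.karaf.enabled` defaulting to `true` in values.yaml, every install now publishes the Karaf SSH management console (8101) through the Service alongside the monitoring listeners; that port is an administrative shell, not something a trap or syslog sender needs, so default it to `false` or at least document that it should be reachable only from an operator network (NetworkPolicy or LoadBalancer source ranges). Two smaller points: the old trapd entry read `port: 1116`, so the move to `externalPort | default 1162` also fixes a long-standing wrong port and deserves a line in the commit message; and the `| default 8101` fallbacks only kick in for an explicit empty or `0` value, since values.yaml already sets the ports, so `externalPort: 0` silently becomes the default instead of failing.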
38 changes: 20 additions & 18 deletions horizon/templates/opennms-core.statefulset.yaml
@@ -37,18 +37,16 @@ spec:
serviceAccountName: {{ (.Values.dependencies.securitycontext).serviceaccount.name | quote }}
{{- end }}
securityContext:
sysctls:
- name: net.ipv4.ping_group_range
value: "0 2147483647"
{{- if eq (include "onOpenShift" .) "true" }}
{{- if eq ((.Values.dependencies.securitycontext).allowPrivilegeEscalation) true }}
fsGroup: 10001
{{- end }}
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
capabilities:
{{- if has "CAP_NET_RAW" (.Values.dependencies.securitycontext).allowedCapabilities }}
add:
- CAP_NET_RAW
{{- else }}
drop:
- ALL
{{- end }}
{{- else }}
fsGroup: 10001
{{- end }}
@@ -96,16 +94,12 @@ spec:
securityContext:
{{- if eq (include "onOpenShift" .) "true" }}
runAsNonRoot: true
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
{{- if has "CAP_NET_RAW" (.Values.dependencies.securitycontext).allowedCapabilities }}
add:
- CAP_NET_RAW
{{- else }}
drop:
- ALL
{{- end }}
{{- else }}
fsGroup: 10001
{{- end }}
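Review bot: this container loses its explicit `allowPrivilegeEscalation: false` and the `capabilities: drop: [ALL]` branch on OpenShift, and nothing replaces them; the later hunk wires `allowPrivilegeEscalation` to `(.Values.dependencies.securitycontext).allowPrivilegeEscalation` for the core container, so do the same here instead of deleting the setting, and keep the drop-all branch. The default restricted-v2 SCC would mutate the pod to the same effect, but a custom SCC granted via the chart's `securitycontextconstraints` values will not, and the chart should state its least-privilege intent itself rather than rely on the admission layer.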
@@ -139,6 +133,7 @@ spec:
securityContext:
{{- if eq (include "onOpenShift" .) "true" }}
runAsNonRoot: true
allowPrivilegeEscalation: {{ (.Values.dependencies.securitycontext).allowPrivilegeEscalation }}
seccompProfile:
type: RuntimeDefault
capabilities:
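Review bot: `allowPrivilegeEscalation: {{ (.Values.dependencies.securitycontext).allowPrivilegeEscalation }}` inherits the schema default of `true`, so on OpenShift the core container now permits privilege escalation unless the operator opts out; since the commit title is "Unprivileged Minion, Updated Core", consider flipping the default to `false` and having users who need `CAP_NET_RAW` set it explicitly, and render the value through `| quote` or `toYaml` so an unset key emits a valid boolean rather than `<no value>`.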
@@ -152,17 +147,24 @@ spec:
{{- else }}
fsGroup: 10001
{{- end }}
sysctls:
- name: net.ipv4.ping_group_range
value: 0 429496729
imagePullPolicy: {{ .Values.core.image.pullPolicy }}
args:
- -s
ports:
{{- if .Values.core.configuration.ports.syslog.enabled }}
- containerPort: 8101
name: karaf
{{- end}}
- containerPort: 8980
name: http
{{- if .Values.core.configuration.ports.trapd.enabled }}
- containerPort: 1162
name: trapd
{{- end}}
{{- if .Values.core.configuration.ports.syslog.enabled }}
- containerPort: 10514
name: syslog
{{- end}}
envFrom:
- configMapRef:
name: app-settings
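Review bot: the added `sysctls:` block sits under the container's `securityContext` (the same block that carries `imagePullPolicy` and `ports` siblings), but `sysctls` is only valid on the pod-level securityContext; with strict field validation the apply is rejected and otherwise the field is pruned, so the ping group range is never set either way. Move it back to the pod spec, and check the value: the removed pod-level entry was `0 2147483647`, the new one is `0 429496729`, which looks like a truncated number rather than a deliberate change. Separately, the `containerPort: 8101` / `name: karaf` entry is guarded by `.Values.core.configuration.ports.syslog.enabled` instead of `ports.karaf.enabled`, so disabling syslog removes the Karaf container port while disabling karaf does nothing here; and `{{- end}}` should be `{{- end }}` to match the rest of the template.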
@@ -192,7 +194,7 @@ spec:
subPath: postgresql-ca.crt
env:
{{- if eq (include "onOpenShift" .) "true" }}
{{- if or (not (has "CAP_NET_RAW" ((.Values.dependencies).securitycontext).allowedCapabilities)) (not ((.Values.dependencies).securitycontext).allowPrivilegeEscalation ) }}
{{- if or (not (has "CAP_NET_RAW" ((.Values.dependencies).securitycontext).allowedCapabilities)) (eq (.Values.dependencies).securitycontext.allowPrivilegeEscalation false) }}
- name: JAVA_HOME
value: /usr/lib/jvm/java-nocap
{{- end }}
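Review bot: replacing `not (...allowPrivilegeEscalation)` with `eq (...) false` changes what happens when the key is absent: `not nil` is true, so an unset value used to select the no-capabilities `/usr/lib/jvm/java-nocap` JVM, whereas `eq nil false` is false and now selects the default JVM, which is the less safe fallback for a missing value. If only an explicit `false` is meant to switch JVMs, say so in the schema description for `allowPrivilegeEscalation`; and use the nil-safe `((.Values.dependencies).securitycontext).allowPrivilegeEscalation` form that the `allowedCapabilities` lookup on the same line already uses, since `(.Values.dependencies).securitycontext.allowPrivilegeEscalation` fails rendering when `securitycontext` is not set.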
@@ -215,7 +217,7 @@ spec:
{{- else }}
- name: JAVA_OPTS
value: {{ $opt }}
{{- end }}
{{- end }}
startupProbe:
httpGet:
path: /opennms/login.jsp
54 changes: 49 additions & 5 deletions horizon/values.schema.json
@@ -207,6 +207,50 @@
"null"
],
"default": null
},
"ports": {
"type": "object",
"properties": {
"trapd": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"default": false
},
"externalPort": {
"type": "integer",
"default": 1162
}
}
},
"syslog": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"default": false
},
"externalPort": {
"type": "integer",
"default": 10514
}
}
},
"karaf": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"default": false
},
"externalPort": {
"type": "integer",
"default": 8101
}
}
}
}
}
},
"postConfigJob": {
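Review bot: the three `"enabled"` properties here declare `"default": false` while values.yaml in this commit sets all of them to `true` and the README table documents `true`; pick one and make the schema match, otherwise the schema misleads anyone reading it as documentation. While in here, constrain `externalPort` with `"minimum": 1, "maximum": 65535` so a bad value fails at `helm install` instead of at Service creation, and consider `"additionalProperties": false` on the `ports` object so a misspelled key such as `trapd.enable` is caught rather than ignored.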
@@ -263,9 +307,9 @@
"form": true,
"title": "Security Context",
"properties": {
"allowedCapabilities":{
"allowedCapabilities": {
"type": "array",
"description": "(Red Hat OpenShift only) Capabilities a container is allowed to use " ,
"description": "(Red Hat OpenShift only) Capabilities a container is allowed to use ",
"items": {
"type": "string",
"default": [
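Review bot: the `"default": [ ... ]` for `allowedCapabilities` is placed inside `"items"`, where a default must be a single string; the array default belongs on the `allowedCapabilities` property itself, next to `"type": "array"`. Since this hunk is only fixing whitespace on these lines, it is a cheap moment to move it, and to trim the trailing space that still ends the description string.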
@@ -274,10 +318,10 @@
]
}
},
"allowPrivilegeEscalation":{
"allowPrivilegeEscalation": {
"type": "boolean",
"default": true,
"description": "(Red Hat OpenShift only) Controls whether a process can gain more privileges than its parent process "
"description": "(Red Hat OpenShift only) Controls whether a process can gain more privileges than its parent process "
},
"securitycontextconstraints": {
"type": "object",
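Review bot: `"allowPrivilegeEscalation"` keeps `"default": true`, and after this commit that default is rendered straight into the core container's securityContext on OpenShift, so the schema now effectively documents privilege escalation as the shipped posture; the description should either justify that or the default should become `false` with `CAP_NET_RAW` users opting in. The description string on the unchanged line still ends with a trailing space, which this whitespace-only hunk could have removed as well.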
@@ -818,4 +862,4 @@
}
}
}
}
}
10 changes: 10 additions & 0 deletions horizon/values.yaml
@@ -158,6 +158,16 @@ core:
nodeSelector: null
affinity: null
tolerations: null
ports:
trapd:
enabled: true
externalPort: 1162
syslog:
enabled: true
externalPort: 10514
karaf:
enabled: true
externalPort: 8101
postConfigJob:
ttlSecondsAfterFinished: 300

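Review bot: `karaf.enabled: true` here turns the Karaf SSH console into an opt-out rather than an opt-in exposure, and this value (not the schema's `false`) is what actually renders; for a chart whose commit title promises an unprivileged deployment, `false` is the safer shipped default, with the README showing `--set core.configuration.ports.karaf.enabled=true` for operators who need remote shell access. Leaving `trapd` and `syslog` on by default is reasonable since those are the listeners the core exists to serve.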
4 changes: 2 additions & 2 deletions minion/Chart.yaml
@@ -17,13 +17,13 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 1.1.1
version: 1.1.2

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "32.0.4"
appVersion: "32.0.5"

maintainers:
- name: The OpenNMS Group Inc.
10 changes: 10 additions & 0 deletions minion/README.md
@@ -18,6 +18,12 @@ This template can be used to bring up a minion and connect it to a OpenNMS core.
| core.instanceID | string | `"monms"` | |
| createNamespace | bool | `false` | |
| imagePullSecrets | list | `[]` | |
| minion.configuration.ports.karaf.enabled | bool | `true` | |
| minion.configuration.ports.karaf.externalPort | int | `8201` | |
| minion.configuration.ports.syslog.enabled | bool | `true` | |
| minion.configuration.ports.syslog.externalPort | int | `1514` | |
| minion.configuration.ports.trapd.enabled | bool | `true` | |
| minion.configuration.ports.trapd.externalPort | int | `1162` | |
| minion.configuration.storage.dataFolder | string | `"5Gi"` | |
| minion.image.pullPolicy | string | `"IfNotPresent"` | |
| minion.image.repository | string | `"opennms/minion"` | |
@@ -27,6 +33,10 @@ This template can be used to bring up a minion and connect it to a OpenNMS core.
| minion.kafkaBroker.username | string | `""` | |
| minion.location | string | `"pod"` | |
| minion.name | string | `"myminion"` | |
| minion.resources.limits.cpu | string | `"2"` | |
| minion.resources.limits.memory | string | `"8Gi"` | |
| minion.resources.requests.cpu | string | `"2"` | |
| minion.resources.requests.memory | string | `"4Gi"` | |
| securitycontext.allowPrivilegeEscalation | bool | `true` | |
| securitycontext.allowedCapabilities[0] | string | `"NET_BIND_SERVICE"` | |
| securitycontext.allowedCapabilities[1] | string | `"CAP_NET_RAW"` | |
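Review bot: the documented `securitycontext.allowedCapabilities` defaults mix two spellings, `NET_BIND_SERVICE` without the prefix and `CAP_NET_RAW` with it; the horizon core template in this commit tests `has "CAP_NET_RAW"` literally, so a user who follows the Kubernetes convention and writes `NET_RAW` will silently get the no-capabilities JVM while believing they granted the capability. Pick one spelling, document it, and normalise in the template (or validate it in the schema with an `enum`) so the two cannot drift. The new `minion.resources.*` rows and the `ports.*` rows should also get a description, as with the core README.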
2 changes: 1 addition & 1 deletion minion/templates/minion-configmap.yaml
@@ -15,7 +15,7 @@ data:
ipc:
kafka:
bootstrap.servers: {{ .Values.minion.kafkaBroker.address }}
{{- if .Values.truststore.content }}
{{- if or (.Values.truststore.content) (and .Values.minion.kafkaBroker.username .Values.minion.kafkaBroker.password) }}
security.protocol: SASL_SSL
sasl.mechanism: SCRAM-SHA-512
sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="{{.Values.minion.kafkaBroker.username}}" password="{{.Values.minion.kafkaBroker.password}}";
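Review bot: now that a username and password alone enable this block, `sasl.jaas.config: ... password="{{.Values.minion.kafkaBroker.password}}"` is a credential rendered in clear text into a ConfigMap, readable by anyone with `get configmaps` in the namespace and not encrypted at rest by default; source it from a Secret (mounted file or env var that the init script substitutes) rather than a ConfigMap. Two follow-ups on the condition itself: with credentials but no `truststore.content`, `SASL_SSL` now relies on the JVM's default CA store, which is fine for publicly trusted broker certificates but should be stated in the README; and with `truststore.content` set but no credentials, the template still emits `username="" password=""`, so the `sasl.*` lines should be guarded by the credential check on their own.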