authorSuren A. Chilingaryan <csa@suren.me>2018-02-20 15:10:45 +0100
committerSuren A. Chilingaryan <csa@suren.me>2018-02-20 15:10:45 +0100
commite4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe (patch)
tree3a8a420d8d26e616491f31b322a006dd2b3e0e1c /roles/ands_kaas/templates
parent96ced00e05b50f276841a9212ae89e018de4d92d (diff)
Handling GlusterFS storage security in OpenShift containers
Diffstat (limited to 'roles/ands_kaas/templates')
-rw-r--r--roles/ands_kaas/templates/0-gfs-volumes.yml.j29
-rw-r--r--roles/ands_kaas/templates/6-kaas-pods.yml.j235
2 files changed, 34 insertions, 10 deletions
diff --git a/roles/ands_kaas/templates/0-gfs-volumes.yml.j2 b/roles/ands_kaas/templates/0-gfs-volumes.yml.j2
index a162c8b..8e5842a 100644
--- a/roles/ands_kaas/templates/0-gfs-volumes.yml.j2
+++ b/roles/ands_kaas/templates/0-gfs-volumes.yml.j2
@@ -7,10 +7,11 @@ metadata:
descriptions: "KATRIN Volumes"
objects:
{% for name, vol in (kaas_project_config.volumes | default(kaas_openshift_volumes)).iteritems() %}
+{% set oc_name = vol.name | default(name) | regex_replace('_','-') %}
- apiVersion: v1
kind: PersistentVolume
metadata:
- name: {{ vol.name | default(name) }}
+ name: {{ oc_name }}
spec:
persistentVolumeReclaimPolicy: Retain
glusterfs:
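Review bot: The `regex_replace('_','-')` on the new `oc_name` line maps two distinct config keys onto one Kubernetes object name when one key uses an underscore and another the matching hyphen (a constructed example: `my_data` and `my-data`), and the second PersistentVolume rendered then silently replaces the first on apply. Nothing in the hunk guards against that, so a short Jinja comment stating the constraint would help the next maintainer, e.g. `{# Kubernetes object names are DNS-1123 names; '_' is not allowed, so keys are rewritten — keep keys unique after this mapping #}`. The normalization also covers only underscores, so a key with uppercase letters or other disallowed characters would still yield an invalid name; that is inferred from the filter, not shown by a failing case here. The enclosing `{% for %}` continues past the hunk.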
@@ -22,14 +23,14 @@ objects:
capacity:
storage: {{ vol.capacity | default(kaas_default_volume_capacity) }}
claimRef:
- name: {{ vol.name | default(name) }}
+ name: {{ oc_name }}
namespace: {{ kaas_project }}
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
- name: {{ vol.name | default(name) }}
+ name: {{ oc_name }}
spec:
- volumeName: {{ vol.name | default(name) }}
+ volumeName: {{ oc_name }}
accessModes:
- {{ vol.access | default('ReadWriteMany') }}
resources:
diff --git a/roles/ands_kaas/templates/6-kaas-pods.yml.j2 b/roles/ands_kaas/templates/6-kaas-pods.yml.j2
index 479b343..d5418d3 100644
--- a/roles/ands_kaas/templates/6-kaas-pods.yml.j2
+++ b/roles/ands_kaas/templates/6-kaas-pods.yml.j2
@@ -36,7 +36,7 @@ objects:
- apiVersion: v1
kind: Route
metadata:
- name: kaas
+ name: {{ pod.name | default(name) }}
spec:
host: {{ pod.service.host }}
to:
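Review bot: The Route name on the added line is taken from `pod.name | default(name)` without the `regex_replace('_','-')` that the volumes template applies to its names, so a pod key containing an underscore renders an invalid object name here and again on the DeploymentConfig in the next hunk of this file. Hoisting one `{% set oc_name = pod.name | default(name) | regex_replace('_','-') %}` to the head of the pod loop (which starts outside this hunk) and writing `name: {{ oc_name }}` in both places keeps naming consistent across the two templates. The selector and service labels that presumably reference the same name are not visible in this hunk and would need the same treatment — confirm against the rest of the template.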
@@ -66,7 +66,7 @@ objects:
- apiVersion: v1
kind: DeploymentConfig
metadata:
- name: kaas
+ name: {{ pod.name | default(name) }}
spec:
replicas: {{ pod.sched.replicas | default(1) }}
selector:
@@ -93,12 +93,33 @@ objects:
{% for img in pod.images %}
{% set imgidx = loop.index %}
{% for vol in img.mappings %}
+ {% set oc_name = vol.name | default(name) | regex_replace('_','-') %}
- name: vol-{{imgidx}}-{{loop.index}}
persistentVolumeClaim:
- claimName: {{ vol.name }}
+ claimName: {{ oc_name }}
{% endfor %}
{% endfor %}
{% endif %}
+ {% if (pod.groups is defined) or (pod.run_as is defined) %}
+ securityContext:
+ {% if (pod.run_as is defined) %}
+ {% if (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as] is defined %}
+ - {{ (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as].id }}
+ {% else %}
+ - pod.run_as
+ {% endif %}
+ {% endif %}
+ {% if (pod.groups is defined) %}
+ supplementalGroups:
+ {% for group in pod.groups %}
+ {% if (kaas_project_config.gids | default(kaas_openshift_gids))[group] is defined %}
+ - {{ (kaas_project_config.gids | default(kaas_openshift_gids))[group].id }}
+ {% else %}
+ - group
+ {% endif %}
+ {% endfor %}
+ {% endif %}
+ {% endif %}
containers:
{% for img in pod.images %}
{% set imgidx = loop.index %}
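Review bot: When `pod.run_as` is defined, the added `securityContext:` block renders a bare sequence item (`- <uid>`) directly under a mapping key and then, if groups are also set, a `supplementalGroups:` key after it, which is neither valid YAML nor the PodSecurityContext schema — the uid belongs under `runAsUser:`. The two fallback branches also emit the literal text `pod.run_as` and `group` instead of the variable values, because the `{{ }}` delimiters are missing. `runAsUser` is an integer in the API, so the fallback can only work when `pod.run_as` is already numeric, and on OpenShift a uid outside the range permitted by the SCC bound to the pod's service account is rejected at admission; failing the render on an unresolved uid/gid name may be safer than passing it through. The new `vol.name | default(name)` for `claimName` now falls back to the enclosing pod's loop variable rather than a volume key, which looks unintended for a PVC reference — worth confirming. The indentation below is relative and must match the `containers:` line that follows the block.
```jinja
{% if (pod.groups is defined) or (pod.run_as is defined) %}
securityContext:
{% if (pod.run_as is defined) %}
{% set uid_map = kaas_project_config.uids | default(kaas_openshift_uids) %}
  runAsUser: {{ uid_map[pod.run_as].id if uid_map[pod.run_as] is defined else pod.run_as }}
{% endif %}
{% if (pod.groups is defined) %}
{% set gid_map = kaas_project_config.gids | default(kaas_openshift_gids) %}
  supplementalGroups:
{% for group in pod.groups %}
  - {{ gid_map[group].id if gid_map[group] is defined else group }}
{% endfor %}
{% endif %}
{% endif %}
{# … unchanged: containers: and the image loop that follows … #}
```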
@@ -118,10 +139,12 @@ objects:
{% endif %}
{% if img.env is defined %}
env:
- {% for env_name, env_val in img.env.iteritems() %}
+ {% for env_item in img.env %}
+ {% set env_name = env_item.name %}
+ {% set env_val = env_item.value %}
{% set env_parts = (env_val | string).split('@') %}
+ - name: "{{ env_name }}"
{% if env_parts[0] == "secret" %}
- - name: {{ env_name }}
{% set env_sec = (env_parts[1] | string).split('/') %}
valueFrom:
secretKeyRef:
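Review bot: Wrapping the value in double quotes at `- name: "{{ env_name }}"` here and at `value: "{{ env_val }}"` in the last hunk stops YAML from retyping values such as `yes`, `0644` or `3.10`, but a value containing a `"` or a backslash now breaks the rendered document, and double-quoted YAML also interprets escapes like `\n`; `value: {{ env_val | to_json }}` produces a correctly escaped scalar for both cases. `{% set env_val = env_item.value %}` reads the key unconditionally, so an env entry without `value` presumably fails the render under Ansible's default undefined handling rather than falling through to the secret/configmap branches; if that is intended, a one-line comment such as `{# every env entry must carry name and value; value may be secret@<name>/<key> #}` would make the contract visible. The configmap branch between the two hunks is not visible here.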
@@ -134,7 +157,7 @@ objects:
name: {{ env_cm[0] }}
key: {{ env_cm[1] }}
{% else %}
- value: {{ env_val }}
+ value: "{{ env_val }}"
{% endif %}
{% endfor %}
{% endif %}