feat: dynamix selinux label

Signed-off-by: sebastien.heurtematte <[email protected]>
eclipse-cbi · Jan 16, 2025 · f7196b3 · f7196b3
1 parent 4b3d96e
commit f7196b3
Show file tree

Hide file tree

Showing 5 changed files with 61 additions and 6 deletions.
diff --git a/build/gen-config.sh b/build/gen-config.sh
@@ -37,7 +37,17 @@ mkdir -p "$(dirname "${config}")"
 mkdir -p "$(dirname "${config}")/k8s"
 mkdir -p "$(dirname "${config}")/.secrets/k8s"
 
-jsonnet -m "${target}" "${instance}/jiro.jsonnet"
+uid="$(kubectl get namespace "${instance##*.}" -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}')"
+seLinuxLevel="$(kubectl get namespace "${instance##*.}" -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.mcs}')"
+
+JSONNET_PARAM=(
+  "--ext-str" "uid=${uid%%/*}" \
+  "--ext-str" "seLinuxLevel=${seLinuxLevel}"
+)
+
+echo "Jsonnet Params: uid=${uid%%/*}, seLinuxLevel=${seLinuxLevel}"
+
+jsonnet -m "${target}" "${instance}/jiro.jsonnet" "${JSONNET_PARAM[@]}"
 
 "${SCRIPT_FOLDER}/gen-mvn-settings.sh" "${instance}"
 "${SCRIPT_FOLDER}/gen-gradle-properties.sh" "${instance}"
@@ -47,7 +57,7 @@ jsonnet -m "${target}" "${instance}/jiro.jsonnet"
 # (to override some defaults in this phase)
 if [[ -f "${instance}/jiro_phase2.jsonnet" ]]; then
   # note the -J as we will need to import config.json as generated by phase 1
-  jsonnet -m "${target}" -J "${instance}/target" "${instance}/jiro_phase2.jsonnet"
+  jsonnet -m "${target}" -J "${instance}/target" "${instance}/jiro_phase2.jsonnet" 
 else 
   # otherwise, take the one from the templates.
   # note the -J as we will need to import config.json as generated by phase 1

diff --git a/build/gen-dockerconfig-secrets.sh b/build/gen-dockerconfig-secrets.sh
@@ -100,8 +100,14 @@ deploy_secret() {
   oc secrets link "${serviceAccount}" "${secretName}" -n "${namespace}" --for="${type}"
 }
 
-. "${SCRIPT_FOLDER}/k8s-set-context.sh" "$(jsonnet "${JIRO}" | jq -r '.["config.json"].deployment.cluster')"
+# otherwise raised an error
+JSONNET_PARAM=(
+  "--ext-str" "uid=" \
+  "--ext-str" "seLinuxLevel="
+)
 
-for SECRET_NAME in $(jsonnet "${JIRO}" | jq -cr '.["config.json"].secrets.dockerconfigjson | keys[]'); do
-  deploy_secret "${SECRET_NAME}" "$(jsonnet "${JIRO}" | jq '.["config.json"].secrets.dockerconfigjson["'"${SECRET_NAME}"'"]')"
+. "${SCRIPT_FOLDER}/k8s-set-context.sh" "$(jsonnet "${JIRO}" "${JSONNET_PARAM[@]}" | jq -r '.["config.json"].deployment.cluster')"
+
+for SECRET_NAME in $(jsonnet "${JIRO}" "${JSONNET_PARAM[@]}" | jq -cr '.["config.json"].secrets.dockerconfigjson | keys[]'); do
+  deploy_secret "${SECRET_NAME}" "$(jsonnet "${JIRO}" "${JSONNET_PARAM[@]}" | jq '.["config.json"].secrets.dockerconfigjson["'"${SECRET_NAME}"'"]')"
 done
diff --git a/build/k8s-deploy.sh b/build/k8s-deploy.sh
@@ -32,6 +32,38 @@ fi
 
 . "${SCRIPT_FOLDER}/k8s-set-context.sh" "$(jq -r '.deployment.cluster' "${instance}/target/config.json")"
 
+scc_tmp="$(mktemp)"
+
+question() {
+  local message="${1:-}"
+  local action="${2:-}"
+  read -rp "Do you want to ${message}? (Y)es, (N)o, E(x)it: " yn
+  case $yn in
+    [Yy]* ) ${action};;
+    [Nn]* ) return ;;
+    [Xx]* ) exit 0;;
+        * ) echo "Please answer (Y)es, (N)o, E(x)it"; question "${message}" "${action}";
+  esac
+}
+
+apply_scc() {
+  oc apply -f "${scc_tmp}"
+}
+
+update_scc(){
+  SHORTNAME="${instance##*.}"
+  if oc get scc restricted-v2-selinux-scc -o json | jq -r '.users[]' | grep "${SHORTNAME}:${SHORTNAME}" > /dev/null; then 
+    echo "SCC already contains user for project ${SHORTNAME}. Skipping..."
+  else
+    echo "Update SCC for project ${SHORTNAME}"
+    oc get scc restricted-v2-selinux-scc -o json | jq ".users += [\"system:serviceaccount:${SHORTNAME}:${SHORTNAME}\"]" > "${scc_tmp}"
+    jq '.users[]' "${scc_tmp}"
+    question "apply the changes to the SCC" apply_scc
+  fi
+}
+
+update_scc
+
 oc apply -f "${instance}/target/k8s/namespace.json"
 
 oc apply -f "${instance}/target/k8s/configmap-jenkins-config.yml"

diff --git a/templates/config.libsonnet b/templates/config.libsonnet
@@ -78,6 +78,8 @@ local clouds = import "clouds.libsonnet";
   },
   kubernetes: {
     master: {
+      uid: std.extVar('uid'),
+      seLinuxLevel: std.extVar('seLinuxLevel'),
       defaultJnlpAgentLabel: "basic",
       namespace: $.project.shortName,
       stsName: $.project.shortName,

diff --git a/templates/k8s/statefulset.libsonnet b/templates/k8s/statefulset.libsonnet
@@ -128,7 +128,12 @@ local Kube = import "kube.libsonnet";
                     "level": config.seLinuxLevel,
                     "type": "spc_t",
                   },
-                } else {},
+                } else {
+                   "seLinuxOptions": {
+                    "level": config.kubernetes.master.seLinuxLevel,
+                    "type": "spc_t",
+                  },
+                },
               env: [
                 {
                   name: "JAVA_OPTS",