initla version for openshift

Signed-off-by: Krzysztof Pudłowski <[email protected]>

Author: djkormo

README-agent-local.md

@@ -0,0 +1,79 @@
+
+Based on  https://litmuschaos.github.io/litmus/experiments/concepts/security/openshift-scc/
+
+
+```
+helm search repo litmus-agent
+```
+<pre>
+NAME                            CHART VERSION   APP VERSION     DESCRIPTION
+litmuschaos/litmus-agent        3.18.0          3.18.0          A Helm chart to install litmus agen
+</pre>
+
+```
+helm search repo litmus-agent --versions
+```
+<pre>
+NAME                            CHART VERSION   APP VERSION     DESCRIPTION
+litmuschaos/litmus-agent        3.18.0          3.18.0          A Helm chart to install litmus agent
+litmuschaos/litmus-agent        3.16.0          3.16.0          A Helm chart to install litmus agent
+litmuschaos/litmus-agent        3.15.0          3.15.0          A Helm chart to install litmus agent
+</pre>
+
+
+
+### origin helm chart
+```
+helm template litmus charts/litmus-agent  --namespace litmus-system --version 3.18 --values charts/litmus-agent/values.yaml
+helm template litmus charts/litmus-agent  --namespace litmus-system --version 3.18  --values charts/litmus-agent/values.yaml | grep "image: "
+```
+
+```
+helm install litmus-agent litmuschaos/litmus-agent \
+  --namespace litmus-system --create-namespace \
+  --version 3.18 \
+  --set "INFRA_NAME=helm-agent" \
+  --set "INFRA_DESCRIPTION=My first agent deployed with helm !" \
+  --set "LITMUS_URL=https://chaos-center.domain.com" \ # FOR REMOTE AGENT (INGRESS)
+  --set "LITMUS_URL=http://litmusportal-frontend-service.litmus.svc.cluster.local:9091" \ # FOR SELF AGENT (SVC)
+  --set "LITMUS_BACKEND_URL=http://litmusportal-server-service.litmus.svc.cluster.local:9002" \ # FOR SELF AGENT (SVC)
+  --set "LITMUS_USERNAME=admin" \
+  --set "LITMUS_PASSWORD=litmus" \
+  --set "LITMUS_PROJECT_ID=69395cb3-0231-4262-8990-78056c8adb4c" \
+  --set "LITMUS_ENVIRONMENT_ID=nameofenvironment"
+
+```
+
+
+### local checks
+```
+helm template litmus charts/litmus-agent  --namespace litmus-system   --version 3.18 --values values-agent-local-3-18-0.yaml
+helm template litmus charts/litmus-agent  --namespace litmus-system   --version 3.18 --values values-agent-local-3-18-0.yaml > all-litmus-agent-3-18-0-manifests.yaml.out
+helm template litmus charts/litmus-agent  --namespace litmus-system   --version 3.18 --values values-agent-local-3-18-0.yaml | grep "image: "
+helm template litmus charts/litmus-agent  --namespace litmus-system   --version 3.18 --values values-agent-local-3-18-0.yaml | grep "runAsUser: " -C 10
+helm template litmus charts/litmus-agent  --namespace litmus-system   --version 3.18 --values values-agent-local-3-18-0.yaml | grep "serviceAccountName:"
+```
+
+
+### spliting template manifest by the resource kind
+```
+yq -s '"split-agent-3-18-0"+(.kind | downcase) + "-" + .metadata.name +"-"+ $index' all-litmus-agent-3-18-0-manifests.yaml.out
+```
+
+### checking values file
+```
+yq eval . values-agent-local-3-18-0.yaml
+```
+### testing  with local cluster
+```
+kubectl apply -f all-litmus-agent-3-18-0-manifests.yaml.out -n litmus-system --dry-run=client
+kubectl apply -f all-litmus-agent-3-18-0-manifests.yaml.out -n litmus-system --dry-run=server
+```
+### cleaniing up
+```
+rm all-litmus-*-manifests.yaml.out
+rm split*.y*ml
+```
+
+
+

charts/litmus-agent/templates/openshift-rbac.yaml

@@ -0,0 +1,83 @@
+{{- if and .Values.openshift.enabled (not .Values.openshift.anyuid) (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{ .Values.openshift.sccName }}
+  labels:
+    app.kubernetes.io/name: {{ .Values.openshift.sccName }}
+
+allowHostIPC: false
+allowHostNetwork: false
+# To run fault injection on a target container using pid namespace.
+# It is used in stress, network, dns and http experiments. 
+allowHostPID: true
+allowHostPorts: false
+allowHostDirVolumePlugin: true
+# To run some privileged modules in dns, stress and network chaos
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities:
+- 'NET_ADMIN'
+- 'SYS_ADMIN'
+defaultAddCapabilities: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities: null
+
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny # Valid value for seLinuxContext.type
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+readOnlyRootFilesystem: true
+volumes:
+# To allow configmaps mounts on upload scripts or envs.
+  - configMap
+# used for chaos injection like io chaos.
+  - emptyDir
+  - hostPath
+  - projected
+  - persistentVolumeClaim
+# To derive the experiment pod name in the experimemnt.
+  - downwardAPI
+# To authenticate with different cloud providers
+  - secret
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.openshift.sccName }}-clusterrole
+  labels:
+    app.kubernetes.io/name: {{ .Values.openshift.sccName }}-clusterrole
+rules:
+- apiGroups:
+  - security.openshift.io 
+  resourceNames:
+  - {{ .Values.openshift.sccName }}
+  resources:
+  - securitycontextconstraints 
+  verbs: 
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.openshift.sccName }}-binding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Values.openshift.sccName }}-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.openshift.sccName }}-clusterrole
+subjects:
+  - kind: ServiceAccount
+    name: default # TODO
+    namespace: {{ .Release.Namespace }}
+{{- end  }} 
+
+

values-agent-local-3-18-0.yaml

@@ -0,0 +1,94 @@
+global:
+  infraConfigName: subscriber-config
+  infraSecretName: subscriber-secret
+  podAnnotations: {}
+  customLabels: {}
+  # INFRA_MODE: cluster, namespace
+  INFRA_MODE: "cluster"
+# Default values for litmus-agent.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+INFRA_NAME: "helm-infrastructure"
+INFRA_DESCRIPTION: "chaos infrastructure deployed with helm"
+
+INFRA_NODE_SELECTOR: ""
+SA_EXISTS: true
+NS_EXISTS: true
+INFRA_TYPE: "external"
+# For compatibility with ChaosCenter, Version has to be same
+APP_VERSION: "3.18.0"
+SKIP_SSL: "false"
+
+# PLATFORM_NAME: AWS, GKE, Openshift, Rancher, Others
+PLATFORM_NAME: "Openshift"
+
+LITMUS_URL: "https://my-domain.com"
+LITMUS_BACKEND_URL: ""
+LITMUS_USERNAME: "admin"
+LITMUS_PASSWORD: "litmus"
+LITMUS_PROJECT_ID: ""
+# -- ID of the litmus environment where the infrastructure will be added
+LITMUS_ENVIRONMENT_ID: ""
+
+image:
+  repository: litmuschaos.docker.scarf.sh/litmuschaos/litmus-helm-agent
+  pullPolicy: Always
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: "latest"
+
+crds:
+  create: true
+
+openshift:
+  enabled: true # default false for vanilla kubernetes
+  sccName: litmus-agent-scc # name of scc to be used
+  serviceAccountName: litmus-admin # name of service account to be used
+
+podAnnotations: {}
+
+resources:
+  limits:
+    cpu: 100m
+    memory: 128Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
+
+# Existing Secret name should be:
+# `{{ include "subscriber.fullname" . }}-hook`
+# I.E. `name: litmus-agent-hook`
+# -- Use an existing hook Secret instead of creating one with the chart, ref. to templates/secret.yaml
+useExistingHookSecret: false
+
+# Existing ConfigMap name should be equal to .global.infraConfigName
+# I.E. `name: subscriber-config`
+# -- Use an existing infra ConfigMap instead of creating one with the chart, ref. to templates/infra-config-map.yaml
+useExistingInfraConfigMap: false
+
+# Existing Secret name should be equal to .global.infraSecretName
+# I.E. `name: subscriber-secret`
+# -- Use an existing infra Secret instead of creating one with the chart, ref. to templates/infra-secret.yaml
+useExistingInfraSecret: false
+
+# Existing ConfigMap name should be:
+# `{{ index .Values "workflow-controller" "appSettings" "configmapName" }}`
+# -- Use an existing infra ConfigMap instead of creating one with the chart, ref. to templates/infra-config-map-workflow.yaml
+useExistingWorkflowControllerConfigMap: false
+
+chaos-operator:
+  enabled: true
+
+chaos-exporter:
+  enabled: true
+
+event-tracker:
+  enabled: true
+
+subscriber:
+  enabled: true
+
+workflow-controller:
+  enabled: true
+  crds:
+    create: true