initial version version for openshift litmus-agent

README-agent-local.md

@@ -0,0 +1,79 @@
+
+Based on  https://litmuschaos.github.io/litmus/experiments/concepts/security/openshift-scc/
+
+
+```
+helm search repo litmus-agent
+```
+<pre>
+NAME                            CHART VERSION   APP VERSION     DESCRIPTION
+litmuschaos/litmus-agent        3.18.0          3.18.0          A Helm chart to install litmus agen
+</pre>
+
+```
+helm search repo litmus-agent --versions
+```
+<pre>
+NAME                            CHART VERSION   APP VERSION     DESCRIPTION
+litmuschaos/litmus-agent        3.18.0          3.18.0          A Helm chart to install litmus agent
+litmuschaos/litmus-agent        3.16.0          3.16.0          A Helm chart to install litmus agent
+litmuschaos/litmus-agent        3.15.0          3.15.0          A Helm chart to install litmus agent
+</pre>
+
+
+
+### origin helm chart
+```
+helm template litmus charts/litmus-agent  --namespace litmus-system --version 3.18 --values charts/litmus-agent/values.yaml
+helm template litmus charts/litmus-agent  --namespace litmus-system --version 3.18  --values charts/litmus-agent/values.yaml | grep "image: "
+```
+
+```
+helm install litmus-agent litmuschaos/litmus-agent \
+  --namespace litmus-system --create-namespace \
+  --version 3.18 \
+  --set "INFRA_NAME=helm-agent" \
+  --set "INFRA_DESCRIPTION=My first agent deployed with helm !" \
+  --set "LITMUS_URL=https://chaos-center.domain.com" \ # FOR REMOTE AGENT (INGRESS)
+  --set "LITMUS_URL=http://litmusportal-frontend-service.litmus.svc.cluster.local:9091" \ # FOR SELF AGENT (SVC)
+  --set "LITMUS_BACKEND_URL=http://litmusportal-server-service.litmus.svc.cluster.local:9002" \ # FOR SELF AGENT (SVC)
+  --set "LITMUS_USERNAME=admin" \
+  --set "LITMUS_PASSWORD=litmus" \
+  --set "LITMUS_PROJECT_ID=69395cb3-0231-4262-8990-78056c8adb4c" \
+  --set "LITMUS_ENVIRONMENT_ID=nameofenvironment"
+
+```
+
+
+### local checks
+```
+helm template litmus charts/litmus-agent  --namespace litmus-system   --version 3.18 --values values-agent-local-3-18-0.yaml
+helm template litmus charts/litmus-agent  --namespace litmus-system   --version 3.18 --values values-agent-local-3-18-0.yaml > all-litmus-agent-3-18-0-manifests.yaml.out
+helm template litmus charts/litmus-agent  --namespace litmus-system   --version 3.18 --values values-agent-local-3-18-0.yaml | grep "image: "
+helm template litmus charts/litmus-agent  --namespace litmus-system   --version 3.18 --values values-agent-local-3-18-0.yaml | grep "runAsUser: " -C 10
+helm template litmus charts/litmus-agent  --namespace litmus-system   --version 3.18 --values values-agent-local-3-18-0.yaml | grep "serviceAccountName:"
+```
+
+
+### spliting template manifest by the resource kind
+```
+yq -s '"split-agent-3-18-0"+(.kind | downcase) + "-" + .metadata.name +"-"+ $index' all-litmus-agent-3-18-0-manifests.yaml.out
+```
+
+### checking values file
+```
+yq eval . values-agent-local-3-18-0.yaml
+```
+### testing  with local cluster
+```
+kubectl apply -f all-litmus-agent-3-18-0-manifests.yaml.out -n litmus-system --dry-run=client
+kubectl apply -f all-litmus-agent-3-18-0-manifests.yaml.out -n litmus-system --dry-run=server
+```
+### cleaniing up
+```
+rm all-litmus-*-manifests.yaml.out
+rm split*.y*ml
+```
+
+
+

charts/litmus-agent/README.md

@@ -80,6 +80,9 @@ $ helm install litmus-agent litmuschaos/litmus-agent \
 | image.pullPolicy | string | `"Always"` |  |
 | image.repository | string | `"litmuschaos.docker.scarf.sh/litmuschaos/litmus-helm-agent"` |  |
 | image.tag | string | `"latest"` |  |
+| openshift.enabled | bool | `false` |  |
+| openshift.sccName | string | `"litmus-agent-scc"` |  |
+| openshift.serviceAccountName | string | `"litmus-admin"` |  |
 | podAnnotations | object | `{}` |  |
 | resources.limits.cpu | string | `"100m"` |  |
 | resources.limits.memory | string | `"128Mi"` |  |

charts/litmus-agent/templates/openshift-rbac.yaml

@@ -0,0 +1,83 @@
+{{- if and .Values.openshift.enabled (not .Values.openshift.anyuid) (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{ .Values.openshift.sccName }}
+  labels:
+    app.kubernetes.io/name: {{ .Values.openshift.sccName }}
+
+allowHostIPC: false
+allowHostNetwork: false
+# To run fault injection on a target container using pid namespace.
+# It is used in stress, network, dns and http experiments. 
+allowHostPID: true
+allowHostPorts: false
+allowHostDirVolumePlugin: true
+# To run some privileged modules in dns, stress and network chaos
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities:
+- 'NET_ADMIN'
+- 'SYS_ADMIN'
+defaultAddCapabilities: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities: null
+
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny # Valid value for seLinuxContext.type
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+readOnlyRootFilesystem: true
+volumes:
+# To allow configmaps mounts on upload scripts or envs.
+  - configMap
+# used for chaos injection like io chaos.
+  - emptyDir
+  - hostPath
+  - projected
+  - persistentVolumeClaim
+# To derive the experiment pod name in the experimemnt.
+  - downwardAPI
+# To authenticate with different cloud providers
+  - secret
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.openshift.sccName }}-clusterrole
+  labels:
+    app.kubernetes.io/name: {{ .Values.openshift.sccName }}-clusterrole
+rules:
+- apiGroups:
+  - security.openshift.io 
+  resourceNames:
+  - {{ .Values.openshift.sccName }}
+  resources:
+  - securitycontextconstraints 
+  verbs: 
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.openshift.sccName }}-binding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Values.openshift.sccName }}-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.openshift.sccName }}-clusterrole
+subjects:
+  - kind: ServiceAccount
+    name: default # TODO
+    namespace: {{ .Release.Namespace }}
+{{- end  }} 
+
+

charts/litmus-agent/values.yaml

@@ -40,6 +40,11 @@ image:
 crds:
   create: true
 
+openshift:
+  enabled: false # default false for vanilla kubernetes
+  sccName: litmus-agent-scc # name of scc to be used
+  serviceAccountName: litmus-admin # name of service account to be used
+
 podAnnotations: {}
 
 resources: