Run Kolla in initContainer

This change moves the kolla execution to an initContainer. This allows us to run the initContainer as UID 0, while the application container can run as a non root user. Signed-off-by: Brendan Shephard <bshephar@redhat.com>
bshephar · Feb 20, 2025 · 640e370 · 640e370
1 parent 41361ae
commit 640e370
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 10 deletions.
diff --git a/pkg/horizon/deployment.go b/pkg/horizon/deployment.go
@@ -30,7 +30,7 @@ import (
 
 const (
 	// ServiceCommand is the command used to run Kolla and launch the initial Apache process
-	ServiceCommand           = "/usr/local/bin/kolla_start"
+	KollaServiceCommand      = "/usr/local/bin/kolla_start"
 	horizonDashboardURL      = "/dashboard/auth/login/?next=/dashboard/"
 	horizonContainerPortName = "horizon"
 )
@@ -47,8 +47,8 @@ func Deployment(
 
 	var runAsNonRoot bool = true
 	var runAsUserGroup int64 = 8443
-
-	args := []string{"-c", ServiceCommand}
+	var runApacheCommand = []string{"/usr/sbin/httpd"}
+	var runApacheArgs = []string{"-DFOREGROUND"}
 
 	containerPort := corev1.ContainerPort{
 		Name:          horizonContainerPortName,
@@ -57,7 +57,6 @@ func Deployment(
 	}
 
 	envVars := map[string]env.Setter{}
-	envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
 	envVars["ENABLE_DESIGNATE"] = env.SetValue("yes")
 	envVars["ENABLE_HEAT"] = env.SetValue("yes")
 	envVars["ENABLE_IRONIC"] = env.SetValue("yes")
@@ -110,13 +109,13 @@ func Deployment(
 				},
 				Spec: corev1.PodSpec{
 					ServiceAccountName: instance.RbacResourceName(),
+					InitContainers:     horizonInitContainer(instance, volumeMounts, configHash),
 					Containers: []corev1.Container{
 						{
-							Name: ServiceName,
-							Command: []string{
-								"/bin/bash"},
-							Args:  args,
-							Image: instance.Spec.ContainerImage,
+							Name:    ServiceName,
+							Command: runApacheCommand,
+							Args:    runApacheArgs,
+							Image:   instance.Spec.ContainerImage,
 							SecurityContext: &corev1.SecurityContext{
 								RunAsUser:    &runAsUserGroup,
 								RunAsNonRoot: &runAsNonRoot,
@@ -204,3 +203,31 @@ func formatStartupProbe() *corev1.Probe {
 		},
 	}
 }
+
+func horizonInitContainer(instance *horizonv1.Horizon, volumeMounts []corev1.VolumeMount, configHash string) []corev1.Container {
+
+	var kollaEnv = make(map[string]env.Setter)
+	var runAsUser int64 = 0
+
+	kollaEnv["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
+	kollaEnv["CONFIG_HASH"] = env.SetValue(configHash)
+
+	return []corev1.Container{
+		{
+			Name:  "init",
+			Image: instance.Spec.ContainerImage,
+			SecurityContext: &corev1.SecurityContext{
+				RunAsUser: &runAsUser,
+			},
+			Command: []string{
+				"/bin/bash",
+			},
+			Args: []string{
+				"-c",
+				KollaServiceCommand,
+			},
+			Env:          env.MergeEnvs([]corev1.EnvVar{}, kollaEnv),
+			VolumeMounts: volumeMounts,
+		},
+	}
+}
diff --git a/templates/horizon/config/horizon.json b/templates/horizon/config/horizon.json
@@ -1,5 +1,5 @@
 {
-    "command": "/usr/sbin/httpd -DFOREGROUND",
+    "command": "exit",
     "config_files": [
         {
             "source": "/var/lib/config-data/default/httpd.conf",