Add Phases for deploying network policy

This PatchSet adds phases and executor definitions for managing calico v3 network policies using airshipctl phase run command. Closes: #119 Change-Id: I7942548720c4b8037b7b0c2de348fe45df73b8f7
2021-04-09 16:25:22 -04:00 · 2021-04-09 16:25:22 -04:00 · 8a7f428c5b
commit 8a7f428c5b
parent fddf27242e
18 changed files with 146 additions and 40 deletions
--- a/manifests/function/network-policy/calico/hosts_ingress.yaml
+++ b/manifests/function/network-policy/calico/hosts_ingress.yaml
@ -6,15 +6,15 @@ spec:
  order: 0
  selector: all()
  ingress:
-  action: Allow
-  protocol: TCP
-  source:
-    nets:
-    - 192.0.1.52/32
-  destination:
-    ports:
-    - 80
-    - 443
+  - action: Allow
+    protocol: TCP
+    source:
+      nets:
+      - 192.0.1.52/32
+    destination:
+      ports:
+      - 80
+      - 443
  doNotTrack: false
  preDNAT: false
  applyOnForward: true
--- a/manifests/function/network-policy/calico/replacements/network-policy.yaml
+++ b/manifests/function/network-policy/calico/replacements/network-policy.yaml
@ -16,7 +16,7 @@ replacements:
    objref:
      kind: GlobalNetworkPolicy
      name: hosts-ingress-rule
-    fieldrefs: ["{.spec.source.nets[0]}"]
+    fieldrefs: [".spec.ingress[action=Allow].source.nets[0]"]
 - source:
    objref:
      kind: VariableCatalogue
@ -26,4 +26,4 @@ replacements:
    objref:
      kind: GlobalNetworkPolicy
      name: hosts-ingress-rule
-    fieldrefs: ["{.spec.destination.ports}"]
+    fieldrefs: [".spec.ingress[action=Allow].destination.ports"]
--- a/manifests/function/phase-helper/calicoctl/apply/calicoctl-apply.sh
+++ b/manifests/function/phase-helper/calicoctl/apply/calicoctl-apply.sh
@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -xe
+
+echo applying network policy with calicoctl >&2
+
+echo ${RENDERED_BUNDLE_PATH} >&2
+# apply the policy
+calicoctl apply -f ${RENDERED_BUNDLE_PATH} --context $KCTL_CONTEXT >&2
--- a/manifests/function/phase-helper/calicoctl/apply/kustomization.yaml
+++ b/manifests/function/phase-helper/calicoctl/apply/kustomization.yaml
@ -0,0 +1,6 @@
+configMapGenerator:
+- name: calicoctl-apply
+  options:
+    disableNameSuffixHash: true
+  files:
+  - script=calicoctl-apply.sh
--- a/manifests/function/phase-helper/calicoctl/delete/calicoctl-delete.sh
+++ b/manifests/function/phase-helper/calicoctl/delete/calicoctl-delete.sh
@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -xe
+
+echo deleting network policy with calicoctl >&2
+
+# delete policy
+calicoctl delete --skip-not-exists -f ${RENDERED_BUNDLE_PATH} --context $KCTL_CONTEXT >&2
--- a/manifests/function/phase-helper/calicoctl/delete/kustomization.yaml
+++ b/manifests/function/phase-helper/calicoctl/delete/kustomization.yaml
@ -0,0 +1,6 @@
+configMapGenerator:
+- name: calicoctl-delete
+  options:
+    disableNameSuffixHash: true
+  files:
+  - script=calicoctl-delete.sh
--- a/manifests/function/phase-helper/calicoctl/kustomization.yaml
+++ b/manifests/function/phase-helper/calicoctl/kustomization.yaml
@ -0,0 +1,3 @@
+resources:
+  - apply
+  - delete
--- a/manifests/function/phase-helper/kustomization.yaml
+++ b/manifests/function/phase-helper/kustomization.yaml
@ -0,0 +1,2 @@
+resources:
+- calicoctl
--- a/manifests/function/treasuremap-base-catalogues/networking-ha.yaml
+++ b/manifests/function/treasuremap-base-catalogues/networking-ha.yaml
@ -13,7 +13,7 @@ vrrp:
  ingress:
    interface: bond.51
    virtual_ipaddress: 10.23.25.102
-    oam_cidr: 10.23.25.151
+    oam_cidr: 10.23.25.151/32
    destination:
      ports:
      - 2378
--- a/manifests/site/virtual-network-cloud/target/workload/network-policy/hosts_ingress_dest_port_patch.json
+++ b/manifests/site/virtual-network-cloud/target/workload/network-policy/hosts_ingress_dest_port_patch.json
@ -1,12 +0,0 @@
-[
-    { "op": "add","path": "/spec/destination/ports/-","value": 2378 },
-    { "op": "add","path": "/spec/destination/ports/-","value": 4149 },
-    { "op": "add","path": "/spec/destination/ports/-","value": 6443 },
-    { "op": "add","path": "/spec/destination/ports/-","value": 6553 },
-    { "op": "add","path": "/spec/destination/ports/-","value": 6666 },
-    { "op": "add","path": "/spec/destination/ports/-","value": 6667 },
-    { "op": "add","path": "/spec/destination/ports/-","value": 9099 },
-    { "op": "add","path": "/spec/destination/ports/-","value": 10250 },
-    { "op": "add","path": "/spec/destination/ports/-","value": 10255 },
-    { "op": "add","path": "/spec/destination/ports/-","value": 10256 }
-]
--- a/manifests/site/virtual-network-cloud/target/workload/network-policy/kustomization.yaml
+++ b/manifests/site/virtual-network-cloud/target/workload/network-policy/kustomization.yaml
@ -1,2 +1,2 @@
 resources:
-  - ../../../../../type/airship-core/target/workload/network-policy
+  - ../../../../../type/multi-tenant/target/workload/network-policy
--- a/manifests/type/multi-tenant/phases/README.md
+++ b/manifests/type/multi-tenant/phases/README.md
@ -0,0 +1,19 @@
+# Phases for multi-tenant type
+
+Phases defined in multi-tenant are available for use by sites
+that inherit type mulit-tenant.
+
+## Airshipctl phase command
+
+For deploying calico network v3 policies, a phase named
+`deliver-network-policy` is defined with its executor and configMap settings.
+
+To deploy network policy using `airshipctl`, do
+
+`airshipctl phase run deliver-network-policy` where `deliver-network-policy` is the phase name.
+
+For deleting network policy, a phase named `delete-network-policy` is defined with its executor and configMap settings.
+
+To delete network policy using `airshipctl`, do
+
+`airshipctl phase run delete-network-policy` where `delete-network-policy` is the phase name.
--- a/manifests/type/multi-tenant/phases/executors.yaml
+++ b/manifests/type/multi-tenant/phases/executors.yaml
@ -0,0 +1,27 @@
+apiVersion: airshipit.org/v1alpha1
+kind: GenericContainer
+metadata:
+  name: calicoctl-apply
+  labels:
+    airshipit.org/deploy-k8s: "false"
+spec:
+  image: quay.io/airshipit/toolbox:latest
+  hostNetwork: true
+configRef:
+  kind: ConfigMap
+  name: calicoctl-apply
+  apiVersion: v1
+---
+apiVersion: airshipit.org/v1alpha1
+kind: GenericContainer
+metadata:
+  name: calicoctl-delete
+  labels:
+    airshipit.org/deploy-k8s: "false"
+spec:
+  image: quay.io/airshipit/toolbox:latest
+  hostNetwork: true
+configRef:
+  kind: ConfigMap
+  name: calicoctl-delete
+  apiVersion: v1
--- a/manifests/type/multi-tenant/phases/kustomization.yaml
+++ b/manifests/type/multi-tenant/phases/kustomization.yaml
@ -2,5 +2,8 @@ resources:
  - ../../airship-core/phases
  - ../sub-clusters/wordpress/phases
  - workload-config.yaml
+  - phases.yaml
+  - executors.yaml
+  - ../../../function/phase-helper
 patchesStrategicMerge:
  - cluster_map_patch.yaml
--- a/manifests/type/multi-tenant/phases/phases.yaml
+++ b/manifests/type/multi-tenant/phases/phases.yaml
@ -0,0 +1,23 @@
+apiVersion: airshipit.org/v1alpha1
+kind: Phase
+metadata:
+  name: deliver-network-policy
+  clusterName: target-cluster
+config:
+  executorRef:
+    apiVersion: airshipit.org/v1alpha1
+    kind: GenericContainer
+    name: calicoctl-apply
+  documentEntryPoint: target/workload/network-policy
+---
+apiVersion: airshipit.org/v1alpha1
+kind: Phase
+metadata:
+  name: delete-network-policy
+  clusterName: target-cluster
+config:
+  executorRef:
+    apiVersion: airshipit.org/v1alpha1
+    kind: GenericContainer
+    name: calicoctl-delete
+  documentEntryPoint: target/workload/network-policy
--- a/manifests/type/multi-tenant/target/workload/kustomization.yaml
+++ b/manifests/type/multi-tenant/target/workload/kustomization.yaml
@ -3,4 +3,3 @@ resources:
  - ../../../../function/sip
  - ../../../../function/synclabeller
  - ../../../../function/vino
-  #- network-policy
--- a/manifests/type/multi-tenant/target/workload/network-policy/kustomization.yaml
+++ b/manifests/type/multi-tenant/target/workload/network-policy/kustomization.yaml
@ -3,7 +3,9 @@ kind: Kustomization
 resources:
  - ../../../../../function/network-policy
  - ../../../../../function/treasuremap-base-catalogues
+  - netpol.yaml

 transformers:
  - ../../../../../function/network-policy/calico/replacements
+  - ../../../../../function/treasuremap-cleanup

--- a/tools/deployment/40_deploy_network_policies.sh
+++ b/tools/deployment/40_deploy_network_policies.sh
@ -14,17 +14,4 @@

 set -ex

-TMP=$(mktemp -d)
-
-MANIFEST_FILE="$TMP/network-policy.yaml"
-export SITE=${SITE:="test-site"}
-
-export KUBECONFIG=${KUBECONFIG:="$HOME/.airship/kubeconfig"}
-export KUBECONFIG_TARGET_CONTEXT=${KUBECONFIG_TARGET_CONTEXT:="target-cluster"}
-: ${TREASUREMAP_PROJECT:="${PWD}"}
-
-#Generate all of the policies and deploy using calicoctl
-kustomize build --enable_alpha_plugins $TREASUREMAP_PROJECT/manifests/site/$SITE/target/network-policies -o ${MANIFEST_FILE}
-
-#What about per node basis. Also usage of calico apply/replace
-DATASTORE_TYPE=kubernetes calicoctl apply -f ${MANIFEST_FILE}
+airshipctl phase run deliver-network-policy