Add Phases for deploying network policy

This PatchSet adds phases and executor definitions for managing calico v3 network policies using airshipctl phase run command. Closes: #119 Change-Id: I7942548720c4b8037b7b0c2de348fe45df73b8f7
2021-04-09 16:25:22 -04:00 · 2021-04-09 16:25:22 -04:00 · 8a7f428c5b
commit 8a7f428c5b
parent fddf27242e
18 changed files with 146 additions and 40 deletions
--- a/manifests/function/network-policy/calico/hosts_ingress.yaml
+++ b/manifests/function/network-policy/calico/hosts_ingress.yaml
@ -6,15 +6,15 @@ spec:
  order: 0
  selector: all()
  ingress:
-  action: Allow
+  - action: Allow
-  protocol: TCP
+    protocol: TCP
-  source:
+    source:
-    nets:
+      nets:
-    - 192.0.1.52/32
+      - 192.0.1.52/32
-  destination:
+    destination:
-    ports:
+      ports:
-    - 80
+      - 80
-    - 443
+      - 443
  doNotTrack: false
  preDNAT: false
  applyOnForward: true
--- a/manifests/function/network-policy/calico/replacements/network-policy.yaml
+++ b/manifests/function/network-policy/calico/replacements/network-policy.yaml
@ -16,7 +16,7 @@ replacements:
    objref:
      kind: GlobalNetworkPolicy
      name: hosts-ingress-rule
-    fieldrefs: ["{.spec.source.nets[0]}"]
+    fieldrefs: [".spec.ingress[action=Allow].source.nets[0]"]
 - source:
    objref:
      kind: VariableCatalogue
@ -26,4 +26,4 @@ replacements:
    objref:
      kind: GlobalNetworkPolicy
      name: hosts-ingress-rule
-    fieldrefs: ["{.spec.destination.ports}"]
+    fieldrefs: [".spec.ingress[action=Allow].destination.ports"]
--- a/manifests/function/phase-helper/calicoctl/apply/calicoctl-apply.sh
+++ b/manifests/function/phase-helper/calicoctl/apply/calicoctl-apply.sh
@ -0,0 +1,21 @@
 #!/bin/sh
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 set -xe
 echo applying network policy with calicoctl >&2
 echo ${RENDERED_BUNDLE_PATH} >&2
 # apply the policy
 calicoctl apply -f ${RENDERED_BUNDLE_PATH} --context $KCTL_CONTEXT >&2
--- a/manifests/function/phase-helper/calicoctl/apply/kustomization.yaml
+++ b/manifests/function/phase-helper/calicoctl/apply/kustomization.yaml
@ -0,0 +1,6 @@
 configMapGenerator:
 - name: calicoctl-apply
  options:
    disableNameSuffixHash: true
  files:
  - script=calicoctl-apply.sh
--- a/manifests/function/phase-helper/calicoctl/delete/calicoctl-delete.sh
+++ b/manifests/function/phase-helper/calicoctl/delete/calicoctl-delete.sh
@ -0,0 +1,20 @@
 #!/bin/sh
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 set -xe
 echo deleting network policy with calicoctl >&2
 # delete policy
 calicoctl delete --skip-not-exists -f ${RENDERED_BUNDLE_PATH} --context $KCTL_CONTEXT >&2
--- a/manifests/function/phase-helper/calicoctl/delete/kustomization.yaml
+++ b/manifests/function/phase-helper/calicoctl/delete/kustomization.yaml
@ -0,0 +1,6 @@
 configMapGenerator:
 - name: calicoctl-delete
  options:
    disableNameSuffixHash: true
  files:
  - script=calicoctl-delete.sh
--- a/manifests/function/phase-helper/calicoctl/kustomization.yaml
+++ b/manifests/function/phase-helper/calicoctl/kustomization.yaml
@ -0,0 +1,3 @@
 resources:
  - apply
  - delete
--- a/manifests/function/phase-helper/kustomization.yaml
+++ b/manifests/function/phase-helper/kustomization.yaml
@ -0,0 +1,2 @@
 resources:
 - calicoctl
--- a/manifests/function/treasuremap-base-catalogues/networking-ha.yaml
+++ b/manifests/function/treasuremap-base-catalogues/networking-ha.yaml
@ -13,7 +13,7 @@ vrrp:
  ingress:
    interface: bond.51
    virtual_ipaddress: 10.23.25.102
-    oam_cidr: 10.23.25.151
+    oam_cidr: 10.23.25.151/32
    destination:
      ports:
      - 2378
--- a/manifests/site/virtual-network-cloud/target/workload/network-policy/hosts_ingress_dest_port_patch.json
+++ b/manifests/site/virtual-network-cloud/target/workload/network-policy/hosts_ingress_dest_port_patch.json
@ -1,12 +0,0 @@
 [
    { "op": "add","path": "/spec/destination/ports/-","value": 2378 },
    { "op": "add","path": "/spec/destination/ports/-","value": 4149 },
    { "op": "add","path": "/spec/destination/ports/-","value": 6443 },
    { "op": "add","path": "/spec/destination/ports/-","value": 6553 },
    { "op": "add","path": "/spec/destination/ports/-","value": 6666 },
    { "op": "add","path": "/spec/destination/ports/-","value": 6667 },
    { "op": "add","path": "/spec/destination/ports/-","value": 9099 },
    { "op": "add","path": "/spec/destination/ports/-","value": 10250 },
    { "op": "add","path": "/spec/destination/ports/-","value": 10255 },
    { "op": "add","path": "/spec/destination/ports/-","value": 10256 }
 ]
--- a/manifests/site/virtual-network-cloud/target/workload/network-policy/kustomization.yaml
+++ b/manifests/site/virtual-network-cloud/target/workload/network-policy/kustomization.yaml
@ -1,2 +1,2 @@
 resources:
-  - ../../../../../type/airship-core/target/workload/network-policy
+  - ../../../../../type/multi-tenant/target/workload/network-policy
--- a/manifests/type/multi-tenant/phases/README.md
+++ b/manifests/type/multi-tenant/phases/README.md
@ -0,0 +1,19 @@
 # Phases for multi-tenant type
 Phases defined in multi-tenant are available for use by sites
 that inherit type mulit-tenant.
 ## Airshipctl phase command
 For deploying calico network v3 policies, a phase named
 `deliver-network-policy` is defined with its executor and configMap settings.
 To deploy network policy using `airshipctl`, do
 `airshipctl phase run deliver-network-policy` where `deliver-network-policy` is the phase name.
 For deleting network policy, a phase named `delete-network-policy` is defined with its executor and configMap settings.
 To delete network policy using `airshipctl`, do
 `airshipctl phase run delete-network-policy` where `delete-network-policy` is the phase name.
--- a/manifests/type/multi-tenant/phases/executors.yaml
+++ b/manifests/type/multi-tenant/phases/executors.yaml
@ -0,0 +1,27 @@
 apiVersion: airshipit.org/v1alpha1
 kind: GenericContainer
 metadata:
  name: calicoctl-apply
  labels:
    airshipit.org/deploy-k8s: "false"
 spec:
  image: quay.io/airshipit/toolbox:latest
  hostNetwork: true
 configRef:
  kind: ConfigMap
  name: calicoctl-apply
  apiVersion: v1
 ---
 apiVersion: airshipit.org/v1alpha1
 kind: GenericContainer
 metadata:
  name: calicoctl-delete
  labels:
    airshipit.org/deploy-k8s: "false"
 spec:
  image: quay.io/airshipit/toolbox:latest
  hostNetwork: true
 configRef:
  kind: ConfigMap
  name: calicoctl-delete
  apiVersion: v1
--- a/manifests/type/multi-tenant/phases/kustomization.yaml
+++ b/manifests/type/multi-tenant/phases/kustomization.yaml
@ -2,5 +2,8 @@ resources:
  - ../../airship-core/phases
  - ../sub-clusters/wordpress/phases
  - workload-config.yaml
  - phases.yaml
  - executors.yaml
  - ../../../function/phase-helper
 patchesStrategicMerge:
  - cluster_map_patch.yaml
--- a/manifests/type/multi-tenant/phases/phases.yaml
+++ b/manifests/type/multi-tenant/phases/phases.yaml
@ -0,0 +1,23 @@
 apiVersion: airshipit.org/v1alpha1
 kind: Phase
 metadata:
  name: deliver-network-policy
  clusterName: target-cluster
 config:
  executorRef:
    apiVersion: airshipit.org/v1alpha1
    kind: GenericContainer
    name: calicoctl-apply
  documentEntryPoint: target/workload/network-policy
 ---
 apiVersion: airshipit.org/v1alpha1
 kind: Phase
 metadata:
  name: delete-network-policy
  clusterName: target-cluster
 config:
  executorRef:
    apiVersion: airshipit.org/v1alpha1
    kind: GenericContainer
    name: calicoctl-delete
  documentEntryPoint: target/workload/network-policy
--- a/manifests/type/multi-tenant/target/workload/kustomization.yaml
+++ b/manifests/type/multi-tenant/target/workload/kustomization.yaml
@ -3,4 +3,3 @@ resources:
  - ../../../../function/sip
  - ../../../../function/synclabeller
  - ../../../../function/vino
  #- network-policy
--- a/manifests/type/multi-tenant/target/workload/network-policy/kustomization.yaml
+++ b/manifests/type/multi-tenant/target/workload/network-policy/kustomization.yaml
@ -3,7 +3,9 @@ kind: Kustomization
 resources:
  - ../../../../../function/network-policy
  - ../../../../../function/treasuremap-base-catalogues
  - netpol.yaml
 transformers:
  - ../../../../../function/network-policy/calico/replacements
  - ../../../../../function/treasuremap-cleanup
--- a/tools/deployment/40_deploy_network_policies.sh
+++ b/tools/deployment/40_deploy_network_policies.sh
@ -14,17 +14,4 @@
 set -ex
-TMP=$(mktemp -d)
+airshipctl phase run deliver-network-policy
 MANIFEST_FILE="$TMP/network-policy.yaml"
 export SITE=${SITE:="test-site"}
 export KUBECONFIG=${KUBECONFIG:="$HOME/.airship/kubeconfig"}
 export KUBECONFIG_TARGET_CONTEXT=${KUBECONFIG_TARGET_CONTEXT:="target-cluster"}
 : ${TREASUREMAP_PROJECT:="${PWD}"}
 #Generate all of the policies and deploy using calicoctl
 kustomize build --enable_alpha_plugins $TREASUREMAP_PROJECT/manifests/site/$SITE/target/network-policies -o ${MANIFEST_FILE}
 #What about per node basis. Also usage of calico apply/replace
 DATASTORE_TYPE=kubernetes calicoctl apply -f ${MANIFEST_FILE}
`@ -1,2 +1,2 @@`
	`resources:`	`resources:`
	`- ../../../../../type/airship-core/target/workload/network-policy`	`- ../../../../../type/multi-tenant/target/workload/network-policy`