Add ingress network policy to kube-state-metrics and openstack-exporter

This adds ingress network policies to kube-state-metrics and
openstack-exporter using the helm-toolkit template. It also
adds openstack-exporter to the network policy jobs.

Change-Id: I3bfc2f1e8a35c09e577a046ebd52346de95e5745
Meg Heisler 2019-02-18 10:17:24 -06:00 committed by MegHeisler
parent e836707ad0
commit 2d36d5f7ce
8 changed files with 161 additions and 2 deletions


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. */}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "kube-state-metrics" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}
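Review bot: Nothing in this template or in the values.yaml hunk on this page says where the policy's rules come from once `manifests.network_policy` is enabled; the hunk adds only the `network_policy: false` flag. Judging by the override in the gate script, the rules appear to be read from `.Values.network_policy` under the `kube-state-metrics` key. Unless a default stanza exists outside the visible hunks, an operator who flips only the flag gets whatever helm-toolkit renders for a missing entry, possibly a policy with no ingress rules that would cut off Prometheus scrapes. I would add a default `network_policy.kube-state-metrics.ingress` entry to values.yaml and put a comment above the flag such as `# requires a matching network_policy.kube-state-metrics.ingress rule set`. The prometheus-openstack-exporter template and its values hunk have the same gap.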


@ -155,6 +155,7 @@ manifests:
configmap_bin: true configmap_bin: true
deployment: true deployment: true
job_image_repo_sync: true job_image_repo_sync: true
network_policy: false
service_kube_state_metrics: true service_kube_state_metrics: true
service_controller_manager: true service_controller_manager: true
service_scheduler: true service_scheduler: true


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. */}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus-openstack-exporter" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -198,5 +198,6 @@ manifests:
deployment: true deployment: true
job_image_repo_sync: true job_image_repo_sync: true
job_ks_user: true job_ks_user: true
network_policy: false
secret_keystone: true secret_keystone: true
service: true service: true


@ -1 +0,0 @@
../common/070-kube-state-metrics.sh


@ -0,0 +1,56 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make prometheus-kube-state-metrics
tee /tmp/kube-state-metrics.yaml << EOF
manifests:
network_policy: true
network_policy:
kube-state-metrics:
ingress:
- from:
- podSelector:
matchLabels:
application: kube-state-metrics
- namespaceSelector:
matchLabels:
name: osh-infra
podSelector:
matchLabels:
application: prometheus
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 8080
- protocol: TCP
port: 443
EOF
#NOTE: Deploy command
helm upgrade --install prometheus-kube-state-metrics \
./prometheus-kube-state-metrics --namespace=kube-system \
--values=/tmp/kube-state-metrics.yaml
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh kube-system
#NOTE: Validate Deployment info
helm status prometheus-kube-state-metrics
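Review bot: The values override is written to a fixed, predictable path with `tee /tmp/kube-state-metrics.yaml`, so on a host shared with other users a pre-existing file or symlink at that name determines what `tee` overwrites and what `helm upgrade --values` later reads. Creating the file with `values_file="$(mktemp)"`, then using `tee "${values_file}" << EOF` and `--values="${values_file}"`, removes that dependency on a shared name. The openstack-exporter script has the same pattern at `tee /tmp/prometheus-openstack-exporter.yaml`.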


@ -54,6 +54,7 @@ test_netpol osh-infra mariadb server elasticsearch.osh-infra.svc.cluster.local f
test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail
test_netpol osh-infra mariadb server prometheus.osh-infra.svc.cluster.local fail test_netpol osh-infra mariadb server prometheus.osh-infra.svc.cluster.local fail
test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail
test_netpol osh-infra mariadb server openstack-metrics.openstack.svc.cluster.local:9103 fail
# Doing positive tests # Doing positive tests
test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success
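Review bot: The only case added is a negative one (`mariadb` to `openstack-metrics.openstack.svc.cluster.local:9103 fail`), so a policy that blocks every client, Prometheus included, would still pass this script. A matching positive case under `# Doing positive tests` would show that the allow rule works, for example `test_netpol osh-infra prometheus <component> openstack-metrics.openstack.svc.cluster.local:9103 success`, where `<component>` is a placeholder for the Prometheus pod's component label. The visible hunk also adds no case for kube-state-metrics, although the commit gives it a policy too. The rest of the script lies outside this hunk.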


@ -0,0 +1,61 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make prometheus-openstack-exporter
tee /tmp/prometheus-openstack-exporter.yaml << EOF
manifests:
job_ks_user: false
network_policy: true
dependencies:
static:
prometheus_openstack_exporter:
jobs: null
services: null
network_policy:
prometheus-openstack-exporter:
ingress:
- from:
- podSelector:
matchLabels:
application: prometheus-openstack-exporter
- namespaceSelector:
matchLabels:
name: osh-infra
podSelector:
matchLabels:
application: prometheus
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 9103
EOF
#NOTE: Deploy command
helm upgrade --install prometheus-openstack-exporter \
./prometheus-openstack-exporter \
--namespace=openstack \
--values=/tmp/prometheus-openstack-exporter.yaml
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh openstack
#NOTE: Validate Deployment info
helm status prometheus-openstack-exporter
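Review bot: The ingress rule in the heredoc admits TCP 80 as well as 9103, while the only port the accompanying network-policy test targets is 9103. If nothing in the exporter pod listens on 80, the `- protocol: TCP` / `port: 80` pair should be dropped so the gate exercises the narrowest rule; if it is needed, a YAML comment in the heredoc naming what listens there would help. The `namespaceSelector` matches on `name: osh-infra`, which only selects anything if the namespace actually carries that label; a comment such as `# requires namespace osh-infra to be labelled name=osh-infra` would make that precondition explicit.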


@ -190,8 +190,10 @@
- ./tools/deployment/network-policy/120-elasticsearch.sh - ./tools/deployment/network-policy/120-elasticsearch.sh
- ./tools/deployment/network-policy/130-fluent-logging.sh - ./tools/deployment/network-policy/130-fluent-logging.sh
- ./tools/deployment/network-policy/140-kibana.sh - ./tools/deployment/network-policy/140-kibana.sh
- ./tools/deployment/network-policy/openstack-exporter.sh
- ./tools/deployment/network-policy/901-test-networkpolicy.sh - ./tools/deployment/network-policy/901-test-networkpolicy.sh
- job: - job:
name: openstack-helm-infra-openstack-support name: openstack-helm-infra-openstack-support
parent: openstack-helm-infra-functional parent: openstack-helm-infra-functional