openstack/openstack-helm-infra
Code Issues Proposed changes

Add RabbitMQ ingress Network Policy rules

Browse Source 
The patch adds Network Policy ingress rules for RabbitMQ
and Prometheus RabbitMQ exporter.

It also fixes name generation for network policies,
to make sure they do not contain a prohibited '_' symbol,
which may appear in some label names.

Change-Id: I9821983b61d90e73e62c5ac669eefeb4ba9999d2
This commit is contained in:
Evgeny L 2019-09-16 21:20:26 +00:00 committed by Tin Lam
parent 81d2d687c8
commit 762dc76b5c
3 changed files with 108 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
rabbitmq/templates/monitoring/prometheus/exporter-network-policy.yaml Normal file
View File

@ -0,0 +1,20 @@
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.monitoring.prometheus.network_policy_exporter .Values.monitoring.prometheus.enabled -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus_rabbitmq_exporter" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}

6
rabbitmq/values.yaml
View File

@ -319,6 +319,11 @@ endpoints:
protocol: UDP
network_policy:
prometheus_rabbitmq_exporter:
ingress:
- {}
egress:
- {}
rabbitmq:
ingress:
- {}
@ -346,6 +351,7 @@ manifests:
configmap_bin: true
deployment_exporter: true
service_exporter: true
network_policy_exporter: false
network_policy: false
secret_erlang_cookie: true
secret_admin_user: true

82
rabbitmq/values_overrides/netpol.yaml
View File

@ -1,2 +1,84 @@
network_policy:
rabbitmq:
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: aodh
- podSelector:
matchLabels:
application: congress
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: designate
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: senlin
- podSelector:
matchLabels:
application: placement
- podSelector:
matchLabels:
application: rabbitmq
- podSelector:
matchLabels:
application: prometheus_rabbitmq_exporter
ports:
# AMQP port
- protocol: TCP
port: 5672
# HTTP API ports
- protocol: TCP
port: 15672
- protocol: TCP
port: 80
- from:
- podSelector:
matchLabels:
application: rabbitmq
ports:
# Clustering port AMQP + 20000
- protocol: TCP
port: 25672
# Erlang Port Mapper Daemon (epmd)
- protocol: TCP
port: 4369
manifests:
monitoring:
prometheus:
network_policy_exporter: true
network_policy: true