Merge "Add RabbitMQ ingress Network Policy rules"

rabbitmq/templates/monitoring/prometheus/exporter-network-policy.yaml

@@ -0,0 +1,20 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.monitoring.prometheus.network_policy_exporter .Values.monitoring.prometheus.enabled -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus_rabbitmq_exporter" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}

rabbitmq/values.yaml

@@ -319,6 +319,11 @@ endpoints:
         protocol: UDP
 
 network_policy:
+  prometheus_rabbitmq_exporter:
+    ingress:
+      - {}
+    egress:
+      - {}
   rabbitmq:
     ingress:
       - {}
@@ -346,6 +351,7 @@ manifests:
       configmap_bin: true
       deployment_exporter: true
       service_exporter: true
+      network_policy_exporter: false
   network_policy: false
   secret_erlang_cookie: true
   secret_admin_user: true

rabbitmq/values_overrides/netpol.yaml

@@ -1,2 +1,84 @@
+network_policy:
+  rabbitmq:
+    ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: keystone
+        - podSelector:
+            matchLabels:
+              application: heat
+        - podSelector:
+            matchLabels:
+              application: glance
+        - podSelector:
+            matchLabels:
+              application: cinder
+        - podSelector:
+            matchLabels:
+              application: aodh
+        - podSelector:
+            matchLabels:
+              application: congress
+        - podSelector:
+            matchLabels:
+              application: barbican
+        - podSelector:
+            matchLabels:
+              application: ceilometer
+        - podSelector:
+            matchLabels:
+              application: designate
+        - podSelector:
+            matchLabels:
+              application: ironic
+        - podSelector:
+            matchLabels:
+              application: magnum
+        - podSelector:
+            matchLabels:
+              application: mistral
+        - podSelector:
+            matchLabels:
+              application: nova
+        - podSelector:
+            matchLabels:
+              application: neutron
+        - podSelector:
+            matchLabels:
+              application: senlin
+        - podSelector:
+            matchLabels:
+              application: placement
+        - podSelector:
+            matchLabels:
+              application: rabbitmq
+        - podSelector:
+            matchLabels:
+              application: prometheus_rabbitmq_exporter
+        ports:
+          # AMQP port
+          - protocol: TCP
+            port: 5672
+          # HTTP API ports
+          - protocol: TCP
+            port: 15672
+          - protocol: TCP
+            port: 80
+      - from:
+        - podSelector:
+            matchLabels:
+              application: rabbitmq
+        ports:
+          # Clustering port AMQP + 20000
+          - protocol: TCP
+            port: 25672
+          # Erlang Port Mapper Daemon (epmd)
+          - protocol: TCP
+            port: 4369
+
 manifests:
+  monitoring:
+    prometheus:
+      network_policy_exporter: true
   network_policy: true