openstack/openstack-helm
Code Issues Proposed changes

Enable network policy enforcement

Browse Source 
This patch set updates the gate to by default uses network policy
for all components and enforces them in Openstack-helm.

Change-Id: I70c90b5808075797f02670f21481a4f968205325
Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
This commit is contained in:
Tin Lam 2018-09-25 09:16:33 -05:00 committed by Pete Birley
parent 6a9c12c910
commit 29f32a07ac
48 changed files with 930 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
barbican/templates/network_policy.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "barbican" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}

20
barbican/values.yaml
View File

@ -177,6 +177,25 @@ network:
enabled: false
port: 39486
network_policy:
barbican:
ingress:
- from:
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: horizon
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 9311
bootstrap:
enabled: false
ks_user: barbican
@ -651,6 +670,7 @@ manifests:
pdb_api: true
pod_test: true
secret_db: true
network_policy: false
secret_ingress_tls: true
secret_keystone: true
secret_rabbitmq: true

18
ceilometer/templates/network_policy.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ceilometer" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}

6
ceilometer/values.yaml
View File

@ -2061,6 +2061,11 @@ pod:
memory: "1024Mi"
cpu: "2000m"
network_policy:
ceilometer:
ingress:
- {}
manifests:
configmap_bin: true
configmap_etc: true
@ -2082,6 +2087,7 @@ manifests:
job_rabbit_init: true
pdb_api: true
pod_rally_test: true
network_policy: false
secret_db: true
secret_keystone: true
secret_mongodb: true

18
cinder/templates/network_policy.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "cinder" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}

6
cinder/values.yaml
View File

@ -1244,6 +1244,11 @@ endpoints:
metrics:
default: 24220
network_policy:
cinder:
ingress:
- {}
manifests:
configmap_bin: true
configmap_etc: true
@ -1268,6 +1273,7 @@ manifests:
pdb_api: true
pod_rally_test: true
pvc_backup: true
network_policy: false
secret_db: true
secret_ingress_tls: true
secret_keystone: true

18
congress/templates/network_policy.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "congress" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}

6
congress/values.yaml
View File

@ -343,6 +343,11 @@ policy:
- nova
poll_time: 120
network_policy:
congress:
ingress:
- {}
conf:
congress:
DEFAULT:
@ -609,6 +614,7 @@ manifests:
job_ks_endpoints: true
job_ks_service: true
job_ks_user: true
network_policy: false
secret_db: true
secret_keystone: true
service_api: true

18
glance/templates/network_policy.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "glance" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}

31
glance/values.yaml
View File

@ -83,6 +83,36 @@ ceph_client:
configmap: ceph-etc
user_secret_name: pvc-ceph-client-key
network_policy:
glance:
ingress:
- from:
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: ironic
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 9191
- protocol: TCP
port: 9292
conf:
rally_tests:
run_tempest: false
@ -887,6 +917,7 @@ manifests:
pdb_registry: false
pod_rally_test: true
pvc_images: true
network_policy: false
secret_db: true
secret_ingress_tls: true
secret_keystone: true

18
heat/templates/network_policy.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "heat" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}

24
heat/values.yaml
View File

@ -1116,6 +1116,29 @@ pod:
memory: "1024Mi"
cpu: "2000m"
network_policy:
heat:
ingress:
- from:
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: horizon
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 8000
- protocol: TCP
port: 8003
- protocol: TCP
port: 8004
manifests:
configmap_bin: true
configmap_etc: true
@ -1142,6 +1165,7 @@ manifests:
pdb_cfn: true
pdb_cloudwatch: false
pod_rally_test: true
network_policy: false
secret_db: true
secret_ingress_tls: true
secret_keystone: true

18
horizon/templates/network_policy.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "horizon" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}

15
horizon/values.yaml
View File

@ -2061,6 +2061,20 @@ endpoints:
mysql:
default: 3306
network_policy:
horizon:
ingress:
- from:
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ingress
- namespaceSelector:
matchLabels:
name: kube-system
manifests:
configmap_bin: true
configmap_etc: true
@ -2071,6 +2085,7 @@ manifests:
job_db_drop: false
job_image_repo_sync: true
pdb: true
network_policy: false
secret_db: true
secret_ingress_tls: true
service_ingress: true

18
ironic/templates/network_policy.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ironic" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}

6
ironic/values.yaml
View File

@ -652,6 +652,11 @@ pod:
memory: "1024Mi"
cpu: "2000m"
network_policy:
ironic:
ingress:
- {}
manifests:
configmap_bin: true
configmap_etc: true
@ -668,6 +673,7 @@ manifests:
job_manage_cleaning_network: true
job_rabbit_init: true
pdb_api: true
network_policy: false
secret_db: true
secret_keystone: true
secret_rabbitmq: true

18
keystone/templates/network_policy.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "keystone" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}

66
keystone/values.yaml
View File

@ -340,6 +340,71 @@ jobs:
success: 3
failed: 1
network_policy:
keystone:
ingress:
- from:
- podSelector:
matchLabels:
application: ceph
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: congress
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: senlin
- podSelector:
matchLabels:
application: placement
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
- protocol: TCP
port: 5000
- protocol: TCP
port: 35357
conf:
keystone:
DEFAULT:
@ -1068,6 +1133,7 @@ manifests:
job_rabbit_init: true
pdb_api: true
pod_rally_test: true
network_policy: false
secret_credential_keys: true
secret_db: true
secret_fernet_keys: true

18
magnum/templates/network_policy.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "magnum" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}

24
magnum/values.yaml
View File

@ -601,6 +601,29 @@ pod:
memory: "1024Mi"
cpu: "2000m"
network_policy:
magnum:
ingress:
- from:
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: heat
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 9511
manifests:
configmap_bin: true
configmap_etc: true
@ -617,6 +640,7 @@ manifests:
job_ks_user: true
job_rabbit_init: true
pdb_api: true
network_policy: false
secret_db: true
secret_keystone: true
secret_rabbitmq: true

18
mistral/templates/network_policy.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "mistral" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}

23
mistral/values.yaml
View File

@ -675,6 +675,28 @@ pod:
memory: "1024Mi"
cpu: "2000m"
network_policy:
mistral:
ingress:
- from:
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: heat
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 8989
manifests:
configmap_bin: true
configmap_etc: true
@ -692,6 +714,7 @@ manifests:
job_rabbit_init: true
pdb_api: true
pod_rally_test: true
network_policy: false
secret_db: true
secret_keystone: true
secret_rabbitmq: true

18
neutron/templates/network_policy.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "neutron" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}

7
neutron/values.yaml
View File

@ -1858,6 +1858,12 @@ endpoints:
metrics:
default: 24220
network_policy:
neutron:
# TODO(lamt): Need to tighten this ingress for security.
ingress:
- {}
manifests:
configmap_bin: true
configmap_etc: true
@ -1880,6 +1886,7 @@ manifests:
job_rabbit_init: true
pdb_server: true
pod_rally_test: true
network_policy: false
secret_db: true
secret_ingress_tls: true
secret_keystone: true

22
nova/templates/network_policy.yaml Normal file
View File

@ -0,0 +1,22 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "nova" }}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "placement" }}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}

11
nova/values.yaml
View File

@ -2234,6 +2234,16 @@ pod:
memory: "1024Mi"
cpu: "2000m"
network_policy:
nova:
# TODO(lamt): Need to tighten this ingress for security.
ingress:
- {}
placement:
# TODO(lamt): Need to tighten this ingress for security.
ingress:
- {}
manifests:
configmap_bin: true
configmap_etc: true
@ -2270,6 +2280,7 @@ manifests:
pdb_placement: true
pdb_osapi: true
pod_rally_test: true
network_policy: false
secret_db_api: true
secret_db: true
secret_ingress_tls: true

18
senlin/templates/network_policy.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "senlin" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}

6
senlin/values.yaml
View File

@ -633,6 +633,11 @@ pod:
memory: "1024Mi"
cpu: "2000m"
network_policy:
senlin:
ingress:
- {}
manifests:
configmap_bin: true
configmap_etc: true
@ -651,6 +656,7 @@ manifests:
job_rabbit_init: true
pdb_api: true
pod_test: true
network_policy: false
secret_db: true
secret_keystone: true
secret_rabbitmq: true

1
tools/deployment/baremetal/110-compute-kit.sh
View File

@ -69,6 +69,7 @@ EOF
helm upgrade --install neutron ./neutron \
--namespace=openstack \
--values=/tmp/neutron.yaml \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NEUTRON}

55
tools/deployment/common/memcached.sh
View File

@ -20,10 +20,65 @@ set -xe
: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
make -C ${OSH_INFRA_PATH} memcached
tee /tmp/memcached.yaml <<EOF
manifests:
network_policy: true
network_policy:
memcached:
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: congress
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: senlin
ports:
- protocol: TCP
port: 11211
EOF
#NOTE: Deploy command
: ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install memcached ${OSH_INFRA_PATH}/memcached \
--namespace=openstack \
--values=/tmp/memcached.yaml \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_MEMCACHED}

50
tools/deployment/common/test-networkpolicy.sh Executable file
View File

@ -0,0 +1,50 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
# test_netpol(namespace, component, target_host, expected_result{fail,success})
function test_netpol {
NS=$1
COMPONENT=$2
HOST=$3
STATUS=$4
echo Testing connection from $COMPONENT to host $HOST with namespace $NS
POD=$(kubectl -n $NS get pod | grep $COMPONENT | grep Running | awk '{print $1}')
PID=$(sudo docker inspect --format '{{ .State.Pid }}' $(kubectl get pods --namespace $NS $POD -o jsonpath='{.status.containerStatuses[0].containerID}' | cut -c 10-21))
if [ "x${STATUS}" == "xfail" ]; then
if ! sudo nsenter -t $PID -n wget --spider --timeout=5 --tries=1 $HOST ; then
echo "Connection timed out; as expected by policy."
else
exit 1
fi
else
sudo nsenter -t $PID -n wget --spider --timeout=5 --tries=1 $HOST
fi
}
# Doing negative tests
test_netpol openstack keystone-api heat-api.openstack.svc.cluster.local fail
test_netpol openstack keystone-api glance-api.openstack.svc.cluster.local fail
test_netpol openstack mariadb-server rabbitmq.openstack.svc.cluster.local:5672 fail
test_netpol openstack rabbitmq-rabbitmq memcached.openstack.svc.cluster.local:11211 fail
test_netpol openstack memcached mariadb.openstack.svc.cluster.local:3306 fail
# Doing positive tests
test_netpol openstack keystone-api mariadb.openstack.svc.cluster.local:3306 success
test_netpol openstack keystone-api rabbitmq.openstack.svc.cluster.local:5672 success
test_netpol openstack heat-api mariadb.openstack.svc.cluster.local:3306 success
test_netpol openstack glance-api mariadb.openstack.svc.cluster.local:3306 success
echo Test successfully

1
tools/deployment/developer/ceph/120-glance.sh
View File

@ -46,6 +46,7 @@ fi
helm upgrade --install glance ./glance \
--namespace=openstack \
--values=/tmp/glance.yaml \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_GLANCE}

1
tools/deployment/developer/ceph/130-cinder.sh
View File

@ -36,6 +36,7 @@ EOF
helm upgrade --install cinder ./cinder \
--namespace=openstack \
--values=/tmp/cinder.yaml \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_CINDER}

10
tools/deployment/developer/ceph/150-libvirt.sh
View File

@ -19,10 +19,20 @@ set -xe
: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
make -C ${OSH_INFRA_PATH} libvirt
tee /tmp/libvirt.yaml <<EOF
manifests:
network_policy: true
network_policy:
libvirt:
ingress:
- {}
EOF
#NOTE: Deploy command
: ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install libvirt ${OSH_INFRA_PATH}/libvirt \
--namespace=openstack \
--values=/tmp/libvirt.yaml \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_LIBVIRT}

3
tools/deployment/developer/ceph/160-compute-kit.sh
View File

@ -25,6 +25,7 @@ if [ "x$(systemd-detect-virt)" == "xnone" ]; then
echo 'OSH is not being deployed in virtualized environment'
helm upgrade --install nova ./nova \
--namespace=openstack \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NOVA}
else
@ -33,6 +34,7 @@ else
--namespace=openstack \
--set conf.nova.libvirt.virt_type=qemu \
--set conf.nova.libvirt.cpu_mode=none \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NOVA}
fi
@ -68,6 +70,7 @@ EOF
helm upgrade --install neutron ./neutron \
--namespace=openstack \
--values=/tmp/neutron.yaml \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NEUTRON}

82
tools/deployment/developer/common/030-ingress.sh
View File

@ -20,6 +20,57 @@ set -xe
: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
make -C ${OSH_INFRA_PATH} ingress
tee /tmp/ingress.yaml <<EOF
manifests:
network_policy: true
network_policy:
ingress:
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: congress
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: senlin
EOF
#NOTE: Deploy command
: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
: ${OSH_EXTRA_HELM_ARGS:=""}
@ -43,15 +94,26 @@ helm upgrade --install ingress-kube-system ${OSH_INFRA_PATH}/ingress \
helm status ingress-kube-system
#NOTE: Deploy namespace ingress
for NAMESPACE in openstack ceph; do
helm upgrade --install ingress-${NAMESPACE} ${OSH_INFRA_PATH}/ingress \
--namespace=${NAMESPACE} \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_INGRESS_OPENSTACK}
helm upgrade --install ingress-openstack ${OSH_INFRA_PATH}/ingress \
--namespace=openstack \
--values=/tmp/ingress.yaml \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_INGRESS_OPENSTACK}
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh ${NAMESPACE}
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh openstack
#NOTE: Display info
helm status ingress-${NAMESPACE}
done
#NOTE: Display info
helm status ingress-openstack
helm upgrade --install ingress-ceph ${OSH_INFRA_PATH}/ingress \
--namespace=ceph \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_INGRESS_OPENSTACK}
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh ceph
#NOTE: Display info
helm status ingress-ceph

33
tools/deployment/developer/common/049-lockdown.sh Executable file
View File

@ -0,0 +1,33 @@
#!/bin/bash
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make lockdown
#NOTE: Deploy command
: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
: ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install lockdown ${OSH_INFRA_PATH}/lockdown \
--namespace=openstack \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_LOCKDOWN}
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh openstack
#NOTE: Validate Deployment info
helm status lockdown

62
tools/deployment/developer/common/050-mariadb.sh
View File

@ -20,10 +20,72 @@ set -xe
: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
make -C ${OSH_INFRA_PATH} mariadb
tee /tmp/mariadb.yaml <<EOF
manifests:
network_policy: true
network_policy:
mariadb:
ingress:
- from:
- podSelector:
matchLabels:
application: mariadb
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: congress
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: senlin
ports:
- protocol: TCP
port: 3306
- protocol: TCP
port: 4567
- protocol: TCP
port: 80
EOF
#NOTE: Deploy command
: ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install mariadb ${OSH_INFRA_PATH}/mariadb \
--namespace=openstack \
--values=/tmp/mariadb.yaml \
--set pod.replicas.server=1 \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_MARIADB}

62
tools/deployment/developer/common/060-rabbitmq.sh
View File

@ -20,10 +20,72 @@ set -xe
: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
make -C ${OSH_INFRA_PATH} rabbitmq
tee /tmp/rabbitmq.yaml <<EOF
manifests:
network_policy: true
network_policy:
rabbitmq:
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: congress
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: senlin
ports:
- protocol: TCP
port: 5672
- protocol: TCP
port: 15672
- protocol: TCP
port: 25672
- protocol: TCP
port: 20000
EOF
#NOTE: Deploy command
: ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install rabbitmq ${OSH_INFRA_PATH}/rabbitmq \
--namespace=openstack \
--values=/tmp/rabbitmq.yaml \
--set pod.replicas.server=1 \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_RABBITMQ}

1
tools/deployment/developer/common/080-keystone.sh
View File

@ -23,6 +23,7 @@ make keystone
: ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install keystone ./keystone \
--namespace=openstack \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_KEYSTONE}

1
tools/deployment/developer/common/090-heat.sh
View File

@ -22,6 +22,7 @@ make heat
: ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install heat ./heat \
--namespace=openstack \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_HEAT}

1
tools/deployment/developer/common/100-horizon.sh
View File

@ -25,6 +25,7 @@ helm upgrade --install horizon ./horizon \
--namespace=openstack \
--set network.node_port.enabled=true \
--set network.node_port.port=31000 \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_HORIZON}

10
tools/deployment/developer/common/140-openvswitch.sh
View File

@ -19,10 +19,20 @@ set -xe
: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
make -C ${OSH_INFRA_PATH} openvswitch
tee /tmp/openvswitch.yaml <<EOF
manifests:
network_policy: true
network_policy:
openvswitch:
ingress:
- {}
EOF
#NOTE: Deploy command
: ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install openvswitch ${OSH_INFRA_PATH}/openvswitch \
--namespace=openstack \
--values=/tmp/openvswitch.yaml \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_OPENVSWITCH}

24
tools/deployment/developer/ldap/080-keystone.sh
View File

@ -19,10 +19,33 @@ set -xe
#NOTE: Deploy command
: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
: ${OSH_EXTRA_HELM_ARGS:=""}
tee /tmp/ldap.yaml <<EOF
manifests:
network_policy: true
network_policy:
ldap:
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: ldap
- podSelector:
matchLabels:
application: ingress
ports:
- protocol: TCP
port: 389
EOF
helm upgrade --install ldap ${OSH_INFRA_PATH}/ldap \
--namespace=openstack \
--set pod.replicas.server=1 \
--set bootstrap.enabled=true \
--values=/tmp/ldap.yaml \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_LDAP}
@ -40,6 +63,7 @@ make pull-images keystone
helm upgrade --install keystone ./keystone \
--namespace=openstack \
--values=./tools/overrides/keystone/ldap_domain_config.yaml \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_KEYSTONE}

1
tools/deployment/developer/nfs/120-glance.sh
View File

@ -45,6 +45,7 @@ fi
helm upgrade --install glance ./glance \
--namespace=openstack \
--values=/tmp/glance.yaml \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_GLANCE}

10
tools/deployment/developer/nfs/150-libvirt.sh
View File

@ -19,11 +19,21 @@ set -xe
: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
make -C ${OSH_INFRA_PATH} libvirt
tee /tmp/libvirt.yaml <<EOF
manifests:
network_policy: true
network_policy:
libvirt:
ingress:
- {}
EOF
#NOTE: Deploy command
: ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install libvirt ${OSH_INFRA_PATH}/libvirt \
--namespace=openstack \
--set conf.ceph.enabled=false \
--values=/tmp/libvirt.yaml \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_LIBVIRT}

3
tools/deployment/developer/nfs/160-compute-kit.sh
View File

@ -26,6 +26,7 @@ if [ "x$(systemd-detect-virt)" == "xnone" ]; then
helm upgrade --install nova ./nova \
--namespace=openstack \
--set conf.ceph.enabled=false \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NOVA}
else
@ -35,6 +36,7 @@ else
--set conf.ceph.enabled=false \
--set conf.nova.libvirt.virt_type=qemu \
--set conf.nova.libvirt.cpu_mode=none \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NOVA}
fi
@ -68,6 +70,7 @@ EOF
helm upgrade --install neutron ./neutron \
--namespace=openstack \
--values=/tmp/neutron.yaml \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NEUTRON}

22
tools/gate/playbooks/dev-deploy-nfs.yaml
View File

@ -69,6 +69,17 @@
./tools/deployment/developer/nfs/040-nfs-provisioner.sh
args:
chdir: "{{ zuul_osh_relative_path | default(zuul.project.src_dir) }}"
- name: Lockdown all the ingress
environment:
OSH_OPENSTACK_RELEASE: "{{ osh_openstack_release }}"
OSH_EXTRA_HELM_ARGS: "{{ zuul_osh_extra_helm_args_relative_path | default('') }}"
OSH_INFRA_PATH: "{{ zuul_osh_infra_relative_path | default('') }}"
zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
shell: |
set -xe;
./tools/deployment/developer/common/049-lockdown.sh
args:
chdir: "{{ zuul_osh_relative_path | default(zuul.project.src_dir) }}"
- name: Deploy Mariadb
environment:
OSH_OPENSTACK_RELEASE: "{{ osh_openstack_release }}"
@ -215,3 +226,14 @@
./tools/deployment/developer/nfs/900-use-it.sh
args:
chdir: "{{ zuul_osh_relative_path | default(zuul.project.src_dir) }}"
- name: Test network policy
environment:
OSH_OPENSTACK_RELEASE: "{{ osh_openstack_release }}"
OSH_EXTRA_HELM_ARGS: "{{ zuul_osh_extra_helm_args_relative_path | default('') }}"
OSH_INFRA_PATH: "{{ zuul_osh_infra_relative_path | default('') }}"
zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
shell: |
set -xe;
./tools/deployment/common/test-networkpolicy.sh
args:
chdir: "{{ zuul_osh_relative_path | default(zuul.project.src_dir) }}"