Enable network policy enforcement

This patch set updates the gate to use network policy by default
for all components and enforces those policies in Openstack-helm.

Change-Id: I70c90b5808075797f02670f21481a4f968205325
Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
Tin Lam 2018-09-25 09:16:33 -05:00 committed by Pete Birley
parent 6a9c12c910
commit 29f32a07ac
48 changed files with 930 additions and 10 deletions


@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "barbican" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -177,6 +177,25 @@ network:
enabled: false enabled: false
port: 39486 port: 39486
network_policy:
barbican:
ingress:
- from:
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: horizon
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 9311
bootstrap: bootstrap:
enabled: false enabled: false
ks_user: barbican ks_user: barbican
@ -651,6 +670,7 @@ manifests:
pdb_api: true pdb_api: true
pod_test: true pod_test: true
secret_db: true secret_db: true
network_policy: false
secret_ingress_tls: true secret_ingress_tls: true
secret_keystone: true secret_keystone: true
secret_rabbitmq: true secret_rabbitmq: true


@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ceilometer" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -2061,6 +2061,11 @@ pod:
memory: "1024Mi" memory: "1024Mi"
cpu: "2000m" cpu: "2000m"
network_policy:
ceilometer:
ingress:
- {}
manifests: manifests:
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
@ -2082,6 +2087,7 @@ manifests:
job_rabbit_init: true job_rabbit_init: true
pdb_api: true pdb_api: true
pod_rally_test: true pod_rally_test: true
network_policy: false
secret_db: true secret_db: true
secret_keystone: true secret_keystone: true
secret_mongodb: true secret_mongodb: true
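Review bot: The `ingress: - {}` default for ceilometer is an allow-all rule, and unlike the neutron, nova and placement defaults in this commit it carries no marker that it is a placeholder. Assuming the list is passed through to the NetworkPolicy spec unchanged, an empty rule admits every source on every port, so enabling `manifests.network_policy` for this chart creates a policy object without restricting anything. The cinder, congress, ironic and senlin defaults and the libvirt gate override have the same shape. I would put the comment already used elsewhere, `# TODO(lamt): Need to tighten this ingress for security.`, above each of them so an operator does not read an enabled policy as isolation. The page has lost the YAML indentation, so nesting is read from key order here.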


@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "cinder" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -1244,6 +1244,11 @@ endpoints:
metrics: metrics:
default: 24220 default: 24220
network_policy:
cinder:
ingress:
- {}
manifests: manifests:
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
@ -1268,6 +1273,7 @@ manifests:
pdb_api: true pdb_api: true
pod_rally_test: true pod_rally_test: true
pvc_backup: true pvc_backup: true
network_policy: false
secret_db: true secret_db: true
secret_ingress_tls: true secret_ingress_tls: true
secret_keystone: true secret_keystone: true


@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "congress" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -343,6 +343,11 @@ policy:
- nova - nova
poll_time: 120 poll_time: 120
network_policy:
congress:
ingress:
- {}
conf: conf:
congress: congress:
DEFAULT: DEFAULT:
@ -609,6 +614,7 @@ manifests:
job_ks_endpoints: true job_ks_endpoints: true
job_ks_service: true job_ks_service: true
job_ks_user: true job_ks_user: true
network_policy: false
secret_db: true secret_db: true
secret_keystone: true secret_keystone: true
service_api: true service_api: true


@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "glance" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -83,6 +83,36 @@ ceph_client:
configmap: ceph-etc configmap: ceph-etc
user_secret_name: pvc-ceph-client-key user_secret_name: pvc-ceph-client-key
network_policy:
glance:
ingress:
- from:
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: ironic
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 9191
- protocol: TCP
port: 9292
conf: conf:
rally_tests: rally_tests:
run_tempest: false run_tempest: false
@ -887,6 +917,7 @@ manifests:
pdb_registry: false pdb_registry: false
pod_rally_test: true pod_rally_test: true
pvc_images: true pvc_images: true
network_policy: false
secret_db: true secret_db: true
secret_ingress_tls: true secret_ingress_tls: true
secret_keystone: true secret_keystone: true


@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "heat" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -1116,6 +1116,29 @@ pod:
memory: "1024Mi" memory: "1024Mi"
cpu: "2000m" cpu: "2000m"
network_policy:
heat:
ingress:
- from:
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: horizon
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 8000
- protocol: TCP
port: 8003
- protocol: TCP
port: 8004
manifests: manifests:
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
@ -1142,6 +1165,7 @@ manifests:
pdb_cfn: true pdb_cfn: true
pdb_cloudwatch: false pdb_cloudwatch: false
pod_rally_test: true pod_rally_test: true
network_policy: false
secret_db: true secret_db: true
secret_ingress_tls: true secret_ingress_tls: true
secret_keystone: true secret_keystone: true


@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "horizon" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -2061,6 +2061,20 @@ endpoints:
mysql: mysql:
default: 3306 default: 3306
network_policy:
horizon:
ingress:
- from:
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ingress
- namespaceSelector:
matchLabels:
name: kube-system
manifests: manifests:
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
@ -2071,6 +2085,7 @@ manifests:
job_db_drop: false job_db_drop: false
job_image_repo_sync: true job_image_repo_sync: true
pdb: true pdb: true
network_policy: false
secret_db: true secret_db: true
secret_ingress_tls: true secret_ingress_tls: true
service_ingress: true service_ingress: true
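Review bot: The `namespaceSelector` peer with `matchLabels: name: kube-system` only matches if the kube-system namespace object actually carries a `name: kube-system` label, and nothing in this commit applies or checks that label. Where the label is missing the peer silently matches nothing; where it is present every pod in kube-system is admitted on every port, because this rule has no `ports` list, unlike the barbican, glance and heat rules. A comment next to the selector such as `# requires: kubectl label namespace kube-system name=kube-system`, plus a `ports` entry for the ports horizon serves, would make both assumptions explicit.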


@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ironic" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -652,6 +652,11 @@ pod:
memory: "1024Mi" memory: "1024Mi"
cpu: "2000m" cpu: "2000m"
network_policy:
ironic:
ingress:
- {}
manifests: manifests:
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
@ -668,6 +673,7 @@ manifests:
job_manage_cleaning_network: true job_manage_cleaning_network: true
job_rabbit_init: true job_rabbit_init: true
pdb_api: true pdb_api: true
network_policy: false
secret_db: true secret_db: true
secret_keystone: true secret_keystone: true
secret_rabbitmq: true secret_rabbitmq: true


@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "keystone" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -340,6 +340,71 @@ jobs:
success: 3 success: 3
failed: 1 failed: 1
network_policy:
keystone:
ingress:
- from:
- podSelector:
matchLabels:
application: ceph
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: congress
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: senlin
- podSelector:
matchLabels:
application: placement
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
- protocol: TCP
port: 5000
- protocol: TCP
port: 35357
conf: conf:
keystone: keystone:
DEFAULT: DEFAULT:
@ -1068,6 +1133,7 @@ manifests:
job_rabbit_init: true job_rabbit_init: true
pdb_api: true pdb_api: true
pod_rally_test: true pod_rally_test: true
network_policy: false
secret_credential_keys: true secret_credential_keys: true
secret_db: true secret_db: true
secret_fernet_keys: true secret_fernet_keys: true


@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "magnum" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -601,6 +601,29 @@ pod:
memory: "1024Mi" memory: "1024Mi"
cpu: "2000m" cpu: "2000m"
network_policy:
magnum:
ingress:
- from:
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: heat
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 9511
manifests: manifests:
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
@ -617,6 +640,7 @@ manifests:
job_ks_user: true job_ks_user: true
job_rabbit_init: true job_rabbit_init: true
pdb_api: true pdb_api: true
network_policy: false
secret_db: true secret_db: true
secret_keystone: true secret_keystone: true
secret_rabbitmq: true secret_rabbitmq: true


@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "mistral" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -675,6 +675,28 @@ pod:
memory: "1024Mi" memory: "1024Mi"
cpu: "2000m" cpu: "2000m"
network_policy:
mistral:
ingress:
- from:
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: heat
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 8989
manifests: manifests:
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
@ -692,6 +714,7 @@ manifests:
job_rabbit_init: true job_rabbit_init: true
pdb_api: true pdb_api: true
pod_rally_test: true pod_rally_test: true
network_policy: false
secret_db: true secret_db: true
secret_keystone: true secret_keystone: true
secret_rabbitmq: true secret_rabbitmq: true


@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "neutron" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -1858,6 +1858,12 @@ endpoints:
metrics: metrics:
default: 24220 default: 24220
network_policy:
neutron:
# TODO(lamt): Need to tighten this ingress for security.
ingress:
- {}
manifests: manifests:
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
@ -1880,6 +1886,7 @@ manifests:
job_rabbit_init: true job_rabbit_init: true
pdb_server: true pdb_server: true
pod_rally_test: true pod_rally_test: true
network_policy: false
secret_db: true secret_db: true
secret_ingress_tls: true secret_ingress_tls: true
secret_keystone: true secret_keystone: true


@ -0,0 +1,22 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "nova" }}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "placement" }}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}
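Review bot: Two policies are rendered back to back from this one template file (`nova`, then `placement`) with nothing between the two `include` calls. The body of `helm-toolkit.manifests.kubernetes_network_policy` is not shown on this page; if it does not begin with a `---` document separator, the second manifest is merged into the first as duplicate keys and only one NetworkPolicy reaches the cluster. Worth confirming against the rendered output, or adding an explicit `---` line before the second `$netpol_opts` assignment. The two `dict` lines also end in `}}` where the other charts' templates use `-}}`, which leaves extra blank lines in the rendered manifest.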


@ -2234,6 +2234,16 @@ pod:
memory: "1024Mi" memory: "1024Mi"
cpu: "2000m" cpu: "2000m"
network_policy:
nova:
# TODO(lamt): Need to tighten this ingress for security.
ingress:
- {}
placement:
# TODO(lamt): Need to tighten this ingress for security.
ingress:
- {}
manifests: manifests:
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
@ -2270,6 +2280,7 @@ manifests:
pdb_placement: true pdb_placement: true
pdb_osapi: true pdb_osapi: true
pod_rally_test: true pod_rally_test: true
network_policy: false
secret_db_api: true secret_db_api: true
secret_db: true secret_db: true
secret_ingress_tls: true secret_ingress_tls: true


@ -0,0 +1,18 @@
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.network_policy -}}
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "senlin" -}}
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
{{- end -}}


@ -633,6 +633,11 @@ pod:
memory: "1024Mi" memory: "1024Mi"
cpu: "2000m" cpu: "2000m"
network_policy:
senlin:
ingress:
- {}
manifests: manifests:
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
@ -651,6 +656,7 @@ manifests:
job_rabbit_init: true job_rabbit_init: true
pdb_api: true pdb_api: true
pod_test: true pod_test: true
network_policy: false
secret_db: true secret_db: true
secret_keystone: true secret_keystone: true
secret_rabbitmq: true secret_rabbitmq: true


@ -69,6 +69,7 @@ EOF
helm upgrade --install neutron ./neutron \ helm upgrade --install neutron ./neutron \
--namespace=openstack \ --namespace=openstack \
--values=/tmp/neutron.yaml \ --values=/tmp/neutron.yaml \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NEUTRON} ${OSH_EXTRA_HELM_ARGS_NEUTRON}


@ -20,10 +20,65 @@ set -xe
: ${OSH_INFRA_PATH:="../openstack-helm-infra"} : ${OSH_INFRA_PATH:="../openstack-helm-infra"}
make -C ${OSH_INFRA_PATH} memcached make -C ${OSH_INFRA_PATH} memcached
tee /tmp/memcached.yaml <<EOF
manifests:
network_policy: true
network_policy:
memcached:
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: congress
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: senlin
ports:
- protocol: TCP
port: 11211
EOF
#NOTE: Deploy command #NOTE: Deploy command
: ${OSH_EXTRA_HELM_ARGS:=""} : ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install memcached ${OSH_INFRA_PATH}/memcached \ helm upgrade --install memcached ${OSH_INFRA_PATH}/memcached \
--namespace=openstack \ --namespace=openstack \
--values=/tmp/memcached.yaml \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_MEMCACHED} ${OSH_EXTRA_HELM_ARGS_MEMCACHED}
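Review bot: The peer list in this heredoc is a hand-copied inventory of every client chart, and the same list is repeated in the ingress and mariadb overrides and in the keystone defaults of this commit. The copies already differ: `application: placement` and `application: ceph` appear only in the keystone list, so it is unclear whether their absence here is intended. A chart missing from one copy is silently cut off from that service once enforcement is on, which is hard to trace back to this file. At minimum I would add above the heredoc `# NOTE: peer list is duplicated in the ingress and mariadb overrides; update all copies together.`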


@ -0,0 +1,50 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
# test_netpol(namespace, component, target_host, expected_result{fail,success})
function test_netpol {
NS=$1
COMPONENT=$2
HOST=$3
STATUS=$4
echo Testing connection from $COMPONENT to host $HOST with namespace $NS
POD=$(kubectl -n $NS get pod | grep $COMPONENT | grep Running | awk '{print $1}')
PID=$(sudo docker inspect --format '{{ .State.Pid }}' $(kubectl get pods --namespace $NS $POD -o jsonpath='{.status.containerStatuses[0].containerID}' | cut -c 10-21))
if [ "x${STATUS}" == "xfail" ]; then
if ! sudo nsenter -t $PID -n wget --spider --timeout=5 --tries=1 $HOST ; then
echo "Connection timed out; as expected by policy."
else
exit 1
fi
else
sudo nsenter -t $PID -n wget --spider --timeout=5 --tries=1 $HOST
fi
}
# Doing negative tests
test_netpol openstack keystone-api heat-api.openstack.svc.cluster.local fail
test_netpol openstack keystone-api glance-api.openstack.svc.cluster.local fail
test_netpol openstack mariadb-server rabbitmq.openstack.svc.cluster.local:5672 fail
test_netpol openstack rabbitmq-rabbitmq memcached.openstack.svc.cluster.local:11211 fail
test_netpol openstack memcached mariadb.openstack.svc.cluster.local:3306 fail
# Doing positive tests
test_netpol openstack keystone-api mariadb.openstack.svc.cluster.local:3306 success
test_netpol openstack keystone-api rabbitmq.openstack.svc.cluster.local:5672 success
test_netpol openstack heat-api mariadb.openstack.svc.cluster.local:3306 success
test_netpol openstack glance-api mariadb.openstack.svc.cluster.local:3306 success
echo Test successfully
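Review bot: In the `fail` branch of `test_netpol`, any non-zero exit from `wget` is counted as the policy working, so a DNS failure, an undeployed service or a target that is simply down passes the negative test exactly as a blocked connection does. The message `Connection timed out; as expected by policy.` is printed whatever the cause, and the heat-api and glance-api negative targets have no matching positive probe showing they were reachable at all. I would pair each negative case with a positive probe of the same host and port from a pod the policy allows, and document it above the function with `# A failed probe only proves enforcement if the same target is reachable from an allowed pod.` Separately, `$POD` is used unquoted and `grep $COMPONENT` can match more than one Running pod, which the `docker inspect` line does not handle.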


@ -46,6 +46,7 @@ fi
helm upgrade --install glance ./glance \ helm upgrade --install glance ./glance \
--namespace=openstack \ --namespace=openstack \
--values=/tmp/glance.yaml \ --values=/tmp/glance.yaml \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_GLANCE} ${OSH_EXTRA_HELM_ARGS_GLANCE}


@ -36,6 +36,7 @@ EOF
helm upgrade --install cinder ./cinder \ helm upgrade --install cinder ./cinder \
--namespace=openstack \ --namespace=openstack \
--values=/tmp/cinder.yaml \ --values=/tmp/cinder.yaml \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_CINDER} ${OSH_EXTRA_HELM_ARGS_CINDER}


@ -19,10 +19,20 @@ set -xe
: ${OSH_INFRA_PATH:="../openstack-helm-infra"} : ${OSH_INFRA_PATH:="../openstack-helm-infra"}
make -C ${OSH_INFRA_PATH} libvirt make -C ${OSH_INFRA_PATH} libvirt
tee /tmp/libvirt.yaml <<EOF
manifests:
network_policy: true
network_policy:
libvirt:
ingress:
- {}
EOF
#NOTE: Deploy command #NOTE: Deploy command
: ${OSH_EXTRA_HELM_ARGS:=""} : ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install libvirt ${OSH_INFRA_PATH}/libvirt \ helm upgrade --install libvirt ${OSH_INFRA_PATH}/libvirt \
--namespace=openstack \ --namespace=openstack \
--values=/tmp/libvirt.yaml \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_LIBVIRT} ${OSH_EXTRA_HELM_ARGS_LIBVIRT}


@ -25,6 +25,7 @@ if [ "x$(systemd-detect-virt)" == "xnone" ]; then
echo 'OSH is not being deployed in virtualized environment' echo 'OSH is not being deployed in virtualized environment'
helm upgrade --install nova ./nova \ helm upgrade --install nova ./nova \
--namespace=openstack \ --namespace=openstack \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NOVA} ${OSH_EXTRA_HELM_ARGS_NOVA}
else else
@ -33,6 +34,7 @@ else
--namespace=openstack \ --namespace=openstack \
--set conf.nova.libvirt.virt_type=qemu \ --set conf.nova.libvirt.virt_type=qemu \
--set conf.nova.libvirt.cpu_mode=none \ --set conf.nova.libvirt.cpu_mode=none \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NOVA} ${OSH_EXTRA_HELM_ARGS_NOVA}
fi fi
@ -68,6 +70,7 @@ EOF
helm upgrade --install neutron ./neutron \ helm upgrade --install neutron ./neutron \
--namespace=openstack \ --namespace=openstack \
--values=/tmp/neutron.yaml \ --values=/tmp/neutron.yaml \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NEUTRON} ${OSH_EXTRA_HELM_ARGS_NEUTRON}


@ -20,6 +20,57 @@ set -xe
: ${OSH_INFRA_PATH:="../openstack-helm-infra"} : ${OSH_INFRA_PATH:="../openstack-helm-infra"}
make -C ${OSH_INFRA_PATH} ingress make -C ${OSH_INFRA_PATH} ingress
tee /tmp/ingress.yaml <<EOF
manifests:
network_policy: true
network_policy:
ingress:
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: congress
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: senlin
EOF
#NOTE: Deploy command #NOTE: Deploy command
: ${OSH_INFRA_PATH:="../openstack-helm-infra"} : ${OSH_INFRA_PATH:="../openstack-helm-infra"}
: ${OSH_EXTRA_HELM_ARGS:=""} : ${OSH_EXTRA_HELM_ARGS:=""}
@ -43,15 +94,26 @@ helm upgrade --install ingress-kube-system ${OSH_INFRA_PATH}/ingress \
helm status ingress-kube-system helm status ingress-kube-system
#NOTE: Deploy namespace ingress #NOTE: Deploy namespace ingress
for NAMESPACE in openstack ceph; do helm upgrade --install ingress-openstack ${OSH_INFRA_PATH}/ingress \
helm upgrade --install ingress-${NAMESPACE} ${OSH_INFRA_PATH}/ingress \ --namespace=openstack \
--namespace=${NAMESPACE} \ --values=/tmp/ingress.yaml \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_INGRESS_OPENSTACK} ${OSH_EXTRA_HELM_ARGS_INGRESS_OPENSTACK}
#NOTE: Wait for deploy #NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh ${NAMESPACE} ./tools/deployment/common/wait-for-pods.sh openstack
#NOTE: Display info #NOTE: Display info
helm status ingress-${NAMESPACE} helm status ingress-openstack
done
helm upgrade --install ingress-ceph ${OSH_INFRA_PATH}/ingress \
--namespace=ceph \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_INGRESS_OPENSTACK}
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh ceph
#NOTE: Display info
helm status ingress-ceph
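Review bot: The policy written to `/tmp/ingress.yaml` admits only same-namespace pods selected by `application` label and has no `ports` list, which looks at odds with what an ingress controller has to accept. If the openstack-namespace ingress pods receive traffic forwarded from the `ingress-kube-system` release installed earlier in this script, those sources sit in another namespace and no `podSelector`-only peer matches them; the horizon defaults in this commit add a `namespaceSelector` for that case. Whether that path is exercised in the gate is not visible from the hunk, so it is worth confirming with a request that enters through the kube-system ingress. A short comment above the heredoc stating which traffic sources the list is meant to cover would settle the intent.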


@ -0,0 +1,33 @@
#!/bin/bash
# Copyright 2017-2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Lint and package chart
make lockdown
#NOTE: Deploy command
: ${OSH_INFRA_PATH:="../openstack-helm-infra"}
: ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install lockdown ${OSH_INFRA_PATH}/lockdown \
--namespace=openstack \
${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_LOCKDOWN}
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh openstack
#NOTE: Validate Deployment info
helm status lockdown
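Review bot: `make lockdown` lints and packages a chart in the current repository, while the install two lines later takes it from `${OSH_INFRA_PATH}/lockdown`. The mariadb, rabbitmq, openvswitch and libvirt scripts in this change use `make -C ${OSH_INFRA_PATH} <chart>` for infra charts. If the lockdown chart lives only in the infra repository, as the install path suggests, this step either fails under `set -xe` or checks a different copy than the one deployed. Moving `: ${OSH_INFRA_PATH:="../openstack-helm-infra"}` above the make step and using `make -C ${OSH_INFRA_PATH} lockdown` would match the other scripts. Separately, `wait-for-pods.sh openstack` and `helm status lockdown` do not show whether a NetworkPolicy object was created, so a `kubectl get networkpolicy --namespace=openstack` after the install would at least put that in the gate log.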


@ -20,10 +20,72 @@ set -xe
: ${OSH_INFRA_PATH:="../openstack-helm-infra"} : ${OSH_INFRA_PATH:="../openstack-helm-infra"}
make -C ${OSH_INFRA_PATH} mariadb make -C ${OSH_INFRA_PATH} mariadb
tee /tmp/mariadb.yaml <<EOF
manifests:
network_policy: true
network_policy:
mariadb:
ingress:
- from:
- podSelector:
matchLabels:
application: mariadb
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: congress
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: senlin
ports:
- protocol: TCP
port: 3306
- protocol: TCP
port: 4567
- protocol: TCP
port: 80
EOF
#NOTE: Deploy command #NOTE: Deploy command
: ${OSH_EXTRA_HELM_ARGS:=""} : ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install mariadb ${OSH_INFRA_PATH}/mariadb \ helm upgrade --install mariadb ${OSH_INFRA_PATH}/mariadb \
--namespace=openstack \ --namespace=openstack \
--values=/tmp/mariadb.yaml \
--set pod.replicas.server=1 \ --set pod.replicas.server=1 \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_MARIADB} ${OSH_EXTRA_HELM_ARGS_MARIADB}
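Review bot: The single ingress rule in the `/tmp/mariadb.yaml` heredoc pairs every listed peer with every listed port, so all fourteen client services can reach TCP 4567 as well as 3306. Port 4567 is the Galera replication port, and normally only the `application: mariadb` pods need it. Splitting the rule as sketched below limits replication to cluster members and clients to 3306; port 80 is left out of the sketch because the page does not show what listens there, so it still needs assigning to the right peers. The rabbitmq values hunk has the same shape, with 15672 and 25672 open to every client. This assumes the helm-toolkit template copies the `ingress` list into the NetworkPolicy unchanged; the indentation is reconstructed because the rendering dropped it, and the script continues past the end of the hunk.

```shell
tee /tmp/mariadb.yaml <<EOF
manifests:
  network_policy: true
network_policy:
  mariadb:
    ingress:
      # cluster members: SQL plus Galera replication
      - from:
          - podSelector:
              matchLabels:
                application: mariadb
        ports:
          - protocol: TCP
            port: 3306
          - protocol: TCP
            port: 4567
      # client services: SQL only
      - from:
          - podSelector:
              matchLabels:
                application: keystone
          # … unchanged: remaining client podSelector entries (heat … senlin) …
        ports:
          - protocol: TCP
            port: 3306
EOF
```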


@ -20,10 +20,72 @@ set -xe
: ${OSH_INFRA_PATH:="../openstack-helm-infra"} : ${OSH_INFRA_PATH:="../openstack-helm-infra"}
make -C ${OSH_INFRA_PATH} rabbitmq make -C ${OSH_INFRA_PATH} rabbitmq
tee /tmp/rabbitmq.yaml <<EOF
manifests:
network_policy: true
network_policy:
rabbitmq:
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: congress
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: senlin
ports:
- protocol: TCP
port: 5672
- protocol: TCP
port: 15672
- protocol: TCP
port: 25672
- protocol: TCP
port: 20000
EOF
#NOTE: Deploy command #NOTE: Deploy command
: ${OSH_EXTRA_HELM_ARGS:=""} : ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install rabbitmq ${OSH_INFRA_PATH}/rabbitmq \ helm upgrade --install rabbitmq ${OSH_INFRA_PATH}/rabbitmq \
--namespace=openstack \ --namespace=openstack \
--values=/tmp/rabbitmq.yaml \
--set pod.replicas.server=1 \ --set pod.replicas.server=1 \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_RABBITMQ} ${OSH_EXTRA_HELM_ARGS_RABBITMQ}
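Review bot: The `from` list in the `/tmp/rabbitmq.yaml` heredoc has no `application: rabbitmq` entry, unlike the mariadb values in this change, which admit their own pods. Port 25672 is RabbitMQ's inter-node port, so once the policy is enforced a second server pod would presumably be unable to join the cluster. The gate would not notice, because it installs with `--set pod.replicas.server=1`. Adding a `- podSelector:` entry with `matchLabels:` / `application: rabbitmq` to the list would cover it, and 25672 could then be moved into a rule of its own that names only that peer. The script continues past the end of the hunk.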


@ -23,6 +23,7 @@ make keystone
: ${OSH_EXTRA_HELM_ARGS:=""} : ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install keystone ./keystone \ helm upgrade --install keystone ./keystone \
--namespace=openstack \ --namespace=openstack \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_KEYSTONE} ${OSH_EXTRA_HELM_ARGS_KEYSTONE}


@ -22,6 +22,7 @@ make heat
: ${OSH_EXTRA_HELM_ARGS:=""} : ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install heat ./heat \ helm upgrade --install heat ./heat \
--namespace=openstack \ --namespace=openstack \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_HEAT} ${OSH_EXTRA_HELM_ARGS_HEAT}


@ -25,6 +25,7 @@ helm upgrade --install horizon ./horizon \
--namespace=openstack \ --namespace=openstack \
--set network.node_port.enabled=true \ --set network.node_port.enabled=true \
--set network.node_port.port=31000 \ --set network.node_port.port=31000 \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_HORIZON} ${OSH_EXTRA_HELM_ARGS_HORIZON}


@ -19,10 +19,20 @@ set -xe
: ${OSH_INFRA_PATH:="../openstack-helm-infra"} : ${OSH_INFRA_PATH:="../openstack-helm-infra"}
make -C ${OSH_INFRA_PATH} openvswitch make -C ${OSH_INFRA_PATH} openvswitch
tee /tmp/openvswitch.yaml <<EOF
manifests:
network_policy: true
network_policy:
openvswitch:
ingress:
- {}
EOF
#NOTE: Deploy command #NOTE: Deploy command
: ${OSH_EXTRA_HELM_ARGS:=""} : ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install openvswitch ${OSH_INFRA_PATH}/openvswitch \ helm upgrade --install openvswitch ${OSH_INFRA_PATH}/openvswitch \
--namespace=openstack \ --namespace=openstack \
--values=/tmp/openvswitch.yaml \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_OPENVSWITCH} ${OSH_EXTRA_HELM_ARGS_OPENVSWITCH}
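Review bot: `ingress: - {}` in the `/tmp/openvswitch.yaml` heredoc is an empty rule that matches every source and every port, so `network_policy: true` here produces a policy that restricts nothing. Assuming the lockdown release applies a default deny, it also reopens these pods. If that is deliberate, it deserves a comment above the `tee` line, for example `#NOTE: allow-all ingress for now; tighten once the required peers are known`, so a reader does not take the flag as evidence of isolation. The libvirt values hunk uses the same `- {}` rule and would want the same comment.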


@ -19,10 +19,33 @@ set -xe
#NOTE: Deploy command #NOTE: Deploy command
: ${OSH_INFRA_PATH:="../openstack-helm-infra"} : ${OSH_INFRA_PATH:="../openstack-helm-infra"}
: ${OSH_EXTRA_HELM_ARGS:=""} : ${OSH_EXTRA_HELM_ARGS:=""}
tee /tmp/ldap.yaml <<EOF
manifests:
network_policy: true
network_policy:
ldap:
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: ldap
- podSelector:
matchLabels:
application: ingress
ports:
- protocol: TCP
port: 389
EOF
helm upgrade --install ldap ${OSH_INFRA_PATH}/ldap \ helm upgrade --install ldap ${OSH_INFRA_PATH}/ldap \
--namespace=openstack \ --namespace=openstack \
--set pod.replicas.server=1 \ --set pod.replicas.server=1 \
--set bootstrap.enabled=true \ --set bootstrap.enabled=true \
--values=/tmp/ldap.yaml \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_LDAP} ${OSH_EXTRA_HELM_ARGS_LDAP}
@ -40,6 +63,7 @@ make pull-images keystone
helm upgrade --install keystone ./keystone \ helm upgrade --install keystone ./keystone \
--namespace=openstack \ --namespace=openstack \
--values=./tools/overrides/keystone/ldap_domain_config.yaml \ --values=./tools/overrides/keystone/ldap_domain_config.yaml \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_KEYSTONE} ${OSH_EXTRA_HELM_ARGS_KEYSTONE}


@ -45,6 +45,7 @@ fi
helm upgrade --install glance ./glance \ helm upgrade --install glance ./glance \
--namespace=openstack \ --namespace=openstack \
--values=/tmp/glance.yaml \ --values=/tmp/glance.yaml \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_GLANCE} ${OSH_EXTRA_HELM_ARGS_GLANCE}


@ -19,11 +19,21 @@ set -xe
: ${OSH_INFRA_PATH:="../openstack-helm-infra"} : ${OSH_INFRA_PATH:="../openstack-helm-infra"}
make -C ${OSH_INFRA_PATH} libvirt make -C ${OSH_INFRA_PATH} libvirt
tee /tmp/libvirt.yaml <<EOF
manifests:
network_policy: true
network_policy:
libvirt:
ingress:
- {}
EOF
#NOTE: Deploy command #NOTE: Deploy command
: ${OSH_EXTRA_HELM_ARGS:=""} : ${OSH_EXTRA_HELM_ARGS:=""}
helm upgrade --install libvirt ${OSH_INFRA_PATH}/libvirt \ helm upgrade --install libvirt ${OSH_INFRA_PATH}/libvirt \
--namespace=openstack \ --namespace=openstack \
--set conf.ceph.enabled=false \ --set conf.ceph.enabled=false \
--values=/tmp/libvirt.yaml \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_LIBVIRT} ${OSH_EXTRA_HELM_ARGS_LIBVIRT}


@ -26,6 +26,7 @@ if [ "x$(systemd-detect-virt)" == "xnone" ]; then
helm upgrade --install nova ./nova \ helm upgrade --install nova ./nova \
--namespace=openstack \ --namespace=openstack \
--set conf.ceph.enabled=false \ --set conf.ceph.enabled=false \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NOVA} ${OSH_EXTRA_HELM_ARGS_NOVA}
else else
@ -35,6 +36,7 @@ else
--set conf.ceph.enabled=false \ --set conf.ceph.enabled=false \
--set conf.nova.libvirt.virt_type=qemu \ --set conf.nova.libvirt.virt_type=qemu \
--set conf.nova.libvirt.cpu_mode=none \ --set conf.nova.libvirt.cpu_mode=none \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NOVA} ${OSH_EXTRA_HELM_ARGS_NOVA}
fi fi
@ -68,6 +70,7 @@ EOF
helm upgrade --install neutron ./neutron \ helm upgrade --install neutron ./neutron \
--namespace=openstack \ --namespace=openstack \
--values=/tmp/neutron.yaml \ --values=/tmp/neutron.yaml \
--set manifests.network_policy=true \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_NEUTRON} ${OSH_EXTRA_HELM_ARGS_NEUTRON}


@ -69,6 +69,17 @@
./tools/deployment/developer/nfs/040-nfs-provisioner.sh ./tools/deployment/developer/nfs/040-nfs-provisioner.sh
args: args:
chdir: "{{ zuul_osh_relative_path | default(zuul.project.src_dir) }}" chdir: "{{ zuul_osh_relative_path | default(zuul.project.src_dir) }}"
- name: Lockdown all the ingress
environment:
OSH_OPENSTACK_RELEASE: "{{ osh_openstack_release }}"
OSH_EXTRA_HELM_ARGS: "{{ zuul_osh_extra_helm_args_relative_path | default('') }}"
OSH_INFRA_PATH: "{{ zuul_osh_infra_relative_path | default('') }}"
zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
shell: |
set -xe;
./tools/deployment/developer/common/049-lockdown.sh
args:
chdir: "{{ zuul_osh_relative_path | default(zuul.project.src_dir) }}"
- name: Deploy Mariadb - name: Deploy Mariadb
environment: environment:
OSH_OPENSTACK_RELEASE: "{{ osh_openstack_release }}" OSH_OPENSTACK_RELEASE: "{{ osh_openstack_release }}"
@ -215,3 +226,14 @@
./tools/deployment/developer/nfs/900-use-it.sh ./tools/deployment/developer/nfs/900-use-it.sh
args: args:
chdir: "{{ zuul_osh_relative_path | default(zuul.project.src_dir) }}" chdir: "{{ zuul_osh_relative_path | default(zuul.project.src_dir) }}"
- name: Test network policy
environment:
OSH_OPENSTACK_RELEASE: "{{ osh_openstack_release }}"
OSH_EXTRA_HELM_ARGS: "{{ zuul_osh_extra_helm_args_relative_path | default('') }}"
OSH_INFRA_PATH: "{{ zuul_osh_infra_relative_path | default('') }}"
zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
shell: |
set -xe;
./tools/deployment/common/test-networkpolicy.sh
args:
chdir: "{{ zuul_osh_relative_path | default(zuul.project.src_dir) }}"