From 313fe0ca3e4b259698d31321b86fe9d6237f1019 Mon Sep 17 00:00:00 2001
From: "Huang, Sophie (sh879n)"
Date: Thu, 12 Sep 2019 17:06:05 -0500
Subject: [PATCH] Add keystone ingress netpol
Change-Id: I75874b475039c1f7469f11e02e2231254cc9d8ca
Signed-off-by: Huang, Sophie (sh879n)
---
 keystone/values_overrides/netpol.yaml | 131 +++++++++---------
 tools/deployment/common/test-networkpolicy.sh | 13 ++
 zuul.d/jobs-openstack-helm.yaml | 1 +
 3 files changed, 77 insertions(+), 68 deletions(-)
diff --git a/keystone/values_overrides/netpol.yaml b/keystone/values_overrides/netpol.yaml
index d80d31bed2..b26f9b5291 100644
--- a/keystone/values_overrides/netpol.yaml
+++ b/keystone/values_overrides/netpol.yaml
@@ -1,73 +1,68 @@
 manifests:
 network_policy: true
-#NOTE(gagehugo): Test the below whitelist after netpol gate works
-#network_policy:
-# keystone:
-# ingress:
-# - from:
-# - podSelector:
-# matchLabels:
-# application: ceph
-# - podSelector:
-# matchLabels:
-# application: ingress
-# - podSelector:
-# matchLabels:
-# application: keystone
-# - podSelector:
-# matchLabels:
-# application: heat
-# - podSelector:
-# matchLabels:
-# application: glance
-# - podSelector:
-# matchLabels:
-# application: cinder
-# - podSelector:
-# matchLabels:
-# application: congress
-# - podSelector:
-# matchLabels:
-# application: barbican
-# - podSelector:
-# matchLabels:
-# application: ceilometer
-# - podSelector:
-# matchLabels:
-# application: horizon
-# - podSelector:
-# matchLabels:
-# application: ironic
-# - podSelector:
-# matchLabels:
-# application: magnum
-# - podSelector:
-# matchLabels:
-# application: mistral
-# - podSelector:
-# matchLabels:
-# application: nova
-# - podSelector:
-# matchLabels:
-# application: neutron
-# - podSelector:
-# matchLabels:
-# application: senlin
-# - podSelector:
-# matchLabels:
-# application: placement
-# - podSelector:
-# matchLabels:
-# application: prometheus-openstack-exporter
-# ports:
-# - protocol: TCP
-# port: 80
-# - protocol: TCP
-# port: 443
-# - protocol: TCP
-# port: 5000
-# - protocol: TCP
-# port: 35357
+network_policy:
+ keystone:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: ceph
+ - podSelector:
+ matchLabels:
+ application: ingress
+ - podSelector:
+ matchLabels:
+ application: keystone
+ - podSelector:
+ matchLabels:
+ application: heat
+ - podSelector:
+ matchLabels:
+ application: glance
+ - podSelector:
+ matchLabels:
+ application: cinder
+ - podSelector:
+ matchLabels:
+ application: congress
+ - podSelector:
+ matchLabels:
+ application: barbican
+ - podSelector:
+ matchLabels:
+ application: ceilometer
+ - podSelector:
+ matchLabels:
+ application: horizon
+ - podSelector:
+ matchLabels:
+ application: ironic
+ - podSelector:
+ matchLabels:
+ application: magnum
+ - podSelector:
+ matchLabels:
+ application: mistral
+ - podSelector:
+ matchLabels:
+ application: nova
+ - podSelector:
+ matchLabels:
+ application: neutron
+ - podSelector:
+ matchLabels:
+ application: senlin
+ - podSelector:
+ matchLabels:
+ application: placement
+ - podSelector:
+ matchLabels:
+ application: prometheus-openstack-exporter
+ ports:
+ - protocol: TCP
+ port: 5000
+ - protocol: TCP
+ port: 35357
 # egress:
 # - to:
 # - namespaceSelector:
diff --git a/tools/deployment/common/test-networkpolicy.sh b/tools/deployment/common/test-networkpolicy.sh
index b7f5db7759..d971404477 100755
--- a/tools/deployment/common/test-networkpolicy.sh
+++ b/tools/deployment/common/test-networkpolicy.sh
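Review bot: The new ingress rule admits the whitelisted pods on both 5000 and 35357, but every test this commit adds in tools/deployment/common/test-networkpolicy.sh only exercises keystone-api on port 5000, so the 35357 opening is verified in neither direction. 35357 is the legacy keystone admin port; if the chart's keystone-api service no longer listens there, drop `- protocol: TCP` / `port: 35357` so the policy allows no more than the service uses, otherwise add a positive and a negative test for it alongside the 5000 ones. Each `podSelector` here carries no `namespaceSelector`, so it only matches pods in the policy's own namespace; the `application: ceph` entry is a no-op if the ceph pods run elsewhere, which is worth confirming rather than keeping a selector that admits nothing. The old commented block also listed ports 80 and 443; dropping them looks intentional, and a one-line comment above `ports:` saying why would stop the next reader from re-adding them.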
@@ -43,15 +43,22 @@ function test_netpol {
 #test_netpol openstack mariadb server rabbitmq.openstack.svc.cluster.local:5672 fail
 #test_netpol openstack rabbitmq-rabbitmq server memcached.openstack.svc.cluster.local:11211 fail
 #test_netpol openstack memcached server mariadb.openstack.svc.cluster.local:3306 fail
+test_netpol openstack mariadb server keystone-api.openstack.svc.cluster.local:5000 fail
+test_netpol openstack mariadb ingress keystone-api.openstack.svc.cluster.local:5000 fail
+test_netpol openstack memcached server keystone-api.openstack.svc.cluster.local:5000 fail
+test_netpol openstack rabbitmq server keystone-api.openstack.svc.cluster.local:5000 fail
 # Doing positive tests
 test_netpol openstack keystone api mariadb.openstack.svc.cluster.local:3306 success
 test_netpol openstack keystone api rabbitmq.openstack.svc.cluster.local:5672 success
+test_netpol openstack ingress server keystone-api.openstack.svc.cluster.local:5000 success
+test_netpol openstack prometheus-openstack-exporter exporter keystone-api.openstack.svc.cluster.local:5000 success
 if kubectl -n openstack get pod -l application=cinder | grep Running ; then
 # Negative Cinder Tests
 #test_netpol openstack keystone api cinder-api.openstack.svc.cluster.local fail
 # Positive Cinder Tests
 test_netpol openstack cinder api rabbitmq.openstack.svc.cluster.local:5672 success
+ test_netpol openstack cinder api keystone-api.openstack.svc.cluster.local:5000 success
 else
 # Negative Compute-Kit Tests
 #test_netpol openstack keystone api heat-api.openstack.svc.cluster.local fail
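Review bot: The negative test `test_netpol openstack rabbitmq server keystone-api.openstack.svc.cluster.local:5000 fail` selects its source pod by application `rabbitmq`, while the existing commented negative test a few lines above uses `rabbitmq-rabbitmq` for what looks like the same pods; only one of those labels can match. If `test_netpol` (its body is above this hunk) resolves the source pod with a label selector and tolerates an empty result, a wrong label makes a `fail` expectation pass vacuously, so the label should be checked against `kubectl -n openstack get pod -l application=rabbitmq` and the two lines made consistent. The same check applies to `mariadb ingress`, which is the first use of that component name in this file. It would also be worth making `test_netpol` abort when no source pod is found, so negative tests cannot succeed by matching nothing.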
@@ -59,6 +66,12 @@ else
 # Positive Compute-Kit Tests
 test_netpol openstack heat api mariadb.openstack.svc.cluster.local:3306 success
 test_netpol openstack glance api mariadb.openstack.svc.cluster.local:3306 success
+ test_netpol openstack heat api keystone-api.openstack.svc.cluster.local:5000 success
+ test_netpol openstack glance api keystone-api.openstack.svc.cluster.local:5000 success
+ test_netpol openstack horizon server keystone-api.openstack.svc.cluster.local:5000 success
+ test_netpol openstack nova os-api keystone-api.openstack.svc.cluster.local:5000 success
+ test_netpol openstack nova compute keystone-api.openstack.svc.cluster.local:5000 success
+ test_netpol openstack neutron l3-agent keystone-api.openstack.svc.cluster.local:5000 success
 fi
 echo Test Success
diff --git a/zuul.d/jobs-openstack-helm.yaml b/zuul.d/jobs-openstack-helm.yaml
index ed21a9cdc7..88c0505c8e 100644
--- a/zuul.d/jobs-openstack-helm.yaml
+++ b/zuul.d/jobs-openstack-helm.yaml
@@ -289,6 +289,7 @@
 - ./tools/deployment/component/nfs-provisioner/nfs-provisioner.sh
 - ./tools/deployment/component/keystone/keystone.sh
 - ./tools/deployment/component/heat/heat.sh
+ - ./tools/deployment/component/horizon/horizon.sh
 - ./tools/deployment/component/glance/glance.sh
 - ./tools/deployment/component/compute-kit/openvswitch.sh
 - ./tools/deployment/component/compute-kit/libvirt.sh
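Review bot: The new `test_netpol openstack horizon server keystone-api.openstack.svc.cluster.local:5000 success` line in the `else` branch runs whenever cinder is absent, but horizon.sh is added to only one job list in zuul.d/jobs-openstack-helm.yaml in this commit; any other job that reaches this script without deploying horizon will find no source pod and, depending on how `test_netpol` handles that, either fail spuriously or pass vacuously. Guard it the way the cinder branch does, `if kubectl -n openstack get pod -l application=horizon | grep Running ; then` around that line, closed with `fi`. The `nova compute` and `neutron l3-agent` tests likewise assume the compute-kit scripts have already run. The enclosing if/else starts in the previous hunk.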