Merge "Add Glance ingress network policy overrides"

2020-01-13 21:07:29 +00:00 · 2020-01-13 21:07:29 +00:00 · 9ded66d17f
commit 9ded66d17f
parent ca3f9ca997 6c65d21e94
2 changed files with 37 additions and 31 deletions
--- a/glance/values_overrides/netpol.yaml
+++ b/glance/values_overrides/netpol.yaml
@ -1,38 +1,35 @@
 manifests:
  network_policy: true
-#NOTE(gagehugo): Test this whitelist when the netpol gate works
 network_policy:
  glance:
-#    ingress:
-#      - from:
-#        - podSelector:
-#            matchLabels:
-#              application: glance
-#        - podSelector:
-#            matchLabels:
-#              application: nova
-#        - podSelector:
-#            matchLabels:
-#              application: horizon
-#        - podSelector:
-#            matchLabels:
-#              application: ingress
-#        - podSelector:
-#            matchLabels:
-#              application: heat
-#        - podSelector:
-#            matchLabels:
-#              application: ironic
-#        - podSelector:
-#            matchLabels:
-#              application: cinder
-#        ports:
-#        - protocol: TCP
-#          port: 80
-#        - protocol: TCP
-#          port: 9191
-#        - protocol: TCP
-#          port: 9292
+    ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: glance
+        - podSelector:
+            matchLabels:
+              application: nova
+        - podSelector:
+            matchLabels:
+              application: horizon
+        - podSelector:
+            matchLabels:
+              application: ingress
+        - podSelector:
+            matchLabels:
+              application: heat
+        - podSelector:
+            matchLabels:
+              application: ironic
+        - podSelector:
+            matchLabels:
+              application: cinder
+        ports:
+        - protocol: TCP
+          port: 9191
+        - protocol: TCP
+          port: 9292
    egress:
      - to:
        ports:
--- a/tools/deployment/common/test-networkpolicy.sh
+++ b/tools/deployment/common/test-networkpolicy.sh
@ -69,6 +69,10 @@ else
 # Negative Compute-Kit Tests
  #test_netpol openstack keystone api heat-api.openstack.svc.cluster.local fail
  #test_netpol openstack keystone api glance-api.openstack.svc.cluster.local fail
+  test_netpol openstack mariadb server glance-api.openstack.svc.cluster.local:9292 fail
+  test_netpol openstack memcached server glance-api.openstack.svc.cluster.local:9292 fail
+  test_netpol openstack keystone api glance-api.openstack.svc.cluster.local:9292 fail
+
 # Positive Compute-Kit Tests
  test_netpol openstack heat api mariadb.openstack.svc.cluster.local:3306 success
  test_netpol openstack glance api mariadb.openstack.svc.cluster.local:3306 success
@ -78,6 +82,11 @@ else
  test_netpol openstack nova os-api keystone-api.openstack.svc.cluster.local:5000 success
  test_netpol openstack nova compute keystone-api.openstack.svc.cluster.local:5000 success
  test_netpol openstack neutron l3-agent keystone-api.openstack.svc.cluster.local:5000 success
+  test_netpol openstack ingress server glance-api.openstack.svc.cluster.local:9292 success
+  test_netpol openstack nova os-api glance-api.openstack.svc.cluster.local:9292 success
+  test_netpol openstack nova compute glance-api.openstack.svc.cluster.local:9292 success
+  test_netpol openstack heat api glance-api.openstack.svc.cluster.local:9292 success
+  test_netpol openstack horizon server glance-api.openstack.svc.cluster.local:9292 success
 fi

 echo Test Success