Implements egress network policy

This patch set adds in the egress policy for core OpenStack Services.

Depends-On: https://review.opendev.org/#/c/679853/

Change-Id: I585ddabcbd640db784520c913af8eddecaee3843
Signed-off-by: Tin Lam <tlam@omegaprime.dev>

barbican/values.yaml

@@ -662,6 +662,30 @@ endpoints:
         default: 24224
       metrics:
         default: 24220
+  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
+  # They are using to enable the Egress K8s network policy.
+  kube_dns:
+    namespace: kube-system
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns:
+        default: 53
+        protocol: UDP
+  ingress:
+    namespace: null
+    name: ingress
+    hosts:
+      default: ingress
+    port:
+      ingress:
+        default: 80
 
 manifests:
   configmap_bin: true

cinder/values.yaml

@@ -1408,19 +1408,28 @@ endpoints:
         default: 24224
       metrics:
         default: 24220
-  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
-  # They are using to enable the Egress K8s network policy.
-  k8s:
-    port:
-      api:
-        default: 6443
-        internal: 5000
-  default:
-    namespace: default
-  kube_system:
+  kube_dns:
     namespace: kube-system
-  kube_public:
-    namespace: kube-public
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns:
+        default: 53
+        protocol: UDP
+  ingress:
+    namespace: null
+    name: ingress
+    hosts:
+      default: ingress
+    port:
+      ingress:
+        default: 80
 
 network_policy:
   cinder:

cinder/values_overrides/netpol.yaml

@@ -1,2 +1,17 @@
 manifests:
   network_policy: true
+network_policy:
+  cinder:
+    egress:
+      - to:
+        - ipBlock:
+            cidr: 172.17.0.1/16
+      - to:
+        - ipBlock:
+            cidr: $API_ADDR/16
+      - to:
+        - ipBlock:
+            cidr: $API_ADDR/32
+        ports:
+          - protocol: TCP
+            port: $API_PORT

glance/values.yaml

@@ -774,21 +774,6 @@ endpoints:
         default: 24224
       metrics:
         default: 24220
-  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
-  # They are using to enable the Egress K8s network policy.
-  k8s:
-    port:
-      api:
-        default: 6443
-        internal: 5000
-      http:
-        default: 80
-  default:
-    namespace: default
-  kube_system:
-    namespace: kube-system
-  kube_public:
-    namespace: kube-public
   dashboard:
     name: horizon
     hosts:
@@ -812,6 +797,30 @@ endpoints:
       web:
         default: 80
         public: 443
+  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
+  # They are using to enable the Egress K8s network policy.
+  kube_dns:
+    namespace: kube-system
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns:
+        default: 53
+        protocol: UDP
+  ingress:
+    namespace: null
+    name: ingress
+    hosts:
+      default: ingress
+    port:
+      ingress:
+        default: 80
 
 pod:
   security_context:

glance/values_overrides/netpol.yaml

@@ -1,8 +1,8 @@
 manifests:
   network_policy: true
 #NOTE(gagehugo): Test this whitelist when the netpol gate works
-#network_policy:
-#  glance:
+network_policy:
+  glance:
 #    ingress:
 #      - from:
 #        - podSelector:
@@ -33,3 +33,16 @@ manifests:
 #          port: 9191
 #        - protocol: TCP
 #          port: 9292
+    egress:
+      - to:
+        ports:
+          - protocol: TCP
+            port: 80
+          - protocol: TCP
+            port: 443
+      - to:
+        - ipBlock:
+            cidr: $API_ADDR/32
+        ports:
+          - protocol: TCP
+            port: $API_PORT

heat/values.yaml

@@ -1002,21 +1002,30 @@ endpoints:
         default: 24224
       metrics:
         default: 24220
-  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
   # They are using to enable the Egress K8s network policy.
-  k8s:
-    port:
-      api:
-        default: 6443
-        internal: 5000
-      http:
-        default: 80
-  default:
-    namespace: default
-  kube_system:
+  kube_dns:
     namespace: kube-system
-  kube_public:
-    namespace: kube-public
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns:
+        default: 53
+        protocol: UDP
+  ingress:
+    namespace: null
+    name: ingress
+    hosts:
+      default: ingress
+    port:
+      ingress:
+        default: 80
 
 pod:
   security_context:

heat/values_overrides/netpol.yaml

@@ -1,8 +1,8 @@
 manifests:
   network_policy: true
 #NOTE(gagehugo): Test these once the netpol gate works
-#network_policy:
-#  heat:
+network_policy:
+  heat:
 #    ingress:
 #      - from:
 #        - podSelector:
@@ -23,17 +23,26 @@ manifests:
 #          port: 8003
 #        - protocol: TCP
 #          port: 8004
-#    egress:
-#      - to:
-#        - podSelector:
-#            matchLabels:
-#              application: neutron
-#        - podSelector:
-#            matchLabels:
-#              application: nova
-#        - podSelector:
-#            matchLabels:
-#              application: glance
-#        - podSelector:
-#            matchLabels:
-#              application: cinder
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              application: neutron
+      - to:
+        - podSelector:
+            matchLabels:
+              application: nova
+      - to:
+        - podSelector:
+            matchLabels:
+              application: glance
+      - to:
+        - podSelector:
+            matchLabels:
+              application: cinder
+      - to:
+        - ipBlock:
+            cidr: $API_ADDR/32
+        ports:
+          - protocol: TCP
+            port: $API_PORT

horizon/values.yaml

@@ -2219,19 +2219,30 @@ endpoints:
     port:
       mysql:
         default: 3306
-  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
   # They are using to enable the Egress K8s network policy.
-  k8s:
-    port:
-      api:
-        default: 6443
-        internal: 5000
-  default:
-    namespace: default
-  kube_system:
+  kube_dns:
     namespace: kube-system
-  kube_public:
-    namespace: kube-public
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns:
+        default: 53
+        protocol: UDP
+  ingress:
+    namespace: null
+    name: ingress
+    hosts:
+      default: ingress
+    port:
+      ingress:
+        default: 80
 
 network_policy:
   horizon:

horizon/values_overrides/netpol.yaml

@@ -20,3 +20,34 @@ network_policy:
             protocol: TCP
           - port: 443
             protocol: TCP
+    egress:
+      - to:
+        - podSelector:
+            matchLabels:
+              application: neutron
+      - to:
+        - podSelector:
+            matchLabels:
+              application: nova
+      - to:
+        - podSelector:
+            matchLabels:
+              application: glance
+      - to:
+        - podSelector:
+            matchLabels:
+              application: cinder
+      - to:
+        - podSelector:
+            matchLabels:
+              application: keystone
+      - to:
+        - podSelector:
+            matchLabels:
+              application: heat
+      - to:
+        - ipBlock:
+            cidr: $API_ADDR/32
+        ports:
+          - protocol: TCP
+            port: $API_PORT

keystone/values.yaml

@@ -1210,19 +1210,30 @@ endpoints:
         default: 24224
       metrics:
         default: 24220
-  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
   # They are using to enable the Egress K8s network policy.
-  k8s:
-    port:
-      api:
-        default: 6443
-        internal: 5000
-  default:
-    namespace: default
-  kube_system:
+  kube_dns:
     namespace: kube-system
-  kube_public:
-    namespace: kube-public
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns:
+        default: 53
+        protocol: UDP
+  ingress:
+    namespace: null
+    name: ingress
+    hosts:
+      default: ingress
+    port:
+      ingress:
+        default: 80
 
 manifests:
   configmap_bin: true

keystone/values_overrides/netpol.yaml

@@ -63,17 +63,10 @@ network_policy:
           port: 5000
         - protocol: TCP
           port: 35357
-#    egress:
-#      - to:
-#        - namespaceSelector:
-#            matchLabels:
-#              name: ceph
-#      - to:
-#        - podSelector:
-#            matchLabels:
-#              application: ceph
-#      - ports:
-#        - port: 53
-#          protocol: UDP
-#        - port: 53
-#          protocol: TCP
+    egress:
+      - to:
+        - ipBlock:
+            cidr: $API_ADDR/32
+        ports:
+          - protocol: TCP
+            port: $API_PORT

neutron/values.yaml

@@ -2303,20 +2303,30 @@ endpoints:
       api:
         default: 6385
         public: 80
-
-  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
   # They are using to enable the Egress K8s network policy.
-  k8s:
-    port:
-      api:
-        default: 6443
-        internal: 5000
-  default:
-    namespace: default
-  kube_system:
+  kube_dns:
     namespace: kube-system
-  kube_public:
-    namespace: kube-public
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns:
+        default: 53
+        protocol: UDP
+  ingress:
+    namespace: null
+    name: ingress
+    hosts:
+      default: ingress
+    port:
+      ingress:
+        default: 80
 
 network_policy:
   neutron:

neutron/values_overrides/netpol.yaml

@@ -1,2 +1,11 @@
 manifests:
   network_policy: true
+network_policy:
+  neutron:
+    egress:
+      - to:
+        - ipBlock:
+            cidr: $API_ADDR/32
+        ports:
+          - protocol: TCP
+            port: $API_PORT

nova/values.yaml

@@ -2122,19 +2122,30 @@ endpoints:
         default: 24224
       metrics:
         default: 24220
-  #NOTE(tp6510): these endpoints allow for things like DNS lookups and apiserver access.
+  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
   # They are using to enable the Egress K8s network policy.
-  k8s:
-    port:
-      api:
-        default: 6443
-        internal: 5000
-  default:
-    namespace: default
-  kube_system:
+  kube_dns:
     namespace: kube-system
-  kube_public:
-    namespace: kube-public
+    name: kubernetes-dns
+    hosts:
+      default: kube-dns
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme: http
+    port:
+      dns:
+        default: 53
+        protocol: UDP
+  ingress:
+    namespace: null
+    name: ingress
+    hosts:
+      default: ingress
+    port:
+      ingress:
+        default: 80
 
 pod:
   user:

nova/values_overrides/netpol.yaml

@@ -1,2 +1,19 @@
 manifests:
   network_policy: true
+network_policy:
+  nova:
+    egress:
+      - to:
+        - ipBlock:
+            cidr: $API_ADDR/32
+        ports:
+          - protocol: TCP
+            port: $API_PORT
+  placement:
+    egress:
+      - to:
+        - ipBlock:
+            cidr: $API_ADDR/32
+        ports:
+          - protocol: TCP
+            port: $API_PORT

tools/deployment/common/env-variables.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+export API_ADDR=$(kubectl get endpoints kubernetes -o json | jq -r '.subsets[0].addresses[0].ip')
+export API_PORT=$(kubectl get endpoints kubernetes -o json | jq -r '.subsets[0].ports[0].port')

tools/deployment/common/get-values-overrides.sh

@@ -59,13 +59,15 @@ function override_file_args () {
     echoerr "We will attempt to use values-override files with the following paths:"
     for FILE in $(combination ${1//,/ } | uniq | tac); do
       FILE_PATH="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides/${FILE}.yaml"
-       if [ -f "${FILE_PATH}" ]; then
-        OVERRIDE_ARGS+=" --values=${FILE_PATH} "
-       fi
-       echoerr "${FILE_PATH}"
+      if [ -f "${FILE_PATH}" ]; then
+        envsubst < ${FILE_PATH} > /tmp/${HELM_CHART}-${FILE}.yaml
+        OVERRIDE_ARGS+=" --values=/tmp/${HELM_CHART}-${FILE}.yaml "
+      fi
+        echoerr "${FILE_PATH}"
     done
     echo "${OVERRIDE_ARGS}"
 }
 
 echoerr "We are going to deploy the service ${HELM_CHART} for the OpenStack ${OPENSTACK_RELEASE} release, using ${CONTAINER_DISTRO_NAME} (${CONTAINER_DISTRO_VERSION}) distribution containers."
+source ../openstack-helm/tools/deployment/common/env-variables.sh
 override_file_args "${OSH_FEATURE_MIX}"