From 2d36d5f7cee25b99c3b3549fc611c3e701d91fec Mon Sep 17 00:00:00 2001
From: Meg Heisler
Date: Mon, 18 Feb 2019 10:17:24 -0600
Subject: [PATCH] Add ingress network policy to kube-state-metrics and openstack-exporter

This adds ingress network policies to kube-state-metrics and openstack-exporter using the helm-toolikit template. It also add openstack-exporter to the network policy jobs.

Change-Id: I3bfc2f1e8a35c09e577a046ebd52346de95e5745
---
 .../templates/network_policy.yaml | 19 ++++++
 prometheus-kube-state-metrics/values.yaml | 1 +
 .../templates/network_policy.yaml | 19 ++++++
 prometheus-openstack-exporter/values.yaml | 1 +
 .../network-policy/070-kube-state-metrics.sh | 57 ++++++++++++++++-
 .../network-policy/901-test-networkpolicy.sh | 3 +-
 .../network-policy/openstack-exporter.sh | 61 +++++++++++++++++++
 zuul.d/jobs.yaml | 2 +
 8 files changed, 161 insertions(+), 2 deletions(-)
 create mode 100644 prometheus-kube-state-metrics/templates/network_policy.yaml
 create mode 100644 prometheus-openstack-exporter/templates/network_policy.yaml
 mode change 120000 => 100755 tools/deployment/network-policy/070-kube-state-metrics.sh
 create mode 100755 tools/deployment/network-policy/openstack-exporter.sh
diff --git a/prometheus-kube-state-metrics/templates/network_policy.yaml b/prometheus-kube-state-metrics/templates/network_policy.yaml
new file mode 100644
index 000000000..f0fc256be
--- /dev/null
+++ b/prometheus-kube-state-metrics/templates/network_policy.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License. */}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "kube-state-metrics" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/prometheus-kube-state-metrics/values.yaml b/prometheus-kube-state-metrics/values.yaml
index 628afbbd1..1f2208f3d 100644
--- a/prometheus-kube-state-metrics/values.yaml
+++ b/prometheus-kube-state-metrics/values.yaml
@@ -155,6 +155,7 @@ manifests:
 configmap_bin: true
 deployment: true
 job_image_repo_sync: true
+ network_policy: false
 service_kube_state_metrics: true
 service_controller_manager: true
 service_scheduler: true
diff --git a/prometheus-openstack-exporter/templates/network_policy.yaml b/prometheus-openstack-exporter/templates/network_policy.yaml
new file mode 100644
index 000000000..d957d11bc
--- /dev/null
+++ b/prometheus-openstack-exporter/templates/network_policy.yaml
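Review bot: In prometheus-kube-state-metrics/values.yaml the hunk adds only the `network_policy: false` toggle under `manifests:`; no default `network_policy:` rule stanza is added next to it (the diffstat shows a single added line), so unless one already exists outside the hunk the ingress rules come solely from deployment-time overrides. An operator who flips the toggle to `true` without supplying `network_policy.kube-state-metrics.ingress` then depends on how the helm-toolkit helper treats a missing key, which is not visible here. Consider adding an explicit default with a comment such as `# ingress rules rendered when manifests.network_policy is true`, and do the same in prometheus-openstack-exporter/values.yaml.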
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License. */}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus-openstack-exporter" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/prometheus-openstack-exporter/values.yaml b/prometheus-openstack-exporter/values.yaml
index 621cd524b..899d56dd8 100644
--- a/prometheus-openstack-exporter/values.yaml
+++ b/prometheus-openstack-exporter/values.yaml
@@ -198,5 +198,6 @@ manifests:
 deployment: true
 job_image_repo_sync: true
 job_ks_user: true
+ network_policy: false
 secret_keystone: true
 service: true
diff --git a/tools/deployment/network-policy/070-kube-state-metrics.sh b/tools/deployment/network-policy/070-kube-state-metrics.sh
deleted file mode 120000
index 2a18ebb8b..000000000
--- a/tools/deployment/network-policy/070-kube-state-metrics.sh
+++ /dev/null
@@ -1 +0,0 @@
-../common/070-kube-state-metrics.sh
\ No newline at end of file
diff --git a/tools/deployment/network-policy/070-kube-state-metrics.sh b/tools/deployment/network-policy/070-kube-state-metrics.sh
new file mode 100755
index 000000000..ad78ebaed
--- /dev/null
+++ b/tools/deployment/network-policy/070-kube-state-metrics.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -xe
+
+#NOTE: Lint and package chart
+make prometheus-kube-state-metrics
+
+tee /tmp/kube-state-metrics.yaml << EOF
+manifests:
+ network_policy: true
+network_policy:
+ kube-state-metrics:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: kube-state-metrics
+ - namespaceSelector:
+ matchLabels:
+ name: osh-infra
+ podSelector:
+ matchLabels:
+ application: prometheus
+ ports:
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 8080
+ - protocol: TCP
+ port: 443
+EOF
+
+#NOTE: Deploy command
+helm upgrade --install prometheus-kube-state-metrics \
+ ./prometheus-kube-state-metrics --namespace=kube-system \
+ --values=/tmp/kube-state-metrics.yaml
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh kube-system
+
+#NOTE: Validate Deployment info
+helm status prometheus-kube-state-metrics
diff --git a/tools/deployment/network-policy/901-test-networkpolicy.sh b/tools/deployment/network-policy/901-test-networkpolicy.sh
index 80c63e837..8ef5c909f 100755
--- a/tools/deployment/network-policy/901-test-networkpolicy.sh
+++ b/tools/deployment/network-policy/901-test-networkpolicy.sh
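Review bot: In tools/deployment/network-policy/070-kube-state-metrics.sh the `ports:` list of the heredoc policy admits TCP 80, 8080 and 443, which is wider than an allow-list for a metrics scrape needs if the pod listens on one port. The chart's container and service ports are not shown in this patch, so confirm which are actually served and drop the rest, keeping for example only `- protocol: TCP` / `port: 8080`. openstack-exporter.sh has the same pattern: it opens 80 alongside 9103, while the test added in this commit targets only 9103.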
@@ -54,6 +54,7 @@ test_netpol osh-infra mariadb server elasticsearch.osh-infra.svc.cluster.local f test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail test_netpol osh-infra mariadb server prometheus.osh-infra.svc.cluster.local fail test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail +test_netpol osh-infra mariadb server openstack-metrics.openstack.svc.cluster.local:9103 fail # Doing positive tests -test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success \ No newline at end of file +test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success diff --git a/tools/deployment/network-policy/openstack-exporter.sh b/tools/deployment/network-policy/openstack-exporter.sh new file mode 100755 index 000000000..cb22d7832 --- /dev/null +++ b/tools/deployment/network-policy/openstack-exporter.sh 
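Review bot: The only check added to 901-test-networkpolicy.sh for the new policies is a negative one, `test_netpol osh-infra mariadb server openstack-metrics.openstack.svc.cluster.local:9103 fail`, and a `fail` outcome would presumably also result when the name does not resolve or nothing listens on 9103, so it does not show that the NetworkPolicy is what blocks the connection. Pairing it with a positive case from the allowed peer, e.g. `test_netpol osh-infra prometheus <component> openstack-metrics.openstack.svc.cluster.local:9103 success`, would pin both sides of the rule; the component label of the Prometheus pods is not visible here, hence the placeholder. kube-state-metrics receives a policy in this commit but no test line at all. `test_netpol` is defined outside the hunk, so how it decides `fail` is inferred from the call sites.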
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -xe
+
+#NOTE: Lint and package chart
+make prometheus-openstack-exporter
+
+tee /tmp/prometheus-openstack-exporter.yaml << EOF
+manifests:
+ job_ks_user: false
+ network_policy: true
+dependencies:
+ static:
+ prometheus_openstack_exporter:
+ jobs: null
+ services: null
+network_policy:
+ prometheus-openstack-exporter:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: prometheus-openstack-exporter
+ - namespaceSelector:
+ matchLabels:
+ name: osh-infra
+ podSelector:
+ matchLabels:
+ application: prometheus
+ ports:
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 9103
+EOF
+
+#NOTE: Deploy command
+helm upgrade --install prometheus-openstack-exporter \
+ ./prometheus-openstack-exporter \
+ --namespace=openstack \
+ --values=/tmp/prometheus-openstack-exporter.yaml
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh openstack
+
+#NOTE: Validate Deployment info
+helm status prometheus-openstack-exporter
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index efb958d8e..d9cab7bff 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
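Review bot: In tools/deployment/network-policy/openstack-exporter.sh the second `from` peer identifies Prometheus through a `namespaceSelector` on `name: osh-infra`, and nothing in this patch sets or verifies that label on the namespace. Namespace labels are ordinary metadata: if `osh-infra` does not carry `name=osh-infra` the peer matches nothing and Prometheus scrapes are not admitted, and any other namespace given the same label is matched as well. A comment above the heredoc such as `#NOTE: requires namespace osh-infra to be labelled name=osh-infra` would record the dependency; 070-kube-state-metrics.sh uses the same selector.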
@@ -190,8 +190,10 @@ - ./tools/deployment/network-policy/120-elasticsearch.sh - ./tools/deployment/network-policy/130-fluent-logging.sh - ./tools/deployment/network-policy/140-kibana.sh + - ./tools/deployment/network-policy/openstack-exporter.sh - ./tools/deployment/network-policy/901-test-networkpolicy.sh + - job: name: openstack-helm-infra-openstack-support parent: openstack-helm-infra-functional