From 9b0820d1d65dca4c2d647f6e6aff435c58e84592 Mon Sep 17 00:00:00 2001 From: yhu6 Date: Tue, 28 May 2019 03:59:11 +0000 Subject: [PATCH] add helm chart for nginx ports control this chart is added as a part of "stx-openstack" application, in the same chart group as openstack-ingress chart, so that when "nginx-ingress-controller" starts working, http and https ports are allowed for nginx which accepts http/https requests and forwards to internal services accordingly. In the following LP#1827246, the http request of opening console of VM instance is sent to nginx 80 first, and then nginx forwards the request to "nova-novncproxy" at port 6080 internally. Closes-Bug: 1827246 Change-Id: I183f7edc92f1a9e0bdedad0afe35e3d03e20e7d5 Signed-off-by: yhu6 --- .../stx-openstack-helm/centos/build_srpm.data | 3 +- .../centos/stx-openstack-helm.spec | 1 + .../manifests/manifest.yaml | 16 ++++++++ .../nginx-ports-control/Chart.yaml | 10 +++++ .../templates/global_network_policy.yaml | 40 +++++++++++++++++++ .../nginx-ports-control/values.yaml | 21 ++++++++++ sysinv/sysinv/sysinv/setup.cfg | 1 + .../sysinv/sysinv/sysinv/common/constants.py | 1 + .../sysinv/sysinv/helm/nginx_ports_control.py | 35 ++++++++++++++++ 9 files changed, 127 insertions(+), 1 deletion(-) create mode 100644 kubernetes/helm-charts/nginx-ports-control/Chart.yaml create mode 100644 kubernetes/helm-charts/nginx-ports-control/templates/global_network_policy.yaml create mode 100644 kubernetes/helm-charts/nginx-ports-control/values.yaml create mode 100644 sysinv/sysinv/sysinv/sysinv/helm/nginx_ports_control.py
diff --git a/kubernetes/applications/stx-openstack/stx-openstack-helm/centos/build_srpm.data b/kubernetes/applications/stx-openstack/stx-openstack-helm/centos/build_srpm.data
index 370c81bfcb..b4bd115c0a 100644
--- a/kubernetes/applications/stx-openstack/stx-openstack-helm/centos/build_srpm.data
+++ b/kubernetes/applications/stx-openstack/stx-openstack-helm/centos/build_srpm.data
@@ -1,3 +1,4 @@
 SRC_DIR="stx-openstack-helm"
-COPY_LIST_TO_TAR="$PKG_BASE/../../../helm-charts/garbd"
+COPY_LIST_TO_TAR="$PKG_BASE/../../../helm-charts/garbd \
+ $PKG_BASE/../../../helm-charts/nginx-ports-control"
 TIS_PATCH_VER=16
diff --git a/kubernetes/applications/stx-openstack/stx-openstack-helm/centos/stx-openstack-helm.spec b/kubernetes/applications/stx-openstack/stx-openstack-helm/centos/stx-openstack-helm.spec
index f85b26c886..459dfc575d 100644
--- a/kubernetes/applications/stx-openstack/stx-openstack-helm/centos/stx-openstack-helm.spec
+++ b/kubernetes/applications/stx-openstack/stx-openstack-helm/centos/stx-openstack-helm.spec
@@ -60,6 +60,7 @@ make nova-api-proxy make garbd make keystone-api-proxy make fm-rest-api +make nginx-ports-control # terminate helm server (the last backgrounded task) kill %1
diff --git a/kubernetes/applications/stx-openstack/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml b/kubernetes/applications/stx-openstack/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
index 06ccc9ec7d..dc91bf87df 100644
--- a/kubernetes/applications/stx-openstack/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
+++ b/kubernetes/applications/stx-openstack/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
@@ -112,6 +112,21 @@ data:
 - helm-toolkit
 ---
 schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: openstack-nginx-ports-control
+data:
+ chart_name: nginx-ports-control
+ release: openstack-nginx-ports-control
+ namespace: openstack
+ values: {}
+ source:
+ type: tar
+ location: http://172.17.0.1/helm_charts/starlingx/nginx-ports-control-0.1.0.tgz
+ subpath: nginx-ports-control
+ dependencies: []
+---
+schema: armada/Chart/v1
 metadata:
 schema: metadata/Document/v1
 name: openstack-mariadb
@@ -3101,6 +3116,7 @@ data:
 sequenced: false
 chart_group:
 - openstack-ingress
+ - openstack-nginx-ports-control
 ---
 schema: armada/ChartGroup/v1
 metadata:
diff --git a/kubernetes/helm-charts/nginx-ports-control/Chart.yaml b/kubernetes/helm-charts/nginx-ports-control/Chart.yaml
new file mode 100644
index 0000000000..aa0bb695fd
--- /dev/null
+++ b/kubernetes/helm-charts/nginx-ports-control/Chart.yaml
@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2019 Intel, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+apiVersion: v1
+description: Nginx Ports Control
+name: nginx-ports-control
+version: 0.1.0
diff --git a/kubernetes/helm-charts/nginx-ports-control/templates/global_network_policy.yaml b/kubernetes/helm-charts/nginx-ports-control/templates/global_network_policy.yaml
new file mode 100644
index 0000000000..46ada1c0c8
--- /dev/null
+++ b/kubernetes/helm-charts/nginx-ports-control/templates/global_network_policy.yaml
@@ -0,0 +1,40 @@
+{{/*
+Copyright (c) 2019 Intel, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.global_network_policy -}}
+{{- $http_port := .Values.global_network_policy.ingress.destination.http_port}}
+{{- $https_port := .Values.global_network_policy.ingress.destination.https_port}}
+---
+apiVersion: "crd.projectcalico.org/v1"
+kind: GlobalNetworkPolicy
+metadata:
+ name: gnp-for-nginx-ports
+ namespace: openstack
+spec:
+ selector: "has(iftype) && iftype == 'oam'"
+ order: 100
+ applyOnForward: false
+ types:
+ - Ingress
+ - Egress
+ ingress:
+ - action: Allow
+ ipVersion: {{ .Values.global_network_policy.ingress.ipVersion }}
+ protocol: {{ .Values.global_network_policy.ingress.protocol }}
+ destination:
+ ports: [{{$http_port}}, {{$https_port}}]
+ egress:
+ - action: Allow
+{{- end -}}
diff --git a/kubernetes/helm-charts/nginx-ports-control/values.yaml b/kubernetes/helm-charts/nginx-ports-control/values.yaml
new file mode 100644
index 0000000000..56405e0f65
--- /dev/null
+++ b/kubernetes/helm-charts/nginx-ports-control/values.yaml
@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2019 Intel, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Default values for node-feature-discovery.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+global_network_policy:
+ ingress:
+ ipVersion: 4
+ protocol: TCP
+ destination:
+ http_port: 80
+ https_port: 443
+
+manifests:
+ global_network_policy: true
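Review bot: In templates/global_network_policy.yaml the `egress:` rule is an unconditional `action: Allow` on every host endpoint matching `iftype == 'oam'`, which is much wider than the two nginx ports this chart is meant to open. Calico evaluates policies in ascending `order`, so if any egress restriction for the OAM interface sits at an order above 100 (none is visible in this commit), this Allow would decide the traffic before it is consulted. If only inbound 80/443 is intended and OAM egress is already governed by another policy, keep just `- Ingress` under `types:` and drop the `egress:` block; if the open egress is required, say why in a template comment. `namespace: openstack` under `metadata:` should also be removed, because GlobalNetworkPolicy is a cluster-scoped resource and the field suggests a scoping that does not exist.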
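Review bot: The header comment in values.yaml, `# Default values for node-feature-discovery.`, names a different chart and looks like a copy-paste leftover; it should read `# Default values for nginx-ports-control.`. Because these values decide which ports are opened on the OAM interface, a short comment above `global_network_policy:` such as `# Ports allowed inbound on OAM host endpoints for the nginx ingress controller` would help whoever overrides them.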
diff --git a/sysinv/sysinv/sysinv/setup.cfg b/sysinv/sysinv/sysinv/setup.cfg
index b2bcebd57f..6e3f7f0110 100644
--- a/sysinv/sysinv/sysinv/setup.cfg
+++ b/sysinv/sysinv/sysinv/setup.cfg
@@ -106,6 +106,7 @@ systemconfig.helm_plugins.stx_openstack = 023_ceph-rgw = sysinv.helm.swift:SwiftHelm 024_ironic = sysinv.helm.ironic:IronicHelm 025_placement = sysinv.helm.placement:PlacementHelm + 026_nginx-ports-control = sysinv.helm.nginx_ports_control:NginxPortsControlHelm sysinv.agent.lldp.drivers = lldpd = sysinv.agent.lldp.drivers.lldpd.driver:SysinvLldpdAgentDriver
diff --git a/sysinv/sysinv/sysinv/sysinv/common/constants.py b/sysinv/sysinv/sysinv/sysinv/common/constants.py
index f254b4d728..353b8855f4 100644
--- a/sysinv/sysinv/sysinv/sysinv/common/constants.py
+++ b/sysinv/sysinv/sysinv/sysinv/common/constants.py
@@ -1458,6 +1458,7 @@ HELM_CHART_CEPH_POOLS_AUDIT = 'ceph-pools-audit' HELM_CHART_HELM_TOOLKIT = 'helm-toolkit' HELM_CHART_KEYSTONE_API_PROXY = 'keystone-api-proxy' HELM_CHART_SWIFT = 'ceph-rgw' +HELM_CHART_NGINX_PORTS_CONTROL = "nginx-ports-control" # Helm: Supported application (aka chart bundles) HELM_APP_OPENSTACK = 'stx-openstack'
diff --git a/sysinv/sysinv/sysinv/sysinv/helm/nginx_ports_control.py b/sysinv/sysinv/sysinv/sysinv/helm/nginx_ports_control.py
new file mode 100644
index 0000000000..aa74d9a03b
--- /dev/null
+++ b/sysinv/sysinv/sysinv/sysinv/helm/nginx_ports_control.py
@@ -0,0 +1,35 @@
+#
+# Copyright (c) 2019 Intel, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+from sysinv.common import constants
+from sysinv.common import exception
+from sysinv.openstack.common import log as logging
+from sysinv.helm import common
+from sysinv.helm import base
+
+LOG = logging.getLogger(__name__)
+
+
+class NginxPortsControlHelm(base.BaseHelm):
+ """Class to encapsulate helm operations for nginx-ports-control chart"""
+
+ CHART = constants.HELM_CHART_NGINX_PORTS_CONTROL
+ SUPPORTED_NAMESPACES = \
+ base.BaseHelm.SUPPORTED_NAMESPACES + [common.HELM_NS_OPENSTACK]
+
+ def get_overrides(self, namespace=None):
+ overrides = {
+ common.HELM_NS_OPENSTACK: {
+ }
+ }
+
+ if namespace in self.SUPPORTED_NAMESPACES:
+ return overrides[namespace]
+ elif namespace:
+ raise exception.InvalidHelmNamespace(chart=self.CHART,
+ namespace=namespace)
+ else:
+ return overrides
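Review bot: `get_overrides` in nginx_ports_control.py always returns an empty dict for the openstack namespace, so unless an operator supplies overrides the policy renders with the chart defaults from values.yaml (`ipVersion: 4`, ports 80 and 443). If the OAM network can be IPv6 (an assumption; nothing in this commit shows it), the ingress Allow would not match that traffic and the console path this commit fixes would stay blocked; the plugin is the natural place to set `global_network_policy.ingress.ipVersion` from the system's OAM address family. Separately, `logging` and `LOG` are defined but never used in the new module, and `get_overrides` has no docstring, for example `"""Return the per-namespace overrides for the nginx-ports-control chart."""`.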