From 8a7f428c5b40672743942ca605556f25d70e8693 Mon Sep 17 00:00:00 2001 
From: Ratnopam Chakrabarti Date: Fri, 9 Apr 2021 16:25:22 -0400 Subject: [PATCH] Add Phases for deploying network policy This PatchSet adds phases and executor definitions for managing calico v3 network policies using airshipctl phase run command. Closes: #119 Change-Id: I7942548720c4b8037b7b0c2de348fe45df73b8f7 --- .../network-policy/calico/hosts_ingress.yaml | 18 ++++++------- .../calico/replacements/network-policy.yaml | 4 +-- .../calicoctl/apply/calicoctl-apply.sh | 21 +++++++++++++++ .../calicoctl/apply/kustomization.yaml | 6 +++++ .../calicoctl/delete/calicoctl-delete.sh | 20 ++++++++++++++ .../calicoctl/delete/kustomization.yaml | 6 +++++ .../phase-helper/calicoctl/kustomization.yaml | 3 +++ .../function/phase-helper/kustomization.yaml | 2 ++ .../networking-ha.yaml | 2 +- .../hosts_ingress_dest_port_patch.json | 12 --------- .../network-policy/kustomization.yaml | 2 +- manifests/type/multi-tenant/phases/README.md | 19 +++++++++++++ .../type/multi-tenant/phases/executors.yaml | 27 +++++++++++++++++++ .../multi-tenant/phases/kustomization.yaml | 3 +++ .../type/multi-tenant/phases/phases.yaml | 23 ++++++++++++++++ .../target/workload/kustomization.yaml | 1 - .../network-policy/kustomization.yaml | 2 ++ .../deployment/40_deploy_network_policies.sh | 15 +---------- 18 files changed, 146 insertions(+), 40 deletions(-) create mode 100644 manifests/function/phase-helper/calicoctl/apply/calicoctl-apply.sh create mode 100644 manifests/function/phase-helper/calicoctl/apply/kustomization.yaml create mode 100644 manifests/function/phase-helper/calicoctl/delete/calicoctl-delete.sh create mode 100644 manifests/function/phase-helper/calicoctl/delete/kustomization.yaml create mode 100644 manifests/function/phase-helper/calicoctl/kustomization.yaml create mode 100644 manifests/function/phase-helper/kustomization.yaml delete mode 100644 manifests/site/virtual-network-cloud/target/workload/network-policy/hosts_ingress_dest_port_patch.json create mode 100644 
manifests/type/multi-tenant/phases/README.md create mode 100644 manifests/type/multi-tenant/phases/executors.yaml create mode 100644 manifests/type/multi-tenant/phases/phases.yaml diff --git a/manifests/function/network-policy/calico/hosts_ingress.yaml b/manifests/function/network-policy/calico/hosts_ingress.yaml index 97e89fe3f..034d1cb86 100644 --- a/manifests/function/network-policy/calico/hosts_ingress.yaml +++ b/manifests/function/network-policy/calico/hosts_ingress.yaml @@ -6,15 +6,15 @@ spec: order: 0 selector: all() ingress: - action: Allow - protocol: TCP - source: - nets: - - 192.0.1.52/32 - destination: - ports: - - 80 - - 443 + - action: Allow + protocol: TCP + source: + nets: + - 192.0.1.52/32 + destination: + ports: + - 80 + - 443 doNotTrack: false preDNAT: false applyOnForward: true diff --git a/manifests/function/network-policy/calico/replacements/network-policy.yaml b/manifests/function/network-policy/calico/replacements/network-policy.yaml index 06fb93fb4..5ec493ec4 100644 --- a/manifests/function/network-policy/calico/replacements/network-policy.yaml +++ b/manifests/function/network-policy/calico/replacements/network-policy.yaml @@ -16,7 +16,7 @@ replacements: objref: kind: GlobalNetworkPolicy name: hosts-ingress-rule - fieldrefs: ["{.spec.source.nets[0]}"] + fieldrefs: [".spec.ingress[action=Allow].source.nets[0]"] - source: objref: kind: VariableCatalogue @@ -26,4 +26,4 @@ replacements: objref: kind: GlobalNetworkPolicy name: hosts-ingress-rule - fieldrefs: ["{.spec.destination.ports}"] \ No newline at end of file + fieldrefs: [".spec.ingress[action=Allow].destination.ports"] diff --git a/manifests/function/phase-helper/calicoctl/apply/calicoctl-apply.sh b/manifests/function/phase-helper/calicoctl/apply/calicoctl-apply.sh new file mode 100644 index 000000000..6a8c5d55c --- /dev/null +++ b/manifests/function/phase-helper/calicoctl/apply/calicoctl-apply.sh 
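Review bot: The new fieldref `.spec.ingress[action=Allow].source.nets[0]` in replacements/network-policy.yaml selects the target rule by `action=Allow`, so as soon as a second Allow rule is added to `hosts-ingress-rule` the replacement target becomes ambiguous; which rule receives the catalogue value then depends on the transformer's matching semantics, which I could not verify from the hunk. A comment next to the fieldrefs should make the precondition explicit, e.g. `# assumes hosts-ingress-rule carries exactly one Allow ingress entry; use a more specific key if more rules are added`. The same applies to the `.destination.ports` fieldref in the second hunk of that file.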
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -xe
+
+echo applying network policy with calicoctl >&2
+
+echo ${RENDERED_BUNDLE_PATH} >&2
+# apply the policy
+calicoctl apply -f ${RENDERED_BUNDLE_PATH} --context $KCTL_CONTEXT >&2
diff --git a/manifests/function/phase-helper/calicoctl/apply/kustomization.yaml b/manifests/function/phase-helper/calicoctl/apply/kustomization.yaml
new file mode 100644
index 000000000..865425ef0
--- /dev/null
+++ b/manifests/function/phase-helper/calicoctl/apply/kustomization.yaml
@@ -0,0 +1,6 @@
+configMapGenerator:
+- name: calicoctl-apply
+ options:
+ disableNameSuffixHash: true
+ files:
+ - script=calicoctl-apply.sh
diff --git a/manifests/function/phase-helper/calicoctl/delete/calicoctl-delete.sh b/manifests/function/phase-helper/calicoctl/delete/calicoctl-delete.sh
new file mode 100644
index 000000000..43d60fdcf
--- /dev/null
+++ b/manifests/function/phase-helper/calicoctl/delete/calicoctl-delete.sh
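Review bot: `calicoctl apply -f ${RENDERED_BUNDLE_PATH} --context $KCTL_CONTEXT` passes both variables unquoted and without any check that they are set, so an empty or whitespace-containing value is word-split into a different command line instead of failing fast; `set -xe` does not catch unset variables. Suggest `set -xeu` and `calicoctl apply -f "${RENDERED_BUNDLE_PATH}" --context "${KCTL_CONTEXT}" >&2`. The `calicoctl delete` line in calicoctl-delete.sh has the same issue and should get the same treatment. With `-x` the expanded command is already traced to stderr, so the separate `echo ${RENDERED_BUNDLE_PATH} >&2` adds nothing and can be dropped.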
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -xe
+
+echo deleting network policy with calicoctl >&2
+
+# delete policy
+calicoctl delete --skip-not-exists -f ${RENDERED_BUNDLE_PATH} --context $KCTL_CONTEXT >&2
diff --git a/manifests/function/phase-helper/calicoctl/delete/kustomization.yaml b/manifests/function/phase-helper/calicoctl/delete/kustomization.yaml
new file mode 100644
index 000000000..bebd2bee5
--- /dev/null
+++ b/manifests/function/phase-helper/calicoctl/delete/kustomization.yaml
@@ -0,0 +1,6 @@
+configMapGenerator:
+- name: calicoctl-delete
+ options:
+ disableNameSuffixHash: true
+ files:
+ - script=calicoctl-delete.sh
diff --git a/manifests/function/phase-helper/calicoctl/kustomization.yaml b/manifests/function/phase-helper/calicoctl/kustomization.yaml
new file mode 100644
index 000000000..ac77f7044
--- /dev/null
+++ b/manifests/function/phase-helper/calicoctl/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+ - apply
+ - delete
diff --git a/manifests/function/phase-helper/kustomization.yaml b/manifests/function/phase-helper/kustomization.yaml
new file mode 100644
index 000000000..542924436
--- /dev/null
+++ b/manifests/function/phase-helper/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- calicoctl
\ No newline at end of file
diff --git a/manifests/function/treasuremap-base-catalogues/networking-ha.yaml b/manifests/function/treasuremap-base-catalogues/networking-ha.yaml
index 226d9c62c..ac24b85e2 100644
--- a/manifests/function/treasuremap-base-catalogues/networking-ha.yaml +++ b/manifests/function/treasuremap-base-catalogues/networking-ha.yaml @@ -13,7 +13,7 @@ vrrp: ingress: interface: bond.51 virtual_ipaddress: 10.23.25.102 - oam_cidr: 10.23.25.151 + oam_cidr: 10.23.25.151/32 destination: ports: - 2378 diff --git a/manifests/site/virtual-network-cloud/target/workload/network-policy/hosts_ingress_dest_port_patch.json b/manifests/site/virtual-network-cloud/target/workload/network-policy/hosts_ingress_dest_port_patch.json deleted file mode 100644 index c5809b089..000000000 --- a/manifests/site/virtual-network-cloud/target/workload/network-policy/hosts_ingress_dest_port_patch.json +++ /dev/null @@ -1,12 +0,0 @@ -[ - { "op": "add","path": "/spec/destination/ports/-","value": 2378 }, - { "op": "add","path": "/spec/destination/ports/-","value": 4149 }, - { "op": "add","path": "/spec/destination/ports/-","value": 6443 }, - { "op": "add","path": "/spec/destination/ports/-","value": 6553 }, - { "op": "add","path": "/spec/destination/ports/-","value": 6666 }, - { "op": "add","path": "/spec/destination/ports/-","value": 6667 }, - { "op": "add","path": "/spec/destination/ports/-","value": 9099 }, - { "op": "add","path": "/spec/destination/ports/-","value": 10250 }, - { "op": "add","path": "/spec/destination/ports/-","value": 10255 }, - { "op": "add","path": "/spec/destination/ports/-","value": 10256 } -] \ No newline at end of file diff --git a/manifests/site/virtual-network-cloud/target/workload/network-policy/kustomization.yaml b/manifests/site/virtual-network-cloud/target/workload/network-policy/kustomization.yaml index 1f2c72b0f..c3b9ee69d 100644 --- a/manifests/site/virtual-network-cloud/target/workload/network-policy/kustomization.yaml +++ b/manifests/site/virtual-network-cloud/target/workload/network-policy/kustomization.yaml 
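Review bot: `oam_cidr: 10.23.25.151/32` appears to be the catalogue value that the replacement transformer copies into `source.nets[0]` of the `hosts-ingress-rule` GlobalNetworkPolicy, so the key now has to hold valid CIDR notation, and a bare address like the previous value would presumably be rejected only when calicoctl applies the rendered policy rather than at render time. A comment on the key would make that format requirement visible to whoever edits the catalogue next, e.g. `# CIDR notation required: injected into GlobalNetworkPolicy spec.ingress[].source.nets`.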
@@ -1,2 +1,2 @@
resources:
- - ../../../../../type/airship-core/target/workload/network-policy
+ - ../../../../../type/multi-tenant/target/workload/network-policy
diff --git a/manifests/type/multi-tenant/phases/README.md b/manifests/type/multi-tenant/phases/README.md
new file mode 100644
index 000000000..477af9860
--- /dev/null
+++ b/manifests/type/multi-tenant/phases/README.md
@@ -0,0 +1,19 @@
+# Phases for multi-tenant type
+
+Phases defined in multi-tenant are available for use by sites
+that inherit type mulit-tenant.
+
+## Airshipctl phase command
+
+For deploying calico network v3 policies, a phase named
+`deliver-network-policy` is defined with its executor and configMap settings.
+
+To deploy network policy using `airshipctl`, do
+
+`airshipctl phase run deliver-network-policy` where `deliver-network-policy` is the phase name.
+
+For deleting network policy, a phase named `delete-network-policy` is defined with its executor and configMap settings.
+
+To delete network policy using `airshipctl`, do
+
+`airshipctl phase run delete-network-policy` where `delete-network-policy` is the phase name.
diff --git a/manifests/type/multi-tenant/phases/executors.yaml b/manifests/type/multi-tenant/phases/executors.yaml
new file mode 100644
index 000000000..fa1eeaf35
--- /dev/null
+++ b/manifests/type/multi-tenant/phases/executors.yaml
@@ -0,0 +1,27 @@
+apiVersion: airshipit.org/v1alpha1
+kind: GenericContainer
+metadata:
+ name: calicoctl-apply
+ labels:
+ airshipit.org/deploy-k8s: "false"
+spec:
+ image: quay.io/airshipit/toolbox:latest
+ hostNetwork: true
+configRef:
+ kind: ConfigMap
+ name: calicoctl-apply
+ apiVersion: v1
+---
+apiVersion: airshipit.org/v1alpha1
+kind: GenericContainer
+metadata:
+ name: calicoctl-delete
+ labels:
+ airshipit.org/deploy-k8s: "false"
+spec:
+ image: quay.io/airshipit/toolbox:latest
+ hostNetwork: true
+configRef:
+ kind: ConfigMap
+ name: calicoctl-delete
+ apiVersion: v1
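Review bot: Both GenericContainer executors in executors.yaml run `quay.io/airshipit/toolbox:latest` with `hostNetwork: true`, so the code that applies and deletes cluster-wide network policy is whatever the mutable `latest` tag points at on the day of the run. Pin the image to a release tag or digest, `image: quay.io/airshipit/toolbox:<pinned-tag-or-digest>`, so the phase is reproducible and an upstream image change cannot silently alter what executes with host network access. A short comment on `hostNetwork: true` saying why it is required (presumably to reach the target cluster endpoint from the executor container; I could not confirm this from the hunk) would also help reviewers.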
diff --git a/manifests/type/multi-tenant/phases/kustomization.yaml b/manifests/type/multi-tenant/phases/kustomization.yaml index bea634ee6..f7b69ab84 100644 --- a/manifests/type/multi-tenant/phases/kustomization.yaml +++ b/manifests/type/multi-tenant/phases/kustomization.yaml @@ -2,5 +2,8 @@ resources: - ../../airship-core/phases - ../sub-clusters/wordpress/phases - workload-config.yaml + - phases.yaml + - executors.yaml + - ../../../function/phase-helper patchesStrategicMerge: - cluster_map_patch.yaml diff --git a/manifests/type/multi-tenant/phases/phases.yaml b/manifests/type/multi-tenant/phases/phases.yaml new file mode 100644 index 000000000..998802038 --- /dev/null +++ b/manifests/type/multi-tenant/phases/phases.yaml @@ -0,0 +1,23 @@ +apiVersion: airshipit.org/v1alpha1 +kind: Phase +metadata: + name: deliver-network-policy + clusterName: target-cluster +config: + executorRef: + apiVersion: airshipit.org/v1alpha1 + kind: GenericContainer + name: calicoctl-apply + documentEntryPoint: target/workload/network-policy +--- +apiVersion: airshipit.org/v1alpha1 +kind: Phase +metadata: + name: delete-network-policy + clusterName: target-cluster +config: + executorRef: + apiVersion: airshipit.org/v1alpha1 + kind: GenericContainer + name: calicoctl-delete + documentEntryPoint: target/workload/network-policy diff --git a/manifests/type/multi-tenant/target/workload/kustomization.yaml b/manifests/type/multi-tenant/target/workload/kustomization.yaml index 3409d584c..2b4aaa45d 100644 --- a/manifests/type/multi-tenant/target/workload/kustomization.yaml +++ b/manifests/type/multi-tenant/target/workload/kustomization.yaml @@ -3,4 +3,3 @@ resources: - ../../../../function/sip - ../../../../function/synclabeller - ../../../../function/vino - #- network-policy diff --git a/manifests/type/multi-tenant/target/workload/network-policy/kustomization.yaml b/manifests/type/multi-tenant/target/workload/network-policy/kustomization.yaml index 8ceca8fdd..0dfdb8097 100644 
--- a/manifests/type/multi-tenant/target/workload/network-policy/kustomization.yaml +++ b/manifests/type/multi-tenant/target/workload/network-policy/kustomization.yaml @@ -3,7 +3,9 @@ kind: Kustomization resources: - ../../../../../function/network-policy - ../../../../../function/treasuremap-base-catalogues + - netpol.yaml transformers: - ../../../../../function/network-policy/calico/replacements + - ../../../../../function/treasuremap-cleanup diff --git a/tools/deployment/40_deploy_network_policies.sh b/tools/deployment/40_deploy_network_policies.sh index 043391d92..ce67770cf 100755 --- a/tools/deployment/40_deploy_network_policies.sh +++ b/tools/deployment/40_deploy_network_policies.sh @@ -14,17 +14,4 @@ set -ex -TMP=$(mktemp -d) - -MANIFEST_FILE="$TMP/network-policy.yaml" -export SITE=${SITE:="test-site"} - -export KUBECONFIG=${KUBECONFIG:="$HOME/.airship/kubeconfig"} -export KUBECONFIG_TARGET_CONTEXT=${KUBECONFIG_TARGET_CONTEXT:="target-cluster"} -: ${TREASUREMAP_PROJECT:="${PWD}"} - -#Generate all of the policies and deploy using calicoctl -kustomize build --enable_alpha_plugins $TREASUREMAP_PROJECT/manifests/site/$SITE/target/network-policies -o ${MANIFEST_FILE} - -#What about per node basis. Also usage of calico apply/replace -DATASTORE_TYPE=kubernetes calicoctl apply -f ${MANIFEST_FILE} +airshipctl phase run deliver-network-policy
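Review bot: The new `- netpol.yaml` resource is not created by this patch (it is absent from the diffstat), so unless the file already exists in manifests/type/multi-tenant/target/workload/network-policy, rendering this entry point — and therefore both `deliver-network-policy` and `delete-network-policy` — fails at build time. The same check applies to the `../../../../../function/treasuremap-cleanup` transformer path, which is likewise not added here. If both are pre-existing, a one-line comment on `netpol.yaml` naming what it contributes would help, since every other entry in this kustomization points at a shared function.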
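Review bot: The script now reduces to `airshipctl phase run deliver-network-policy`, but it no longer exports the `KUBECONFIG`, `KUBECONFIG_TARGET_CONTEXT` and `SITE` defaults the removed lines set, so the cluster and site selection now depend entirely on the caller's airshipctl config; whether that is intended is not visible in the hunk and deserves a sentence in the commit or script. A comment above the new line would help the next reader locate the behaviour: `# deliver-network-policy is defined in manifests/type/multi-tenant/phases/phases.yaml and runs calicoctl apply through the calicoctl-apply GenericContainer executor`. The script's header and `set -ex` line precede this hunk.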