Create network policy for subcluster

Added sample calico v3 global network policy and hostendpoint for controlling
traffic flow between sub-clusters.

Also, adds Calico hostendpoints with labels for oam, ksn and vm-infra-bridge.

Relates-To: #131
Closes: #131

Change-Id: I1bb0b1e450b9f78fe1ee77abb0ff12eea72873a5

manifests/function/hostendpoint-generator/host-endpoint-template.yaml

@@ -0,0 +1,34 @@
+apiVersion: airshipit.org/v1alpha1
+kind: Templater
+metadata:
+  name: host-endpoint-worker-template
+  annotations:
+    config.kubernetes.io/function: |
+      container:
+        image: quay.io/airshipit/templater:v2
+values:
+  hep:
+  interfaces:
+  - name: vib
+    link: vm-infra-bridge
+  - name: oam
+    link: bond0.61
+  - name: ksn
+    link: bond0.64
+template: |
+  {{ range $host:= .hep }}
+  {{- $hostname := $host.name }}
+  {{ range $interface := $.interfaces }}
+  ---
+  apiVersion: projectcalico.org/v3
+  kind: HostEndpoint
+  metadata:
+    name: {{ $hostname }}-{{ $interface.name }}
+    labels:
+      host: {{ $host.type  }}
+      intf-alias: {{ $interface.name }}
+  spec:
+    interfaceName: {{ $interface.link }}
+    node: {{ $hostname }}
+  {{ end }}
+  {{ end }}

manifests/function/hostendpoint-generator/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - host-endpoint-template.yaml

manifests/function/hostendpoint-generator/replacements/host-endpoints.yaml

@@ -0,0 +1,41 @@
+# These rules inject host information from the `host-generation-catalogue`
+# into the hostendpoint-generator function's Template plugin config.
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: host-endpoints
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: quay.io/airshipit/replacement-transformer:v2
+replacements:
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: host-generation-catalogue
+    fieldref: "{.hosts.m3}"
+  target:
+    objref:
+      kind: Templater
+      name: host-endpoint-worker-template
+    fieldrefs: ["{.values.hep}"]
+- source:
+    objref:
+      kind: NetworkCatalogue
+      name: networking
+    fieldref: "{.spec.commonHostNetworking.networks[?(.id == 'oam-ipv4')].link}"
+  target:
+    objref:
+      kind: Templater
+      name: host-endpoint-worker-template
+    fieldrefs: ["{.values.interfaces[?(.name == 'oam')].link}"]
+- source:
+    objref:
+      kind: NetworkCatalogue
+      name: networking
+    fieldref: "{.spec.commonHostNetworking.networks[?(.id == 'calico-ipv4')].link}"
+  target:
+    objref:
+      kind: Templater
+      name: host-endpoint-worker-template
+    fieldrefs: ["{.values.interfaces[?(.name == 'ksn')].link}"]

manifests/function/hostendpoint-generator/replacements/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - host-endpoints.yaml

manifests/site/reference-multi-tenant/target/workload/network-policy/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - network-policy.yaml
+  - ../../../../../type/multi-tenant/target/workload/network-policy
+generators:
+  - network-policy-gen/

manifests/site/reference-multi-tenant/target/workload/network-policy/network-policy-gen/host-list.yaml

@@ -0,0 +1,21 @@
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+  name: host-generation-catalogue
+hosts:
+  m3:
+    # Note: this list should be kept up to date with
+    # the full list of hosts in the cluster
+    ## NEWSITE_CHANGEME: list of all the hosts
+    - name: stl3r01s01
+      type: control
+    - name: stl3r01s03
+      type: control
+    - name: stl3r01s04
+      type: control
+    - name: stl3r01s05
+      type: control
+    - name: stl3r01s02
+      type: compute
+    - name: stl3r01s06
+      type: compute

manifests/site/reference-multi-tenant/target/workload/network-policy/network-policy-gen/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - host-list.yaml
+  - ../../../catalogues
+  - ../../../../../../function/hostendpoint-generator
+
+transformers:
+  - ../../../../../../function/hostendpoint-generator/replacements
+  - ../../../../../../function/treasuremap-cleanup

manifests/site/reference-multi-tenant/target/workload/network-policy/network-policy.yaml

@@ -0,0 +1,26 @@
+apiVersion: projectcalico.org/v3
+kind: GlobalNetworkPolicy
+metadata:
+  name: subcluster-ingress-rule
+spec:
+  order: 1
+  selector: host in { 'control', 'compute' } && intf-alias == 'vib'
+  ingress:
+  - action: Allow
+    protocol: TCP
+    source:
+      nets:
+      - 192.168.112.0/20
+    destination:
+      nets:
+      - 192.168.96.0/20
+      ports:
+      - "11020:11039"
+  - action: Allow
+    protocol: ICMP
+    icmp:
+      type: 0
+      code: 0
+  doNotTrack: false
+  preDNAT: false
+  applyOnForward: true

manifests/type/multi-tenant/target/workload/network-policy/kustomization.yaml

@@ -3,8 +3,6 @@ kind: Kustomization
 resources:
   - ../../../../../function/network-policy
   - ../../../../../function/treasuremap-base-catalogues
-  - netpol.yaml
-
 transformers:
   - ../../../../../function/network-policy/calico/replacements
   - ../../../../../function/treasuremap-cleanup