Merge "ceph-rgw: Add network policy for ceph-rgw pods"

2019-03-06 15:21:22 +00:00 · 2019-03-06 15:21:22 +00:00 · 07c005909b
parent 8fb2c7f07c babe91b75e
commit 07c005909b
4 changed files with 40 additions and 1 deletions
--- a/ceph-rgw/templates/network_policy.yaml
+++ b/ceph-rgw/templates/network_policy.yaml
@ -0,0 +1,18 @@
+# Copyright 2017-2018 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ceph" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
--- a/ceph-rgw/templates/pod-helm-tests.yaml
+++ b/ceph-rgw/templates/pod-helm-tests.yaml
@ -25,7 +25,7 @@ kind: Pod
 metadata:
  name: {{ $serviceAccountName }}
  labels:
-{{ tuple $envAll "ceph-rgw" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{ tuple $envAll "ceph" "rgw-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
  annotations:
    "helm.sh/hook": test-success
 spec:
--- a/ceph-rgw/values.yaml
+++ b/ceph-rgw/values.yaml
@ -118,6 +118,11 @@ pod:
          memory: "1024Mi"
          cpu: "2000m"

+network_policy:
+  ceph:
+    ingress:
+      - {}
+
 ceph_client:
  configmap: ceph-etc

@ -507,3 +512,4 @@ manifests:
  service_ingress_rgw: true
  service_rgw: true
  helm_tests: true
+  network_policy: false
--- a/tools/deployment/multinode/115-radosgw-osh-infra.sh
+++ b/tools/deployment/multinode/115-radosgw-osh-infra.sh
@ -45,6 +45,21 @@ conf:
    enabled: false
  rgw_s3:
    enabled: true
+network_policy:
+  ceph:
+    ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: elasticsearch
+        - podSelector:
+            matchLabels:
+              application: ceph
+        ports:
+        - protocol: TCP
+          port: 8088
+manifests:
+  network_policy: true
 EOF
 helm upgrade --install radosgw-osh-infra ./ceph-rgw \
  --namespace=osh-infra \