Add ingress network policy to kube-state-metrics and openstack-exporter
This adds ingress network policies to kube-state-metrics and openstack-exporter using the helm-toolkit template. It also adds openstack-exporter to the network policy jobs. Change-Id: I3bfc2f1e8a35c09e577a046ebd52346de95e5745
parent
e836707ad0
commit
2d36d5f7ce
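--- a/prometheus-kube-state-metrics/templates/network_policy.yaml
+++ b/prometheus-kube-state-metrics/templates/network_policy.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License. */}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "kube-state-metrics" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}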
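Review bot: The template renders whenever `.Values.manifests.network_policy` is true, but nothing in it, or in the values hunk shown on this page (which only adds `network_policy: false` under `manifests`), says where the ingress rules come from. The gate script supplies them under a top-level `network_policy.kube-state-metrics.ingress` key, so the helm-toolkit template presumably reads that path; if the chart's values.yaml has no default for it outside the hunk, turning the toggle on without an override may fail to render or produce a policy the operator did not intend. A default block in values.yaml, or a comment above the toggle such as `# requires network_policy.kube-state-metrics.ingress to be set`, would make the contract visible. `prometheus-openstack-exporter/templates/network_policy.yaml` has the same shape with the `prometheus-openstack-exporter` key.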
@ -155,6 +155,7 @@ manifests:
|
||||
configmap_bin: true
|
||||
deployment: true
|
||||
job_image_repo_sync: true
|
||||
network_policy: false
|
||||
service_kube_state_metrics: true
|
||||
service_controller_manager: true
|
||||
service_scheduler: true
|
||||
|
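--- a/prometheus-openstack-exporter/templates/network_policy.yaml
+++ b/prometheus-openstack-exporter/templates/network_policy.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License. */}}
+
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus-openstack-exporter" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}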
@ -198,5 +198,6 @@ manifests:
|
||||
deployment: true
|
||||
job_image_repo_sync: true
|
||||
job_ks_user: true
|
||||
network_policy: false
|
||||
secret_keystone: true
|
||||
service: true
|
||||
|
@ -1 +0,0 @@
|
||||
../common/070-kube-state-metrics.sh
|
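--- a/tools/deployment/network-policy/070-kube-state-metrics.sh
+++ b/tools/deployment/network-policy/070-kube-state-metrics.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -xe
+
+#NOTE: Lint and package chart
+make prometheus-kube-state-metrics
+
+tee /tmp/kube-state-metrics.yaml << EOF
+manifests:
+network_policy: true
+network_policy:
+kube-state-metrics:
+ingress:
+- from:
+- podSelector:
+matchLabels:
+application: kube-state-metrics
+- namespaceSelector:
+matchLabels:
+name: osh-infra
+podSelector:
+matchLabels:
+application: prometheus
+ports:
+- protocol: TCP
+port: 80
+- protocol: TCP
+port: 8080
+- protocol: TCP
+port: 443
+EOF
+
+#NOTE: Deploy command
+helm upgrade --install prometheus-kube-state-metrics \
+./prometheus-kube-state-metrics --namespace=kube-system \
+--values=/tmp/kube-state-metrics.yaml
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh kube-system
+
+#NOTE: Validate Deployment info
+helm status prometheus-kube-state-metrics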
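Review bot: The `ports` list in the heredoc allows TCP 80, 8080 and 443 from Prometheus, which looks wider than this test needs. If kube-state-metrics only serves on 8080 here (to be confirmed against the chart's service definition), the rule should carry just `- protocol: TCP` / `port: 8080`. The same applies to `tools/deployment/network-policy/openstack-exporter.sh`, which allows port 80 next to 9103. Overrides in gate scripts tend to be copied into real deployments, so keeping them least-privilege is worthwhile.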
@ -54,6 +54,7 @@ test_netpol osh-infra mariadb server elasticsearch.osh-infra.svc.cluster.local f
|
||||
test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail
|
||||
test_netpol osh-infra mariadb server prometheus.osh-infra.svc.cluster.local fail
|
||||
test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail
|
||||
test_netpol osh-infra mariadb server openstack-metrics.openstack.svc.cluster.local:9103 fail
|
||||
|
||||
# Doing positive tests
|
||||
test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success
|
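Review bot: The only exporter case visible in this hunk is `test_netpol osh-infra mariadb server openstack-metrics.openstack.svc.cluster.local:9103 fail`, a negative test, so a policy that blocks everything (or an exporter that is not listening) passes just as well as a correct one. A matching positive case under `# Doing positive tests`, run from the Prometheus pod, would prove the allow rule, e.g. `test_netpol osh-infra prometheus <component> openstack-metrics.openstack.svc.cluster.local:9103 success`, where `<component>` is a placeholder for the Prometheus pod's component label. No kube-state-metrics case is visible here either; the file continues outside the hunk, so one may already exist.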
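--- a/tools/deployment/network-policy/openstack-exporter.sh
+++ b/tools/deployment/network-policy/openstack-exporter.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -xe
+
+#NOTE: Lint and package chart
+make prometheus-openstack-exporter
+
+tee /tmp/prometheus-openstack-exporter.yaml << EOF
+manifests:
+job_ks_user: false
+network_policy: true
+dependencies:
+static:
+prometheus_openstack_exporter:
+jobs: null
+services: null
+network_policy:
+prometheus-openstack-exporter:
+ingress:
+- from:
+- podSelector:
+matchLabels:
+application: prometheus-openstack-exporter
+- namespaceSelector:
+matchLabels:
+name: osh-infra
+podSelector:
+matchLabels:
+application: prometheus
+ports:
+- protocol: TCP
+port: 80
+- protocol: TCP
+port: 9103
+EOF
+
+#NOTE: Deploy command
+helm upgrade --install prometheus-openstack-exporter \
+./prometheus-openstack-exporter \
+--namespace=openstack \
+--values=/tmp/prometheus-openstack-exporter.yaml
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh openstack
+
+#NOTE: Validate Deployment info
+helm status prometheus-openstack-exporter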
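Review bot: The override sets `manifests.job_ks_user: false` and nulls `dependencies.static.prometheus_openstack_exporter.jobs` and `.services` with no comment saying why, so a reader cannot tell whether the exporter is expected to be functional in this gate. If it never listens on 9103, the `fail` case for `openstack-metrics.openstack.svc.cluster.local:9103` in the network-policy test script would pass regardless of the policy. A one-line comment above the heredoc would settle it, e.g. `#NOTE: Keystone user job and dependency checks are skipped because <reason>`.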
@ -190,8 +190,10 @@
|
||||
- ./tools/deployment/network-policy/120-elasticsearch.sh
|
||||
- ./tools/deployment/network-policy/130-fluent-logging.sh
|
||||
- ./tools/deployment/network-policy/140-kibana.sh
|
||||
- ./tools/deployment/network-policy/openstack-exporter.sh
|
||||
- ./tools/deployment/network-policy/901-test-networkpolicy.sh
|
||||
|
||||
|
||||
- job:
|
||||
name: openstack-helm-infra-openstack-support
|
||||
parent: openstack-helm-infra-functional
|
||||
|