Add network policy toolkit function
This patch set implements the helm toolkit function to generate a kubernetes network policy manifest based on overrideable values. This also adds a chart that shuts down all the ingress and egress traffics in the namespace. This can be used to ensure the whitelisted network policy works as intended. Additionally, implementation is done for some infrastructure charts. Change-Id: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8 Co-Authored-By: Mike Pham <tp6510@att.com> Signed-off-by: Tin Lam <tin@irrational.io>
This commit is contained in:
parent
be7dbf6c28
commit
92e68d33ea
|
@ -0,0 +1,20 @@
|
|||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.network_policy -}}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "elasticsearch" -}}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- end -}}
|
|
@ -635,6 +635,7 @@ manifests:
|
|||
configmap_bin_exporter: true
|
||||
deployment_exporter: true
|
||||
service_exporter: true
|
||||
network_policy: false
|
||||
service_data: true
|
||||
service_discovery: true
|
||||
service_ingress: true
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
{{/*
|
||||
Copyright 2017-2018 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License. */}}
|
||||
|
||||
{{- if .Values.manifests.network_policy -}}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "fluentbit" }}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluentd" }}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluent" }}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{ $netpol_opts := dict "envAll" . "name" "application" "label" "fluent-logging" }}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- end -}}
|
|
@ -568,6 +568,7 @@ manifests:
|
|||
configmap_bin: true
|
||||
deployment_exporter: true
|
||||
service_exporter: true
|
||||
network_policy: false
|
||||
secret_elasticsearch: true
|
||||
service_fluentd: true
|
||||
job_elasticsearch_template: true
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.network_policy -}}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "grafana" -}}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- end -}}
|
|
@ -311,6 +311,7 @@ manifests:
|
|||
job_db_init_session: true
|
||||
job_db_session_sync: true
|
||||
job_image_repo_sync: true
|
||||
network_policy: false
|
||||
secret_db: true
|
||||
secret_db_session: true
|
||||
secret_admin_creds: true
|
||||
|
|
|
@ -0,0 +1,86 @@
|
|||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Creates a network policy manifest for services.
|
||||
values: |
|
||||
network_policy:
|
||||
myLabel:
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: keystone
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
usage: |
|
||||
{{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
return: |
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: RELEASE-NAME
|
||||
namespace: NAMESPACE
|
||||
spec:
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
podSelector:
|
||||
matchLabels:
|
||||
application: myLabel
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: keystone
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
egress:
|
||||
- {}
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $name := index . "name" -}}
|
||||
{{- $label := index . "label" -}}
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ $label }}-netpol
|
||||
namespace: {{ $envAll.Release.Namespace }}
|
||||
spec:
|
||||
policyTypes:
|
||||
- Egress
|
||||
{{- if hasKey (index $envAll.Values "network_policy") $label }}
|
||||
{{- if index $envAll.Values.network_policy $label "ingress" }}
|
||||
- Ingress
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{ $name }}: {{ $label }}
|
||||
egress:
|
||||
- {}
|
||||
{{- if hasKey (index $envAll.Values "network_policy") $label }}
|
||||
{{- if index $envAll.Values.network_policy $label "ingress" }}
|
||||
ingress:
|
||||
{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,20 @@
|
|||
{{/*
|
||||
Copyright 2017-2018 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.network_policy -}}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ingress" -}}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- end -}}
|
|
@ -175,6 +175,27 @@ endpoints:
|
|||
port:
|
||||
metrics:
|
||||
default: 10254
|
||||
kube_dns:
|
||||
namespace: kube-system
|
||||
name: kubernetes-dns
|
||||
hosts:
|
||||
default: kube-dns
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
path:
|
||||
default: null
|
||||
scheme: http
|
||||
port:
|
||||
dns_tcp:
|
||||
default: 53
|
||||
dns:
|
||||
default: 53
|
||||
protocol: UDP
|
||||
|
||||
network_policy:
|
||||
ingress:
|
||||
ingress:
|
||||
- {}
|
||||
|
||||
conf:
|
||||
controller:
|
||||
|
@ -209,3 +230,4 @@ manifests:
|
|||
monitoring:
|
||||
prometheus:
|
||||
service_exporter: true
|
||||
network_policy: false
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.network_policy -}}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "kibana" -}}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- end -}}
|
|
@ -318,6 +318,7 @@ manifests:
|
|||
deployment: true
|
||||
ingress: true
|
||||
job_image_repo_sync: true
|
||||
network_policy: false
|
||||
secret_elasticsearch: true
|
||||
secret_ingress_tls: true
|
||||
service: true
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
{{/*
|
||||
Copyright 2017-2018 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
{{- if .Values.manifests.network_policy -}}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "ldap" -}}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- end -}}
|
|
@ -147,6 +147,11 @@ endpoints:
|
|||
ldap:
|
||||
default: 389
|
||||
|
||||
network_policy:
|
||||
ldap:
|
||||
ingress:
|
||||
- {}
|
||||
|
||||
data:
|
||||
sample: |
|
||||
dn: ou=People,dc=cluster,dc=local
|
||||
|
@ -231,6 +236,8 @@ manifests:
|
|||
configmap_bin: true
|
||||
configmap_etc: true
|
||||
job_bootstrap: true
|
||||
network_policy: false
|
||||
job_image_repo_sync: true
|
||||
network_policy: false
|
||||
statefulset: true
|
||||
service: true
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
{{/*
|
||||
Copyright 2017-2018 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.network_policy -}}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "libvirt" -}}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- end -}}
|
|
@ -58,6 +58,11 @@ endpoints:
|
|||
registry:
|
||||
node: 5000
|
||||
|
||||
network_policy:
|
||||
libvirt:
|
||||
ingress:
|
||||
- {}
|
||||
|
||||
ceph_client:
|
||||
configmap: ceph-etc
|
||||
user_secret_name: pvc-ceph-client-key
|
||||
|
@ -163,3 +168,4 @@ manifests:
|
|||
configmap_etc: true
|
||||
daemonset_libvirt: true
|
||||
job_image_repo_sync: true
|
||||
network_policy: false
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
# Copyright 2017-2018 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
apiVersion: v1
|
||||
appVersion: "1.0"
|
||||
description: |
|
||||
A helm chart used to lockdown all ingress and egress for a namespace
|
||||
name: lockdown
|
||||
version: 0.1.0
|
|
@ -0,0 +1,27 @@
|
|||
{{/*
|
||||
Copyright 2017-2018 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: deny-all
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
policyTypes:
|
||||
- Egress
|
||||
- Ingress
|
||||
podSelector: {}
|
||||
egress: []
|
||||
ingress: []
|
|
@ -0,0 +1,17 @@
|
|||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# Default values for lockdown chart.
|
||||
# This is a YAML-formatted file.
|
||||
# Declare variables to be passed into your templates.
|
|
@ -0,0 +1,19 @@
|
|||
{{/*
|
||||
Copyright 2017-2018 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
{{- if .Values.manifests.network_policy -}}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "mariadb" -}}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- end -}}
|
|
@ -264,6 +264,27 @@ endpoints:
|
|||
default: 3306
|
||||
wsrep:
|
||||
default: 4567
|
||||
kube_dns:
|
||||
namespace: kube-system
|
||||
name: kubernetes-dns
|
||||
hosts:
|
||||
default: kube-dns
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
path:
|
||||
default: null
|
||||
scheme: http
|
||||
port:
|
||||
dns_tcp:
|
||||
default: 53
|
||||
dns:
|
||||
default: 53
|
||||
protocol: UDP
|
||||
|
||||
network_policy:
|
||||
mariadb:
|
||||
ingress:
|
||||
- {}
|
||||
|
||||
manifests:
|
||||
configmap_bin: true
|
||||
|
@ -280,6 +301,7 @@ manifests:
|
|||
secret_etc: true
|
||||
service_exporter: true
|
||||
pdb_server: true
|
||||
network_policy: false
|
||||
secret_db: true
|
||||
secret_etc: true
|
||||
service_discovery: true
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
{{/*
|
||||
Copyright 2017-2018 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
{{- if .Values.manifests.network_policy -}}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "memcached" -}}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- end -}}
|
|
@ -82,6 +82,27 @@ endpoints:
|
|||
port:
|
||||
metrics:
|
||||
default: 9150
|
||||
kube_dns:
|
||||
namespace: kube-system
|
||||
name: kubernetes-dns
|
||||
hosts:
|
||||
default: kube-dns
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
path:
|
||||
default: null
|
||||
scheme: http
|
||||
port:
|
||||
dns_tcp:
|
||||
default: 53
|
||||
dns:
|
||||
default: 53
|
||||
protocol: UDP
|
||||
|
||||
network_policy:
|
||||
memcached:
|
||||
ingress:
|
||||
- {}
|
||||
|
||||
monitoring:
|
||||
prometheus:
|
||||
|
@ -114,6 +135,7 @@ manifests:
|
|||
configmap_bin: true
|
||||
deployment: true
|
||||
job_image_repo_sync: true
|
||||
network_policy: false
|
||||
service: true
|
||||
monitoring:
|
||||
prometheus:
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.network_policy -}}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "nagios" -}}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- end -}}
|
|
@ -213,6 +213,7 @@ manifests:
|
|||
deployment: true
|
||||
ingress: true
|
||||
job_image_repo_sync: true
|
||||
network_policy: false
|
||||
secret_nagios: true
|
||||
secret_ingress_tls: true
|
||||
service: true
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
{{/*
|
||||
Copyright 2017-2018 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.network_policy -}}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "openvswitch" -}}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- end -}}
|
|
@ -104,6 +104,11 @@ endpoints:
|
|||
registry:
|
||||
node: 5000
|
||||
|
||||
network_policy:
|
||||
openvswitch:
|
||||
ingress:
|
||||
- {}
|
||||
|
||||
dependencies:
|
||||
dynamic:
|
||||
common:
|
||||
|
@ -126,3 +131,4 @@ manifests:
|
|||
daemonset_ovs_db: true
|
||||
daemonset_ovs_vswitchd: true
|
||||
job_image_repo_sync: true
|
||||
network_policy: false
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
{{/*
|
||||
Copyright 2017-2018 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License. */}}
|
||||
|
||||
{{- if .Values.manifests.network_policy -}}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "alertmanager" -}}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- end -}}
|
|
@ -169,6 +169,7 @@ manifests:
|
|||
configmap_etc: true
|
||||
ingress: true
|
||||
job_image_repo_sync: true
|
||||
network_policy: false
|
||||
secret_ingress_tls: true
|
||||
service: true
|
||||
service_discovery: true
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
{{/*
|
||||
Copyright 2017-2018 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License. */}}
|
||||
|
||||
{{- if .Values.manifests.network_policy -}}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus-process-exporter" -}}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,19 @@
|
|||
{{/*
|
||||
Copyright 2017-2018 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License. */}}
|
||||
|
||||
{{- if .Values.manifests.network_policy -}}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "prometheus" -}}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- end -}}
|
|
@ -231,6 +231,7 @@ manifests:
|
|||
ingress: true
|
||||
helm_tests: true
|
||||
job_image_repo_sync: true
|
||||
network_policy: false
|
||||
secret_ingress_tls: true
|
||||
secret_prometheus: true
|
||||
service_ingress: true
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
{{/*
|
||||
Copyright 2017-2018 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
{{- if .Values.manifests.network_policy -}}
|
||||
{{- $netpol_opts := dict "envAll" . "name" "application" "label" "rabbitmq" -}}
|
||||
{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
|
||||
{{- end -}}
|
|
@ -249,6 +249,27 @@ endpoints:
|
|||
port:
|
||||
metrics:
|
||||
default: 9095
|
||||
kube_dns:
|
||||
namespace: kube-system
|
||||
name: kubernetes-dns
|
||||
hosts:
|
||||
default: kube-dns
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
path:
|
||||
default: null
|
||||
scheme: http
|
||||
port:
|
||||
dns_tcp:
|
||||
default: 53
|
||||
dns:
|
||||
default: 53
|
||||
protocol: UDP
|
||||
|
||||
network_policy:
|
||||
rabbitmq:
|
||||
ingress:
|
||||
- {}
|
||||
|
||||
volume:
|
||||
chown_on_start: true
|
||||
|
@ -267,6 +288,7 @@ manifests:
|
|||
configmap_bin: true
|
||||
deployment_exporter: true
|
||||
service_exporter: true
|
||||
network_policy: false
|
||||
service_discovery: true
|
||||
service_ingress_management: true
|
||||
service: true
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
set -xe
|
||||
|
||||
#NOTE: Lint and package chart
|
||||
make lockdown
|
||||
|
||||
#NOTE: Deploy command
|
||||
helm upgrade --install lockdown ./lockdown \
|
||||
--namespace=osh-infra
|
||||
|
||||
#NOTE: Wait for deploy
|
||||
./tools/deployment/common/wait-for-pods.sh openstack
|
||||
|
||||
#NOTE: Validate Deployment info
|
||||
helm status lockdown
|
|
@ -0,0 +1,60 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
set -xe
|
||||
|
||||
#NOTE: Pull images and lint chart
|
||||
make ldap
|
||||
|
||||
tee /tmp/ldap.yaml <<EOF
|
||||
manifests:
|
||||
network_policy: true
|
||||
network_policy:
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: ldap
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: grafana
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: nagios
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: elasticsearch
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: kibana
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 389
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
EOF
|
||||
|
||||
#NOTE: Deploy command
|
||||
helm upgrade --install ldap ./ldap \
|
||||
--namespace=osh-infra \
|
||||
--values=/tmp/ldap.yaml \
|
||||
--set bootstrap.enabled=true
|
||||
|
||||
#NOTE: Wait for deploy
|
||||
./tools/deployment/common/wait-for-pods.sh osh-infra
|
||||
|
||||
#NOTE: Validate Deployment info
|
||||
helm status ldap
|
|
@ -0,0 +1,57 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
set -xe
|
||||
|
||||
#NOTE: Lint and package chart
|
||||
make mariadb
|
||||
|
||||
tee /tmp/mariadb.yaml <<EOF
|
||||
manifests:
|
||||
network_policy: true
|
||||
network_policy:
|
||||
mariadb:
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: grafana
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: mariadb
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 3306
|
||||
- protocol: TCP
|
||||
port: 4567
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
EOF
|
||||
|
||||
#NOTE: Deploy command
|
||||
: ${OSH_INFRA_EXTRA_HELM_ARGS:=""}
|
||||
helm upgrade --install mariadb ./mariadb \
|
||||
--namespace=osh-infra \
|
||||
--values=/tmp/mariadb.yaml \
|
||||
--set pod.replicas.server=1 \
|
||||
${OSH_INFRA_EXTRA_HELM_ARGS} \
|
||||
${OSH_INFRA_EXTRA_HELM_ARGS_MARIADB}
|
||||
|
||||
#NOTE: Wait for deploy
|
||||
./tools/deployment/common/wait-for-pods.sh osh-infra
|
||||
|
||||
#NOTE: Validate Deployment info
|
||||
helm status mariadb
|
|
@ -0,0 +1,70 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
set -xe
|
||||
|
||||
#NOTE: Lint and package chart
|
||||
make prometheus
|
||||
|
||||
tee /tmp/prometheus.yaml <<EOF
|
||||
manifests:
|
||||
network_policy: true
|
||||
network_policy:
|
||||
prometheus:
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: prometheus
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: elasticsearch-exporter
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: elasticsearch
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: grafana
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: nagios
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: fluentd-exporter
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: fluentd
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 9093
|
||||
- protocol: TCP
|
||||
port: 6783
|
||||
- protocol: TCP
|
||||
port: 9108
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
EOF
|
||||
|
||||
#NOTE: Deploy command
|
||||
helm upgrade --install prometheus ./prometheus \
|
||||
--namespace=osh-infra \
|
||||
--values=/tmp/prometheus.yaml
|
||||
|
||||
#NOTE: Wait for deploy
|
||||
./tools/deployment/common/wait-for-pods.sh osh-infra
|
||||
|
||||
#NOTE: Validate Deployment info
|
||||
helm status prometheus
|
|
@ -0,0 +1,51 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
set -xe
|
||||
|
||||
#NOTE: Lint and package chart
|
||||
make prometheus-alertmanager
|
||||
|
||||
tee /tmp/prometheus-alertmanager.yaml <<EOF
|
||||
manifests:
|
||||
network_policy: true
|
||||
network_policy:
|
||||
alertmanager:
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: prometheus-alertmanager
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 9093
|
||||
- protocol: TCP
|
||||
port: 6783
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
EOF
|
||||
|
||||
#NOTE: Deploy command
|
||||
helm upgrade --install prometheus-alertmanager ./prometheus-alertmanager \
|
||||
--namespace=osh-infra \
|
||||
--values=/tmp/prometheus-alertmanager.yaml \
|
||||
--set pod.replicas.alertmanager=1
|
||||
|
||||
#NOTE: Wait for deploy
|
||||
./tools/deployment/common/wait-for-pods.sh osh-infra
|
||||
|
||||
#NOTE: Validate Deployment info
|
||||
helm status prometheus-alertmanager
|
|
@ -0,0 +1,30 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
set -xe
|
||||
|
||||
#NOTE: Lint and package chart
|
||||
make prometheus-kube-state-metrics
|
||||
|
||||
#NOTE: Deploy command
|
||||
helm upgrade --install prometheus-kube-state-metrics \
|
||||
./prometheus-kube-state-metrics --namespace=kube-system
|
||||
|
||||
#NOTE: Wait for deploy
|
||||
./tools/deployment/common/wait-for-pods.sh kube-system
|
||||
|
||||
#NOTE: Validate Deployment info
|
||||
helm status prometheus-kube-state-metrics
|
|
@ -0,0 +1,30 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
set -xe
|
||||
|
||||
#NOTE: Lint and package chart
|
||||
make prometheus-node-exporter
|
||||
|
||||
#NOTE: Deploy command
|
||||
helm upgrade --install prometheus-node-exporter \
|
||||
./prometheus-node-exporter --namespace=kube-system
|
||||
|
||||
#NOTE: Wait for deploy
|
||||
./tools/deployment/common/wait-for-pods.sh kube-system
|
||||
|
||||
#NOTE: Validate Deployment info
|
||||
helm status prometheus-node-exporter
|
|
@ -0,0 +1,30 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
set -xe
|
||||
|
||||
#NOTE: Lint and package chart
|
||||
make prometheus-process-exporter
|
||||
|
||||
#NOTE: Deploy command
|
||||
helm upgrade --install prometheus-process-exporter \
|
||||
./prometheus-process-exporter --namespace=kube-system
|
||||
|
||||
#NOTE: Wait for deploy
|
||||
./tools/deployment/common/wait-for-pods.sh kube-system
|
||||
|
||||
#NOTE: Validate Deployment info
|
||||
helm status prometheus-process-exporter
|
|
@ -0,0 +1,48 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
set -xe
|
||||
|
||||
#NOTE: Lint and package chart
|
||||
make grafana
|
||||
|
||||
tee /tmp/grafana.yaml <<EOF
|
||||
manifests:
|
||||
network_policy: true
|
||||
network_policy:
|
||||
grafana:
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: grafana
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 3000
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
EOF
|
||||
|
||||
#NOTE: Deploy command
|
||||
helm upgrade --install grafana ./grafana \
|
||||
--namespace=osh-infra \
|
||||
--values=/tmp/grafana.yaml
|
||||
|
||||
#NOTE: Wait for deploy
|
||||
./tools/deployment/common/wait-for-pods.sh osh-infra
|
||||
|
||||
#NOTE: Validate Deployment info
|
||||
helm status grafana
|
|
@ -0,0 +1,49 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
set -xe
|
||||
|
||||
#NOTE: Lint and package chart
|
||||
make nagios
|
||||
|
||||
tee /tmp/nagios.yaml <<EOF
|
||||
manifests:
|
||||
network_policy: true
|
||||
network_policy:
|
||||
nagios:
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: nagios
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 8000
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
EOF
|
||||
|
||||
|
||||
#NOTE: Deploy command
|
||||
helm upgrade --install nagios ./nagios \
|
||||
--namespace=osh-infra \
|
||||
--values=/tmp/nagios.yaml
|
||||
|
||||
#NOTE: Wait for deploy
|
||||
./tools/deployment/common/wait-for-pods.sh osh-infra
|
||||
|
||||
#NOTE: Validate Deployment info
|
||||
helm status nagios
|
|
@ -0,0 +1,46 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
set -xe
|
||||
|
||||
#NOTE: Lint and package chart
|
||||
make elasticsearch
|
||||
|
||||
#NOTE: Deploy command
|
||||
tee /tmp/elasticsearch.yaml << EOF
|
||||
monitoring:
|
||||
prometheus:
|
||||
enabled: true
|
||||
pod:
|
||||
replicas:
|
||||
data: 1
|
||||
manifests:
|
||||
network_policy: true
|
||||
network_policy:
|
||||
elasticsearch:
|
||||
ingress:
|
||||
- from:
|
||||
EOF
|
||||
|
||||
helm upgrade --install elasticsearch ./elasticsearch \
|
||||
--namespace=osh-infra \
|
||||
--values=/tmp/elasticsearch.yaml
|
||||
|
||||
#NOTE: Wait for deploy
|
||||
./tools/deployment/common/wait-for-pods.sh osh-infra
|
||||
|
||||
#NOTE: Validate Deployment info
|
||||
helm status elasticsearch
|
|
@ -0,0 +1,91 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
set -xe
|
||||
|
||||
ELASTICSEARCH_ENDPOINT="elasticsearch-logging.osh-infra"
|
||||
|
||||
#NOTE: Create index with specified LDAP user
|
||||
function create_index () {
|
||||
index_result=$(curl -K- <<< "--user $1:$2" \
|
||||
-XPUT "${ELASTICSEARCH_ENDPOINT}/$1_index?pretty" -H 'Content-Type: application/json' -d'
|
||||
{
|
||||
"settings" : {
|
||||
"index" : {
|
||||
"number_of_shards" : 3,
|
||||
"number_of_replicas" : 2
|
||||
}
|
||||
}
|
||||
}
|
||||
' | python -c "import sys, json; print json.load(sys.stdin)['acknowledged']")
|
||||
if [ "$index_result" == "True" ];
|
||||
then
|
||||
echo "$1's index successfully created!";
|
||||
else
|
||||
echo "$1's index not created!";
|
||||
exit 1;
|
||||
fi
|
||||
}
|
||||
|
||||
#NOTE: Insert test data with specified LDAP user
|
||||
function insert_test_data () {
|
||||
insert_result=$(curl -K- <<< "--user $1:$2" \
|
||||
-XPUT "${ELASTICSEARCH_ENDPOINT}/$1_index/sample_type/123/_create?pretty" -H 'Content-Type: application/json' -d'
|
||||
{
|
||||
"name" : "Elasticsearch",
|
||||
"message" : "Test data text entry"
|
||||
}
|
||||
' | python -c "import sys, json; print json.load(sys.stdin)['result']")
|
||||
if [ "$insert_result" == "created" ]; then
|
||||
sleep 20
|
||||
echo "Test data inserted into $1's index!";
|
||||
else
|
||||
echo "Test data not inserted into $1's index!";
|
||||
exit 1;
|
||||
fi
|
||||
}
|
||||
|
||||
#NOTE: Check hits on test data in specified LDAP user's index
|
||||
function check_hits () {
|
||||
total_hits=$(curl -K- <<< "--user $1:$2" \
|
||||
"${ELASTICSEARCH_ENDPOINT}/_search?pretty" -H 'Content-Type: application/json' -d'
|
||||
{
|
||||
"query" : {
|
||||
"bool": {
|
||||
"must": [
|
||||
{ "match": { "name": "Elasticsearch" }},
|
||||
{ "match": { "message": "Test data text entry" }}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
' | python -c "import sys, json; print json.load(sys.stdin)['hits']['total']")
|
||||
if [ "$total_hits" -gt 0 ]; then
|
||||
echo "Successful hits on test data query on $1's index!"
|
||||
else
|
||||
echo "No hits on query for test data on $1's index!";
|
||||
exit 1;
|
||||
fi
|
||||
}
|
||||
|
||||
create_index bob password
|
||||
create_index alice password
|
||||
|
||||
insert_test_data bob password
|
||||
insert_test_data alice password
|
||||
|
||||
check_hits bob password
|
||||
check_hits alice password
|
|
@ -0,0 +1,51 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
set -xe
|
||||
|
||||
#NOTE: Lint and package chart
|
||||
make fluent-logging
|
||||
|
||||
tee /tmp/fluent-logging.yaml <<EOF
|
||||
manifests:
|
||||
network_policy: true
|
||||
network_policy:
|
||||
fluentbit:
|
||||
ingress:
|
||||
- from:
|
||||
fluentd:
|
||||
ingress:
|
||||
- from:
|
||||
fluent:
|
||||
ingress:
|
||||
- from:
|
||||
fluent-logging:
|
||||
ingress:
|
||||
- from:
|
||||
EOF
|
||||
|
||||
|
||||
#NOTE: Deploy command
|
||||
helm upgrade --install fluent-logging ./fluent-logging \
|
||||
--namespace=osh-infra \
|
||||
--values=/tmp/fluent-logging.yaml \
|
||||
--set pod.replicas.fluentd=1
|
||||
|
||||
#NOTE: Wait for deploy
|
||||
./tools/deployment/common/wait-for-pods.sh osh-infra
|
||||
|
||||
#NOTE: Validate Deployment info
|
||||
helm status fluent-logging
|
|
@ -0,0 +1,47 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
set -xe
|
||||
|
||||
#NOTE: Lint and package chart
|
||||
make kibana
|
||||
|
||||
tee /tmp/kibana.yaml <<EOF
|
||||
manifests:
|
||||
network_policy: true
|
||||
network_policy:
|
||||
kibana:
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: kibana
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 5601
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
EOF
|
||||
|
||||
#NOTE: Deploy command
|
||||
helm upgrade --install kibana ./kibana \
|
||||
--namespace=osh-infra \
|
||||
--values=/tmp/kibana.yaml
|
||||
#NOTE: Wait for deploy
|
||||
./tools/deployment/common/wait-for-pods.sh osh-infra
|
||||
|
||||
#NOTE: Validate Deployment info
|
||||
helm status kibana
|
|
@ -0,0 +1,48 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
set -xe
|
||||
|
||||
# test_netpol(namespace, component, target_host, expected_result{fail,success})
|
||||
function test_netpol {
|
||||
NS=$1
|
||||
COMPONENT=$2
|
||||
HOST=$3
|
||||
STATUS=$4
|
||||
echo Testing connection from $COMPONENT to host $HOST with namespace $NS
|
||||
POD=$(kubectl -n $NS get pod | grep $COMPONENT | grep Running | awk '{print $1}')
|
||||
PID=$(sudo docker inspect --format '{{ .State.Pid }}' $(kubectl get pods --namespace $NS $POD -o jsonpath='{.status.containerStatuses[0].containerID}' | cut -c 10-21))
|
||||
if [ "x${STATUS}" == "xfail" ]; then
|
||||
if ! sudo nsenter -t $PID -n wget --spider --timeout=5 --tries=1 $HOST ; then
|
||||
echo "Connection timed out; as expected by policy."
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
sudo nsenter -t $PID -n wget --spider --timeout=10 --tries=1 $HOST
|
||||
fi
|
||||
}
|
||||
# Doing negative tests
|
||||
test_netpol osh-infra mariadb-server elasticsearch.osh-infra.svc.cluster.local fail
|
||||
test_netpol osh-infra mariadb-server nagios.osh-infra.svc.cluster.local fail
|
||||
test_netpol osh-infra mariadb-server prometheus.osh-infra.svc.cluster.local fail
|
||||
|
||||
# Doing positive tests
|
||||
test_netpol osh-infra grafana mariadb.osh-infra.svc.cluster.local:3306 success
|
||||
|
||||
echo Test successfully
|
||||
|
||||
|
|
@ -139,6 +139,37 @@
|
|||
- ./tools/deployment/developer/nfs/130-fluent-logging.sh
|
||||
- ./tools/deployment/developer/nfs/140-kibana.sh
|
||||
|
||||
- job:
|
||||
name: openstack-helm-infra-dev-deploy-nfs-networkpolicy
|
||||
parent: openstack-helm-functional
|
||||
timeout: 7200
|
||||
pre-run: playbooks/osh-infra-upgrade-host.yaml
|
||||
run: playbooks/osh-infra-gate-runner.yaml
|
||||
post-run: playbooks/osh-infra-collect-logs.yaml
|
||||
nodeset: openstack-helm-single-node
|
||||
vars:
|
||||
gate_scripts:
|
||||
- ./tools/deployment/developer/nfs/000-install-packages.sh
|
||||
- ./tools/deployment/developer/nfs/005-deploy-k8s.sh
|
||||
- ./tools/deployment/developer/nfs/010-deploy-docker-registry.sh
|
||||
- ./tools/deployment/developer/nfs/020-ingress.sh
|
||||
- ./tools/deployment/developer/nfs/030-nfs-provisioner.sh
|
||||
- ./tools/deployment/developer/netpol/039-lockdown.sh
|
||||
- ./tools/deployment/developer/netpol/040-ldap.sh
|
||||
- ./tools/deployment/developer/netpol/045-mariadb.sh
|
||||
- ./tools/deployment/developer/netpol/050-prometheus.sh
|
||||
- ./tools/deployment/developer/netpol/060-alertmanager.sh
|
||||
- ./tools/deployment/developer/netpol/070-kube-state-metrics.sh
|
||||
- ./tools/deployment/developer/netpol/080-node-exporter.sh
|
||||
- ./tools/deployment/developer/netpol/090-process-exporter.sh
|
||||
- ./tools/deployment/developer/netpol/100-grafana.sh
|
||||
- ./tools/deployment/developer/netpol/110-nagios.sh
|
||||
- ./tools/deployment/developer/netpol/120-elasticsearch.sh
|
||||
- ./tools/deployment/developer/netpol/125-elasticsearch-ldap.sh
|
||||
- ./tools/deployment/developer/netpol/130-fluent-logging.sh
|
||||
- ./tools/deployment/developer/netpol/140-kibana.sh
|
||||
- ./tools/deployment/developer/netpol/901-test-networkpolicy.sh
|
||||
|
||||
- job:
|
||||
name: openstack-helm-infra-openstack-support
|
||||
parent: openstack-helm-functional
|
||||
|
|
|
@ -28,6 +28,8 @@
|
|||
#NOTE(srwilkers): Changing the dev-deploy-nfs job to nonvoting until
|
||||
# we can agree on the proper services to deploy with this job
|
||||
voting: false
|
||||
- openstack-helm-infra-dev-deploy-nfs-networkpolicy:
|
||||
voting: false
|
||||
- openstack-helm-infra-openstack-support
|
||||
- openstack-helm-infra-kubernetes-keystone-auth
|
||||
gate:
|
||||
|
|
Loading…
Reference in New Issue