add helm chart for nginx ports control

this chart is added as a part of "stx-openstack" application,
in the same chart group as openstack-ingress chart, so that
when "nginx-ingress-controller" starts working, http and https
ports are allowed for nginx which accepts http/https requests
and forwards to internal services accordingly.
In the following LP#1827246, the http request of opening console
of VM instance is sent to nginx 80 first, and then nginx forwards
the request to "nova-novncproxy" at port 6080 internally.

Closes-Bug: 1827246

Change-Id: I183f7edc92f1a9e0bdedad0afe35e3d03e20e7d5
Signed-off-by: yhu6 <yong.hu@intel.com>

stx-openstack-helm/centos/build_srpm.data

@@ -1,3 +1,4 @@
 SRC_DIR="stx-openstack-helm"
-COPY_LIST_TO_TAR="$PKG_BASE/../../../helm-charts/garbd"
+COPY_LIST_TO_TAR="$PKG_BASE/../../../helm-charts/garbd \
+    $PKG_BASE/../../../helm-charts/nginx-ports-control"
 TIS_PATCH_VER=16

stx-openstack-helm/centos/stx-openstack-helm.spec

@@ -60,6 +60,7 @@ make nova-api-proxy
 make garbd
 make keystone-api-proxy
 make fm-rest-api
+make nginx-ports-control
 
 # terminate helm server (the last backgrounded task)
 kill %1

stx-openstack-helm/stx-openstack-helm/helm-charts/nginx-ports-control/Chart.yaml

@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2019 Intel, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+apiVersion: v1
+description: Nginx Ports Control
+name: nginx-ports-control
+version: 0.1.0

stx-openstack-helm/stx-openstack-helm/helm-charts/nginx-ports-control/templates/global_network_policy.yaml

@@ -0,0 +1,40 @@
+{{/*
+Copyright (c) 2019 Intel, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.global_network_policy -}}
+{{- $http_port := .Values.global_network_policy.ingress.destination.http_port}}
+{{- $https_port := .Values.global_network_policy.ingress.destination.https_port}}
+---
+apiVersion: "crd.projectcalico.org/v1"
+kind: GlobalNetworkPolicy
+metadata:
+  name: gnp-for-nginx-ports
+  namespace: openstack
+spec:
+  selector: "has(iftype) && iftype == 'oam'"
+  order: 100
+  applyOnForward: false
+  types:
+  - Ingress
+  - Egress
+  ingress:
+  - action: Allow
+    ipVersion: {{ .Values.global_network_policy.ingress.ipVersion }}
+    protocol: {{ .Values.global_network_policy.ingress.protocol }}
+    destination:
+      ports: [{{$http_port}}, {{$https_port}}]
+  egress:
+  - action: Allow
+{{- end -}}

stx-openstack-helm/stx-openstack-helm/helm-charts/nginx-ports-control/values.yaml

@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2019 Intel, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Default values for node-feature-discovery.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+global_network_policy:
+  ingress:
+    ipVersion: 4
+    protocol: TCP
+    destination:
+      http_port: 80
+      https_port: 443
+
+manifests:
+  global_network_policy: true

stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml

@@ -112,6 +112,21 @@ data:
     - helm-toolkit
 ---
 schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: openstack-nginx-ports-control
+data:
+  chart_name: nginx-ports-control
+  release: openstack-nginx-ports-control
+  namespace: openstack
+  values: {}
+  source:
+    type: tar
+    location: http://172.17.0.1/helm_charts/starlingx/nginx-ports-control-0.1.0.tgz
+    subpath: nginx-ports-control
+  dependencies: []
+---
+schema: armada/Chart/v1
 metadata:
   schema: metadata/Document/v1
   name: openstack-mariadb
@@ -3101,6 +3116,7 @@ data:
   sequenced: false
   chart_group:
     - openstack-ingress
+    - openstack-nginx-ports-control
 ---
 schema: armada/ChartGroup/v1
 metadata: