Etcd network policy

This PS adds etcd network policy for clusters with enabled ones. Also bumped up Helm version to 3.15.4. Change-Id: Id1da6c7f0511d6c3e4f211295f2af7fccd46203e
2024-09-28 01:23:33 +00:00 · 2024-09-28 01:23:33 +00:00 · afd97decf2
commit afd97decf2
parent 6769e5ce09
14 changed files with 89 additions and 12 deletions
--- a/charts/etcd/Chart.yaml
+++ b/charts/etcd/Chart.yaml
@ -15,4 +15,4 @@
 apiVersion: v1
 description: A chart for a DaemonSet-based etcd deployment.
 name: etcd
-version: 0.1.4
+version: 0.1.5
--- a/charts/etcd/templates/networkpolicy.yaml
+++ b/charts/etcd/templates/networkpolicy.yaml
@ -0,0 +1,48 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.networkPolicy.enabled }}
+  {{- $envAll := . }}
+  {{- $applicationName := .Values.service.name | replace "-etcd" "" }}
+  {{- $namespace := "default" }}  # Assign "default" initially
+  {{- if .Release }}
+    {{- $namespace = .Release.Namespace | default "default" }}  # Override if .Release.Namespace is set
+  {{- end }}
+{{- range .Values.networkPolicy.policies }}
+  {{- $policyName := (keys . | first) }}  # Get the key name (etcd or auxiliary-etcd)
+  {{- $policy := index . $policyName }}   # Get the value (the policy details)
+  {{- $labels := tuple $envAll $applicationName $policyName | include "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-{{ $policyName }}
+  namespace: {{ $namespace }}
+  labels:
+{{ $labels | indent 4 }}
+  annotations:
+    {{ tuple $ | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  policyTypes:
+    - Ingress
+    - Egress
+  podSelector:
+    matchLabels:
+{{ $labels | indent 6 }}
+{{ toYaml $policy | indent 2 }}
+---
+{{- end }}
+{{- end }}
--- a/charts/etcd/values.yaml
+++ b/charts/etcd/values.yaml
@ -128,6 +128,9 @@ network:
    target_port: 2380
    enable_node_port: false

+networkPolicy:
+  enabled: false
+
 service:
  # requires override for a specific use case e.g. calico-etcd or kubernetes-etcd
  name: example-etcd
--- a/charts/etcd/values_override/network_policies.yaml
+++ b/charts/etcd/values_override/network_policies.yaml
@ -0,0 +1,26 @@
+---
+networkPolicy:
+  enabled: true
+  policies:
+    - etcd:
+        ingress:
+          - ports:
+              - protocol: TCP
+                port: 2379
+              - protocol: TCP
+                port: 2380
+        egress:
+          - {}
+    - auxiliary-etcd:
+        ingress:
+          - ports:
+              - protocol: TCP
+                port: 12379
+              - protocol: TCP
+                port: 12380
+              - protocol: TCP
+                port: 22379
+              - protocol: TCP
+                port: 22380
+        egress:
+          - {}
--- a/doc/source/configuration/host-system.rst
+++ b/doc/source/configuration/host-system.rst
@ -22,7 +22,7 @@ Sample Document to run containers in Docker runtime
      images:
        haproxy: haproxy:2.4
        helm:
-          helm: lachlanevenson/k8s-helm:v3.10.2
+          helm: lachlanevenson/k8s-helm:v3.15.4
        monitoring_image: busybox:1.28.3
      packages:
        repositories:
@ -121,7 +121,7 @@ Sample Document to run containers in Containerd runtime
      images:
        haproxy: haproxy:2.4
        helm:
-          helm: lachlanevenson/k8s-helm:v3.10.2
+          helm: lachlanevenson/k8s-helm:v3.15.4
        monitoring_image: busybox:1.28.3
      packages:
        additional:
--- a/examples/basic/HostSystem.yaml
+++ b/examples/basic/HostSystem.yaml
@ -85,7 +85,7 @@ data:
    monitoring_image: &busybox busybox:1.28.3
    haproxy: haproxy:2.4
    helm:
-      helm: lachlanevenson/k8s-helm:v3.14.4
+      helm: lachlanevenson/k8s-helm:v3.15.4
  packages:
    common:
      repositories:
--- a/examples/complete/HostSystem.yaml
+++ b/examples/complete/HostSystem.yaml
@ -85,7 +85,7 @@ data:
    monitoring_image: busybox:1.28.3
    haproxy: haproxy:2.4
    helm:
-      helm: lachlanevenson/k8s-helm:v3.14.4
+      helm: lachlanevenson/k8s-helm:v3.15.4
  packages:
    common:
      repositories:
--- a/examples/containerd/HostSystem.yaml
+++ b/examples/containerd/HostSystem.yaml
@ -85,7 +85,7 @@ data:
    monitoring_image: &busybox busybox:1.28.3
    haproxy: haproxy:2.4
    helm:
-      helm: lachlanevenson/k8s-helm:v3.14.4
+      helm: lachlanevenson/k8s-helm:v3.15.4
  packages:
    common:
      additional:
--- a/examples/gate/HostSystem.yaml
+++ b/examples/gate/HostSystem.yaml
@ -85,7 +85,7 @@ data:
    monitoring_image: &busybox busybox:1.28.3
    haproxy: haproxy:2.4
    helm:
-      helm: lachlanevenson/k8s-helm:v3.14.4
+      helm: lachlanevenson/k8s-helm:v3.15.4
  packages:
    common:
      repositories:
--- a/tests/unit/api/test_validatedesign.py
+++ b/tests/unit/api/test_validatedesign.py
@ -153,7 +153,7 @@ VALID_DOCS = [
            'images': {
                'haproxy': 'haproxy:2.4',
                'helm': {
-                    'helm': 'lachlanevenson/k8s-helm:v3.14.4'
+                    'helm': 'lachlanevenson/k8s-helm:v3.15.4'
                }
            },
            'packages': {
--- a/tests/unit/builder_data/simple/HostSystem.yaml
+++ b/tests/unit/builder_data/simple/HostSystem.yaml
@ -38,7 +38,7 @@ data:
    monitoring_image: &busybox busybox:1.28.3
    haproxy: haproxy:2.4
    helm:
-      helm: lachlanevenson/k8s-helm:v3.14.4
+      helm: lachlanevenson/k8s-helm:v3.15.4
  packages:
    common:
      repositories:
--- a/tools/gate/default-config-env
+++ b/tools/gate/default-config-env
@ -9,7 +9,7 @@ IMAGE_DEP_CHECK=quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
 IMAGE_ETCD=quay.io/coreos/etcd:v3.5.12
 IMAGE_ETCDCTL=quay.io/airshipit/porthole-etcdctl-utility:latest-ubuntu_focal
 IMAGE_HAPROXY=haproxy:2.4
-IMAGE_HELM=lachlanevenson/k8s-helm:v3.14.4
+IMAGE_HELM=lachlanevenson/k8s-helm:v3.15.4
 IMAGE_APISERVER=registry.k8s.io/kube-apiserver-amd64:v1.29.4
 IMAGE_CONTROLLER_MANAGER=registry.k8s.io/kube-controller-manager-amd64:v1.29.4
 IMAGE_SCHEDULER=registry.k8s.io/kube-scheduler-amd64:v1.29.4
--- a/tools/helm_install.sh
+++ b/tools/helm_install.sh
@ -17,7 +17,7 @@
 set -x

 HELM=$1
-HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.14.4-linux-amd64.tar.gz"}
+HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz"}


 function install_helm_binary {
--- a/tools/registry/IMAGES
+++ b/tools/registry/IMAGES
@ -6,7 +6,7 @@ registry.k8s.io/kube-apiserver-amd64,v1.29.4,apiserver
 registry.k8s.io/kube-controller-manager-amd64,v1.29.4,controller-manager
 registry.k8s.io/kube-scheduler-amd64,v1.29.4,scheduler
 registry.k8s.io/kube-proxy-amd64,v1.29.4,proxy
-lachlanevenson/k8s-helm,v3.14.4,helm
+lachlanevenson/k8s-helm,v3.15.4,helm
 quay.io/airshipit/armada,master,armada
 quay.io/airshipit/armada-operator,latest,armada-operator
 quay.io/calico/cni,v3.4.0,calico-cni