From afd97decf2c0d15c8c7d5141f2c2b2b5491ee67c Mon Sep 17 00:00:00 2001 From: Sergiy Markin Date: Sat, 28 Sep 2024 01:23:33 +0000 Subject: [PATCH] Etcd network policy This PS adds etcd network policy for clusters with enabled ones. Also bumped up Helm version to 3.15.4. Change-Id: Id1da6c7f0511d6c3e4f211295f2af7fccd46203e --- charts/etcd/Chart.yaml | 2 +- charts/etcd/templates/networkpolicy.yaml | 48 +++++++++++++++++++ charts/etcd/values.yaml | 3 ++ .../values_override/network_policies.yaml | 26 ++++++++++ doc/source/configuration/host-system.rst | 4 +- examples/basic/HostSystem.yaml | 2 +- examples/complete/HostSystem.yaml | 2 +- examples/containerd/HostSystem.yaml | 2 +- examples/gate/HostSystem.yaml | 2 +- tests/unit/api/test_validatedesign.py | 2 +- .../unit/builder_data/simple/HostSystem.yaml | 2 +- tools/gate/default-config-env | 2 +- tools/helm_install.sh | 2 +- tools/registry/IMAGES | 2 +- 14 files changed, 89 insertions(+), 12 deletions(-) create mode 100644 charts/etcd/templates/networkpolicy.yaml create mode 100644 charts/etcd/values_override/network_policies.yaml diff --git a/charts/etcd/Chart.yaml b/charts/etcd/Chart.yaml index 5437ca20..8a41b480 100644 --- a/charts/etcd/Chart.yaml +++ b/charts/etcd/Chart.yaml @@ -15,4 +15,4 @@ apiVersion: v1 description: A chart for a DaemonSet-based etcd deployment. name: etcd -version: 0.1.4 +version: 0.1.5 diff --git a/charts/etcd/templates/networkpolicy.yaml b/charts/etcd/templates/networkpolicy.yaml new file mode 100644 index 00000000..a3df3510 --- /dev/null +++ b/charts/etcd/templates/networkpolicy.yaml 
@@ -0,0 +1,48 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.networkPolicy.enabled }}
+ {{- $envAll := . }}
+ {{- $applicationName := .Values.service.name | replace "-etcd" "" }}
+ {{- $namespace := "default" }} # Assign "default" initially
+ {{- if .Release }}
+ {{- $namespace = .Release.Namespace | default "default" }} # Override if .Release.Namespace is set
+ {{- end }}
+{{- range .Values.networkPolicy.policies }}
+ {{- $policyName := (keys . | first) }} # Get the key name (etcd or auxiliary-etcd)
+ {{- $policy := index . $policyName }} # Get the value (the policy details)
+ {{- $labels := tuple $envAll $applicationName $policyName | include "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-{{ $policyName }}
+ namespace: {{ $namespace }}
+ labels:
+{{ $labels | indent 4 }}
+ annotations:
+ {{ tuple $ | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+{{ $labels | indent 6 }}
+{{ toYaml $policy | indent 2 }}
+---
+{{- end }}
+{{- end }}
diff --git a/charts/etcd/values.yaml b/charts/etcd/values.yaml
index 17470ec1..fc924d21 100644
--- a/charts/etcd/values.yaml
+++ b/charts/etcd/values.yaml
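Review bot: `policyTypes` is fixed to both Ingress and Egress for every generated NetworkPolicy, so a `policies` entry that omits one of the two sections becomes a default-deny in that direction for the selected pods — for egress that would also block DNS and peer traffic — and neither this template nor values.yaml states that both keys are mandatory. Deriving the list from the keys actually present in `$policy` keeps the rendered object faithful to what the user wrote (see below). Separately, the trailing `# ...` remarks after `}}` (e.g. `{{- $namespace := "default" }} # Assign "default" initially`) are emitted into the rendered stream rather than stripped; they survive as YAML comments, so harmless, but `{{/* ... */}}` keeps them template-side. `name: allow-{{ $policyName }}` carries no release name, so two releases of this chart in one namespace would collide on the object name — worth confirming whether that deployment shape is intended.
```yaml
spec:
  policyTypes:
  {{- if hasKey $policy "ingress" }}
  - Ingress
  {{- end }}
  {{- if hasKey $policy "egress" }}
  - Egress
  {{- end }}
  # … unchanged: podSelector, toYaml $policy …
```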
@@ -128,6 +128,9 @@ network: target_port: 2380 enable_node_port: false +networkPolicy: + enabled: false + service: # requires override for a specific use case e.g. calico-etcd or kubernetes-etcd name: example-etcd diff --git a/charts/etcd/values_override/network_policies.yaml b/charts/etcd/values_override/network_policies.yaml new file mode 100644 index 00000000..4b5d15de --- /dev/null +++ b/charts/etcd/values_override/network_policies.yaml @@ -0,0 +1,26 @@ +--- +networkPolicy: + enabled: true + policies: + - etcd: + ingress: + - ports: + - protocol: TCP + port: 2379 + - protocol: TCP + port: 2380 + egress: + - {} + - auxiliary-etcd: + ingress: + - ports: + - protocol: TCP + port: 12379 + - protocol: TCP + port: 12380 + - protocol: TCP + port: 22379 + - protocol: TCP + port: 22380 + egress: + - {} diff --git a/doc/source/configuration/host-system.rst b/doc/source/configuration/host-system.rst index 54d667de..827fde3a 100644 --- a/doc/source/configuration/host-system.rst +++ b/doc/source/configuration/host-system.rst @@ -22,7 +22,7 @@ Sample Document to run containers in Docker runtime images: haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.10.2 + helm: lachlanevenson/k8s-helm:v3.15.4 monitoring_image: busybox:1.28.3 packages: repositories: @@ -121,7 +121,7 @@ Sample Document to run containers in Containerd runtime images: haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.10.2 + helm: lachlanevenson/k8s-helm:v3.15.4 monitoring_image: busybox:1.28.3 packages: additional: diff --git a/examples/basic/HostSystem.yaml b/examples/basic/HostSystem.yaml index d40dc39d..e488cc09 100644 --- a/examples/basic/HostSystem.yaml +++ b/examples/basic/HostSystem.yaml @@ -85,7 +85,7 @@ data: monitoring_image: &busybox busybox:1.28.3 haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.14.4 + helm: lachlanevenson/k8s-helm:v3.15.4 packages: common: repositories: 
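Review bot: `networkPolicy.policies`, which templates/networkpolicy.yaml ranges over, is neither declared nor documented next to the new `enabled: false` default, so a user who flips `enabled: true` without the override file gets no policies rendered and no hint of the expected shape. Declaring it as `policies: []` with a comment such as `# list of single-key maps {<component>: {ingress: [...], egress: [...]}}; both keys are required, see values_override/network_policies.yaml` would make the contract visible in the chart's default values.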
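Review bot: The ingress rules under `etcd` and `auxiliary-etcd` list only `ports` with no `from` selector, so they admit traffic on 2379/2380 (and the auxiliary ports) from any source that can reach the pod, and `egress: - {}` permits all outbound traffic; the result is a port allow-list, not a peer restriction. If the goal is to isolate etcd, each ingress rule needs a `from:` block (podSelector/namespaceSelector or ipBlock) scoping client ports to the API-server pods and peer ports to the other etcd members, and the egress rule can likewise be narrowed to peers plus DNS; the right selectors for this chart are not visible in the diff. A comment above `policies:` stating that these entries are a permissive starting point would at least prevent them from being read as a hardened default.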
diff --git a/examples/complete/HostSystem.yaml b/examples/complete/HostSystem.yaml index 995971d2..71046802 100644 --- a/examples/complete/HostSystem.yaml +++ b/examples/complete/HostSystem.yaml @@ -85,7 +85,7 @@ data: monitoring_image: busybox:1.28.3 haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.14.4 + helm: lachlanevenson/k8s-helm:v3.15.4 packages: common: repositories: diff --git a/examples/containerd/HostSystem.yaml b/examples/containerd/HostSystem.yaml index 04e94c30..d71571f0 100644 --- a/examples/containerd/HostSystem.yaml +++ b/examples/containerd/HostSystem.yaml @@ -85,7 +85,7 @@ data: monitoring_image: &busybox busybox:1.28.3 haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.14.4 + helm: lachlanevenson/k8s-helm:v3.15.4 packages: common: additional: diff --git a/examples/gate/HostSystem.yaml b/examples/gate/HostSystem.yaml index b928c0f8..5d68bc35 100644 --- a/examples/gate/HostSystem.yaml +++ b/examples/gate/HostSystem.yaml @@ -85,7 +85,7 @@ data: monitoring_image: &busybox busybox:1.28.3 haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.14.4 + helm: lachlanevenson/k8s-helm:v3.15.4 packages: common: repositories: diff --git a/tests/unit/api/test_validatedesign.py b/tests/unit/api/test_validatedesign.py index ba74905c..8d16bb52 100644 --- a/tests/unit/api/test_validatedesign.py +++ b/tests/unit/api/test_validatedesign.py @@ -153,7 +153,7 @@ VALID_DOCS = [ 'images': { 'haproxy': 'haproxy:2.4', 'helm': { - 'helm': 'lachlanevenson/k8s-helm:v3.14.4' + 'helm': 'lachlanevenson/k8s-helm:v3.15.4' } }, 'packages': { diff --git a/tests/unit/builder_data/simple/HostSystem.yaml b/tests/unit/builder_data/simple/HostSystem.yaml index e5f3a867..75df04d5 100644 --- a/tests/unit/builder_data/simple/HostSystem.yaml +++ b/tests/unit/builder_data/simple/HostSystem.yaml 
@@ -38,7 +38,7 @@ data: monitoring_image: &busybox busybox:1.28.3 haproxy: haproxy:2.4 helm: - helm: lachlanevenson/k8s-helm:v3.14.4 + helm: lachlanevenson/k8s-helm:v3.15.4 packages: common: repositories: diff --git a/tools/gate/default-config-env b/tools/gate/default-config-env index 351ac071..a378dd40 100644 --- a/tools/gate/default-config-env +++ b/tools/gate/default-config-env @@ -9,7 +9,7 @@ IMAGE_DEP_CHECK=quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal IMAGE_ETCD=quay.io/coreos/etcd:v3.5.12 IMAGE_ETCDCTL=quay.io/airshipit/porthole-etcdctl-utility:latest-ubuntu_focal IMAGE_HAPROXY=haproxy:2.4 -IMAGE_HELM=lachlanevenson/k8s-helm:v3.14.4 +IMAGE_HELM=lachlanevenson/k8s-helm:v3.15.4 IMAGE_APISERVER=registry.k8s.io/kube-apiserver-amd64:v1.29.4 IMAGE_CONTROLLER_MANAGER=registry.k8s.io/kube-controller-manager-amd64:v1.29.4 IMAGE_SCHEDULER=registry.k8s.io/kube-scheduler-amd64:v1.29.4 diff --git a/tools/helm_install.sh b/tools/helm_install.sh index 708cd570..77171564 100755 --- a/tools/helm_install.sh +++ b/tools/helm_install.sh @@ -17,7 +17,7 @@ set -x HELM=$1 -HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.14.4-linux-amd64.tar.gz"} +HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz"} function install_helm_binary { diff --git a/tools/registry/IMAGES b/tools/registry/IMAGES index f16577a3..09f782d3 100644 --- a/tools/registry/IMAGES +++ b/tools/registry/IMAGES @@ -6,7 +6,7 @@ registry.k8s.io/kube-apiserver-amd64,v1.29.4,apiserver registry.k8s.io/kube-controller-manager-amd64,v1.29.4,controller-manager registry.k8s.io/kube-scheduler-amd64,v1.29.4,scheduler registry.k8s.io/kube-proxy-amd64,v1.29.4,proxy -lachlanevenson/k8s-helm,v3.14.4,helm +lachlanevenson/k8s-helm,v3.15.4,helm quay.io/airshipit/armada,master,armada quay.io/airshipit/armada-operator,latest,armada-operator quay.io/calico/cni,v3.4.0,calico-cni