airship/promenade
Code Issues Proposed changes

Etcd network policy

Browse Source 
This PS adds etcd network policy for clusters with
enabled ones.

Also bumped up Helm version to 3.15.4.

Change-Id: Id1da6c7f0511d6c3e4f211295f2af7fccd46203e
This commit is contained in:
Sergiy Markin 2024-09-28 01:23:33 +00:00
parent 6769e5ce09
commit afd97decf2
14 changed files with 89 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
charts/etcd/Chart.yaml
View File

@ -15,4 +15,4 @@
apiVersion: v1 apiVersion: v1
description: A chart for a DaemonSet-based etcd deployment. description: A chart for a DaemonSet-based etcd deployment.
name: etcd name: etcd
version: 0.1.4 version: 0.1.5

48
charts/etcd/templates/networkpolicy.yaml Normal file
View File

@ -0,0 +1,48 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.networkPolicy.enabled }}
{{- $envAll := . }}
{{- $applicationName := .Values.service.name | replace "-etcd" "" }}
{{- $namespace := "default" }} # Assign "default" initially
{{- if .Release }}
{{- $namespace = .Release.Namespace | default "default" }} # Override if .Release.Namespace is set
{{- end }}
{{- range .Values.networkPolicy.policies }}
{{- $policyName := (keys . | first) }} # Get the key name (etcd or auxiliary-etcd)
{{- $policy := index . $policyName }} # Get the value (the policy details)
{{- $labels := tuple $envAll $applicationName $policyName | include "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-{{ $policyName }}
namespace: {{ $namespace }}
labels:
{{ $labels | indent 4 }}
annotations:
{{ tuple $ | include "helm-toolkit.snippets.release_uuid" }}
spec:
policyTypes:
- Ingress
- Egress
podSelector:
matchLabels:
{{ $labels | indent 6 }}
{{ toYaml $policy | indent 2 }}
---
{{- end }}
{{- end }}

3
charts/etcd/values.yaml
View File

@ -128,6 +128,9 @@ network:
target_port: 2380 target_port: 2380
enable_node_port: false enable_node_port: false
networkPolicy:
enabled: false
service: service:
# requires override for a specific use case e.g. calico-etcd or kubernetes-etcd # requires override for a specific use case e.g. calico-etcd or kubernetes-etcd
name: example-etcd name: example-etcd

26
charts/etcd/values_override/network_policies.yaml Normal file
View File

@ -0,0 +1,26 @@
---
networkPolicy:
enabled: true
policies:
- etcd:
ingress:
- ports:
- protocol: TCP
port: 2379
- protocol: TCP
port: 2380
egress:
- {}
- auxiliary-etcd:
ingress:
- ports:
- protocol: TCP
port: 12379
- protocol: TCP
port: 12380
- protocol: TCP
port: 22379
- protocol: TCP
port: 22380
egress:
- {}

4
doc/source/configuration/host-system.rst
View File

@ -22,7 +22,7 @@ Sample Document to run containers in Docker runtime
images: images:
haproxy: haproxy:2.4 haproxy: haproxy:2.4
helm: helm:
helm: lachlanevenson/k8s-helm:v3.10.2 helm: lachlanevenson/k8s-helm:v3.15.4
monitoring_image: busybox:1.28.3 monitoring_image: busybox:1.28.3
packages: packages:
repositories: repositories:
@ -121,7 +121,7 @@ Sample Document to run containers in Containerd runtime
images: images:
haproxy: haproxy:2.4 haproxy: haproxy:2.4
helm: helm:
helm: lachlanevenson/k8s-helm:v3.10.2 helm: lachlanevenson/k8s-helm:v3.15.4
monitoring_image: busybox:1.28.3 monitoring_image: busybox:1.28.3
packages: packages:
additional: additional:

2
examples/basic/HostSystem.yaml
View File

@ -85,7 +85,7 @@ data:
monitoring_image: &busybox busybox:1.28.3 monitoring_image: &busybox busybox:1.28.3
haproxy: haproxy:2.4 haproxy: haproxy:2.4
helm: helm:
helm: lachlanevenson/k8s-helm:v3.14.4 helm: lachlanevenson/k8s-helm:v3.15.4
packages: packages:
common: common:
repositories: repositories:

2
examples/complete/HostSystem.yaml
View File

@ -85,7 +85,7 @@ data:
monitoring_image: busybox:1.28.3 monitoring_image: busybox:1.28.3
haproxy: haproxy:2.4 haproxy: haproxy:2.4
helm: helm:
helm: lachlanevenson/k8s-helm:v3.14.4 helm: lachlanevenson/k8s-helm:v3.15.4
packages: packages:
common: common:
repositories: repositories:

2
examples/containerd/HostSystem.yaml
View File

@ -85,7 +85,7 @@ data:
monitoring_image: &busybox busybox:1.28.3 monitoring_image: &busybox busybox:1.28.3
haproxy: haproxy:2.4 haproxy: haproxy:2.4
helm: helm:
helm: lachlanevenson/k8s-helm:v3.14.4 helm: lachlanevenson/k8s-helm:v3.15.4
packages: packages:
common: common:
additional: additional:

2
examples/gate/HostSystem.yaml
View File

@ -85,7 +85,7 @@ data:
monitoring_image: &busybox busybox:1.28.3 monitoring_image: &busybox busybox:1.28.3
haproxy: haproxy:2.4 haproxy: haproxy:2.4
helm: helm:
helm: lachlanevenson/k8s-helm:v3.14.4 helm: lachlanevenson/k8s-helm:v3.15.4
packages: packages:
common: common:
repositories: repositories:

2
tests/unit/api/test_validatedesign.py
View File

@ -153,7 +153,7 @@ VALID_DOCS = [
'images': { 'images': {
'haproxy': 'haproxy:2.4', 'haproxy': 'haproxy:2.4',
'helm': { 'helm': {
'helm': 'lachlanevenson/k8s-helm:v3.14.4' 'helm': 'lachlanevenson/k8s-helm:v3.15.4'
} }
}, },
'packages': { 'packages': {

2
tests/unit/builder_data/simple/HostSystem.yaml
View File

@ -38,7 +38,7 @@ data:
monitoring_image: &busybox busybox:1.28.3 monitoring_image: &busybox busybox:1.28.3
haproxy: haproxy:2.4 haproxy: haproxy:2.4
helm: helm:
helm: lachlanevenson/k8s-helm:v3.14.4 helm: lachlanevenson/k8s-helm:v3.15.4
packages: packages:
common: common:
repositories: repositories:

2
tools/gate/default-config-env
View File

@ -9,7 +9,7 @@ IMAGE_DEP_CHECK=quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
IMAGE_ETCD=quay.io/coreos/etcd:v3.5.12 IMAGE_ETCD=quay.io/coreos/etcd:v3.5.12
IMAGE_ETCDCTL=quay.io/airshipit/porthole-etcdctl-utility:latest-ubuntu_focal IMAGE_ETCDCTL=quay.io/airshipit/porthole-etcdctl-utility:latest-ubuntu_focal
IMAGE_HAPROXY=haproxy:2.4 IMAGE_HAPROXY=haproxy:2.4
IMAGE_HELM=lachlanevenson/k8s-helm:v3.14.4 IMAGE_HELM=lachlanevenson/k8s-helm:v3.15.4
IMAGE_APISERVER=registry.k8s.io/kube-apiserver-amd64:v1.29.4 IMAGE_APISERVER=registry.k8s.io/kube-apiserver-amd64:v1.29.4
IMAGE_CONTROLLER_MANAGER=registry.k8s.io/kube-controller-manager-amd64:v1.29.4 IMAGE_CONTROLLER_MANAGER=registry.k8s.io/kube-controller-manager-amd64:v1.29.4
IMAGE_SCHEDULER=registry.k8s.io/kube-scheduler-amd64:v1.29.4 IMAGE_SCHEDULER=registry.k8s.io/kube-scheduler-amd64:v1.29.4

2
tools/helm_install.sh
View File

@ -17,7 +17,7 @@
set -x set -x
HELM=$1 HELM=$1
HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.14.4-linux-amd64.tar.gz"} HELM_ARTIFACT_URL=${HELM_ARTIFACT_URL:-"https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz"}
function install_helm_binary { function install_helm_binary {

2
tools/registry/IMAGES
View File

@ -6,7 +6,7 @@ registry.k8s.io/kube-apiserver-amd64,v1.29.4,apiserver
registry.k8s.io/kube-controller-manager-amd64,v1.29.4,controller-manager registry.k8s.io/kube-controller-manager-amd64,v1.29.4,controller-manager
registry.k8s.io/kube-scheduler-amd64,v1.29.4,scheduler registry.k8s.io/kube-scheduler-amd64,v1.29.4,scheduler
registry.k8s.io/kube-proxy-amd64,v1.29.4,proxy registry.k8s.io/kube-proxy-amd64,v1.29.4,proxy
lachlanevenson/k8s-helm,v3.14.4,helm lachlanevenson/k8s-helm,v3.15.4,helm
quay.io/airshipit/armada,master,armada quay.io/airshipit/armada,master,armada
quay.io/airshipit/armada-operator,latest,armada-operator quay.io/airshipit/armada-operator,latest,armada-operator
quay.io/calico/cni,v3.4.0,calico-cni quay.io/calico/cni,v3.4.0,calico-cni