From 24d02eaf7c389cde0b4c63d646002fcfa10dd8c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C3=ADas=20Charri=C3=A8re?=
Date: Wed, 17 Apr 2024 11:35:05 +0200
Subject: [PATCH] Move extraPolicies from cilium to network-policies-app (#549)

* disable extraPolicies
Signed-off-by: Matias Charriere
* Add provider integration configs for netpol
Signed-off-by: Matias Charriere
* update schema
Signed-off-by: Matias Charriere
* update schema
Signed-off-by: Matias Charriere
* update docs
Signed-off-by: Matias Charriere
* update network-policies
Signed-off-by: Matias Charriere
* update netpol value
Signed-off-by: Matias Charriere
* update cluster dep and remove extraPolicies from cilium-app
Signed-off-by: Matias Charriere
* update docs
Signed-off-by: Matias Charriere
* update changelog
Signed-off-by: Matias Charriere
* fix changelog
Signed-off-by: Matias Charriere
* restore .gitignore
Signed-off-by: Matias Charriere
* fix docs
Signed-off-by: Matias Charriere
---------
Signed-off-by: Matias Charriere
---
 .gitignore | 2 ++
 CHANGELOG.md | 2 ++
 helm/cluster-aws/README.md | 9 ++++++++-
 .../templates/_cilium_helmrelease_config.yaml | 6 ++++--
 .../_network-policies_helmrelease_config.yaml | 10 ++++++++++
 helm/cluster-aws/values.schema.json | 9 +++++++++
 helm/cluster-aws/values.yaml | 3 +++
 7 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 helm/cluster-aws/templates/_network-policies_helmrelease_config.yaml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..e8bba1cd
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+helm/cluster-aws/charts
+helm/rendered
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 46e62045..36d041a3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Update cluster chart to v0.18.0. This updates teleport node labels and will roll nodes.
 - Update instanceWarmup to 10' to be on pair with Vintage
+- Enable extraPolicies from network-policies-app.
+- Disable and remove extraPolicies from cilium-app.
 ## [0.70.0] - 2024-04-15
diff --git a/helm/cluster-aws/README.md b/helm/cluster-aws/README.md
index 17cde8b2..b28745e5 100644
--- a/helm/cluster-aws/README.md
+++ b/helm/cluster-aws/README.md
@@ -59,6 +59,13 @@ Configuration of apps that are part of the cluster.
 | `global.apps.coreDns.extraConfigs[*].name` | **Name** - Name of the config map or secret. The object must exist in the same namespace as the cluster App.|**Type:** `string`
| | `global.apps.coreDns.extraConfigs[*].optional` | **Optional** - Optional marks this ValuesReference as optional. When set, a not found error for the values reference is ignored, but any ValuesKey, TargetPath or transient error will still result in a reconciliation failure.|**Type:** `boolean`
| | `global.apps.coreDns.values` | **Values** - Values to be passed to the app. Values will have higher priority than values from configmaps.|**Type:** `object`
| +| `global.apps.networkPolicies` | **App** - Configuration of an default app that is part of the cluster.|**Type:** `object`
| +| `global.apps.networkPolicies.extraConfigs` | **Extra config maps or secrets** - Extra config maps or secrets that will be used to customize to the app. The desired values must be under configmap or secret key 'values'. The values are merged in the order given, with the later values overwriting earlier, and then inline values overwriting those. Resources must be in the same namespace as the cluster.|**Type:** `array`
| +| `global.apps.networkPolicies.extraConfigs[*]` | **Config map or secret**|**Type:** `object`
| +| `global.apps.networkPolicies.extraConfigs[*].kind` | **Kind** - Specifies whether the resource is a config map or a secret.|**Type:** `string`
| +| `global.apps.networkPolicies.extraConfigs[*].name` | **Name** - Name of the config map or secret. The object must exist in the same namespace as the cluster App.|**Type:** `string`
| +| `global.apps.networkPolicies.extraConfigs[*].optional` | **Optional** - Optional marks this ValuesReference as optional. When set, a not found error for the values reference is ignored, but any ValuesKey, TargetPath or transient error will still result in a reconciliation failure.|**Type:** `boolean`
| +| `global.apps.networkPolicies.values` | **Values** - Values to be passed to the app. Values will have higher priority than values from configmaps.|**Type:** `object`
| | `global.apps.verticalPodAutoscalerCrd` | **App** - Configuration of an default app that is part of the cluster.|**Type:** `object`
| | `global.apps.verticalPodAutoscalerCrd.extraConfigs` | **Extra config maps or secrets** - Extra config maps or secrets that will be used to customize to the app. The desired values must be under configmap or secret key 'values'. The values are merged in the order given, with the later values overwriting earlier, and then inline values overwriting those. Resources must be in the same namespace as the cluster.|**Type:** `array`
| | `global.apps.verticalPodAutoscalerCrd.extraConfigs[*]` | **Config map or secret**|**Type:** `object`
| @@ -251,7 +258,7 @@ Properties within the `.global.podSecurityStandards` object | **Property** | **Description** | **More Details** | | :----------- | :-------------- | :--------------- | | `baseDomain` | **Base DNS domain**|**Type:** `string`
| -| `cluster` | **Cluster** - Helm values for the provider-independent cluster chart|**Type:** `object`
**Default:** `{"providerIntegration":{"apps":{"cilium":{"configTemplateName":"awsCiliumHelmValues"},"coredns":{"configTemplateName":"awsCorednsHelmValues"}},"clusterAnnotationsTemplateName":"awsConnectivityLabels","components":{"systemd":{"timesyncd":{"ntp":["169.254.169.123"]}}},"connectivity":{"proxy":{"noProxy":{"templateName":"awsNoProxyList","value":["elb.amazonaws.com","169.254.169.254"]}}},"controlPlane":{"kubeadmConfig":{"clusterConfiguration":{"apiServer":{"apiAudiences":{"templateName":"awsApiServerApiAudiences"},"featureGates":[{"enabled":true,"name":"CronJobTimeZone"}],"serviceAccountIssuer":{"templateName":"awsIrsaServiceAccountIssuer"}}},"files":[{"contentFrom":{"secret":{"key":"99-unmanaged-devices.network","name":"provider-specific-files","prependClusterNameAsPrefix":true}},"path":"/etc/systemd/network/99-unmanaged-devices.network","permissions":"0644"}],"ignition":{"containerLinuxConfig":{"additionalConfig":{"storage":{"filesystems":[{"mount":{"device":"/dev/xvdc","format":"xfs","label":"etcd","wipeFilesystem":true},"name":"etcd"},{"mount":{"device":"/dev/xvdd","format":"xfs","label":"containerd","wipeFilesystem":true},"name":"containerd"},{"mount":{"device":"/dev/xvde","format":"xfs","label":"kubelet","wipeFilesystem":true},"name":"kubelet"}]},"systemd":{"units":[{"contents":{"install":{"wantedBy":["local-fs-pre.target"]},"mount":{"type":"xfs","what":"/dev/disk/by-label/etcd","where":"/var/lib/etcd"},"unit":{"defaultDependencies":false,"description":"etcd volume"}},"enabled":true,"name":"var-lib-etcd.mount"},{"contents":{"install":{"wantedBy":["local-fs-pre.target"]},"mount":{"type":"xfs","what":"/dev/disk/by-label/kubelet","where":"/var/lib/kubelet"},"unit":{"defaultDependencies":false,"description":"kubelet 
volume"}},"enabled":true,"name":"var-lib-kubelet.mount"},{"contents":{"install":{"wantedBy":["local-fs-pre.target"]},"mount":{"type":"xfs","what":"/dev/disk/by-label/containerd","where":"/var/lib/containerd"},"unit":{"defaultDependencies":false,"description":"containerd volume"}},"enabled":true,"name":"var-lib-containerd.mount"}]}}}}},"resources":{"infrastructureMachineTemplate":{"group":"infrastructure.cluster.x-k8s.io","kind":"AWSMachineTemplate","version":"v1beta1"},"infrastructureMachineTemplateSpecTemplateName":"controlplane-awsmachinetemplate-spec"}},"pauseProperties":{"global.connectivity.vpcMode":"private"},"provider":"aws","registry":{"templateName":"awsContainerImageRegistry"},"resourcesApi":{"bastionResourceEnabled":false,"ciliumHelmReleaseResourceEnabled":true,"cleanupHelmReleaseResourcesEnabled":true,"clusterResourceEnabled":true,"controlPlaneResourceEnabled":true,"coreDnsHelmReleaseResourceEnabled":true,"helmRepositoryResourcesEnabled":true,"infrastructureCluster":{"group":"infrastructure.cluster.x-k8s.io","kind":"AWSCluster","version":"v1beta1"},"infrastructureMachinePool":{"group":"infrastructure.cluster.x-k8s.io","kind":"AWSMachinePool","version":"v1beta1"},"machineHealthCheckResourceEnabled":true,"machinePoolResourcesEnabled":true,"networkPoliciesHelmReleaseResourceEnabled":true,"nodePoolKind":"MachinePool","verticalPodAutoscalerCrdHelmReleaseResourceEnabled":true},"workers":{"defaultNodePools":{"def00":{"customNodeLabels":["label=default"],"instanceType":"r6i.xlarge","instanceWarmup":600,"maxSize":3,"minHealthyPercentage":90,"minSize":3}},"kubeadmConfig":{"files":[{"contentFrom":{"secret":{"key":"99-unmanaged-devices.network","name":"provider-specific-files","prependClusterNameAsPrefix":true}},"path":"/etc/systemd/network/99-unmanaged-devices.network","permissions":"0644"}]}}}}`| +| `cluster` | **Cluster** - Helm values for the provider-independent cluster chart|**Type:** `object`
**Default:** `{"providerIntegration":{"apps":{"cilium":{"configTemplateName":"awsCiliumHelmValues"},"coredns":{"configTemplateName":"awsCorednsHelmValues"},"networkPolicies":{"configTemplateName":"awsNetworkPoliciesHelmValues"}},"clusterAnnotationsTemplateName":"awsConnectivityLabels","components":{"systemd":{"timesyncd":{"ntp":["169.254.169.123"]}}},"connectivity":{"proxy":{"noProxy":{"templateName":"awsNoProxyList","value":["elb.amazonaws.com","169.254.169.254"]}}},"controlPlane":{"kubeadmConfig":{"clusterConfiguration":{"apiServer":{"apiAudiences":{"templateName":"awsApiServerApiAudiences"},"featureGates":[{"enabled":true,"name":"CronJobTimeZone"}],"serviceAccountIssuer":{"templateName":"awsIrsaServiceAccountIssuer"}}},"files":[{"contentFrom":{"secret":{"key":"99-unmanaged-devices.network","name":"provider-specific-files","prependClusterNameAsPrefix":true}},"path":"/etc/systemd/network/99-unmanaged-devices.network","permissions":"0644"}],"ignition":{"containerLinuxConfig":{"additionalConfig":{"storage":{"filesystems":[{"mount":{"device":"/dev/xvdc","format":"xfs","label":"etcd","wipeFilesystem":true},"name":"etcd"},{"mount":{"device":"/dev/xvdd","format":"xfs","label":"containerd","wipeFilesystem":true},"name":"containerd"},{"mount":{"device":"/dev/xvde","format":"xfs","label":"kubelet","wipeFilesystem":true},"name":"kubelet"}]},"systemd":{"units":[{"contents":{"install":{"wantedBy":["local-fs-pre.target"]},"mount":{"type":"xfs","what":"/dev/disk/by-label/etcd","where":"/var/lib/etcd"},"unit":{"defaultDependencies":false,"description":"etcd volume"}},"enabled":true,"name":"var-lib-etcd.mount"},{"contents":{"install":{"wantedBy":["local-fs-pre.target"]},"mount":{"type":"xfs","what":"/dev/disk/by-label/kubelet","where":"/var/lib/kubelet"},"unit":{"defaultDependencies":false,"description":"kubelet 
volume"}},"enabled":true,"name":"var-lib-kubelet.mount"},{"contents":{"install":{"wantedBy":["local-fs-pre.target"]},"mount":{"type":"xfs","what":"/dev/disk/by-label/containerd","where":"/var/lib/containerd"},"unit":{"defaultDependencies":false,"description":"containerd volume"}},"enabled":true,"name":"var-lib-containerd.mount"}]}}}}},"resources":{"infrastructureMachineTemplate":{"group":"infrastructure.cluster.x-k8s.io","kind":"AWSMachineTemplate","version":"v1beta1"},"infrastructureMachineTemplateSpecTemplateName":"controlplane-awsmachinetemplate-spec"}},"pauseProperties":{"global.connectivity.vpcMode":"private"},"provider":"aws","registry":{"templateName":"awsContainerImageRegistry"},"resourcesApi":{"bastionResourceEnabled":false,"ciliumHelmReleaseResourceEnabled":true,"cleanupHelmReleaseResourcesEnabled":true,"clusterResourceEnabled":true,"controlPlaneResourceEnabled":true,"coreDnsHelmReleaseResourceEnabled":true,"helmRepositoryResourcesEnabled":true,"infrastructureCluster":{"group":"infrastructure.cluster.x-k8s.io","kind":"AWSCluster","version":"v1beta1"},"infrastructureMachinePool":{"group":"infrastructure.cluster.x-k8s.io","kind":"AWSMachinePool","version":"v1beta1"},"machineHealthCheckResourceEnabled":true,"machinePoolResourcesEnabled":true,"networkPoliciesHelmReleaseResourceEnabled":true,"nodePoolKind":"MachinePool","verticalPodAutoscalerCrdHelmReleaseResourceEnabled":true},"workers":{"defaultNodePools":{"def00":{"customNodeLabels":["label=default"],"instanceType":"r6i.xlarge","instanceWarmup":600,"maxSize":3,"minHealthyPercentage":90,"minSize":3}},"kubeadmConfig":{"files":[{"contentFrom":{"secret":{"key":"99-unmanaged-devices.network","name":"provider-specific-files","prependClusterNameAsPrefix":true}},"path":"/etc/systemd/network/99-unmanaged-devices.network","permissions":"0644"}]}}}}`| | `cluster-shared` | **Library chart**|**Type:** `object`
| | `managementCluster` | **Management cluster** - Name of the Cluster API cluster managing this workload cluster.|**Type:** `string`
| | `provider` | **Cluster API provider name**|**Type:** `string`
|
diff --git a/helm/cluster-aws/templates/_cilium_helmrelease_config.yaml b/helm/cluster-aws/templates/_cilium_helmrelease_config.yaml
index c3b25190..006f483f 100644
--- a/helm/cluster-aws/templates/_cilium_helmrelease_config.yaml
+++ b/helm/cluster-aws/templates/_cilium_helmrelease_config.yaml
@@ -50,10 +50,12 @@ defaultPolicies:
       - key: CriticalAddonsOnly
         operator: Exists
 extraPolicies:
+  remove: true
+
   allowEgressToCoreDNS:
-    enabled: true
+    enabled: false
   allowEgressToProxy:
-    enabled: {{ $.Values.global.connectivity.proxy.enabled }}
+    enabled: false
     httpProxy: {{ $.Values.global.connectivity.proxy.httpProxy | quote }}
     httpsProxy: {{ $.Values.global.connectivity.proxy.httpsProxy | quote }}
 {{- end }}
diff --git a/helm/cluster-aws/templates/_network-policies_helmrelease_config.yaml b/helm/cluster-aws/templates/_network-policies_helmrelease_config.yaml
new file mode 100644
index 00000000..b2582945
--- /dev/null
+++ b/helm/cluster-aws/templates/_network-policies_helmrelease_config.yaml
@@ -0,0 +1,10 @@
+{{/* AWS-specific network-policies Helm values*/}}
+{{/* https://github.com/giantswarm/network-policies-app/blob/main/helm/network-policies/values.yaml*/}}
+{{- define "awsNetworkPoliciesHelmValues" }}
+allowEgressToDNS:
+  enabled: true
+allowEgressToProxy:
+  enabled: {{ $.Values.global.connectivity.proxy.enabled }}
+  httpProxy: {{ $.Values.global.connectivity.proxy.httpProxy | quote }}
+  httpsProxy: {{ $.Values.global.connectivity.proxy.httpsProxy | quote }}
+{{- end }}
diff --git a/helm/cluster-aws/values.schema.json b/helm/cluster-aws/values.schema.json
index 23088975..7dbfca24 100644
--- a/helm/cluster-aws/values.schema.json
+++ b/helm/cluster-aws/values.schema.json
@@ -204,6 +204,9 @@
         },
         "coredns": {
           "configTemplateName": "awsCorednsHelmValues"
+        },
+        "networkPolicies": {
+          "configTemplateName": "awsNetworkPoliciesHelmValues"
         }
       },
       "clusterAnnotationsTemplateName": "awsConnectivityLabels",
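Review bot: The `httpProxy`/`httpsProxy` lines kept under `allowEgressToProxy` are now dead configuration, because that policy is hard-set to `enabled: false` and the whole map is flagged `remove: true`; leaving only `extraPolicies:` / `  remove: true` and dropping the two disabled sub-maps would make the intent unambiguous. The `remove: true` key is presumably consumed by cilium-app's extraPolicies handling, so a one-line comment such as `# extraPolicies are rendered by awsNetworkPoliciesHelmValues now; remove: true tells cilium-app to delete its copies` would save the next reader a search. The cilium and network-policies HelmReleases reconcile independently, so there may be a window in which cilium-app has already deleted its DNS and proxy allow rules while network-policies-app has not yet created the replacements; if a default-deny policy is active in the cluster, workloads lose DNS and proxy egress for that window, and the changelog should state the required ordering or minimum network-policies-app version. The enclosing `define` starts outside the hunk.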
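Review bot: `allowEgressToDNS` replaces cilium-app's `allowEgressToCoreDNS`, and the two names suggest different scopes; if the network-policies-app rule permits port-53 egress to any destination rather than only to the in-cluster CoreDNS service, this change widens the egress allowed by default, so the selector in the upstream values should be confirmed and the outcome recorded in the changelog entry. The new template also has no comment explaining why DNS egress is unconditionally enabled while proxy egress is gated on `global.connectivity.proxy.enabled`; a short note such as `# DNS egress is always needed; proxy egress only when an egress proxy is configured` above `allowEgressToDNS:` would document that choice. The header comments are missing a space before the closing delimiter, e.g. `{{/* AWS-specific network-policies Helm values */}}`.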
@@ -475,6 +478,12 @@
           "title": "CoreDNS",
           "description": "Configuration of coredns-app. For all available values see https://github.com/giantswarm/coredns-app."
         },
+        "networkPolicies": {
+          "$ref": "#/$defs/app",
+          "type": "object",
+          "title": "NetworkPolicies",
+          "description": "Configuration of network-policies-app. For all available values see https://github.com/giantswarm/network-policies-app."
+        },
         "verticalPodAutoscalerCrd": {
           "$ref": "#/$defs/app",
           "type": "object",
diff --git a/helm/cluster-aws/values.yaml b/helm/cluster-aws/values.yaml
index 45830722..2c6bccd5 100644
--- a/helm/cluster-aws/values.yaml
+++ b/helm/cluster-aws/values.yaml
@@ -7,6 +7,8 @@ cluster:
       configTemplateName: awsCiliumHelmValues
     coredns:
       configTemplateName: awsCorednsHelmValues
+    networkPolicies:
+      configTemplateName: awsNetworkPoliciesHelmValues
     clusterAnnotationsTemplateName: awsConnectivityLabels
     components:
       systemd:
@@ -160,6 +162,7 @@ global:
     awsEbsCsiDriver: {}
     cilium: {}
     coreDns: {}
+    networkPolicies: {}
     verticalPodAutoscalerCrd: {}
   components:
     containerd: