Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Redis Sentinel NetworkPolicy Rules #42

Merged
merged 10 commits into from
Feb 9, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,15 @@ Also check this project's [releases](https://github.com/powerhome/redis-operator

## Unreleased

## [v2.0.1] - 2024-02-09

### Fixed
- [Sentinels shoud only be allowed to talk to pods belonging to their RedisFailover Custom Resource](https://github.com/powerhome/redis-operator/pull/42).

Update notes:

This update modifies how the operator generates network policies. In version v2.0.0, there were two separate network policies: one for Redis and another for Redis Sentinels. From version v2.0.1 onwards, the operator will only generate a network policy for Sentinels. It is crucial to be aware that following the upgrade to this version, the existing network policy for Redis instances will persist and must be deleted manually.

## [v2.0.0] - 2024-01-18

### Added
Expand Down
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
VERSION := v2.0.0
VERSION := v2.0.1

# Name of this service/application
SERVICE_NAME := redis-operator
Expand Down
14 changes: 0 additions & 14 deletions mocks/operator/redisfailover/service/RedisFailoverClient.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 0 additions & 3 deletions operator/redisfailover/ensurer.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,6 @@ func (w *RedisFailoverHandler) Ensure(rf *redisfailoverv1.RedisFailover, labels
}

if !(len(rf.Spec.NetworkPolicyNsList) == 0) {
if err := w.rfService.EnsureRedisNetworkPolicy(rf, labels, or); err != nil {
return err
}
if err := w.rfService.EnsureSentinelNetworkPolicy(rf, labels, or); err != nil {
return err
}
Expand Down
9 changes: 0 additions & 9 deletions operator/redisfailover/service/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@ type RedisFailoverClient interface {
EnsureHAProxyRedisMasterConfigmap(rFailover *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error
EnsureHAProxyRedisMasterService(rFailover *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error
EnsureRedisHeadlessService(rFailover *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error
EnsureRedisNetworkPolicy(rFailover *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error
EnsureSentinelNetworkPolicy(rFailover *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error
EnsureSentinelService(rFailover *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error
EnsureSentinelConfigMap(rFailover *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error
Expand Down Expand Up @@ -87,14 +86,6 @@ func generateComponentLabel(componentType string) map[string]string {
}
}

// EnsureRedisNetworkPolicy makes sure the redis network policy exists
func (r *RedisFailoverKubeClient) EnsureRedisNetworkPolicy(rf *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error {
svc := generateRedisNetworkPolicy(rf, labels, ownerRefs)
err := r.K8SService.CreateOrUpdateNetworkPolicy(rf.Namespace, svc)
r.setEnsureOperationMetrics(svc.Namespace, svc.Name, "EnsureRedisNetworkPolicy", rf.Name, err)
return err
}

// EnsureSentinelNetworkPolicy makes sure the redis network policy exists
func (r *RedisFailoverKubeClient) EnsureSentinelNetworkPolicy(rf *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) error {
svc := generateSentinelNetworkPolicy(rf, labels, ownerRefs)
Expand Down
72 changes: 14 additions & 58 deletions operator/redisfailover/service/generator.go
Original file line number Diff line number Diff line change
Expand Up @@ -456,63 +456,6 @@ func generateHAProxyRedisSlaveService(rf *redisfailoverv1.RedisFailover, labels
}
}

func generateRedisNetworkPolicy(rf *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) *np.NetworkPolicy {
name := GetRedisNetworkPolicyName(rf)
namespace := rf.Namespace

networkPolicyNsList := rf.Spec.NetworkPolicyNsList

selectorLabels := generateSelectorLabels(redisRoleName, rf.Name)
labels = util.MergeLabels(labels, selectorLabels)

metricsTargetPort := intstr.FromInt(9121)
redisTargetPort := intstr.FromInt(int(rf.Spec.Redis.Port))

peers := []np.NetworkPolicyPeer{}

for _, inputPeer := range networkPolicyNsList {

labelKey := inputPeer.MatchLabelKey
labelValue := inputPeer.MatchLabelValue

peers = append(peers, np.NetworkPolicyPeer{
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{labelKey: labelValue},
},
})
}

ports := make([]np.NetworkPolicyPort, 0)
ports = append(ports, np.NetworkPolicyPort{
Port: &redisTargetPort,
}, np.NetworkPolicyPort{
Port: &metricsTargetPort,
})

return &np.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Labels: labels,
OwnerReferences: ownerRefs,
},
Spec: np.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{
MatchLabels: util.MergeLabels(
map[string]string{"redisfailovers.databases.spotahome.com/name": rf.Name},
generateComponentLabel("redis"),
),
},
Ingress: []np.NetworkPolicyIngressRule{
np.NetworkPolicyIngressRule{
From: peers,
Ports: ports,
},
},
},
}
}

func generateSentinelNetworkPolicy(rf *redisfailoverv1.RedisFailover, labels map[string]string, ownerRefs []metav1.OwnerReference) *np.NetworkPolicy {
name := GetSentinelNetworkPolicyName(rf)
namespace := rf.Namespace
Expand Down Expand Up @@ -543,6 +486,8 @@ func generateSentinelNetworkPolicy(rf *redisfailoverv1.RedisFailover, labels map
Port: &sentinelTargetPort,
})

redisfailoverLabels := map[string]string{"redisfailovers.databases.spotahome.com/name": rf.Name}

return &np.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Expand All @@ -553,7 +498,7 @@ func generateSentinelNetworkPolicy(rf *redisfailoverv1.RedisFailover, labels map
Spec: np.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{
MatchLabels: util.MergeLabels(
map[string]string{"redisfailovers.databases.spotahome.com/name": rf.Name},
redisfailoverLabels,
generateComponentLabel("sentinel"),
),
},
Expand All @@ -563,6 +508,17 @@ func generateSentinelNetworkPolicy(rf *redisfailoverv1.RedisFailover, labels map
Ports: ports,
},
},
Egress: []np.NetworkPolicyEgressRule{
np.NetworkPolicyEgressRule{
To: []np.NetworkPolicyPeer{
np.NetworkPolicyPeer{
PodSelector: &metav1.LabelSelector{
MatchLabels: redisfailoverLabels,
},
},
},
},
},
},
}
}
Expand Down
Loading
Loading