feat: add cilium network policy with alerts and deprecate network policy

f8118655 · Zamir Martins · f5a5a44e · f8118655 · f8118655 · f8118655
Verified Commit f8118655 authored 4 years ago by Zamir Martins 💬
--- a/assets/auto-deploy-app/CONTRIBUTING.md
+++ b/assets/auto-deploy-app/CONTRIBUTING.md
@@ -51,3 +51,7 @@ helm dependency build .               # required any time the dependencies chang
 cd test
 GO111MODULE=auto go test ./...        # required for every change to the tests or the template
 ```
+
+### Windows users
+
+Some of the dependencies might not be available on Windows (e.g., `github.com/sirupsen/logrus/hooks/syslog`). Therefore we recommend running tests on docker, vagrant boxes or similar virtualization tools.
\ No newline at end of file
--- a/assets/auto-deploy-app/Chart.yaml
+++ b/assets/auto-deploy-app/Chart.yaml
 apiVersion: v1
 description: GitLab's Auto-deploy Helm Chart
 name: auto-deploy-app
-version: 2.5.0
+version: 2.6.0
 icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.png
--- a/assets/auto-deploy-app/README.md
+++ b/assets/auto-deploy-app/README.md
@@ -70,5 +70,8 @@
 | podDisruptionBudget.maxUnavailable |             | `1`                            |
 | podDisruptionBudget.minAvailable | If present, this variable will configure minAvailable in the PodDisruptionBudget. :warning: if you have `replicaCount: 1` and `podDisruptionBudget.minAvailable: 1` `kubectl drain` will be blocked.              | `nil`                            |
 | prometheus.metrics            | Annotates the service for prometheus auto-discovery. Also denies access to the `/metrics` endpoint from external addresses with Ingress. | `false` |
-| networkPolicy.enabled         | Enable container network policy | `false` |
-| networkPolicy.spec            | [Network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) definition | `{ podSelector: { matchLabels: {} }, ingress: [{ from: [{ podSelector: { matchLabels: {} } }, { namespaceSelector: { matchLabels: { app.gitlab.com/managed_by: gitlab } } }] }] }` |
+| networkPolicy.enabled(**DEPRECATED**)         | Enable container network policy | `false` |
+| networkPolicy.spec(**DEPRECATED**)            | [Network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) definition | `{ podSelector: { matchLabels: {} }, ingress: [{ from: [{ podSelector: { matchLabels: {} } }, { namespaceSelector: { matchLabels: { app.gitlab.com/managed_by: gitlab } } }] }] }` |
+| ciliumNetworkPolicy.enabled         | Enable container cilium network policy | `false` |
+| ciliumNetworkPolicy.alerts.enabled         | Enable alert generation for container cilium network policy | `false` |
+| ciliumNetworkPolicy.spec            | [Cilium network policy](https://docs.cilium.io/en/v1.8/concepts/kubernetes/policy/#ciliumnetworkpolicy/) definition | `{ endpointSelector: {}, ingress: [{ fromEndpoints: [{ matchLabels: { app.gitlab.com/managed_by: gitlab } }] }] }` |
--- a/assets/auto-deploy-app/templates/cilium-network-policy.yaml
+++ b/assets/auto-deploy-app/templates/cilium-network-policy.yaml
+{{- if .Values.ciliumNetworkPolicy.enabled -}}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ template "fullname" . }}
+{{- if .Values.ciliumNetworkPolicy.alerts.enabled }}
+  annotations:
+    "app.gitlab.com/alert": "true"
+{{- end }}
+  labels:
+    app.gitlab.com/proj: {{ .Values.gitlab.proj | quote }}
+{{ include "sharedlabels" . | indent 4}}
+spec:
+{{ toYaml .Values.ciliumNetworkPolicy.spec | indent 2 }}
+{{- end -}}
--- a/assets/auto-deploy-app/test/go.mod
+++ b/assets/auto-deploy-app/test/go.mod
@@ -3,8 +3,11 @@ module gitlab.com/gitlab-org/charts/auto-deploy-app/test
 go 1.15

 require (
+	github.com/cilium/cilium v1.8.1
 	github.com/gruntwork-io/terratest v0.32.1
 	github.com/stretchr/testify v1.6.1
 	k8s.io/api v0.19.7
 	k8s.io/apimachinery v0.19.7
 )
+
+replace github.com/optiopay/kafka => github.com/cilium/kafka v0.0.0-20180809090225-01ce283b732b
--- a/assets/auto-deploy-app/test/go.sum
+++ b/assets/auto-deploy-app/test/go.sum
--- a/assets/auto-deploy-app/test/templates/ciliumnetworkpolicy_test.go
+++ b/assets/auto-deploy-app/test/templates/ciliumnetworkpolicy_test.go
+package main
+
+import (
+	"regexp"
+	"testing"
+
+	v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
+	slim_metav1 "github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1"
+	"github.com/cilium/cilium/pkg/policy/api"
+	"github.com/gruntwork-io/terratest/modules/helm"
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestCiliumNetworkPolicy(t *testing.T) {
+	releaseName := "cilium-network-policy-test"
+	templates := []string{"templates/cilium-network-policy.yaml"}
+	expectedLabels := map[string]string{
+		"app":                          releaseName,
+		"chart":                        chartName,
+		"release":                      releaseName,
+		"heritage":                     "Helm",
+		"app.kubernetes.io/name":       releaseName,
+		"helm.sh/chart":                chartName,
+		"app.kubernetes.io/managed-by": "Helm",
+		"app.kubernetes.io/instance":   releaseName,
+		"app.gitlab.com/proj":          "91",
+	}
+
+	tcs := []struct {
+		name       string
+		valueFiles []string
+		values     map[string]string
+
+		expectedErrorRegexp *regexp.Regexp
+
+		meta             metav1.ObjectMeta
+		endpointSelector api.EndpointSelector
+		ingress          []api.IngressRule
+		egress           []api.EgressRule
+	}{
+		{
+			name:                "disabled by default",
+			expectedErrorRegexp: regexp.MustCompile("Error: could not find template templates/cilium-network-policy.yaml in chart"),
+		},
+		{
+			name:   "with default policy",
+			values: map[string]string{"ciliumNetworkPolicy.enabled": "true", "gitlab.proj": "91"},
+			meta:   metav1.ObjectMeta{Name: releaseName + "-auto-deploy", Labels: expectedLabels},
+			endpointSelector: api.EndpointSelector{
+				LabelSelector: &slim_metav1.LabelSelector{MatchLabels: map[string]string(nil)},
+			},
+			ingress: []api.IngressRule{
+				{
+					FromEndpoints: []api.EndpointSelector{
+						{LabelSelector: &slim_metav1.LabelSelector{
+							MatchLabels: map[string]string{"any.app.gitlab.com/managed_by": "gitlab"},
+						}},
+					},
+				},
+			},
+		},
+		{
+			name:       "with custom policy without alerts",
+			valueFiles: []string{"../testdata/custom-cilium-policy.yaml"},
+			values:     map[string]string{"ciliumNetworkPolicy.enabled": "true", "gitlab.proj": "91", "ciliumNetworkPolicy.alerts.enabled": "false"},
+			meta:       metav1.ObjectMeta{Name: releaseName + "-auto-deploy", Labels: expectedLabels},
+			endpointSelector: api.EndpointSelector{
+				LabelSelector: &slim_metav1.LabelSelector{MatchLabels: map[string]string(nil)},
+			},
+			ingress: []api.IngressRule{
+				{
+					FromEndpoints: []api.EndpointSelector{
+						{LabelSelector: &slim_metav1.LabelSelector{
+							MatchLabels: map[string]string{"any.app.gitlab.com/managed_by": "gitlab"},
+						}},
+					},
+				},
+			},
+		},
+		{
+			name:       "with custom policy with alerts",
+			valueFiles: []string{"../testdata/custom-cilium-policy.yaml"},
+			values:     map[string]string{"ciliumNetworkPolicy.enabled": "true", "gitlab.proj": "91"},
+			meta:       metav1.ObjectMeta{Name: releaseName + "-auto-deploy", Labels: expectedLabels, Annotations: map[string]string{"app.gitlab.com/alert": "true"}},
+			endpointSelector: api.EndpointSelector{
+				LabelSelector: &slim_metav1.LabelSelector{MatchLabels: map[string]string(nil)},
+			},
+			ingress: []api.IngressRule{
+				{
+					FromEndpoints: []api.EndpointSelector{
+						{LabelSelector: &slim_metav1.LabelSelector{
+							MatchLabels: map[string]string{"any.app.gitlab.com/managed_by": "gitlab"},
+						}},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tc := range tcs {
+		t.Run(tc.name, func(t *testing.T) {
+			opts := &helm.Options{
+				ValuesFiles: tc.valueFiles,
+				SetValues:   tc.values,
+			}
+			output, err := helm.RenderTemplateE(t, opts, helmChartPath, releaseName, templates)
+
+			if tc.expectedErrorRegexp != nil {
+				require.Regexp(t, tc.expectedErrorRegexp, err.Error())
+				return
+			}
+			if err != nil {
+				t.Error(err)
+				return
+			}
+
+			policy := new(v2.CiliumNetworkPolicy)
+			helm.UnmarshalK8SYaml(t, output, policy)
+
+			require.Equal(t, tc.meta, policy.ObjectMeta)
+			require.Equal(t, tc.endpointSelector.LabelSelector, policy.Spec.EndpointSelector.LabelSelector)
+			require.Equal(t, tc.ingress[0].FromEndpoints[0].LabelSelector, policy.Spec.Ingress[0].FromEndpoints[0].LabelSelector)
+			require.Equal(t, len(tc.ingress), len(policy.Spec.Ingress))
+			require.Equal(t, len(tc.ingress[0].FromEndpoints), len(policy.Spec.Ingress[0].FromEndpoints))
+		})
+	}
+}
--- a/assets/auto-deploy-app/test/templates/test_helpers.go
+++ b/assets/auto-deploy-app/test/templates/test_helpers.go
@@ -13,7 +13,7 @@ import (
 )

 const (
-	chartName     = "auto-deploy-app-2.5.0"
+	chartName     = "auto-deploy-app-2.6.0"
 	helmChartPath = "../.."
 )


--- a/assets/auto-deploy-app/test/testdata/custom-cilium-policy.yaml
+++ b/assets/auto-deploy-app/test/testdata/custom-cilium-policy.yaml
+ciliumNetworkPolicy:
+  enabled: true
+  alerts: 
+    enabled: true
+  spec:
+    endpointSelector: {}
+    ingress:
+    - fromEndpoints:
+      - matchLabels:
+          app.gitlab.com/managed_by: gitlab
--- a/assets/auto-deploy-app/values.yaml
+++ b/assets/auto-deploy-app/values.yaml
@@ -112,6 +112,17 @@ networkPolicy:
          matchLabels:
            app.gitlab.com/managed_by: gitlab

+ciliumNetworkPolicy:
+  enabled: false
+  alerts: 
+    enabled: false
+  spec:
+    endpointSelector: {}
+    ingress:
+    - fromEndpoints:
+      - matchLabels:
+          app.gitlab.com/managed_by: gitlab
+
 workers: {}
  # worker:
  #   replicaCount: 1

--- a/src/bin/auto-deploy
+++ b/src/bin/auto-deploy
@@ -303,6 +303,7 @@ channel 1 database.'
      --set gitlab.env="$CI_ENVIRONMENT_SLUG" \
      --set gitlab.envName="$CI_ENVIRONMENT_NAME" \
      --set gitlab.envURL="$CI_ENVIRONMENT_URL" \
+      --set gitlab.proj="$CI_PROJECT_ID" \
      --set releaseOverride="$RELEASE_NAME" \
      --set image.repository="$image_repository" \
      --set-string image.tag="$image_tag" \
@@ -337,6 +338,7 @@ channel 1 database.'
    --set gitlab.env="$CI_ENVIRONMENT_SLUG" \
    --set gitlab.envName="$CI_ENVIRONMENT_NAME" \
    --set gitlab.envURL="$CI_ENVIRONMENT_URL" \
+    --set gitlab.proj="$CI_PROJECT_ID" \
    --set releaseOverride="$RELEASE_NAME" \
    --set image.repository="$image_repository" \
    --set-string image.tag="$image_tag" \