
Commit 1c9d3c2

committed
apps sc: Update rclone network policy configuration
1 parent f23637e commit 1c9d3c2


8 files changed

+113
-101
lines changed


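--- a/bin/update-ips.bash
+++ b/bin/update-ips.bash
@@ -109,10 +109,12 @@ swift_enabled() {
 return 1
 }
 
-# Determine if Rsync is enabled in the configuration.
-rsync_enabled() {
-[ "$(yq_read "sc" '.objectStorage.sync.enabled' "false")" = "true" ] && \
-[ "$(yq_read "sc" '.networkPolicies.rcloneSync.enabled' "false")" = "true" ]
+# Determine if rclone is enabled in the configuration.
+rclone_enabled() {
+[ "$(yq_read "sc" '.networkPolicies.rclone.enabled' "false")" = "true" ] || return 1
+[ "$(yq_read "sc" '.objectStorage.restore.enabled' "false")" = "true" ] && return 0
+[ "$(yq_read "sc" '.objectStorage.sync.enabled' "false")" = "true" ] && return 0
+return 1
 }
 
 # Fetch the InternalIP, Calico tunnel IP and Wireguard IP of Kubernetes
@@ -215,6 +217,9 @@ get_swift_url() {
 }
 }
 }' "${auth_url}/auth/tokens")
+else
+log_error "Could not find Swift credentials in ${swift_config_option}"
+exit 1
 fi
 
 os_token=$(echo "${response}" | grep -oP "x-subject-token:\s+\K\S+")
@@ -545,7 +550,7 @@ validate_config() {
 fi
 fi
 
-rsync_enabled || return 0
+rclone_enabled || return 0
 
 local destination_s3=false
 local destination_swift=false
@@ -611,10 +616,10 @@ if [[ "${check_cluster}" =~ ^(wc|both)$ ]]; then
 allow_nodes "wc" '.networkPolicies.global.wcNodes.ips' ""
 fi
 
-if rsync_enabled; then
-sync_rclone '.objectStorage.sync.s3.regionEndpoint' '.networkPolicies.rcloneSync.destinationObjectStorageS3'
-sync_swift '.objectStorage.sync.swift' '.networkPolicies.rcloneSync.destinationObjectStorageSwift'
-sync_rclone '.objectStorage.sync.secondaryUrl' '.networkPolicies.rcloneSync.secondaryUrl'
+if rclone_enabled; then
+sync_rclone '.objectStorage.sync.s3.regionEndpoint' '.networkPolicies.rclone.sync.objectStorage'
+sync_swift '.objectStorage.sync.swift' '.networkPolicies.rclone.sync.objectStorageSwift'
+sync_rclone '.objectStorage.sync.secondaryUrl' '.networkPolicies.rclone.sync.secondaryUrl'
 fi
 
 exit ${has_diff}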
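Review bot: `rclone_enabled` now also returns success when only `.objectStorage.restore.enabled` is true, but both call sites still operate on sync-only configuration: the `if rclone_enabled; then` block at the end of the file feeds `.objectStorage.sync.*` sources to `sync_rclone`/`sync_swift`, and the part of `validate_config` after `rclone_enabled || return 0` (which continues outside this hunk) sets up `destination_s3`/`destination_swift` checks that look sync-specific. With restore enabled and sync disabled those source keys are presumably unset, and I cannot see from here whether `sync_rclone` treats an empty source as "nothing to do" or as a configuration error; please confirm, or gate the sync-specific work separately, e.g. `if rclone_enabled && [ "$(yq_read "sc" '.objectStorage.sync.enabled' "false")" = "true" ]; then`. A comment on `rclone_enabled` stating that it mirrors whether the rclone network policy is deployed (the `installed:` expression in helmfile.d/stacks/rclone.yaml) rather than whether sync is active would make that distinction explicit to the next reader. The visible test changes only ever set `.objectStorage.sync.enabled`, so the restore-only branch of the new function does not appear to be exercised.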

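--- a/config/config/sc-config.yaml
+++ b/config/config/sc-config.yaml
@@ -1258,23 +1258,24 @@ networkPolicies:
 fluentd:
 enabled: true
 
-rcloneSync:
+rclone:
 enabled: true
-destinationObjectStorageS3:
-ips:
-- "set-me-if-objectStorage.sync.enabled-and-type-is-s3"
-ports:
-- 443
-destinationObjectStorageSwift:
-ips:
-- "set-me-if-objectStorage.sync.enabled-type-is-swift-or-harbor-thanos-use-swift"
-ports:
-- 5000
-secondaryUrl:
-ips:
-- "set-me-if-secondaryUrl-has-an-url"
-ports:
-- 443
+# Restore reuses network policy rules set for .global.objectStorage and .rclone.sync.objectStorage
+sync:
+objectStorage:
+ips: set-me-if-objectStorage.sync.enabled
+ports:
+- 443
+objectStorageSwift:
+ips: set-me-if-objectStorage.sync.enabled-and-any-target-use-swift-as-destination
+ports:
+- 5000
+secondaryUrl:
+ips:
+- set-me-if-objectStorage.sync.secondaryUrl-has-an-url
+ports:
+- 443
+
 s3Exporter:
 enabled: true
 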
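Review bot: `ips` under `sync.objectStorage` and `sync.objectStorageSwift` is now a scalar placeholder (`ips: set-me-if-objectStorage.sync.enabled`) while `sync.secondaryUrl.ips` in the same hunk, and all three removed defaults, keep it as a list with one placeholder item. Each of these values is passed to `old-style.rule.gen` in helmfile.d/values/networkpolicies/service/rclone.yaml.gotmpl, which previously only ever received a list here; if that helper iterates `.ips`, a scalar renders differently (or fails) until an operator replaces it, and a placeholder check that inspects list items may not notice a scalar — I cannot tell from this page which shape is intended, so please confirm and make the three entries consistent, e.g. `ips:` followed by `- set-me-if-objectStorage.sync.enabled`. The new comment at 1263 says restore reuses `.rclone.sync.objectStorage`, which implies a restore-only deployment still has to fill in these sync values; spelling that out would help, e.g. `# Also required when only objectStorage.restore is enabled`.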
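--- a/helmfile.d/stacks/rclone.yaml
+++ b/helmfile.d/stacks/rclone.yaml
@@ -12,7 +12,7 @@ templates:
 inherit:
 - template: rclone
 - template: networkpolicies
-installed: {{ and (.Values | get "networkPolicies.rcloneSync.enabled" false) (or (.Values | get "objectStorage.restore.enabled" false) (.Values | get "objectStorage.sync.enabled" false)) }}
+installed: {{ and (.Values | get "networkPolicies.rclone.enabled" false) (or (.Values | get "objectStorage.restore.enabled" false) (.Values | get "objectStorage.sync.enabled" false)) }}
 labels:
 netpol: rclone
 needs: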

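--- a/helmfile.d/values/networkpolicies/service/rclone.yaml.gotmpl
+++ b/helmfile.d/values/networkpolicies/service/rclone.yaml.gotmpl
@@ -10,11 +10,11 @@ rules:
 egress-rule-object-storage-main-swift:
 {{- include "old-style.rule.gen" $netpol.global.objectStorageSwift | nindent 4 }}
 egress-rule-object-storage-sync:
-{{- include "old-style.rule.gen" $netpol.rcloneSync.destinationObjectStorageS3 | nindent 4 }}
+{{- include "old-style.rule.gen" $netpol.rclone.sync.objectStorage | nindent 4 }}
 egress-rule-object-storage-sync-swift:
-{{- include "old-style.rule.gen" $netpol.rcloneSync.destinationObjectStorageSwift | nindent 4 }}
+{{- include "old-style.rule.gen" $netpol.rclone.sync.objectStorageSwift | nindent 4 }}
 egress-rule-object-storage-sync-secondary:
-{{- include "old-style.rule.gen" $netpol.rcloneSync.secondaryUrl | nindent 4 }}
+{{- include "old-style.rule.gen" $netpol.rclone.sync.secondaryUrl | nindent 4 }}
 
 {{- $main := .Values.objectStorage }}
 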
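--- a/tests/common/lib/update-ips.bash
+++ b/tests/common/lib/update-ips.bash
@@ -91,7 +91,7 @@ update_ips.mock_maximal() {
 update_ips.mock_rclone_s3() {
 update_ips.mock_minimal
 
-mock_set_output "${mock_dig}" "127.0.0.4" 4 # .networkPolicies.rcloneSync.destinationObjectStorageS3.ips
+mock_set_output "${mock_dig}" "127.0.0.4" 4 # .networkPolicies.rclone.sync.objectStorage.ips
 }
 
 update_ips.mock_rclone_s3_and_swift() {
@@ -101,8 +101,8 @@ update_ips.mock_rclone_s3_and_swift() {
 mock_set_output "${mock_curl}" '\n\n\n\n\n\n\n\n\n\n\n\n\n\n[{"catalog":[{"type": "object-store", "name": "swift", "endpoints": [{"interface":"public", "region": "swift-region", "url": "https://swift.foo.dev-ck8s.com"}]}]}]' 1
 mock_set_output "${mock_curl}" "" 2 # DELETE /auth/tokens
 
-mock_set_output "${mock_dig}" "127.0.0.5" 5 # networkPolicies.rcloneSync.destinationObjectStorageSwift.ips keystone endpoint
-mock_set_output "${mock_dig}" "127.0.0.6" 6 # networkPolicies.rcloneSync.destinationObjectStorageSwift.ips swift endpoint
+mock_set_output "${mock_dig}" "127.0.0.5" 5 # networkPolicies.rclone.sync.objectStorageSwift.ips keystone endpoint
+mock_set_output "${mock_dig}" "127.0.0.6" 6 # networkPolicies.rclone.sync.objectStorageSwift.ips swift endpoint
 }
 
 update_ips.mock_rclone_swift() {
@@ -112,8 +112,8 @@ update_ips.mock_rclone_swift() {
 mock_set_output "${mock_curl}" '\n\n\n\n\n\n\n\n\n\n\n\n\n\n[{"catalog":[{"type": "object-store", "name": "swift", "endpoints": [{"interface":"public", "region": "swift-region", "url": "https://swift.foo.dev-ck8s.com"}]}]}]' 1
 mock_set_output "${mock_curl}" "" 2 # DELETE /auth/tokens
 
-mock_set_output "${mock_dig}" "127.0.0.5" 4 # networkPolicies.rcloneSync.destinationObjectStorageSwift.ips keystone endpoint
-mock_set_output "${mock_dig}" "127.0.0.6" 5 # networkPolicies.rcloneSync.destinationObjectStorageSwift.ips swift endpoint
+mock_set_output "${mock_dig}" "127.0.0.5" 4 # networkPolicies.rclone.sync.objectStorageSwift.ips keystone endpoint
+mock_set_output "${mock_dig}" "127.0.0.6" 5 # networkPolicies.rclone.sync.objectStorageSwift.ips swift endpoint
 }
 
 update_ips.mock_swift() {
@@ -149,14 +149,14 @@ update_ips.populate_maximal() {
 yq_set sc .networkPolicies.global.objectStorageSwift.ips '["127.1.0.4/32", "127.1.0.5/32"]'
 yq_set sc .networkPolicies.global.objectStorageSwift.ports '[5678, 91011]'
 
-yq_set sc .networkPolicies.rcloneSync.destinationObjectStorageS3.ips '["127.1.0.6/32"]'
-yq_set sc .networkPolicies.rcloneSync.destinationObjectStorageS3.ports '[1234]'
+yq_set sc .networkPolicies.rclone.sync.objectStorage.ips '["127.1.0.6/32"]'
+yq_set sc .networkPolicies.rclone.sync.objectStorage.ports '[1234]'
 
-yq_set sc .networkPolicies.rcloneSync.destinationObjectStorageSwift.ips '["127.1.0.7/32", "127.1.0.8/32"]'
-yq_set sc .networkPolicies.rcloneSync.destinationObjectStorageSwift.ports '[443, 5678]'
+yq_set sc .networkPolicies.rclone.sync.objectStorageSwift.ips '["127.1.0.7/32", "127.1.0.8/32"]'
+yq_set sc .networkPolicies.rclone.sync.objectStorageSwift.ports '[443, 5678]'
 
-yq_set sc .networkPolicies.rcloneSync.secondaryUrl.ips '["127.1.0.9/32"]'
-yq_set sc .networkPolicies.rcloneSync.secondaryUrl.ports '[1234]'
+yq_set sc .networkPolicies.rclone.sync.secondaryUrl.ips '["127.1.0.9/32"]'
+yq_set sc .networkPolicies.rclone.sync.secondaryUrl.ports '[1234]'
 }
 
 # --- asserts ----------------------------------------------------------------------------------------------------------
@@ -195,33 +195,33 @@ update_ips.assert_swift() {
 }
 
 update_ips.assert_rclone_s3() {
-assert_equal "$(yq_dig sc '.networkPolicies.rcloneSync.destinationObjectStorageS3.ips | . style="flow"')" "[127.0.0.4/32]"
-assert_equal "$(yq_dig sc '.networkPolicies.rcloneSync.destinationObjectStorageS3.ports | . style="flow"')" "[1234]"
+assert_equal "$(yq_dig sc '.networkPolicies.rclone.sync.objectStorage.ips | . style="flow"')" "[127.0.0.4/32]"
+assert_equal "$(yq_dig sc '.networkPolicies.rclone.sync.objectStorage.ports | . style="flow"')" "[1234]"
 
-assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageSwift' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
+assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorageSwift' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
 
 assert_equal "$(mock_get_call_num "${mock_dig}")" 4
 assert_equal "$(mock_get_call_num "${mock_kubectl}")" 16
 assert_equal "$(mock_get_call_num "${mock_curl}")" 0
 }
 
 update_ips.assert_rclone_s3_and_swift() {
-assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageS3 | .ips style="flow" | .ips' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[127.0.0.4/32]"
-assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageS3 | .ports style="flow" | .ports' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[1234]"
+assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorage | .ips style="flow" | .ips' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[127.0.0.4/32]"
+assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorage | .ports style="flow" | .ports' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[1234]"
 
-assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageSwift | .ips style="flow" | .ips' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[127.0.0.5/32, 127.0.0.6/32]"
-assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageSwift | .ports style="flow" | .ports' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[443, 5678]"
+assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorageSwift | .ips style="flow" | .ips' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[127.0.0.5/32, 127.0.0.6/32]"
+assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorageSwift | .ports style="flow" | .ports' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[443, 5678]"
 
 assert_equal "$(mock_get_call_num "${mock_dig}")" 6
 assert_equal "$(mock_get_call_num "${mock_kubectl}")" 16
 assert_equal "$(mock_get_call_num "${mock_curl}")" 2
 }
 
 update_ips.assert_rclone_swift() {
-assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageSwift | .ips style="flow" | .ips' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[127.0.0.5/32, 127.0.0.6/32]"
-assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageSwift | .ports style="flow" | .ports' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[443, 5678]"
+assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorageSwift | .ips style="flow" | .ips' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[127.0.0.5/32, 127.0.0.6/32]"
+assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorageSwift | .ports style="flow" | .ports' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[443, 5678]"
 
-assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageS3' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
+assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorage' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
 
 # GET /auth/tokens
 mock_set_output "${mock_curl}" '\n\n\n\n\n\n\n\n\n\n\n\n\n\n[{"catalog":[{"type": "object-store", "name": "swift", "endpoints": [{"interface":"public", "region": "swift-region", "url": "https://swift.foo.dev-ck8s.com"}]}]}]' 1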

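--- a/tests/unit/bin/update-ips/main.bats
+++ b/tests/unit/bin/update-ips/main.bats
@@ -186,7 +186,7 @@ _configure_maximal() {
 sops --set '["objectStorage"]["swift"]["username"] "swift-username"' "${CK8S_CONFIG_PATH}/secrets.yaml"
 
 yq_set sc .objectStorage.sync.enabled 'true'
-yq_set sc .networkPolicies.rcloneSync.enabled 'true'
+yq_set sc .networkPolicies.rclone.enabled 'true'
 yq_set sc .objectStorage.sync.s3.regionEndpoint '"https://s3.foo.dev-ck8s.com:1234"'
 yq_set sc .objectStorage.sync.swift.authUrl '"https://keystone.foo.dev-ck8s.com:5678"'
 yq_set sc .objectStorage.sync.swift.region '"swift-region"'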

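--- a/tests/unit/bin/update-ips/rclone.bats
+++ b/tests/unit/bin/update-ips/rclone.bats
@@ -27,7 +27,7 @@ setup_file() {
 yq_set sc .objectStorage.sync.destinationType '"none"'
 yq_set sc .objectStorage.sync.syncDefaultBuckets 'false'
 
-yq_set sc .networkPolicies.rcloneSync.enabled 'true'
+yq_set sc .networkPolicies.rclone.enabled 'true'
 
 env.cache_create
 }
@@ -150,12 +150,12 @@ _test_apply_rclone_sync_s3() {
 _test_apply_rclone_sync_s3_remove_swift() {
 _setup_s3 "${1}"
 
-yq_set sc .networkPolicies.rcloneSync.destinationObjectStorageSwift.ips '["127.0.0.5/32"]'
-yq_set sc .networkPolicies.rcloneSync.destinationObjectStorageSwift.ports '[5678]'
+yq_set sc .networkPolicies.rclone.sync.objectStorageSwift.ips '["127.0.0.5/32"]'
+yq_set sc .networkPolicies.rclone.sync.objectStorageSwift.ports '[5678]'
 
 run ck8s update-ips both apply
 
-assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageSwift' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
+assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorageSwift' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
 
 update_ips.assert_rclone_s3
 }
@@ -241,12 +241,12 @@ _test_apply_rclone_sync_swift() {
 _test_apply_rclone_sync_swift_remove_s3() {
 _setup_swift "${1}"
 
-yq_set sc .networkPolicies.rcloneSync.destinationObjectStorageS3.ips '["127.0.0.5/32"]'
-yq_set sc .networkPolicies.rcloneSync.destinationObjectStorageS3.ports '[5678]'
+yq_set sc .networkPolicies.rclone.sync.objectStorage.ips '["127.0.0.5/32"]'
+yq_set sc .networkPolicies.rclone.sync.objectStorage.ports '[5678]'
 
 run ck8s update-ips both apply
 
-assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageS3' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
+assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorage' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
 
 update_ips.assert_rclone_swift
 }
@@ -364,22 +364,22 @@ _test_apply_rclone_sync_s3_and_swift() {
 
 run ck8s update-ips both apply
 
-assert_equal "$(yq_dig sc '.networkPolicies.rcloneSync.secondaryUrl.ips | . style="flow"')" "[127.0.0.4/32]"
-assert_equal "$(yq_dig sc '.networkPolicies.rcloneSync.secondaryUrl.ports | . style="flow"')" "[1234]"
+assert_equal "$(yq_dig sc '.networkPolicies.rclone.sync.secondaryUrl.ips | . style="flow"')" "[127.0.0.4/32]"
+assert_equal "$(yq_dig sc '.networkPolicies.rclone.sync.secondaryUrl.ports | . style="flow"')" "[1234]"
 
 assert_equal "$(mock_get_call_num "${mock_dig}")" 4
 assert_equal "$(mock_get_call_num "${mock_kubectl}")" 16
 assert_equal "$(mock_get_call_num "${mock_curl}")" 0
 }
 
 @test "rclone sync - secondary remove" {
-yq_set sc .networkPolicies.rcloneSync.secondaryUrl.ips '["127.0.0.4"]'
-yq_set sc .networkPolicies.rcloneSync.secondaryUrl.ports '[1234]'
+yq_set sc .networkPolicies.rclone.sync.secondaryUrl.ips '["127.0.0.4"]'
+yq_set sc .networkPolicies.rclone.sync.secondaryUrl.ports '[1234]'
 
 update_ips.mock_minimal
 run ck8s update-ips both apply
 
-assert_equal "$(yq4 '.networkPolicies.rcloneSync.secondaryUrl' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
+assert_equal "$(yq4 '.networkPolicies.rclone.sync.secondaryUrl' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
 
 assert_equal "$(mock_get_call_num "${mock_dig}")" 3
 assert_equal "$(mock_get_call_num "${mock_kubectl}")" 16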
