apps sc: Update rclone network policy configuration

Author: aarnq

bin/update-ips.bash

@@ -109,10 +109,12 @@ swift_enabled() {
   return 1
 }
 
-# Determine if Rsync is enabled in the configuration.
-rsync_enabled() {
-  [ "$(yq_read "sc" '.objectStorage.sync.enabled' "false")" = "true" ] && \
-    [ "$(yq_read "sc" '.networkPolicies.rcloneSync.enabled' "false")" = "true" ]
+# Determine if rclone is enabled in the configuration.
+rclone_enabled() {
+  [ "$(yq_read "sc" '.networkPolicies.rclone.enabled' "false")" = "true" ] || return 1
+  [ "$(yq_read "sc" '.objectStorage.restore.enabled' "false")" = "true" ] && return 0
+  [ "$(yq_read "sc" '.objectStorage.sync.enabled' "false")" = "true" ] && return 0
+  return 1
 }
 
 # Fetch the InternalIP, Calico tunnel IP and Wireguard IP of Kubernetes
@@ -215,6 +217,9 @@ get_swift_url() {
             }
           }
         }' "${auth_url}/auth/tokens")
+  else
+    log_error "Could not find Swift credentials in ${swift_config_option}"
+    exit 1
   fi
 
   os_token=$(echo "${response}" | grep -oP "x-subject-token:\s+\K\S+")
@@ -545,7 +550,7 @@ validate_config() {
     fi
   fi
 
-  rsync_enabled || return 0
+  rclone_enabled || return 0
 
   local destination_s3=false
   local destination_swift=false
@@ -611,10 +616,10 @@ if [[ "${check_cluster}" =~ ^(wc|both)$ ]]; then
   allow_nodes "wc" '.networkPolicies.global.wcNodes.ips' ""
 fi
 
-if rsync_enabled; then
-  sync_rclone '.objectStorage.sync.s3.regionEndpoint' '.networkPolicies.rcloneSync.destinationObjectStorageS3'
-  sync_swift '.objectStorage.sync.swift' '.networkPolicies.rcloneSync.destinationObjectStorageSwift'
-  sync_rclone '.objectStorage.sync.secondaryUrl' '.networkPolicies.rcloneSync.secondaryUrl'
+if rclone_enabled; then
+  sync_rclone '.objectStorage.sync.s3.regionEndpoint' '.networkPolicies.rclone.sync.objectStorage'
+  sync_swift '.objectStorage.sync.swift' '.networkPolicies.rclone.sync.objectStorageSwift'
+  sync_rclone '.objectStorage.sync.secondaryUrl' '.networkPolicies.rclone.sync.secondaryUrl'
 fi
 
 exit ${has_diff}

config/config/sc-config.yaml

@@ -1258,23 +1258,24 @@ networkPolicies:
   fluentd:
     enabled: true
 
-  rcloneSync:
+  rclone:
     enabled: true
-    destinationObjectStorageS3:
-      ips:
-        - "set-me-if-objectStorage.sync.enabled-and-type-is-s3"
-      ports:
-        - 443
-    destinationObjectStorageSwift:
-      ips:
-        - "set-me-if-objectStorage.sync.enabled-type-is-swift-or-harbor-thanos-use-swift"
-      ports:
-        - 5000
-    secondaryUrl:
-      ips:
-        - "set-me-if-secondaryUrl-has-an-url"
-      ports:
-        - 443
+    # Restore reuses network policy rules set for .global.objectStorage and .rclone.sync.objectStorage
+    sync:
+      objectStorage:
+        ips: set-me-if-objectStorage.sync.enabled
+        ports:
+          - 443
+      objectStorageSwift:
+        ips: set-me-if-objectStorage.sync.enabled-and-any-target-use-swift-as-destination
+        ports:
+          - 5000
+      secondaryUrl:
+        ips:
+          - set-me-if-objectStorage.sync.secondaryUrl-has-an-url
+        ports:
+          - 443
+
   s3Exporter:
     enabled: true
 

helmfile.d/stacks/rclone.yaml

@@ -12,7 +12,7 @@ templates:
     inherit:
       - template: rclone
       - template: networkpolicies
-    installed: {{ and (.Values | get "networkPolicies.rcloneSync.enabled" false) (or (.Values | get "objectStorage.restore.enabled" false) (.Values | get "objectStorage.sync.enabled" false)) }}
+    installed: {{ and (.Values | get "networkPolicies.rclone.enabled" false) (or (.Values | get "objectStorage.restore.enabled" false) (.Values | get "objectStorage.sync.enabled" false)) }}
     labels:
       netpol: rclone
     needs:

helmfile.d/values/networkpolicies/service/rclone.yaml.gotmpl

@@ -10,11 +10,11 @@ rules:
   egress-rule-object-storage-main-swift:
     {{- include "old-style.rule.gen" $netpol.global.objectStorageSwift | nindent 4 }}
   egress-rule-object-storage-sync:
-    {{- include "old-style.rule.gen" $netpol.rcloneSync.destinationObjectStorageS3 | nindent 4 }}
+    {{- include "old-style.rule.gen" $netpol.rclone.sync.objectStorage | nindent 4 }}
   egress-rule-object-storage-sync-swift:
-    {{- include "old-style.rule.gen" $netpol.rcloneSync.destinationObjectStorageSwift | nindent 4 }}
+    {{- include "old-style.rule.gen" $netpol.rclone.sync.objectStorageSwift | nindent 4 }}
   egress-rule-object-storage-sync-secondary:
-    {{- include "old-style.rule.gen" $netpol.rcloneSync.secondaryUrl | nindent 4 }}
+    {{- include "old-style.rule.gen" $netpol.rclone.sync.secondaryUrl | nindent 4 }}
 
 {{- $main := .Values.objectStorage }}
 

tests/common/lib/update-ips.bash

@@ -91,7 +91,7 @@ update_ips.mock_maximal() {
 update_ips.mock_rclone_s3() {
   update_ips.mock_minimal
 
-  mock_set_output "${mock_dig}" "127.0.0.4" 4 # .networkPolicies.rcloneSync.destinationObjectStorageS3.ips
+  mock_set_output "${mock_dig}" "127.0.0.4" 4 # .networkPolicies.rclone.sync.objectStorage.ips
 }
 
 update_ips.mock_rclone_s3_and_swift() {
@@ -101,8 +101,8 @@ update_ips.mock_rclone_s3_and_swift() {
   mock_set_output "${mock_curl}" '\n\n\n\n\n\n\n\n\n\n\n\n\n\n[{"catalog":[{"type": "object-store", "name": "swift", "endpoints": [{"interface":"public", "region": "swift-region", "url": "https://swift.foo.dev-ck8s.com"}]}]}]' 1
   mock_set_output "${mock_curl}" "" 2 # DELETE /auth/tokens
 
-  mock_set_output "${mock_dig}" "127.0.0.5" 5 # networkPolicies.rcloneSync.destinationObjectStorageSwift.ips keystone endpoint
-  mock_set_output "${mock_dig}" "127.0.0.6" 6 # networkPolicies.rcloneSync.destinationObjectStorageSwift.ips swift endpoint
+  mock_set_output "${mock_dig}" "127.0.0.5" 5 # networkPolicies.rclone.sync.objectStorageSwift.ips keystone endpoint
+  mock_set_output "${mock_dig}" "127.0.0.6" 6 # networkPolicies.rclone.sync.objectStorageSwift.ips swift endpoint
 }
 
 update_ips.mock_rclone_swift() {
@@ -112,8 +112,8 @@ update_ips.mock_rclone_swift() {
   mock_set_output "${mock_curl}" '\n\n\n\n\n\n\n\n\n\n\n\n\n\n[{"catalog":[{"type": "object-store", "name": "swift", "endpoints": [{"interface":"public", "region": "swift-region", "url": "https://swift.foo.dev-ck8s.com"}]}]}]' 1
   mock_set_output "${mock_curl}" "" 2 # DELETE /auth/tokens
 
-  mock_set_output "${mock_dig}" "127.0.0.5" 4 # networkPolicies.rcloneSync.destinationObjectStorageSwift.ips keystone endpoint
-  mock_set_output "${mock_dig}" "127.0.0.6" 5 # networkPolicies.rcloneSync.destinationObjectStorageSwift.ips swift endpoint
+  mock_set_output "${mock_dig}" "127.0.0.5" 4 # networkPolicies.rclone.sync.objectStorageSwift.ips keystone endpoint
+  mock_set_output "${mock_dig}" "127.0.0.6" 5 # networkPolicies.rclone.sync.objectStorageSwift.ips swift endpoint
 }
 
 update_ips.mock_swift() {
@@ -149,14 +149,14 @@ update_ips.populate_maximal() {
   yq_set sc .networkPolicies.global.objectStorageSwift.ips '["127.1.0.4/32", "127.1.0.5/32"]'
   yq_set sc .networkPolicies.global.objectStorageSwift.ports '[5678, 91011]'
 
-  yq_set sc .networkPolicies.rcloneSync.destinationObjectStorageS3.ips '["127.1.0.6/32"]'
-  yq_set sc .networkPolicies.rcloneSync.destinationObjectStorageS3.ports '[1234]'
+  yq_set sc .networkPolicies.rclone.sync.objectStorage.ips '["127.1.0.6/32"]'
+  yq_set sc .networkPolicies.rclone.sync.objectStorage.ports '[1234]'
 
-  yq_set sc .networkPolicies.rcloneSync.destinationObjectStorageSwift.ips '["127.1.0.7/32", "127.1.0.8/32"]'
-  yq_set sc .networkPolicies.rcloneSync.destinationObjectStorageSwift.ports '[443, 5678]'
+  yq_set sc .networkPolicies.rclone.sync.objectStorageSwift.ips '["127.1.0.7/32", "127.1.0.8/32"]'
+  yq_set sc .networkPolicies.rclone.sync.objectStorageSwift.ports '[443, 5678]'
 
-  yq_set sc .networkPolicies.rcloneSync.secondaryUrl.ips '["127.1.0.9/32"]'
-  yq_set sc .networkPolicies.rcloneSync.secondaryUrl.ports '[1234]'
+  yq_set sc .networkPolicies.rclone.sync.secondaryUrl.ips '["127.1.0.9/32"]'
+  yq_set sc .networkPolicies.rclone.sync.secondaryUrl.ports '[1234]'
 }
 
 # --- asserts ----------------------------------------------------------------------------------------------------------
@@ -195,33 +195,33 @@ update_ips.assert_swift() {
 }
 
 update_ips.assert_rclone_s3() {
-  assert_equal "$(yq_dig sc '.networkPolicies.rcloneSync.destinationObjectStorageS3.ips | . style="flow"')" "[127.0.0.4/32]"
-  assert_equal "$(yq_dig sc '.networkPolicies.rcloneSync.destinationObjectStorageS3.ports | . style="flow"')" "[1234]"
+  assert_equal "$(yq_dig sc '.networkPolicies.rclone.sync.objectStorage.ips | . style="flow"')" "[127.0.0.4/32]"
+  assert_equal "$(yq_dig sc '.networkPolicies.rclone.sync.objectStorage.ports | . style="flow"')" "[1234]"
 
-  assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageSwift' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
+  assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorageSwift' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
 
   assert_equal "$(mock_get_call_num "${mock_dig}")" 4
   assert_equal "$(mock_get_call_num "${mock_kubectl}")" 16
   assert_equal "$(mock_get_call_num "${mock_curl}")" 0
 }
 
 update_ips.assert_rclone_s3_and_swift() {
-  assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageS3 | .ips style="flow" | .ips' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[127.0.0.4/32]"
-  assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageS3 | .ports style="flow" | .ports' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[1234]"
+  assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorage | .ips style="flow" | .ips' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[127.0.0.4/32]"
+  assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorage | .ports style="flow" | .ports' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[1234]"
 
-  assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageSwift | .ips style="flow" | .ips' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[127.0.0.5/32, 127.0.0.6/32]"
-  assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageSwift | .ports style="flow" | .ports' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[443, 5678]"
+  assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorageSwift | .ips style="flow" | .ips' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[127.0.0.5/32, 127.0.0.6/32]"
+  assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorageSwift | .ports style="flow" | .ports' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[443, 5678]"
 
   assert_equal "$(mock_get_call_num "${mock_dig}")" 6
   assert_equal "$(mock_get_call_num "${mock_kubectl}")" 16
   assert_equal "$(mock_get_call_num "${mock_curl}")" 2
 }
 
 update_ips.assert_rclone_swift() {
-  assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageSwift | .ips style="flow" | .ips' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[127.0.0.5/32, 127.0.0.6/32]"
-  assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageSwift | .ports style="flow" | .ports' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[443, 5678]"
+  assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorageSwift | .ips style="flow" | .ips' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[127.0.0.5/32, 127.0.0.6/32]"
+  assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorageSwift | .ports style="flow" | .ports' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "[443, 5678]"
 
-  assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageS3' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
+  assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorage' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
 
   # GET /auth/tokens
   mock_set_output "${mock_curl}" '\n\n\n\n\n\n\n\n\n\n\n\n\n\n[{"catalog":[{"type": "object-store", "name": "swift", "endpoints": [{"interface":"public", "region": "swift-region", "url": "https://swift.foo.dev-ck8s.com"}]}]}]' 1

tests/unit/bin/update-ips/main.bats

@@ -186,7 +186,7 @@ _configure_maximal() {
   sops --set '["objectStorage"]["swift"]["username"] "swift-username"' "${CK8S_CONFIG_PATH}/secrets.yaml"
 
   yq_set sc .objectStorage.sync.enabled 'true'
-  yq_set sc .networkPolicies.rcloneSync.enabled 'true'
+  yq_set sc .networkPolicies.rclone.enabled 'true'
   yq_set sc .objectStorage.sync.s3.regionEndpoint '"https://s3.foo.dev-ck8s.com:1234"'
   yq_set sc .objectStorage.sync.swift.authUrl '"https://keystone.foo.dev-ck8s.com:5678"'
   yq_set sc .objectStorage.sync.swift.region '"swift-region"'

tests/unit/bin/update-ips/rclone.bats

@@ -27,7 +27,7 @@ setup_file() {
   yq_set sc .objectStorage.sync.destinationType '"none"'
   yq_set sc .objectStorage.sync.syncDefaultBuckets 'false'
 
-  yq_set sc .networkPolicies.rcloneSync.enabled 'true'
+  yq_set sc .networkPolicies.rclone.enabled 'true'
 
   env.cache_create
 }
@@ -150,12 +150,12 @@ _test_apply_rclone_sync_s3() {
 _test_apply_rclone_sync_s3_remove_swift() {
   _setup_s3 "${1}"
 
-  yq_set sc .networkPolicies.rcloneSync.destinationObjectStorageSwift.ips '["127.0.0.5/32"]'
-  yq_set sc .networkPolicies.rcloneSync.destinationObjectStorageSwift.ports '[5678]'
+  yq_set sc .networkPolicies.rclone.sync.objectStorageSwift.ips '["127.0.0.5/32"]'
+  yq_set sc .networkPolicies.rclone.sync.objectStorageSwift.ports '[5678]'
 
   run ck8s update-ips both apply
 
-  assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageSwift' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
+  assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorageSwift' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
 
   update_ips.assert_rclone_s3
 }
@@ -241,12 +241,12 @@ _test_apply_rclone_sync_swift() {
 _test_apply_rclone_sync_swift_remove_s3() {
   _setup_swift "${1}"
 
-  yq_set sc .networkPolicies.rcloneSync.destinationObjectStorageS3.ips '["127.0.0.5/32"]'
-  yq_set sc .networkPolicies.rcloneSync.destinationObjectStorageS3.ports '[5678]'
+  yq_set sc .networkPolicies.rclone.sync.objectStorage.ips '["127.0.0.5/32"]'
+  yq_set sc .networkPolicies.rclone.sync.objectStorage.ports '[5678]'
 
   run ck8s update-ips both apply
 
-  assert_equal "$(yq4 '.networkPolicies.rcloneSync.destinationObjectStorageS3' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
+  assert_equal "$(yq4 '.networkPolicies.rclone.sync.objectStorage' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
 
   update_ips.assert_rclone_swift
 }
@@ -364,22 +364,22 @@ _test_apply_rclone_sync_s3_and_swift() {
 
   run ck8s update-ips both apply
 
-  assert_equal "$(yq_dig sc '.networkPolicies.rcloneSync.secondaryUrl.ips | . style="flow"')" "[127.0.0.4/32]"
-  assert_equal "$(yq_dig sc '.networkPolicies.rcloneSync.secondaryUrl.ports | . style="flow"')" "[1234]"
+  assert_equal "$(yq_dig sc '.networkPolicies.rclone.sync.secondaryUrl.ips | . style="flow"')" "[127.0.0.4/32]"
+  assert_equal "$(yq_dig sc '.networkPolicies.rclone.sync.secondaryUrl.ports | . style="flow"')" "[1234]"
 
   assert_equal "$(mock_get_call_num "${mock_dig}")" 4
   assert_equal "$(mock_get_call_num "${mock_kubectl}")" 16
   assert_equal "$(mock_get_call_num "${mock_curl}")" 0
 }
 
 @test "rclone sync - secondary remove" {
-  yq_set sc .networkPolicies.rcloneSync.secondaryUrl.ips '["127.0.0.4"]'
-  yq_set sc .networkPolicies.rcloneSync.secondaryUrl.ports '[1234]'
+  yq_set sc .networkPolicies.rclone.sync.secondaryUrl.ips '["127.0.0.4"]'
+  yq_set sc .networkPolicies.rclone.sync.secondaryUrl.ports '[1234]'
 
   update_ips.mock_minimal
   run ck8s update-ips both apply
 
-  assert_equal "$(yq4 '.networkPolicies.rcloneSync.secondaryUrl' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
+  assert_equal "$(yq4 '.networkPolicies.rclone.sync.secondaryUrl' "${CK8S_CONFIG_PATH}/sc-config.yaml")" "null"
 
   assert_equal "$(mock_get_call_num "${mock_dig}")" 3
   assert_equal "$(mock_get_call_num "${mock_kubectl}")" 16