MLE-15992: Implementation for networkPolicy (#25)

* implementation for networkPolicy

Author: barkhachoithani

api/v1alpha1/common_types.go

@@ -2,6 +2,8 @@ package v1alpha1
 
 import (
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 type ContainerProbe struct {
@@ -64,6 +66,13 @@ type LogFilesConfig struct {
 	AuditLogs   bool `json:"auditLogs,omitempty"`
 }
 
+type NetworkPolicy struct {
+	Enabled     bool                                    `json:"enabled,omitempty"`
+	PolicyTypes []networkingv1.PolicyType               `json:"policyTypes,omitempty"`
+	PodSelector metav1.LabelSelector                    `json:"podSelector,omitempty"`
+	Ingress     []networkingv1.NetworkPolicyIngressRule `json:"ingress,omitempty"`
+	Egress      []networkingv1.NetworkPolicyEgressRule  `json:"egress,omitempty"`
+
 type HAProxyConfig struct {
 	Enabled bool `json:"enabled,omitempty"`
 	// +kubebuilder:default:=1

api/v1alpha1/marklogicgroup_types.go

@@ -19,7 +19,6 @@ package v1alpha1
 import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -48,7 +47,7 @@ type MarklogicGroupSpec struct {
 	// +kubebuilder:validation:Enum=OnDelete;RollingUpdate
 	// +kubebuilder:default:="OnDelete"
 	UpdateStrategy appsv1.StatefulSetUpdateStrategyType `json:"updateStrategy,omitempty"`
-	NetworkPolicy  *networkingv1.NetworkPolicy          `json:"networkPolicy,omitempty"`
+	NetworkPolicy  NetworkPolicy                        `json:"networkPolicy,omitempty"`
 	// +kubebuilder:default:={fsGroup: 2, fsGroupChangePolicy: "OnRootMismatch"}
 	PodSecurityContext *corev1.PodSecurityContext `json:"podSecurityContext,omitempty"`
 	// +kubebuilder:default:={runAsUser: 1000, runAsNonRoot: true, allowPrivilegeEscalation: false}

api/v1alpha1/zz_generated.deepcopy.go

@@ -62,6 +62,34 @@ spec:
           http_user admin
           http_passwd admin
   
+  ## To configure networkPolicy, set enabled: true and uncomment the following lines 
+  ## Below is an example of networkPolicy, update it as per your requirements
+  ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies
+  networkPolicy:
+    enabled: false
+  #   policyTypes:
+  #     - Ingress
+  #     - Egress
+  #   podSelector: {}
+  #   ingress:
+  #     - from:
+  #         - podSelector:
+  #             matchLabels:
+  #               app.kubernetes.io/name: marklogic
+  #               app.kubernetes.io/instance: marklogic
+  #       ports:
+  #         - protocol: TCP
+  #           port: 8000
+  #   egress:
+  #     - to:
+  #         - podSelector:
+  #             matchLabels:
+  #               app.kubernetes.io/name: marklogic
+  #               app.kubernetes.io/instance: marklogicgroup
+  #       ports:
+  #         - protocol: TCP
+  #           port: 8000
+
   ## Configuration for the HAProxy load balancer
   ## An out of box load balancer with configured to handle cookie based session affinity that required by most MarkLogic applications.
   ## It also support multi-statement transaction and ODBC connections.  

config/crd/bases/database.marklogic.com_marklogicclusters.yaml

@@ -25,6 +25,7 @@ import (
 	. "github.com/onsi/gomega"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -50,6 +51,7 @@ var runAsUser = int64(1000)
 var runAsNonRoot bool = true
 var allowPrivilegeEscalation bool = false
 var typeNamespaceName = types.NamespacedName{Name: Name, Namespace: Namespace}
+var policy = []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}
 
 const resourceCpuValue = int64(1)
 const resourceMemoryValue = int64(268435456)
@@ -59,6 +61,8 @@ const resourceHugepageValue = int64(104857600)
 
 var svcName = Name + "-cluster"
 var typeNamespaceNameSvc = types.NamespacedName{Name: svcName, Namespace: Namespace}
+var netPolicyName = Name + "-network-policy"
+var typeNsNameNetPolicy = types.NamespacedName{Name: netPolicyName, Namespace: Namespace}
 
 const fluentBitImage = "fluent/fluent-bit:3.1.1"
 
@@ -115,6 +119,23 @@ var _ = Describe("MarkLogicGroup controller", func() {
 						AllowPrivilegeEscalation: &allowPrivilegeEscalation,
 					},
 					LogCollection: &databasev1alpha1.LogCollection{Enabled: true, Image: "fluent/fluent-bit:3.1.1", Files: databasev1alpha1.LogFilesConfig{ErrorLogs: true, AccessLogs: true, RequestLogs: true, CrashLogs: true, AuditLogs: true}, Outputs: "stdout"},
+					NetworkPolicy: databasev1alpha1.NetworkPolicy{
+						Enabled:     true,
+						PolicyTypes: policy,
+						PodSelector: metav1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/name": "marklogic", "app.kubernetes.io/instance": "dnode"}},
+						Ingress: []networkingv1.NetworkPolicyIngressRule{
+							{From: []networkingv1.NetworkPolicyPeer{{
+								PodSelector: &metav1.LabelSelector{
+									MatchLabels: map[string]string{
+										"app.kubernetes.io/name":     "marklogic",
+										"app.kubernetes.io/instance": "dnode",
+									},
+								},
+							}},
+								Ports: []networkingv1.NetworkPolicyPort{{Port: &intstr.IntOrString{IntVal: 8000}}},
+							},
+						},
+					},
 					HAProxyConfig: databasev1alpha1.HAProxyConfig{
 						Enabled:          true,
 						ReplicaCount:     1,
@@ -201,6 +222,18 @@ var _ = Describe("MarkLogicGroup controller", func() {
 			}, timeout, interval).Should(BeTrue())
 			Expect(createdClusterSrv.Name).Should(Equal(svcName))
 			Expect(createdClusterSrv.Spec.Type).Should(Equal(corev1.ServiceTypeClusterIP))
+
+			// Validating if NetworkPolicy is created successfully
+			createdNetPolicy := &networkingv1.NetworkPolicy{}
+			Eventually(func() bool {
+				err := k8sClient.Get(ctx, typeNsNameNetPolicy, createdNetPolicy)
+				return err == nil
+			}, timeout, interval).Should(BeTrue())
+			Expect(createdNetPolicy.Name).Should(Equal(netPolicyName))
+			Expect(createdNetPolicy.Spec.PolicyTypes).Should(Equal(policy))
+			Expect(createdNetPolicy.Spec.PodSelector).Should(Equal(metav1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/name": "marklogic", "app.kubernetes.io/instance": "dnode"}}))
+			Expect(createdNetPolicy.Spec.Ingress[0].From[0].PodSelector.MatchLabels).Should(Equal(map[string]string{"app.kubernetes.io/name": "marklogic", "app.kubernetes.io/instance": "dnode"}))
+			Expect(createdNetPolicy.Spec.Ingress[0].Ports[0].Port).Should(Equal(&intstr.IntOrString{IntVal: 8000}))
 		})
 
 		It("Should create configmap for MarkLogic scripts", func() {

config/crd/bases/database.marklogic.com_marklogicgroups.yaml

@@ -26,6 +26,9 @@ func (oc *OperatorContext) ReconsileHandler() (reconcile.Result, error) {
 		}
 	}
 
+	if oc.MarklogicGroup.Spec.NetworkPolicy.Enabled {
+		if result := oc.ReconcileNetworkPolicy(); result.Completed() {
+
 	if oc.MarklogicGroup.Spec.HAProxyConfig.Enabled {
 		if result := oc.ReconcileHAProxy(); result.Completed() {
 			return result.Output()

config/samples/marklogicgroup.yaml

@@ -0,0 +1,113 @@
+package k8sutil
+
+import (
+	networkingv1 "k8s.io/api/networking/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	"github.com/cisco-open/k8s-objectmatcher/patch"
+	databasev1alpha1 "github.com/marklogic/marklogic-kubernetes-operator/api/v1alpha1"
+	"github.com/marklogic/marklogic-kubernetes-operator/pkg/result"
+)
+
+func generateNetworkPolicyDef(networkPolicyMeta metav1.ObjectMeta, ownerRef metav1.OwnerReference, cr *databasev1alpha1.MarklogicGroup) *networkingv1.NetworkPolicy {
+	networkPolicySpec := networkingv1.NetworkPolicySpec{
+		PolicyTypes: cr.Spec.NetworkPolicy.PolicyTypes,
+		PodSelector: cr.Spec.NetworkPolicy.PodSelector,
+		Ingress:     cr.Spec.NetworkPolicy.Ingress,
+		Egress:      cr.Spec.NetworkPolicy.Egress,
+	}
+	networkPolicyDef := &networkingv1.NetworkPolicy{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "NetworkPolicy",
+			APIVersion: "v1",
+		},
+		ObjectMeta: networkPolicyMeta,
+		Spec:       networkPolicySpec,
+	}
+	networkPolicyDef.SetOwnerReferences(append(networkPolicyDef.GetOwnerReferences(), ownerRef))
+	return networkPolicyDef
+}
+
+func (oc *OperatorContext) getNetworkPolicy(namespace string, networkPolicyName string) (*networkingv1.NetworkPolicy, error) {
+	logger := oc.ReqLogger
+
+	var networkPolicy *networkingv1.NetworkPolicy
+	networkPolicy = &networkingv1.NetworkPolicy{}
+	err := oc.Client.Get(oc.Ctx, types.NamespacedName{Name: networkPolicyName, Namespace: namespace}, networkPolicy)
+	if err != nil {
+		logger.Info("MarkLogic NetworkPolicy get action failed")
+		return nil, err
+	}
+	logger.Info("MarkLogic NetworkPolicy get action is successful")
+	return networkPolicy, nil
+}
+
+func generateNetworkPolicy(networkPolicyName string, cr *databasev1alpha1.MarklogicGroup) *networkingv1.NetworkPolicy {
+	labels := getMarkLogicLabels(cr.Spec.Name)
+	netObjectMeta := generateObjectMeta(networkPolicyName, cr.Namespace, labels, map[string]string{})
+	networkPolicy := generateNetworkPolicyDef(netObjectMeta, marklogicServerAsOwner(cr), cr)
+	return networkPolicy
+}
+
+func (oc *OperatorContext) ReconcileNetworkPolicy() result.ReconcileResult {
+	logger := oc.ReqLogger
+	logger.Info("NetworkPolicy::Reconciling MarkLogic NetworkPolicy")
+	client := oc.Client
+	cr := oc.MarklogicGroup
+	networkPolicyName := cr.Spec.Name
+	currentNetworkPolicy, err := oc.getNetworkPolicy(cr.Namespace, networkPolicyName)
+	networkPolicyDef := generateNetworkPolicy(networkPolicyName, cr)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			logger.Info("MarkLogic NetworkPolicy not found, creating a new one")
+			err = client.Create(oc.Ctx, networkPolicyDef)
+			if err != nil {
+				logger.Info("MarkLogic NetworkPolicy creation has failed")
+				return result.Error(err)
+			}
+			logger.Info("MarkLogic NetworkPolicy creation is successful")
+			oc.Recorder.Event(oc.MarklogicGroup, "Normal", "NetworkPolicyCreated", "MarkLogic NetworkPolicy creation is successful")
+		} else {
+			logger.Error(err, "MarkLogic NetworkPolicy creation has failed")
+			return result.Error(err)
+		}
+	} else {
+		logger.Info("MarkLogic NetworkPolicy already exists")
+		patchDiff, err := patch.DefaultPatchMaker.Calculate(currentNetworkPolicy, networkPolicyDef,
+			patch.IgnoreStatusFields(),
+			patch.IgnoreVolumeClaimTemplateTypeMetaAndStatus(),
+			patch.IgnoreField("kind"))
+		if err != nil {
+			logger.Error(err, "Error calculating patch")
+			return result.Error(err)
+		}
+		if !patchDiff.IsEmpty() {
+			logger.Info("MarkLogic NetworkPolicy spec is different from the input NetworkPolicy spec, updating the NetworkPolicy")
+			logger.Info(patchDiff.String())
+			err := oc.Client.Update(oc.Ctx, networkPolicyDef)
+			if err != nil {
+				logger.Error(err, "Error updating NetworkPolicy")
+				return result.Error(err)
+			}
+		} else {
+			logger.Info("MarkLogic NetworkPolicy spec is the same as the input NetworkPolicy spec")
+
+		}
+		logger.Info("MarkLogic NetworkPolicy is updated")
+	}
+	return result.Continue()
+}
+
+func (oc *OperatorContext) createNetworkPolicy(namespace string, networkPolicy *networkingv1.NetworkPolicy) error {
+	logger := oc.ReqLogger
+	client := oc.Client
+	err := client.Create(oc.Ctx, networkPolicy)
+	if err != nil {
+		logger.Error(err, "MarkLogic NetworkPolicy creation has failed")
+		return err
+	}
+	logger.Info("MarkLogic NetworkPolicy creation is successful")
+	return nil
+}