Merge remote-tracking branch 'upstream/main'

Author: mrnicegyu11

charts/.gitignore

@@ -2,3 +2,5 @@ values.yaml
 values.*.yaml
 k8s_hosts.ini
 helmfile.y?ml
+
+*.tgz

charts/Makefile

@@ -1,3 +1,4 @@
+# to be executed on kubernetes control nodes
 REPO_BASE_DIR := $(shell git rev-parse --show-toplevel)
 
 include ${REPO_BASE_DIR}/scripts/common.Makefile
@@ -23,40 +24,16 @@ helmfile-lint: .check-helmfile-installed helmfile.yaml ## Lints the helmfile
 	set -a; source $(REPO_CONFIG_LOCATION); set +a; \
 	helmfile lint
 
-.PHONY: .helmfile-local-post-install
-.helmfile-local-post-install: ## Post install steps for local helmfile deployment
-	@$(MAKE) -s configure-local-hosts
-	@echo "";
-	@echo "Cluster has been deployed locally: https://$(MACHINE_FQDN)";
-	@echo "    For secure connections self-signed certificates are used.";
-	@echo "";
-
 .PHONY: helmfile-apply
 helmfile-apply: .check-helmfile-installed helmfile.yaml ## Applies the helmfile configuration
 	set -a; source $(REPO_CONFIG_LOCATION); set +a; \
 	helmfile -f $(REPO_BASE_DIR)/charts/helmfile.yaml apply
 
-	@if [ "$(MACHINE_FQDN)" = "osparc.local" ]; then \
-		$(MAKE) -s .helmfile-local-post-install; \
-	fi
-
 .PHONY: helmfile-sync
 helmfile-sync: .check-helmfile-installed helmfile.yaml ## Syncs the helmfile configuration (use `helmfile-apply` to deploy the app)
 	set -a; source $(REPO_CONFIG_LOCATION); set +a; \
 	helmfile -f $(REPO_BASE_DIR)/charts/helmfile.yaml sync
 
-	@if [ "$(MACHINE_FQDN)" = "osparc.local" ]; then \
-		$(MAKE) -s .helmfile-local-post-install; \
-	fi
-
-.PHONY: configure-local-hosts
-configure-local-hosts: $(REPO_CONFIG_LOCATION) ## Adds local hosts entries for the machine
-	# "Updating /etc/hosts with k8s $(MACHINE_FQDN) hosts ..."
-	@set -a; source $(REPO_CONFIG_LOCATION); set +a; \
-	grep -q "127.0.0.1 $$K8S_MONITORING_FQDN" /etc/hosts || echo "127.0.0.1 $$K8S_MONITORING_FQDN" | sudo tee -a /etc/hosts
-	@set -a; source $(REPO_CONFIG_LOCATION); set +a; \
-	grep -q "127.0.0.1 $$K8S_PRIVATE_FQDN" /etc/hosts || echo "127.0.0.1 $$K8S_PRIVATE_FQDN" | sudo tee -a /etc/hosts
-
 .PHONY: helmfile-diff
 helmfile-diff: .check-helmfile-installed helmfile.yaml ## Shows the differences that would be applied by helmfile
 	@set -a; source $(REPO_CONFIG_LOCATION); set +a; \

charts/README.md

@@ -45,7 +45,4 @@ helmfile init
 
 ## Running k8s cluster locally
 
-```bash
-cd ./osparc-ops-environments
-./scripts/create_local_k8s_cluster.bash
-```
+Use `./local-k8s.Makefile` targets

charts/adminer/templates/deployment.yaml

@@ -13,9 +13,9 @@ spec:
       {{- include "adminer.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-      {{- with .Values.podAnnotations }}
+      {{- if .Values.podAnnotations }}
       annotations:
-        {{- toYaml . | nindent 8 }}
+        {{- tpl (toYaml .Values.podAnnotations) . | nindent 8 }}
       {{- end }}
       labels:
         {{- include "adminer.labels" . | nindent 8 }}

charts/adminer/templates/networkpolicy.yaml

@@ -0,0 +1,20 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: adminer-network-policy
+  labels:
+    {{- include "adminer.labels" . | nindent 4 }}
+spec:
+  selector: app.kubernetes.io/instance == "{{ .Release.Name }}"
+  ingress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - {{ .Values.service.port }}
+  egress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - 5432

charts/adminer/values.yaml.gotmpl

@@ -25,7 +25,9 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name: ""
 
-podAnnotations: {}
+podAnnotations:
+  # automatically restart pod on network policy change (to be sure new rules are applied)
+  checksum/networkpolicy: '{{`{{ include (print $.Template.BasePath "/networkpolicy.yaml") . | sha256sum }}`}}'
 podLabels: {}
 
 podSecurityContext:

charts/calico-configuration/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/calico-configuration/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: calico-configuration
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "3.26.4"

charts/calico-configuration/README.md

@@ -0,0 +1,50 @@
+## How to add network policy (local deployment)
+
+How to discover ports / networks that are used by application
+* observe existing traffic (see `Debug network policies` below)
+* add staged policies to make sure all cases are included https://docs.tigera.io/calico/3.30/network-policy/staged-network-policies
+  - make sure deployed calico version supports it
+* based on observations, create a needed network policy
+
+## Debug network policies
+
+if calico version 3.30+ is installed
+* observe traffic and check `policies` field in whisker logs
+  - https://docs.tigera.io/calico/3.30/observability/enable-whisker
+  - https://docs.tigera.io/calico/3.30/observability/view-flow-logs
+
+if calico version <= 3.29
+* create network policy with action log (read more https://docs.tigera.io/calico/latest/network-policy/policy-rules/log-rules)
+  ```yaml
+  apiVersion: projectcalico.org/v3
+  kind: NetworkPolicy
+  metadata:
+    name: log ingress requests
+  spec:
+    selector: app == 'db'
+    ingress:
+    - action: Log
+  ```
+* apply policy and see logs via journalctl (you can grep with `calico-packet` on the node where the pod is running)
+* Note: one may implement policy step by step (allowing all traffic that is known and making last rule `Log` to see what traffic is still missing)
+
+## Known issues
+
+If network policy is created after pod, pod **MUST** be restarted for policy to take effect. Read more https://github.com/projectcalico/calico/issues/10753#issuecomment-3140717418
+* To automate this, we can add annotations with network policy checksum to pods (see https://stackoverflow.com/questions/58602311/will-helm-upgrade-restart-pods-even-if-they-are-not-affected-by-upgrade)
+
+## How to view existing policies
+
+via kubectl:
+* `kubectl get networkpolicies.crd.projectcalico.org -n adminer`
+* `kubectl describe networkpolicies.crd.projectcalico.org -n adminer default.adminer-network-policy`
+
+via calicoctl:
+* `calicoctl get networkpolicy -n adminer -o yaml`
+
+Note:
+* global network policies and network policies are separate resources for calico
+* To see all calico resources execute `kubectl get crd | grep calico` or `calicoctl get --help`
+
+Warning:
+* Network policies update are only applied to "new connections". To make them act, one may need to restart affected applications (pods)

charts/calico-configuration/templates/NOTES.txt

@@ -0,0 +1,3 @@
+This chart configures Calico but does not deploy Calico itself. Calico is deployed during the Kubernetes cluster creation.
+
+Note: to make sure network policies are applied correctly, you may need to restart targeted application pods.