From da112c1285e1a02862c3bceaa93478123a60a784 Mon Sep 17 00:00:00 2001 From: Francisc Munteanu Date: Tue, 17 Dec 2024 18:49:57 +0100 Subject: [PATCH 1/2] feat: add ingress network policy with generic sandbox label (#1086) * allow from dev sandbox managed NS --------- Co-authored-by: Devtools --- .../nstemplatetiers/appstudio-env/ns_env.yaml | 13 +++++++++++++ .../nstemplatetiers/appstudio/ns_tenant.yaml | 13 +++++++++++++ testsupport/tiers/checks.go | 19 ++++++++++++------- 3 files changed, 38 insertions(+), 7 deletions(-) diff --git a/deploy/nstemplatetiers/appstudio-env/ns_env.yaml b/deploy/nstemplatetiers/appstudio-env/ns_env.yaml index f801a2663..86898acb4 100644 --- a/deploy/nstemplatetiers/appstudio-env/ns_env.yaml +++ b/deploy/nstemplatetiers/appstudio-env/ns_env.yaml @@ -218,6 +218,19 @@ objects: podSelector: {} policyTypes: - Ingress +- apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: allow-from-dev-sandbox-managed-ns + namespace: ${SPACE_NAME}-env + spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + dev-sandbox/policy-group: ingress + policyTypes: + - Ingress parameters: - name: SPACE_NAME required: true diff --git a/deploy/nstemplatetiers/appstudio/ns_tenant.yaml b/deploy/nstemplatetiers/appstudio/ns_tenant.yaml index 8de7cf5b5..f3f26dc4a 100644 --- a/deploy/nstemplatetiers/appstudio/ns_tenant.yaml +++ b/deploy/nstemplatetiers/appstudio/ns_tenant.yaml @@ -242,6 +242,19 @@ objects: podSelector: {} policyTypes: - Ingress +- apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: allow-from-dev-sandbox-managed-ns + namespace: ${SPACE_NAME}-tenant + spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + dev-sandbox/policy-group: ingress + policyTypes: + - Ingress # ServiceAccount and RoleBindings for running Pipelines. # appstudio-pipelines-runner-clusterrole is deployed by the pipeline-service component. - apiVersion: v1 
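Review bot: The new `allow-from-dev-sandbox-managed-ns` object in ns_env.yaml omits `spec.podSelector`, while the sibling policy visible in the context lines spells out `podSelector: {}`; an absent selector is defaulted to the empty selector (every pod in the namespace), so the intent should be stated explicitly with `podSelector: {}` directly under `spec:`, which is also what the e2e check's empty `metav1.LabelSelector{}` appears to expect. Because the rule carries no `ports` list, any namespace labelled `dev-sandbox/policy-group: ingress` gains ingress to every pod and every port in `${SPACE_NAME}-env`, so that label is effectively a cluster-wide trust anchor and the template should record who is allowed to apply it, e.g. `# Any namespace labelled dev-sandbox/policy-group=ingress may reach every pod/port here; this label must only be set by the component that manages sandbox namespaces (confirm owner).` If the consuming component only needs a few ports, a `ports:` entry on this rule would bound the blast radius of a mislabelled namespace.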
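Review bot: In ns_tenant.yaml the same `allow-from-dev-sandbox-managed-ns` policy again has no `spec.podSelector`, so it silently selects every pod in `${SPACE_NAME}-tenant`, including the Pipelines runner pods that the following context comment says live in this namespace; please add `podSelector: {}` under `spec:` to make that explicit and consistent with the policy just above it. If the labelled namespaces only need to reach a particular workload, a targeted `podSelector` with `matchLabels` would be a tighter grant than the whole namespace, though whether that is feasible depends on the consumer, which this template does not show. A one-line YAML comment naming the consumer this rule exists for (the commit message only says "dev sandbox managed NS") would help the next reviewer judge whether the grant is still needed.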
diff --git a/testsupport/tiers/checks.go b/testsupport/tiers/checks.go index e6b17df05..79856b3f0 100644 --- a/testsupport/tiers/checks.go +++ b/testsupport/tiers/checks.go @@ -161,7 +161,7 @@ func (a *baseTierChecks) GetNamespaceObjectChecks(nsType string) []namespaceObje case "stage": otherNamespaceKind = "dev" } - checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromOtherNamespace(otherNamespaceKind), numberOfNetworkPolicies(10)) + checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromOtherNamespace(otherNamespaceKind), numberOfNetworkPolicies(11)) return checks } @@ -231,7 +231,7 @@ func (a *base1nsTierChecks) GetNamespaceObjectChecks(_ string) []namespaceObject crtadminViewRoleBinding(), } checks = append(checks, commonNetworkPolicyChecks()...) - checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(9)) + checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(10)) return checks } @@ -381,6 +381,7 @@ func commonNetworkPolicyChecks() []namespaceObjectsCheck { networkPolicyAllowFromIngress(), networkPolicyAllowFromOlmNamespaces(), networkPolicyAllowFromConsoleNamespaces(), + networkPolicyIngressAllowFromDevSandboxPolicyGroup(), } } 
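Review bot: Adding `networkPolicyIngressAllowFromDevSandboxPolicyGroup()` to `commonNetworkPolicyChecks()` makes the assertion apply to every tier that calls it, and the `numberOfNetworkPolicies` literals bumped here are consistent with that (six common checks plus the tier-specific ones), assuming the base tier's call to `commonNetworkPolicyChecks()` in the `@@ -161` hunk sits outside the visible lines. The exact-count guard is worth keeping, since it is what detects an unexpected extra policy in a tenant namespace, but maintaining it as a hand-edited literal in seven call sites is error-prone; deriving it from the expected list, e.g. `expected := append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW())` followed by `numberOfNetworkPolicies(len(expected))`, keeps the guard while removing the manual arithmetic. A short comment on `commonNetworkPolicyChecks()` noting that the new entry opens ingress from any namespace labelled `dev-sandbox/policy-group=ingress` would also document why every tier now carries it.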
@@ -465,7 +466,7 @@ func (a *appstudioTierChecks) GetNamespaceObjectChecks(_ string) []namespaceObje resourceQuotaComputeBuild("120", "128Gi", "60", "64Gi"), } checks = append(checks, commonAppstudioTierChecks()...) - checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(6))...) + checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(7))...) return checks } @@ -558,7 +559,7 @@ func (a *appstudiolargeTierChecks) GetNamespaceObjectChecks(_ string) []namespac resourceQuotaStorage("50Gi", "400Gi", "50Gi", "180"), } checks = append(checks, commonAppstudioTierChecks()...) - checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(6))...) + checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(7))...) return checks } @@ -596,7 +597,7 @@ func (a *appstudioEnvTierChecks) GetNamespaceObjectChecks(_ string) []namespaceO appstudioWorkSpaceNameLabel(), } - checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(6))...) + checks = append(checks, append(commonNetworkPolicyChecks(), networkPolicyAllowFromCRW(), numberOfNetworkPolicies(7))...) return checks } 
@@ -656,7 +657,7 @@ func (a *intelMediumTierChecks) GetNamespaceObjectChecks(_ string) []namespaceOb crtadminViewRoleBinding(), } checks = append(checks, commonNetworkPolicyChecks()...) - checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(9)) + checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(10)) return checks } @@ -736,7 +737,7 @@ func getNamespaceObjectChecksForIntelLarge(memoryLimit string) []namespaceObject crtadminViewRoleBinding(), } checks = append(checks, commonNetworkPolicyChecks()...) - checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(9)) + checks = append(checks, networkPolicyAllowFromCRW(), networkPolicyAllowFromVirtualizationNamespaces(), networkPolicyAllowFromRedHatODSNamespaceToMariaDB(), networkPolicyAllowFromRedHatODSNamespaceToModelMesh(), numberOfNetworkPolicies(10)) return checks } 
@@ -1242,6 +1243,10 @@ func networkPolicyIngressFromPolicyGroup(name, group string) namespaceObjectsChe return assertNetworkPolicyIngressForNamespaces(name, metav1.LabelSelector{}, "network.openshift.io/policy-group", group) } +func networkPolicyIngressAllowFromDevSandboxPolicyGroup() namespaceObjectsCheck { + return assertNetworkPolicyIngressForNamespaces("allow-from-dev-sandbox-managed-ns", metav1.LabelSelector{}, "dev-sandbox/policy-group", "ingress") +} + func assertNetworkPolicyIngressForNamespaces(name string, podSelector metav1.LabelSelector, labelNameValuePairs ...string) namespaceObjectsCheck { return func(t *testing.T, ns *corev1.Namespace, memberAwait *wait.MemberAwaitility, userName string) { require.Equal(t, 0, len(labelNameValuePairs)%2, "labelNameValuePairs must be a list of key-value pairs") From d2363ade7691dc595bd701b2ed50242e3bf19741 Mon Sep 17 00:00:00 2001 From: Matous Jobanek Date: Thu, 19 Dec 2024 01:06:06 +0100 Subject: [PATCH 2/2] drop docker from docs and makefile (#1087) --- README.adoc | 4 ++-- make/docker.mk | 4 ---- quay.adoc | 2 +- required_tools.adoc | 3 +-- 4 files changed, 4 insertions(+), 9 deletions(-) delete mode 100644 make/docker.mk diff --git a/README.adoc b/README.adoc index 2ec8421f4..6158ce44c 100644 --- a/README.adoc +++ b/README.adoc 
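Review bot: The new `networkPolicyIngressAllowFromDevSandboxPolicyGroup` has no doc comment and, unlike its parameterised neighbour `networkPolicyIngressFromPolicyGroup(name, group)`, hardcodes both the policy name and the label; please add `// networkPolicyIngressAllowFromDevSandboxPolicyGroup asserts the "allow-from-dev-sandbox-managed-ns" NetworkPolicy exists and admits ingress, for every pod (empty podSelector), from any namespace labelled dev-sandbox/policy-group=ingress.` Whether the check also fails on a `ports` restriction or on additional `from` peers depends on `assertNetworkPolicyIngressForNamespaces`, whose body continues past the end of this hunk; if it only verifies that the expected peer is present, a policy that is broader than the template (extra peers) would still pass, which is worth a sentence in the comment or a tightened assertion. The literals `"allow-from-dev-sandbox-managed-ns"` and `"dev-sandbox/policy-group"` are now duplicated between the YAML templates and this file, so a named constant next to the check would make a future rename harder to get half-right.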
@@ -61,7 +61,7 @@ There are multiple Makefile targets that will execute the e2e tests, they just d * `make test-e2e-host-local` - this target clones only the https://github.com/codeready-toolchain/member-operator[member-operator] repo and builds an image from it. For host-operator, it builds the image from `../host-operator` directory. These images deploys to OpenShift and runs e2e tests against them. The e2e tests will take care of creating all needed namespaces with random names (or see below for enforcing some specific namespace names). -It will also create all required CRDs, role and role bindings for the service accounts, build the Docker images for both operators and push them to the OpenShift container registry. Finally, it will deploy the operators and run the tests using the operator-sdk. +It will also create all required CRDs, role and role bindings for the service accounts, build the container images for both operators and push them to the OpenShift container registry. Finally, it will deploy the operators and run the tests using the operator-sdk. NOTE: you can override the default namespace names where the end-to-end tests are going to be executed - eg.: `make test-e2e HOST_NS=my-host MEMBER_NS=my-member` file. 
@@ -165,7 +165,7 @@ NOTE: By default, `SECOND_MEMBER_MODE` is set to false. * Get a cluster and setup the following env vars ** `export QUAY_NAMESPACE=` ** `export KUBECONFIG=` -* Run `docker login quay.io` +* Run `podman login quay.io` * Create https://github.com/codeready-toolchain/toolchain-infra/tree/master/config/oauth[IdP] * If you need to change any of the default configuration, modify the ToolchainConfig in https://github.com/codeready-toolchain/toolchain-e2e/blob/master/deploy/host-operator/dev/toolchainconfig.yaml[deploy/host-operator/dev/toolchainconfig.yaml] * To set working notification/verification secrets, modify them in https://github.com/codeready-toolchain/toolchain-e2e/blob/master/deploy/host-operator/dev/secrets.yaml[deploy/host-operator/dev/secrets.yaml] diff --git a/make/docker.mk b/make/docker.mk deleted file mode 100644 index bd2059c6b..000000000 --- a/make/docker.mk +++ /dev/null @@ -1,4 +0,0 @@ -.PHONY: docker-image -## Build the docker image locally that can be deployed (only contains bare operator) -docker-image: build - $(Q)docker build -f build/Dockerfile -t docker.io/${GO_PACKAGE_ORG_NAME}/${GO_PACKAGE_REPO_NAME}:${GIT_COMMIT_ID_SHORT} . diff --git a/quay.adoc b/quay.adoc index 9bf3541cd..8690d03ce 100644 --- a/quay.adoc +++ b/quay.adoc @@ -7,7 +7,7 @@ There is a set of images that is built and pushed to quay repositories while dep . Make sure you have set the _QUAY_NAMESPACE_ variable: + `export QUAY_NAMESPACE=` . Log in to quay.io using + -`docker login quay.io` +`podman login quay.io` * Make sure that these repositories exist on quay.io and the visibility is set to `public` for all of them: * https://quay.io/repository//host-operator * https://quay.io/repository//host-operator-bundle diff --git a/required_tools.adoc b/required_tools.adoc index 3dbe43996..e15a8509d 100644 --- a/required_tools.adoc +++ b/required_tools.adoc 
@@ -6,7 +6,6 @@ NOTE: Follow the installation instructions https://sdk.operatorframework.io/docs * sed * yamllint * jq -* podman + -NOTE: If you need to use docker, then run the make targets with this variable set: `IMAGE_BUILDER=docker`. +* podman * opm v1.26.3 + NOTE: To download the Operator Registry tool use either https://github.com/operator-framework/operator-registry/releases or https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/. The version should correspond with the OpenShift version you are running. To confirm that the Operator Registry tool is installed correctly: `$ opm version`