From 19558ab5e6e6cc4677b1b04dda65ea6d52519f37 Mon Sep 17 00:00:00 2001
From: hlts2
Date: Thu, 21 Sep 2023 16:46:59 +0900
Subject: [PATCH] add network policy settings and update deploy command

Signed-off-by: hlts2
---
 .../detect-docker-image-tags/action.yaml | 1 +
 Makefile.d/k8s.mk | 4 ++
 .../templates/gateway/lb/networkpolicy.yaml | 7 +++
 .../templates/gateway/mirror/configmap.yaml | 4 +-
 .../gateway/mirror/networkpolicy.yaml | 53 +++++++++++++++++++
 5 files changed, 67 insertions(+), 2 deletions(-)
 create mode 100644 charts/vald/templates/gateway/mirror/networkpolicy.yaml

diff --git a/.github/actions/detect-docker-image-tags/action.yaml b/.github/actions/detect-docker-image-tags/action.yaml
index 42c254a5d2..5119cb00f5 100644
--- a/.github/actions/detect-docker-image-tags/action.yaml
+++ b/.github/actions/detect-docker-image-tags/action.yaml
@@ -48,6 +48,7 @@ runs:
 ["vdaas/vald-agent-sidecar"]="agent.sidecar.image.tag"
 ["vdaas/vald-discoverer-k8s"]="discoverer.image.tag"
 ["vdaas/vald-lb-gateway"]="gateway.lb.image.tag"
+ ["vdaas/vald-mirror-gateway"]="gateway.mirror.image.tag"
 ["vdaas/vald-manager-index"]="manager.index.image.tag"
 ["vdaas/vald-helm-operator"]="image.tag"
 )
diff --git a/Makefile.d/k8s.mk b/Makefile.d/k8s.mk
index e4b42c75ff..b1b47b8936 100644
--- a/Makefile.d/k8s.mk
+++ b/Makefile.d/k8s.mk
@@ -75,6 +75,7 @@ k8s/vald/deploy:
 --set discoverer.image.repository=$(CRORG)/$(DISCOVERER_IMAGE) \
 --set gateway.filter.image.repository=$(CRORG)/$(FILTER_GATEWAY_IMAGE) \
 --set gateway.lb.image.repository=$(CRORG)/$(LB_GATEWAY_IMAGE) \
+ --set gateway.mirror.image.repository=$(CRORG)/$(MIRROR_GATEWAY_IMAGE) \
 --set manager.index.image.repository=$(CRORG)/$(MANAGER_INDEX_IMAGE) \
 $(HELM_EXTRA_OPTIONS) \
 --output-dir $(TEMP_DIR) \
@@ -84,6 +85,7 @@ k8s/vald/deploy:
 kubectl apply -f $(TEMP_DIR)/vald/templates/agent || true
 kubectl apply -f $(TEMP_DIR)/vald/templates/discoverer || true
 kubectl apply -f $(TEMP_DIR)/vald/templates/gateway/lb || true
+ kubectl apply -f $(TEMP_DIR)/vald/templates/gateway/mirror || true
 rm -rf $(TEMP_DIR)
 kubectl get pods -o jsonpath="{.items[*].spec.containers[*].image}" | tr " " "\n"
@@ -98,9 +100,11 @@ k8s/vald/delete:
 --set discoverer.image.repository=$(CRORG)/$(DISCOVERER_IMAGE) \
 --set gateway.filter.image.repository=$(CRORG)/$(FILTER_GATEWAY_IMAGE) \
 --set gateway.lb.image.repository=$(CRORG)/$(LB_GATEWAY_IMAGE) \
+ --set gateway.mirror.image.repository=$(CRORG)/$(MIRROR_GATEWAY_IMAGE) \
 --set manager.index.image.repository=$(CRORG)/$(MANAGER_INDEX_IMAGE) \
 --output-dir $(TEMP_DIR) \
 charts/vald
+ kubectl delete -f $(TEMP_DIR)/vald/templates/gateway/mirror
 kubectl delete -f $(TEMP_DIR)/vald/templates/gateway/lb
 kubectl delete -f $(TEMP_DIR)/vald/templates/manager/index
 kubectl delete -f $(TEMP_DIR)/vald/templates/discoverer
diff --git a/charts/vald/templates/gateway/lb/networkpolicy.yaml b/charts/vald/templates/gateway/lb/networkpolicy.yaml
index 05f838ad98..40201d98d7 100644
--- a/charts/vald/templates/gateway/lb/networkpolicy.yaml
+++ b/charts/vald/templates/gateway/lb/networkpolicy.yaml
@@ -17,6 +17,7 @@
 {{- $agent := .Values.agent -}}
 {{- $lb := .Values.gateway.lb -}}
 {{- $filter := .Values.gateway.filter -}}
+{{- $mirror := .Values.gateway.mirror -}}
 {{- $discoverer := .Values.discoverer -}}
 {{- if .Values.defaults.networkPolicy.enabled }}
 apiVersion: networking.k8s.io/v1
@@ -41,6 +42,12 @@ spec:
 podSelector:
 matchLabels:
 app: {{ $filter.name }}
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Release.Namespace }}
+ podSelector:
+ matchLabels:
+ app: {{ $mirror.name }}
 {{- if .Values.defaults.networkPolicy.custom.ingress }}
 {{- toYaml .Values.defaults.networkPolicy.custom.ingress | nindent 4 }}
 {{- end }}
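Review bot: The new `kubectl apply -f $(TEMP_DIR)/vald/templates/gateway/mirror || true` line swallows apply failures, so if the mirror NetworkPolicy or any other mirror manifest is rejected the target still exits 0 and the mirror pods come up with no ingress or egress restriction at all, because a missing NetworkPolicy fails open. The surrounding agent, discoverer and lb lines use the same pattern, so this looks like an inherited convention rather than an oversight, but a NetworkPolicy is the one manifest whose silent absence weakens security instead of merely breaking a component. Either drop `|| true` on this line or add a comment above the block such as `# || true: tolerate a partially rendered tree; verify with the pod/image list printed below`. The `k8s/vald/deploy` recipe starts before this hunk.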
diff --git a/charts/vald/templates/gateway/mirror/configmap.yaml b/charts/vald/templates/gateway/mirror/configmap.yaml
index f20647ce53..b8f776996d 100644
--- a/charts/vald/templates/gateway/mirror/configmap.yaml
+++ b/charts/vald/templates/gateway/mirror/configmap.yaml
@@ -48,7 +48,7 @@ data:
 discovery_duration: {{ $gateway.gateway_config.discovery_duration }}
 colocation: {{ $gateway.gateway_config.colocation }}
 group: {{ $gateway.gateway_config.group }}
- net:
+ net:
 {{- toYaml $gateway.gateway_config.net | nindent 8 }}
 client:
 {{- $client := $gateway.gateway_config.client }}
@@ -69,7 +69,7 @@ data:
 {{- include "vald.grpc.client" $GRPCClient | nindent 8 }}
 self_mirror_addr:
 {{- if $gateway.ingress.enabled -}}
- {{- $gateway.gateway_config.self_mirror_addr | indent 1 }}
+ {{- printf "%s:%d" $gateway.ingress.host 80 | indent 1 }}
 {{- else -}}
 {{- $defaultHost := printf "%s.%s.svc.cluster.local" $gateway.name .Release.Namespace }}
 {{- $defaultPort := default .Values.defaults.server_config.servers.grpc.port $gateway.server_config.servers.grpc.port }}
diff --git a/charts/vald/templates/gateway/mirror/networkpolicy.yaml b/charts/vald/templates/gateway/mirror/networkpolicy.yaml
new file mode 100644
index 0000000000..bab43b69fb
--- /dev/null
+++ b/charts/vald/templates/gateway/mirror/networkpolicy.yaml
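Review bot: `self_mirror_addr` is now derived as `<ingress.host>:80` whenever `ingress.enabled` is true, which hard-codes plaintext HTTP on port 80 and no longer consults `gateway_config.self_mirror_addr` on this branch, so an ingress that terminates TLS on 443 or listens on a non-default port will advertise an address that remote mirrors cannot reach. Letting an explicit value win keeps the previous override usable: `{{- default (printf "%s:%d" $gateway.ingress.host 80) $gateway.gateway_config.self_mirror_addr | indent 1 }}`. The literal port also deserves a comment, e.g. `{{/* port 80 assumes the ingress is served over plain HTTP; set self_mirror_addr for TLS or a non-default port */}}`. The `if`/`else` block this line sits in continues past the hunk.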
@@ -0,0 +1,53 @@
+#
+# Copyright (C) 2019-2023 vdaas.org vald team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+{{- $lb := .Values.gateway.lb -}}
+{{- $mirror := .Values.gateway.mirror -}}
+{{- if .Values.defaults.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: mirror-allow
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ $mirror.name }}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ {{- if .Values.defaults.networkPolicy.custom.ingress }}
+ {{- toYaml .Values.defaults.networkPolicy.custom.ingress | nindent 4 }}
+ {{- end }}
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Release.Namespace }}
+ podSelector:
+ matchLabels:
+ app: {{ $lb.name }}
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ {{- if .Values.defaults.networkPolicy.custom.egress }}
+ {{- toYaml .Values.defaults.networkPolicy.custom.egress | nindent 4 }}
+ {{- end }}
+{{- end }}
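Review bot: The ingress rule admits every pod in `kube-system` and nothing else, so the mirror gateway is reachable only when the ingress controller actually runs in `kube-system` or operators populate `defaults.networkPolicy.custom.ingress`; the lb gateway, whose own policy this commit opens to mirror pods, cannot initiate connections back here either, which is probably intended but should be stated in a comment above `ingress:`, e.g. `# only the ingress controller (assumed to live in kube-system) may reach the mirror gateway; add other peers via defaults.networkPolicy.custom.ingress`. On the egress side the `kube-system` rule allows every pod in that namespace on every port; if it exists for DNS it can be tightened with `ports: [{protocol: UDP, port: 53}, {protocol: TCP, port: 53}]`. Egress to mirror gateways in other clusters, which the configmap's `client` and `self_mirror_addr` settings suggest this component performs, is not covered by the defaults, so cross-cluster mirroring presumably works only once `custom.egress` is set, and that is worth a note in the values documentation. Unlike the lb policy, the ingress rule here also carries no `ports:` restriction, so any `kube-system` pod can reach every listening port on the pod, not just the gRPC/REST servers.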