parodos-dev / orchestrator-helm-chart

Helm chart to deploy the Orchestrator solution suite.
https://parodos.dev/orchestrator-helm-chart/
Apache License 2.0

Add a network policy to allow backstage-sonata traffic #199

Closed rgolangh closed 1 month ago

rgolangh commented 3 months ago
Add a network policy to allow backstage-sonata traffic

When installing Sonataflow operator, also set those network policies based on
namespaces labels:
1. A policy on the workflow namespace[1] that allows ingress from the sonata
   namespace and the RHDH namespace
2. A policy on the Sonata namespace where the cluster services are
   running that allows ingress from the workflows namespaces[2] and the RHDH
   namespace

[1] The workflow namespace is set as part of the hack/setup.sh script.
[2] Workflows namespaces are any namespaces with the label key rhdh.redhat.com/workflow-namespace.

Signed-off-by: Roy Golan rgolan@redhat.com

rgolangh commented 3 months ago

/hold last checks before I'm merging

rgolangh commented 3 months ago

I'm holding this work to make use of a more efficient single label selector: https://github.com/apache/incubator-kie-kogito-serverless-operator/pull/482

rgolangh commented 1 month ago

I think we may want to make this work a document instead of something the chart will set, here's why:

  1. We don't know ahead of time in which namespace workflows will be deployed.
  2. We don't know in which namespace the sonataflow services (data-index, jobs, database) will be installed. It depends on whether a cluster platform or a namespaced platform is used.

     If a namespaced platform is used, then the platform services are collocated with the workflows they use, hence we just need to make sure there is a network policy to isolate this namespace. By default OpenShift doesn't place a default policy, so the admin that installs workflows needs to add that.

     When a cluster platform is deployed, then the sonata services are deployed in a known namespace, 'sonataflow-infra'. In this case a network policy should allow traffic from all pods labelled with app.kubernetes.io/component=serverless-workflow AND from the backstage backend.

     If there is a case where a mix of cluster platform and namespaced platform is supported (is it?), then during the namespaced platform installation the network policy to isolate the ns will prevent ingress, but the sonataflow-infra namespace will remain open to calls from the platform namespaces.

rgolangh commented 1 month ago

After revisiting this, we can rely on the installation using hack/setup.sh to create a workflow namespace with a label. So this means that the helm chart knows the names of all three participating namespaces - workflows, sonata, and rhdh - and that is a good start. If other workflows are deployed in a different namespace, then this namespace must be labelled with rhdh.redhat.com/workflow-namespace.

eloycoto commented 1 month ago

It should be a disallow-all-traffic policy, and after that allow that one, no? If not, it is not blocking at all.

rgolangh commented 1 month ago

@eloycoto According to the docs and according to my tests this works. Pods outside of the specified namespaces cannot reach the target namespaces.

https://docs.openshift.com/container-platform/4.16/networking/network_security/network_policy/about-network-policy.html

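The two policies from the PR description, and the isolation question raised in the exchange above, written out as plain Kubernetes manifests. This is an added example, not a template from the chart or from the operator. It assumes the workflow namespace created by hack/setup.sh is named `workflows` and the RHDH namespace is named `rhdh` (both assumed names); `sonataflow-infra` and the `rhdh.redhat.com/workflow-namespace` label key come from the thread. Namespaces are matched by the well-known `kubernetes.io/metadata.name` label that Kubernetes sets on every namespace.

```yaml
# Added example (not the chart's own templates). Assumed names: "workflows"
# for the workflow namespace and "rhdh" for the RHDH namespace.
---
# 1. Policy on the workflow namespace: admit ingress from the Sonata
#    namespace and from the RHDH namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-sonata-and-rhdh-ingress
  namespace: workflows            # assumed name of the workflow namespace
spec:
  # An empty podSelector selects every pod in the namespace. As soon as a pod
  # is selected by a policy whose policyTypes includes Ingress it is
  # "isolated": only ingress matched by a rule below is admitted, everything
  # else is dropped. That is why no separate deny-all policy is needed for
  # the blocking effect; the allow policy itself isolates the pods.
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Peers in one "from" list are ORed together.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: sonataflow-infra
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: rhdh
        # Keep pod-to-pod traffic inside the workflow namespace working;
        # without this peer, isolation would also block same-namespace calls.
        - podSelector: {}
---
# 2. Policy on the Sonata namespace: admit ingress from every namespace that
#    carries the workflow-namespace label, and from the RHDH namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-workflows-and-rhdh-ingress
  namespace: sonataflow-infra     # cluster-platform services namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Any namespace labelled as a workflow namespace, whatever its name.
        - namespaceSelector:
            matchExpressions:
              - key: rhdh.redhat.com/workflow-namespace
                operator: Exists
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: rhdh
        # data-index, jobs service and database talk to each other here.
        - podSelector: {}
```

Apply with `kubectl apply -f` (or `oc apply -f`) and check the result from a pod in an unlabelled namespace: a connection to a workflow or data-index service should time out, while the same call from the RHDH namespace or a labelled workflow namespace succeeds. Two things to verify before relying on this: the cluster's CNI must enforce NetworkPolicy (OVN-Kubernetes and OpenShift SDN do), and any other clients that legitimately reach these pods, for example the router for exposed Routes or cluster monitoring, need their own `from` peer, since isolation blocks them too.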

rgolangh commented 1 month ago

@masayag I can't reproduce the helm lint error locally. Any clue?