From 243f6c76089ea81e72bbafc659767573b2f3c385 Mon Sep 17 00:00:00 2001
From: Meg Heisler <mh783g@att.com>
Date: Mon, 25 Feb 2019 09:30:06 -0600
Subject: [PATCH] Add east-west ingress network policy to Prometheus

This adds an ingress policy to Prometheus and utilizes
the helm-toolkit used in openstack-helm

Change-Id: Ia89d42a5305c94da26337aaf716978c1defae503
---
 prometheus/values.yaml                              |  9 +++++++--
 tools/deployment/network-policy/050-prometheus.sh   | 13 +++++++------
 .../network-policy/901-test-networkpolicy.sh        |  3 ++-
 3 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/prometheus/values.yaml b/prometheus/values.yaml
index 22e1c073b..74d29bc6a 100644
--- a/prometheus/values.yaml
+++ b/prometheus/values.yaml
@@ -211,6 +211,11 @@ network:
       enabled: false
       port: 30900
 
+network_policy:
+  prometheus:
+    ingress:
+      - {}
+
 secrets:
   tls:
     monitoring:
@@ -234,7 +239,7 @@ manifests:
   ingress: true
   helm_tests: true
   job_image_repo_sync: true
-  network_policy: false
+  network_policy: true
   secret_ingress_tls: true
   secret_prometheus: true
   service_ingress: true
@@ -1193,7 +1198,7 @@ conf:
               description: Prometheus failed to scrape API server(s), or all API servers have disappeared from service discovery.
               summary: API server unreachable
           - alert: K8SApiServerLatency
-            expr: histogram_quantile(0.99, sum(apiserver_request_latencies_bucket{verb!~"CONNECT|WATCHLIST|WATCH|PROXY|DELETECOLLECTION"}) WITHOUT (instance, resource)) / 1e+06 > 1
+            expr: histogram_quantile(0.99, sum(apiserver_request_latencies_bucket{verb!~"CONNECT|WATCHLIST|WATCH|PROXY"}) WITHOUT (instance, resource)) / 1e+06 > 1
             for: 10m
             labels:
               severity: warning
diff --git a/tools/deployment/network-policy/050-prometheus.sh b/tools/deployment/network-policy/050-prometheus.sh
index 825ca34e0..3de12c70b 100755
--- a/tools/deployment/network-policy/050-prometheus.sh
+++ b/tools/deployment/network-policy/050-prometheus.sh
@@ -19,7 +19,7 @@ set -xe
 #NOTE: Lint and package chart
 make prometheus
 
-tee /tmp/prometheus.yaml <<EOF
+tee /tmp/prometheus.yaml << EOF
 manifests:
   network_policy: true
 network_policy:
@@ -43,19 +43,20 @@ network_policy:
               application: nagios
         - podSelector:
             matchLabels:
-              application: fluentd-exporter
-        - podSelector:
-            matchLabels:
-              application: fluentd
+              application: ingress
         ports:
         - protocol: TCP
           port: 9093
+        - protocol: TCP
+          port: 9090
         - protocol: TCP
           port: 6783
         - protocol: TCP
           port: 9108
         - protocol: TCP
           port: 80
+        - protocol: TCP
+          port: 443
 EOF
 
 #NOTE: Deploy command
@@ -67,4 +68,4 @@ helm upgrade --install prometheus ./prometheus \
 ./tools/deployment/common/wait-for-pods.sh osh-infra
 
 #NOTE: Validate Deployment info
-helm status prometheus
+helm status prometheus
\ No newline at end of file
diff --git a/tools/deployment/network-policy/901-test-networkpolicy.sh b/tools/deployment/network-policy/901-test-networkpolicy.sh
index fcfa15b80..a6cc20618 100755
--- a/tools/deployment/network-policy/901-test-networkpolicy.sh
+++ b/tools/deployment/network-policy/901-test-networkpolicy.sh
@@ -48,10 +48,11 @@ function test_netpol {
     fi
   fi
 }
+
 # Doing negative tests
 test_netpol osh-infra mariadb server elasticsearch.osh-infra.svc.cluster.local fail
 test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail
 test_netpol osh-infra mariadb server prometheus.osh-infra.svc.cluster.local fail
 
 # Doing positive tests
-test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success
+test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success
\ No newline at end of file