[virtual-machine] Use external IP for egress traffic for PortList method too (#1349)

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does


### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
[virtual-machine] Use external IP for egress traffic for PortList method too
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **New Features**
- Default network policies for Virtual Machine and VM Instance: ingress
from cluster/world, egress to world, optional port-based ingress when
using a port list.
  - Services now always include whole-IP annotation.
- VM workloads default to blocking external communication via
annotation.
- Tenant network policy now applies only to workloads explicitly labeled
to allow external communication.

- **Chores**
- Version bumps: Tenant 1.13.0, Virtual Machine 0.14.0, VM Instance
0.12.0.
- Updated versions map and added a migration script to advance cluster
component versions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.12.0
+version: 1.13.0

packages/apps/tenant/templates/networkpolicy.yaml

@@ -20,7 +20,11 @@ metadata:
   name: allow-external-communication
   namespace: {{ include "tenant.name" . }}
 spec:
-  endpointSelector: {}
+  endpointSelector:
+    matchExpressions:
+    - key: policy.cozystack.io/allow-external-communication
+      operator: NotIn
+      values: ["false"]
   ingress:
   - fromEntities:
       - world

packages/apps/versions_map

@@ -164,55 +164,15 @@ tcp-balancer 0.4.2 4369b031
 tcp-balancer 0.5.0 08cb7c0f
 tcp-balancer 0.5.1 c02a3818
 tcp-balancer 0.6.0 HEAD
-tenant 1.10.0 4369b031
-tenant 1.11.0 08cb7c0f
-tenant 1.11.1 28c9fcd6
-tenant 1.11.2 c02a3818
-tenant 1.12.0 HEAD
-virtual-machine 0.1.4 f2015d65
-virtual-machine 0.1.5 263e47be
-virtual-machine 0.2.0 c0685f43
-virtual-machine 0.3.0 6c5cf5bf
-virtual-machine 0.4.0 b8e33d19
-virtual-machine 0.5.0 1ec10165
-virtual-machine 0.6.0 4e68e65c
-virtual-machine 0.7.0 e23286a3
-virtual-machine 0.7.1 0ab39f20
-virtual-machine 0.8.0 3fa4dd3a
-virtual-machine 0.8.1 93c46161
-virtual-machine 0.8.2 de19450f
-virtual-machine 0.9.0 721c12a7
-virtual-machine 0.9.1 93bdf411
-virtual-machine 0.10.0 6130f43d
-virtual-machine 0.10.2 632224a3
-virtual-machine 0.11.0 4369b031
-virtual-machine 0.12.0 acd4663a
-virtual-machine 0.12.1 909208ba
-virtual-machine 0.12.2 8ddbe32e
-virtual-machine 0.12.3 c02a3818
-virtual-machine 0.13.0 HEAD
+tenant 1.13.0 HEAD
+virtual-machine 0.14.0 HEAD
 vm-disk 0.1.0 d971f2ff
 vm-disk 0.1.1 6130f43d
 vm-disk 0.1.2 632224a3
 vm-disk 0.2.0 4369b031
 vm-disk 0.3.0 c02a3818
 vm-disk 0.4.0 HEAD
-vm-instance 0.1.0 1ec10165
-vm-instance 0.2.0 84f3ccc0
-vm-instance 0.3.0 4e68e65c
-vm-instance 0.4.0 e23286a3
-vm-instance 0.4.1 0ab39f20
-vm-instance 0.5.0 3fa4dd3a
-vm-instance 0.5.1 de19450f
-vm-instance 0.6.0 721c12a7
-vm-instance 0.7.0 6130f43d
-vm-instance 0.7.2 632224a3
-vm-instance 0.8.0 4369b031
-vm-instance 0.9.0 acd4663a
-vm-instance 0.10.0 909208ba
-vm-instance 0.10.1 8ddbe32e
-vm-instance 0.10.2 c02a3818
-vm-instance 0.11.0 HEAD
+vm-instance 0.12.0 HEAD
 vpn 0.1.0 263e47be
 vpn 0.2.0 53f2365e
 vpn 0.3.0 6c5cf5bf

packages/apps/virtual-machine/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.13.0
+version: 0.14.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.13.0
+appVersion: 0.14.0

packages/apps/virtual-machine/templates/service.yaml

@@ -6,14 +6,12 @@ metadata:
   name: {{ include "virtual-machine.fullname" . }}
   labels:
     {{- include "virtual-machine.labels" . | nindent 4 }}
-  {{- if eq .Values.externalMethod "WholeIP" }}
   annotations:
     networking.cozystack.io/wholeIP: "true"
-  {{- end }}
 spec:
   type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
   externalTrafficPolicy: Local
-    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
+    {{- if ((include "cozy-lib.network.disableLoadBalancerNodePorts" $) | fromYaml) }}
   allocateLoadBalancerNodePorts: false
     {{- end }}
   selector:
@@ -29,3 +27,27 @@ spec:
     {{- end }}
     {{- end }}
 {{- end }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "virtual-machine.fullname" . }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "virtual-machine.selectorLabels" . | nindent 6 }}
+  ingress:
+  - fromEntities:
+      - cluster
+  - fromEntities:
+      - world
+    {{- if eq .Values.externalMethod "PortList" }}
+    toPorts:
+      - ports:
+          {{- range .Values.externalPorts }}
+          - port: {{ quote . }}
+          {{- end }}
+    {{- end }}
+  egress:
+  - toEntities:
+      - world

packages/apps/virtual-machine/templates/vm.yaml

@@ -62,6 +62,7 @@ spec:
   template:
     metadata:
       annotations:
+        policy.cozystack.io/allow-external-communication: "false"
         kubevirt.io/allow-pod-bridge-network-live-migration: "true"
       labels:
         {{- include "virtual-machine.labels" . | nindent 8 }}

packages/apps/vm-instance/Chart.yaml

@@ -17,10 +17,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.11.0
+version: 0.12.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.11.0
+appVersion: 0.12.0

packages/apps/vm-instance/templates/service.yaml

@@ -6,14 +6,12 @@ metadata:
   name: {{ include "virtual-machine.fullname" . }}
   labels:
     {{- include "virtual-machine.labels" . | nindent 4 }}
-  {{- if eq .Values.externalMethod "WholeIP" }}
   annotations:
     networking.cozystack.io/wholeIP: "true"
-  {{- end }}
 spec:
   type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
   externalTrafficPolicy: Local
-    {{- if (include "cozy-lib.network.disableLoadBalancerNodePorts" $ | fromYaml) }}
+    {{- if ((include "cozy-lib.network.disableLoadBalancerNodePorts" $) | fromYaml) }}
   allocateLoadBalancerNodePorts: false
     {{- end }}
   selector:
@@ -29,3 +27,27 @@ spec:
     {{- end }}
     {{- end }}
 {{- end }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "virtual-machine.fullname" . }}
+spec:
+  endpointSelector:
+    matchLabels:
+      {{- include "virtual-machine.selectorLabels" . | nindent 6 }}
+  ingress:
+  - fromEntities:
+      - cluster
+  - fromEntities:
+      - world
+    {{- if eq .Values.externalMethod "PortList" }}
+    toPorts:
+      - ports:
+        {{- range .Values.externalPorts }}
+        - port: {{ quote . }}
+        {{- end }}
+    {{- end }}
+  egress:
+  - toEntities:
+      - world

packages/apps/vm-instance/templates/vm.yaml

@@ -26,6 +26,7 @@ spec:
   template:
     metadata:
       annotations:
+        policy.cozystack.io/allow-external-communication: "false"
         kubevirt.io/allow-pod-bridge-network-live-migration: "true"
       labels:
         {{- include "virtual-machine.labels" . | nindent 8 }}

scripts/migrations/18

@@ -0,0 +1,18 @@
+#!/bin/sh
+# Migration 18 --> 19
+
+# Upgrade tenants.apps to new chart version
+kubectl get tenants.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
+  kubectl patch tenants.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.13.0"}'
+done
+
+# Upgrade virtualmachines.apps to new chart version
+kubectl get virtualmachines.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
+  kubectl patch virtualmachines.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.14.0"}'
+done
+kubectl get vminstances.apps.cozystack.io -A --no-headers --output=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' | while read NAMESPACE NAME; do
+  kubectl patch vminstances.apps.cozystack.io -n "$NAMESPACE" "$NAME" --type merge -p '{"appVersion":"1.12.0"}'
+done
+
+# Write version to cozystack-version config
+kubectl create configmap -n cozy-system cozystack-version --from-literal=version=19 --dry-run=client -o yaml | kubectl apply -f-