Add network policies

[nsklikas]

Apply network policies to deny ingress traffic to the Kratos APIs when it isn't coming from the traefik ingress.

I had to open all the none Kratos ports as I couldn't figure out exactly what is needed by juju/pebble. (need to change that).

To test these changes you need to:

# Pack the charm
$ charmcraft pack
# Deploy it 
$ juju deploy ./kratos_ubuntu-*-amd64.charm --resource oci-image=$(yq eval '.resources.oci-image.upstream-source' metadata.yaml) --trust
# Deploy other charms needed for the test 
$ juju deploy postgresql-k8s --channel edge --trust
$ juju deploy traefik-k8s traefik-admin

# Create relations
$ juju integrate kratos:admin-ingress traefik-k8s
$ juju integrate kratos postgresql-k8s

# Wait for the charms to go to idle
$ juju status

I am first creating the traefik relation and then the postgres one because I had some trouble with dns issues that where causing the migration to fail. First relating traefik and then postgres assures us that those issues are gone.

You must be able to see the network policy by running:

$ microk8s kubectl get -n {namespace} networkpolicies

To validate the networkpolicies you can juju ssh to a random pod (e.g. postgres and try to reach the kratos admin API):

$ juju ssh postgres/0 bash
$ curl {kratos_app_ip}:4434

This should timeout. To get the kratos app ip simply run juju status.
By doing the same test from the traefik pod, the http request must return.

[gruyaume]

We expect a list of policies so we should probably call the method apply_ingress_policies

[gruyaume]

We should standardise on naming, we use ingress policies and network policies interchangeably.

[gruyaume]

Shouldn't we simply change the status to blocked (or not catch the error and let the charm go to error state)? If something is broken we may not want to be deferring forever

[gruyaume]

Where are the unit tests for this file 👀

[natalian98]

Suggested change

	"""Applying the network policies failed."""
	"""Raised when applying the network policies failed."""

[natalian98]

It might be a juju bug, but when I try removing kratos it gets into terminated state with unit lost. When I use --force --no-wait, the charm is removed but in both cases the network policy is not deleted.

[nsklikas]

So I tried testing it a little more and when I test it manually, the policy is removed. I wrote an integration test to validate this and in the test the policy is not removed. This is very weird.

[nsklikas]

As far as I can tell the stop event is never fired, this is most likely a juju bug and not something we can control. Let's leave this as it is for now, it is the best we can do and juju should (hopefully) fix it in a later version.

[natalian98]

Suggested change

	"""Apply an ingress network policy about a related application.
	"""Apply an ingress network policy for a related application.

[natalian98]

Suggested change

	# Copyright 2022 Canonical Ltd.
	# Copyright 2023 Canonical Ltd.

[natalian98]

Should we retry applying the network policy?
Right now if you deploy kratos without trust, it gets into BlockedStatus, but if you trust it then it gets into active without creating the network policy.

[nsklikas]

In case applying the network policies fails we have several options:

1. Log the error and keep the normal operation, if the user wants they can deploy the charm (or re trigger the hook)
2. Go to a blocked state, this would make state management much more complicated
3. Raise an exception
4. Log an error and defer the event until patching succeeds

Since it is not needed for the charm operation and it is not essential for security I think that (1) and (4) make most sense because they allow the charm to run despite any error that might occur and the user can make the decision to stop the charm if they deem it necessary.

If we decide to go with (1) we can also provide an action for applying the network policies to allow the user to retry applying them if something goes wrong. cc @natalian98 @gruyaume