ROX 23555: Remove egress-proxy

[ebensh]

Description

Removes the egress-proxy, as it has been replaced by NetworkPolicies.

Checklist (Definition of Done)

• Unit and integration tests added
• Added test description under Test manual
• Documentation added if necessary (i.e. changes to dev setup, test execution, ...)
• CI and all relevant tests are passing
• Add the ticket number to the PR title if available, i.e. ROX-12345: ...
• Discussed security and business related topics privately. Will move any security and business related topics that arise to private communication channel.
• Add secret to app-interface Vault or Secrets Manager if necessary
• RDS changes were e2e tested manually
• Check AWS limits are reasonable for changes provisioning new resources
• (If applicable) Changes to the dp-terraform Helm values have been reflected in the addon on integration environment

Test manual

TODO: Add manual testing efforts

# To run tests locally run:
make db/teardown db/setup db/migrate
make ocm/setup
make verify lint binary test test/integration

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[vladbologa]

According to https://issues.redhat.com/browse/ROX-13199 the egress-proxy will not be removed from existing tenants. We should check that this is really the case.

Don't want to block this PR. The egress-proxy deployments will not be removed for existing tenants, but they will not be used anymore. We could also remove them with a script if it's too much effort to fix ROX-13199.

[vladbologa]

Had to change this from Service to NetworkPolicy because the tenant resource garbage collection mechanism no longer manages objects of type Service (see the change to zzz_managed_resources.go

[ebensh]

I don't think this will be a problem, but we do need to be careful - this isn't conditional on setting the secureTenantNetwork flag. If we disabled that flag, and this resource exists, all network traffic will be blocked for all tenants.

Can we use a non-NetworkPolicy resource? A ConfigMap or Secret?

[vladbologa]

I'm not sure if you noticed that this is a dummy file used in tests only.

Due to the way tenant resource deletion works, we can only use types that are mentioned in zzz_managed_resources.go. The types in that file are auto-generated by parsing everything in fleetshard/pkg/central/charts/data/tenant-resources.

These types currently are VerticalPodAutoscaler and NetworkPolicy. If you use any other type, the objects will not get deleted and some tests will fail (e.g. TestChartResourcesAreAddedAndRemoved).

The tests themselves are not conditional on secureTenantNetwork. But if we will no longer have NetworkPolicies deployed as tenant resources, this dummy file will need to be fixed, and dependent tests too.

[ebensh]

Will deleting this remove the ENV flag and break if we try to set it? Or will the unknown flag be silently ignored?

[vladbologa]

I think the order in which these are loaded is in reverse.

.Values.fleetshardSync.egressProxy.image in the fleetshard-sync template creates the env var. The value in the env var is then loaded here.

They were both removed, but the helm value is still set (for now) in the gitops config. I think helm will silently ignore that value.

[ebensh]

ACK; sounds good.

[ebensh]

I don't think this will be a problem, but we do need to be careful - this isn't conditional on setting the secureTenantNetwork flag. If we disabled that flag, and this resource exists, all network traffic will be blocked for all tenants.

Can we use a non-NetworkPolicy resource? A ConfigMap or Secret?

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ebensh, mclasmeier

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ebensh,mclasmeier]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment