Merge pull request 'OZG-6444: Enable egress to zufi, if feature is enabled'...

Merge pull request 'OZG-6444: Enable egress to zufi, if feature is enabled' (#727) from OZG-6444-policies-for-zufi into master

Reviewed-on: https://git.ozg-sh.de/ozgcloud-app/alfa/pulls/727


Reviewed-by: OZGCloud <ozgcloud@mgm-tp.com>

alfa-client/apps/admin/src/test/helm/deployment_env_test.yaml

@@ -73,3 +73,4 @@ tests:
           content:
             name: my_test_environment_name
             value: "A test value"
+

src/main/helm/templates/deployment.yaml

@@ -109,6 +109,10 @@ spec:
           value: {{ ((.Values.ozgcloud).xdomea).behoerdenschluesselUri}}
         - name: ozgcloud_xdomea_behoerdenschluesselVersion
           value: {{ ((.Values.ozgcloud).xdomea).behoerdenschluesselVersion | quote }}
+        {{- if ((.Values.ozgcloud).feature).collaborationEnabled }}
+        - name: ozgcloud_feature_collaborationEnabled
+          value: {{ ((.Values.ozgcloud).feature).collaborationEnabled | quote }}
+        {{- end }}
 
         image: "{{ .Values.image.repo }}/{{ .Values.image.name }}:{{ coalesce (.Values.image).tag "latest" }}"
         imagePullPolicy: Always

src/main/helm/templates/network_policy.yaml

@@ -21,6 +21,18 @@ spec:
 {{ toYaml . | indent 2 }}
 {{- end }}
   egress:
+{{- if ((.Values.ozgcloud).feature).collaborationEnabled }}
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: {{ required "zufiManager.namespace must be set if zufiManager server is enabled" (.Values.zufiManager).namespace }}
+      podSelector: 
+        matchLabels:
+          component: zufi-server
+    ports:
+      - port: 9090
+        protocol: TCP
+{{- end }}
   - to:
     - podSelector: 
         matchLabels:

src/test/helm/deployment_collaboration_env_test.yaml

+suite: deployment collaboration env
+release:
+  name: alfa
+  namespace: sh-helm-test
+templates:
+  - templates/deployment.yaml
+set:
+  baseUrl: test.company.local
+  ozgcloud:
+    environment: test
+    bundesland: sh
+    bezeichner: helm
+  sso:
+    serverUrl: https://sso.company.local
+  imagePullSecret: image-pull-secret
+tests:
+  - it: should enable collaboration
+    set:
+      ozgcloud:
+        feature:
+          collaborationEnabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ozgcloud_feature_collaborationEnabled
+            value: "true"
+  - it: should not enable collaboration
+    set:
+      ozgcloud:
+        feature:
+          collaborationEnabled: false
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ozgcloud_feature_collaborationEnabled
+          any: true
\ No newline at end of file

src/test/helm/network_policy_test.yaml

@@ -224,3 +224,39 @@ tests:
     asserts:
       - hasDocuments:
           count: 1
+
+  - it: should set egress for zufi if configured
+    set:
+      networkPolicy:
+        ssoPublicIp: 1.1.1.1
+        dnsServerNamespace: test-dns-server-namespace
+      ozgcloud:
+        feature:
+          collaborationEnabled: true
+      zufiManager:
+        namespace: by-zufi-dev
+    asserts:
+      - contains:
+          path: spec.egress
+          content:
+            to:
+              - podSelector:
+                  matchLabels:
+                    component: zufi-server
+                namespaceSelector:
+                  matchLabels:
+                    kubernetes.io/metadata.name: by-zufi-dev
+            ports:
+              - port: 9090
+                protocol: TCP
+  - it: should fail to set egress for zufi if namespace is missing
+    set:
+      networkPolicy:
+        ssoPublicIp: 1.1.1.1
+        dnsServerNamespace: test-dns-server-namespace
+      ozgcloud:
+        feature:
+          collaborationEnabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: zufiManager.namespace must be set if zufiManager server is enabled
\ No newline at end of file