From 779f715f8e9578c9f7a901f1ec686a5b05b383b0 Mon Sep 17 00:00:00 2001
From: OZGCloud <ozgcloud@mgm-tp.com>
Date: Wed, 28 Aug 2024 14:47:55 +0200
Subject: [PATCH] OZG-6254 OZG-6484 pvog routing add network policy

---
 src/main/helm/templates/network_policy.yaml   | 11 ++++
 src/test/helm/network_policy_test.yaml        | 52 ++++++++++++++++++-
 .../main/helm/templates/network_policy.yaml   | 11 ++++
 .../src/test/helm/network_policy_test.yaml    | 51 +++++++++++++++++-
 4 files changed, 123 insertions(+), 2 deletions(-)

diff --git a/src/main/helm/templates/network_policy.yaml b/src/main/helm/templates/network_policy.yaml
index 2d70106bb..7c5dc5eca 100644
--- a/src/main/helm/templates/network_policy.yaml
+++ b/src/main/helm/templates/network_policy.yaml
@@ -59,4 +59,15 @@ spec:
         protocol: UDP
       - port: 5353
         protocol: TCP
+
+{{- if eq (.Values.routing).routingStrategy "ZUFI" }}
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: {{ required "routing.zufiManager.namespace must be set if antragraum is enabled" ((.Values.routing).zufiManager).namespace }}
+      podSelector: 
+        matchLabels:
+          component: zufi-server
+{{- end }}
+
 {{- end }} 
\ No newline at end of file
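Review bot: The new egress rule under `{{- if eq (.Values.routing).routingStrategy "ZUFI" }}` opens every port towards the `component: zufi-server` pods, because unlike the neighbouring rules (`- port: 5353` / `protocol: TCP`) it carries no `ports:` entry; adding `ports:` / `- port: <ZUFI_SERVER_PORT>` / `protocol: TCP` (placeholder for the port the zufi-server actually listens on) keeps the policy at least privilege. The `required` message says "if antragraum is enabled" while the guard checks `routingStrategy "ZUFI"`, so a misconfigured chart reports the wrong condition; `{{ required "routing.zufiManager.namespace must be set if routing.routingStrategy is ZUFI" ((.Values.routing).zufiManager).namespace }}` matches the guard, and the `errorMessage` assertions in both test files must then follow. Rendering the namespace through `| quote` prevents a namespace name that YAML would retype (all digits, `NO`, `on`) from changing type, and `podSelector: ` carries trailing whitespace. The same rule with the same points is added in the xta-adapter template hunk of this patch. The `{{- end }}` at the end of the hunk closes a block that starts outside it.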
diff --git a/src/test/helm/network_policy_test.yaml b/src/test/helm/network_policy_test.yaml
index ab74074fa..0e4ad5002 100644
--- a/src/test/helm/network_policy_test.yaml
+++ b/src/test/helm/network_policy_test.yaml
@@ -123,4 +123,54 @@ tests:
         dnsServerNamespace: test-dns-server-namespace
     asserts:
       - hasDocuments:
-          count: 1
\ No newline at end of file
+          count: 1
+
+
+  - it: should add zufi rule when zufi-routing is enabled
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-server-namespace
+      routing:
+        routingStrategy: ZUFI
+        zufiManager: 
+          namespace: zufi-namespace
+    asserts:
+    - contains:
+        path: spec.egress
+        content:
+          to:
+          - namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: zufi-namespace
+            podSelector: 
+              matchLabels:
+                component: zufi-server
+
+  - it: should throw error when zufi is enabled but zufi namespace not set
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-server-namespace
+      routing:
+        routingStrategy: ZUFI
+    asserts:
+    - failedTemplate:
+        errorMessage: routing.zufiManager.namespace must be set if antragraum is enabled
+
+  - it: should not add zufi rule when zufi-routing is disabled
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-server-namespace
+      routing:
+        zufiManager: 
+          namespace: zufi-namespace
+    asserts:
+    - notContains:
+        path: spec.egress
+        content:
+          to:
+          - namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: zufi-namespace
+            podSelector: 
+              matchLabels:
+                component: zufi-server
\ No newline at end of file
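Review bot: The three new cases indent their `asserts:` sequence flush (`    - contains:`) while the existing case above uses an indented sequence (`      - hasDocuments:`), so the file now mixes both block-sequence styles; pick the existing indented form for the new items. `zufiManager: ` and `podSelector: ` have trailing whitespace after the colon in the `set:` and `content:` mappings. The "disabled" case only exercises an unset `routingStrategy`; a further case setting `routingStrategy` to a value other than `ZUFI` (constructed, e.g. `routingStrategy: OTHER`) would pin that the `eq` guard, not mere presence of the key, controls the rule. The same three points apply to the xta-adapter test hunk of this patch.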
diff --git a/xta-adapter/src/main/helm/templates/network_policy.yaml b/xta-adapter/src/main/helm/templates/network_policy.yaml
index b65e30f07..90ef9b2c4 100644
--- a/xta-adapter/src/main/helm/templates/network_policy.yaml
+++ b/xta-adapter/src/main/helm/templates/network_policy.yaml
@@ -66,6 +66,17 @@ spec:
         protocol: TCP
       - port: 9000
         protocol: TCP
+
+{{- if eq (.Values.routing).routingStrategy "ZUFI" }}
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: {{ required "routing.zufiManager.namespace must be set if antragraum is enabled" ((.Values.routing).zufiManager).namespace }}
+      podSelector: 
+        matchLabels:
+          component: zufi-server
+{{- end }}
+
 {{- with (.Values.networkPolicy).additionalEgressConfigLocal }}
 {{ toYaml . | indent 2 }}
 {{- end }}
diff --git a/xta-adapter/src/test/helm/network_policy_test.yaml b/xta-adapter/src/test/helm/network_policy_test.yaml
index 74ac28589..304fe58d2 100644
--- a/xta-adapter/src/test/helm/network_policy_test.yaml
+++ b/xta-adapter/src/test/helm/network_policy_test.yaml
@@ -162,4 +162,53 @@ tests:
         dnsServerNamespace: test-dns-server-namespace
     asserts:
       - hasDocuments:
-          count: 1
\ No newline at end of file
+          count: 1
+
+  - it: should add zufi rule when zufi-routing is enabled
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-server-namespace
+      routing:
+        routingStrategy: ZUFI
+        zufiManager: 
+          namespace: zufi-namespace
+    asserts:
+    - contains:
+        path: spec.egress
+        content:
+          to:
+          - namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: zufi-namespace
+            podSelector: 
+              matchLabels:
+                component: zufi-server
+
+  - it: should throw error when zufi is enabled but zufi namespace not set
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-server-namespace
+      routing:
+        routingStrategy: ZUFI
+    asserts:
+    - failedTemplate:
+        errorMessage: routing.zufiManager.namespace must be set if antragraum is enabled
+
+  - it: should not add zufi rule when zufi-routing is disabled
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-server-namespace
+      routing:
+        zufiManager: 
+          namespace: zufi-namespace
+    asserts:
+    - notContains:
+        path: spec.egress
+        content:
+          to:
+          - namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: zufi-namespace
+            podSelector: 
+              matchLabels:
+                component: zufi-server
-- 
GitLab