From 120a78e921cf0ab8e61c02c58833ea717e2c4f0c Mon Sep 17 00:00:00 2001
From: OZGCloud <ozgcloud@mgm-tp.com>
Date: Thu, 13 Jul 2023 14:48:55 +0200
Subject: [PATCH] OZG-3880 - add network policy
---
 run_helm_test.sh | 7 ++
 .../helm/templates/network_policy_alfa.yaml | 47 +++++++
 src/test/helm/network_policy_alfa_test.yaml | 119 ++++++++++++++++++
 src/test/unit-values.yaml | 4 +
 4 files changed, 177 insertions(+)
 create mode 100755 run_helm_test.sh
 create mode 100644 src/main/helm/templates/network_policy_alfa.yaml
 create mode 100644 src/test/helm/network_policy_alfa_test.yaml
diff --git a/run_helm_test.sh b/run_helm_test.sh
new file mode 100755
index 0000000000..7324e7d118
--- /dev/null
+++ b/run_helm_test.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+helm template ./src/main/helm/ -f src/test/unit-values.yaml
+helm lint -f src/test/unit-values.yaml ./src/main/helm/
+cd src/main/helm && helm unittest --helm3 -f '../../test/helm/*.yaml' -v '../../test/unit-values.yaml' .
\ No newline at end of file
diff --git a/src/main/helm/templates/network_policy_alfa.yaml b/src/main/helm/templates/network_policy_alfa.yaml
new file mode 100644
index 0000000000..2cf22a422e
--- /dev/null
+++ b/src/main/helm/templates/network_policy_alfa.yaml
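Review bot: Every path in the script is relative to the repository root and nothing changes directory first, so `helm template ./src/main/helm/ -f src/test/unit-values.yaml` fails as soon as the script is launched from anywhere else; add `cd "$(dirname "$0")"` directly after `set -e`. The rendered manifests from the `helm template` line go to stdout, where they bury the lint and unittest results that are the point of the run; `helm template ./src/main/helm/ -f src/test/unit-values.yaml > /dev/null` keeps the render check while hiding the output. A one-line header comment, `# Renders, lints and unit-tests the chart against src/test/unit-values.yaml; run from the repo root`, would state the contract, and the file is missing its trailing newline.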
@@ -0,0 +1,47 @@
+{{- if not (.Values.network_policy).disabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: network-policy-alfa
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ component: goofy
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - port: 8080
+ {{- with (.Values.network_policy).additional_ingress_config }}
+ - from:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ component: pluto
+ ports:
+ - port: 9090
+ protocol: TCP
+ # public keycloak ip
+ - to:
+ - ipBlock:
+ cidr: {{ required "Keycloak public IP must be set" (.Values.network_policy).sso_public_ip }}
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ - kube-system
+ ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+{{- end }}
\ No newline at end of file
diff --git a/src/test/helm/network_policy_alfa_test.yaml b/src/test/helm/network_policy_alfa_test.yaml
new file mode 100644
index 0000000000..da664cced0
--- /dev/null
+++ b/src/test/helm/network_policy_alfa_test.yaml
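Review bot: The `{{- with (.Values.network_policy).additional_ingress_config }}` block emits `- from:` as a second, separate entry of `ingress`, and that entry carries no `ports`, so every peer listed in the value reaches the goofy pods on all ports rather than only 8080 — the test file in this commit asserts exactly that two-rule shape. If 8080 is the only port meant to be exposed, give the generated rule its own port list, `- from:` followed by the toYaml line and then `ports:` / `- port: 8080` at the rule's indent, or state in a comment above the block that the value intentionally opens every port. The first ingress rule has `ports` but no `from`, so 8080 accepts traffic from any source, including other namespaces and, through the ingress controller, from outside the cluster; a comment such as `# no 'from': 8080 is deliberately reachable from any source` would record that this is intended rather than an oversight. In the DNS egress rule the `namespaceSelector` states the same kube-system condition twice, once in `matchLabels` and once in `matchExpressions`; one form suffices, and the rule currently permits port 53 to every pod in kube-system, which a `podSelector` on the DNS pods' label would narrow if the cluster labels them consistently. The ipBlock egress to the Keycloak address has no `ports` either, so it allows any port and protocol to that host.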
@@ -0,0 +1,119 @@
+#
+# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+
+suite: network policy alfa test
+release:
+ name: alfa
+ namespace: by-helm-test
+templates:
+ - templates/network_policy_alfa.yaml
+tests:
+ - it: should match apiVersion
+ asserts:
+ - isAPIVersion:
+ of: networking.k8s.io/v1
+ - it: should match kind
+ asserts:
+ - isKind:
+ of: NetworkPolicy
+ - it: validate metadata
+ asserts:
+ - equal:
+ path: metadata
+ value:
+ name: network-policy-alfa
+ namespace: by-helm-test
+ - it: validate spec
+ asserts:
+ - equal:
+ path: spec
+ value:
+ podSelector:
+ matchLabels:
+ component: goofy
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - port: 8080
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ component: pluto
+ ports:
+ - port: 9090
+ protocol: TCP
+ # public keycloak ip
+ - to:
+ - ipBlock:
+ cidr: 51.89.117.53/32
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ - kube-system
+ ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ - it: add ingress rule by values
+ set:
+ network_policy:
+ additional_ingress_config:
+ - podSelector:
+ matchLabels:
+ component: client2
+ asserts:
+ - equal:
+ path: spec.ingress
+ value:
+ - ports:
+ - port: 8080
+ - from:
+ - podSelector:
+ matchLabels:
+ component: client2
+
+ - it: test network policy disabled
+ set:
+ network_policy:
+ disabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: test network policy unset should be disabled
+ set:
+ network_policy:
+ disabled: false
+ asserts:
+ - hasDocuments:
+ count: 1
\ No newline at end of file
diff --git a/src/test/unit-values.yaml b/src/test/unit-values.yaml
index 12b8a49117..23a29bbdbc 100644
--- a/src/test/unit-values.yaml
+++ b/src/test/unit-values.yaml
@@ -42,3 +42,7 @@ baseUrl: test.sh.ozg-cloud.de
 image:
 path: docker.ozg-sh.de/goofy
 tag: snapshot-latest
+
+network_policy:
+ sso_public_ip: 51.89.117.53/32
+ additional_ingress_config:
--
GitLab
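Review bot: The last case, `it: test network policy unset should be disabled`, neither leaves the value unset nor expects the policy to be disabled — it sets `disabled: false` and asserts `count: 1` — so its name contradicts both its setup and its expectation; rename it to `it: should render when disabled is false`. A genuinely unset case would omit `network_policy` from `set:` entirely, and since the template wraps `sso_public_ip` in `required`, such a case presumably only renders while unit-values.yaml still supplies that key, which is worth stating in a comment on the test. The `validate spec` case hard-codes `cidr: 51.89.117.53/32`, which holds only as long as src/test/unit-values.yaml sets the same `sso_public_ip`; a comment on that line, `# must match sso_public_ip in src/test/unit-values.yaml`, makes the coupling visible. The `add ingress rule by values` expectation documents that the extra peer gets a rule without `ports`, i.e. access on every port — if that is not the intended contract, the template rather than the test should change.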
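Review bot: `additional_ingress_config:` with no value is parsed as null, not as an empty list; the template's `{{- with }}` guard tolerates null, but the fixture should state the intended shape, so write `additional_ingress_config: []`. The new `sso_public_ip: 51.89.117.53/32` is duplicated verbatim into the expected spec of the network policy test, so changing it here silently breaks that assertion; a comment on the line, `# mirrored in src/test/helm/network_policy_alfa_test.yaml`, records the dependency. The mapping this hunk extends begins before the hunk.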