From 18e7597483dc0de2ea0ba8b0240544a532524e71 Mon Sep 17 00:00:00 2001
From: OZGCloud <ozgcloud@mgm-tp.com>
Date: Tue, 25 Jun 2024 15:12:48 +0200
Subject: [PATCH] OZG-5653 update netpol for zufi and add unittests
---
 src/main/helm/templates/network_policy.yaml | 7 ++-
 src/test/helm/network_policy_test.yaml | 68 +++++++++++++++------
 2 files changed, 54 insertions(+), 21 deletions(-)
diff --git a/src/main/helm/templates/network_policy.yaml b/src/main/helm/templates/network_policy.yaml
index c1b0e20d4..e71661fe1 100644
--- a/src/main/helm/templates/network_policy.yaml
+++ b/src/main/helm/templates/network_policy.yaml
@@ -110,14 +110,17 @@ spec:
 matchLabels:
 component: info-manager
 {{- end }}
-{{- if ((.Values.ozgcloud).zufi).enabled }}
+{{- if (.Values.zufiManager).enabled }}
 - to:
 - namespaceSelector:
 matchLabels:
- kubernetes.io/metadata.name: {{ required "ozgcloud.zufi.namespace must be set if zufi is enabled" ((.Values.ozgcloud).zufi).namespace }}
+ kubernetes.io/metadata.name: {{ required "zufiManager.namespace must be set if zufiManager server is enabled" (.Values.zufiManager).namespace }}
 podSelector:
 matchLabels:
 component: zufi-server
+ ports:
+ - port: 9190
+ protocol: TCP
 {{- end }}
 - to:
 - namespaceSelector:
diff --git a/src/test/helm/network_policy_test.yaml b/src/test/helm/network_policy_test.yaml
index e601e5f02..5394332e6 100644
--- a/src/test/helm/network_policy_test.yaml
+++ b/src/test/helm/network_policy_test.yaml
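Review bot: In src/main/helm/templates/network_policy.yaml the namespace is still rendered as a bare scalar after `kubernetes.io/metadata.name:`, so an all-digit or boolean-looking namespace value would be typed by YAML as a non-string and the label selector would likely be rejected; piping the value through quote, `{{ required "zufiManager.namespace must be set if zufiManager server is enabled" (.Values.zufiManager).namespace | quote }}`, avoids that. The guard also moved from `ozgcloud.zufi` to `zufiManager` with no fallback, so a values file that still sets only the old key would render no zufi egress rule and raise no error. That fails closed, since egress here is an allowlist, but it looks like a silent connectivity break that deserves a `fail` check on the old key or an upgrade note. Restricting the rule to TCP 9190 is a sensible narrowing; a comment above `ports:` such as `# zufi-server service port, keep in sync with the zufi chart` would record where the number comes from. The enclosing `spec.egress` list starts and ends outside this hunk.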
@@ -264,38 +264,68 @@ tests: - it: should add egress rule to zufi server if zufi is enabled set: - ozgcloud: - zufi: - enabled: true - namespace: zufi + zufiManager: + enabled: true + namespace: zufi asserts: - contains: path: spec.egress content: to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: zufi - podSelector: - matchLabels: - component: zufi-server + - podSelector: + matchLabels: + component: zufi-server + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: zufi + ports: + - port: 9190 + protocol: TCP + - it: should not add egress rule to zufi server if zufi is disabled set: - ozgcloud: - zufi: - enabled: false + zufiManager: + enabled: false asserts: - notContains: path: spec.egress content: to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: zufi - podSelector: - matchLabels: - component: zufi-server + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: zufi + podSelector: + matchLabels: + component: zufi-server + ports: + - port: 9190 + protocol: TCP + - it: should throw error if zufi is enabled but zufi namespace is not set + set: + zufiManager: + enabled: true + namespace: + asserts: + - failedTemplate: + errorMessage: zufiManager.namespace must be set if zufiManager server is enabled + + - it: should not enable zufi netpol by default + asserts: + - notContains: + path: spec.egress + content: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: zufi + podSelector: + matchLabels: + component: zufi-server + ports: + - port: 9190 + protocol: TCP + - it: should add egress rule to dns service -- GitLab
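Review bot: The two negative cases ("should not add egress rule to zufi server if zufi is disabled" and "should not enable zufi netpol by default") assert `notContains` on a rule carrying `kubernetes.io/metadata.name: zufi`, but neither sets `zufiManager.namespace`, so that exact content could not be rendered in those configurations whether or not the `if` guard works. As written they appear to rely on `required` failing the render if the guard ever regressed. Adding `namespace: zufi` under `zufiManager:` in the disabled case, and setting only `zufiManager.namespace: zufi` in the default case, would make the assertions exercise the guard directly. In the error case the bare `namespace:` is a YAML null; `namespace: ""` or leaving the key out states the intent more plainly. The `tests:` list continues outside this hunk.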