diff --git a/src/main/helm/templates/network_policy.yaml b/src/main/helm/templates/network_policy.yaml index 81aa55fc1cfaa8fa41c7af3a5af875659a388a8e..b8750949572c54207885c21dc488aca7fb0b7b58 100644 --- a/src/main/helm/templates/network_policy.yaml +++ b/src/main/helm/templates/network_policy.yaml @@ -152,6 +152,18 @@ spec: ports: - port: 9090 protocol: TCP +{{- end }} +{{- if ((.Values.ozgcloud).muk).enabled }} + - to: + - podSelector: + matchLabels: + app.kubernetes.io/name: {{ (((.Values.ozgcloud).muk).elsterTransfer).name }} + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ required "ozgcloud.muk.elsterTransfer.namespace must be set if muk is enabled" (((.Values.ozgcloud).muk).elsterTransfer).namespace }} + ports: + - protocol: TCP + port: 8081 {{- end }} - to: - namespaceSelector: diff --git a/src/main/helm/values.yaml b/src/main/helm/values.yaml index 593494119835552285fd6e4dd2f957e775ec5d8a..a9130a41e6164e82f5f94df7a3a64e2ffb5dc65d 100644 --- a/src/main/helm/values.yaml +++ b/src/main/helm/values.yaml @@ -64,5 +64,10 @@ networkPolicy: zentralerEingangNamespace: zentraler-eingang ozgcloud: + muk: + enabled: false + elsterTransfer: + name: elster-transfer + namespace: aggregationManager: - enabled: false \ No newline at end of file + enabled: false diff --git a/src/test/helm/network_policy_test.yaml b/src/test/helm/network_policy_test.yaml index 9dd6c548bddab9a9874c912b109b624a171d3c95..17c7a47611643bec68e2d54f90ccfbc74b4954be 100644 --- a/src/test/helm/network_policy_test.yaml +++ b/src/test/helm/network_policy_test.yaml 
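Review bot: In the added egress rule, `elsterTransfer.name` and `elsterTransfer.namespace` are interpolated into `matchLabels` unquoted, and only the namespace goes through `required`. An override that blanks `name` renders `app.kubernetes.io/name:` with no value, and a value such as `true` or an all-digit string would be typed as a non-string by the YAML parser, so the policy would likely be rejected at apply time or stop selecting the intended pods. I would validate and quote the name, `app.kubernetes.io/name: {{ required "ozgcloud.muk.elsterTransfer.name must be set if muk is enabled" (((.Values.ozgcloud).muk).elsterTransfer).name | quote }}`, and append `| quote` to the namespace expression as well. The egress list this rule belongs to starts outside the hunk.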
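Review bot: The new default `namespace:` under `ozgcloud.muk.elsterTransfer` is a bare empty value, and nothing in values.yaml tells the operator that rendering fails without it once `muk.enabled` is true. A comment above the key would cover it, for example `# required when ozgcloud.muk.enabled is true: namespace the elster-transfer pods run in`. Writing the default as `namespace: ""` would also make the emptiness explicit rather than an implicit null.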
@@ -651,6 +651,87 @@ tests:
 - hasDocuments:
 count: 1
+ - it: should require elster transfer namespace if muk is enabled
+ set:
+ networkPolicy:
+ dnsServerNamespace: test-dns-namespace
+ ozgcloud:
+ muk:
+ enabled: true
+ asserts:
+ - failedTemplate:
+ errorMessage: ozgcloud.muk.elsterTransfer.namespace must be set if muk is enabled
+
+ - it: should add egress rule to elster transfer if muk is enabled
+ set:
+ networkPolicy:
+ dnsServerNamespace: test-dns-namespace
+ ozgcloud:
+ muk:
+ enabled: true
+ elsterTransfer:
+ namespace: elster-transfer
+ asserts:
+ - contains:
+ path: spec.egress
+ content:
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: elster-transfer
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: elster-transfer
+ ports:
+ - port: 8081
+ protocol: TCP
+
+ - it: should set elster transfer name
+ set:
+ networkPolicy:
+ dnsServerNamespace: test-dns-namespace
+ ozgcloud:
+ muk:
+ enabled: true
+ elsterTransfer:
+ namespace: elster-transfer
+ name: elster-transfer-test
+ asserts:
+ - contains:
+ path: spec.egress
+ content:
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: elster-transfer-test
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: elster-transfer
+ ports:
+ - port: 8081
+ protocol: TCP
+
+ - it: should not add egress rule for elster-transfer if muk is disabled
+ set:
+ networkPolicy:
+ dnsServerNamespace: test-dns-namespace
+ ozgcloud:
+ muk:
+ enabled: false
+ elsterTransfer:
+ namespace: elster-transfer
+ asserts:
+ - notContains:
+ path: spec.egress
+ content:
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: elster-transfer
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: elster-transfer
+ any: true
 - it: should add ingress rule for aggregation-manager
 set:
 networkPolicy:
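Review bot: In `should add egress rule to elster transfer if muk is enabled` and in the disabled case, the namespace is set to `elster-transfer`, the same literal as the default pod name, so those assertions cannot tell which value ended up in `podSelector` and which in `namespaceSelector`. Only `should set elster transfer name` separates the two. Giving the namespace a distinct value in these cases, e.g. `namespace: elster-transfer-ns` (constructed sample) with the matching `kubernetes.io/metadata.name` expectation, would let each test catch a swapped or conflated selector on its own.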