From 4a5bcbf12e501552b3d2956b33935326897c0d68 Mon Sep 17 00:00:00 2001
From: OZGCloud <ozgcloud@mgm-tp.com>
Date: Fri, 13 Sep 2024 11:29:57 +0200
Subject: [PATCH] OZG-6708 add antragsraum-proxy to netpol

---
 src/main/helm/templates/network_policy.yaml |  7 +++
 src/test/helm/network_policy_test.yaml      | 53 +++++++++++++++++++++
 2 files changed, 60 insertions(+)

diff --git a/src/main/helm/templates/network_policy.yaml b/src/main/helm/templates/network_policy.yaml
index 3808e4bb7..cb275e46a 100644
--- a/src/main/helm/templates/network_policy.yaml
+++ b/src/main/helm/templates/network_policy.yaml
@@ -63,6 +63,13 @@ spec:
       podSelector: 
         matchLabels:
           component: antragsraum-server
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: {{ required "ozgcloud.antragraum.antragsraumProxyNamespace must be set if antragraum is enabled" ((.Values.ozgcloud).antragraum).antragsraumProxyNamespace }}
+      podSelector: 
+        matchLabels:
+          component: antragsraum-proxy
 {{- end }}
 
   - from:
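Review bot: The new ingress rule for `component: antragsraum-proxy` ends right before `{{- end }}` without a `ports` list, so it admits traffic from those pods on every port of the pods this policy selects. If the proxy only needs a single service port, add a `ports:` entry to the rule so the allowance is limited to that port. The rendered namespace value is also unquoted. Piping the `required` expression through `| quote` would keep a numeric or boolean-looking namespace name from being parsed as a non-string label value. The enclosing `if` block and the policy's `podSelector` begin outside this hunk, so the set of target pods cannot be confirmed from here.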
diff --git a/src/test/helm/network_policy_test.yaml b/src/test/helm/network_policy_test.yaml
index d96ceb8d5..1fcaf1738 100644
--- a/src/test/helm/network_policy_test.yaml
+++ b/src/test/helm/network_policy_test.yaml
@@ -149,6 +149,7 @@ tests:
         antragraum:
           enabled: true
           namespace: antragraum02
+          antragsraumProxyNamespace: antragraum-proxy
     asserts:
     - contains:
         path: spec.ingress
@@ -160,6 +161,26 @@ tests:
               podSelector: 
                 matchLabels:
                   component: antragsraum-server
+  - it: should add ingress rule for antragraum-proxy if antragraum is enabled
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
+      ozgcloud:
+        antragraum:
+          enabled: true
+          namespace: antragraum-proxy
+          antragsraumProxyNamespace: antragraum-proxy
+    asserts:
+    - contains:
+        path: spec.ingress
+        content:
+          from:
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: antragraum-proxy
+              podSelector: 
+                matchLabels:
+                  component: antragsraum-proxy
 
 
   - it: should not add ingress rule for antragraum if antragraum is disabled
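Review bot: The new positive test sets both `namespace` and `antragsraumProxyNamespace` to `antragraum-proxy`, so it would still pass if the template filled the proxy rule's `namespaceSelector` from `ozgcloud.antragraum.namespace` by mistake. Use distinct values, for example `namespace: antragraum02` as in the neighbouring test, and keep `antragsraumProxyNamespace: antragraum-proxy`. The assertion then pins which value feeds the selector that opens ingress.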
@@ -181,6 +202,25 @@ tests:
                 matchLabels:
                   component: antragraum-server
 
+  - it: should not add ingress rule for antragraum-proxy if antragraum is disabled
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
+      ozgcloud:
+        antragraum:
+          enabled: false
+    asserts:
+    - notContains:
+        path: spec.ingress
+        content:
+          from:
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: antragraum-proxy
+              podSelector: 
+                matchLabels:
+                  component: antragraum-proxy
+
   - it: should throw error if antragraum is enabled but antragraum namespace is not set
     set:
       networkPolicy:
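Review bot: The `notContains` content in the new disabled-case test uses `component: antragraum-proxy`, while the template renders `component: antragsraum-proxy`. The assertion can therefore never match, and the test would pass even if the proxy ingress rule were emitted with antragraum disabled. Change the label to `component: antragsraum-proxy` so that a regression which opens this ingress path is caught. The context line above (`component: antragraum-server`) appears to have the same spelling mismatch in the existing server test and is worth fixing alongside.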
@@ -188,9 +228,21 @@ tests:
       ozgcloud:
         antragraum:
           enabled: true
+          antragsraumProxyNamespace: antragraum-proxy
     asserts:
       - failedTemplate:
           errorMessage: ozgcloud.antragraum.namespace must be set if antragraum is enabled
+  - it: should throw error if antragraum is enabled but antragsraumProxyNamespace is not set
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
+      ozgcloud:
+        antragraum:
+          enabled: true
+          namespace: antragraum2
+    asserts:
+      - failedTemplate:
+          errorMessage: ozgcloud.antragraum.antragsraumProxyNamespace must be set if antragraum is enabled
 
   - it: should add default ingress rule for zentraler-eingang
     set:
@@ -356,6 +408,7 @@ tests:
         antragraum:
           enabled: true
           namespace: antragraum02
+          antragsraumProxyNamespace: antragraum-proxy
     asserts:
       - contains:
           path: spec.egress
-- 
GitLab