OZG-4846 update bayernid network policy

792935e2 · OZGCloud · 2ed52020 · 792935e2 · 792935e2
Commit 792935e2 authored 1 year ago by OZGCloud
--- a/src/main/helm/templates/network_policy.yaml
+++ b/src/main/helm/templates/network_policy.yaml
@@ -73,13 +73,18 @@ spec:
    ports:
      - port: 9000
        protocol: TCP
+{{- if ((.Values.ozgcloud).bayernid).enabled }}
  - to:
    - podSelector: 
        matchLabels:
          component: bayernid-proxy
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: {{ required "ozgcloud.bayernid.proxy.namespace must be set if bayernid is enabled" (((.Values.ozgcloud).bayernid).proxy).namespace }}
    ports:
      - port: 9090
        protocol: TCP 
+{{- end }}
  - to:
    - namespaceSelector:
        matchLabels:

--- a/src/test/helm/network_policy_test.yaml
+++ b/src/test/helm/network_policy_test.yaml
@@ -177,10 +177,15 @@ tests:
                - port: 5353
                  protocol: TCP

-  - it: should add egress rule to nachrichten-bayernid-proxy
+  - it: should add egress rule to nachrichten-bayernid-proxy if bayernid is enabled
    set:
      networkPolicy:
        dnsServerNamespace: test-dns-namespace
+      ozgcloud:
+        bayernid:
+          enabled: true
+          proxy:
+            namespace: bayernidProxyNamespace
    asserts:
      - contains:
          path: spec.egress
@@ -188,11 +193,44 @@ tests:
            to:
            - podSelector: 
                matchLabels:
-                  component: nachrichten-bayernid-proxy
+                  component: bayernid-proxy
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: bayernidProxyNamespace
+            ports:
+            - port: 9090
+              protocol: TCP 
+
+  - it: should not add egress rule to bayernid-proxy if bayernid is disabled
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
+      ozgcloud:
+        bayernid:
+          enabled: false
+    asserts:
+      - notContains:
+          path: spec.egress
+          content:
+            to:
+            - podSelector: 
+                matchLabels:
+                  component: bayernid-proxy
            ports:
            - port: 9090
              protocol: TCP 
  
+  - it: should throw error if bayernid-proxy is enabled but bayernid namespace is not set
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
+      ozgcloud:
+        bayernid:
+          enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: ozgcloud.bayernid.proxy.namespace must be set if bayernid is enabled
+
  - it: add ingress rule by values
    set:
      networkPolicy: