From 792935e2d44e56cdf5f40026a9b262bcd51e9294 Mon Sep 17 00:00:00 2001
From: OZGCloud <ozgcloud@mgm-tp.com>
Date: Thu, 29 Feb 2024 11:12:25 +0100
Subject: [PATCH] OZG-4846 update bayernid network policy

---
 src/main/helm/templates/network_policy.yaml |  5 +++
 src/test/helm/network_policy_test.yaml      | 42 ++++++++++++++++++++-
 2 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/src/main/helm/templates/network_policy.yaml b/src/main/helm/templates/network_policy.yaml
index a8815da78..f79c861df 100644
--- a/src/main/helm/templates/network_policy.yaml
+++ b/src/main/helm/templates/network_policy.yaml
@@ -73,13 +73,18 @@ spec:
     ports:
       - port: 9000
         protocol: TCP
+{{- if ((.Values.ozgcloud).bayernid).enabled }}
   - to:
     - podSelector: 
         matchLabels:
           component: bayernid-proxy
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: {{ required "ozgcloud.bayernid.proxy.namespace must be set if bayernid is enabled" (((.Values.ozgcloud).bayernid).proxy).namespace }}
     ports:
       - port: 9090
         protocol: TCP 
+{{- end }}
   - to:
     - namespaceSelector:
         matchLabels:
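Review bot: The namespace inserted at `kubernetes.io/metadata.name:` is emitted as a plain scalar, so a value that YAML types implicitly (all digits, `no`, `on`) could be parsed as a number or boolean when the rendered manifest is loaded and then fail API validation; piping it through quote avoids that: `kubernetes.io/metadata.name: {{ required "ozgcloud.bayernid.proxy.namespace must be set if bayernid is enabled" (((.Values.ozgcloud).bayernid).proxy).namespace | quote }}`. The existing podSelector and the added namespaceSelector sit in the same `to` entry, so they are ANDed and egress is limited to bayernid-proxy pods in that single namespace, which is the intended tightening; keep them in one list item, since splitting them into two items would OR the selectors and widen the rule. The enclosing egress list continues outside the hunk.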
diff --git a/src/test/helm/network_policy_test.yaml b/src/test/helm/network_policy_test.yaml
index 328040739..8328e0e7a 100644
--- a/src/test/helm/network_policy_test.yaml
+++ b/src/test/helm/network_policy_test.yaml
@@ -177,10 +177,15 @@ tests:
                 - port: 5353
                   protocol: TCP
 
-  - it: should add egress rule to nachrichten-bayernid-proxy
+  - it: should add egress rule to nachrichten-bayernid-proxy if bayernid is enabled
     set:
       networkPolicy:
         dnsServerNamespace: test-dns-namespace
+      ozgcloud:
+        bayernid:
+          enabled: true
+          proxy:
+            namespace: bayernidProxyNamespace
     asserts:
       - contains:
           path: spec.egress
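Review bot: `namespace: bayernidProxyNamespace` is not a valid Kubernetes namespace name (DNS-1123 labels are lowercase letters, digits and hyphens), so the fixture does not resemble a value the chart will actually receive; the same value is echoed in the expected output of the next hunk. A realistic fixture such as `namespace: bayernid-proxy-namespace` would keep the test honest without changing what it asserts. The `set` block belongs to a test case whose `asserts` continue in the next hunk.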
@@ -188,10 +193,43 @@ tests:
             to:
             - podSelector: 
                 matchLabels:
-                  component: nachrichten-bayernid-proxy
+                  component: bayernid-proxy
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: bayernidProxyNamespace
+            ports:
+            - port: 9090
+              protocol: TCP 
+
+  - it: should not add egress rule to bayernid-proxy if bayernid is disabled
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
+      ozgcloud:
+        bayernid:
+          enabled: false
+    asserts:
+      - notContains:
+          path: spec.egress
+          content:
+            to:
+            - podSelector: 
+                matchLabels:
+                  component: bayernid-proxy
             ports:
             - port: 9090
               protocol: TCP 
+  
+  - it: should throw error if bayernid-proxy is enabled but bayernid namespace is not set
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
+      ozgcloud:
+        bayernid:
+          enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: ozgcloud.bayernid.proxy.namespace must be set if bayernid is enabled
 
   - it: add ingress rule by values
     set:
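Review bot: The `notContains` assertion in the disabled case cannot fail: when bayernid is enabled the rendered rule also carries the namespaceSelector, so the exact content listed here (podSelector plus ports only) is not rendered in either state and the test passes regardless of the template. Assert on something present only when enabled, for example a partial match on the `component: bayernid-proxy` label with `any: true` if this helm-unittest version supports it for notContains, or on the number of egress rules. Several added lines carry trailing whitespace (the `protocol: TCP ` under port 9090, the `- podSelector: ` in the disabled-case assertion, and the whitespace-only blank line before the third test), which yamllint flags; trim them. The `tests` list continues outside the hunk.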
-- 
GitLab