Commit 7a60a716 authored by OZGCloud

Merge pull request 'OZG-5653 add networkpolicy for zufi server' (#385) from OZG-5653 into master

parents 2e7d2434 7cb49045
......@@ -109,6 +109,18 @@ spec:
podSelector:
matchLabels:
component: info-manager
{{- end }}
{{- if (.Values.zufiManager).enabled }}
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: {{ required "zufiManager.namespace must be set if zufiManager server is enabled" (.Values.zufiManager).namespace }}
podSelector:
matchLabels:
component: zufi-server
ports:
- port: 9090
protocol: TCP
{{- end }}
- to:
- namespaceSelector:
......
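Review bot: The namespace on the `kubernetes.io/metadata.name` line of the new zufi egress rule is rendered unquoted, so a value such as `123` or `true` would reach the API server as a non-string label value and the policy would be rejected. Piping the result through `quote` keeps it a string: `kubernetes.io/metadata.name: {{ required "zufiManager.namespace must be set if zufiManager server is enabled" (.Values.zufiManager).namespace | quote }}`. The rule appears to keep `namespaceSelector` and `podSelector` in the same `to` entry, though indentation is not visible in this rendering. A short template comment should say they must stay together, because splitting them into two list items would widen the rule to every pod in that namespace plus any `zufi-server`-labelled pod in the local one. The egress list starts above this hunk and continues below it, so the neighbouring rules were not reviewed for the same quoting issue.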
......@@ -27,21 +27,28 @@ release:
namespace: by-helm-test
templates:
- templates/network_policy.yaml
tests:
- it: should match apiVersion
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
tests:
- it: should match apiVersion
asserts:
- isAPIVersion:
of: networking.k8s.io/v1
- it: should match kind
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- isKind:
of: NetworkPolicy
- it: validate metadata
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- equal:
path: metadata
......@@ -50,6 +57,9 @@ tests:
namespace: by-helm-test
- it: should set policy target matchLabel
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- equal:
path: spec.podSelector
......@@ -59,18 +69,27 @@ tests:
- it: should add policyType Egress
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- contains:
path: spec.policyTypes
content: Egress
- it: should add policyType Ingress
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- contains:
path: spec.policyTypes
content: Ingress
- it: should add ingress rule for eingangsmanager and alfa
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- contains:
path: spec.ingress
......@@ -90,6 +109,8 @@ tests:
- it: should add ingress rule for antragraum if antragraum is enabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
antragraum:
enabled: true
......@@ -109,6 +130,8 @@ tests:
- it: should not add ingress rule for antragraum if antragraum is disabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
antragraum:
enabled: false
......@@ -126,6 +149,8 @@ tests:
- it: should throw error if antragraum is enabled but antragraum namespace is not set
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
antragraum:
enabled: true
......@@ -135,6 +160,9 @@ tests:
- it: should add egress rule to elasticsearch
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- contains:
path: spec.egress
......@@ -151,6 +179,9 @@ tests:
protocol: TCP
- it: should add egress rule to mongodb
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- contains:
path: spec.egress
......@@ -164,6 +195,9 @@ tests:
protocol: TCP
- it: should add egress rule to user-manager
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- contains:
path: spec.egress
......@@ -178,6 +212,8 @@ tests:
- it: should add egress rule to nachrichten-bayernid-proxy if bayernid is enabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
bayernid:
enabled: true
......@@ -200,6 +236,8 @@ tests:
- it: should not add egress rule to bayernid-proxy if bayernid is disabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
bayernid:
enabled: false
......@@ -220,6 +258,8 @@ tests:
- it: should throw error if bayernid-proxy is enabled but bayernid namespace is not set
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
bayernid:
enabled: true
......@@ -229,6 +269,8 @@ tests:
- it: should add egress rule to info-manager if antragraum is enabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
antragraum:
enabled: true
......@@ -247,6 +289,8 @@ tests:
- it: should not add egress rule to info-manager if antragraum is disabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
antragraum:
enabled: false
......@@ -262,8 +306,83 @@ tests:
matchLabels:
component: info-manager
- it: should add egress rule to zufi server if zufi is enabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
zufiManager:
enabled: true
namespace: zufi
asserts:
- contains:
path: spec.egress
content:
to:
- podSelector:
matchLabels:
component: zufi-server
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: zufi
ports:
- port: 9090
protocol: TCP
- it: should not add egress rule to zufi server if zufi is disabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
zufiManager:
enabled: false
namespace: zufi
asserts:
- notContains:
path: spec.egress
content:
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: zufi
podSelector:
matchLabels:
component: zufi-server
any: true
- it: should throw error if zufi is enabled but zufi namespace is not set
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
zufiManager:
enabled: true
asserts:
- failedTemplate:
errorMessage: zufiManager.namespace must be set if zufiManager server is enabled
- it: should not enable zufi netpol by default
set:
zufiManager:
namespace: zufi
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- notContains:
path: spec.egress
content:
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: zufi
podSelector:
matchLabels:
component: zufi-server
any: true
- it: should add egress rule to dns service
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- contains:
path: spec.egress
......@@ -285,6 +404,7 @@ tests:
- it: add ingress rule local by values
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ssoPublicIp: 51.89.117.53/32
additionalIngressConfigGlobal:
- from:
......@@ -302,6 +422,7 @@ tests:
- it: add ingress rule global by values
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ssoPublicIp: 51.89.117.53/32
additionalIngressConfigLocal:
- from:
......@@ -320,6 +441,7 @@ tests:
- it: add egress rules local by values
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
additionalEgressConfigGlobal:
- to:
- ipBlock:
......@@ -351,6 +473,7 @@ tests:
- it: add egress rules global by values
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
additionalEgressConfigLocal:
- to:
- ipBlock:
......@@ -380,6 +503,22 @@ tests:
set:
networkPolicy:
disabled: false
dnsServerNamespace: test-dns-namespace
asserts:
- hasDocuments:
count: 1
- it: test network policy dnsServerNamespace must be set message
set:
networkPolicy:
disabled: false
asserts:
- failedTemplate:
errorMessage: networkPolicy.dnsServerNamespace must be set
- it: test network policy should be enabled by default
set:
networkPolicy:
dnsServerNamespace: test-dns-server-namespace
asserts:
- hasDocuments:
count: 1
\ No newline at end of file
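Review bot: The three-line fixture `set: networkPolicy: dnsServerNamespace: test-dns-namespace` is repeated in nearly every test case, which buries the zufi-specific values that the new tests are about. If the helm-unittest version used here supports a suite-level `set:` or a shared `values:` file, the fixture could be declared once. The `networkPolicy.dnsServerNamespace must be set` test would then have to null the value explicitly, e.g. `dnsServerNamespace: null`, assuming test-level values override suite-level ones. The last test uses `test-dns-server-namespace` where every other case uses `test-dns-namespace`; aligning them avoids suggesting the difference is meaningful. Each negative zufi test would also benefit from a one-line comment stating that `any: true` makes `notContains` a subset match, which is why `ports` is omitted from the expected content.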