diff --git a/src/main/helm/templates/network_policy.yaml b/src/main/helm/templates/network_policy.yaml index 0437702163106cd37fa6be06609c547b8907a3f3..28fab29f9e443b50b32b87d68c9ffdedc0220d4d 100644 --- a/src/main/helm/templates/network_policy.yaml +++ b/src/main/helm/templates/network_policy.yaml @@ -109,6 +109,18 @@ spec: podSelector: matchLabels: component: info-manager +{{- end }} +{{- if (.Values.zufiManager).enabled }} + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ required "zufiManager.namespace must be set if zufiManager server is enabled" (.Values.zufiManager).namespace }} + podSelector: + matchLabels: + component: zufi-server + ports: + - port: 9090 + protocol: TCP {{- end }} - to: - namespaceSelector: diff --git a/src/test/helm/network_policy_test.yaml b/src/test/helm/network_policy_test.yaml index 6348f8be5667775ec59dd74d3a1ab935baa25005..f63746306c5edeaa76f17028551c04243a137d31 100644 --- a/src/test/helm/network_policy_test.yaml +++ b/src/test/helm/network_policy_test.yaml @@ -27,21 +27,28 @@ release: namespace: by-helm-test templates: - templates/network_policy.yaml -set: - networkPolicy: - dnsServerNamespace: test-dns-namespace + tests: - it: should match apiVersion + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace asserts: - isAPIVersion: of: networking.k8s.io/v1 - it: should match kind + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace asserts: - isKind: of: NetworkPolicy - it: validate metadata + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace asserts: - equal: path: metadata @@ -50,6 +57,9 @@ tests: namespace: by-helm-test - it: should set policy target matchLabel + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace asserts: - equal: path: spec.podSelector 
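Review bot: The `kubernetes.io/metadata.name` value in the new zufi egress rule is rendered unquoted, so a namespace that happens to be a YAML-typed scalar (a DNS-1123 label such as `123` is legal) would be emitted as a number and rejected as a label value; pipe the result through `quote`: `kubernetes.io/metadata.name: {{ required "zufiManager.namespace must be set if zufiManager server is enabled" (.Values.zufiManager).namespace | quote }}`. The rule itself is appropriately narrow — namespace pinned by the API-server-managed label, a `podSelector` on `component: zufi-server`, and a single `9090/TCP` port — so nothing else needs tightening. If the sibling rules above this hunk leave their namespace value unquoted as well, they are outside the hunk and presumably should get the same treatment for consistency.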
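Review bot: The suite-level `set: networkPolicy.dnsServerNamespace` is pushed down into every individual test case, starting with the three cases in this hunk and repeated in each of the following hunks of network_policy_test.yaml, which makes the fixture value easy to drift (and indeed the last hunk already spells it differently). Consider anchoring the first occurrence, `set: &netpol_defaults`, and reusing it with `set: *netpol_defaults` in cases that set nothing else, or `<<: *netpol_defaults` in cases that add `ozgcloud`/`zufiManager` keys; this only works if the test runner's YAML parser honours merge keys, which I cannot confirm from here. Alternatively keep the value once in a suite-level `values:` file if the runner allows per-test unsetting for the new "must be set" case.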
@@ -59,18 +69,27 @@ tests: - it: should add policyType Egress + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace asserts: - contains: path: spec.policyTypes content: Egress - it: should add policyType Ingress + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace asserts: - contains: path: spec.policyTypes content: Ingress - it: should add ingress rule for eingangsmanager and alfa + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace asserts: - contains: path: spec.ingress @@ -90,6 +109,8 @@ tests: - it: should add ingress rule for antragraum if antragraum is enabled set: + networkPolicy: + dnsServerNamespace: test-dns-namespace ozgcloud: antragraum: enabled: true @@ -109,6 +130,8 @@ tests: - it: should not add ingress rule for antragraum if antragraum is disabled set: + networkPolicy: + dnsServerNamespace: test-dns-namespace ozgcloud: antragraum: enabled: false @@ -126,6 +149,8 @@ tests: - it: should throw error if antragraum is enabled but antragraum namespace is not set set: + networkPolicy: + dnsServerNamespace: test-dns-namespace ozgcloud: antragraum: enabled: true @@ -135,6 +160,9 @@ tests: - it: should add egress rule to elasticsearch + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace asserts: - contains: path: spec.egress @@ -151,6 +179,9 @@ tests: protocol: TCP - it: should add egress rule to mongodb + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace asserts: - contains: path: spec.egress @@ -164,6 +195,9 @@ tests: protocol: TCP - it: should add egress rule to user-manager + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace asserts: - contains: path: spec.egress @@ -178,6 +212,8 @@ tests: - it: should add egress rule to nachrichten-bayernid-proxy if bayernid is enabled set: + networkPolicy: + dnsServerNamespace: test-dns-namespace ozgcloud: bayernid: enabled: true 
@@ -200,6 +236,8 @@ tests: - it: should not add egress rule to bayernid-proxy if bayernid is disabled set: + networkPolicy: + dnsServerNamespace: test-dns-namespace ozgcloud: bayernid: enabled: false @@ -220,6 +258,8 @@ tests: - it: should throw error if bayernid-proxy is enabled but bayernid namespace is not set set: + networkPolicy: + dnsServerNamespace: test-dns-namespace ozgcloud: bayernid: enabled: true @@ -229,6 +269,8 @@ tests: - it: should add egress rule to info-manager if antragraum is enabled set: + networkPolicy: + dnsServerNamespace: test-dns-namespace ozgcloud: antragraum: enabled: true @@ -247,6 +289,8 @@ tests: - it: should not add egress rule to info-manager if antragraum is disabled set: + networkPolicy: + dnsServerNamespace: test-dns-namespace ozgcloud: antragraum: enabled: false 
@@ -262,8 +306,83 @@ tests: matchLabels: component: info-manager + - it: should add egress rule to zufi server if zufi is enabled + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace + zufiManager: + enabled: true + namespace: zufi + asserts: + - contains: + path: spec.egress + content: + to: + - podSelector: + matchLabels: + component: zufi-server + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: zufi + ports: + - port: 9090 + protocol: TCP + + + - it: should not add egress rule to zufi server if zufi is disabled + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace + zufiManager: + enabled: false + namespace: zufi + asserts: + - notContains: + path: spec.egress + content: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: zufi + podSelector: + matchLabels: + component: zufi-server + any: true + + - it: should throw error if zufi is enabled but zufi namespace is not set + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace + zufiManager: + enabled: true + asserts: + - failedTemplate: + errorMessage: zufiManager.namespace must be set if zufiManager server is enabled + + - it: should not enable zufi netpol by default + set: + zufiManager: + namespace: zufi + networkPolicy: + dnsServerNamespace: test-dns-namespace + asserts: + - notContains: + path: spec.egress + content: + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: zufi + podSelector: + matchLabels: + component: zufi-server + any: true + - it: should add egress rule to dns service + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace asserts: - contains: path: spec.egress @@ -285,6 +404,7 @@ tests: - it: add ingress rule local by values set: networkPolicy: + dnsServerNamespace: test-dns-namespace ssoPublicIp: 51.89.117.53/32 additionalIngressConfigGlobal: - from: 
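Review bot: The positive case "should add egress rule to zufi server if zufi is enabled" lists the rule with `podSelector` before `namespaceSelector`, while the two negative cases and the template itself put `namespaceSelector` first; mappings are unordered so the assertions still match, but writing the expected content in the template's order makes the three cases easier to compare. There are two consecutive blank lines between the first two zufi cases where the rest of the file uses one. The "should not enable zufi netpol by default" case relies on `zufiManager.enabled` having no truthy default in values.yaml, which is not visible in this diff — a comment such as `# relies on zufiManager.enabled being unset/false in values.yaml` above that case would document the assumption.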
@@ -302,6 +422,7 @@ tests: - it: add ingress rule global by values set: networkPolicy: + dnsServerNamespace: test-dns-namespace ssoPublicIp: 51.89.117.53/32 additionalIngressConfigLocal: - from: @@ -320,6 +441,7 @@ tests: - it: add egress rules local by values set: networkPolicy: + dnsServerNamespace: test-dns-namespace additionalEgressConfigGlobal: - to: - ipBlock: @@ -351,6 +473,7 @@ tests: - it: add egress rules global by values set: networkPolicy: + dnsServerNamespace: test-dns-namespace additionalEgressConfigLocal: - to: - ipBlock: @@ -380,6 +503,22 @@ tests: set: networkPolicy: disabled: false + dnsServerNamespace: test-dns-namespace + asserts: + - hasDocuments: + count: 1 + - it: test network policy dnsServerNamespace must be set message + set: + networkPolicy: + disabled: false + asserts: + - failedTemplate: + errorMessage: networkPolicy.dnsServerNamespace must be set + + - it: test network policy should be enabled by default + set: + networkPolicy: + dnsServerNamespace: test-dns-server-namespace asserts: - hasDocuments: count: 1 \ No newline at end of file
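Review bot: The new "should be enabled by default" case uses `dnsServerNamespace: test-dns-server-namespace` while every other case in the file uses `test-dns-namespace`; align it to `dnsServerNamespace: test-dns-namespace` so the fixture value stays greppable. The file now ends without a trailing newline (`\ No newline at end of file`), which yamllint flags. The "dnsServerNamespace must be set message" case asserts a `required` failure whose template side is not part of this diff, so presumably that check already exists in network_policy.yaml; worth confirming the asserted message text matches it exactly.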