Merge pull request 'OZG-5653 add networkpolicy for zufi server' (#385) from OZG-5653 into master

7a60a716 · OZGCloud · 2e7d2434 · 7cb49045 · 7a60a716 · 7a60a716
Commit 7a60a716 authored 1 year ago by OZGCloud
--- a/src/main/helm/templates/network_policy.yaml
+++ b/src/main/helm/templates/network_policy.yaml
@@ -109,6 +109,18 @@ spec:
        podSelector: 
          matchLabels:
            component: info-manager
+{{- end }}
+{{- if (.Values.zufiManager).enabled }}
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: {{ required "zufiManager.namespace must be set if zufiManager server is enabled" (.Values.zufiManager).namespace }}
+      podSelector: 
+        matchLabels:
+          component: zufi-server
+    ports:
+      - port: 9090
+        protocol: TCP
 {{- end }}
  - to:
    - namespaceSelector:

--- a/src/test/helm/network_policy_test.yaml
+++ b/src/test/helm/network_policy_test.yaml
@@ -27,21 +27,28 @@ release:
  namespace: by-helm-test
 templates:
  - templates/network_policy.yaml
+tests:
+  - it: should match apiVersion
    set: 
      networkPolicy:
        dnsServerNamespace: test-dns-namespace
-tests:
-  - it: should match apiVersion
    asserts:
      - isAPIVersion:
          of: networking.k8s.io/v1
  - it: should match kind
+    set: 
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
    asserts:
      - isKind:
          of: NetworkPolicy
  - it: validate metadata
+    set: 
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
    asserts:
      - equal:
          path: metadata
@@ -50,6 +57,9 @@ tests:
            namespace: by-helm-test
  - it: should set policy target matchLabel
+    set: 
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
    asserts:
      - equal:
          path: spec.podSelector
@@ -59,18 +69,27 @@ tests:
  - it: should add policyType Egress
+    set: 
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
    asserts:
      - contains:
          path: spec.policyTypes
          content: Egress
  - it: should add policyType Ingress
+    set: 
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
    asserts:
      - contains:
          path: spec.policyTypes
          content: Ingress
  - it: should add ingress rule for eingangsmanager and alfa
+    set: 
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
    asserts:
      - contains:
          path: spec.ingress
@@ -90,6 +109,8 @@ tests:
  - it: should add ingress rule for antragraum if antragraum is enabled
    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
      ozgcloud:
        antragraum:
          enabled: true
@@ -109,6 +130,8 @@ tests:
  - it: should not add ingress rule for antragraum if antragraum is disabled
    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
      ozgcloud:
        antragraum:
          enabled: false
@@ -126,6 +149,8 @@ tests:
  - it: should throw error if antragraum is enabled but antragraum namespace is not set
    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
      ozgcloud:
        antragraum:
          enabled: true
@@ -135,6 +160,9 @@ tests:
  - it: should add egress rule to elasticsearch
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
    asserts:
      - contains:
          path: spec.egress
@@ -151,6 +179,9 @@ tests:
                  protocol: TCP
  - it: should add egress rule to mongodb
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
    asserts:
      - contains:
          path: spec.egress
@@ -164,6 +195,9 @@ tests:
                  protocol: TCP
  - it: should add egress rule to user-manager
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
    asserts:
      - contains:
          path: spec.egress
@@ -178,6 +212,8 @@ tests:
  - it: should add egress rule to nachrichten-bayernid-proxy if bayernid is enabled
    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
      ozgcloud:
        bayernid:
          enabled: true
@@ -200,6 +236,8 @@ tests:
  - it: should not add egress rule to bayernid-proxy if bayernid is disabled
    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
      ozgcloud:
        bayernid:
          enabled: false
@@ -220,6 +258,8 @@ tests:
  - it: should throw error if bayernid-proxy is enabled but bayernid namespace is not set
    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
      ozgcloud:
        bayernid:
          enabled: true
@@ -229,6 +269,8 @@ tests:
  - it: should add egress rule to info-manager if antragraum is enabled
    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
      ozgcloud:
        antragraum:
          enabled: true
@@ -247,6 +289,8 @@ tests:
  - it: should not add egress rule to info-manager if antragraum is disabled
    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
      ozgcloud:
        antragraum:
          enabled: false
@@ -262,8 +306,83 @@ tests:
                  matchLabels:
                    component: info-manager
+  - it: should add egress rule to zufi server if zufi is enabled
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
+      zufiManager:
+        enabled: true
+        namespace: zufi
+    asserts:
+      - contains:
+          path: spec.egress
+          content:
+            to:
+            - podSelector: 
+                matchLabels:
+                  component: zufi-server
+              namespaceSelector:
+                matchLabels:
+                      kubernetes.io/metadata.name: zufi
+            ports:
+            - port: 9090
+              protocol: TCP         
+  - it: should not add egress rule to zufi server if zufi is disabled
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
+      zufiManager:
+        enabled: false
+        namespace: zufi
+    asserts:
+      - notContains:
+          path: spec.egress
+          content:
+            to:
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: zufi
+              podSelector: 
+                matchLabels:
+                  component: zufi-server
+          any: true
+  - it: should throw error if zufi is enabled but zufi namespace is not set
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
+      zufiManager:
+        enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: zufiManager.namespace must be set if zufiManager server is enabled
+  - it: should not enable zufi netpol by default
+    set:
+      zufiManager:
+        namespace: zufi
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
+    asserts:
+      - notContains:
+          path: spec.egress
+          content: 
+            to:
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: zufi
+              podSelector: 
+                matchLabels:
+                  component: zufi-server
+          any: true
  - it: should add egress rule to dns service
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
    asserts:
      - contains:
          path: spec.egress
@@ -285,6 +404,7 @@ tests:
  - it: add ingress rule local by values
    set:
      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
        ssoPublicIp: 51.89.117.53/32
        additionalIngressConfigGlobal:
        - from:
@@ -302,6 +422,7 @@ tests:
  - it: add ingress rule global by values
    set:
      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
        ssoPublicIp: 51.89.117.53/32
        additionalIngressConfigLocal:
        - from:
@@ -320,6 +441,7 @@ tests:
  - it: add egress rules local by values
    set:
      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
        additionalEgressConfigGlobal:
        - to:
          - ipBlock:
@@ -351,6 +473,7 @@ tests:
  - it: add egress rules global by values
    set:
      networkPolicy:
+        dnsServerNamespace: test-dns-namespace
        additionalEgressConfigLocal:
        - to:
          - ipBlock:
@@ -380,6 +503,22 @@ tests:
    set:
      networkPolicy:
        disabled: false
+        dnsServerNamespace: test-dns-namespace
+    asserts:
+      - hasDocuments:
+          count: 1
+  - it: test network policy dnsServerNamespace must be set message
+    set:
+      networkPolicy:
+        disabled: false
+    asserts:
+      - failedTemplate:
+          errorMessage: networkPolicy.dnsServerNamespace must be set
+  - it: test network policy should be enabled by default
+    set:
+      networkPolicy:
+        dnsServerNamespace: test-dns-server-namespace
    asserts:
      - hasDocuments:
          count: 1
\ No newline at end of file