Commit 7a60a716 authored by OZGCloud's avatar OZGCloud

Merge pull request 'OZG-5653 add networkpolicy for zufi server' (#385) from OZG-5653 into master

parents 2e7d2434 7cb49045
...@@ -109,6 +109,18 @@ spec: ...@@ -109,6 +109,18 @@ spec:
podSelector: podSelector:
matchLabels: matchLabels:
component: info-manager component: info-manager
{{- end }}
{{- if (.Values.zufiManager).enabled }}
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: {{ required "zufiManager.namespace must be set if zufiManager server is enabled" (.Values.zufiManager).namespace }}
podSelector:
matchLabels:
component: zufi-server
ports:
- port: 9090
protocol: TCP
{{- end }} {{- end }}
- to: - to:
- namespaceSelector: - namespaceSelector:
......
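Review bot: The namespace value in the new `namespaceSelector` is rendered unquoted, so a value such as `123` or `no` would reach the YAML parser as a number or boolean rather than a string, and the policy would then be rejected or fail to select the zufi namespace. Piping it through `quote` keeps it a string: `kubernetes.io/metadata.name: {{ required "zufiManager.namespace must be set if zufiManager server is enabled" (.Values.zufiManager).namespace | quote }}`. The accompanying tests only use `zufi`, so they would not catch this. A one-line comment above the rule, e.g. `# namespaceSelector and podSelector share one "to" entry: both must match`, would also help, since splitting them into two entries would widen egress to every pod in that namespace. The indentation is lost in this view, so that reading is inferred from the single list dash.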
...@@ -27,21 +27,28 @@ release: ...@@ -27,21 +27,28 @@ release:
namespace: by-helm-test namespace: by-helm-test
templates: templates:
- templates/network_policy.yaml - templates/network_policy.yaml
tests:
- it: should match apiVersion
set: set:
networkPolicy: networkPolicy:
dnsServerNamespace: test-dns-namespace dnsServerNamespace: test-dns-namespace
tests:
- it: should match apiVersion
asserts: asserts:
- isAPIVersion: - isAPIVersion:
of: networking.k8s.io/v1 of: networking.k8s.io/v1
- it: should match kind - it: should match kind
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts: asserts:
- isKind: - isKind:
of: NetworkPolicy of: NetworkPolicy
- it: validate metadata - it: validate metadata
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts: asserts:
- equal: - equal:
path: metadata path: metadata
...@@ -50,6 +57,9 @@ tests: ...@@ -50,6 +57,9 @@ tests:
namespace: by-helm-test namespace: by-helm-test
- it: should set policy target matchLabel - it: should set policy target matchLabel
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts: asserts:
- equal: - equal:
path: spec.podSelector path: spec.podSelector
...@@ -59,18 +69,27 @@ tests: ...@@ -59,18 +69,27 @@ tests:
- it: should add policyType Egress - it: should add policyType Egress
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts: asserts:
- contains: - contains:
path: spec.policyTypes path: spec.policyTypes
content: Egress content: Egress
- it: should add policyType Ingress - it: should add policyType Ingress
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts: asserts:
- contains: - contains:
path: spec.policyTypes path: spec.policyTypes
content: Ingress content: Ingress
- it: should add ingress rule for eingangsmanager and alfa - it: should add ingress rule for eingangsmanager and alfa
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts: asserts:
- contains: - contains:
path: spec.ingress path: spec.ingress
...@@ -90,6 +109,8 @@ tests: ...@@ -90,6 +109,8 @@ tests:
- it: should add ingress rule for antragraum if antragraum is enabled - it: should add ingress rule for antragraum if antragraum is enabled
set: set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud: ozgcloud:
antragraum: antragraum:
enabled: true enabled: true
...@@ -109,6 +130,8 @@ tests: ...@@ -109,6 +130,8 @@ tests:
- it: should not add ingress rule for antragraum if antragraum is disabled - it: should not add ingress rule for antragraum if antragraum is disabled
set: set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud: ozgcloud:
antragraum: antragraum:
enabled: false enabled: false
...@@ -126,6 +149,8 @@ tests: ...@@ -126,6 +149,8 @@ tests:
- it: should throw error if antragraum is enabled but antragraum namespace is not set - it: should throw error if antragraum is enabled but antragraum namespace is not set
set: set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud: ozgcloud:
antragraum: antragraum:
enabled: true enabled: true
...@@ -135,6 +160,9 @@ tests: ...@@ -135,6 +160,9 @@ tests:
- it: should add egress rule to elasticsearch - it: should add egress rule to elasticsearch
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts: asserts:
- contains: - contains:
path: spec.egress path: spec.egress
...@@ -151,6 +179,9 @@ tests: ...@@ -151,6 +179,9 @@ tests:
protocol: TCP protocol: TCP
- it: should add egress rule to mongodb - it: should add egress rule to mongodb
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts: asserts:
- contains: - contains:
path: spec.egress path: spec.egress
...@@ -164,6 +195,9 @@ tests: ...@@ -164,6 +195,9 @@ tests:
protocol: TCP protocol: TCP
- it: should add egress rule to user-manager - it: should add egress rule to user-manager
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts: asserts:
- contains: - contains:
path: spec.egress path: spec.egress
...@@ -178,6 +212,8 @@ tests: ...@@ -178,6 +212,8 @@ tests:
- it: should add egress rule to nachrichten-bayernid-proxy if bayernid is enabled - it: should add egress rule to nachrichten-bayernid-proxy if bayernid is enabled
set: set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud: ozgcloud:
bayernid: bayernid:
enabled: true enabled: true
...@@ -200,6 +236,8 @@ tests: ...@@ -200,6 +236,8 @@ tests:
- it: should not add egress rule to bayernid-proxy if bayernid is disabled - it: should not add egress rule to bayernid-proxy if bayernid is disabled
set: set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud: ozgcloud:
bayernid: bayernid:
enabled: false enabled: false
...@@ -220,6 +258,8 @@ tests: ...@@ -220,6 +258,8 @@ tests:
- it: should throw error if bayernid-proxy is enabled but bayernid namespace is not set - it: should throw error if bayernid-proxy is enabled but bayernid namespace is not set
set: set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud: ozgcloud:
bayernid: bayernid:
enabled: true enabled: true
...@@ -229,6 +269,8 @@ tests: ...@@ -229,6 +269,8 @@ tests:
- it: should add egress rule to info-manager if antragraum is enabled - it: should add egress rule to info-manager if antragraum is enabled
set: set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud: ozgcloud:
antragraum: antragraum:
enabled: true enabled: true
...@@ -247,6 +289,8 @@ tests: ...@@ -247,6 +289,8 @@ tests:
- it: should not add egress rule to info-manager if antragraum is disabled - it: should not add egress rule to info-manager if antragraum is disabled
set: set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud: ozgcloud:
antragraum: antragraum:
enabled: false enabled: false
...@@ -262,8 +306,83 @@ tests: ...@@ -262,8 +306,83 @@ tests:
matchLabels: matchLabels:
component: info-manager component: info-manager
- it: should add egress rule to zufi server if zufi is enabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
zufiManager:
enabled: true
namespace: zufi
asserts:
- contains:
path: spec.egress
content:
to:
- podSelector:
matchLabels:
component: zufi-server
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: zufi
ports:
- port: 9090
protocol: TCP
- it: should not add egress rule to zufi server if zufi is disabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
zufiManager:
enabled: false
namespace: zufi
asserts:
- notContains:
path: spec.egress
content:
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: zufi
podSelector:
matchLabels:
component: zufi-server
any: true
- it: should throw error if zufi is enabled but zufi namespace is not set
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
zufiManager:
enabled: true
asserts:
- failedTemplate:
errorMessage: zufiManager.namespace must be set if zufiManager server is enabled
- it: should not enable zufi netpol by default
set:
zufiManager:
namespace: zufi
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- notContains:
path: spec.egress
content:
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: zufi
podSelector:
matchLabels:
component: zufi-server
any: true
- it: should add egress rule to dns service - it: should add egress rule to dns service
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts: asserts:
- contains: - contains:
path: spec.egress path: spec.egress
...@@ -285,6 +404,7 @@ tests: ...@@ -285,6 +404,7 @@ tests:
- it: add ingress rule local by values - it: add ingress rule local by values
set: set:
networkPolicy: networkPolicy:
dnsServerNamespace: test-dns-namespace
ssoPublicIp: 51.89.117.53/32 ssoPublicIp: 51.89.117.53/32
additionalIngressConfigGlobal: additionalIngressConfigGlobal:
- from: - from:
...@@ -302,6 +422,7 @@ tests: ...@@ -302,6 +422,7 @@ tests:
- it: add ingress rule global by values - it: add ingress rule global by values
set: set:
networkPolicy: networkPolicy:
dnsServerNamespace: test-dns-namespace
ssoPublicIp: 51.89.117.53/32 ssoPublicIp: 51.89.117.53/32
additionalIngressConfigLocal: additionalIngressConfigLocal:
- from: - from:
...@@ -320,6 +441,7 @@ tests: ...@@ -320,6 +441,7 @@ tests:
- it: add egress rules local by values - it: add egress rules local by values
set: set:
networkPolicy: networkPolicy:
dnsServerNamespace: test-dns-namespace
additionalEgressConfigGlobal: additionalEgressConfigGlobal:
- to: - to:
- ipBlock: - ipBlock:
...@@ -351,6 +473,7 @@ tests: ...@@ -351,6 +473,7 @@ tests:
- it: add egress rules global by values - it: add egress rules global by values
set: set:
networkPolicy: networkPolicy:
dnsServerNamespace: test-dns-namespace
additionalEgressConfigLocal: additionalEgressConfigLocal:
- to: - to:
- ipBlock: - ipBlock:
...@@ -380,6 +503,22 @@ tests: ...@@ -380,6 +503,22 @@ tests:
set: set:
networkPolicy: networkPolicy:
disabled: false disabled: false
dnsServerNamespace: test-dns-namespace
asserts:
- hasDocuments:
count: 1
- it: test network policy dnsServerNamespace must be set message
set:
networkPolicy:
disabled: false
asserts:
- failedTemplate:
errorMessage: networkPolicy.dnsServerNamespace must be set
- it: test network policy should be enabled by default
set:
networkPolicy:
dnsServerNamespace: test-dns-server-namespace
asserts: asserts:
- hasDocuments: - hasDocuments:
count: 1 count: 1
\ No newline at end of file