fix: team network policies (#1904)

Co-authored-by: Ani Argjiri <[email protected]>

Author: j-zimnowoda

charts/team-ns/templates/netpols/custom-istio-service-entries.yaml

@@ -49,8 +49,8 @@ metadata:
 spec:
   hosts:
   - {{ $host }}
-  ports:
 {{- with .ruleType.egress.ports }}
+  ports:
 {{- range . }}
   - number: {{ .number }}
     name: {{ printf "%s-%s" (lower .protocol) (toString .number) }}

tests/fixtures/env/teams.yaml

@@ -52,3 +52,6 @@ teamConfig:
                 - downloadCertificateAuthority
             policies:
                 - edit policies
+        networkPolicy:
+            egressPublic: false
+            ingressPrivate: true

tests/fixtures/env/teams/netpols.demo.yaml

@@ -1,3 +1,28 @@
 teamConfig:
     demo:
-        netpols: []
+        netpols:
+            - name: allow-ingress-1
+              ruleType:
+                  type: ingress
+                  ingress:
+                      toLabelName: to-label-demo
+                      toLabelValue: to-value-demo
+                      mode: AllowOnly
+                      allow:
+                          - fromLabelName: from-name-demo
+                            fromLabelValue: from-value-demo
+                            fromNamespace: from-namespace-demo
+            - name: allow-egress-1
+              ruleType:
+                  type: egress
+                  egress:
+                      domain: demo.local
+                      mode: AllowAll
+                      ports:
+                          - number: '123456'
+                            protocol: HTTPS
+            - name: allow-egress-2
+              ruleType:
+                  type: egress
+                  egress:
+                      domain: demo.local

tests/fixtures/env/teams/netpols.dev.yaml

@@ -1,3 +1,28 @@
 teamConfig:
     dev:
-        netpols: []
+        netpols:
+            - name: allow-ingress-1
+              ruleType:
+                  type: ingress
+                  ingress:
+                      toLabelName: to-label-dev
+                      toLabelValue: to-value-dev
+                      mode: AllowOnly
+                      allow:
+                          - fromLabelName: from-name-dev
+                            fromLabelValue: from-value-dev
+                            fromNamespace: from-namespace-dev
+            - name: allow-egress-2
+              ruleType:
+                  type: egress
+                  egress:
+                      domain: dev.local
+                      mode: AllowAll
+                      ports:
+                          - number: 123456
+                            protocol: HTTPS
+            - name: allow-egress-2
+              ruleType:
+                  type: egress
+                  egress:
+                      domain: dev.local

values-schema.yaml

@@ -623,6 +623,11 @@ definitions:
         description: 'A unique name for the network policy'
       ruleType:
         properties:
+          type:
+            type: string
+            enum:
+              - ingress
+              - egress
           ingress:
             properties:
               toLabelName:
@@ -683,6 +688,10 @@ definitions:
                     protocol: HTTPS
             required:
               - domain
+        required:
+          - type
+    required:
+      - name
   path:
     description: An absolute path
     type: string

values/team-ns/team-ns.gotmpl

@@ -40,7 +40,7 @@ backups: {{- $team | get "backups" list | toYaml | nindent 2 }}
 builds: {{- $team | get "builds" list | toYaml | nindent 2 }}
 policies: {{- $team | get "policies" list | toYaml | nindent 2 }}
 sealedsecrets: {{- $team | get "sealedsecrets" list | toYaml | nindent 2 }}
-netpols: {{- $team | get "netpols" dict | toYaml | nindent 2 }}
+netpols: {{- $team | get "netpols" list | toYaml | nindent 2 }}
 networkPolicy: {{- $team | get "networkPolicy" dict | toYaml | nindent 2 }}
 managedMonitoring: {{- $team | get "managedMonitoring" dict | toYaml | nindent 2 }}
 teamId: {{ $teamId }}