segregate kibana index network policy (#2025)

* segregate kibana index network policy * update network policy for kibana index pattern * fix kibana policy tests * fix authsidecar tests
astronomer · Oct 13, 2023 · 69a1b2b · 69a1b2b
1 parent ad90dc1
commit 69a1b2b
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 17 deletions.
diff --git a/charts/kibana/templates/kibana-networkpolicy.yaml b/charts/kibana/templates/kibana-networkpolicy.yaml
@@ -33,18 +33,22 @@ spec:
           component: ingress-controller
           release: {{ .Release.Name }}
     {{- end }}
-    {{ if .Values.createDefaultIndex }}
+    ports:
+    {{- if .Values.global.authSidecar.enabled  }}
+    - protocol: TCP
+      port: {{ .Values.global.authSidecar.port }}
+    {{- else }}
+    - protocol: TCP
+      port: {{ .Values.ports.http }}
+    {{- end}}
+{{ if .Values.createDefaultIndex }}
+  - from:
     - podSelector:
         matchLabels:
           component: kibana-default-index
           release: {{ .Release.Name }}
           tier: logging
-    {{- end }}
     ports:
-    {{- if .Values.global.authSidecar.enabled  }}
-    - protocol: TCP
-      port: {{ .Values.global.authSidecar.port }}
-    {{- else }}
     - protocol: TCP
       port: {{ .Values.ports.http }}
     {{- end}}

diff --git a/tests/chart_tests/test_authsidecar.py b/tests/chart_tests/test_authsidecar.py
@@ -120,18 +120,9 @@ def test_authSidecar_kibana(self, kube_version):
                 "namespaceSelector": {
                     "matchLabels": {"network.openshift.io/policy-group": "ingress"}
                 }
-            },
-            {
-                "podSelector": {
-                    "matchLabels": {
-                        "component": "kibana-default-index",
-                        "release": "release-name",
-                        "tier": "logging",
-                    }
-                }
-            },
+            }
         ] == jmespath.search("spec.ingress[0].from", docs[3])
-        assert [{"port": 8084, "protocol": "TCP"}] == jmespath.search(
+        assert {"port": 8084, "protocol": "TCP"} in jmespath.search(
             "spec.ingress[*].ports[0]", docs[3]
         )
 

diff --git a/tests/chart_tests/test_kibana.py b/tests/chart_tests/test_kibana.py
@@ -58,3 +58,30 @@ def test_kibana_index_disabled(self, kube_version):
         )
 
         assert len(docs) == 0
+
+    def test_kibana_index_network_policy_enabled(self, kube_version):
+        """Test network policy for kibana index service."""
+        docs = render_chart(
+            kube_version=kube_version,
+            values={"kibana": {"createDefaultIndex": True}},
+            show_only=[
+                "charts/kibana/templates/kibana-networkpolicy.yaml",
+            ],
+        )
+
+        assert len(docs) == 1
+        doc = docs[0]
+        assert "NetworkPolicy" == doc["kind"]
+        assert [
+            {
+                "podSelector": {
+                    "matchLabels": {
+                        "component": "kibana-default-index",
+                        "release": "release-name",
+                        "tier": "logging",
+                    }
+                },
+            }
+        ] == [doc["spec"]["ingress"][1]["from"][0]]
+
+        assert [{"port": 5601, "protocol": "TCP"}] == doc["spec"]["ingress"][1]["ports"]