This repository has been archived by the owner on May 16, 2023. It is now read-only.

[elasticsearch] fix network policies http additional rules (#1111) (#…
…1208)

* [elasticsearch] fix network policies http additional rules

This commit fixes the http additional rules used with `NetworkPolicies`.

Fix #1106

* [elasticsearch] improve netpol tests

This commit adds some small improvements in network policies tests:
* update example Makefile to fix commands and use similar structure to
other examples Makefiles
* fix example values file extension
* use different values for http and transport network policies in python
test and example values to catch regressions where same values would be
used for both
jmlrt committed May 28, 2021
1 parent cf9c5ea commit 54fde15
Showing 4 changed files with 30 additions and 29 deletions.
9 changes: 5 additions & 4 deletions elasticsearch/examples/networkpolicy/Makefile
@@ -1,13 +1,14 @@
default: test

include ../../../helpers/examples.mk

RELEASE := helm-es-networkpolicy
TIMEOUT := 1200s

install:
helm upgrade --wait --timeout=600s --install $(RELEASE) --values ./values.yaml ../../ ; \
helm upgrade --wait --timeout=$(TIMEOUT) --install --values values.yaml $(RELEASE) ../../

restart:
helm upgrade --set terminationGracePeriod=121 --wait --timeout=600s --install $(RELEASE) --values ./values.yaml ../../ ; \
test: install goss

purge:
helm del --purge $(RELEASE)
helm del $(RELEASE)
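Review bot: `test: install goss` only shows that the release installs and passes the goss checks; nothing in this Makefile checks that a pod without the `frontend-http` / `frontend-transport` labels is actually refused, and on a cluster whose network plugin does not enforce NetworkPolicy the target would pass with the policies doing nothing. A comment above the target such as `# Needs a CNI that enforces NetworkPolicy; does not verify that unlabelled pods are blocked` would make that limit explicit. The `goss` target comes from the included `../../../helpers/examples.mk`, which is not visible here, so what it checks is assumed. Separately, `default`, `install`, `test` and `purge` have no `.PHONY` line in this file; `.PHONY: default install test purge` is worth adding unless the include already declares them.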
@@ -4,34 +4,34 @@ networkPolicy:
explicitNamespacesSelector:
# Accept from namespaces with all those different rules (from whitelisted Pods)
matchLabels:
role: frontend
role: frontend-http
matchExpressions:
- {key: role, operator: In, values: [frontend]}
- {key: role, operator: In, values: [frontend-http]}
additionalRules:
- podSelector:
matchLabels:
role: frontend
role: frontend-http
- podSelector:
matchExpressions:
- key: role
operator: In
values:
- frontend
- frontend-http
transport:
enabled: true
allowExternal: true
explicitNamespacesSelector:
matchLabels:
role: frontend
role: frontend-transport
matchExpressions:
- {key: role, operator: In, values: [frontend]}
- {key: role, operator: In, values: [frontend-transport]}
additionalRules:
- podSelector:
matchLabels:
role: frontend
role: frontend-transport
- podSelector:
matchExpressions:
- key: role
operator: In
values:
- frontend
- frontend-transport
2 changes: 1 addition & 1 deletion elasticsearch/templates/networkpolicy.yaml
@@ -28,7 +28,7 @@ spec:
namespaceSelector:
{{ toYaml . | indent 12 }}
{{- end }}
{{- with .Values.networkPolicy.transport.additionalRules }}
{{- with .Values.networkPolicy.http.additionalRules }}
# Or from custom additional rules
{{ toYaml . | indent 8 }}
{{- end }}
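Review bot: The comment `# Or from custom additional rules` above the `toYaml` line undersells what `additionalRules` does: judging by the expected output in elasticsearch_test.py, each entry is rendered as its own peer in the ingress list, so it is ORed with the namespace/pod selector pair above, and a bare `podSelector` entry admits any matching pod in the release's own namespace. I would reword it to `# Extra ingress peers, ORed with the selectors above; each entry widens access to the http policy`. Because the http policy appears to have rendered the transport values before this change, operators who put HTTP client rules under `transport.additionalRules` will lose that access on upgrade, and rules under `http.additionalRules` that were ignored will start applying; that deserves a line in the release notes. The policy spec starts before and continues after this hunk.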
32 changes: 16 additions & 16 deletions elasticsearch/tests/elasticsearch_test.py
@@ -1423,37 +1423,37 @@ def test_network_policy():
explicitNamespacesSelector:
# Accept from namespaces with all those different rules (from whitelisted Pods)
matchLabels:
role: frontend
role: frontend-http
matchExpressions:
- {key: role, operator: In, values: [frontend]}
- {key: role, operator: In, values: [frontend-http]}
additionalRules:
- podSelector:
matchLabels:
role: frontend
role: frontend-http
- podSelector:
matchExpressions:
- key: role
operator: In
values:
- frontend
- frontend-http
transport:
enabled: true
allowExternal: true
explicitNamespacesSelector:
matchLabels:
role: frontend
role: frontend-transport
matchExpressions:
- {key: role, operator: In, values: [frontend]}
- {key: role, operator: In, values: [frontend-transport]}
additionalRules:
- podSelector:
matchLabels:
role: frontend
role: frontend-transport
- podSelector:
matchExpressions:
- key: role
operator: In
values:
- frontend
- frontend-transport
"""
r = helm_template(config)
@@ -1468,16 +1468,16 @@ def test_network_policy():
},
"namespaceSelector": {
"matchExpressions": [
{"key": "role", "operator": "In", "values": ["frontend"]}
{"key": "role", "operator": "In", "values": ["frontend-http"]}
],
"matchLabels": {"role": "frontend"},
"matchLabels": {"role": "frontend-http"},
},
},
{"podSelector": {"matchLabels": {"role": "frontend"}}},
{"podSelector": {"matchLabels": {"role": "frontend-http"}}},
{
"podSelector": {
"matchExpressions": [
{"key": "role", "operator": "In", "values": ["frontend"]}
{"key": "role", "operator": "In", "values": ["frontend-http"]}
]
}
},
@@ -1490,16 +1490,16 @@ def test_network_policy():
},
"namespaceSelector": {
"matchExpressions": [
{"key": "role", "operator": "In", "values": ["frontend"]}
{"key": "role", "operator": "In", "values": ["frontend-transport"]}
],
"matchLabels": {"role": "frontend"},
"matchLabels": {"role": "frontend-transport"},
},
},
{"podSelector": {"matchLabels": {"role": "frontend"}}},
{"podSelector": {"matchLabels": {"role": "frontend-transport"}}},
{
"podSelector": {
"matchExpressions": [
{"key": "role", "operator": "In", "values": ["frontend"]}
{"key": "role", "operator": "In", "values": ["frontend-transport"]}
]
}
},
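Review bot: The test still covers only the case where both `http` and `transport` carry `additionalRules`, so it would not notice one policy picking up the other's rules when its own list is empty. A second case that sets only `transport.additionalRules` and asserts that the http policy's peer list holds just the namespace/pod selector pair (and the reverse for transport) would pin the isolation between the two policies, which is the property this fix restores. The distinct `frontend-http` / `frontend-transport` values are a good guard against the same cross-wiring when both are set. test_network_policy starts before the first hunk and continues past the last one, so the assertions around these dicts are not visible here.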

1 comment on commit 54fde15

@ebuildy
Contributor


Nice one! Do we need to wait for the 7.13.1 release?
