MAISTRA-2411 Create NetworkPolicy for additional ingress gateways (ma…

…istra#804)
mtturcsik · Dec 20, 2021 · 45862df · 45862df
1 parent c630045
commit 45862df
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 8 deletions.
diff --git a/pkg/controller/servicemesh/controlplane/gateways_test.go b/pkg/controller/servicemesh/controlplane/gateways_test.go
@@ -126,7 +126,50 @@ func TestAdditionalIngressGatewayInstall(t *testing.T) {
 			},
 		},
 		{
-			name: "app-label",
+			name: "labels",
+			smcp: New20SMCPResource(controlPlaneName, controlPlaneNamespace, &v2.ControlPlaneSpec{
+				Gateways: &v2.GatewaysConfig{
+					IngressGateways: map[string]*v2.IngressGatewayConfig{
+						additionalGatewayName: {
+							GatewayConfig: v2.GatewayConfig{
+								Enablement: v2.Enablement{
+									Enabled: &enabled,
+								},
+								Service: v2.GatewayServiceConfig{
+									Metadata: &v2.MetadataConfig{
+										Labels: map[string]string{
+											"test": "test",
+										},
+									},
+								},
+								Namespace: controlPlaneNamespace,
+							},
+						},
+					},
+				},
+			}),
+			create: IntegrationTestValidation{
+				Verifier: VerifyActions(
+					Verify("create").On("networkpolicies").Named("istio-ingressgateway").In(controlPlaneNamespace).Passes(
+						ExpectedLabelMatchedByNetworkPolicy("istio", "ingressgateway"),
+					),
+					Verify("create").On("networkpolicies").Named(additionalGatewayName).In(controlPlaneNamespace).Passes(
+						ExpectedLabelMatchedByNetworkPolicy("test", "test"),
+					),
+					Verify("create").On("deployments").Named(additionalGatewayName).In(controlPlaneNamespace).Passes(
+						ExpectedLabelGatewayCreate("test", "test"),
+					),
+				),
+				Assertions: ActionAssertions{},
+			},
+			delete: IntegrationTestValidation{
+				Assertions: ActionAssertions{
+					Assert("delete").On("deployments").Named(additionalGatewayName).In(controlPlaneNamespace).IsSeen(),
+				},
+			},
+		},
+		{
+			name: "labels-2.1",
 			smcp: New21SMCPResource(controlPlaneName, controlPlaneNamespace, &v2.ControlPlaneSpec{
 				Gateways: &v2.GatewaysConfig{
 					IngressGateways: map[string]*v2.IngressGatewayConfig{
@@ -150,10 +193,16 @@ func TestAdditionalIngressGatewayInstall(t *testing.T) {
 			}),
 			create: IntegrationTestValidation{
 				Verifier: VerifyActions(
+					Verify("create").On("networkpolicies").Named("istio-ingressgateway").In(controlPlaneNamespace).Passes(
+						ExpectedLabelMatchedByNetworkPolicy("istio", "ingressgateway"),
+					),
+					Verify("create").On("networkpolicies").Named(additionalGatewayName).In(controlPlaneNamespace).Passes(
+						ExpectedLabelMatchedByNetworkPolicy("test", "test"),
+					),
 					Verify("create").On("deployments").Named(additionalGatewayName).In(controlPlaneNamespace).Passes(
+						ExpectedLabelGatewayCreate("test", "test"),
 						ExpectedLabelGatewayCreate("maistra.io/gateway", additionalGatewayName+"."+controlPlaneNamespace),
 						ExpectedLabelGatewayCreate("app", additionalGatewayName),
-						ExpectedLabelGatewayCreate("test", "test"),
 					),
 				),
 				Assertions: ActionAssertions{},
@@ -193,3 +242,20 @@ func ExpectedExternalGatewayCreate(action clienttesting.Action) error {
 	}
 	return nil
 }
+
+func ExpectedLabelMatchedByNetworkPolicy(labelName string, expectedValue string) func(action clienttesting.Action) error {
+	return func(action clienttesting.Action) error {
+		createAction := action.(clienttesting.CreateAction)
+		obj := createAction.GetObject()
+		networkPolicy := obj.(*unstructured.Unstructured)
+		if val, found, err := unstructured.NestedString(networkPolicy.Object, "spec", "podSelector", "matchLabels", labelName); err == nil {
+			if !found || val != expectedValue {
+				return fmt.Errorf("expected %s label to be matched against value %s, but didn't", labelName, expectedValue)
+			}
+		} else if err != nil {
+			return err
+		}
+
+		return nil
+	}
+}
diff --git a/resources/helm/overlays/gateways/istio-ingress/templates/networkpolicy.yaml b/resources/helm/overlays/gateways/istio-ingress/templates/networkpolicy.yaml
@@ -2,20 +2,20 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: "istio-ingressgateway"
+  name: {{ $gateway.name }}
 {{- if not $gateway.namespace }}
   namespace: {{ .Release.Namespace }}
 {{- else }}
   namespace: {{ $gateway.namespace }}
 {{- end }}
   labels:
-    app: {{ index .Values "gateways" "istio-ingressgateway" "labels" "istio" }}
+{{ $gateway.labels | toYaml | indent 4 }}
     release: {{ .Release.Name }}
   annotations:
     "maistra.io/internal": "true"
 spec:
   podSelector:
     matchLabels:
-      istio: ingressgateway
+{{ $gateway.labels | toYaml | indent 6 }}
   ingress:
   - {}
diff --git a/resources/helm/v2.1/gateways/istio-ingress/templates/networkpolicy.yaml b/resources/helm/v2.1/gateways/istio-ingress/templates/networkpolicy.yaml
@@ -2,21 +2,21 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: "istio-ingressgateway"
+  name: {{ $gateway.name }}
 {{- if not $gateway.namespace }}
   namespace: {{ $gateway.namespace | default .Release.Namespace }}
 {{- else }}
   namespace: {{ $gateway.namespace | default .Release.Namespace }}
 {{- end }}
   labels:
     maistra-version: "2.1.0"
-    app: {{ index .Values "gateways" "istio-ingressgateway" "labels" "istio" }}
+{{ $gateway.labels | toYaml | indent 4 }}
     release: {{ .Release.Name }}
   annotations:
     "maistra.io/internal": "true"
 spec:
   podSelector:
     matchLabels:
-      istio: ingressgateway
+{{ $gateway.labels | toYaml | indent 6 }}
   ingress:
   - {}