strimzi · im-konge · Mar 7, 2024 · Mar 6, 2024
diff --git a/systemtest/src/main/java/io/strimzi/systemtest/TestConstants.java b/systemtest/src/main/java/io/strimzi/systemtest/TestConstants.java
@@ -118,6 +118,7 @@ public interface TestConstants {
      * Deployment labels related constants
      */
     String APP_POD_LABEL = "app";
+    String APP_KUBERNETES_INSTANCE_LABEL = "app.kubernetes.io/instance";
 
     /**
      * Label selectors for our resources

diff --git a/systemtest/src/main/java/io/strimzi/systemtest/resources/jaeger/SetupJaeger.java b/systemtest/src/main/java/io/strimzi/systemtest/resources/jaeger/SetupJaeger.java
@@ -11,6 +11,7 @@
 import io.strimzi.systemtest.resources.NamespaceManager;
 import io.strimzi.systemtest.resources.ResourceItem;
 import io.strimzi.systemtest.resources.ResourceManager;
+import io.strimzi.systemtest.resources.kubernetes.NetworkPolicyResource;
 import io.strimzi.systemtest.utils.kubeUtils.controllers.DeploymentUtils;
 import io.strimzi.test.TestUtils;
 import io.strimzi.test.logs.CollectorElement;
@@ -20,6 +21,7 @@
 import java.io.File;
 import java.nio.file.Files;
 import java.nio.file.Paths;
+import java.util.Map;
 import java.util.Stack;
 
 import static io.strimzi.systemtest.TestConstants.JAEGER_DEPLOYMENT_POLL;
@@ -43,6 +45,8 @@ public class SetupJaeger {
     private static final String CERT_MANAGER_PATH = TestUtils.USER_PATH + "/../systemtest/src/test/resources/tracing/cert-manager.yaml";
     private static final String JAEGER_INSTANCE_PATH = TestUtils.USER_PATH + "/../systemtest/src/test/resources/tracing/jaeger-instance.yaml";
     private static final String JAEGER_OPERATOR_PATH = TestUtils.USER_PATH + "/../systemtest/src/test/resources/tracing/jaeger-operator.yaml";
+    private static final String CERT_MANAGER = "cert-manager";
+    private static final String JAEGER = "jaeger";
 
     /**
      * Delete Jaeger instance
@@ -56,7 +60,17 @@ private static void deleteJaeger(String yamlContent) {
      */
     public static void deployJaegerOperatorAndCertManager() {
         deployAndWaitForCertManager();
+        allowNetworkPolicySettingsForCertManagerWebhook();
         deployJaegerOperator();
+        allowNetworkPolicySettingsForJaegerOperator();
+    }
+
+    public static void allowNetworkPolicySettingsForJaegerOperator() {
+        NetworkPolicyResource.allowNetworkPolicySettingsForWebhook(Environment.TEST_SUITE_NAMESPACE, JAEGER_OPERATOR_DEPLOYMENT_NAME, Map.of("name", JAEGER_OPERATOR_DEPLOYMENT_NAME));
+    }
+
+    public static void allowNetworkPolicySettingsForCertManagerWebhook() {
+        NetworkPolicyResource.allowNetworkPolicySettingsForWebhook(CERT_MANAGER_NAMESPACE, CERT_MANAGER, Map.of(TestConstants.APP_KUBERNETES_INSTANCE_LABEL, CERT_MANAGER));
     }
 
     /**
@@ -165,5 +179,8 @@ public static void deployJaegerInstance(String namespaceName) {
         ResourceManager.STORED_RESOURCES.get(ResourceManager.getTestContext().getDisplayName()).push(new ResourceItem<>(() -> cmdKubeClient(namespaceName).deleteContent(instanceYamlContent)));
 
         DeploymentUtils.waitForDeploymentAndPodsReady(namespaceName, JAEGER_INSTANCE_NAME, 1);
+
+        NetworkPolicyResource.allowNetworkPolicyBetweenScraperPodAndMatchingLabel(namespaceName, JAEGER_INSTANCE_NAME + "-allow", Map.of(TestConstants.APP_POD_LABEL, JAEGER));
+        NetworkPolicyResource.allowNetworkPolicyAllIngressForMatchingLabel(namespaceName, JAEGER_INSTANCE_NAME + "-traces-allow", Map.of(TestConstants.APP_POD_LABEL, JAEGER));
     }
 }
diff --git a/systemtest/src/main/java/io/strimzi/systemtest/resources/keycloak/SetupKeycloak.java b/systemtest/src/main/java/io/strimzi/systemtest/resources/keycloak/SetupKeycloak.java
@@ -9,12 +9,12 @@
 import io.fabric8.kubernetes.api.model.Secret;
 import io.fabric8.kubernetes.api.model.SecretBuilder;
 import io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy;
-import io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder;
 import io.strimzi.systemtest.Environment;
 import io.strimzi.systemtest.TestConstants;
 import io.strimzi.systemtest.keycloak.KeycloakInstance;
 import io.strimzi.systemtest.resources.ResourceItem;
 import io.strimzi.systemtest.resources.ResourceManager;
+import io.strimzi.systemtest.resources.kubernetes.NetworkPolicyResource;
 import io.strimzi.systemtest.templates.kubernetes.NetworkPolicyTemplates;
 import io.strimzi.systemtest.utils.kubeUtils.controllers.DeploymentUtils;
 import io.strimzi.systemtest.utils.kubeUtils.controllers.StatefulSetUtils;
@@ -33,6 +33,7 @@
 import java.nio.file.Path;
 import java.util.Base64;
 import java.util.List;
+import java.util.Map;
 
 import static io.strimzi.test.k8s.KubeClusterResource.cmdKubeClient;
 import static io.strimzi.test.k8s.KubeClusterResource.kubeClient;
@@ -80,7 +81,7 @@ public static KeycloakInstance deployKeycloakAndImportRealms(String namespaceNam
         deployKeycloak(namespaceName);
 
         KeycloakInstance keycloakInstance = createKeycloakInstance(namespaceName);
-        allowNetworkPolicySettingsForKeycloak(namespaceName);
+        NetworkPolicyResource.allowNetworkPolicyAllIngressForMatchingLabel(namespaceName, KEYCLOAK + "-allow", Map.of(TestConstants.APP_POD_LABEL, KEYCLOAK));
         importRealms(namespaceName, keycloakInstance);
 
         return keycloakInstance;
@@ -177,31 +178,6 @@ public static void allowNetworkPolicyBetweenKeycloakAndPostgres(String namespace
         }
     }
 
-    public static void allowNetworkPolicySettingsForKeycloak(String namespaceName) {
-        if (Environment.DEFAULT_TO_DENY_NETWORK_POLICIES) {
-            LOGGER.info("Apply NetworkPolicy access to {} from all Pods", KEYCLOAK);
-
-            NetworkPolicy networkPolicy = new NetworkPolicyBuilder()
-                .withApiVersion("networking.k8s.io/v1")
-                .withKind(TestConstants.NETWORK_POLICY)
-                .withNewMetadata()
-                    .withName(KEYCLOAK + "-allow")
-                    .withNamespace(namespaceName)
-                .endMetadata()
-                .editSpec()
-                    // keeping ingress empty to allow all connections to the Keycloak Pod
-                    .addNewIngress()
-                    .endIngress()
-                    .withNewPodSelector()
-                        .addToMatchLabels(TestConstants.APP_POD_LABEL, KEYCLOAK)
-                    .endPodSelector()
-                .endSpec()
-                .build();
-
-            ResourceManager.getInstance().createResourceWithWait(networkPolicy);
-        }
-    }
-
     private static void deleteKeycloak(String namespaceName) {
         LOGGER.info("Deleting Keycloak in Namespace: {}", namespaceName);
         cmdKubeClient(namespaceName).delete(KEYCLOAK_INSTANCE_FILE_PATH);

diff --git a/...mtest/src/main/java/io/strimzi/systemtest/resources/kubernetes/NetworkPolicyResource.java b/...mtest/src/main/java/io/strimzi/systemtest/resources/kubernetes/NetworkPolicyResource.java
@@ -25,6 +25,7 @@
 import org.junit.jupiter.api.extension.ExtensionContext;
 
 import java.util.List;
+import java.util.Map;
 
 import static io.strimzi.api.ResourceLabels.STRIMZI_KIND_LABEL;
 import static io.strimzi.api.ResourceLabels.STRIMZI_NAME_LABEL;
@@ -130,6 +131,79 @@ public static void allowNetworkPolicySettingsForBridgeScraper(String namespace,
         LOGGER.info("Network policy for LabelSelector {} successfully created", scraperLabelSelector);
     }
 
+    public static void allowNetworkPolicyBetweenScraperPodAndMatchingLabel(String namespaceName, String policyName, Map<String, String> matchLabels) {
+        if (Environment.DEFAULT_TO_DENY_NETWORK_POLICIES) {
+            LabelSelector scraperLabelSelector = new LabelSelectorBuilder()
+                .addToMatchLabels(TestConstants.SCRAPER_LABEL_KEY, TestConstants.SCRAPER_LABEL_VALUE)
+                .build();
+
+            LOGGER.info("Apply NetworkPolicy access to matching Pods: {} from Scraper Pod", matchLabels.toString());
+
+            NetworkPolicy networkPolicy = NetworkPolicyTemplates.networkPolicyBuilder(namespaceName, policyName, scraperLabelSelector)
+                .editSpec()
+                    .withNewPodSelector()
+                        .addToMatchLabels(matchLabels)
+                    .endPodSelector()
+                .endSpec()
+                .build();
+
+            ResourceManager.getInstance().createResourceWithWait(networkPolicy);
+        }
+    }
+
+    public static void allowNetworkPolicyAllIngressForMatchingLabel(String namespaceName, String policyName, Map<String, String> matchLabels) {
+        if (Environment.DEFAULT_TO_DENY_NETWORK_POLICIES) {
+            LOGGER.info("Apply NetworkPolicy with Ingress to accept all connections to the Pods matching labels: {}", matchLabels.toString());
+
+            NetworkPolicy networkPolicy = new NetworkPolicyBuilder()
+                .withApiVersion("networking.k8s.io/v1")
+                .withKind(TestConstants.NETWORK_POLICY)
+                .withNewMetadata()
+                    .withName(policyName)
+                    .withNamespace(namespaceName)
+                .endMetadata()
+                .editSpec()
+                    // keeping ingress empty to allow all connections
+                    .addNewIngress()
+                    .endIngress()
+                    .withNewPodSelector()
+                        .addToMatchLabels(matchLabels)
+                    .endPodSelector()
+                .endSpec()
+                .build();
+
+            ResourceManager.getInstance().createResourceWithWait(networkPolicy);
+        }
+    }
+
+    public static void allowNetworkPolicySettingsForWebhook(String namespaceName, String name, Map<String, String> matchLabels) {
+        if (Environment.DEFAULT_TO_DENY_NETWORK_POLICIES) {
+            LOGGER.info("Apply NetworkPolicy access to {} from all Pods", matchLabels.toString());
+
+            NetworkPolicy networkPolicy = new NetworkPolicyBuilder()
+                .withApiVersion("networking.k8s.io/v1")
+                .withKind(TestConstants.NETWORK_POLICY)
+                .withNewMetadata()
+                    .withName(name)
+                    .withNamespace(namespaceName)
+                .endMetadata()
+                .editSpec()
+                    // keeping ingress empty to allow all connections to the Keycloak Pod
+                    .addNewIngress()
+                        .addNewFrom()
+                            .withNamespaceSelector(new LabelSelector())
+                        .endFrom()
+                    .endIngress()
+                    .withNewPodSelector()
+                        .addToMatchLabels(matchLabels)
+                    .endPodSelector()
+                    .endSpec()
+                .build();
+
+            ResourceManager.getInstance().createResourceWithWait(networkPolicy);
+        }
+    }
+
     /**
      * Method for allowing network policies for Connect
      * @param resource mean Connect resource