Add missing annotation for skipjobs anduse service instead of applica…

…tion for dynamic ports (#514)
kartverket · Aug 19, 2024 · 40dd745 · 40dd745
1 parent 28198d1
commit 40dd745
Show file tree

Hide file tree

Showing 12 changed files with 152 additions and 11 deletions.
diff --git a/internal/controllers/common/reconciler.go b/internal/controllers/common/reconciler.go
@@ -184,13 +184,20 @@ func (r *ReconcilerBase) updateStatus(ctx context.Context, skipObj v1alpha1.SKIP
 	}
 }
 
-func (r *ReconcilerBase) getTargetApplication(ctx context.Context, appName string, namespace string) (*v1alpha1.Application, error) {
-	application := &v1alpha1.Application{}
-	if err := r.GetClient().Get(ctx, types.NamespacedName{Name: appName, Namespace: namespace}, application); err != nil {
+func (r *ReconcilerBase) getTargetApplicationPorts(ctx context.Context, appName string, namespace string) ([]networkingv1.NetworkPolicyPort, error) {
+	service := &corev1.Service{}
+	if err := r.GetClient().Get(ctx, types.NamespacedName{Name: appName, Namespace: namespace}, service); err != nil {
 		return nil, fmt.Errorf("error when trying to get target application: %w", err)
 	}
 
-	return application, nil
+	var servicePorts []networkingv1.NetworkPolicyPort
+
+	for _, port := range service.Spec.Ports {
+		servicePorts = append(servicePorts, networkingv1.NetworkPolicyPort{
+			Port: util.PointTo(intstr.FromInt32(port.Port)),
+		})
+	}
+	return servicePorts, nil
 }
 
 func (r *ReconcilerBase) UpdateAccessPolicy(ctx context.Context, obj v1alpha1.SKIPObject) {
@@ -225,11 +232,11 @@ func (r *ReconcilerBase) setPortsForRules(ctx context.Context, rules []podtypes.
 			}
 			namespace = namespaces.Items[0].Name
 		}
-		targetApp, err := r.getTargetApplication(ctx, rule.Application, namespace)
+		targetAppPorts, err := r.getTargetApplicationPorts(ctx, rule.Application, namespace)
 		if err != nil {
 			return err
 		}
-		rule.Ports = []networkingv1.NetworkPolicyPort{{Port: util.PointTo(intstr.FromInt32(int32(targetApp.Spec.Port)))}}
+		rule.Ports = targetAppPorts
 	}
 	return nil
 }
diff --git a/internal/controllers/skipjob.go b/internal/controllers/skipjob.go
@@ -151,7 +151,7 @@ func (r *SKIPJobReconciler) Reconcile(ctx context.Context, req reconcile.Request
 	for _, f := range resourceGeneration {
 		if err := f(reconciliation); err != nil {
 			rLog.Error(err, "failed to generate skipjob resource")
-			//At this point we don't have the gvk of the resource yet, so we can't set subresource status.
+			// At this point we don't have the gvk of the resource yet, so we can't set subresource status.
 			r.SetErrorState(ctx, skipJob, err, "failed to generate skipjob resource", "ResourceGenerationFailure")
 			return common.RequeueWithError(err)
 		}
@@ -208,13 +208,10 @@ func (r *SKIPJobReconciler) setSKIPJobDefaults(ctx context.Context, skipJob *ski
 
 func (r *SKIPJobReconciler) setResourceDefaults(resources []client.Object, skipJob *skiperatorv1alpha1.SKIPJob) error {
 	for _, resource := range resources {
-		if err := resourceutils.AddGVK(r.GetScheme(), resource); err != nil {
+		if err := r.SetSubresourceDefaults(resources, skipJob); err != nil {
 			return err
 		}
 		resourceutils.SetSKIPJobLabels(resource, skipJob)
-		if err := resourceutils.SetOwnerReference(skipJob, resource, r.GetScheme()); err != nil {
-			return err
-		}
 	}
 	return nil
 }

diff --git a/tests/application/access-policy/access-policy-istio-assert.yaml b/tests/application/access-policy/access-policy-istio-assert.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: access-policy-to-istio-app
+spec:
+  egress:
+    -  ports:
+         - port: 8080
+           protocol: TCP
+         - port: 15020
+           protocol: TCP
+       to:
+         - namespaceSelector:
+             matchLabels:
+               kubernetes.io/metadata.name: ns-with-istio
+           podSelector:
+             matchLabels:
+               app: istio-application
+  podSelector:
+    matchLabels:
+      app: access-policy-to-istio-app
+  policyTypes:
+    - Egress
diff --git a/tests/application/access-policy/access-policy-istio.yaml b/tests/application/access-policy/access-policy-istio.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ns-with-istio
+  labels:
+    istio.io/rev: asm-stable
+---
+apiVersion: skiperator.kartverket.no/v1alpha1
+kind: Application
+metadata:
+  name: istio-application
+  namespace: ns-with-istio
+spec:
+  image: image
+  port: 8080
+---
+apiVersion: skiperator.kartverket.no/v1alpha1
+kind: Application
+metadata:
+  name: access-policy-to-istio-app
+spec:
+  image: image
+  port: 8080
+  accessPolicy:
+    outbound:
+      rules:
+        - application: istio-application
+          namespace: ns-with-istio
diff --git a/tests/application/access-policy/chainsaw-test.yaml b/tests/application/access-policy/chainsaw-test.yaml
@@ -32,3 +32,8 @@ spec:
             file: bad-policy-assert.yaml
         - error:
             file: bad-policy-error.yaml
+    - try:
+        - apply:
+            file: access-policy-istio.yaml
+        - assert:
+            file: access-policy-istio-assert.yaml
diff --git a/tests/skipjob/access-policy-job/app-istio.yaml b/tests/skipjob/access-policy-job/app-istio.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ns-with-istio
+  labels:
+    istio.io/rev: asm-stable
+---
+apiVersion: skiperator.kartverket.no/v1alpha1
+kind: Application
+metadata:
+  name: istio-application
+  namespace: ns-with-istio
+spec:
+  image: image
+  port: 8080
+
diff --git a/tests/skipjob/access-policy-job/application.yaml b/tests/skipjob/access-policy-job/application.yaml
@@ -5,3 +5,4 @@ metadata:
 spec:
   image: image
   port: 8080
+---
diff --git a/tests/skipjob/access-policy-job/chainsaw-test.yaml b/tests/skipjob/access-policy-job/chainsaw-test.yaml
@@ -27,3 +27,10 @@ spec:
             file: skipjob-cron-assert.yaml
         - error:
             file: skipjob-cron-error.yaml
+    - try:
+        - apply:
+            file: app-istio.yaml
+        - apply:
+            file: netpol-istio.yaml
+        - assert:
+            file: netpol-istio-assert.yaml
diff --git a/tests/skipjob/access-policy-job/netpol-istio-assert.yaml b/tests/skipjob/access-policy-job/netpol-istio-assert.yaml
@@ -0,0 +1,36 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: istio-policy-job-skipjob
+  annotations:
+    argocd.argoproj.io/sync-options: "Prune=false"
+  labels:
+    app.kubernetes.io/managed-by: skiperator
+    skiperator.kartverket.no/controller: skipjob
+    skiperator.kartverket.no/skipjob: 'true'
+    skiperator.kartverket.no/skipjobName: istio-policy-job
+  ownerReferences:
+    - apiVersion: skiperator.kartverket.no/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: SKIPJob
+      name: istio-policy-job
+spec:
+  egress:
+    -  ports:
+         - port: 8080
+           protocol: TCP
+         - port: 15020
+           protocol: TCP
+       to:
+         - namespaceSelector:
+             matchLabels:
+               kubernetes.io/metadata.name: ns-with-istio
+           podSelector:
+             matchLabels:
+               app: istio-application
+  podSelector:
+    matchLabels:
+      app: istio-policy-job-skipjob
+  policyTypes:
+    - Egress
diff --git a/tests/skipjob/access-policy-job/netpol-istio.yaml b/tests/skipjob/access-policy-job/netpol-istio.yaml
@@ -0,0 +1,17 @@
+apiVersion: skiperator.kartverket.no/v1alpha1
+kind: SKIPJob
+metadata:
+  name: istio-policy-job
+spec:
+  container:
+    image: "perl:5.34.0"
+    command:
+      - "perl"
+      - "-Mbignum=bpi"
+      - "-wle"
+      - "print bpi(2000)"
+    accessPolicy:
+      outbound:
+        rules:
+          - application: istio-application
+            namespace: ns-with-istio
diff --git a/tests/skipjob/access-policy-job/skipjob-assert.yaml b/tests/skipjob/access-policy-job/skipjob-assert.yaml
@@ -2,6 +2,8 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: access-policy-job-skipjob
+  annotations:
+    argocd.argoproj.io/sync-options: "Prune=false"
   labels:
     app.kubernetes.io/managed-by: skiperator
     skiperator.kartverket.no/controller: skipjob

diff --git a/tests/skipjob/access-policy-job/skipjob-cron-assert.yaml b/tests/skipjob/access-policy-job/skipjob-cron-assert.yaml
@@ -39,6 +39,8 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: access-policy-cron-job-skipjob
+  annotations:
+    argocd.argoproj.io/sync-options: "Prune=false"
   ownerReferences:
     - apiVersion: skiperator.kartverket.no/v1alpha1
       blockOwnerDeletion: true