Merge branch 'main' into accesspolicy_status

kartverket · Aug 30, 2024 · 439be98 · 439be98
2 parents 583b339 + 0205584
commit 439be98
Show file tree

Hide file tree

Showing 4 changed files with 133 additions and 12 deletions.
diff --git a/internal/controllers/common/reconciler.go b/internal/controllers/common/reconciler.go
@@ -212,31 +212,44 @@ func (r *ReconcilerBase) UpdateAccessPolicy(ctx context.Context, obj v1alpha1.SK
 	}
 }
 
-func (r *ReconcilerBase) setPortsForRules(ctx context.Context, rules []podtypes.InternalRule, namespace string) error {
+func (r *ReconcilerBase) setPortsForRules(ctx context.Context, rules []podtypes.InternalRule, skipObjNamespace string) error {
 	for i := range rules {
 		rule := &rules[i]
 		if len(rule.Ports) != 0 {
 			continue
 		}
-		if rule.Namespace != "" {
-			namespace = rule.Namespace
-		} else if len(rule.NamespacesByLabel) != 0 {
+		var namespaceList []string
+		switch {
+		case rule.Namespace != "":
+			namespaceList = append(namespaceList, rule.Namespace)
+		case len(rule.NamespacesByLabel) != 0:
 			selector := metav1.LabelSelector{MatchLabels: rule.NamespacesByLabel}
-			selectorString, _ := metav1.LabelSelectorAsSelector(&selector)
+			selectorString, err := metav1.LabelSelectorAsSelector(&selector)
+			if err != nil {
+			    return err
+			}
 			namespaces := &corev1.NamespaceList{}
 			if err := r.GetClient().List(ctx, namespaces, &client.ListOptions{LabelSelector: selectorString}); err != nil {
 				return err
 			}
-			if len(namespaces.Items) > 1 || len(namespaces.Items) == 0 {
-				return fmt.Errorf("expected exactly one namespace, but found %d", len(namespaces.Items))
+			for _, ns := range namespaces.Items {
+				namespaceList = append(namespaceList, ns.Name)
 			}
-			namespace = namespaces.Items[0].Name
+		default:
+			namespaceList = append(namespaceList, skipObjNamespace)
 		}
-		targetAppPorts, err := r.getTargetApplicationPorts(ctx, rule.Application, namespace)
-		if err != nil {
-			return err
+
+		if len(namespaceList) == 0 {
+			return fmt.Errorf("expected namespace, but found none for rule %s", rule.Application)
+		}
+
+		for _, ns := range namespaceList {
+			targetAppPorts, err := r.getTargetApplicationPorts(ctx, rule.Application, ns)
+			if err != nil {
+				return err
+			}
+			rule.Ports = append(rule.Ports, targetAppPorts...)
 		}
-		rule.Ports = targetAppPorts
 	}
 	return nil
 }
diff --git a/tests/application/access-policy/chainsaw-test.yaml b/tests/application/access-policy/chainsaw-test.yaml
@@ -37,3 +37,8 @@ spec:
             file: access-policy-istio.yaml
         - assert:
             file: access-policy-istio-assert.yaml
+    - try:
+        - apply:
+            file: multiple-ns-same-label.yaml
+        - assert:
+            file: multiple-ns-same-label-assert.yaml
diff --git a/tests/application/access-policy/multiple-ns-same-label-assert.yaml b/tests/application/access-policy/multiple-ns-same-label-assert.yaml
@@ -0,0 +1,36 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: accesspolicy-app
+spec:
+  podSelector:
+    matchLabels:
+      app: accesspolicy-app
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              team: someteam
+          podSelector:
+            matchLabels:
+              app: app2
+      ports:
+        - port: 8085
+          protocol: TCP
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              team: ateam
+          podSelector:
+            matchLabels:
+              app: app
+      ports:
+        - port: 8080
+          protocol: TCP
+        - port: 8082
+          protocol: TCP
+
diff --git a/tests/application/access-policy/multiple-ns-same-label.yaml b/tests/application/access-policy/multiple-ns-same-label.yaml
@@ -0,0 +1,67 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ateam-main
+  labels:
+    team: ateam
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ateam-feat
+  labels:
+    team: ateam
+---
+apiVersion: skiperator.kartverket.no/v1alpha1
+kind: Application
+metadata:
+  name: app
+  namespace: ateam-main
+spec:
+  image: image
+  port: 8080
+---
+apiVersion: skiperator.kartverket.no/v1alpha1
+kind: Application
+metadata:
+  name: app
+  namespace: ateam-feat
+spec:
+  image: image
+  port: 8082
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ($namespace)
+  labels:
+    team: someteam
+---
+apiVersion: skiperator.kartverket.no/v1alpha1
+kind: Application
+metadata:
+  name: app2
+spec:
+  image: image
+  port: 8095
+---
+apiVersion: skiperator.kartverket.no/v1alpha1
+kind: Application
+metadata:
+  name: accesspolicy-app
+spec:
+  image: image
+  port: 8085
+  accessPolicy:
+    inbound:
+      rules:
+        - application: app2
+          namespacesByLabel:
+            team: someteam
+    outbound:
+      rules:
+        - application: app
+          namespacesByLabel:
+            team: ateam
+
+