ensure network policies for eventing mock

Author: kwiatekus

config/serverless/templates/ingress-network-policy.yaml

@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   namespace: {{ .Release.Namespace }}
-  name: {{ template "fullname" . }}.kyma-project.io--allow-to-registry
+  name: {{ template "fullname" . }}.kyma-project.io--allow-to-registry-port
 spec:
   podSelector:
     matchLabels:
@@ -12,9 +12,6 @@ spec:
   - Ingress
   ingress:
   - from:
-    # - podSelector:
-    #     matchLabels:
-    #       serverless.kyma-project.io/managed-by: function-controller
     ports:
     - protocol: TCP
       port: {{ .Values.global.registryServicePort }}

tests/serverless/internal/resources/networkpolicy/networkpolicy.go

@@ -0,0 +1,78 @@
+package networkpolicy
+
+import (
+	"context"
+
+	"github.com/kyma-project/serverless/tests/serverless/internal/utils"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	networkingv1 "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	networkingclient "k8s.io/client-go/kubernetes/typed/networking/v1"
+)
+
+const (
+	componentLabel = "component"
+)
+
+type NetworkPolicy struct {
+	name          string
+	namespace     string
+	networkingCli networkingclient.NetworkPolicyInterface
+	log           *logrus.Entry
+	spec          networkingv1.NetworkPolicySpec
+}
+
+func NewNetworkPolicy(name, namespace string, spec networkingv1.NetworkPolicySpec, networkPolicies networkingclient.NetworkPolicyInterface, log *logrus.Entry) NetworkPolicy {
+	return NetworkPolicy{
+		name:          name,
+		namespace:     namespace,
+		networkingCli: networkPolicies,
+		log:           log,
+		spec:          spec,
+	}
+}
+
+func (n NetworkPolicy) Create(spec networkingv1.NetworkPolicySpec) error {
+
+	networkPolicy := &networkingv1.NetworkPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      n.name,
+			Namespace: n.namespace,
+			Labels: map[string]string{
+				componentLabel: n.name,
+			},
+		},
+		Spec: spec,
+	}
+	_, err := n.networkingCli.Create(context.Background(), networkPolicy, metav1.CreateOptions{})
+	return errors.Wrapf(err, "while creating NetworkPolicy %s in namespace %s", n.name, n.namespace)
+}
+
+func (n NetworkPolicy) Delete() error {
+	return n.networkingCli.Delete(context.Background(), n.name, metav1.DeleteOptions{})
+}
+
+func (n NetworkPolicy) LogResource() error {
+	policy, err := n.Get()
+	if err != nil {
+		return err
+	}
+
+	out, err := utils.PrettyMarshall(policy)
+	if err != nil {
+		return err
+	}
+
+	n.log.Infof("%s", out)
+	return nil
+}
+
+func (n NetworkPolicy) Get() (*networkingv1.NetworkPolicy, error) {
+	u, err := n.networkingCli.Get(context.Background(), n.name, metav1.GetOptions{})
+	if err != nil {
+		return nil, errors.Wrapf(err, "while getting %s", n.name)
+	}
+
+	return u, nil
+}

tests/serverless/internal/resources/networkpolicy/steps.go

@@ -0,0 +1,102 @@
+package networkpolicy
+
+import (
+	"github.com/kyma-project/serverless/tests/serverless/internal/executor"
+	"github.com/sirupsen/logrus"
+	networkingv1 "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	networkingclient "k8s.io/client-go/kubernetes/typed/networking/v1"
+)
+
+type newNetworkPolicyStep struct {
+	name            string
+	namespace       string
+	networkPolicies []*NetworkPolicy
+	// resCli          *resources.Resource
+	log *logrus.Entry
+}
+
+// Cleanup implements executor.Step.
+func (n newNetworkPolicyStep) Cleanup() error {
+	for _, networkPolicy := range n.networkPolicies {
+		err := networkPolicy.Delete()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Name implements executor.Step.
+func (n newNetworkPolicyStep) Name() string {
+	return n.name
+}
+
+// OnError implements executor.Step.
+func (n newNetworkPolicyStep) OnError() error {
+	for _, networkPolicy := range n.networkPolicies {
+		err := networkPolicy.LogResource()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Run implements executor.Step.
+func (n newNetworkPolicyStep) Run() error {
+	for _, networkPolicy := range n.networkPolicies {
+		err := networkPolicy.Create(networkPolicy.spec)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+var _ executor.Step = newNetworkPolicyStep{}
+
+func CreateNetworkPoliciesStep(log *logrus.Entry, name, namespace string, networkCli networkingclient.NetworkPolicyInterface) executor.Step {
+
+	allowEgressFromMockSpec := networkingv1.NetworkPolicySpec{
+		PodSelector: metav1.LabelSelector{
+			MatchLabels: map[string]string{
+				"serverless.kyma-project.io/managed-by": "function-controller",
+			},
+		},
+		PolicyTypes: []networkingv1.PolicyType{
+			networkingv1.PolicyTypeEgress,
+		},
+		Egress: []networkingv1.NetworkPolicyEgressRule{
+			networkingv1.NetworkPolicyEgressRule{},
+		},
+	}
+
+	allowIngressToMockSpec := networkingv1.NetworkPolicySpec{
+		PodSelector: metav1.LabelSelector{
+			MatchLabels: map[string]string{
+				"app.kubernetes.io/name": "eventing-publisher-proxy",
+			},
+		},
+		PolicyTypes: []networkingv1.PolicyType{
+			networkingv1.PolicyTypeIngress,
+		},
+		Ingress: []networkingv1.NetworkPolicyIngressRule{
+			networkingv1.NetworkPolicyIngressRule{},
+		},
+	}
+
+	allowEgressFromMock := NewNetworkPolicy("allow-all-egress-from-eventing-mock", "kyma-system", allowEgressFromMockSpec, networkCli, log)
+	allowIngressToMock := NewNetworkPolicy("allow-all-ingress-from-eventing-mock", "kyma-system", allowIngressToMockSpec, networkCli, log)
+
+	return newNetworkPolicyStep{
+		name:      name,
+		namespace: namespace,
+		networkPolicies: []*NetworkPolicy{
+			&allowEgressFromMock,
+			&allowIngressToMock,
+		},
+		log: log,
+	}
+
+}

tests/serverless/internal/testsuite/cloud_events.go

@@ -10,6 +10,7 @@ import (
 	"github.com/kyma-project/serverless/tests/serverless/internal/executor"
 	"github.com/kyma-project/serverless/tests/serverless/internal/resources/function"
 	"github.com/kyma-project/serverless/tests/serverless/internal/resources/namespace"
+	"github.com/kyma-project/serverless/tests/serverless/internal/resources/networkpolicy"
 	"github.com/kyma-project/serverless/tests/serverless/internal/resources/runtimes"
 	"github.com/kyma-project/serverless/tests/serverless/internal/utils"
 
@@ -18,6 +19,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"k8s.io/client-go/dynamic"
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	networkingv1 "k8s.io/client-go/kubernetes/typed/networking/v1"
 	"k8s.io/client-go/rest"
 )
 
@@ -35,6 +37,11 @@ func FunctionCloudEventsTest(restConfig *rest.Config, cfg internal.Config, logf
 		return nil, errors.Wrap(err, "while creating k8s CoreV1Client")
 	}
 
+	networkingCli, err := networkingv1.NewForConfig(restConfig)
+	if err != nil {
+		return nil, errors.Wrap(err, "while creating k8s NetworkingV1Client")
+	}
+
 	python312Logger := logf.WithField(runtimeKey, "python312")
 	nodejs20Logger := logf.WithField(runtimeKey, "nodejs20")
 	nodejs22Logger := logf.WithField(runtimeKey, "nodejs22")
@@ -56,6 +63,7 @@ func FunctionCloudEventsTest(restConfig *rest.Config, cfg internal.Config, logf
 
 	return executor.NewSerialTestRunner(logf, "Runtime test",
 		namespace.NewNamespaceStep(logf, fmt.Sprintf("Create %s namespace", genericContainer.Namespace), genericContainer.Namespace, coreCli),
+		networkpolicy.CreateNetworkPoliciesStep(logf, "Create network policies for publisher proxy mock", "kyma-system", networkingCli.NetworkPolicies("kyma-system")),
 		function.CreateFunction(logf, publisherProxyMock, "Create publisher proxy mock", runtimes.PythonPublisherProxyMock()),
 		executor.NewParallelRunner(logf, "Fn tests",
 			executor.NewSerialTestRunner(python312Logger, "Python312 test",
@@ -79,33 +87,3 @@ func FunctionCloudEventsTest(restConfig *rest.Config, cfg internal.Config, logf
 		),
 	), nil
 }
-
-// Define those as part of this test:
-
-// kind: NetworkPolicy
-// apiVersion: networking.k8s.io/v1
-// metadata:
-//   namespace: kyma-system
-//   name: temp1
-// spec:
-//   podSelector:
-//     matchLabels:
-//       serverless.kyma-project.io/managed-by: function-controller
-//   policyTypes:
-//   - Egress
-//   egress:
-//   - {}
-// ---
-// apiVersion: networking.k8s.io/v1
-// kind: NetworkPolicy
-// metadata:
-//   namespace: kyma-system
-//   name: temp2
-// spec:
-//   podSelector:
-//     matchLabels:
-//       app.kubernetes.io/name: eventing-publisher-proxy
-//   policyTypes:
-//   - Ingress
-//   ingress:
-//   - {}