Merge pull request #4117 from marsteg/ms/issue-4100

georgethebeatle · web-flow · commit 007d5b4b32b2 · 2025-10-13T17:16:27.000+03:00
Issue 4100
diff --git a/helm/korifi/templates/calico-deny-apps-egress-policy.yaml b/helm/korifi/templates/calico-deny-apps-egress-policy.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.experimental.securityGroups.enabled }}
+apiVersion: crd.projectcalico.org/v1
+kind: GlobalNetworkPolicy
+metadata:
+  name: default.deny-apps-egress
+spec:
+  order: 100
+  namespaceSelector: has(korifi.cloudfoundry.org/space-guid)
+  types:
+  - Egress
+{{- end }}
diff --git a/scripts/assets/calico-allow-apps-egress-policy.yaml b/scripts/assets/calico-allow-apps-egress-policy.yaml
@@ -0,0 +1,26 @@
+apiVersion: crd.projectcalico.org/v1
+kind: GlobalNetworkPolicy
+metadata:
+  name: default.allow-apps-egress
+spec:
+  order: 10
+  namespaceSelector: has(korifi.cloudfoundry.org/space-guid)
+  types:
+  - Egress
+  egress:
+  - action: Allow
+    protocol: TCP
+    destination:
+      ports:
+      - 1:65535
+  - action: Allow
+    protocol: UDP
+    destination:
+      ports:
+      - 1:65535
+  - action: Allow
+    protocol: TCP
+    destination:
+      services:
+        name: localregistry-docker-registry
+        namespace: default
diff --git a/scripts/deploy-on-kind.sh b/scripts/deploy-on-kind.sh
@@ -122,7 +122,9 @@ function ensure_local_registry() {
 function install_dependencies() {
   pushd "${ROOT_DIR}" >/dev/null
   {
-    "${SCRIPT_DIR}/install-dependencies.sh" -i
+    "${SCRIPT_DIR}/install-dependencies.sh" \
+      --insecure-tls-metrics-server \
+      --install-vendored-calico
   }
   popd >/dev/null
 }
@@ -263,6 +265,10 @@ function create_cluster_builder() {
   kubectl wait --for=condition=ready clusterbuilder --all=true --timeout=15m
 }
 
+function allow_apps_egress() {
+  kubectl apply -f "$SCRIPT_DIR/assets/calico-allow-apps-egress-policy.yaml"
+}
+
 function main() {
   make -C "$ROOT_DIR" bin/yq
 
@@ -271,6 +277,7 @@ function main() {
   ensure_kind_cluster "$CLUSTER_NAME"
   ensure_local_registry
   install_dependencies
+  allow_apps_egress
   create_namespaces
   create_registry_secret
   deploy_korifi
diff --git a/scripts/install-dependencies.sh b/scripts/install-dependencies.sh
@@ -18,6 +18,8 @@ Usage:
 flags:
   -i, --insecure-tls-metrics-server
       (optional) Provide insecure TLS args to Metrics Server. This is useful for distributions such as Kind, Minikube, etc.
+  -c, --install-vendored-calico
+      (optional) Installed vendored calico. Useful for testing on Kind.
 EOF
   exit 1
 }
@@ -37,6 +39,10 @@ while [[ $# -gt 0 ]]; do
       INSECURE_TLS_METRICS_SERVER=true
       shift
       ;;
+    -c | --install-vendored-calico)
+      INSTALL_VENDORED_CALICO=true
+      shift
+      ;;
     *)
       echo -e "Error: Unknown flag: ${i/=*/}\n" >&2
       usage_text >&2
@@ -105,3 +111,24 @@ if ! kubectl get apiservice v1beta1.metrics.k8s.io >/dev/null 2>&1; then
     kubectl apply -f "$VENDOR_DIR/metrics-server-local"
   fi
 fi
+
+if [[ "${INSTALL_VENDORED_CALICO:-}" == "true" ]]; then
+  echo "********************"
+  echo " Installing Calico"
+  echo "********************"
+
+  kubectl apply -f "$VENDOR_DIR/calico/operator-crds.yaml" --server-side
+  kubectl apply -f "$VENDOR_DIR/calico/tigera-operator.yaml" --server-side
+
+  kubectl -n tigera-operator rollout status deployment/tigera-operator --watch=true
+
+  TEMP_FILES+=("$DEP_DIR/calico/custom-resources.yaml")
+  cp "$VENDOR_DIR/calico/custom-resources.yaml" "$DEP_DIR/calico/custom-resources.yaml"
+  kubectl apply -k "$DEP_DIR/calico"
+
+  while ! kubectl get ns calico-system >/dev/null 2>&1; do
+    sleep 1
+  done
+  kubectl -n calico-system rollout status deployment/whisker --watch=true
+  sleep 1
+fi
diff --git a/tests/assets/dorifi-golang/main.go b/tests/assets/dorifi-golang/main.go
@@ -32,6 +32,7 @@ func main() {
 	http.HandleFunc("/servicebindingroot", serviceBindingRootHandler)
 	http.HandleFunc("/servicebindings", serviceBindingsHandler)
 	http.HandleFunc("/exit", exitHandler)
+	http.HandleFunc("/outbound", outboundHandler)
 	http.HandleFunc("/log", logHandler)
 
 	port := os.Getenv("PORT")
@@ -86,6 +87,21 @@ func helloWorldHandler(arg string) func(w http.ResponseWriter, _ *http.Request)
 	}
 }
 
+func outboundHandler(w http.ResponseWriter, _ *http.Request) {
+	client := &http.Client{
+		Timeout: 2 * time.Second,
+	}
+	resp, err := client.Get("http://google.com/")
+	if err != nil {
+		http.Error(w, fmt.Sprintf("Failed to make outbound request: %v", err), http.StatusBadRequest)
+		return
+	}
+	defer resp.Body.Close()
+	w.WriteHeader(http.StatusOK)
+	fmt.Fprintln(w, "Outbound request to google.com was successful")
+	fmt.Fprintln(w, "Response status code:", resp.StatusCode)
+}
+
 func envJsonHandler(w http.ResponseWriter, _ *http.Request) {
 	envJson := map[string]string{}
 	env := os.Environ()
diff --git a/tests/dependencies/calico/kustomization.yaml b/tests/dependencies/calico/kustomization.yaml
@@ -0,0 +1,13 @@
+resources:
+  - custom-resources.yaml
+
+patches:
+  - patch: |-
+      - op: replace
+        path: /spec/calicoNetwork/ipPools/0/cidr
+        value: 10.244.0.0/16
+    target:
+      kind: Installation
+      group: operator.tigera.io
+      version: v1
+      name: default
diff --git a/tests/vendir.lock.yml b/tests/vendir.lock.yml
@@ -13,6 +13,12 @@ directories:
       tag: v1.19.0
       url: https://api.github.com/repos/cert-manager/cert-manager/releases/252689218
     path: cert-manager
+  - git:
+      commitTitle: Fix parent-release-branch
+      sha: 068c7aa62a62c7459c9ecbf929c92f2a6594f22d
+      tags:
+      - v3.30.3
+    path: calico
   - git:
       commitTitle: Update Contour Docker image to v1.33.0....
       sha: 3635b068e25d74b7089c272eefd6ccb6a08f2861
diff --git a/tests/vendir.yml b/tests/vendir.yml
@@ -20,6 +20,18 @@ directories:
       latest: true
       disableAutoChecksumValidation: true
       assetNames: ["cert-manager*.yaml"]
+  - path: calico
+    git:
+      url: https://github.com/projectcalico/calico
+      depth: 1
+      refSelection:
+        semver:
+          constraints: ">=3.30.2"
+    includePaths:
+      - manifests/operator-crds.yaml
+      - manifests/tigera-operator.yaml
+      - manifests/custom-resources.yaml
+    newRootPath: manifests
   - path: contour
     git:
       url: https://github.com/projectcontour/contour
diff --git a/tests/vendor/calico/custom-resources.yaml b/tests/vendor/calico/custom-resources.yaml
@@ -0,0 +1,42 @@
+# This section includes base Calico installation configuration.
+# For more information, see: https://docs.tigera.io/calico/latest/reference/installation/api#operator.tigera.io/v1.Installation
+apiVersion: operator.tigera.io/v1
+kind: Installation
+metadata:
+  name: default
+spec:
+  # Configures Calico networking.
+  calicoNetwork:
+    ipPools:
+    - name: default-ipv4-ippool
+      blockSize: 26
+      cidr: 192.168.0.0/16
+      encapsulation: VXLANCrossSubnet
+      natOutgoing: Enabled
+      nodeSelector: all()
+
+---
+
+# This section configures the Calico API server.
+# For more information, see: https://docs.tigera.io/calico/latest/reference/installation/api#operator.tigera.io/v1.APIServer
+apiVersion: operator.tigera.io/v1
+kind: APIServer
+metadata:
+  name: default
+spec: {}
+
+---
+
+# Configures the Calico Goldmane flow aggregator.
+apiVersion: operator.tigera.io/v1
+kind: Goldmane
+metadata:
+  name: default
+
+---
+
+# Configures the Calico Whisker observability UI.
+apiVersion: operator.tigera.io/v1
+kind: Whisker
+metadata:
+  name: default
diff --git a/tests/vendor/calico/operator-crds.yaml b/tests/vendor/calico/operator-crds.yaml
diff --git a/tests/vendor/calico/tigera-operator.yaml b/tests/vendor/calico/tigera-operator.yaml
