MLE-16811: Helm: Missing values for specifying Egress definition in Network Policy (#300)

* refactored nwtwork pol to handle ingress and egress both.;

Author: barkhachoithani

charts/templates/networkPolicy.yaml

@@ -6,15 +6,19 @@ metadata:
   namespace: {{ .Release.Namespace }}
 spec:
   podSelector:
-    matchLabels:
-      {{- include "marklogic.selectorLabels" . | nindent 6 }}
+    {{- if .Values.networkPolicy.podSelector }}
+    {{- toYaml .Values.networkPolicy.podSelector | nindent 4 }}
+    {{- end }}
   policyTypes:
-    - Ingress
-  ingress:
-    {{- if .Values.networkPolicy.customRules }}
-    - from:
-        {{- toYaml .Values.networkPolicy.customRules | nindent 8 }}
+    {{- range .Values.networkPolicy.policyTypes }}
+    - {{ . }}
     {{- end }}
-    - ports:
-        {{- toYaml .Values.networkPolicy.ports | nindent 8 }}
+  {{- if .Values.networkPolicy.ingress }}
+  ingress:
+    {{- toYaml .Values.networkPolicy.ingress | nindent 4 }}
+  {{- end }}
+  {{- if .Values.networkPolicy.egress }}
+  egress:
+    {{- toYaml .Values.networkPolicy.egress | nindent 4 }}
+  {{- end }}
 {{- end }}

charts/values.yaml

@@ -235,21 +235,35 @@ priorityClassName:  ""
 ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies
 networkPolicy:
   enabled: false
-  ## @param networkPolicy.customRules. Additional NetworkPolicy rules
-  ## Note that all rules are OR-ed.
-  customRules: {}
-    # - matchLabels:
-    #     - role: frontend
-    # - matchExpressions:
-    #     - key: role
-    #       operator: In
-    #       values:
-    #         - frontend
-  ## The endPort should be the last port exposed by an App Server
-  ports:
-    - port: 8000
-      endPort: 8020
-      protocol: TCP
+  podSelector: {}
+    # matchLabels:
+      # app: marklogic
+  policyTypes: []
+    # - Ingress
+    # - Egress
+  # ingress: 
+  #   - from:
+  #     - ipBlock:
+  #         cidr: ""
+  #         except: []
+  #     - namespaceSelector:
+  #         matchLabels:
+  #           project: marklogic
+  #     - podSelector:
+  #         matchLabels:
+  #           role: frontend
+  #   ## The endPort should be the last port exposed by an App Server
+  #     ports: 
+  #     # - port: 8000
+  #       # endPort: 8020
+  #       protocol: TCP
+  # egress: 
+  #   - to:
+  #     - ipBlock:
+  #         cidr: ""
+  #     ports:
+  #     - protocol: TCP
+  #       port: 8000
 
 ## Below are the security configuration at POD level, by default security will be enabled
 ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods

test/template/network_templ_test.go

@@ -1,6 +1,7 @@
 package template_test
 
 import (
+	"os"
 	"path/filepath"
 	"strings"
 	"testing"
@@ -21,17 +22,28 @@ func TestChartTemplateNetworkPolicyEnabled(t *testing.T) {
 	t.Log(helmChartPath, releaseName)
 	require.NoError(t, err)
 
+	imageRepo, repoPres := os.LookupEnv("dockerRepository")
+	imageTag, tagPres := os.LookupEnv("dockerVersion")
+	if !repoPres {
+		imageRepo = "progressofficial/marklogic-db"
+		t.Logf("No imageRepo variable present, setting to default value: " + imageRepo)
+	}
+
+	if !tagPres {
+		imageTag = "latest-11"
+		t.Logf("No imageTag variable present, setting to default value: " + imageTag)
+	}
+
 	// Set up the namespace; confirm that the template renders the expected value for the namespace.
 	namespaceName := "ml-" + strings.ToLower(random.UniqueId()) + "-network-policy"
 	t.Logf("Namespace: %s\n", namespaceName)
 
-	// Setup the args for helm install
+	// Setup the args for helm install using custom values.yaml file
 	options := &helm.Options{
+		ValuesFiles: []string{"../test_data/values/nwPolicy_templ_values.yaml"},
 		SetValues: map[string]string{
-			"image.repository":      "progressofficial/marklogic-db",
-			"image.tag":             "latest",
-			"persistence.enabled":   "false",
-			"networkPolicy.enabled": "true",
+			"image.repository": imageRepo,
+			"image.tag":        imageTag,
 		},
 		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
 	}
@@ -45,6 +57,6 @@ func TestChartTemplateNetworkPolicyEnabled(t *testing.T) {
 
 	// Verify the network policy type matches
 	networkPolicies := networkpolicy.Spec
-	expectedPolicyTypes := "Ingress"
-	require.Equal(t, string(networkPolicies.PolicyTypes[0]), expectedPolicyTypes)
+	require.Equal(t, string(networkPolicies.PolicyTypes[0]), "Ingress")
+	require.Equal(t, string(networkPolicies.PolicyTypes[1]), "Egress")
 }

test/test_data/values/nwPolicy_templ_values.yaml

@@ -0,0 +1,39 @@
+# This is a custom values files for template tests specific to TLS parameters
+replicaCount: 1  
+
+auth:
+  adminPassword: admin
+  adminUsername: admin
+
+terminationGracePeriod: 10
+
+persistence:
+  enabled: false
+
+networkPolicy:
+  enabled: true
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: marklogic
+      ports:
+        - protocol: TCP
+          port: 7997
+      namespaceSelector:
+        matchLabels:
+          name: marklogic
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app: marklogic
+      ports:
+        - protocol: TCP
+          port: 7997
+      namespaceSelector:
+        matchLabels:
+          name: marklogic