Merge pull request #1961 from tmshort/add-np

openshift-merge-bot[bot] · web-flow · commit 7de7fae45594 · 2025-05-09T20:17:30.000Z
OPRUN-3883: Add NetworkPolicies to the list of resources
diff --git a/pkg/operator/resource/resourceapply/generic.go b/pkg/operator/resource/resourceapply/generic.go
@@ -9,6 +9,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	policyv1 "k8s.io/api/policy/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	storagev1 "k8s.io/api/storage/v1"
@@ -142,6 +143,12 @@ func ApplyDirectly(ctx context.Context, clients *ClientHolder, recorder events.R
 			} else {
 				result.Result, result.Changed, result.Error = ApplySecretImproved(ctx, client, recorder, t, cache)
 			}
+		case *networkingv1.NetworkPolicy:
+			if clients.kubeClient == nil {
+				result.Error = fmt.Errorf("missing kubeClient")
+			} else {
+				result.Result, result.Changed, result.Error = ApplyNetworkPolicy(ctx, clients.kubeClient.NetworkingV1(), recorder, t)
+			}
 		case *rbacv1.ClusterRole:
 			if clients.kubeClient == nil {
 				result.Error = fmt.Errorf("missing kubeClient")
@@ -295,6 +302,12 @@ func DeleteAll(ctx context.Context, clients *ClientHolder, recorder events.Recor
 			} else {
 				_, result.Changed, result.Error = DeleteSecret(ctx, client, recorder, t)
 			}
+		case *networkingv1.NetworkPolicy:
+			if clients.kubeClient == nil {
+				result.Error = fmt.Errorf("missing kubeClient")
+			} else {
+				_, result.Changed, result.Error = DeleteNetworkPolicy(ctx, clients.kubeClient.NetworkingV1(), recorder, t)
+			}
 		case *rbacv1.ClusterRole:
 			if clients.kubeClient == nil {
 				result.Error = fmt.Errorf("missing kubeClient")
diff --git a/pkg/operator/resource/resourceapply/networking.go b/pkg/operator/resource/resourceapply/networking.go
@@ -0,0 +1,59 @@
+package resourceapply
+
+import (
+	"context"
+
+	networkingv1 "k8s.io/api/networking/v1"
+	"k8s.io/apimachinery/pkg/api/equality"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	networkingclientv1 "k8s.io/client-go/kubernetes/typed/networking/v1"
+	"k8s.io/klog/v2"
+
+	"github.com/openshift/library-go/pkg/operator/events"
+	"github.com/openshift/library-go/pkg/operator/resource/resourcehelper"
+	"github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
+)
+
+// ApplyClusterRole merges objectmeta, does not worry about anything else
+func ApplyNetworkPolicy(ctx context.Context, client networkingclientv1.NetworkPoliciesGetter, recorder events.Recorder, required *networkingv1.NetworkPolicy) (*networkingv1.NetworkPolicy, bool, error) {
+	existing, err := client.NetworkPolicies(required.Namespace).Get(ctx, required.Name, metav1.GetOptions{})
+	if apierrors.IsNotFound(err) {
+		requiredCopy := required.DeepCopy()
+		actual, err := client.NetworkPolicies(required.Namespace).Create(
+			ctx, resourcemerge.WithCleanLabelsAndAnnotations(requiredCopy).(*networkingv1.NetworkPolicy), metav1.CreateOptions{})
+		resourcehelper.ReportCreateEvent(recorder, required, err)
+		return actual, true, err
+	}
+	if err != nil {
+		return nil, false, err
+	}
+
+	modified := false
+	existingCopy := existing.DeepCopy()
+
+	resourcemerge.EnsureObjectMeta(&modified, &existingCopy.ObjectMeta, required.ObjectMeta)
+	if equality.Semantic.DeepEqual(existingCopy.Spec, required.Spec) && !modified {
+		return existingCopy, false, nil
+	}
+
+	if klog.V(2).Enabled() {
+		klog.Infof("NetworkPolicy %q changes: %v", required.Name, JSONPatchNoError(existing, existingCopy))
+	}
+
+	actual, err := client.NetworkPolicies(existingCopy.Namespace).Update(ctx, existingCopy, metav1.UpdateOptions{})
+	resourcehelper.ReportUpdateEvent(recorder, required, err)
+	return actual, true, err
+}
+
+func DeleteNetworkPolicy(ctx context.Context, client networkingclientv1.NetworkPoliciesGetter, recorder events.Recorder, required *networkingv1.NetworkPolicy) (*networkingv1.NetworkPolicy, bool, error) {
+	err := client.NetworkPolicies(required.Namespace).Delete(ctx, required.Name, metav1.DeleteOptions{})
+	if err != nil && apierrors.IsNotFound(err) {
+		return nil, false, nil
+	}
+	if err != nil {
+		return nil, false, err
+	}
+	resourcehelper.ReportDeleteEvent(recorder, required, err)
+	return nil, true, nil
+}
diff --git a/pkg/operator/resource/resourceread/networking.go b/pkg/operator/resource/resourceread/networking.go
@@ -0,0 +1,26 @@
+package resourceread
+
+import (
+	networkingv1 "k8s.io/api/networking/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+var (
+	netScheme = runtime.NewScheme()
+	netCodecs = serializer.NewCodecFactory(netScheme)
+)
+
+func init() {
+	if err := networkingv1.AddToScheme(netScheme); err != nil {
+		panic(err)
+	}
+}
+
+func ReadNetworkPolicyV1OrDie(objBytes []byte) *networkingv1.NetworkPolicy {
+	requiredObj, err := runtime.Decode(coreCodecs.UniversalDecoder(networkingv1.SchemeGroupVersion), objBytes)
+	if err != nil {
+		panic(err)
+	}
+	return requiredObj.(*networkingv1.NetworkPolicy)
+}
diff --git a/pkg/operator/staticresourcecontroller/static_resource_controller.go b/pkg/operator/staticresourcecontroller/static_resource_controller.go
@@ -17,6 +17,7 @@ import (
 	"k8s.io/client-go/restmapper"
 
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	policyv1 "k8s.io/api/policy/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	storagev1 "k8s.io/api/storage/v1"
@@ -236,6 +237,8 @@ func (c *StaticResourceController) AddKubeInformers(kubeInformersByNamespace v1h
 				ret = ret.AddInformer(informer.Core().V1().ConfigMaps().Informer())
 			case *corev1.Secret:
 				ret = ret.AddInformer(informer.Core().V1().Secrets().Informer())
+			case *networkingv1.NetworkPolicy:
+				ret = ret.AddInformer(informer.Networking().V1().NetworkPolicies().Informer())
 			case *rbacv1.ClusterRole:
 				ret = ret.AddInformer(informer.Rbac().V1().ClusterRoles().Informer())
 			case *rbacv1.ClusterRoleBinding:
