Use control-plane selectors in network-policies and tests for now (#2218)

tmshort · web-flow · commit e0a2e1733271 · 2025-09-12T19:00:42.000Z
Until downstream is ready to use the "app.kubernetes.io/name" selector, continue to use the "control-plane" selector in the tests. Change the network-policies to use a "control-plane" selector (which is still on pods because the Deployment selector is immutable). This includes a revert of "Use old and new pod selectors during kustomize-to-helm transition" This reverts #2214 This reverts commit 6e22e2b.
diff --git a/helm/olmv1/templates/networkpolicy/networkpolicy-olmv1-system-catalogd-controller-manager.yml b/helm/olmv1/templates/networkpolicy/networkpolicy-olmv1-system-catalogd-controller-manager.yml
@@ -22,7 +22,7 @@ spec:
           protocol: TCP
   podSelector:
     matchLabels:
-      app.kubernetes.io/name: catalogd
+      control-plane: catalogd-controller-manager
   policyTypes:
     - Ingress
     - Egress
diff --git a/helm/olmv1/templates/networkpolicy/networkpolicy-olmv1-system-operator-controller-controller-manager.yml b/helm/olmv1/templates/networkpolicy/networkpolicy-olmv1-system-operator-controller-controller-manager.yml
@@ -18,7 +18,7 @@ spec:
           protocol: TCP
   podSelector:
     matchLabels:
-      app.kubernetes.io/name: operator-controller
+      control-plane: operator-controller-controller-manager
   policyTypes:
     - Ingress
     - Egress
diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml
@@ -40,7 +40,7 @@ spec:
           protocol: TCP
   podSelector:
     matchLabels:
-      app.kubernetes.io/name: catalogd
+      control-plane: catalogd-controller-manager
   policyTypes:
     - Ingress
     - Egress
@@ -82,7 +82,7 @@ spec:
           protocol: TCP
   podSelector:
     matchLabels:
-      app.kubernetes.io/name: operator-controller
+      control-plane: operator-controller-controller-manager
   policyTypes:
     - Ingress
     - Egress
diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml
@@ -40,7 +40,7 @@ spec:
           protocol: TCP
   podSelector:
     matchLabels:
-      app.kubernetes.io/name: catalogd
+      control-plane: catalogd-controller-manager
   policyTypes:
     - Ingress
     - Egress
@@ -82,7 +82,7 @@ spec:
           protocol: TCP
   podSelector:
     matchLabels:
-      app.kubernetes.io/name: operator-controller
+      control-plane: operator-controller-controller-manager
   policyTypes:
     - Ingress
     - Egress
diff --git a/manifests/standard-e2e.yaml b/manifests/standard-e2e.yaml
@@ -40,7 +40,7 @@ spec:
           protocol: TCP
   podSelector:
     matchLabels:
-      app.kubernetes.io/name: catalogd
+      control-plane: catalogd-controller-manager
   policyTypes:
     - Ingress
     - Egress
@@ -82,7 +82,7 @@ spec:
           protocol: TCP
   podSelector:
     matchLabels:
-      app.kubernetes.io/name: operator-controller
+      control-plane: operator-controller-controller-manager
   policyTypes:
     - Ingress
     - Egress
diff --git a/manifests/standard.yaml b/manifests/standard.yaml
@@ -40,7 +40,7 @@ spec:
           protocol: TCP
   podSelector:
     matchLabels:
-      app.kubernetes.io/name: catalogd
+      control-plane: catalogd-controller-manager
   policyTypes:
     - Ingress
     - Egress
@@ -82,7 +82,7 @@ spec:
           protocol: TCP
   podSelector:
     matchLabels:
-      app.kubernetes.io/name: operator-controller
+      control-plane: operator-controller-controller-manager
   policyTypes:
     - Ingress
     - Egress
diff --git a/test/e2e/metrics_test.go b/test/e2e/metrics_test.go
@@ -32,7 +32,7 @@ import (
 func TestOperatorControllerMetricsExportedEndpoint(t *testing.T) {
 	client := utils.FindK8sClient(t)
 	curlNamespace := createRandomNamespace(t, client)
-	componentNamespace := getComponentNamespace(t, client, operatorManagerSelector)
+	componentNamespace := getComponentNamespace(t, client, "control-plane=operator-controller-controller-manager")
 	metricsURL := fmt.Sprintf("https://operator-controller-service.%s.svc.cluster.local:8443/metrics", componentNamespace)
 
 	config := NewMetricsTestConfig(
@@ -52,7 +52,7 @@ func TestOperatorControllerMetricsExportedEndpoint(t *testing.T) {
 func TestCatalogdMetricsExportedEndpoint(t *testing.T) {
 	client := utils.FindK8sClient(t)
 	curlNamespace := createRandomNamespace(t, client)
-	componentNamespace := getComponentNamespace(t, client, catalogdManagerSelector)
+	componentNamespace := getComponentNamespace(t, client, "control-plane=catalogd-controller-manager")
 	metricsURL := fmt.Sprintf("https://catalogd-service.%s.svc.cluster.local:7443/metrics", componentNamespace)
 
 	config := NewMetricsTestConfig(
@@ -231,20 +231,16 @@ func createRandomNamespace(t *testing.T, client string) string {
 }
 
 // getComponentNamespace returns the namespace where operator-controller or catalogd is running
-func getComponentNamespace(t *testing.T, client string, selectors []string) string {
-	for _, selector := range selectors {
-		cmd := exec.Command(client, "get", "pods", "--all-namespaces", "--selector="+selector, "--output=jsonpath={.items[0].metadata.namespace}")
-		output, err := cmd.CombinedOutput()
-		if err != nil {
-			continue
-		}
-		namespace := string(bytes.TrimSpace(output))
-		if namespace != "" {
-			return namespace
-		}
+func getComponentNamespace(t *testing.T, client, selector string) string {
+	cmd := exec.Command(client, "get", "pods", "--all-namespaces", "--selector="+selector, "--output=jsonpath={.items[0].metadata.namespace}")
+	output, err := cmd.CombinedOutput()
+	require.NoError(t, err, "Error determining namespace: %s", string(output))
+
+	namespace := string(bytes.TrimSpace(output))
+	if namespace == "" {
+		t.Fatal("No namespace found for selector " + selector)
 	}
-	t.Fatalf("No namespace found for selectors: %v", selectors)
-	return ""
+	return namespace
 }
 
 func stdoutAndCombined(cmd *exec.Cmd) ([]byte, []byte, error) {
diff --git a/test/e2e/network_policy_test.go b/test/e2e/network_policy_test.go
@@ -20,17 +20,14 @@ import (
 
 const (
 	minJustificationLength        = 40
+	catalogdManagerSelector       = "control-plane=catalogd-controller-manager"
+	operatorManagerSelector       = "control-plane=operator-controller-controller-manager"
 	catalogdMetricsPort           = 7443
 	catalogdWebhookPort           = 9443
 	catalogServerPort             = 8443
 	operatorControllerMetricsPort = 8443
 )
 
-var (
-	catalogdManagerSelector = []string{"app.kubernetes.io/name=catalogd", "control-plane=catalogd-controller-manager"}
-	operatorManagerSelector = []string{"app.kubernetes.io/name=operator-controller", "control-plane=operator-controller-controller-manager"}
-)
-
 type portWithJustification struct {
 	port          []networkingv1.NetworkPolicyPort
 	justification string
@@ -91,7 +88,7 @@ var prometheuSpec = allowedPolicyDefinition{
 // Ref: https://docs.google.com/document/d/1bHEEWzA65u-kjJFQRUY1iBuMIIM1HbPy4MeDLX4NI3o/edit?usp=sharing
 var allowedNetworkPolicies = map[string]allowedPolicyDefinition{
 	"catalogd-controller-manager": {
-		selector:    metav1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/name": "catalogd"}},
+		selector:    metav1.LabelSelector{MatchLabels: map[string]string{"control-plane": "catalogd-controller-manager"}},
 		policyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress},
 		ingressRule: ingressRule{
 			ports: []portWithJustification{
@@ -119,7 +116,7 @@ var allowedNetworkPolicies = map[string]allowedPolicyDefinition{
 		},
 	},
 	"operator-controller-controller-manager": {
-		selector:    metav1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/name": "operator-controller"}},
+		selector:    metav1.LabelSelector{MatchLabels: map[string]string{"control-plane": "operator-controller-controller-manager"}},
 		policyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress},
 		ingressRule: ingressRule{
 			ports: []portWithJustification{
