diff --git a/src/pepr/operator/controllers/network/generate.ts b/src/pepr/operator/controllers/network/generate.ts
index d10cc48b7..fab3ab534 100644
--- a/src/pepr/operator/controllers/network/generate.ts
+++ b/src/pepr/operator/controllers/network/generate.ts
@@ -8,7 +8,7 @@ import { intraNamespace } from "./generators/intraNamespace";
 import { kubeAPI } from "./generators/kubeAPI";
 
 export function generate(namespace: string, policy: Allow): kind.NetworkPolicy {
- // Create a unique name for the NetworkPolicy based on the package name, index, direction, pod labels, and port
+ // Generate a unique name for the NetworkPolicy
 const name = generateName(policy);
 
 // Create the NetworkPolicy
@@ -112,9 +112,11 @@ export function generate(namespace: string, policy: Allow): kind.NetworkPolicy {
 }
 
 /**
- * Generates a unique name for the NetworkPolicy based on the description, direction, and combination of remote properties
+ * Generates a unique name for the NetworkPolicy based on the policy.
+ * Will use the description if it exists, otherwise it will use the
+ * direction and combination of remote properties.
 *
- * @param policy the name of the policy
+ * @param policy The policy to generate a name for
 */
 export function generateName(policy: Allow) {
 const name =
diff --git a/src/pepr/operator/controllers/network/policies.ts b/src/pepr/operator/controllers/network/policies.ts
index df2dbbedc..bbd042cd0 100644
--- a/src/pepr/operator/controllers/network/policies.ts
+++ b/src/pepr/operator/controllers/network/policies.ts
@@ -17,6 +17,7 @@ export async function networkPolicies(pkg: UDSPackage, namespace: string) {
 Log.debug(pkg.metadata, `Generating NetworkPolicies for generation ${generation}`);
 
+ // Create default policies
 const policies = [
 // All traffic must be explicitly allowed
 defaultDenyAll(namespace),
 
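Review bot: The rewritten TSDoc on generateName promises a unique name, but when a description is present the name can only be as unique as the caller's description, and nothing in the docstring tells callers that; generateName's body, which would show whether the description is sanitized for use as a Kubernetes object name, lies outside this hunk. I would state the contract explicitly, e.g. `* Callers must keep descriptions unique within a package; two policies with the same description resolve to the same name.` The rewritten `@param policy` line is fine.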
@@ -41,6 +42,9 @@ export async function networkPolicies(pkg: UDSPackage, namespace: string) {
 for (const expose of exposeList.filter(exp => !exp.advancedHTTP?.directResponse)) {
 const { gateway = Gateway.Tenant, port, selector = {}, targetPort } = expose;
 
+ // Use the same port as the VirtualService if targetPort is not set
+ const policyPort = targetPort ?? port;
+
 // Create the NetworkPolicy for the VirtualService
 const policy: Allow = {
 direction: Direction.Ingress,
@@ -49,9 +53,9 @@ export async function networkPolicies(pkg: UDSPackage, namespace: string) {
 remoteSelector: {
 app: `${gateway}-ingressgateway`,
 },
- // Use the same port as the VirtualService if targetPort is not set
- port: targetPort ?? port,
- description: `${Object.values(selector)} Istio ${gateway} gateway`,
+ port: policyPort,
+ // Use the port, selector, and gateway to generate a description for VirtualService derived policies
+ description: `${policyPort}-${Object.values(selector)} Istio ${gateway} gateway`,
 };
 
 // Generate the policy
@@ -74,7 +78,8 @@ export async function networkPolicies(pkg: UDSPackage, namespace: string) {
 app: "prometheus",
 },
 port: targetPort,
- description: `${Object.values(selector)} Metrics`,
+ // Use the targetPort and selector to generate a description for the ServiceMonitor derived policies
+ description: `${targetPort}-${Object.values(selector)} Metrics`,
 };
 // Generate the policy
 const generatedPolicy = generate(namespace, policy);
diff --git a/src/test/app-admin.yaml b/src/test/app-admin.yaml
index b9ebb1ecd..884401949 100644
--- a/src/test/app-admin.yaml
+++ b/src/test/app-admin.yaml
@@ -75,10 +75,10 @@ spec:
 name: httpbin
 resources:
 limits:
- cpu: 100m
- memory: 128Mi
+ cpu: 50m
+ memory: 64Mi
 requests:
- cpu: 100m
- memory: 128Mi
+ cpu: 50m
+ memory: 64Mi
 ports:
 - containerPort: 80
diff --git a/src/test/app-tenant.yaml b/src/test/app-tenant.yaml
index c0c531f81..3eb203b99 100644
--- a/src/test/app-tenant.yaml
+++ b/src/test/app-tenant.yaml
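Review bot: `Object.values(selector)` in the rewritten description drops the label keys, so two expose entries on the same gateway and port whose selectors differ only by key (say `{app: "x"}` versus `{version: "x"}`) yield identical descriptions even though their NetworkPolicies select different pods; if generateName (outside this hunk) uses the description verbatim as the name, the second generated policy would replace the first and that workload's ingress from the gateway would silently stop being allowed. The ServiceMonitor description in the @@ -74 hunk below has the same weakness. Building the segment from `Object.entries(selector).map(([k, v]) => k + "=" + v).join(",")` instead of `Object.values(selector)` keeps the name tied to what actually distinguishes the policy. The `selector = {}` default also produces an empty segment (`8080- Istio tenant gateway`), which deserves a one-line comment so the odd-looking name is not mistaken for a bug; networkPolicies's body continues outside the hunk.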
@@ -1,74 +1,93 @@
 apiVersion: v1
 kind: Namespace
 metadata:
- name: test-app
+ name: test-tenant-app
 ---
 apiVersion: uds.dev/v1alpha1
 kind: Package
 metadata:
- name: httpbin
- namespace: test-app
+ name: test-tenant-app
+ namespace: test-tenant-app
 spec:
 network:
 expose:
- - service: httpbin
+ - service: test-tenant-app
 selector:
- app: httpbin
+ app: test-tenant-app
 gateway: tenant
- host: demo
- port: 8000
- targetPort: 80
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: httpbin
- namespace: test-app
+ host: demo-8080
+ port: 8080
+ - service: test-tenant-app
+ selector:
+ app: test-tenant-app
+ gateway: tenant
+ host: demo-8081
+ port: 8081
 ---
 apiVersion: v1
 kind: Service
 metadata:
- name: httpbin
- namespace: test-app
+ name: test-tenant-app
+ namespace: test-tenant-app
 labels:
- app: httpbin
- service: httpbin
+ app: test-tenant-app
+ service: test-tenant-app
 spec:
 ports:
- - name: http
- port: 8000
- targetPort: 80
+ - name: port8080
+ port: 8080
+ targetPort: 8080
+ - name: port8081
+ port: 8081
+ targetPort: 8081
 selector:
- app: httpbin
+ app: test-tenant-app
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: httpbin
- namespace: test-app
+ name: http-echo-multi-port
+ namespace: test-tenant-app
 spec:
 replicas: 1
 selector:
 matchLabels:
- app: httpbin
- version: v1
+ app: test-tenant-app
 template:
 metadata:
 labels:
- app: httpbin
- version: v1
+ app: test-tenant-app
 spec:
- serviceAccountName: httpbin
 containers:
- - image: docker.io/kong/httpbin
+ - name: http-echo-port-8080
+ image: hashicorp/http-echo
+ imagePullPolicy: IfNotPresent
+ args:
+ - "-text=Hello from port 8080"
+ - "-status-code=200"
+ - "-listen=:8080"
+ resources:
+ limits:
+ cpu: 50m
+ memory: 64Mi
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ ports:
+ - containerPort: 8080
+ - name: http-echo-port-8081
+ image: hashicorp/http-echo
 imagePullPolicy: IfNotPresent
- name: httpbin
+ args:
+ - "-text=Hello from port 8081"
+ - "-status-code=200"
+ - "-listen=:8081"
 resources:
 limits:
- cpu: 100m
- memory: 128Mi
+ cpu: 50m
+ memory: 64Mi
 requests:
- cpu: 100m
- memory: 128Mi
+ cpu: 50m
+ memory: 64Mi
 ports:
- - containerPort: 80
+ - containerPort: 8081
diff --git a/src/test/tasks.yaml b/src/test/tasks.yaml
index 0a03c5324..c4ab3d4c2 100644
--- a/src/test/tasks.yaml
+++ b/src/test/tasks.yaml
@@ -19,8 +19,8 @@ tasks:
 wait:
 cluster:
 kind: Deployment
- name: httpbin
- namespace: test-app
+ name: http-echo-multi-port
+ namespace: test-tenant-app
 
 - description: Verify the admin app is accessible
 wait:
@@ -43,12 +43,19 @@ tasks:
 address: demo.admin.uds.dev/status/410
 code: 410
 
- - description: Verify the tenant app is accessible
+ - description: Verify the tenant app 8080 is accessible
 wait:
 network:
 protocol: https
- address: demo.uds.dev/status/202
- code: 202
+ address: demo-8080.uds.dev
+ code: 200
+
+ - description: Verify the tenant app 8081 is accessible
+ wait:
+ network:
+ protocol: https
+ address: demo-8081.uds.dev
+ code: 200
 
 - description: Verify podinfo is healthy
 wait:
diff --git a/src/test/zarf.yaml b/src/test/zarf.yaml
index 6d58271c6..725d5baa2 100644
--- a/src/test/zarf.yaml
+++ b/src/test/zarf.yaml
@@ -14,9 +14,9 @@ components:
 - name: app-tenant
 files:
 - "app-tenant.yaml"
 images:
- docker.io/kong/httpbin:latest
+ - hashicorp/http-echo:latest
 - name: podinfo
 required: true
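Review bot: Both new containers in app-tenant.yaml use `image: hashicorp/http-echo` with no tag, while the zarf.yaml hunk below packages `hashicorp/http-echo:latest`; an untagged or `latest` reference is mutable, so the fixture can change underneath the test suite and the image Zarf bundles may not be the one the Deployment resolves. Pin both places to the same immutable reference, e.g. `image: hashicorp/http-echo:<pinned-version>` here and the identical tag (or digest) in zarf.yaml's `images:` list. The hunk also removes the ServiceAccount and the Deployment's `serviceAccountName`, so the pods presumably now run as the namespace default account with its token automounted; since http-echo needs no API access, `automountServiceAccountToken: false` on the pod spec would be a cheap hardening for the fixture.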