Set a network policy for the discover pod too

2024-08-16 23:30:22 +03:00 · 2024-06-07 02:34:13 -07:00 · 2024-06-07 02:34:13 -07:00 · 7ec3e785da
commit 7ec3e785da
parent 2d51abb970
1 changed files with 32 additions and 6 deletions
--- a/sandwich-contexts-kubernetes/lib/Test/Sandwich/Contexts/Kubernetes/MinioS3Server.hs
+++ b/sandwich-contexts-kubernetes/lib/Test/Sandwich/Contexts/Kubernetes/MinioS3Server.hs
@ -36,6 +36,7 @@ import Test.Sandwich.Contexts.Waits
 import UnliftIO.Environment
 import UnliftIO.Exception
 import UnliftIO.Process
+import UnliftIO.Timeout


 -- | Introduce a MinIO server on a Kubernetes cluster.
@ -134,10 +135,12 @@ withK8SMinioS3Server' kubectlBinary kubectlMinioBinary (KubernetesClusterContext
                                             ]

  let createNetworkPolicy = do
-        let (policyName, yaml) = networkPolicy deploymentName
+        let (policyName, discoverPodPolicyName, yaml) = networkPolicy deploymentName
        runWithKubeConfig' kubectlBinary ["create", "--namespace", toString namespace, "-f", "-"] yaml
-        pure policyName
-  let destroyNetworkPolicy policyName = runWithKubeConfig kubectlBinary ["delete", "NetworkPolicy", policyName, "--namespace", toString namespace]
+        pure (policyName, discoverPodPolicyName)
+  let destroyNetworkPolicy (policyName, discoverPodPolicyName) = do
+        runWithKubeConfig kubectlBinary ["delete", "NetworkPolicy", policyName, "--namespace", toString namespace]
+        runWithKubeConfig kubectlBinary ["delete", "NetworkPolicy", discoverPodPolicyName, "--namespace", toString namespace]

  -- TODO: create network policy allowing ingress/egress for v1.min.io/tenant = deploymentName
  bracket createNetworkPolicy destroyNetworkPolicy $ \_ -> bracket_ create destroy $ do
@ -171,10 +174,13 @@ withK8SMinioS3Server' kubectlBinary kubectlMinioBinary (KubernetesClusterContext
                                         , "--restart=Never"
                                         , "--command"
                                         , "--namespace", toString namespace
+                                         , "--labels=app=discover-pod"
                                         , "--"
                                         , "sh", "-c", [i|until nc -vz minio 80; do echo "Waiting for minio..."; sleep 3; done;|]
                                         ]) { env = Just env })
-      waitForProcess p >>= (`shouldBe` ExitSuccess)
+      timeout 300_000_000 (waitForProcess p >>= (`shouldBe` ExitSuccess)) >>= \case
+        Just () -> return ()
+        Nothing -> expectationFailure [i|Failed to wait for minio to come online.|]

    info [__i|Ready to try port-forward:
              export KUBECONFIG=#{kubernetesClusterKubeConfigPath}
@ -204,10 +210,11 @@ withK8SMinioS3Server' kubectlBinary kubectlMinioBinary (KubernetesClusterContext
      void $ action testServ


-networkPolicy :: Text -> (String, String)
-networkPolicy deploymentName = (policyName, yaml)
+networkPolicy :: Text -> (String, String, String)
+networkPolicy deploymentName = (policyName, discoverPodPolicyName, yaml)
  where
    policyName = "minio-allow"
+    discoverPodPolicyName = "discover-pod-allow"

    yaml = [__i|apiVersion: networking.k8s.io/v1
                kind: NetworkPolicy
@ -225,6 +232,25 @@ networkPolicy deploymentName = (policyName, yaml)
                  ingress:
                  - {}

+                  egress:
+                  - {}
+                ---
+                apiVersion: networking.k8s.io/v1
+                kind: NetworkPolicy
+                metadata:
+                  name: #{discoverPodPolicyName}
+                spec:
+                  podSelector:
+                    matchLabels:
+                      app: discover-pod
+
+                  policyTypes:
+                  - Ingress
+                  - Egress
+
+                  ingress:
+                  - {}
+
                  egress:
                  - {}
                |]