From d6c13068d048ee2041b65dca17cc1c3b416d3aff Mon Sep 17 00:00:00 2001 From: Julien Mailleret <8582351+jmlrt@users.noreply.github.com> Date: Wed, 17 Mar 2021 18:04:48 +0100 Subject: [PATCH] [elasticsearch] fix network policies http additional rules (#1111) * [elasticsearch] fix network policies http additional rules This commit fix http additional rules to use with `NetworkPolicies`. Fix #1106 * [elasticsearch] improve netpol tests This commit adds some small improvements in network policies tests: * update example Makefile to fix commands and use similar structure to other examples Makefiles * fix example values file extension * use different values for http and transport network policies in python test and example values to catch regressions where same values would be used for both --- elasticsearch/examples/networkpolicy/Makefile | 9 +++--- .../networkpolicy/{values.yml => values.yaml} | 16 +++++----- elasticsearch/templates/networkpolicy.yaml | 2 +- elasticsearch/tests/elasticsearch_test.py | 32 +++++++++---------- 4 files changed, 30 insertions(+), 29 deletions(-) rename elasticsearch/examples/networkpolicy/{values.yml => values.yaml} (68%) diff --git a/elasticsearch/examples/networkpolicy/Makefile b/elasticsearch/examples/networkpolicy/Makefile index 38dd40d3d..e7b20c51e 100644 --- a/elasticsearch/examples/networkpolicy/Makefile +++ b/elasticsearch/examples/networkpolicy/Makefile @@ -1,13 +1,14 @@ default: test + include ../../../helpers/examples.mk RELEASE := helm-es-networkpolicy +TIMEOUT := 1200s install: - helm upgrade --wait --timeout=600s --install $(RELEASE) --values ./values.yaml ../../ ; \ + helm upgrade --wait --timeout=$(TIMEOUT) --install --values values.yaml $(RELEASE) ../../ -restart: - helm upgrade --set terminationGracePeriod=121 --wait --timeout=600s --install $(RELEASE) --values ./values.yaml ../../ ; \ +test: install goss purge: - helm del --purge $(RELEASE) + helm del $(RELEASE) 
diff --git a/elasticsearch/examples/networkpolicy/values.yml b/elasticsearch/examples/networkpolicy/values.yaml similarity index 68% rename from elasticsearch/examples/networkpolicy/values.yml rename to elasticsearch/examples/networkpolicy/values.yaml index 2f8178529..1963d204f 100644 --- a/elasticsearch/examples/networkpolicy/values.yml +++ b/elasticsearch/examples/networkpolicy/values.yaml @@ -4,34 +4,34 @@ networkPolicy: explicitNamespacesSelector: # Accept from namespaces with all those different rules (from whitelisted Pods) matchLabels: - role: frontend + role: frontend-http matchExpressions: - - {key: role, operator: In, values: [frontend]} + - {key: role, operator: In, values: [frontend-http]} additionalRules: - podSelector: matchLabels: - role: frontend + role: frontend-http - podSelector: matchExpressions: - key: role operator: In values: - - frontend + - frontend-http transport: enabled: true allowExternal: true explicitNamespacesSelector: matchLabels: - role: frontend + role: frontend-transport matchExpressions: - - {key: role, operator: In, values: [frontend]} + - {key: role, operator: In, values: [frontend-transport]} additionalRules: - podSelector: matchLabels: - role: frontend + role: frontend-transport - podSelector: matchExpressions: - key: role operator: In values: - - frontend + - frontend-transport diff --git a/elasticsearch/templates/networkpolicy.yaml b/elasticsearch/templates/networkpolicy.yaml index 80c0c9ed4..62bb1bd7f 100644 --- a/elasticsearch/templates/networkpolicy.yaml +++ b/elasticsearch/templates/networkpolicy.yaml @@ -28,7 +28,7 @@ spec: namespaceSelector: {{ toYaml . | indent 12 }} {{- end }} -{{- with .Values.networkPolicy.transport.additionalRules }} +{{- with .Values.networkPolicy.http.additionalRules }} # Or from custom additional rules {{ toYaml . | indent 8 }} {{- end }} diff --git a/elasticsearch/tests/elasticsearch_test.py b/elasticsearch/tests/elasticsearch_test.py index 2fc4297af..dbda062ef 100755 
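Review bot: The rendered comment `# Or from custom additional rules` in the networkpolicy.yaml hunk does not name the values key that feeds the block, so a rendered manifest gives no hint when the wrong list is wired in; I would make it `# Or from custom additional rules (networkPolicy.http.additionalRules)`. The fix also changes effective ingress for existing releases. Peers listed only under `networkPolicy.transport.additionalRules` were previously rendered in this block and no longer will be, while `networkPolicy.http.additionalRules` entries that were ignored now start admitting traffic. The changelog or upgrade notes should tell operators to diff the rendered policy before and after upgrading. The enclosing policy spec starts and ends outside the hunk, so that this block belongs to the HTTP policy is inferred from the commit message.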
--- a/elasticsearch/tests/elasticsearch_test.py +++ b/elasticsearch/tests/elasticsearch_test.py @@ -1357,37 +1357,37 @@ def test_network_policy(): explicitNamespacesSelector: # Accept from namespaces with all those different rules (from whitelisted Pods) matchLabels: - role: frontend + role: frontend-http matchExpressions: - - {key: role, operator: In, values: [frontend]} + - {key: role, operator: In, values: [frontend-http]} additionalRules: - podSelector: matchLabels: - role: frontend + role: frontend-http - podSelector: matchExpressions: - key: role operator: In values: - - frontend + - frontend-http transport: enabled: true allowExternal: true explicitNamespacesSelector: matchLabels: - role: frontend + role: frontend-transport matchExpressions: - - {key: role, operator: In, values: [frontend]} + - {key: role, operator: In, values: [frontend-transport]} additionalRules: - podSelector: matchLabels: - role: frontend + role: frontend-transport - podSelector: matchExpressions: - key: role operator: In values: - - frontend + - frontend-transport """ r = helm_template(config) @@ -1402,16 +1402,16 @@ def test_network_policy(): }, "namespaceSelector": { "matchExpressions": [ - {"key": "role", "operator": "In", "values": ["frontend"]} + {"key": "role", "operator": "In", "values": ["frontend-http"]} ], - "matchLabels": {"role": "frontend"}, + "matchLabels": {"role": "frontend-http"}, }, }, - {"podSelector": {"matchLabels": {"role": "frontend"}}}, + {"podSelector": {"matchLabels": {"role": "frontend-http"}}}, { "podSelector": { "matchExpressions": [ - {"key": "role", "operator": "In", "values": ["frontend"]} + {"key": "role", "operator": "In", "values": ["frontend-http"]} ] } }, 
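Review bot: Nothing in test_network_policy records why the `http` and `transport` sections now carry different `role` values; the reason exists only in the commit message. A later cleanup could collapse them back to one value, and the test would again pass when the template reads the wrong section. I would add a comment beside the values, e.g. `# http and transport use different role values on purpose: a template reading the wrong section must fail this test`. The function starts before this hunk and continues past it, and the assertion statements are not visible here, so I am assuming they compare each policy's ingress list exactly.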
@@ -1424,16 +1424,16 @@ def test_network_policy(): }, "namespaceSelector": { "matchExpressions": [ - {"key": "role", "operator": "In", "values": ["frontend"]} + {"key": "role", "operator": "In", "values": ["frontend-transport"]} ], - "matchLabels": {"role": "frontend"}, + "matchLabels": {"role": "frontend-transport"}, }, }, - {"podSelector": {"matchLabels": {"role": "frontend"}}}, + {"podSelector": {"matchLabels": {"role": "frontend-transport"}}}, { "podSelector": { "matchExpressions": [ - {"key": "role", "operator": "In", "values": ["frontend"]} + {"key": "role", "operator": "In", "values": ["frontend-transport"]} ] } },