Resolve "networkpolicy-gateway template not handling multiple istio hosts correctly"

General MR

Summary

More issues with the network policies found in the related issue.

Relevant logs/screenshots

Check this thread.

Relates to #16 (closed)

added community-contribution kindbug priority3 statusdoing teamTools & Automation labels

assigned to @andrewshoell

Testing Notes:

In both before and after switch .bigbang.tempo.enabled between true and false. (before it should fail either way, after it should succeed either way.

Use this yaml file for the before and after, helm template wrapper chart -f override.yaml

bigbang:
  domain: bigbang.dev
  networkPolicies:
    enabled: true
  istio:
    enabled: true
    injection: "enabled"
  tempo:
    enabled: true
package:
  name: test
  namespace:
    name: test
  istio:
    injection: "enabled"
    hosts:
      - names:
          - test
        domain: dev.test
        gateways:
          - public
        destination:
          service: web
          port: 8080
      - names:
          - test-too
        domain: dev.test
        gateways:
          - public
        destination:
          service: server
          port: 8080

added 1 commit

• 158b3c40 - two small fixes to get the wrapper working again

Compare with previous version

added 1 commit

• 4e726c34 - docs bump

Compare with previous version

marked this merge request as ready

added statusreview label and removed statusdoing label

requested review from @ryan.j.garcia, @jfoster, @michaelmartin, @ben.francis, @chris.oconnell, and @nicole.dupree

I have been watching this issue from the first community report. Andrew's fix is good.

approved this merge request

approved this merge request

unapproved this merge request

Testing this issue I still run into issues with templating testing with multiple istio.hosts entries (and also NetworkPolicy resources...)

added 1 commit

• 80a85b55 - trying different line chomping to get this to work

Compare with previous version

marked this merge request as draft

added statusdoing label and removed statusreview label

added 1 commit

• 94ab816d - another attempt

Compare with previous version

added 1 commit

• bee57d0d - removing all of the chomps in the range

Compare with previous version

added 1 commit

• c9c8e986 - fixing an issue with a comment in the istio sidecar network policies and...

Compare with previous version

added 1 commit

• 0d2c5612 - fixing a clamping issue in the istio sidecar template

Compare with previous version

added 2 commits

• ed8413af - trying another fix for the template
• b0bf0daa - another try

Compare with previous version

added 1 commit

• 32cb08a4 - I think i found a seperate issue

Compare with previous version

added 1 commit

• 4efc6615 - more broken stuff with ranges

Compare with previous version

as i'm fixing things I'm finding more things that are broken with multiple hosts, custom authorization policies, and network policies

added 1 commit

• 902c7f76 - updating how the name is generated so it will be unique

Compare with previous version

ok, this seems to be working now

added 1 commit

• 75627fbb - fixing the naming on authorization policies as well

Compare with previous version

added 1 commit

• a964779e - fixing a copy paste error

Compare with previous version

added 1 commit

• 242e899a - fixing the ordering so it'll work

Compare with previous version

added 1 commit

• da7e7e7b - fixing the ordering so it'll work

Compare with previous version

Testing Instructions

Deploy with BB with the following yaml and you should see multiple network policies, authorization policies, and virtual services show up. Also deploying with tempo.enabled = true or false should work. NOTE: kyvernoPolicies currently has to be set to audit (or you can find a way to add exclusions to wrapper in the BB values.yaml) because github's podinfo doesn't pass all of the policies. Beyond deploying podinfo successfully, you should be able to reach it at podinfo.bigbang.dev.

kyvernoPolicies:
  values:
    validationFailureAction: "audit"

istio:
  enabled: true

# monitoring:
#   enabled: true

wrapper:
  git:
    repo: "https://repo1.dso.mil/big-bang/product/packages/wrapper.git"
    path: "chart"
    tag: null
    branch: "16-networkpolicy-gateway-template-not-handling-multiple-istio-hosts-correctly"

packages:
  podinfo:
    enabled: true
    sourceType: "git"
    git:
      repo: https://github.com/stefanprodan/podinfo.git
      path: charts/podinfo
      # tag: null
      # tag: 6.3.4
      # branch: main
      # existingSecret: ""
      # credentials:
      #   password: ""
      #   username: ""
    flux:
      timeout: 5m
    postRenderers: []
    # dependsOn:
    #   - name: monitoring
    #     namespace: bigbang
    wrapper:
      enabled: true
    values:
      replicaCount: 3
    istio:
      injection: "enabled"
      hardened:
        enabled: true
        matchLabels:
          app.kubernetes.io/name: podinfo
        customAuthorizationPolicies:
          - name: "allow-nothing-1"
            enabled: true
            spec: {}
          - name: "allow-nothing-2"
            enabled: true
            spec: {}
      hosts:
        - names:
            - "podinfo"
          gateways:
            - "public"
          destination:
            port: 9898
        - names:
            - test-too
          domain: dev.test
          gateways:
            - public
          destination:
            port: 9898
    network:
      additionalPolicies:
        - name: policy-1
          spec:
            podSelector:
              matchLabels:
                role: db
            policyTypes:
              - Ingress
              - Egress
            ingress:
              - from:
                  - ipBlock:
                      cidr: 172.17.0.0/16
                      except:
                        - 172.17.1.0/24
                  - namespaceSelector:
                      matchLabels:
                        project: myproject
                  - podSelector:
                      matchLabels:
                        role: frontend
                ports:
                  - protocol: TCP
                    port: 6379
        - name: policy-2
          spec:
            podSelector:
              matchLabels:
                role: frontend
            policyTypes:
              - Ingress
              - Egress
            ingress:
              - from:
                  - ipBlock:
                      cidr: 172.19.0.0/16
                      except:
                        - 172.19.1.0/24
                  - namespaceSelector:
                      matchLabels:
                        project: myproject
                  - podSelector:
                      matchLabels:
                        role: frontend
                ports:
                  - protocol: TCP
                    port: 9300

marked this merge request as ready

added statusreview label and removed statusdoing label

approved this merge request

changed milestone to %2.19.0

resolved all threads

mentioned in commit 204f03ec

merged

mentioned in merge request big-bang/bigbang!3664 (merged)