fix NPs and test script

b83c41db · bhearn7 · 4d1b8575 · b83c41db · b83c41db
Commit b83c41db authored Jun 30, 2021 by bhearn7
Showing with 27 additions and 22 deletions

chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml ...lates/bigbang/networkpolicies/allow-egress-from-pods.yaml +19 -18

chart/tests/scripts/test.sh chart/tests/scripts/test.sh +8 -4

No files found.
--- a/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml
@@ -22,8 +22,8 @@ spec:
        except:
        - 169.254.169.254/32
 ---
-# the catalog pod requires egress for:
-# - pulling images from registries
+# the catalog and analyzer pods requires egress for:
+# - making connections with registries
 # - optionally, communicating with an external db
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -43,19 +43,16 @@ spec:
        # ONLY Block requests to AWS metadata IP
        except:
        - 169.254.169.254/32
-# if an external db is enabled OR anchore enterprise is disabled, the policy engine pods will require egress to communicate with the db OR pull opensource feed data
-{{- if or (hasKey .Values.postgresql "enabled") (not .Values.anchoreEnterpriseGlobal.enabled) }}
-{{- if or (not .Values.postgresql.enabled) (not .Values.anchoreEnterpriseGlobal.enabled) }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-egress-from-policy-engine
+  name: allow-egress-from-analyzers
  namespace: {{ .Release.Namespace }}
 spec:
  podSelector:
    matchLabels:
-      component: policy
+      component: analyzer
  policyTypes:
  - Egress
  egress:
@@ -65,20 +62,19 @@ spec:
        # ONLY Block requests to AWS metadata IP
        except:
        - 169.254.169.254/32
-{{- end }}
-{{- end }}
-# if anchore enterprise is enabled, the enterprise feeds pod will require egress to pull enterprise feed data
-{{- if .Values.anchoreEnterpriseGlobal.enabled }}
+{{- if or (hasKey .Values.postgresql "enabled") (not .Values.anchoreEnterpriseGlobal.enabled) }}
+{{- if or (not .Values.postgresql.enabled) (not .Values.anchoreEnterpriseGlobal.enabled) }}
 ---
+# if an external db is enabled OR anchore enterprise is disabled, the policy engine pods will require egress to communicate with the db OR pull opensource feed data
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-egress-from-feeds-service
+  name: allow-egress-from-policy-engine
  namespace: {{ .Release.Namespace }}
 spec:
  podSelector:
    matchLabels:
-      component: enterprise-feeds
+      component: policy
  policyTypes:
  - Egress
  egress:
@@ -89,10 +85,11 @@ spec:
        except:
        - 169.254.169.254/32
 {{- end }}
-# if an external db is enabled, the simplequeue and analyzer pods will require egress to communicate with the db
+{{- end }}
 {{- if hasKey .Values.postgresql "enabled" }}
 {{- if (not .Values.postgresql.enabled) }}
 ---
+# if an external db is enabled, the simplequeue pod will require egress to communicate with the db
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -111,16 +108,20 @@ spec:
        # ONLY Block requests to AWS metadata IP
        except:
        - 169.254.169.254/32
+{{- end }}
+{{- end }}
+{{- if .Values.anchoreEnterpriseGlobal.enabled }}
 ---
+# if anchore enterprise is enabled, the enterprise feeds pod will require egress to pull enterprise feed data
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-egress-from-analyzers
+  name: allow-egress-from-feeds-service
  namespace: {{ .Release.Namespace }}
 spec:
  podSelector:
    matchLabels:
-      component: analyzer
+      component: enterprise-feeds
  policyTypes:
  - Egress
  egress:
@@ -131,10 +132,10 @@ spec:
        except:
        - 169.254.169.254/32
 {{- end }}
-{{- end }}
-# if external redis is enabled, the ui pod will require egress
 {{- if and (hasKey (index .Values "anchore-ui-redis") "enabled") }}
 {{- if and (not (index .Values "anchore-ui-redis" "enabled")) .Values.anchoreEnterpriseGlobal.enabled }}
+---
+# if external redis is enabled, the ui pod will require egress as it depends on redis
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:

--- a/chart/tests/scripts/test.sh
+++ b/chart/tests/scripts/test.sh
@@ -11,7 +11,8 @@ status=$(anchore-cli --debug system status 2>&1)

 # IF status code is 200 AND all services are up
 if [[ ${status} =~ "httpcode from response: 200" && ${status} =~ "analyzer:8084): up" && ${status} =~ "simplequeue:8083): up" && ${status} =~ "policy:8087): up" && ${status} =~ "api:8228): up" && ${status} =~ "catalog:8082): up" ]]; then
-  echo "200 OK - all services up!"
+  echo ${status}
+  echo "***** 200 OK - all services up! *****"
 else
  echo ${status}
  sleep 10
@@ -23,7 +24,8 @@ add=$(anchore-cli --debug image add docker.io/library/centos:latest 2>&1)

 # IF status code is 200
 if [[ ${add} =~ "httpcode from response: 200" ]]; then
-  echo "200 OK - image analysis initiated!"
+  echo ${add}
+  echo "***** 200 OK - image analysis initiated! *****"
 else
  echo ${add}
  sleep 10
@@ -35,7 +37,8 @@ wait=$(anchore-cli --debug image wait docker.io/library/centos:latest 2>&1)

 # IF status code is 200
 if [[ ${wait} =~ "httpcode from response: 200" ]]; then
-  echo "200 OK - image analysis completed!"
+  echo ${wait}
+  echo "***** 200 OK - image analysis completed! *****"
 else
  echo ${wait}
  sleep 10
@@ -48,7 +51,8 @@ list=$(anchore-cli --debug image list 2>&1)

 # IF status code is 200
 if [[ ${list} =~ "httpcode from response: 200" ]]; then
-  echo "200 OK - image analysis stored!"
+  echo ${list}
+  echo "***** 200 OK - image analysis stored! *****"
 else
  echo ${list}
  sleep 10