[ST] Fix NetworkPolicies for Oauth tests (#9776)

Signed-off-by: Lukas Kral <[email protected]>

systemtest/src/main/java/io/strimzi/systemtest/resources/keycloak/SetupKeycloak.java

@@ -4,11 +4,18 @@
  */
 package io.strimzi.systemtest.resources.keycloak;
 
+import io.fabric8.kubernetes.api.model.LabelSelector;
+import io.fabric8.kubernetes.api.model.LabelSelectorBuilder;
 import io.fabric8.kubernetes.api.model.Secret;
 import io.fabric8.kubernetes.api.model.SecretBuilder;
+import io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicy;
+import io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyBuilder;
+import io.strimzi.systemtest.Environment;
+import io.strimzi.systemtest.TestConstants;
 import io.strimzi.systemtest.keycloak.KeycloakInstance;
 import io.strimzi.systemtest.resources.ResourceItem;
 import io.strimzi.systemtest.resources.ResourceManager;
+import io.strimzi.systemtest.templates.kubernetes.NetworkPolicyTemplates;
 import io.strimzi.systemtest.utils.kubeUtils.controllers.DeploymentUtils;
 import io.strimzi.systemtest.utils.kubeUtils.controllers.StatefulSetUtils;
 import io.strimzi.systemtest.utils.kubeUtils.objects.SecretUtils;
@@ -45,6 +52,9 @@ public class SetupKeycloak {
     public final static String PATH_TO_KEYCLOAK_PREPARE_SCRIPT = "../systemtest/src/test/resources/oauth2/prepare_keycloak_operator.sh";
     public final static String PATH_TO_KEYCLOAK_TEARDOWN_SCRIPT = "../systemtest/src/test/resources/oauth2/teardown_keycloak_operator.sh";
 
+    private static final String KEYCLOAK = "keycloak";
+    private static final String POSTGRES = "postgres";
+
     private static final Logger LOGGER = LogManager.getLogger(SetupKeycloak.class);
 
     public static void deployKeycloakOperator(final String deploymentNamespace, final String watchNamespace) {
@@ -66,8 +76,11 @@ public static void deleteKeycloakOperator(final String deploymentNamespace, fina
 
     public static KeycloakInstance deployKeycloakAndImportRealms(String namespaceName) {
         deployPostgres(namespaceName);
+        allowNetworkPolicyBetweenKeycloakAndPostgres(namespaceName);
         deployKeycloak(namespaceName);
+
         KeycloakInstance keycloakInstance = createKeycloakInstance(namespaceName);
+        allowNetworkPolicySettingsForKeycloak(namespaceName);
         importRealms(namespaceName, keycloakInstance);
 
         return keycloakInstance;
@@ -144,6 +157,51 @@ private static void importRealms(String keycloakNamespace, KeycloakInstance keyc
         });
     }
 
+    public static void allowNetworkPolicyBetweenKeycloakAndPostgres(String namespaceName) {
+        if (Environment.DEFAULT_TO_DENY_NETWORK_POLICIES) {
+            LabelSelector labelSelector = new LabelSelectorBuilder()
+                .addToMatchLabels(TestConstants.APP_POD_LABEL, KEYCLOAK)
+                .build();
+
+            LOGGER.info("Apply NetworkPolicy access to {} from Pods with LabelSelector {}", KEYCLOAK, labelSelector);
+
+            NetworkPolicy networkPolicy = NetworkPolicyTemplates.networkPolicyBuilder(namespaceName, KEYCLOAK + "-" + POSTGRES, labelSelector)
+                .editSpec()
+                    .withNewPodSelector()
+                       .addToMatchLabels(TestConstants.APP_POD_LABEL, POSTGRES)
+                    .endPodSelector()
+                .endSpec()
+                .build();
+
+            ResourceManager.getInstance().createResourceWithWait(networkPolicy);
+        }
+    }
+
+    public static void allowNetworkPolicySettingsForKeycloak(String namespaceName) {
+        if (Environment.DEFAULT_TO_DENY_NETWORK_POLICIES) {
+            LOGGER.info("Apply NetworkPolicy access to {} from all Pods", KEYCLOAK);
+
+            NetworkPolicy networkPolicy = new NetworkPolicyBuilder()
+                .withApiVersion("networking.k8s.io/v1")
+                .withKind(TestConstants.NETWORK_POLICY)
+                .withNewMetadata()
+                    .withName(KEYCLOAK + "-allow")
+                    .withNamespace(namespaceName)
+                .endMetadata()
+                .editSpec()
+                    // keeping ingress empty to allow all connections to the Keycloak Pod
+                    .addNewIngress()
+                    .endIngress()
+                    .withNewPodSelector()
+                        .addToMatchLabels(TestConstants.APP_POD_LABEL, KEYCLOAK)
+                    .endPodSelector()
+                .endSpec()
+                .build();
+
+            ResourceManager.getInstance().createResourceWithWait(networkPolicy);
+        }
+    }
+
     private static void deleteKeycloak(String namespaceName) {
         LOGGER.info("Deleting Keycloak in Namespace: {}", namespaceName);
         cmdKubeClient(namespaceName).delete(KEYCLOAK_INSTANCE_FILE_PATH);

systemtest/src/test/java/io/strimzi/systemtest/security/oauth/OauthPlainST.java

@@ -10,6 +10,7 @@
 import io.strimzi.api.kafka.model.common.metrics.JmxPrometheusExporterMetrics;
 import io.strimzi.api.kafka.model.common.metrics.JmxPrometheusExporterMetricsBuilder;
 import io.strimzi.api.kafka.model.connect.KafkaConnect;
+import io.strimzi.api.kafka.model.connect.KafkaConnectResources;
 import io.strimzi.api.kafka.model.kafka.KafkaResources;
 import io.strimzi.api.kafka.model.kafka.listener.GenericKafkaListenerBuilder;
 import io.strimzi.api.kafka.model.kafka.listener.KafkaListenerType;
@@ -34,6 +35,7 @@
 import io.strimzi.systemtest.resources.crd.KafkaNodePoolResource;
 import io.strimzi.systemtest.resources.crd.KafkaResource;
 import io.strimzi.systemtest.resources.crd.StrimziPodSetResource;
+import io.strimzi.systemtest.resources.kubernetes.NetworkPolicyResource;
 import io.strimzi.systemtest.storage.TestStorage;
 import io.strimzi.systemtest.templates.crd.KafkaBridgeTemplates;
 import io.strimzi.systemtest.templates.crd.KafkaConnectTemplates;
@@ -356,6 +358,9 @@ void testProducerConsumerConnectWithOauthMetrics() {
 
         resourceManager.createResourceWithWait(connect);
 
+        // Allow connections from scraper to Connect Pod when NetworkPolicies are set to denied by default
+        NetworkPolicyResource.allowNetworkPolicySettingsForResource(connect, KafkaConnectResources.componentName(oauthClusterName));
+
         final String kafkaConnectPodName = kubeClient().listPods(Environment.TEST_SUITE_NAMESPACE, oauthClusterName, Labels.STRIMZI_KIND_LABEL, KafkaConnect.RESOURCE_KIND).get(0).getMetadata().getName();
 
         KafkaConnectUtils.waitUntilKafkaConnectRestApiIsAvailable(Environment.TEST_SUITE_NAMESPACE, kafkaConnectPodName);
@@ -738,6 +743,9 @@ void testProducerConsumerBridgeWithOauthMetrics() {
             .endSpec()
             .build());
 
+        // Allow connections from scraper to Bridge pods when NetworkPolicies are set to denied by default
+        NetworkPolicyResource.allowNetworkPolicySettingsForBridgeScraper(Environment.TEST_SUITE_NAMESPACE, scraperPodName, KafkaBridgeResources.componentName(oauthClusterName));
+
         final String kafkaBridgePodName = kubeClient().listPods(Environment.TEST_SUITE_NAMESPACE, oauthClusterName, Labels.STRIMZI_KIND_LABEL, KafkaBridge.RESOURCE_KIND).get(0).getMetadata().getName();
         final String kafkaBridgeLogs = KubeClusterResource.cmdKubeClient(Environment.TEST_SUITE_NAMESPACE).execInCurrentNamespace(Level.DEBUG, "logs", kafkaBridgePodName).out();
         verifyOauthConfiguration(kafkaBridgeLogs);