[public-api] Add network policy to allow connections from proxy

Author: easyCZ

install/installer/pkg/components/public-api-server/networkpolicy.go

@@ -0,0 +1,55 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package public_api_server
+
+import (
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	networkingv1 "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+func networkpolicy(ctx *common.RenderContext) ([]runtime.Object, error) {
+	labels := common.DefaultLabels(Component)
+
+	return []runtime.Object{
+		&networkingv1.NetworkPolicy{
+			TypeMeta: common.TypeMetaNetworkPolicy,
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      Component,
+				Namespace: ctx.Namespace,
+				Labels:    labels,
+			},
+			Spec: networkingv1.NetworkPolicySpec{
+				PodSelector: metav1.LabelSelector{MatchLabels: labels},
+				PolicyTypes: []networkingv1.PolicyType{"Ingress"},
+				Ingress: []networkingv1.NetworkPolicyIngressRule{
+					{
+						Ports: []networkingv1.NetworkPolicyPort{
+							{
+								Protocol: common.TCPProtocol,
+								Port:     &intstr.IntOrString{IntVal: HTTPContainerPort},
+							},
+							{
+								Protocol: common.TCPProtocol,
+								Port:     &intstr.IntOrString{IntVal: GRPCContainerPort},
+							},
+						},
+						From: []networkingv1.NetworkPolicyPeer{
+							{
+								PodSelector: &metav1.LabelSelector{
+									MatchLabels: map[string]string{
+										"component": common.ProxyComponent,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}, nil
+}

install/installer/pkg/components/public-api-server/networkpolicy_test.go

@@ -0,0 +1,47 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.package public_api_server
+package public_api_server
+
+import (
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
+	"github.com/stretchr/testify/require"
+	networkingv1 "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"testing"
+)
+
+func TestNetworkPolicy(t *testing.T) {
+	objects, err := networkpolicy(renderContextWithPublicAPIEnabled(t))
+	require.NoError(t, err)
+	require.Len(t, objects, 1)
+
+	policy, ok := objects[0].(*networkingv1.NetworkPolicy)
+	require.Truef(t, ok, "must cast object to network policy")
+
+	ingress := policy.Spec.Ingress
+	require.Len(t, ingress, 1, "must have only one ingress rule")
+
+	require.Equal(t, networkingv1.NetworkPolicyIngressRule{
+		Ports: []networkingv1.NetworkPolicyPort{
+			{
+				Protocol: common.TCPProtocol,
+				Port:     &intstr.IntOrString{IntVal: HTTPContainerPort},
+			},
+			{
+				Protocol: common.TCPProtocol,
+				Port:     &intstr.IntOrString{IntVal: GRPCContainerPort},
+			},
+		},
+		From: []networkingv1.NetworkPolicyPeer{
+			{
+				PodSelector: &metav1.LabelSelector{
+					MatchLabels: map[string]string{
+						"component": common.ProxyComponent,
+					},
+				},
+			},
+		},
+	}, ingress[0])
+}

install/installer/pkg/components/public-api-server/objects.go

@@ -22,6 +22,7 @@ func Objects(ctx *common.RenderContext) ([]runtime.Object, error) {
 		rolebinding,
 		common.DefaultServiceAccount(Component),
 		service,
+		networkpolicy,
 	)(ctx)
 }