Merge pull request #3611 from ti-afra/ingress-dex

add new ingress policy to dex for apiserver

pkg/render/common/meta/meta.go

@@ -119,6 +119,14 @@ func APIServerNamespace(v operatorv1.ProductVariant) string {
 	return "tigera-system"
 }
 
+// APIServerDeploymentName returns the deployment to use for the API server component.
+func APIServerDeploymentName(v operatorv1.ProductVariant) string {
+	if v == operatorv1.Calico {
+		return "calico-apiserver"
+	}
+	return "tigera-apiserver"
+}
+
 // GetResourceRequirements retrieves the component ResourcesRequirements from the installation. If it doesn't exist, it
 // returns an empty ResourceRequirements struct.
 func GetResourceRequirements(i *operatorv1.InstallationSpec, name operatorv1.ComponentName) corev1.ResourceRequirements {

pkg/render/common/networkpolicy/networkpolicy.go

@@ -23,6 +23,8 @@ import (
 
 	v3 "github.com/tigera/api/pkg/apis/projectcalico/v3"
 	"github.com/tigera/api/pkg/lib/numorstring"
+	operatorv1 "github.com/tigera/operator/api/v1"
+	"github.com/tigera/operator/pkg/render/common/meta"
 )
 
 const (
@@ -279,6 +281,10 @@ func (h *NetworkPolicyHelper) ManagerSourceEntityRule() v3.EntityRule {
 	return CreateSourceEntityRule(h.namespace("tigera-manager"), "tigera-manager")
 }
 
+func (h *NetworkPolicyHelper) APIServerSourceEntityRule(v operatorv1.ProductVariant) v3.EntityRule {
+	return CreateSourceEntityRule(h.namespace(meta.APIServerNamespace(v)), meta.APIServerDeploymentName(v))
+}
+
 func (h *NetworkPolicyHelper) PolicyRecommendationSourceEntityRule() v3.EntityRule {
 	return CreateSourceEntityRule(h.namespace("tigera-policy-recommendation"), "tigera-policy-recommendation")
 }

pkg/render/dex.go

@@ -115,7 +115,7 @@ func (c *dexComponent) Objects() ([]client.Object, []client.Object) {
 
 	objs := []client.Object{
 		CreateNamespace(DexObjectName, c.cfg.Installation.KubernetesProvider, PSSRestricted),
-		c.allowTigeraNetworkPolicy(),
+		c.allowTigeraNetworkPolicy(c.cfg.Installation.Variant),
 		networkpolicy.AllowTigeraDefaultDeny(DexNamespace),
 		c.serviceAccount(),
 		c.deployment(),
@@ -389,7 +389,7 @@ func (c *dexComponent) configMap() *corev1.ConfigMap {
 	}
 }
 
-func (c *dexComponent) allowTigeraNetworkPolicy() *v3.NetworkPolicy {
+func (c *dexComponent) allowTigeraNetworkPolicy(installationVariant operatorv1.ProductVariant) *v3.NetworkPolicy {
 	egressRules := []v3.Rule{}
 	egressRules = networkpolicy.AppendDNSEgressRules(egressRules, c.cfg.OpenShift)
 	egressRules = append(egressRules, []v3.Rule{
@@ -466,6 +466,12 @@ func (c *dexComponent) allowTigeraNetworkPolicy() *v3.NetworkPolicy {
 					Source:      networkpolicy.PrometheusSourceEntityRule,
 					Destination: dexIngressPortDestination,
 				},
+				{
+					Action:      v3.Allow,
+					Protocol:    &networkpolicy.TCPProtocol,
+					Source:      networkpolicy.DefaultHelper().APIServerSourceEntityRule(installationVariant),
+					Destination: dexIngressPortDestination,
+				},
 			},
 			Egress: egressRules,
 		},

pkg/render/testutils/expected_policies/dex.json

@@ -78,6 +78,19 @@
           "selector": "k8s-app == 'tigera-prometheus'",
           "namespaceSelector": "name == 'tigera-prometheus'"
         }
+      },
+      {
+        "action": "Allow",
+        "destination": {
+          "ports": [
+            5556
+          ]
+        },
+        "protocol": "TCP",
+        "source": {
+          "selector": "k8s-app == 'tigera-apiserver'",
+          "namespaceSelector": "projectcalico.org/name == 'tigera-system'"
+        }
       }
     ],
     "egress": [

pkg/render/testutils/expected_policies/dex_ocp.json

@@ -78,6 +78,19 @@
           "selector": "k8s-app == 'tigera-prometheus'",
           "namespaceSelector": "name == 'tigera-prometheus'"
         }
+      },
+      {
+        "action": "Allow",
+        "destination": {
+          "ports": [
+            5556
+          ]
+        },
+        "protocol": "TCP",
+        "source": {
+          "selector": "k8s-app == 'tigera-apiserver'",
+          "namespaceSelector": "projectcalico.org/name == 'tigera-system'"
+        }
       }
     ],
     "egress": [