From 60cfa470b5ddca480fa1b30d6e336d99fcfd9809 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Wed, 9 Oct 2024 17:07:48 -0700
Subject: [PATCH] hack/prepare-for-integration-tests.sh has new option to firewall IDPs

---
 hack/prepare-for-integration-tests.sh | 90 ++++++++++++++++++++++++++-
 1 file changed, 89 insertions(+), 1 deletion(-)

diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh
index 338f212b1..0f1f3511c 100755
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
@@ -34,7 +34,7 @@ clean_kind=no
 api_group_suffix="pinniped.dev" # same default as in the values.yaml ytt file
 dockerfile_path=""
 get_active_directory_vars="" # specify a filename for a script to get AD related env variables
-get_github_vars="" # specify a filename for a script to get GitHub related env variables
+get_github_vars="" # specify a filename for a script to get GitHub related env variables
 alternate_deploy="undefined"
 pre_install="undefined"
 
@@ -319,6 +319,15 @@ service_https_nodeport_nodeport: $service_https_nodeport_nodeport
 service_https_clusterip_port: $service_https_clusterip_port
 EOF
 
+if [[ "${FIREWALL_IDPS:-no}" == "yes" ]]; then
+ # Configure the web proxy on the Supervisor pods. Note that .svc and .cluster.local are not included,
+ # so requests for things like dex.tools.svc.cluster.local will go through the web proxy.
+ cat <>"$data_values_file"
+https_proxy: "http://proxy.tools.svc.cluster.local:3128"
+no_proxy: "\$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost"
+EOF
+fi
+
 if [ "$alternate_deploy" != "undefined" ]; then
 log_note "The Pinniped Supervisor will be deployed with $alternate_deploy pinniped-supervisor $tag $registry_with_port $repo $data_values_file ..."
 $alternate_deploy pinniped-supervisor "$tag" $registry_with_port $repo $data_values_file
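Review bot: The `no_proxy` value added in this hunk is advisory only — it tells the Supervisor's HTTP client which hosts to reach without the proxy and restricts nothing — so the `169.254.169.254` entry deliberately keeps a direct path to the cloud metadata endpoint, which is exactly the destination an egress-firewall test should prove is blocked unless something in the Supervisor genuinely needs it. If it is needed, say why above the here-doc, e.g. `# no_proxy is only a client hint; enforcement is the firewall set up later in this script. 169.254.169.254 is exempted because …`; otherwise drop it. Only `https_proxy` is set, so a plain-`http://` IDP URL would skip the proxy and presumably hit the firewall — fine if intended, but worth a word in the same comment. As rendered here the redirection reads `cat <>"$data_values_file"`, which in bash opens the file read-write with no here-doc at all; if that is a transit artifact of `cat <<EOF >>"$data_values_file"` it can be ignored, otherwise the two YAML lines that follow are never written.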
@@ -354,6 +363,16 @@ image_tag: $tag
 discovery_url: $discovery_url
 EOF
 
+if [[ "${FIREWALL_IDPS:-no}" == "yes" ]]; then
+ # Configure the web proxy on the Concierge pods. Note that .svc and .cluster.local are not included,
+ # so requests for things like pinniped-supervisor-clusterip.supervisor.svc.cluster.local and
+ # local-user-authenticator.local-user-authenticator.svc will go through the web proxy.
+ cat <>"$data_values_file"
+https_proxy: "http://proxy.tools.svc.cluster.local:3128"
+no_proxy: "\$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost"
+EOF
+fi
+
 if [ "$alternate_deploy" != "undefined" ]; then
 log_note "The Pinniped Concierge will be deployed with $alternate_deploy pinniped-concierge $tag $registry_with_port $repo $data_values_file ..."
 $alternate_deploy pinniped-concierge "$tag" $registry_with_port $repo $data_values_file
@@ -366,6 +385,75 @@ else
 popd >/dev/null
 fi
 
+#
+ # Now that the everything is deployed, optionally firewall the Dex server, the local user authenticator server,
+ # and the GitHub API so that the Supervisor and Concierge cannot reach them directly. However, the Squid
+ # proxy server can reach them all, so the Supervisor and Concierge can reach them through the proxy.
+ #
+ if [[ "${FIREWALL_IDPS:-no}" == "yes" ]]; then
+ log_note "Setting up firewalls for the Supervisor and Concierge's outgoing TCP/UDP/SCTP network traffic..."
+ cat <
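Review bot: The proxy URL and `no_proxy` list in the Concierge hunk are repeated verbatim from the Supervisor block earlier in the patch, so the two will drift the next time one is edited; set them once under the same `FIREWALL_IDPS` guard (e.g. `firewall_https_proxy="http://proxy.tools.svc.cluster.local:3128"` and `firewall_no_proxy='$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost'`) and expand those in both here-docs. The `\$(KUBERNETES_SERVICE_HOST)` escape is presumably there so the literal `$(KUBERNETES_SERVICE_HOST)` lands in the YAML for Kubernetes to expand from the service environment variable rather than for this shell to expand; that is easy to "fix" by mistake, so pin it with `# Escaped on purpose: expanded by Kubernetes at pod start, not by this script.` The new switch is read from the `FIREWALL_IDPS` environment variable whereas the other settings visible here (`get_github_vars`, `alternate_deploy`) are plain script variables that look flag-driven; if the script has a usage block outside this patch, the new environment variable belongs in it.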