gitlab-org--gitlab-foss/lib/gitlab/kubernetes/cilium_network_policy.rb


# frozen_string_literal: true
module Gitlab
module Kubernetes
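class CiliumNetworkPolicy
  # Model of a Cilium `CiliumNetworkPolicy` Kubernetes resource.
  #
  # Instances are built either from a YAML manifest (`.from_yaml`) or from a
  # resource object returned by the Kubernetes client (`.from_resource`) and
  # are serialised back into a resource hash via `#resource`, which overrides
  # the implementation mixed in by `NetworkPolicyCommon`.
  include NetworkPolicyCommon
  extend ::Gitlab::Utils::Override

  API_VERSION = "cilium.io/v2"
  KIND = 'CiliumNetworkPolicy'

  # Manifests shipped with GitLab, keyed by policy name. Both select
  # endpoints carrying the `network-policy.gitlab.com/disabled_by: gitlab`
  # label. (Indentation of the YAML bodies was reconstructed; the heredocs
  # are `<<~`, so only relative indentation is significant.)
  PREDEFINED_POLICIES = {
    'allow-inbound-http' => <<~YAML.rstrip,
      apiVersion: cilium.io/v2
      kind: CiliumNetworkPolicy
      metadata:
        name: allow-inbound-http
      spec:
        endpointSelector:
          matchLabels:
            network-policy.gitlab.com/disabled_by: gitlab
        ingress:
        - toPorts:
          - ports:
            - port: '80'
            - port: '443'
    YAML
    'drop-outbound' => <<~YAML.rstrip
      apiVersion: cilium.io/v2
      kind: CiliumNetworkPolicy
      metadata:
        name: drop-outbound
      spec:
        endpointSelector:
          matchLabels:
            network-policy.gitlab.com/disabled_by: gitlab
        egress:
        - {}
    YAML
  }.freeze

  # We are modeling existing kubernetes resource and don't have
  # control over amount of parameters.
  # rubocop:disable Metrics/ParameterLists
  #
  # @param name [String] policy name (`metadata.name`)
  # @param namespace [String] target namespace (`metadata.namespace`)
  # @param selector [Hash, nil] `spec.endpointSelector`; `{}` when nil (see #selector)
  # @param ingress [Array, nil] `spec.ingress`
  # @param resource_version [String, nil] `metadata.resourceVersion`
  # @param description [String, nil] free-text description, emitted at the top level of the resource
  # @param labels [Hash, nil] `metadata.labels`
  # @param creation_timestamp [String, nil] `metadata.creationTimestamp` (read from the cluster, never written back)
  # @param egress [Array, nil] `spec.egress`
  # @param annotations [Hash, nil] `metadata.annotations`
  # @param environment_ids [Array<Integer>] GitLab environment ids associated with this policy
  def initialize(name:, namespace:, selector:, ingress:, resource_version: nil, description: nil, labels: nil, creation_timestamp: nil, egress: nil, annotations: nil, environment_ids: [])
    @name = name
    @description = description
    @namespace = namespace
    @labels = labels
    @creation_timestamp = creation_timestamp
    @selector = selector
    @resource_version = resource_version
    @ingress = ingress
    @egress = egress
    @annotations = annotations
    @environment_ids = environment_ids
  end
  # rubocop:enable Metrics/ParameterLists

  # Builds a policy from a YAML manifest supplied by a user.
  #
  # The manifest is untrusted, so it is parsed with `YAML.safe_load` and every
  # node the method touches is checked to be a Hash before it is indexed:
  # a manifest whose document is a scalar or list, or whose `metadata`/`spec`
  # is not a mapping, previously raised (`TypeError`/`NoMethodError`) instead
  # of being rejected. An empty document parses to `nil` and is rejected too.
  #
  # @param manifest [String, nil] YAML text
  # @return [CiliumNetworkPolicy, nil] nil when the manifest is missing,
  #   malformed, uses disallowed classes or aliases, or lacks `metadata`/`spec`
  def self.from_yaml(manifest)
    return unless manifest

    policy = YAML.safe_load(manifest, symbolize_names: true)
    return unless policy.is_a?(Hash)

    metadata = policy[:metadata]
    spec = policy[:spec]
    return unless metadata.is_a?(Hash) && spec.is_a?(Hash)

    new(
      name: metadata[:name],
      # `description` is a GitLab extension stored at the document root,
      # not under `metadata`.
      description: policy[:description],
      namespace: metadata[:namespace],
      annotations: metadata[:annotations],
      resource_version: metadata[:resourceVersion],
      labels: metadata[:labels],
      selector: spec[:endpointSelector],
      ingress: spec[:ingress],
      egress: spec[:egress]
    )
  rescue Psych::SyntaxError, Psych::DisallowedClass, Psych::BadAlias
    # Psych::BadAlias covers manifests using YAML aliases, which safe_load
    # refuses; it was previously left unrescued and escaped the caller.
    nil
  end

  # Builds a policy from a resource object as returned by the Kubernetes
  # client (hash-like with symbol keys; nested values respond to `to_h`).
  #
  # @param resource [#[], nil] cluster resource
  # @param environment_ids [Array<Integer>] GitLab environment ids to attach
  # @return [CiliumNetworkPolicy, nil] nil when the resource is missing or has no `metadata`/`spec`
  def self.from_resource(resource, environment_ids = [])
    return unless resource
    return if !resource[:metadata] || !resource[:spec]

    metadata = resource[:metadata]
    spec = resource[:spec].to_h

    new(
      name: metadata[:name],
      description: resource[:description],
      namespace: metadata[:namespace],
      annotations: metadata[:annotations]&.to_h,
      resource_version: metadata[:resourceVersion],
      labels: metadata[:labels]&.to_h,
      creation_timestamp: metadata[:creationTimestamp],
      selector: spec[:endpointSelector],
      ingress: spec[:ingress],
      egress: spec[:egress],
      environment_ids: environment_ids
    )
  end

  # Serialises the policy to a Kubernetes resource hash.
  #
  # @return [Hash] `apiVersion`, `kind`, `metadata`, `spec`, plus `description`
  #   at the top level when one is set
  override :resource
  def resource
    resource = {
      apiVersion: API_VERSION,
      kind: KIND,
      metadata: metadata,
      spec: spec
    }
    resource[:description] = description if description
    resource
  end

  private

  attr_reader :name, :description, :namespace, :labels, :creation_timestamp, :resource_version, :ingress, :egress, :annotations, :environment_ids

  # `spec.endpointSelector`; a nil selector is materialised as an empty
  # selector on first read.
  def selector
    @selector ||= {}
  end

  # `metadata` section: name and namespace always, optional keys only when
  # present (`creation_timestamp` is intentionally not written back).
  def metadata
    meta = { name: name, namespace: namespace }
    meta[:labels] = labels if labels
    meta[:resourceVersion] = resource_version if resource_version
    meta[:annotations] = annotations if annotations
    meta
  end

  # `spec` section with nil rule lists dropped.
  def spec
    {
      endpointSelector: selector,
      ingress: ingress,
      egress: egress
    }.compact
  end
end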
end
end