From 93a743765d5a01c425b615c6d735dffb6ca4acdb Mon Sep 17 00:00:00 2001
From: Erik Brakkee
Date: Sat, 4 Jan 2025 00:16:25 +0100
Subject: [PATCH] rules appear to be working.

---
 cmd/policygen/main.go | 5 +++-
 .../templates/netpol/namespace/jaeger.yaml | 17 ++++++++++++
 .../templates/netpol/namespace/linkerd.yaml | 1 -
 .../templates/netpol/namespace/monitored.yaml | 3 ++-
 .../templates/netpol/namespace/namespace.yaml | 2 +-
 cmd/policygen/templates/netpol/pod/pod.yaml | 26 ++++++++++++-------
 6 files changed, 40 insertions(+), 14 deletions(-)
 create mode 100644 cmd/policygen/templates/netpol/namespace/jaeger.yaml

diff --git a/cmd/policygen/main.go b/cmd/policygen/main.go
index c85224d..7d91731 100644
--- a/cmd/policygen/main.go
+++ b/cmd/policygen/main.go
@@ -76,5 +76,8 @@ func main() {
 },
 }
- cmd.Execute()
+ err = cmd.Execute()
+ if err != nil {
+ os.Exit(1)
+ }
 }
diff --git a/cmd/policygen/templates/netpol/namespace/jaeger.yaml b/cmd/policygen/templates/netpol/namespace/jaeger.yaml
new file mode 100644
index 0000000..975df16
--- /dev/null
+++ b/cmd/policygen/templates/netpol/namespace/jaeger.yaml
@@ -0,0 +1,17 @@
+{{- if not .Open }}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-jaeger # required for OCSP
+ namespace: {{ .Name }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: observability
+ {{- end }}
\ No newline at end of file
diff --git a/cmd/policygen/templates/netpol/namespace/linkerd.yaml b/cmd/policygen/templates/netpol/namespace/linkerd.yaml
index fdb0e70..f34bb31 100644
--- a/cmd/policygen/templates/netpol/namespace/linkerd.yaml
+++ b/cmd/policygen/templates/netpol/namespace/linkerd.yaml
@@ -24,7 +24,6 @@ spec:
 - namespaceSelector:
 matchLabels:
 kubernetes.io/metadata.name: monitoring
- # podSelector prometheus
 egress:
 - to:
 - namespaceSelector:
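Review bot: The new failure path at `os.Exit(1)` exits without reporting the error it just received, so unless cobra's own error printing is being relied on (SilenceErrors/SilenceUsage settings are not visible here) a failed policy generation leaves only an exit status and no message for the operator. Writing it first, `fmt.Fprintln(os.Stderr, err)` before `os.Exit(1)` (adding the `fmt` import if the file lacks it), keeps the non-zero status and records the cause; note that `os.Exit` also skips any deferred cleanup in main. Since `err` is assigned with `=`, its declaration and the rest of main's body lie outside the hunk.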
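Review bot: The egress rule in the new jaeger.yaml is broader than its name suggests: `podSelector: {}` selects every pod in the namespace and the single `to` entry carries only a namespaceSelector with no `ports`, so every pod may reach any pod on any port in the `observability` namespace, not just the Jaeger collector. Adding a `podSelector` for the collector pods under the namespaceSelector and a `ports:` list for the collector's listening port would keep the policy least-privilege. The `# required for OCSP` remark next to `name: allow-jaeger` also does not match a tracing rule and looks carried over from another template; it should state why this egress is needed. The file ends without a trailing newline, which is worth checking if the generator concatenates rendered templates into one stream.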
diff --git a/cmd/policygen/templates/netpol/namespace/monitored.yaml b/cmd/policygen/templates/netpol/namespace/monitored.yaml
index 9bf34e4..489481d 100644
--- a/cmd/policygen/templates/netpol/namespace/monitored.yaml
+++ b/cmd/policygen/templates/netpol/namespace/monitored.yaml
@@ -1,5 +1,6 @@
 {{- if not .Open }}
-
+---
+kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
 name: allow-monitoring
diff --git a/cmd/policygen/templates/netpol/namespace/namespace.yaml b/cmd/policygen/templates/netpol/namespace/namespace.yaml
index 2c1e013..ce52c32 100644
--- a/cmd/policygen/templates/netpol/namespace/namespace.yaml
+++ b/cmd/policygen/templates/netpol/namespace/namespace.yaml
@@ -1,6 +1,6 @@
-{{- if not .Open }}
 ---
+{{- if not .Open }}
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
diff --git a/cmd/policygen/templates/netpol/pod/pod.yaml b/cmd/policygen/templates/netpol/pod/pod.yaml
index 9e8d400..0496cff 100644
--- a/cmd/policygen/templates/netpol/pod/pod.yaml
+++ b/cmd/policygen/templates/netpol/pod/pod.yaml
@@ -1,10 +1,10 @@
 {{- define "ports" }}
- {{- range $port := . }}
- - port: {{ $port.Port }}
- {{- if $port.Protocol }}
- protocol: {{ $port.Protocol }}
- {{- end }}
- {{- end }}
+ {{- range $port := . }}
+ - port: {{ $port.Port }}
+ {{- if $port.Protocol }}
+ protocol: {{ $port.Protocol }}
+ {{- end }}
+ {{- end }}
 {{- end }}
 {{- define "peers" }}
 {{- range .Applications }}
@@ -24,6 +24,7 @@
 {{- end }}
 {{- define "networks" }}
 {{- range .Networks }}
+ {{- if .Network.CIDR }}
 - {{.Rule}}: # {{ .Network.Name }}
 - ipBlock:
@@ -31,11 +32,16 @@
 except:
 {{- range $except := .Network.Except }}
 - {{ $except }}
- {{- end }}
- {{- if .Ports }}
+ {{- end }}
+ {{- end }}
+ {{- if .Ports }}
+ {{- if .Network.CIDR }}
 ports:
- {{- template "ports" .Ports }}
- {{- end }}
+ {{- else }}
+ - ports:
+ {{- end }}
+ {{- template "ports" .Ports }}
+ {{- end }}
 {{- end }}
 {{- end }}
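Review bot: The namespace templates now place the `---` document separator differently: monitored.yaml (and the new jaeger.yaml) emit `---` inside `{{- if not .Open }}`, while the namespace.yaml hunk moves `---` above the conditional so an open namespace still renders a bare separator. A bare `---` is a valid empty YAML document, but the inconsistency makes it harder to see which rendering the generator and its consumers rely on; pick one ordering for all namespace templates. The added `kind: NetworkPolicy` suggests the monitored policy was previously rendered without a kind and would have been rejected on apply — if so, a test that renders each template and parses the output would catch the next omission before it reaches a cluster.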
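Review bot: In the `networks` template the `{{- else }}` branch that emits `- ports:` produces a rule element with ports but no `{{.Rule}}` peer list; in the NetworkPolicy API an absent to/from list matches every peer, so a network entry without a CIDR now renders as "allow these ports to or from anywhere", which reads as a silent widening of the policy rather than a deliberate any-network rule. If that is the intent, the template should say so next to the branch, e.g. `# no CIDR: rule applies to all peers`; if not, entries without a CIDR should be rejected at generation time instead of quietly widened. A network with neither a CIDR nor ports now emits nothing at all, also without any diagnostic. The `networks` definition begins in the previous hunk and its `range` closes here.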