SKIP-1512 - Generate network policy if external rule is ip (#596)

* SKIP-1512 - Generate network policy if external rule is ip

* review

internal/controllers/application.go

@@ -283,7 +283,7 @@ func (r *ApplicationReconciler) finalizeApplication(application *skiperatorv1alp
 		ctrlutil.RemoveFinalizer(application, applicationFinalizer)
 		err := r.GetClient().Update(ctx, application)
 		if err != nil {
-			return fmt.Errorf("Something went wrong when trying to finalize application. %w", err)
+			return fmt.Errorf("something went wrong when trying to finalize application. %w", err)
 		}
 	}
 

pkg/resourcegenerator/networkpolicy/dynamic/common.go

@@ -5,9 +5,11 @@ import (
 	"github.com/kartverket/skiperator/api/v1alpha1/podtypes"
 	"github.com/kartverket/skiperator/pkg/reconciliation"
 	"github.com/kartverket/skiperator/pkg/util"
+	v1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"net"
 	"slices"
 	"strings"
 )
@@ -93,9 +95,41 @@ func getEgressRules(accessPolicy *podtypes.AccessPolicy, appNamespace string) []
 		egressRules = append(egressRules, getEgressRule(rule, appNamespace))
 	}
 
+	for _, externalRule := range accessPolicy.Outbound.External {
+		if externalRule.Ports == nil || externalRule.Ip == "" || net.ParseIP(externalRule.Ip) == nil {
+			continue
+		}
+		egressRules = append(egressRules, getIPExternalRule(externalRule))
+	}
+
 	return egressRules
 }
 
+func getIPExternalRule(externalRule podtypes.ExternalRule) networkingv1.NetworkPolicyEgressRule {
+	externalRuleForIP := networkingv1.NetworkPolicyEgressRule{
+		To: []networkingv1.NetworkPolicyPeer{
+			{
+				IPBlock: &networkingv1.IPBlock{
+					CIDR: externalRule.Ip + "/32",
+				},
+			},
+		},
+		Ports: mapExternalPortsToNetworkPolicyPorts(externalRule.Ports),
+	}
+	return externalRuleForIP
+}
+
+func mapExternalPortsToNetworkPolicyPorts(externalPorts []podtypes.ExternalPort) []networkingv1.NetworkPolicyPort {
+	var ports []networkingv1.NetworkPolicyPort
+	for _, externalPort := range externalPorts {
+		ports = append(ports, networkingv1.NetworkPolicyPort{
+			Port:     util.PointTo(intstr.FromInt(externalPort.Port)),
+			Protocol: util.PointTo(v1.ProtocolTCP),
+		})
+	}
+	return ports
+}
+
 func getEgressRule(outboundRule podtypes.InternalRule, namespace string) networkingv1.NetworkPolicyEgressRule {
 	slices.SortFunc(outboundRule.Ports, sortNetPolPorts)
 	egressRuleForOutboundRule := networkingv1.NetworkPolicyEgressRule{

tests/application/access-policy/chainsaw-test.yaml

@@ -42,3 +42,8 @@ spec:
             file: multiple-ns-same-label.yaml
         - assert:
             file: multiple-ns-same-label-assert.yaml
+    - try:
+        - apply:
+            file: external-ip-policy.yaml
+        - assert:
+            file: external-ip-policy-assert.yaml

tests/application/access-policy/external-ip-policy-assert.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: external-ip-policy
+spec:
+  podSelector:
+    matchLabels:
+      app: external-ip-policy
+  egress:
+    - ports:
+        - protocol: TCP
+          port: 5432
+      to:
+        - ipBlock:
+            cidr: 22.134.52.36/32
+  policyTypes:
+    - Egress

tests/application/access-policy/external-ip-policy.yaml

@@ -0,0 +1,18 @@
+apiVersion: skiperator.kartverket.no/v1alpha1
+kind: Application
+metadata:
+  name: external-ip-policy
+spec:
+  image: image
+  port: 8080
+  accessPolicy:
+    outbound:
+      external:
+        - host: xkcd.com
+        - host: backstage-db-sandbox
+          ip: 22.134.52.36
+          ports:
+            - name: sql
+              port: 5432
+              protocol: TCP
+