suite: test networkpolicy templates: - alertmanager/networkpolicy.yaml tests: - it: should be empty if alertmanager is not enabled set: alertmanager.enabled: false alertmanager.networkPolicy.enabled: true asserts: - hasDocuments: count: 0 - it: should be empty if networkpolicy is not enabled set: alertmanager.enabled: true alertmanager.networkPolicy.enabled: false asserts: - hasDocuments: count: 0 - it: should have correct API version and kind set: alertmanager.enabled: true alertmanager.networkPolicy.enabled: true asserts: - hasDocuments: count: 1 - isKind: of: NetworkPolicy - isAPIVersion: of: networking.k8s.io/v1 - it: should configure gateway namespace correctly set: alertmanager.enabled: true alertmanager.networkPolicy.enabled: true alertmanager.networkPolicy.gateway.namespace: custom-gateway asserts: - equal: path: spec.ingress[0].from[0].namespaceSelector.matchLabels["kubernetes.io/metadata.name"] value: custom-gateway - it: should configure gateway pod labels correctly set: alertmanager.enabled: true alertmanager.networkPolicy.enabled: true alertmanager.networkPolicy.gateway.podLabels: app.kubernetes.io/name: custom-gateway asserts: - equal: path: spec.ingress[0].from[0].podSelector.matchLabels value: app.kubernetes.io/name: custom-gateway - it: should include Prometheus rules when enabled set: alertmanager.enabled: true alertmanager.networkPolicy.enabled: true alertmanager.networkPolicy.monitoringRules.prometheus: true alertmanager.service.port: 9093 asserts: - matchRegex: path: spec.ingress[1].from[0].podSelector.matchLabels["app.kubernetes.io/name"] pattern: prometheus - it: should include Loki rules when enabled set: alertmanager.enabled: true alertmanager.networkPolicy.enabled: true alertmanager.networkPolicy.monitoringRules.loki: true alertmanager.service.port: 9093 asserts: - matchRegex: path: spec.ingress[2].from[0].podSelector.matchLabels["app.kubernetes.io/name"] pattern: loki - it: should include cluster rules when enabled set: alertmanager.enabled: true alertmanager.networkPolicy.enabled: true alertmanager.networkPolicy.enableClusterRules: true alertmanager.service.clusterPort: 9094 asserts: - matchRegex: path: spec.ingress[3].from[0].podSelector.matchLabels["app.kubernetes.io/name"] pattern: alertmanager - it: should add additional ingress rules when specified set: alertmanager.enabled: true alertmanager.networkPolicy.enabled: true alertmanager.networkPolicy.additionalIngress: - from: - namespaceSelector: matchLabels: name: custom-namespace asserts: - equal: path: spec.ingress[-1].from[0].namespaceSelector.matchLabels.name value: custom-namespace - it: should include egress rules when enabled set: alertmanager.enabled: true alertmanager.networkPolicy.enabled: true alertmanager.networkPolicy.egress: enabled: true rules: - to: - podSelector: matchLabels: name: smtp-relay asserts: - equal: path: spec.egress[0].to[0].podSelector.matchLabels.name value: smtp-relay - it: should use specified policy types set: alertmanager.enabled: true alertmanager.networkPolicy.enabled: true alertmanager.networkPolicy.policyTypes: - Ingress - Egress asserts: - equal: path: spec.policyTypes value: - Ingress - Egress - it: should handle empty gateway pod labels set: alertmanager.enabled: true alertmanager.networkPolicy.enabled: true alertmanager.networkPolicy.gateway.namespace: custom-gateway alertmanager.networkPolicy.gateway.podLabels: null alertmanager.networkPolicy.policyTypes[0]: Ingress alertmanager.service.port: 9093 asserts: - hasDocuments: count: 1 - isKind: of: NetworkPolicy - equal: path: spec.ingress[0].from[0].namespaceSelector.matchLabels["kubernetes.io/metadata.name"] value: custom-gateway - equal: path: spec.ingress[0].ports[0].port value: 9093