test: handle some labels

Signed-off-by: Jintao Zhang <[email protected]>

Author: tao12345666333

controller/gateway/controller.go

@@ -460,10 +460,13 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 				return ctrl.Result{}, fmt.Errorf("failed to update DataPlane with KonnectExtension to make it work as Hybrid: %w", err)
 			}
 		}
-	} else {
+	}
+
+	var controlplane *gwtypes.ControlPlane
+	if !isGatewayHybrid(gatewayConfig) {
 		// Provision controlplane creates a controlplane and adds the ControlPlaneReady condition to the Gateway status
 		// if the controlplane is ready, the ControlPlaneReady status is set to true, otherwise false.
-		controlplane := r.provisionControlPlane(ctx, logger, &gateway, gatewayConfig)
+		controlplane = r.provisionControlPlane(ctx, logger, &gateway, gatewayConfig)
 		// Set the ControlPlaneReady Condition to False. This happens only if:
 		// * the new status is false and there was no ControlPlaneReady condition in the gateway
 		// * the new status is false and the previous status was true
@@ -505,7 +508,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	// If the code is run outside of k8s (like in envtest or integration test), do not create network policies.
 	if k8sutils.RunningOnKubernetes() {
 		log.Trace(logger, "ensuring DataPlane's NetworkPolicy exists")
-		createdOrUpdated, err := r.ensureDataPlaneHasNetworkPolicy(ctx, &gateway, dataplane)
+		createdOrUpdated, err := r.ensureDataPlaneHasNetworkPolicy(ctx, &gateway, dataplane, controlplane)
 		if err != nil {
 			return ctrl.Result{}, err
 		}

controller/gateway/controller_reconciler_utils.go

@@ -392,6 +392,7 @@ func (r *Reconciler) ensureDataPlaneHasNetworkPolicy(
 	ctx context.Context,
 	gateway *gwtypes.Gateway,
 	dataplane *operatorv1beta1.DataPlane,
+	controlplane *gwtypes.ControlPlane,
 ) (createdOrUpdate bool, err error) {
 	networkPolicies, err := gatewayutils.ListNetworkPoliciesForGateway(ctx, r.Client, gateway)
 	if err != nil {
@@ -406,8 +407,8 @@ func (r *Reconciler) ensureDataPlaneHasNetworkPolicy(
 		return false, errors.New("number of networkPolicies reduced")
 	}
 
-	// generate the network policy that allows the KO pod to access the admin APIs of dataplane pods.
-	generatedPolicy, err := generateDataPlaneNetworkPolicy(r.Namespace, dataplane, r.PodLabels)
+	// generate the network policy that allows the ControlPlane pod to access the admin APIs of dataplane pods.
+	generatedPolicy, err := generateDataPlaneNetworkPolicy(dataplane, controlplane)
 	if err != nil {
 		return false, fmt.Errorf("failed generating network policy for DataPlane %s: %w", dataplane.Name, err)
 	}
@@ -434,29 +435,20 @@ func (r *Reconciler) ensureDataPlaneHasNetworkPolicy(
 	return true, r.Create(ctx, generatedPolicy)
 }
 
-// generateDataPlaneNetworkPolicy generates the NetworkPolicy that allows the KO pod to access admin API of dataplane pods.
-// the params `namespace` and `podLabels` are namespace and labels of the KO pod itself, and `dataplane` is the target dataplane.
+// generateDataPlaneNetworkPolicy generates the NetworkPolicy that allows the ControlPlane pod to access admin API of dataplane pods.
+// The ControlPlane (KIC) is the component that actually communicates with the DataPlane admin API, not the operator directly.
+// In hybrid mode (Konnect), controlplane may be nil since there's no local ControlPlane - in that case,
+// the admin API access restriction is omitted.
 func generateDataPlaneNetworkPolicy(
-	namespace string,
 	dataplane *operatorv1beta1.DataPlane,
-	podLabels map[string]string,
+	controlplane *gwtypes.ControlPlane,
 ) (*networkingv1.NetworkPolicy, error) {
 	var (
 		protocolTCP     = corev1.ProtocolTCP
 		adminAPISSLPort = intstr.FromInt(consts.DataPlaneAdminAPIPort)
 		proxyPort       = intstr.FromInt(consts.DataPlaneProxyPort)
 		proxySSLPort    = intstr.FromInt(consts.DataPlaneProxySSLPort)
 		metricsPort     = intstr.FromInt(consts.DataPlaneMetricsPort)
-		// The label keys to match Kong operator pod.
-		// To not create new NetworkPolicy on upgrade of , we just keep the keys marking the application
-		// and remove the keys related to versions such as `version`,`pod-template-hash`,`helm.sh/chart`.
-		podLabelSelectorKeys = []string{
-			"app",
-			"app.kubernetes.io/component",
-			"app.kubernetes.io/instance",
-			"app.kubernetes.io/name",
-			"control-plane",
-		}
 	)
 
 	// Check if KONG_PROXY_LISTEN and/or KONG_ADMIN_LISTEN are set in
@@ -490,35 +482,31 @@ func generateDataPlaneNetworkPolicy(
 		}
 	}
 
-	// Construct the policy to allow the KO pod to access DataPlane admin APIs.
-	policyPeerForControllerPod := networkingv1.NetworkPolicyPeer{
-		NamespaceSelector: &metav1.LabelSelector{
-			MatchLabels: map[string]string{
-				"kubernetes.io/metadata.name": namespace,
+	// Construct the policy to allow the ControlPlane pod to access DataPlane admin APIs.
+	// For hybrid mode (Konnect), there's no local ControlPlane, so we don't add admin API restrictions.
+	var limitAdminAPIIngress networkingv1.NetworkPolicyIngressRule
+	if controlplane != nil {
+		policyPeerForControlPlanePod := networkingv1.NetworkPolicyPeer{
+			PodSelector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"app": controlplane.Name,
+				},
+			},
+			NamespaceSelector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"kubernetes.io/metadata.name": dataplane.Namespace,
+				},
 			},
-		},
-	}
-
-	if len(podLabels) > 0 {
-		matchPodLabels := map[string]string{}
-		for _, key := range podLabelSelectorKeys {
-			value, ok := podLabels[key]
-			if ok {
-				matchPodLabels[key] = value
-			}
 		}
-		policyPeerForControllerPod.PodSelector = &metav1.LabelSelector{
-			MatchLabels: matchPodLabels,
+		limitAdminAPIIngress = networkingv1.NetworkPolicyIngressRule{
+			Ports: []networkingv1.NetworkPolicyPort{
+				{Protocol: &protocolTCP, Port: &adminAPISSLPort},
+			},
+			From: []networkingv1.NetworkPolicyPeer{
+				policyPeerForControlPlanePod,
+			},
 		}
 	}
-	limitAdminAPIIngress := networkingv1.NetworkPolicyIngressRule{
-		Ports: []networkingv1.NetworkPolicyPort{
-			{Protocol: &protocolTCP, Port: &adminAPISSLPort},
-		},
-		From: []networkingv1.NetworkPolicyPeer{
-			policyPeerForControllerPod,
-		},
-	}
 
 	allowProxyIngress := networkingv1.NetworkPolicyIngressRule{
 		Ports: []networkingv1.NetworkPolicyPort{
@@ -533,6 +521,15 @@ func generateDataPlaneNetworkPolicy(
 		},
 	}
 
+	ingressRules := []networkingv1.NetworkPolicyIngressRule{
+		allowProxyIngress,
+		allowMetricsIngress,
+	}
+	// Only add admin API restriction when there's a local ControlPlane (not hybrid mode)
+	if controlplane != nil {
+		ingressRules = append([]networkingv1.NetworkPolicyIngressRule{limitAdminAPIIngress}, ingressRules...)
+	}
+
 	return &networkingv1.NetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace:    dataplane.Namespace,
@@ -547,11 +544,7 @@ func generateDataPlaneNetworkPolicy(
 			PolicyTypes: []networkingv1.PolicyType{
 				networkingv1.PolicyTypeIngress,
 			},
-			Ingress: []networkingv1.NetworkPolicyIngressRule{
-				limitAdminAPIIngress,
-				allowProxyIngress,
-				allowMetricsIngress,
-			},
+			Ingress: ingressRules,
 		},
 	}, nil
 }

pkg/utils/kubernetes/self_metadata.go

@@ -37,47 +37,84 @@ func GetSelfPodLabels() (map[string]string, error) {
 		locations []string
 	)
 
+	// Prefer explicit override first
 	if override := os.Getenv("KONG_OPERATOR_POD_LABELS_FILE"); override != "" {
 		locations = append(locations, override)
 	}
 
-	locations = append(locations, podLabelsFile)
+	// Then try TELEPRESENCE_ROOT mounted path
 	if root := os.Getenv("TELEPRESENCE_ROOT"); root != "" {
 		relPath := strings.TrimPrefix(podLabelsFile, "/")
-		locations = append([]string{filepath.Join(root, relPath)}, locations...)
+		locations = append(locations, filepath.Join(root, relPath))
 	}
 
+	// Finally fall back to standard pod labels file
+	locations = append(locations, podLabelsFile)
+
 	for _, path := range locations {
 		buf, err := os.ReadFile(path)
 		if err != nil {
 			lastErr = err
 			continue
 		}
 
-		labels := strings.SplitSeq(string(buf), "\n")
-		ret := make(map[string]string)
-		for label := range labels {
-			labelKV := strings.SplitN(label, "=", 2)
-			if len(labelKV) != 2 {
-				return nil, fmt.Errorf("invalid label format, should be key=value")
-			}
-			key := labelKV[0]
-			// The value in labels are escaped, e.g: "ko" => "\"ko\"". So we need to unquote it.
-			value, err := strconv.Unquote(labelKV[1])
-			if err != nil {
-				continue
-			}
-			ret[key] = value
+		ret := parsePodLabels(string(buf))
+		if len(ret) > 0 {
+			return ret, nil
 		}
-		return ret, nil
+		lastErr = fmt.Errorf("no valid labels found in %s", path)
 	}
 
 	if lastErr != nil {
-		return nil, fmt.Errorf("cannot find pod labels from file %s: %w", locations[len(locations)-1], lastErr)
+		return nil, fmt.Errorf("cannot find pod labels from %v: %w", locations, lastErr)
 	}
 	return nil, fmt.Errorf("cannot determine pod labels")
 }
 
+// parsePodLabels parses pod labels from DownwardAPI format.
+// Supports both newline-separated and comma-separated formats.
+func parsePodLabels(content string) map[string]string {
+	ret := make(map[string]string)
+	content = strings.TrimSpace(content)
+	if content == "" {
+		return ret
+	}
+
+	// Try newline-separated first
+	lines := strings.Split(content, "\n")
+	// If we only have one line and it contains commas, try comma-separated
+	if len(lines) == 1 && strings.Contains(content, ",") {
+		lines = strings.Split(content, ",")
+	}
+
+	for _, label := range lines {
+		label = strings.TrimSpace(label)
+		if label == "" {
+			continue
+		}
+
+		labelKV := strings.SplitN(label, "=", 2)
+		if len(labelKV) != 2 {
+			continue
+		}
+
+		key := strings.TrimSpace(labelKV[0])
+		value := strings.TrimSpace(labelKV[1])
+		if key == "" {
+			continue
+		}
+
+		// Try to unquote the value (DownwardAPI escapes values)
+		if unquoted, err := strconv.Unquote(value); err == nil {
+			value = unquoted
+		}
+
+		ret[key] = value
+	}
+
+	return ret
+}
+
 // RunningOnKubernetes returns true if it is running in the kubernetes environment.
 // If the env KUBERNETES_SERVICE_HOST is configured to access the kubernetes API server,
 // it is considered to be running on k8s.