From c59e66d74a9de49ee8d99629a5e4a4947b63c306 Mon Sep 17 00:00:00 2001
From: Codex
Date: Wed, 1 Jul 2026 11:50:52 +0000
Subject: [PATCH] fix(web-sentinel): allow manual trigger apiserver egress

---
 config/hwlab-web-probe-sentinel/profiles.yaml | 5 +++++
 scripts/src/hwlab-node-web-sentinel-cicd.ts | 14 +++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/config/hwlab-web-probe-sentinel/profiles.yaml b/config/hwlab-web-probe-sentinel/profiles.yaml
index 84250e26..d65c4d19 100644
--- a/config/hwlab-web-probe-sentinel/profiles.yaml
+++ b/config/hwlab-web-probe-sentinel/profiles.yaml
@@ -34,6 +34,11 @@ baselines:
 tracesEndpoint: http://otel-collector.platform-infra.svc.cluster.local:4318/v1/traces
 sampler: parentbased_traceidratio
 samplerArg: "1"
+ kubernetesApi:
+ egress:
+ enabled: true
+ cidr: 10.43.0.1/32
+ port: 443
 scheduler15m: &scheduler-15m
 intervalMs: 900000
 heartbeatStaleSeconds: 900
diff --git a/scripts/src/hwlab-node-web-sentinel-cicd.ts b/scripts/src/hwlab-node-web-sentinel-cicd.ts
index 2dfd3416..9241215d 100644
--- a/scripts/src/hwlab-node-web-sentinel-cicd.ts
+++ b/scripts/src/hwlab-node-web-sentinel-cicd.ts
@@ -1075,6 +1075,7 @@ function renderSentinelManifests(
 const pvcStorage = stringAt(runtime, "pvcStorage");
 const stateRoot = stringAt(runtime, "stateRoot");
 const sentinelEnv = sentinelContainerEnv(sentinelId, runtime, cicd, secrets);
+ const kubernetesApiEgress = sentinelKubernetesApiEgress(runtime);
 const cadenceJob = sentinelCadenceCronJobPlan(spec, sentinelId, runtime, cicd, scenarios, image.ref, sentinelEnv);
 if (cadenceJob !== null) {
 emitWebProbeSentinelSpan({
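Review bot: The new `kubernetesApi.egress` keys are looked up by the TypeScript side as `kubernetesApi.egress.enabled` relative to the runtime record, so `kubernetesApi:` has to sit at the top level of the runtime block; the collapsed indentation in this view makes it impossible to confirm it is not nested under the preceding otel settings (`tracesEndpoint`, `sampler`, `samplerArg`), which would make the lookup return null and silently drop the rule. Worth a quick check that `kubernetesApi:` is a sibling of the otel block rather than a child of it. The literal `10.43.0.1/32` is a cluster-specific address (presumably the ClusterIP of the `kubernetes.default` service, i.e. the first address of the service CIDR); a comment recording that dependency would help whoever reuses this baseline on a cluster with a different service range, e.g. `# ClusterIP of kubernetes.default (first address of the service CIDR); re-check when targeting another cluster`.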
@@ -1221,7 +1222,10 @@ function renderSentinelManifests(
 podSelector: { matchLabels: { "app.kubernetes.io/name": deploymentName } },
 policyTypes: ["Ingress", "Egress"],
 ingress: [{ from: [{ namespaceSelector: {} }], ports: [{ protocol: "TCP", port: servicePort }] }],
- egress: [{ to: [{ namespaceSelector: {} }] }],
+ egress: [
+ { to: [{ namespaceSelector: {} }] },
+ ...kubernetesApiEgress,
+ ],
 },
 },
 {
@@ -1242,6 +1246,14 @@ function renderSentinelManifests(
 ];
 }
 
+function sentinelKubernetesApiEgress(runtime: Record): readonly Record[] {
+ if (booleanAtNullable(runtime, "kubernetesApi.egress.enabled") !== true) return [];
+ return [{
+ to: [{ ipBlock: { cidr: stringAt(runtime, "kubernetesApi.egress.cidr") } }],
+ ports: [{ protocol: "TCP", port: numberAt(runtime, "kubernetesApi.egress.port") }],
+ }];
+ }
+
 function sentinelContainerEnv(sentinelId: string, runtime: Record, cicd: Record, secrets: Record): readonly Record[] {
 const env: Record[] = [{ name: "UNIDESK_WEB_PROBE_SENTINEL_ID", value: sentinelId }];
 const otelEnabled = booleanAtNullable(runtime, "observability.otel.enabled") ?? booleanAtNullable(cicd, "observability.otel.enabled") ?? false;
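Review bot: `sentinelKubernetesApiEgress` forwards `kubernetesApi.egress.cidr` straight into the NetworkPolicy `ipBlock` in its return statement with no shape check, so a value missing its prefix length (or a hostname pasted by mistake) is only rejected when the manifest is applied, far from the profile that caused it; a render-time guard such as `const cidr = stringAt(runtime, "kubernetesApi.egress.cidr"); if (!/^\d{1,3}(\.\d{1,3}){3}\/\d{1,2}$/.test(cidr)) throw new Error(`kubernetesApi.egress.cidr is not an IPv4 CIDR: ${cidr}`);` would surface the mistake where it is made. The same applies to the port, where an out-of-range value from `numberAt` passes through unchecked. The function also carries no doc comment; a short TSDoc stating that it returns the extra egress rule letting the sentinel reach the Kubernetes API server for the manual-trigger path, and that it yields an empty array unless `kubernetesApi.egress.enabled` is exactly `true`, would tie it to the commit's intent. The parameter and return types show as bare `Record` and `Record[]` in this view, presumably `Record<string, unknown>` with the type arguments lost in rendering.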