test: new tests for network policy

[dbasunag]

Pull Request

Summary

Related Issues

• Fixes:
• JIRA:

How it has been tested

• Locally
• Jenkins

Additional Requirements

• If this PR introduces a new test image, did you create a PR to mirror it in disconnected environment?
• If this PR introduces new marker(s)/adds a new component, was relevant ticket created to update relevant Jenkins job?

Summary by CodeRabbit

• Tests
  • Expanded test coverage for database secret validation, password recreation, and pod readiness after changes.
  • Added network policy tests verifying port 5432 access restrictions and catalog pod access control.
  • Tests validate automatic resource recovery after deletion.

[github-actions]

The following are automatically added/executed:

• PR size label.
• Run pre-commit
• Run tox
• Add PR author as the PR assignee
• Build image based on the PR

Available user actions:

• To mark a PR as WIP, add /wip in a comment. To remove it from the PR comment /wip cancel to the PR.
• To block merging of a PR, add /hold in a comment. To un-block merging of PR comment /hold cancel.
• To mark a PR as approved, add /lgtm in a comment. To remove, add /lgtm cancel.
  lgtm label removed on each new commit push.
• To mark PR as verified comment /verified to the PR, to un-verify comment /verified cancel to the PR.
  verified label removed on each new commit push.
• To Cherry-pick a merged PR /cherry-pick <target_branch_name> to the PR. If <target_branch_name> is valid,
  and the current PR is merged, a cherry-picked PR would be created and linked to the current PR.
• To build and push image to quay, add /build-push-pr-image in a comment. This would create an image with tag
  pr-<pr_number> to quay repository. This image tag, however would be deleted on PR merge or close action.

Supported labels

{'/cherry-pick', '/hold', '/lgtm', '/wip', '/build-push-pr-image', '/verified'}

[coderabbitai]

📝 Walkthrough

Walkthrough

Consolidated model catalog database validation tests by restructuring fixture organization, consolidating secret and network policy tests into a unified test module, and introducing a new NetworkPolicy fixture to support network policy validation tests.

Changes

Cohort / File(s)	Summary
Test Fixtures tests/model_registry/model_catalog/db_check/conftest.py	Added new class-scoped fixture model_catalog_postgres_network_policy that instantiates a NetworkPolicy object for model-catalog-postgres with ensure_exists=True, mirroring existing secret fixtures.
Test Module Consolidation tests/model_registry/model_catalog/db_check/test_model_catalog_db_validation.py	New unified test module combining TestModelCatalogDBSecret (3 test methods for secret existence, password recreation, pod readiness) and TestModelCatalogDBNetworkPolicy (4 test methods for policy existence, port 5432 restriction, podSelector ingress validation, and operator-driven recreation).
Test Module Removal tests/model_registry/model_catalog/db_check/test_model_catalog_secrets.py	Deleted legacy test file; tests migrated to test_model_catalog_db_validation.py.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is entirely empty/templated with no concrete summary, test results, or issue references provided.	Fill the Summary section describing the new network policy tests, secret test consolidation, and fixtures added. Document testing approach and link any related issues.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main change: adding new tests for network policy validation alongside existing secret tests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can generate a title for your PR based on the changes.

Add @coderabbitai placeholder anywhere in the title of your PR and CodeRabbit will replace it with a title based on the changes in the PR. You can change the placeholder by changing the reviews.auto_title_placeholder setting.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@tests/model_registry/model_catalog/db_check/test_model_catalog_db_validation.py`:
- Around line 71-78: The test
test_postgres_network_policy_allows_only_catalog_pods currently only validates
the first ingress peer via from_selector and can miss other peers (e.g., ipBlock
or other podSelectors); update the test in model_catalog_postgres_network_policy
to iterate over
model_catalog_postgres_network_policy.instance.spec.ingress[0]["from"] and
assert for each entry that it does not contain an ipBlock and that any
podSelector.matchLabels has component == "model-catalog", failing if any extra
peers are present or labeled differently so all ingress peers are validated, not
just the first.
- Around line 61-69: The test_postgres_network_policy_restricts_to_port_5432
currently only checks spec.ingress[0].ports[0], which allows additional ports to
slip through; update the test to iterate over all ingress rules and all ports
(e.g., for each entry in spec.ingress and each port in ports) and assert every
port.port == 5432 and every port.protocol == "TCP", and also assert there is
exactly one ingress rule and that each ingress.ports list contains only the
allowed port(s) to ensure no extra ports are permitted.
- Around line 80-100: The test currently only checks that NetworkPolicy exists;
update test_postgres_network_policy_recreated_after_deletion to also validate
the recreated NetworkPolicy's ingress/egress rules are secure by retrieving the
NetworkPolicy object (via the NetworkPolicy helper returned by TimeoutSampler)
and asserting its spec matches expected constraints (e.g., allowed
peers/namespaceSelector, allowed ports like 5432, and no overly permissive from:
[]/ipBlock: 0.0.0.0/0). Use or add an expected policy representation (e.g.,
expected_postgres_network_policy() or inline expected_rules) and compare against
np.obj.spec (or relevant accessor) and fail the test with clear assertion
messages if rules are missing/too permissive; keep the existing wait loop
(TimeoutSampler, NetworkPolicy, get_postgres_pod_in_namespace, LOGGER) but add
the security assertions immediately after confirming np.exists before breaking.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 78b4cef5-3120-4c69-bf17-7de03410b80c

📥 Commits

Reviewing files that changed from the base of the PR and between 15b5606 and 05c54b6.

📒 Files selected for processing (3)

• tests/model_registry/model_catalog/db_check/conftest.py
• tests/model_registry/model_catalog/db_check/test_model_catalog_db_validation.py
• tests/model_registry/model_catalog/db_check/test_model_catalog_secrets.py

💤 Files with no reviewable changes (1)

• tests/model_registry/model_catalog/db_check/test_model_catalog_secrets.py

[coderabbitai]

⚠️ Potential issue | 🟠 Major

High: Line 67 only validates the first ingress port, allowing extra open ports to slip through (CWE-284).

Severity: High.
Exploit scenario: a policy with ports [5432, 8080] still passes because only index 0 is asserted.

Remediation diff

-        port = spec.ingress[0].ports[0]
-        assert port.port == 5432, "NetworkPolicy should allow only PostgreSQL port 5432"
-        assert port.protocol == "TCP", "NetworkPolicy port should use TCP protocol"
+        ports = spec.ingress[0].ports or []
+        assert len(ports) == 1, "NetworkPolicy must expose exactly one ingress port"
+        port = ports[0]
+        assert port.port == 5432, "NetworkPolicy should allow only PostgreSQL port 5432"
+        assert port.protocol == "TCP", "NetworkPolicy port should use TCP protocol"
+        assert getattr(port, "endPort", None) in (None, 5432), "Port range expansion is not allowed"

As per coding guidelines, **: "REVIEW PRIORITIES: 1. Security vulnerabilities (provide severity, exploit scenario, and remediation code)".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@tests/model_registry/model_catalog/db_check/test_model_catalog_db_validation.py`
around lines 61 - 69, The test_postgres_network_policy_restricts_to_port_5432
currently only checks spec.ingress[0].ports[0], which allows additional ports to
slip through; update the test to iterate over all ingress rules and all ports
(e.g., for each entry in spec.ingress and each port in ports) and assert every
port.port == 5432 and every port.protocol == "TCP", and also assert there is
exactly one ingress rule and that each ingress.ports list contains only the
allowed port(s) to ensure no extra ports are permitted.

[fege]

/lgtm

[github-actions]

Status of building tag latest: success.
Status of pushing tag latest to image registry: success.