From d9f687987ae98d40d222e0cf7211b0c9551db77b Mon Sep 17 00:00:00 2001 From: Gael Crova Date: Mon, 28 Oct 2024 09:51:06 +0100 Subject: [PATCH] 24.0.0-IF003 --- airgap/ADS-case-list.yaml | 6 ++-- eks/README.md | 6 ++++ eks/extended-netpols.yaml | 72 +++++++++++++++++++++++++++++++++++++++ scripts/constants.sh | 2 +- 4 files changed, 82 insertions(+), 4 deletions(-) create mode 100644 eks/extended-netpols.yaml diff --git a/airgap/ADS-case-list.yaml b/airgap/ADS-case-list.yaml index 1c8e890..3a1a391 100644 --- a/airgap/ADS-case-list.yaml +++ b/airgap/ADS-case-list.yaml @@ -1,9 +1,9 @@ name: ibm-ads -version: 1.3.2 -description: List of CASEs required for air gapped deployment of ADS 24.0.0-IF002 +version: 1.3.3 +description: List of CASEs required for air gapped deployment of ADS 24.0.0-IF003 cases: - name: ibm-ads - version: 1.3.2 + version: 1.3.3 launch: true - name: ibm-cp-common-services version: 4.6.2 diff --git a/eks/README.md b/eks/README.md index 9af65b5..7f772fe 100644 --- a/eks/README.md +++ b/eks/README.md @@ -84,3 +84,9 @@ controller: Then you'll use [ads-generate-ingresses.sh](../scripts/ads-generate-ingresses.sh) script to obtain the ingresses definition you'll have to apply to your cluster. +## Special network configuration +Depending on how the network was configured, the communication between the kube-api server and worker nodes can be restricted, causing errors during webhook invocations as shown in the following example: +``` +I0624 14:19:58.368935 1 waitToCreateCsCR.go:36] Webhook Server not ready, waiting for it to be ready : could not Create resource: Internal error occurred: failed calling webhook \"vcommonservice.kb.io\": failed to call webhook: Post \"https://ibm-common-service-operator-service.ads.svc:443/validate-operator-ibm-com-v3-commonservice?timeout=10s\": context deadline exceeded +``` +To explicitly allow communications, customize and apply additional custom network [policies](./extended-netpols.yaml) into your cluster to unblock. 
diff --git a/eks/extended-netpols.yaml b/eks/extended-netpols.yaml
new file mode 100644
index 0000000..54b4793
--- /dev/null
+++ b/eks/extended-netpols.yaml
@@ -0,0 +1,72 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: access-to-ibm-common-service-operator
+ namespace: ""
+spec:
+ podSelector:
+ matchLabels:
+ name: ibm-common-service-operator
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 9443
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: access-to-postgresql-operator
+ namespace: ""
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name : cloud-native-postgresql
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 9443
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: access-to-kubernetes
+ namespace: ""
+spec:
+ egress:
+ - ports:
+ - port: 443
+ protocol: TCP
+ to:
+ - namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ - default
+ podSelector: {}
+ policyTypes:
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: ingress-from-olm
+ namespace: ""
+spec:
+ podSelector:
+ matchLabels:
+ olm.managed: "true"
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ - olm
+ policyTypes:
+ - Ingress
diff --git a/scripts/constants.sh b/scripts/constants.sh
index ddadd35..9465014 100755
--- a/scripts/constants.sh
+++ b/scripts/constants.sh
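Review bot: The two 9443 rules in `access-to-ibm-common-service-operator` and `access-to-postgresql-operator` list `ports` with no `from`, so they admit TCP 9443 from any source rather than only the kube-apiserver webhook calls the README says this file is meant to unblock. Where the control-plane source range is known, scope each rule with something like `from: [{ipBlock: {cidr: "<CONTROL_PLANE_CIDR>"}}]` (placeholder value), and consider adding `ports` to `ingress-from-olm`, which as written opens every port to the `olm` namespace. Every policy also ships with `namespace: ""`; a leading comment such as `# Set metadata.namespace to the ADS namespace before applying` would make the required customization explicit in the file itself. Indentation is lost in this view, so `podSelector: {}` in `access-to-kubernetes` is read here as the spec-level selector covering all pods in the namespace; it is worth confirming that breadth is intended.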
@@ -25,6 +25,6 @@ licensing_catalog_image="icr.io/cpopen/ibm-licensing-catalog@sha256:dfdd38cac150 cert_manager_catalog_image="icr.io/cpopen/ibm-cert-manager-operator-catalog@sha256:955732299dd174524612ec8e8076237a491cedee1264e4e4be39c2a92f48bc39" # IBM Certificate Manager 4.2.2 from https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-cert-manager/4.2.2 cs_catalog_image="icr.io/cpopen/ibm-common-service-catalog@sha256:601e84bf15e92a98e2b9a6e64320a2cd4f4912533bf49407eed4aeacca8d0c00" # IBM Cloud Foundational Services 4.6.2 from https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-cp-common-services/4.6.2 -ads_catalog_image="icr.io/cpopen/ibm-ads-operator-catalog@sha256:02af330aefd37a344f639520bd5873eb4d5c93b8b2566e2cb81bc8acd2ef0eee" # 24.0.0-IF002 +ads_catalog_image="icr.io/cpopen/ibm-ads-operator-catalog@sha256:4990604c8d691e163b27c14af3f33f410e43941dddde34961e3b42db04cf6c0f" # 24.0.0-IF003 edb_catalog_image="icr.io/cpopen/ibm-cpd-cloud-native-postgresql-operator-catalog@sha256:c96aa2e6bce92f2e5e4874116cf1cc1cdd60676499cd04ab1631462b8b883357" # Cloud Native PostgresSQL 4.18.0 from https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-cloud-native-postgresql/4.18.0