rewrite of status on network policies

nais · Nov 7, 2023 · ef83b9a · ef83b9a
1 parent eb4b8a0
commit ef83b9a
Show file tree

Hide file tree

Showing 4 changed files with 290 additions and 239 deletions.
diff --git a/schema.graphql b/schema.graphql
@@ -710,6 +710,7 @@ type Resources {
 type Rule {
   application: String!
   cluster: String!
+  isJob: Boolean!
   mutual: Boolean!
   mutualExplanation: String!
   namespace: String!

diff --git a/src/lib/AppErrorTypeToMessage.svelte b/src/lib/AppErrorTypeToMessage.svelte
@@ -36,6 +36,7 @@
 						mutual
 						mutualExplanation
 						namespace
+						isJob
 					}
 				}
 				... on NoRunningInstancesError {
@@ -48,6 +49,7 @@
 						mutual
 						mutualExplanation
 						namespace
+						isJob
 					}
 				}
 			}
@@ -59,87 +61,132 @@
 	$: app = $page.params.app;
 </script>
 
-{#if $data.revision === PendingValue}
-	<div class="wrapper">
-		<Loading />
-	</div>
-{:else if $data.__typename === 'DeprecatedRegistryError'}
-	<div class="wrapper">
-		<Alert variant="warning">
-			Deprecated image registry <strong>{$data.registry}</strong> for image
-			<strong>{$data.name}</strong>. See
-			<a href="https://github.com/nais/docker-build-push"> docker-build-push</a> on how to migrate to
-			Google Artifact Registry.
-		</Alert>
-	</div>
-{:else if $data.__typename === 'NoRunningInstancesError'}
-	<div class="wrapper">
-		<Alert variant="error">
-			No running instances of <strong>{app}</strong> in <strong>{env}</strong>.
-		</Alert>
-	</div>
-{:else if $data.__typename === 'DeprecatedIngressError'}
-	<div class="wrapper">
-		<Alert variant="warning">
-			Deprecated ingress <strong>{$data.ingress}</strong>. See
-			{#if env === 'dev-gcp'}
-				<a href="https://doc.nais.io/clusters/gcp/#dev-gcp-ingresses"> ingress documentation</a>
-			{:else if env === 'prod-gcp'}
-				<a href="https://doc.nais.io/clusters/gcp/#prod-gcp-ingresses"> ingress documentation</a>
-			{:else if env === 'dev-fss'}
-				<a href="https://doc.nais.io/clusters/on-premises/#dev-fss"> ingress documentation</a>
-			{:else if env === 'prod-fss'}
-				<a href="https://doc.nais.io/clusters/on-premises/#prod-fss"> ingress documentation</a>
-			{/if} for available ingress domains.
-		</Alert>
-	</div>
-{:else if $data.__typename === 'InvalidNaisYamlError'}
-	<div class="wrapper">
-		<Alert variant="error">
-			Nais-yaml might be invalid for application <strong>{app}</strong>.
-		</Alert>
-	</div>
-{:else if $data.__typename === 'NewInstancesFailingError'}
-	<div class="wrapper">
-		<Alert variant="warning">
-			{#if app}
-				New instances of <strong>{app}</strong> in <strong>{env}</strong> are failing. Check logs
-				for one or more of the instances:
-				{#each $data.failingInstances as instance}
-					<br /><a href="/team/{team}/{env}/app/{app}/logs?name={instance}">{instance}</a>
-				{/each}
-			{/if}
-		</Alert>
-	</div>
-{:else if $data.__typename === 'InboundAccessError'}
-	{#if $data.rule.mutualExplanation !== 'NO_ZERO_TRUST' && $data.rule.mutualExplanation !== 'CLUSTER_NOT_FOUND'}
+{#if $data}
+	{#if $data.revision === PendingValue}
 		<div class="wrapper">
-			<Alert variant="warning"
-				><a
-					href="/team/{$data.rule.namespace || team}/{$data.rule.cluster
-						? $data.rule.cluster
-						: env}/app/{$data.rule.application}"
-					>{$data.rule.application}.{$data.rule.namespace || team}.{$data.rule.cluster
-						? $data.rule.cluster
-						: env}</a
+			<Loading />
+		</div>
+	{:else if $data.__typename === 'DeprecatedRegistryError'}
+		<div class="wrapper">
+			<Alert variant="warning">
+				Deprecated image registry <strong>{$data.registry}</strong> for image
+				<strong>{$data.name}</strong>. See
+				<a href="https://github.com/nais/docker-build-push"> docker-build-push</a> on how to migrate
+				to Google Artifact Registry.
+			</Alert>
+		</div>
+	{:else if $data.__typename === 'NoRunningInstancesError'}
+		<div class="wrapper">
+			<Alert variant="error">
+				No running instances of <strong>{app}</strong> in <strong>{env}</strong>.
+			</Alert>
+		</div>
+	{:else if $data.__typename === 'DeprecatedIngressError'}
+		<div class="wrapper">
+			<Alert variant="warning">
+				Deprecated ingress <strong>{$data.ingress}</strong>. See
+				{#if env === 'dev-gcp'}
+					<a href="https://doc.nais.io/clusters/gcp/#dev-gcp-ingresses"> ingress documentation</a>
+				{:else if env === 'prod-gcp'}
+					<a href="https://doc.nais.io/clusters/gcp/#prod-gcp-ingresses"> ingress documentation</a>
+				{:else if env === 'dev-fss'}
+					<a href="https://doc.nais.io/clusters/on-premises/#dev-fss"> ingress documentation</a>
+				{:else if env === 'prod-fss'}
+					<a href="https://doc.nais.io/clusters/on-premises/#prod-fss"> ingress documentation</a>
+				{/if} for available ingress domains.
+			</Alert>
+		</div>
+	{:else if $data.__typename === 'InvalidNaisYamlError'}
+		<div class="wrapper">
+			<Alert variant="error">
+				Nais-yaml might be invalid for application <strong>{app}</strong>.
+			</Alert>
+		</div>
+	{:else if $data.__typename === 'NewInstancesFailingError'}
+		<div class="wrapper">
+			<Alert variant="warning">
+				{#if app}
+					New instances of <strong>{app}</strong> in <strong>{env}</strong> are failing. Check logs
+					for one or more of the instances:
+					{#each $data.failingInstances as instance}
+						<br /><a href="/team/{team}/{env}/app/{app}/logs?name={instance}">{instance}</a>
+					{/each}
+				{/if}
+			</Alert>
+		</div>
+	{:else if $data.__typename === 'InboundAccessError'}
+		{#if $data.rule.mutualExplanation !== 'NO_ZERO_TRUST'}
+			<div class="wrapper">
+				<Alert variant="warning">
+					{#if $data.rule.isJob}
+						{$data.rule.mutualExplanation}
+						<a
+							href="/team/{$data.rule.namespace || team}/{$data.rule.cluster
+								? $data.rule.cluster
+								: env}/job/{$data.rule.application}">{$data.rule.application}</a
+						>
+					{:else if $data.rule.mutualExplanation === 'APP_NOT_FOUND'}
+						Traffic from {$data.rule.application} in namespace {$data.rule.namespace || team} ({$data
+							.rule.cluster
+							? $data.rule.cluster
+							: env}) is allowed by access policy, but application is not found.
+					{:else}
+						Traffic from <a
+							href="/team/{$data.rule.namespace || team}/{$data.rule.cluster
+								? $data.rule.cluster
+								: env}/app/{$data.rule.application}">{$data.rule.application}</a
+						>
+						in namespace {$data.rule.namespace || team} ({$data.rule.cluster
+							? $data.rule.cluster
+							: env}) is allowed by access policy, but
+						<a
+							href="/team/{$data.rule.namespace || team}/{$data.rule.cluster
+								? $data.rule.cluster
+								: env}/app/{$data.rule.application}">{$data.rule.application}</a
+						>
+						does not have an outbound rule for {app}.
+					{/if}
+					<br />
+					Consult
+					<a href="https://docs.nais.io/nais-application/application/?h=#accesspolicy"
+						>Nais Application reference - accessPolicy</a
+					>.</Alert
 				>
-				is missing outbound rule for
-				<a href="/team/{team}/{env}/app/{app}">{app}.{team}.{env}</a>.
-				<br />
-				{#if $data.rule.mutualExplanation === 'APP_NOT_FOUND'}
-					Application not found. Verify outbound rules for {$data.rule.application}. Does
-					application exist, or are namespace or cluster missing from rule?
-				{:else if $data.rule.mutualExplanation === 'RULE_NOT_FOUND'}
-					Please add outbound rule for {app}.{team}.{env} to
+			</div>
+		{/if}
+	{:else if $data.__typename === 'OutboundAccessError'}
+		<div class="wrapper">
+			<Alert variant="warning">
+				{#if $data.rule.isJob}
+					{$data.rule.mutualExplanation}
 					<a
 						href="/team/{$data.rule.namespace || team}/{$data.rule.cluster
 							? $data.rule.cluster
-							: env}/app/{$data.rule.application}/yaml">manifest</a
-					>.
+							: env}/job/{$data.rule.application}"
+						>{$data.rule.application}.{$data.rule.namespace || team}.{$data.rule.cluster
+							? $data.rule.cluster
+							: env}</a
+					>
+				{:else if $data.rule.mutualExplanation === 'APP_NOT_FOUND'}
+					Traffic to {$data.rule.application} in namespace {$data.rule.namespace || team} ({$data
+						.rule.cluster
+						? $data.rule.cluster
+						: env}) is allowed by access policy, but application is not found.
 				{:else}
-					<!--Please verify outbound rule for {app}. Check rule in
-				<a href="/team/{team}/{env}/app/{app}/yaml">manifest</a>.-->
-					{$data.rule.mutualExplanation}
+					Traffic to <a
+						href="/team/{$data.rule.namespace || team}/{$data.rule.cluster
+							? $data.rule.cluster
+							: env}/app/{$data.rule.application}">{$data.rule.application}</a
+					>
+					in namespace {$data.rule.namespace || team} ({$data.rule.cluster
+						? $data.rule.cluster
+						: env}) is allowed by access policy, but
+					<a
+						href="/team/{$data.rule.namespace || team}/{$data.rule.cluster
+							? $data.rule.cluster
+							: env}/app/{$data.rule.application}">{$data.rule.application}</a
+					>
+					does not have an inbound rule for {app}.
 				{/if}
 				<br />
 				Consult
@@ -148,46 +195,11 @@
 				>.</Alert
 			>
 		</div>
+	{:else}
+		<div class="wrapper">
+			<Alert variant="error">Unkown error</Alert>
+		</div>
 	{/if}
-{:else if $data.__typename === 'OutboundAccessError'}
-	<div class="wrapper">
-		<Alert variant="warning"
-			><a
-				href="/team/{$data.rule.namespace || team}/{$data.rule.cluster
-					? $data.rule.cluster
-					: env}/app/{$data.rule.application}"
-				>{$data.rule.application}.{$data.rule.namespace || team}.{$data.rule.cluster
-					? $data.rule.cluster
-					: env}</a
-			>
-			is missing inbound rule for
-			<a href="/team/{team}/{env}/app/{app}">{app}.{team}.{env}</a>.
-			<br />
-			{#if $data.rule.mutualExplanation == 'APP_NOT_FOUND'}
-				Please verify inbound rule for {app}. Check rule in
-				<a href="/team/{team}/{env}/app/{app}/yaml">manifest</a>. Are namespace or cluster missing
-				from rule? Does the application exist?
-			{:else if $data.rule.mutualExplanation === 'RULE_NOT_FOUND'}
-				Please add inbound rule for {app}.{team}.{env} to {$data.rule.application}.{$data.rule
-					.namespace || team}.{$data.rule.cluster ? $data.rule.cluster : env}
-				<a
-					href="/team/{$data.rule.namespace || team}/{$data.rule.cluster
-						? $data.rule.cluster
-						: env}/app/{$data.rule.application}/yaml">manifest</a
-				>.
-			{:else}
-				{$data.rule.mutualExplanation}
-			{/if}
-			<br />Consult
-			<a href="https://docs.nais.io/nais-application/application/?h=#accesspolicy"
-				>Nais Application reference - accessPolicy</a
-			>.</Alert
-		>
-	</div>
-{:else}
-	<div class="wrapper">
-		<Alert variant="error">Unkown error</Alert>
-	</div>
 {/if}
 
 <style>

diff --git a/src/lib/JobErrorTypeToMessage.svelte b/src/lib/JobErrorTypeToMessage.svelte
@@ -76,7 +76,7 @@
 			Nais-yaml might be invalid for application <strong>{job}</strong>.
 		</Alert>
 	{:else if $data.__typename === 'InboundAccessError'}
-		{#if $data.rule.mutualExplanation !== 'NO_ZERO_TRUST' && $data.rule.mutualExplanation !== 'CLUSTER_NOT_FOUND'}
+		{#if $data.rule.mutualExplanation !== 'NO_ZERO_TRUST'}
 			<Alert variant="warning"
 				><a
 					href="/team/{$data.rule.namespace || team}/{$data.rule.cluster