fix: kubeapi netpol generation now also includes the ip from the kube…

…rnetes service (#219)

Fixes a bug in EKS vpc-cni for gitlab where the gitlab pods couldn't
talk to the api server

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request)
followed

Co-authored-by: Micah Nagel <micah.nagel@defenseunicorns.com>
Co-authored-by: Tristan Holaday <40547442+TristanHoladay@users.noreply.github.com>

src/pepr/operator/controllers/network/generators/kubeAPI.ts

@@ -8,11 +8,12 @@ import { anywhere } from "./anywhere";
 let apiServerPeers: V1NetworkPolicyPeer[];
 
 /**
- * Initialize the API server CIDR by getting the EndpointSlice for the API server
+ * Initialize the API server CIDR by getting the EndpointSlice and Service for the API server
  */
 export async function initAPIServerCIDR() {
   const slice = await K8s(kind.EndpointSlice).InNamespace("default").Get("kubernetes");
-  await updateAPIServerCIDR(slice);
+  const svc = await K8s(kind.Service).InNamespace("default").Get("kubernetes");
+  await updateAPIServerCIDR(slice, svc);
 }
 
 /**
@@ -30,17 +31,41 @@ export function kubeAPI() {
   return [anywhere];
 }
 
+/**
+ * When the kubernetes EndpointSlice is created or updated, update the API server CIDR
+ * @param slice The EndpointSlice for the API server
+ */
+export async function updateAPIServerCIDRFromEndpointSlice(slice: kind.EndpointSlice) {
+  const svc = await K8s(kind.Service).InNamespace("default").Get("kubernetes");
+  await updateAPIServerCIDR(slice, svc);
+}
+
+/**
+ * When the kubernetes Service is created or updated, update the API server CIDR
+ * @param svc The Service for the API server
+ */
+export async function updateAPIServerCIDRFromService(svc: kind.Service) {
+  const slice = await K8s(kind.EndpointSlice).InNamespace("default").Get("kubernetes");
+  await updateAPIServerCIDR(slice, svc);
+}
+
 /**
  * Update the API server CIDR and update the NetworkPolicies
  *
  * @param slice The EndpointSlice for the API server
+ * @param svc The Service for the API server
  */
-export async function updateAPIServerCIDR(slice: kind.EndpointSlice) {
+export async function updateAPIServerCIDR(slice: kind.EndpointSlice, svc: kind.Service) {
   const { endpoints } = slice;
+  const k8sApiIP = svc.spec?.clusterIP;
 
   // Flatten the endpoints into a list of IPs
   const peers = endpoints?.flatMap(e => e.addresses);
 
+  if (k8sApiIP) {
+    peers?.push(k8sApiIP);
+  }
+
   // If the peers are found, cache and process them
   if (peers?.length) {
     apiServerPeers = peers.flatMap(ip => ({

src/pepr/operator/index.ts

@@ -3,7 +3,11 @@ import { a } from "pepr";
 import { When } from "./common";
 import { cleanupNamespace } from "./controllers/istio/injection";
 import { purgeSSOClients } from "./controllers/keycloak/client-sync";
-import { initAPIServerCIDR, updateAPIServerCIDR } from "./controllers/network/generators/kubeAPI";
+import {
+  initAPIServerCIDR,
+  updateAPIServerCIDRFromEndpointSlice,
+  updateAPIServerCIDRFromService,
+} from "./controllers/network/generators/kubeAPI";
 import { UDSPackage } from "./crd";
 import { validator } from "./crd/validator";
 import { reconciler } from "./reconciler";
@@ -20,7 +24,14 @@ When(a.EndpointSlice)
   .IsCreatedOrUpdated()
   .InNamespace("default")
   .WithName("kubernetes")
-  .Watch(updateAPIServerCIDR);
+  .Watch(updateAPIServerCIDRFromEndpointSlice);
+
+// Watch for changes to the API server Service and update the API server CIDR
+When(a.Service)
+  .IsCreatedOrUpdated()
+  .InNamespace("default")
+  .WithName("kubernetes")
+  .Watch(updateAPIServerCIDRFromService);
 
 // Watch for changes to the UDSPackage CRD and cleanup the namespace mutations
 When(UDSPackage)