Story
Resolution: Unresolved
Normal
Security & Compliance
False
False
3
Summary
OTA-1609 covers the OSUS operand with a Network Policy that allows all egress, so that OSUS can scrape image registries. This Network Policy can be tightened to allow egress only on a specific port: the default (443), a port specified by the registry location (registry.host:8080), or one possibly influenced by a cluster-wide proxy. Whether the cluster-wide proxy should be respected also depends on whether the scraped registry is accessed through an internal endpoint (say, a cluster-collocated Quay exposed through a Service) or not.
This is likely a stretch goal for OTA-1498; the OTA-1609 operand coverage is probably enough initially.
Definition of Done
- The NetworkPolicy created for each UpdateService (OTA-1609) should restrict the communication to the minimal possible port
- Default should be 443
- Registry URI may specify a port
- Proxy may specify a port, and OSUS will use the proxy if scraping a cluster-external location
- Proxy should not come into picture if scraping cluster-internal location (.svc)
Testing
- Expected NetworkPolicy resources are created for each UpdateService instance
- OSUS must be able to work as normal, that is, scrape the image registry and serve the content through the route endpoint
- Tested configurations should likely include a default, registry with specified port and proxy with specified port
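The port-selection rules from the Definition of Done, and the three configurations listed under Testing (default, registry with a port, proxy with a port), worked through as an added Go example. This is illustration code written for this page, not the cincinnati-operator's own implementation: it resolves which single host:port the UpdateService pods need to reach and renders an egress-only NetworkPolicy for that port. The `app` pod label, the `-egress` name suffix, the `updateservice.example/egress-host` annotation, and the rule that a proxy URL without a port falls back to its scheme's default (80 for http, 443 for https) are assumptions, not anything the ticket specifies.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// defaultRegistryPort is used when the registry location carries no port (ticket: default 443).
const defaultRegistryPort = 443

// EgressTarget is the single host and TCP port the UpdateService pods must be allowed to reach:
// the registry itself, or the cluster-wide proxy when the registry is cluster-external.
type EgressTarget struct {
	Host     string
	Port     int
	ViaProxy bool
}

// parseHostPort extracts host and port from a registry or proxy location. A bare "host[:port]"
// is accepted as well as a full URL; def is returned as the port when none is given.
func parseHostPort(raw string, def int) (string, int, error) {
	if !strings.Contains(raw, "://") {
		raw = "https://" + raw // add a scheme only so net/url splits host and port for us
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", 0, fmt.Errorf("parse %q: %w", raw, err)
	}
	host := u.Hostname()
	if host == "" {
		return "", 0, fmt.Errorf("%q has no host", raw)
	}
	if u.Port() == "" {
		return host, def, nil
	}
	p, err := strconv.Atoi(u.Port())
	if err != nil || p < 1 || p > 65535 {
		return "", 0, fmt.Errorf("%q: invalid port %q", raw, u.Port())
	}
	return host, p, nil
}

// isClusterInternal reports whether host is a Service DNS name (".svc" or ".svc.cluster.local"),
// i.e. a location that is reached directly and never through the cluster-wide proxy.
func isClusterInternal(host string) bool {
	h := strings.TrimSuffix(strings.ToLower(host), ".")
	return strings.HasSuffix(h, ".svc") || strings.HasSuffix(h, ".svc.cluster.local")
}

// ResolveEgress applies the Definition-of-Done rules: the registry's port (default 443) when the
// registry is cluster-internal or no proxy is configured, otherwise the proxy's host and port.
// proxyURL is the cluster-wide proxy location (e.g. the Proxy resource's httpsProxy); "" means none.
func ResolveEgress(registry, proxyURL string) (EgressTarget, error) {
	if strings.TrimSpace(registry) == "" {
		return EgressTarget{}, errors.New("registry location must not be empty")
	}
	host, port, err := parseHostPort(registry, defaultRegistryPort)
	if err != nil {
		return EgressTarget{}, err
	}
	if proxyURL == "" || isClusterInternal(host) {
		return EgressTarget{Host: host, Port: port}, nil
	}
	// Assumption beyond the ticket: a proxy URL without a port uses its scheme's default.
	proxyDefault := 80
	if strings.HasPrefix(strings.ToLower(proxyURL), "https://") {
		proxyDefault = 443
	}
	pHost, pPort, err := parseHostPort(proxyURL, proxyDefault)
	if err != nil {
		return EgressTarget{}, fmt.Errorf("proxy: %w", err)
	}
	return EgressTarget{Host: pHost, Port: pPort, ViaProxy: true}, nil
}

// RenderNetworkPolicy renders an egress-only NetworkPolicy permitting just the resolved TCP port.
// NetworkPolicy cannot match DNS names, so the host is only recorded in an (assumed) annotation.
func RenderNetworkPolicy(name, namespace string, t EgressTarget) string {
	return fmt.Sprintf(`apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: %s-egress
  namespace: %s
  annotations:
    updateservice.example/egress-host: %q
spec:
  podSelector:
    matchLabels:
      app: %s
  policyTypes:
  - Egress
  egress:
  - ports:
    - protocol: TCP
      port: %d
`, name, namespace, t.Host, name, t.Port)
}

func main() {
	// Constructed sample inputs covering the configurations named under Testing.
	for _, c := range []struct{ registry, proxy string }{
		{"registry.host", ""},
		{"registry.host:8080", ""},
		{"https://quay.example.com/openshift/graph-data", "http://proxy.corp.example:3128"},
		{"quay.openshift-operators.svc:8443", "http://proxy.corp.example:3128"},
	} {
		t, err := ResolveEgress(c.registry, c.proxy)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s proxy=%q -> %s:%d viaProxy=%v\n", c.registry, c.proxy, t.Host, t.Port, t.ViaProxy)
	}
	fmt.Print(RenderNetworkPolicy("sample-updateservice", "openshift-update-service", EgressTarget{Host: "registry.host", Port: 8080}))
}
```

Two caveats a reviewer of the real policy would check: the rendered rule restricts only the port, because a NetworkPolicy has no hostname selector, so any host on that port stays reachable unless an `ipBlock` is added for a resolved address; and a policy this narrow also has to allow DNS egress (port 53 to the cluster DNS) or the registry hostname will never resolve, which is exactly the kind of breakage the "OSUS must be able to work as normal" test is meant to catch.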
Clones: OTA-1609 Implement basic Network Policies for OSUS operands (To Do)