From 78164723d50b1012015d938c9cf4dc7720219c3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Grzegorz=20Burzy=C5=84ski?=
Date: Mon, 5 Feb 2024 18:31:49 +0100
Subject: [PATCH] feat: install default allow-all traffic permission when kuma >= 2.6.0 (#957)

---
 CHANGELOG.md | 5 ++++-
 pkg/clusters/addons/kuma/addon.go | 31 ++++++++++++++++++++++++++++++-
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ff915f40..d693ef51 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,10 +1,13 @@
 # Changelog
-## Unreleased
+## v0.45.0
 - `Kuma` addon now properly uses the Helm chart version passed in its builder's `WithVersion` method. [#949](https://github.com/Kong/kubernetes-testing-framework/pull/949)
+- When `Kuma` addon is used with version greater or equal to `2.6.0` and mTLS enabled,
+ a default allow-all `TrafficPermission` gets installed to preserve previous behavior.
+ [#950](https://github.com/Kong/kubernetes-testing-framework/pull/950)
 ## v0.44.0
diff --git a/pkg/clusters/addons/kuma/addon.go b/pkg/clusters/addons/kuma/addon.go
index 0f28eaa9..75dc3dec 100644
--- a/pkg/clusters/addons/kuma/addon.go
+++ b/pkg/clusters/addons/kuma/addon.go
@@ -234,12 +234,36 @@ spec:
 name: ca-1
 type: builtin
 enabledBackend: ca-1`
+
+ allowAllTrafficPermission = `apiVersion: kuma.io/v1alpha1
+kind: MeshTrafficPermission
+metadata:
+ name: allow-all
+ namespace: kuma-system
+ labels:
+ kuma.io/mesh: default
+spec:
+ targetRef:
+ kind: Mesh
+ from:
+ - targetRef:
+ kind: Mesh
+ default:
+ action: Allow`
+)
+
+var (
+ // From Kuma 2.6.0, the default mesh traffic permission is no longer created by default
+ // and must be created manually if mTLS is enabled.
+ // https://github.com/kumahq/kuma/blob/2.6.0/UPGRADE.md#default-trafficroute-and-trafficpermission-resources-are-not-created-when-creating-a-new-mesh
+ installDefaultMeshTrafficPermissionCutoffVersion = semver.MustParse("2.6.0")
 )
 
 // enableMTLS attempts to apply a Mesh resource with a basic retry mechanism to deal with delays in the Kuma webhook
 // startup
 func (a *Addon) enableMTLS(ctx context.Context, cluster clusters.Cluster) (err error) {
 ticker := time.NewTicker(5 * time.Second) //nolint:gomnd
+ defer ticker.Stop()
 timeoutTimer := time.NewTimer(time.Minute)
 
 for {
@@ -247,7 +271,12 @@ func (a *Addon) enableMTLS(ctx context.Context, cluster clusters.Cluster) (err e
 case <-ctx.Done():
 return fmt.Errorf("context completed while retrying to apply Mesh")
 case <-ticker.C:
-err = clusters.ApplyManifestByYAML(ctx, cluster, mtlsEnabledDefaultMesh)
+yamlToApply := mtlsEnabledDefaultMesh
+if v, ok := a.Version(); ok && v.GTE(installDefaultMeshTrafficPermissionCutoffVersion) {
+a.logger.Infof("Kuma version is %s or later, creating default mesh traffic permission", installDefaultMeshTrafficPermissionCutoffVersion)
+yamlToApply = strings.Join([]string{mtlsEnabledDefaultMesh, allowAllTrafficPermission}, "\n---\n")
+}
+err = clusters.ApplyManifestByYAML(ctx, cluster, yamlToApply)
 if err == nil {
 return nil
 }
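Review bot: `allowAllTrafficPermission` carries no comment saying what it grants: a `MeshTrafficPermission` whose `targetRef` and `from` are both `kind: Mesh` with `action: Allow`, so every workload in the `default` mesh may reach every other one and mTLS here supplies encryption and identity but no authorization. Any test that exercises Kuma traffic-policy enforcement would have to delete or override `allow-all` first, and the constant should say so, e.g. `// allowAllTrafficPermission lets every workload in the default mesh reach every other one. It restores the pre-2.6.0 default; tests that verify MeshTrafficPermission enforcement must remove or override it.` Separately, `defer ticker.Stop()` is added on the line before `timeoutTimer := time.NewTimer(time.Minute)`, but that timer is never stopped; `defer timeoutTimer.Stop()` would mirror the new ticker handling. enableMTLS continues past the end of this hunk.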
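Review bot: When `a.Version()` reports `ok == false`, the new `if` silently falls back to applying only `mtlsEnabledDefaultMesh`; if an addon built without a pinned version resolves to a chart at or above 2.6.0 (the version resolution is not visible here, so this is a guess), the mesh ends up with mTLS on and no traffic permission, which is the deny-all state this change sets out to avoid, and nothing in the logs explains it. At minimum log the skipped case, e.g. `} else if !ok { a.logger.Infof("Kuma version unknown, not installing default mesh traffic permission") }`, or document the intended behavior for an unknown version next to the check. The version comparison, the `strings.Join` and the `Infof` line also run on every 5-second tick, so a slow webhook repeats the log message each retry; computing `yamlToApply` once before the `for` loop (which begins outside this hunk) would make the log fire once and keep the retry body to the apply call. enableMTLS continues past the end of this hunk.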