From 551fa4f08396be583db97eeb318f12b8b002deac Mon Sep 17 00:00:00 2001
From: Evgeny Dmitriev
Date: Thu, 21 Mar 2024 21:20:23 +0700
Subject: [PATCH] DE-11 fix iptables for arm64
---
files/template.yaml.tpl | 2 +-
helm/test/integration_test.py | 7 +------
helm/values.yaml | 2 ++
3 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/files/template.yaml.tpl b/files/template.yaml.tpl
index abc39fe..9db7114 100644
--- a/files/template.yaml.tpl
+++ b/files/template.yaml.tpl
@@ -229,7 +229,7 @@ volumes:
value: "{{ template `applicationPort` . }}" - name: NGINX_PORT
value: "{{ getAnnotation .ObjectMeta (withAP "nginx-listen-port") .Config.nginx.listenPort }}"
- command: ["iptables"]
+ command: ["iptables-nft"]
args: ["-t", "nat", "-A", "PREROUTING", "-p", "tcp", "-d", "$(POD_IP)", "--dport", "$(APP_PORT)", "-j", "REDIRECT", "--to-ports", "$(NGINX_PORT)"]
securityContext:
{{ toYaml .Config.sidecar.initContainers.iptables.securityContext | indent 4 }}
diff --git a/helm/test/integration_test.py b/helm/test/integration_test.py
index 5dc6ea5..888f1a4 100644
--- a/helm/test/integration_test.py
+++ b/helm/test/integration_test.py
@@ -13,7 +13,7 @@ FORBIDDEN_HTTP_PATH = '/?id=\'or+1=1--a-\''
SCRIPT_PATH = os.path.dirname(os.path.realpath(__file__))
PATCHES_PATH = f'{SCRIPT_PATH}/kustomize/patches'
-WAIT_PODS_TIMEOUT = '120s'
+WAIT_PODS_TIMEOUT = '180s'
print('PATCHES_PATH: ${PATCHES_PATH}')
patchList = []
@@ -93,11 +93,6 @@ def test_main_functionality(self, config, helpers, teardown_namespace):
# Register teardown and setup resources for test
teardown_namespace['namespace'] = namespace
- # Skip tests with ip-tables if run on arm64
- if ("iptables_enabled" in config) and ("aarch64" in sysconfig.get_platform().split("-")[-1].lower()):
- pytest.skip(f'Skip {config} test since aarch64')
- return
-
helpers.setup_resources(config_path, namespace)
# Need delay here to ensure that service is ready to send traffic to pods
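Review bot: The init container command in files/template.yaml.tpl now hard-codes `iptables-nft` for every architecture, although the commit subject scopes the fix to arm64. This REDIRECT rule is what steers traffic for `$(APP_PORT)` into the nginx listener, so the sidecar image has to ship that binary and the node kernel has to support nf_tables; neither requirement is stated anywhere in the hunk. I would add a comment above the command along the lines of `# nft backend: the legacy iptables backend does not work on the arm64 nodes; requires nf_tables in the node kernel`, adjusted to the actual reason, which I can only infer from the commit subject. If older amd64 nodes without nf_tables are still supported, making the binary name a chart value instead of a literal would avoid regressing them.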
diff --git a/helm/values.yaml b/helm/values.yaml
index dc5097b..5f54825 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -273,6 +273,8 @@ config:
### Security context for `iptables` container ###
securityContext:
+ runAsNonRoot: false
+ runAsUser: 0
capabilities:
add: - NET_ADMIN
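Review bot: The default securityContext for the `iptables` container now pins `runAsUser: 0` with `runAsNonRoot: false` on top of `NET_ADMIN`, and nothing in the visible block limits what that root process can otherwise do. Since the container only installs one NAT rule, I would pair the root UID with `allowPrivilegeEscalation: false` and, under `capabilities`, `drop: ["ALL"]` next to the `add` list, provided the rule still applies with those set. A short comment such as `# root is required: NET_ADMIN added to a non-root UID is not effective for iptables-nft` would tell operators why the override exists. Clusters that enforce non-root pods through admission policy will presumably reject this default, which is worth noting in the chart documentation. The securityContext block may continue below the hunk, so a drop list could already exist there.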