Merge pull request #77 from brjos/master

[common]: add egress and namespaceSelector in networkpolicy
bedag · Apr 4, 2023 · a848b7b · a848b7b
2 parents b5b5e3d + 794bc76
commit a848b7b
Show file tree

Hide file tree

Showing 8 changed files with 233 additions and 102 deletions.
diff --git a/charts/common/Chart.yaml b/charts/common/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: common
 description: "Bedag's common Helm chart to use for creating other Helm charts"
-version: 9.1.3
+version: 10.0.0
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
@@ -27,5 +27,6 @@ annotations:
   artifacthub.io/prerelease: "false"
   artifacthub.io/license: Apache-2.0
   artifacthub.io/changes: |
-    - "[Fixed]: Allows controller replica of count 0"
-    - "[Fixed]: Typo in volumemout of binaryfiles"
+    - "[Changed]: possibility to create multiple networkpolicies"
+    - "[Added]: namespaceSelector in networkpolicy"
+    - "[Added]: egress networkpolicies"
diff --git a/charts/common/README.md b/charts/common/README.md
@@ -1,6 +1,6 @@
 # common
 
-![Version: 9.1.3](https://img.shields.io/badge/Version-9.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 10.0.0](https://img.shields.io/badge/Version-10.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 Bedag's common Helm chart to use for creating other Helm charts
 
@@ -22,6 +22,7 @@ Major Changes to functions are documented with the version affected. **Before up
 | :----------- | :---------------- | :--------------------- | :-------------- |
 |logPersistence removed|8.0.0|Removes logPersistence functionality as it can be achieved with volumeMounts & extraVolumeClaimTemplates and is buggy anyway.|https://github.com/bedag/helm-charts/pull/68|
 |networkpolicy template changes|9.0.0|add possibility to define more than one Port in networkpolicy|https://github.com/bedag/helm-charts/pull/70|
+|networkpolicy template changes|10.0.0|add possibility to create multiple networkpolicies|https://github.com/bedag/helm-charts/pull/77|
 
 ## Values
 
@@ -45,7 +46,7 @@ Major Changes to functions are documented with the version affected. **Before up
 | components.component-1.controller.tolerations | list | `[]` |  |
 | components.component-1.controller.type | string | `"Deployment"` |  |
 | components.component-1.controller.volumes | list | `[]` |  |
-| components.component-1.networkpolicy.deploy | bool | `false` |  |
+| components.component-1.networkpolicies | object | `{}` |  |
 | components.component-1.services.service-1.deploy | bool | `false` |  |
 | defaultTag | string | `"latest"` |  |
 | ingress.annotations."nginx.ingress.kubernetes.io/ssl-redirect" | string | `"true"` |  |

diff --git a/charts/common/README.md.gotmpl b/charts/common/README.md.gotmpl
@@ -31,6 +31,7 @@ Major Changes to functions are documented with the version affected. **Before up
 | :----------- | :---------------- | :--------------------- | :-------------- |
 |logPersistence removed|8.0.0|Removes logPersistence functionality as it can be achieved with volumeMounts & extraVolumeClaimTemplates and is buggy anyway.|https://github.com/bedag/helm-charts/pull/68|
 |networkpolicy template changes|9.0.0|add possibility to define more than one Port in networkpolicy|https://github.com/bedag/helm-charts/pull/70|
+|networkpolicy template changes|10.0.0|add possibility to create multiple networkpolicies|https://github.com/bedag/helm-charts/pull/77|
 {{/*
   Chart Values
 */}}

diff --git a/charts/common/ci/values.test.yaml b/charts/common/ci/values.test.yaml
@@ -43,11 +43,23 @@ components:
           - 10.0.0.0/8
     # end common.service
     # start common.networkpolicy
-    networkpolicy:
-      deploy: true
-      podSelector:
-      - matchLabels:
-          app.kubernetes.io/component: component-2
+    networkpolicies:
+      networkpolicy-1:
+        policyTypes:
+          - Ingress
+          - Egress
+        ingress:
+          namespaceSelector:
+          - matchLabels:
+              kubernetes.io/metadata.name: namespace-1
+          podSelector:
+          - matchLabels:
+              app.kubernetes.io/component: component-2
+        egress:
+          namespaceSelector:
+          - matchLabels:
+              kubernetes.io/metadata.name: namespace-1
+
     # end common.networkpolicy
     controller:
       deploy: true
@@ -134,10 +146,13 @@ components:
         deploy: true
     # end common.service
     # start common.networkpolicy
-    networkpolicy:
-      deploy: true
-      ipBlock:
-        cidr: 0.0.0.0/0
+    networkpolicies:
+      networkpolicy-1:
+        policyTypes:
+          - Ingress
+        ingress:
+          ipBlock:
+            cidr: 0.0.0.0/0
     # end common.networkpolicy
     controller:
       deploy: true
@@ -207,13 +222,16 @@ components:
         deploy: true
     # end common.service
     # start common.networkpolicy
-    networkpolicy:
-      deploy: true
-      ingressPorts:
-      - protocol: TCP
-        port: "8080"
-      - protocol: TCP
-        port: "8081"
+    networkpolicies:
+      networkpolicy-1:
+        policyTypes:
+          - Ingress
+        ingress:
+          ports:
+          - protocol: TCP
+            port: 8080
+          - protocol: TCP
+            port: 8081
     # end common.networkpolicy
     controller:
       deploy: true
@@ -281,10 +299,6 @@ components:
       service-1:
         deploy: false
     # end common.service
-    # start common.networkpolicy
-    networkpolicy:
-      deploy: false
-    # end common.networkpolicy
 
     controller:
       deploy: true

diff --git a/charts/common/templates/_networkpolicy-sections.yaml b/charts/common/templates/_networkpolicy-sections.yaml
@@ -0,0 +1,35 @@
+{{- define "networkpolicy.sections" -}}
+{{- $section := . }}
+{{- if $section.ipBlock }}
+- ipBlock:
+    cidr: {{ $section.ipBlock.cidr }}
+{{- end }}
+{{- if $section.namespaceSelector }}
+{{- range $section.namespaceSelector }}
+{{- if .matchLabels }}
+- namespaceSelector:
+    matchLabels:
+      {{- range $key, $val := .matchLabels }}
+      {{ $key }}: {{ $val | quote }}
+      {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if $section.podSelector }}
+{{- range $section.podSelector }}
+{{- if .matchLabels }}
+- podSelector:
+    matchLabels:
+      {{- range $key, $val := .matchLabels }}
+      {{ $key }}: {{ $val | quote }}
+      {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if $section.ports }}
+ports:
+{{- with $section.ports }}
+{{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/common/templates/_networkpolicy.yaml b/charts/common/templates/_networkpolicy.yaml
@@ -17,14 +17,14 @@ spec:
 
 {{- $root := . }}
 {{- range $name, $component := .Values.components }}
-{{- if $component.networkpolicy }}
-{{- $networkpolicy := $component.networkpolicy }}
-{{- if $networkpolicy.deploy }}
+{{- if $component.networkpolicies }}
+{{- range $networkpolicyname, $networkpolicy := $component.networkpolicies }}
+{{- if $networkpolicy }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: {{ template "library.name" $root }}-{{ $name }}
+  name: {{ template "library.name" $root }}-{{ $name }}-{{ $networkpolicyname }}
   labels:
 {{ include "library.labels.standard" $root | indent 4 }}
     app.kubernetes.io/component: {{ $name }}
@@ -34,30 +34,22 @@ spec:
       app.kubernetes.io/name: {{ template "library.name" $root }}
       app.kubernetes.io/component: {{ $name }}
   policyTypes:
-    - Ingress
+    {{- range $policytype := $networkpolicy.policyTypes }}
+    - {{ $policytype | quote }}
+    {{- end }}
+  {{- if $networkpolicy.ingress }}
+  {{- $section := $networkpolicy.ingress }}
   ingress:
     - from:
-      {{- if $networkpolicy.ipBlock }}
-      - ipBlock:
-          cidr: {{ $networkpolicy.ipBlock.cidr }}
-      {{- end }}
-      {{- if $networkpolicy.podSelector }}
-      {{- range $networkpolicy.podSelector }}
-      {{- if .matchLabels }}
-      - podSelector:
-          matchLabels:
-            {{- range $key, $val := .matchLabels }}
-            {{ $key }}: {{ $val | quote }}
-            {{- end }}
-      {{- end }}
-      {{- end }}
-      {{- end }}
-      {{- if $networkpolicy.ingressPorts }}
-      ports:
-      {{- with $networkpolicy.ingressPorts }}
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- end }}
+      {{- include "networkpolicy.sections" $section | indent 6 }}
+  {{- end }}
+  {{- if $networkpolicy.egress }}
+  {{- $section := $networkpolicy.egress }}
+  egress:
+    - to:
+      {{- include "networkpolicy.sections" $section | indent 6 }}
+  {{- end }}
+{{- end }}
 {{- end }}
 {{- end }}
 {{- end }}

diff --git a/charts/common/values.schema.json b/charts/common/values.schema.json
@@ -119,7 +119,10 @@
                 "type": "string"
               },
               "containerPort": {
-                "type": "integer"
+                "type": [
+                  "number",
+                  "string"
+                ]
               }
             }
           }
@@ -276,6 +279,76 @@
           "default": "http"
         }
       }
+    },
+    "networkpolicyType": {
+      "type": "object",
+      "properties": {
+        "ipBlock": {
+          "type": "object",
+          "required": [
+            "cidr"
+          ],
+          "properties": {
+            "cidr": {
+              "type": "string"
+            }
+          }
+        },
+        "namespaceSelector": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "patternProperties": {
+              "^.*$": {
+                "type": "object",
+                "patternProperties": {
+                  "^.*$": {
+                    "type": "string"
+                  }
+                }
+              }
+            }
+          }
+        },
+        "podSelector": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "patternProperties": {
+              "^.*$": {
+                "type": "object",
+                "patternProperties": {
+                  "^.*$": {
+                    "type": "string"
+                  }
+                }
+              }
+            }
+          }
+        },
+        "ports": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "protocol": {
+                "type": "string",
+                "enum": [
+                  "TCP",
+                  "UDP",
+                  "SCTP"
+                ]
+              },
+              "port": {
+                "type": [
+                  "number",
+                  "string"
+                ]
+              }
+            }
+          }
+        }
+      }
     }
   },
   "properties": {
@@ -620,44 +693,24 @@
                 }
               }
             },
-            "networkpolicy": {
+            "networkpolicies": {
               "type": "object",
-              "required": [
-                "deploy"
-              ],
-              "properties": {
-                "deploy": {
-                  "type": "boolean",
-                  "default": false
-                },
-                "ipBlock": {
+              "patternProperties": {
+                "^.*$": {
                   "type": "object",
-                  "required": [
-                    "cidr"
-                  ],
                   "properties": {
-                    "cidr": {
-                      "type": "string"
-                    }
-                  }
-                },
-                "ingressPorts": {
-                  "type": "array",
-                  "items": {
-                    "type": "object",
-                    "properties": {
-                      "protocol": {
+                    "policyTypes": {
+                      "type": "array",
+                      "items": {
                         "type": "string",
-                        "default": "TCP",
-                        "enum": [
-                          "TCP",
-                          "UDP",
-                          "SCTP"
-                        ]
-                      },
-                      "port": {
-                        "type": "integer"
+                        "enum": ["Ingress", "Egress"]
                       }
+                    },
+                    "ingress": {
+                      "$ref": "#/$defs/networkpolicyType"
+                    },
+                    "egress": {
+                      "$ref": "#/$defs/networkpolicyType"
                     }
                   }
                 }