Network Policies

5126d320 · Micah Nagel · dd8cdf9a · 5126d320 · 5126d320 · 5126d320
Commit 5126d320 authored Jun 01, 2021 by Micah Nagel 💰
19 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ---
+## [0.1.6-bb.1] - 2021-06-01
+### Changed
+- Moved tests to gluon library
+### Added
+- Default NetworkPolicies added
 ## [0.1.6-bb.0] - 2021-05-11
 ### Changed
 - Migrated Cypress tests to Helm tests

--- a/chart/Chart.lock
+++ b/chart/Chart.lock
@@ -5,8 +5,8 @@ dependencies:
 - name: minio-instance
  repository: file://./deps/minio
  version: 2.0.9-bb.9
- name: bb-test-lib
+- name: gluon
-  repository: oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates
+  repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon
-  version: 0.5.2
+  version: 0.1.1
-digest: sha256:0a15fa5bcd2dafdc621740c7cd177210b2c875337f32fe78755af8806bba735a
+digest: sha256:d5a1399418dd0d20db43fc884acd0ac51b1f8a3272d81d1e2e4650092ec25d87
-generated: "2021-05-13T10:38:37.154607-06:00"
+generated: "2021-05-28T11:12:03.789056-06:00"
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
--- 
 apiVersion: v2
 name: mattermost
 type: application
-version: "0.1.6-bb.0"
+version: "0.1.6-bb.1"
 appVersion: "5.34.2"
 description: "Deployment of mattermost"
-keywords: 
+keywords:
  - Mattermost
  - Instance
 kubeVersion: ">=1.12.0-0"
 dependencies:
  - name: postgresql
    version: 10.3.5
@@ -21,6 +19,6 @@ dependencies:
    alias: minio
    condition: minio.install
    repository: file://./deps/minio
-  - name: bb-test-lib
+  - name: gluon
-    version: 0.5.2
+    version: 0.1.1
-    repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates"
+    repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon
--- a/chart/charts/bb-test-lib-0.5.2.tgz
+++ b/chart/charts/bb-test-lib-0.5.2.tgz
--- a/chart/charts/gluon-0.1.1.tgz
+++ b/chart/charts/gluon-0.1.1.tgz
--- a/chart/charts/minio-instance-2.0.9-bb.9.tgz
+++ b/chart/charts/minio-instance-2.0.9-bb.9.tgz
--- a/chart/charts/postgresql-10.3.5.tgz
+++ b/chart/charts/postgresql-10.3.5.tgz
--- a/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-elastic-egress.yaml
+{{- if and .Values.networkPolicies.enabled .Values.elasticsearch.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-elastic-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: logging
+      podSelector:
+        matchLabels:
+          common.k8s.elastic.co/type: elasticsearch
+    ports:
+    - port: 9200
+      protocol: TCP
+{{- end }}
--- a/chart/templates/bigbang/networkpolicies/allow-external-filestore.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-external-filestore.yaml
+{{- if and .Values.networkPolicies.enabled (not .Values.minio.install) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-external-filestore-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
--- a/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
+{{- if and .Values.networkPolicies.enabled (not .Values.postgresql.install) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-external-postgres-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
--- a/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-in-ns.yaml
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-in-ns
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - podSelector: {}
+  egress:
+    - to:
+        - podSelector: {}
+{{- end }}
--- a/chart/templates/bigbang/networkpolicies/allow-istio.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-istio.yaml
+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-istio
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}}
+    ports:
+    - port: 8065
+      protocol: TCP
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          istio: pilot
+{{- end }}
--- a/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-monitoring-ingress.yaml
+{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled .Values.enterprise.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-monitoring-ingress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: monitoring
+      podSelector:
+        matchLabels:
+          app: prometheus
+    ports:
+    - port: 8067
+      protocol: TCP
+{{- end }}
--- a/chart/templates/bigbang/networkpolicies/allow-sso-egress.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-sso-egress.yaml
+{{- if and .Values.networkPolicies.enabled .Values.sso.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-sso-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
--- a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml
+{{- $bbtests := .Values.bbtests | default dict -}}
+{{- $cypress := $bbtests.cypress | default dict -}}
+{{- $enabled := (hasKey $bbtests "enabled") -}}
+{{- $artifacts := (hasKey $cypress "artifacts") -}}
+{{- if and $enabled $artifacts }}
+{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled .Values.bbtests.cypress.artifacts }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-test-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      helm-test: enabled
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+          - 169.254.169.254/32
+{{- end }}
+{{- end }}
--- a/chart/templates/bigbang/networkpolicies/deny-default.yaml
+++ b/chart/templates/bigbang/networkpolicies/deny-default.yaml
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  # Deny all ingress
+  ingress: []
+  # Deny egress by default
+  # Allow access to DNS and Kube API
+  egress:
+  - to:
+    - namespaceSelector: {}
+    ports:
+    - port: 53
+      protocol: UDP
+{{- end }}
--- a/chart/templates/tests/test-ui.yaml
+++ b/chart/templates/tests/test-ui.yaml
-{{- include "bb-test-lib.cypress-configmap.overrides" (list . "mattermost-test.cypress-configmap") }}
+{{- include "gluon.tests.cypress-configmap.overrides" (list . "mattermost-test.cypress-configmap") }}
 {{- define "mattermost-test.cypress-configmap" }}
 metadata:
  labels:
    {{ include "mattermost.labels" . | nindent 4 }}
 {{- end }}
 ---
-{{- include "bb-test-lib.cypress-runner.overrides" (list . "mattermost-test.cypress-runner") -}}
+{{- include "gluon.tests.cypress-runner.overrides" (list . "mattermost-test.cypress-runner") -}}
 {{- define "mattermost-test.cypress-runner" -}}
 metadata:
  labels:

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -18,6 +18,12 @@ monitoring:
  enabled: false
  namespace: monitoring
+networkPolicies:
+  enabled: false
+  ingressLabels:
+    app: istio-ingressgateway
+    istio: ingressgateway
 sso:
  enabled: false
  client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-mattermost

--- a/tests/test-values.yml
+++ b/tests/test-values.yml
@@ -4,7 +4,11 @@ minio:
 postgresql:
  install: true
+networkPolicies:
+  enabled: true
 bbtests:
+  enabled: true
  cypress:
    artifacts: true
    envs: