Merge branch 'np-init' into 'main-minio2'

Fix MM NP Bug See merge request !40

Merge branch 'np-init' into 'main-minio2'
Fix MM NP Bug See merge request !40
9f9b8ca9 · Micah Nagel · a143a98d · a0744fa5 · 9f9b8ca9 · 9f9b8ca9
Commit 9f9b8ca9 authored Jun 21, 2021 by Micah Nagel 💰
7 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

 ---

+## [0.1.6-bb.5] - 2021-06-21
+### Fixed
+- NetworkPolicy blocking an init container, added policy to allow postgres egress for the init container
+- Redo of test egress
+- Move around DNS policy
+
 ## [0.1.6-bb.4] - 2021-06-07
 ### Added
 - Ability to pass volumes / volumeMounts to MM pods

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: mattermost
 type: application
-version: "0.1.6-bb.4"
+version: "0.1.6-bb.5"
 appVersion: "5.34.2"
 description: "Deployment of mattermost"
 keywords:

--- a/chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-dns-egress.yaml
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-dns-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  # Allow access to DNS
+  egress:
+  - to:
+    - namespaceSelector: {}
+    ports:
+    - port: 53
+      protocol: UDP
+{{- end }}
--- a/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-external-postgres.yaml
@@ -17,4 +17,23 @@ spec:
        # ONLY Block requests to AWS metadata IP
        except:
        - 169.254.169.254/32
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-external-postgres-egress-upgrade
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: mattermost-update-check
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
 {{- end }}
--- a/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-test-egress.yaml
@@ -11,9 +11,16 @@ spec:
  podSelector:
    matchLabels:
      helm-test: enabled
+  egress:
+  - to:
+    - ipBlock:
+        cidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+        {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }}
+        # ONLY Block requests to cloud metadata IP
+        except:
+        - 169.254.169.254/32
+        {{- end }}
  policyTypes:
  - Egress
-  egress:
-  - {}
 {{- end }}
 {{- end }}
--- a/chart/templates/bigbang/networkpolicies/deny-default.yaml
+++ b/chart/templates/bigbang/networkpolicies/deny-default.yaml
@@ -9,14 +9,6 @@ spec:
  policyTypes:
  - Ingress
  - Egress
-  # Deny all ingress
  ingress: []
-  # Deny egress by default
-  # Allow access to DNS and Kube API
-  egress:
-  - to:
-    - namespaceSelector: {}
-    ports:
-    - port: 53
-      protocol: UDP
+  egress: []
 {{- end }}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -23,6 +23,7 @@ networkPolicies:
  ingressLabels:
    app: istio-ingressgateway
    istio: ingressgateway
+  controlPlaneCidr: 0.0.0.0/0

 sso:
  enabled: false