Merge branch 'network-policies' into 'main'

Network policies

See merge request !4

CHANGELOG.md

 # Changelog
 
+## [29.1.0-bb.2]
+# Added
+* default-deny-all network policy
+* istio network policy
+* monitoring network policy

chart/Chart.yaml

 apiVersion: v2
 name: nexus-repository-manager
-version: 29.1.0-bb.1
+version: 29.1.0-bb.2
 appVersion: 3.29.0
 description: Sonatype Nexus Repository Manager - Universal Binary repository
 type: application

chart/templates/bigbang/networkpolicies/default-deny-all.yaml

+{{ if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress: []
+  egress: []
+{{- end }}
+

chart/templates/bigbang/networkpolicies/istio.yaml

+{{ if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-istio-ingressgateway
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}}
+    ports:
+      - port: {{ .Values.nexus.nexusPort }}
+      {{- range .Values.nexus.docker.registries }}
+      - port: {{ .port }}
+      {{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-istio-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+    - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          istio: pilot
+    ports:
+    - port: 15012
+{{- end }}

chart/templates/bigbang/networkpolicies/kube-api-egress.yaml

+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: kube-api-dns-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  egress:
+  - to:
+    - namespaceSelector: {}
+    ports:
+    - port: 443
+      protocol: TCP
+    - port: 53
+      protocol: UDP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: nexus-repository-manager
+  policyTypes:
+  - Egress
\ No newline at end of file

chart/templates/bigbang/networkpolicies/monitoring.yaml

+{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-scraping
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            app.kubernetes.io/name: monitoring
+        podSelector:
+          matchLabels:
+            app: prometeus
+      ports:
+      - port: {{ .Values.nexus.nexusPort }}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: nexus-repository-manager
+  policyTypes:
+    - Ingress
+{{- end }}
+

chart/values.yaml

@@ -6,6 +6,13 @@ istio:
   nexus:
     gateways:
     - "istio-system/main"
+
+networkPolicies:
+  enabled: false
+  ingressLabels:
+    app: istio-ingressgateway
+    istio: ingressgateway
+
 monitoring:
   enabled: false
 license_key: ""

tests/test-values.yml

@@ -4,5 +4,6 @@ istio:
 nexus:
   imagePullSecrets: 
   - name: private-registry-mil
- 
+networkPolicies:
+  enabled: true