diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4cd73902eaccbe2ff120d3617087f581f12e2962..ec31ad8fc9cd7333fcc414ca2f5dfb84a598d30c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+## [9.2.6-bb.10] - 2021-05-24
+### Added
+- Adding network policies.
+
 ## [9.2.6-bb.9] - 2021-05-10
 ### Changed
 - Moved cypress testing to the new helm test structure.
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 592e43429b2cb8c178cbf053e9b3da72fb7a15fe..515f121e7d03702efdfadff700b504933dfce3e7 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: 8.7.1-community
 name: sonarqube
 description: SonarQube is an open sourced code quality scanning tool
-version: 9.2.6-bb.9
+version: 9.2.6-bb.10
 keywords:
   - coverage
   - security
@@ -18,6 +18,6 @@ maintainers:
   - name: tsiddique
     email: tsiddique@live.com
 dependencies:
-  - name: bb-test-lib
-    version: "0.4.0"
-    repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates"
+  - name: gluon
+    version: "0.1.1"
+    repository: "oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon"
diff --git a/chart/charts/.gitkeep b/chart/charts/.gitkeep
deleted file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000
diff --git a/chart/charts/bb-test-lib-0.4.0.tgz b/chart/charts/bb-test-lib-0.4.0.tgz
deleted file mode 100644
index 75be43576bcc47b2ea027059ec8ce1b94b9f5dcf..0000000000000000000000000000000000000000
Binary files a/chart/charts/bb-test-lib-0.4.0.tgz and /dev/null differ
diff --git a/chart/charts/gluon-0.1.1.tgz b/chart/charts/gluon-0.1.1.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..b4a4878dae126348cdee9d80977a15121ba59f9f
Binary files /dev/null and b/chart/charts/gluon-0.1.1.tgz differ
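Review bot: The regenerated `chart/requirements.lock` (next file) lists only the new gluon dependency, while the lock it replaces listed a postgresql dependency from `file://./deps/postgresql`, and nothing in the `dependencies` hunk removes a postgresql entry from Chart.yaml. If that dependency is still declared below line 23 — the new postgres-egress template still keys off `.Values.postgresql.enabled` — the lock digest no longer covers it and `helm dependency build` will report the lock out of sync; if the dependency was dropped on purpose, the `### Added` changelog entry should mention it alongside the network policies. The pinned `version: "0.1.1"` for the OCI library chart is fine as written.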
diff --git a/chart/requirements.lock b/chart/requirements.lock
index df6e03a166dd1e0ca1fc10fa82dbf5767b823bc9..f7b92aa528c3cda8b174093f53d621e1e112a8ff 100644
--- a/chart/requirements.lock
+++ b/chart/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
-- name: postgresql
-  repository: file://./deps/postgresql
-  version: 8.6.4
-digest: sha256:ee20a56a481163f172694703dccf40e88ca9f8a5a4b1637f8dce3361f592aed2
-generated: "2021-05-07T13:46:34.5689816-06:00"
+- name: gluon
+  repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon
+  version: 0.1.1
+digest: sha256:cf1107c00a11cde8074a39624643312fe85ee11250bb7d9380e3787bde0af0f7
+generated: "2021-05-25T13:09:48.372995-06:00"
diff --git a/chart/templates/bigbang/networkpolicies/default-deny-all.yaml b/chart/templates/bigbang/networkpolicies/default-deny-all.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6ee4c27f440608768c550d8186ec535d23ad2d17
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/default-deny-all.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector: {}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/helm-test-network-policy.yaml b/chart/templates/bigbang/networkpolicies/helm-test-network-policy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..fd3d356a2f95ea489c9de7af1b24c42f058d1d1c
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/helm-test-network-policy.yaml
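Review bot: The `egress` rule at the end of the default-deny-all hunk (`to: - namespaceSelector: {}`) permits egress to every pod in every namespace, so despite the `default-deny-all` name this policy denies only ingress and egress to non-pod destinations such as external IPs. If the intent is merely to keep DNS working, a rule scoped to the cluster DNS pods would be much tighter; otherwise the intent should be stated so nobody assumes egress is locked down, e.g. `# Egress to any pod in the cluster stays open (DNS and in-cluster services); only ingress and non-pod destinations are denied here` above `egress:`. As written, the `egress` half of `allow-in-ns` in namespace-allow.yaml (further down) adds nothing, and the `istio: pilot` egress rule in istio-allow.yaml is likewise already covered by this one.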
@@ -0,0 +1,26 @@
+{{- $bbtests := .Values.bbtests | default dict -}}
+{{- $cypress := $bbtests.cypress | default dict -}}
+{{- $enabled := (hasKey $bbtests "enabled") -}}
+{{- $artifacts := (hasKey $cypress "artifacts") -}}
+{{- if and $enabled $artifacts }}
+{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled .Values.bbtests.cypress.artifacts }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-helm-test-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      helm-test: enabled
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/istio-allow.yaml b/chart/templates/bigbang/networkpolicies/istio-allow.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3bbc079d14c02b760b1ab6264d20c67f5d419ef5
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/istio-allow.yaml
@@ -0,0 +1,31 @@
+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-istio
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+        {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}}
+    ports:
+    - port: {{ .Values.service.externalPort }}
+      protocol: TCP
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          istio: pilot
+{{- end }}
\ No newline at end of file
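Review bot: The `hasKey` guards on lines 1–5 check only that the keys exist so the condition on line 6 can dereference `.Values.bbtests.enabled` and `.Values.bbtests.cypress.artifacts` without a nil-pointer error; they do not test the values, and nothing says so. A template comment above the outer `if`, such as `{{/* hasKey guards only make the inner if safe when the bbtests keys are absent; the inner if tests the values */}}`, would make the doubled `if`/`end` pairs understandable to the next maintainer. The policy grants any pod labelled `helm-test: enabled` unrestricted IPv4 egress apart from the metadata address, and that label is the only gate, so the same header comment should state that this exists solely for the cypress artifact upload and is therefore conditioned on `bbtests.cypress.artifacts`.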
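Review bot: NetworkPolicy `ports` match the port on the selected pod, not the Service port, so `- port: {{ .Values.service.externalPort }}` in the ingress rule of istio-allow.yaml only works while `externalPort` happens to equal the container port; monitoring-ingress.yaml uses `.Values.service.internalPort` for the same purpose. Using `- port: {{ .Values.service.internalPort }}` here keeps the two policies consistent and survives a user changing `externalPort`. The `app.kubernetes.io/name: istio-controlplane` namespace label is assumed to be present on both the gateway and istiod namespaces — presumably Big Bang labels istio-system that way; a one-line comment naming that dependency would help anyone deploying the chart outside it.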
diff --git a/chart/templates/bigbang/networkpolicies/monitoring-ingress.yaml b/chart/templates/bigbang/networkpolicies/monitoring-ingress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..09bb73821cd03a94a3db1110406ac7fb0973f827
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/monitoring-ingress.yaml
@@ -0,0 +1,19 @@
+{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-scraping
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: monitoring
+    ports:
+    - port: {{ .Values.service.internalPort }}
+      protocol: TCP
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/namespace-allow.yaml b/chart/templates/bigbang/networkpolicies/namespace-allow.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..495131c6ca86c6be9e4e10acf8c8b86bbe95e344
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/namespace-allow.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-in-ns
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - podSelector: {}
+  egress:
+  - to:
+    - podSelector: {}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/networkpolicies/postgres-egress.yaml b/chart/templates/bigbang/networkpolicies/postgres-egress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..bb1abadf97c77f74277703d2314f9a011dceed09
--- /dev/null
+++ b/chart/templates/bigbang/networkpolicies/postgres-egress.yaml
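Review bot: `podSelector: {}` applies `allow-scraping` to every pod in the release namespace, so any pod in the monitoring namespace may reach `internalPort` on every pod here, including the bundled PostgreSQL pods when `postgresql.enabled` is set, although only the SonarQube pod serves that port on purpose. Scoping `podSelector.matchLabels` to the chart's SonarQube pod labels (the ones the Service already selects) and, if the monitoring namespace is shared, adding a `podSelector` for the Prometheus pods under `from` would narrow this to the actual scrape path. The `app.kubernetes.io/name: monitoring` namespace label is assumed rather than documented — presumably set by Big Bang; a comment naming that dependency would help operators outside it.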
@@ -0,0 +1,24 @@
+{{- if and .Values.networkPolicies.enabled (not .Values.postgresql.enabled) }}
+# For external postgres server
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-postgresql-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - ports:
+    - protocol: TCP
+      port: {{ .Values.postgresql.service.port }}
+    to:
+    - ipBlock:
+        # This should be replaced with the IP of postgresql.postgresqlServer
+        #cidr: {{ .Values.postgresql.postgresqlServer }}/32
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/tests/sonarqube-cypress-test.yaml b/chart/templates/tests/sonarqube-cypress-test.yaml
index cdc96355bb27c5ba37306a6e61a46e26419cd2f3..6ccb206bf5e9e63c175f81453998fa38853f8e04 100644
--- a/chart/templates/tests/sonarqube-cypress-test.yaml
+++ b/chart/templates/tests/sonarqube-cypress-test.yaml
@@ -1,4 +1,4 @@
-{{- include "bb-test-lib.cypress-configmap.overrides" (list . "sonarqube-test.cypress-configmap") }}
+{{- include "gluon.tests.cypress-configmap.overrides" (list . "sonarqube-test.cypress-configmap") }}
 {{- define "sonarqube-test.cypress-configmap" }}
 metadata:
   labels:
@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/part-of: sonarqube
 {{- end }}
 ---
-{{- include "bb-test-lib.cypress-runner.overrides" (list . "sonarqube-test.cypress-runner") -}}
+{{- include "gluon.tests.cypress-runner.overrides" (list . "sonarqube-test.cypress-runner") -}}
 {{- define "sonarqube-test.cypress-runner" -}}
 metadata:
   labels:
diff --git a/chart/values.yaml b/chart/values.yaml
index 83a686e648cd2caf5d10f737ff0eb99795470b11..7bb5d87f8be4caec78668f3fb6f6e6cba3120310 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
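Review bot: With `podSelector: {}` and `cidr: 0.0.0.0/0`, `allow-postgresql-egress` lets every pod in the namespace reach any IPv4 address on the PostgreSQL port, and the commented-out `#cidr: {{ .Values.postgresql.postgresqlServer }}/32` records that the author knew it should be narrower; by the comment's own wording ("the IP of") `postgresqlServer` is a hostname, so it cannot simply be uncommented. A dedicated value holding the database CIDR (name to be chosen; shown below as `networkPolicies.postgresqlCidr`, to be added to values.yaml with an empty default) lets operators close this down while keeping today's behaviour as the fallback. Note also that Helm evaluates template actions inside `#` YAML comments, so the disabled `{{ .Values.postgresql.postgresqlServer }}` is still rendered into the output; `{{/* ... */}}` is the right form for a template-level note.
```yaml
# … unchanged: if-guard, apiVersion, metadata, podSelector, policyTypes, ports …
    to:
    - ipBlock:
        {{- if .Values.networkPolicies.postgresqlCidr }}
        {{- /* proposed value: CIDR of the external PostgreSQL server, e.g. "<db-ip>/32" */}}
        cidr: {{ .Values.networkPolicies.postgresqlCidr }}
        {{- else }}
        # Fallback while no CIDR is configured: any IPv4 address on the PostgreSQL
        # port, minus the cloud metadata endpoint
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
        {{- end }}
```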
@@ -371,3 +371,9 @@ istio:
       - sonarqube.{{ .Values.hostname }}
 monitoring:
   enabled: false
+
+networkPolicies:
+  enabled: false
+  ingressLabels:
+    app: istio-ingressgateway
+    istio: ingressgateway
\ No newline at end of file
diff --git a/tests/test-values.yml b/tests/test-values.yml
index ef111d128896ae1ffa35ee556f5513bdeebab418..e5e7fa6e40a13d8a45e0f16c2a5c1de6785ece3d 100644
--- a/tests/test-values.yml
+++ b/tests/test-values.yml
@@ -1,4 +1,5 @@
 bbtests:
+  enabled: true
   cypress:
     artifacts: true
     envs:
@@ -6,3 +7,5 @@ bbtests:
       cypress_user: "admin"
       cypress_password: "admin"
       cypress_newpassword: "new_admin_password"
+networkPolicies:
+  enabled: true
\ No newline at end of file
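Review bot: The new `networkPolicies` block in values.yaml carries no comments, so a user cannot tell that `enabled` gates all six templates under `templates/bigbang/networkpolicies/` or that `ingressLabels` is consumed only by istio-allow.yaml as the `podSelector` for pods allowed to reach the service port. Suggested comments: above `enabled:`, `# Render the NetworkPolicy templates (default-deny-all, allow-in-ns, allow-istio, allow-scraping, allow-postgresql-egress, allow-helm-test-egress)`; above `ingressLabels:`, `# Pod labels of the Istio ingress gateway permitted to reach the SonarQube service port (used only when istio.enabled)`. The templates also read `bbtests.enabled`, which values.yaml does not define; tests/test-values.yml supplies it, but a commented default here would document the contract. Every file touched by this commit also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing in one pass.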