Merge branch 'network-policy' into 'main'

Network policy

See merge request !28

CHANGELOG.md

@@ -3,6 +3,10 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+## [9.2.6-bb.10] - 2021-05-24
+### Added
+- Adding network policies.
+
 ## [9.2.6-bb.9] - 2021-05-10
 ### Changed
 - Moved cypress testing to the new helm test structure.

chart/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: 8.7.1-community
 name: sonarqube
 description: SonarQube is an open sourced code quality scanning tool
-version: 9.2.6-bb.9
+version: 9.2.6-bb.10
 keywords:
   - coverage
   - security
@@ -18,6 +18,6 @@ maintainers:
   - name: tsiddique
     email: tsiddique@live.com
 dependencies:
-  - name: bb-test-lib
-    version: "0.4.0"
-    repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates"
+  - name: gluon
+    version: "0.1.1"
+    repository: "oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon"

chart/requirements.lock

 dependencies:
-- name: postgresql
-  repository: file://./deps/postgresql
-  version: 8.6.4
-digest: sha256:ee20a56a481163f172694703dccf40e88ca9f8a5a4b1637f8dce3361f592aed2
-generated: "2021-05-07T13:46:34.5689816-06:00"
+- name: gluon
+  repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon
+  version: 0.1.1
+digest: sha256:cf1107c00a11cde8074a39624643312fe85ee11250bb7d9380e3787bde0af0f7
+generated: "2021-05-25T13:09:48.372995-06:00"

chart/templates/bigbang/networkpolicies/default-deny-all.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector: {}
+{{- end }}
\ No newline at end of file

chart/templates/bigbang/networkpolicies/helm-test-network-policy.yaml

+{{- $bbtests := .Values.bbtests | default dict -}}
+{{- $cypress := $bbtests.cypress | default dict -}}
+{{- $enabled := (hasKey $bbtests "enabled") -}}
+{{- $artifacts := (hasKey $cypress "artifacts") -}}
+{{- if and $enabled $artifacts }}
+{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled .Values.bbtests.cypress.artifacts }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-helm-test-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      helm-test: enabled
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+          - 169.254.169.254/32
+{{- end }}
+{{- end }}
\ No newline at end of file

chart/templates/bigbang/networkpolicies/istio-allow.yaml

+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-istio
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}}
+    ports:
+    - port: {{ .Values.service.externalPort }}
+      protocol: TCP
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          istio: pilot
+{{- end }}
\ No newline at end of file

chart/templates/bigbang/networkpolicies/monitoring-ingress.yaml

+{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-scraping
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: monitoring
+    ports:
+    - port: {{ .Values.service.internalPort }}
+      protocol: TCP
+{{- end }}
\ No newline at end of file

chart/templates/bigbang/networkpolicies/namespace-allow.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-in-ns
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - podSelector: {}
+  egress:
+    - to:
+        - podSelector: {}
+{{- end }}
\ No newline at end of file

chart/templates/bigbang/networkpolicies/postgres-egress.yaml

+{{- if and .Values.networkPolicies.enabled (not .Values.postgresql.enabled) }}
+# For external postgres server
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-postgresql-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - ports:
+    - protocol: TCP
+      port: {{ .Values.postgresql.service.port }}
+    to:
+    - ipBlock:
+        # This should be replaced with the IP of postgresql.postgresqlServer
+        #cidr: {{ .Values.postgresql.postgresqlServer }}/32
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+          - 169.254.169.254/32
+{{- end }}
\ No newline at end of file

chart/templates/tests/sonarqube-cypress-test.yaml

-{{- include "bb-test-lib.cypress-configmap.overrides" (list . "sonarqube-test.cypress-configmap") }}
+{{- include "gluon.tests.cypress-configmap.overrides" (list . "sonarqube-test.cypress-configmap") }}
 {{- define "sonarqube-test.cypress-configmap" }}
 metadata:
   labels:
@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/part-of: sonarqube
 {{- end }}
 ---
-{{- include "bb-test-lib.cypress-runner.overrides" (list . "sonarqube-test.cypress-runner") -}}
+{{- include "gluon.tests.cypress-runner.overrides" (list . "sonarqube-test.cypress-runner") -}}
 {{- define "sonarqube-test.cypress-runner" -}}
 metadata:
   labels:

chart/values.yaml

@@ -371,3 +371,9 @@ istio:
       - sonarqube.{{ .Values.hostname }}
 monitoring:
   enabled: false
+  
+networkPolicies:
+  enabled: false
+  ingressLabels:
+    app: istio-ingressgateway
+    istio: ingressgateway
\ No newline at end of file

tests/test-values.yml

 bbtests:
+  enabled: true
   cypress:
     artifacts: true
     envs:
@@ -6,3 +7,5 @@ bbtests:
       cypress_user: "admin"
       cypress_password: "admin"
       cypress_newpassword: "new_admin_password"
+networkPolicies:
+  enabled: true
\ No newline at end of file