Merge branch 'network-policy' into 'main'

Network policy See merge request !28

Merge branch 'network-policy' into 'main'
Network policy See merge request !28
32ff797a · Branden Cobb · 4efb432e · f29d80b1 · 32ff797a · 32ff797a
Commit 32ff797a authored May 26, 2021 by Branden Cobb
15 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ---
+## [9.2.6-bb.10] - 2021-05-24
+### Added
+- Adding network policies.
 ## [9.2.6-bb.9] - 2021-05-10
 ### Changed
 - Moved cypress testing to the new helm test structure.

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: 8.7.1-community
 name: sonarqube
 description: SonarQube is an open sourced code quality scanning tool
-version: 9.2.6-bb.9
+version: 9.2.6-bb.10
 keywords:
  - coverage
  - security
@@ -18,6 +18,6 @@ maintainers:
  - name: tsiddique
    email: tsiddique@live.com
 dependencies:
-  - name: bb-test-lib
+  - name: gluon
-    version: "0.4.0"
+    version: "0.1.1"
-    repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates"
+    repository: "oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon"
--- a/chart/charts/.gitkeep
+++ b/chart/charts/.gitkeep
--- a/chart/charts/bb-test-lib-0.4.0.tgz
+++ b/chart/charts/bb-test-lib-0.4.0.tgz
--- a/chart/charts/gluon-0.1.1.tgz
+++ b/chart/charts/gluon-0.1.1.tgz
--- a/chart/requirements.lock
+++ b/chart/requirements.lock
 dependencies:
- name: postgresql
+- name: gluon
-  repository: file://./deps/postgresql
+  repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon
-  version: 8.6.4
+  version: 0.1.1
-digest: sha256:ee20a56a481163f172694703dccf40e88ca9f8a5a4b1637f8dce3361f592aed2
+digest: sha256:cf1107c00a11cde8074a39624643312fe85ee11250bb7d9380e3787bde0af0f7
-generated: "2021-05-07T13:46:34.5689816-06:00"
+generated: "2021-05-25T13:09:48.372995-06:00"
--- a/chart/templates/bigbang/networkpolicies/default-deny-all.yaml
+++ b/chart/templates/bigbang/networkpolicies/default-deny-all.yaml
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector: {}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/networkpolicies/helm-test-network-policy.yaml
+++ b/chart/templates/bigbang/networkpolicies/helm-test-network-policy.yaml
+{{- $bbtests := .Values.bbtests | default dict -}}
+{{- $cypress := $bbtests.cypress | default dict -}}
+{{- $enabled := (hasKey $bbtests "enabled") -}}
+{{- $artifacts := (hasKey $cypress "artifacts") -}}
+{{- if and $enabled $artifacts }}
+{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled .Values.bbtests.cypress.artifacts }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-helm-test-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      helm-test: enabled
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+          - 169.254.169.254/32
+{{- end }}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/networkpolicies/istio-allow.yaml
+++ b/chart/templates/bigbang/networkpolicies/istio-allow.yaml
+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-istio
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}}
+    ports:
+    - port: {{ .Values.service.externalPort }}
+      protocol: TCP
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          istio: pilot
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/networkpolicies/monitoring-ingress.yaml
+++ b/chart/templates/bigbang/networkpolicies/monitoring-ingress.yaml
+{{- if and .Values.networkPolicies.enabled .Values.monitoring.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-scraping
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: monitoring
+    ports:
+    - port: {{ .Values.service.internalPort }}
+      protocol: TCP
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/networkpolicies/namespace-allow.yaml
+++ b/chart/templates/bigbang/networkpolicies/namespace-allow.yaml
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-in-ns
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - podSelector: {}
+  egress:
+    - to:
+        - podSelector: {}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/networkpolicies/postgres-egress.yaml
+++ b/chart/templates/bigbang/networkpolicies/postgres-egress.yaml
+{{- if and .Values.networkPolicies.enabled (not .Values.postgresql.enabled) }}
+# For external postgres server
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-postgresql-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - ports:
+    - protocol: TCP
+      port: {{ .Values.postgresql.service.port }}
+    to:
+    - ipBlock:
+        # This should be replaced with the IP of postgresql.postgresqlServer
+        #cidr: {{ .Values.postgresql.postgresqlServer }}/32
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+          - 169.254.169.254/32
+{{- end }}
\ No newline at end of file
--- a/chart/templates/tests/sonarqube-cypress-test.yaml
+++ b/chart/templates/tests/sonarqube-cypress-test.yaml
-{{- include "bb-test-lib.cypress-configmap.overrides" (list . "sonarqube-test.cypress-configmap") }}
+{{- include "gluon.tests.cypress-configmap.overrides" (list . "sonarqube-test.cypress-configmap") }}
 {{- define "sonarqube-test.cypress-configmap" }}
 metadata:
  labels:
@@ -8,7 +8,7 @@ metadata:
    app.kubernetes.io/part-of: sonarqube
 {{- end }}
 ---
-{{- include "bb-test-lib.cypress-runner.overrides" (list . "sonarqube-test.cypress-runner") -}}
+{{- include "gluon.tests.cypress-runner.overrides" (list . "sonarqube-test.cypress-runner") -}}
 {{- define "sonarqube-test.cypress-runner" -}}
 metadata:
  labels:

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -371,3 +371,9 @@ istio:
      - sonarqube.{{ .Values.hostname }}
 monitoring:
  enabled: false
+networkPolicies:
+  enabled: false
+  ingressLabels:
+    app: istio-ingressgateway
+    istio: ingressgateway
\ No newline at end of file
--- a/tests/test-values.yml
+++ b/tests/test-values.yml
 bbtests:
+  enabled: true
  cypress:
    artifacts: true
    envs:
@@ -6,3 +7,5 @@ bbtests:
      cypress_user: "admin"
      cypress_password: "admin"
      cypress_newpassword: "new_admin_password"
+networkPolicies:
+  enabled: true
\ No newline at end of file