From 5e6f9b414c0d932e598515b2cbdf5c0b17a1873c Mon Sep 17 00:00:00 2001
From: Ryan Garcia
Date: Tue, 8 Jun 2021 18:59:57 +0000
Subject: [PATCH] Network Policy Template Finalization
---
CHANGELOG.md | 22 +++++++++++++++++++
chart/Chart.yaml | 2 +-
.../egress-default-deny-external.yml | 0
.../networkpolicies/egress-kube-dns.yaml | 17 ++++++++++++++
.../networkpolicies/helm-test-egress.yaml | 21 ++++++++++++++++++
.../ingress-allow-ns.yml} | 6 ++---
.../ingress-default-deny.yml | 0
.../ingress-istio-ingressgateway.yml} | 18 ++++++++-------
.../ingress-monitoring.yml | 14 ++++++++----
.../networkpolicies/istiod-egress.yml | 21 ++++++++++++++++++
chart/values.yaml | 3 +++
tests/test-values.yml | 3 +++
12 files changed, 110 insertions(+), 17 deletions(-)
rename chart/templates/{network-policy => networkpolicies}/egress-default-deny-external.yml (100%)
create mode 100644 chart/templates/networkpolicies/egress-kube-dns.yaml
create mode 100644 chart/templates/networkpolicies/helm-test-egress.yaml
rename chart/templates/{network-policy/ingress-all-ns.yml => networkpolicies/ingress-allow-ns.yml} (62%)
rename chart/templates/{network-policy => networkpolicies}/ingress-default-deny.yml (100%)
rename chart/templates/{network-policy/ingress-egress-istio.yml => networkpolicies/ingress-istio-ingressgateway.yml} (52%)
rename chart/templates/{network-policy => networkpolicies}/ingress-monitoring.yml (52%)
create mode 100644 chart/templates/networkpolicies/istiod-egress.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2259d76..e75fa64 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,28 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
---
+## [0.0.5-bb.0] - 2021-06-02
+
+### Changed
+
+- Network policy resource Templates
+
+## [0.0.4-bb.3] - 2021-06-01
+
+### Added
+
+- Gluon test library dependency
+
+### Changed
+
+- CI Test infrastructure. Migrating to helm tests with script capabilities.
+
+## [0.0.4-bb.2] - 2021-05-26
+
+### Added
+
+- Network policy resource Templates
+
## [0.0.4-bb.0] - 2021-05-12
### Added
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 571ee7b..f09518e 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
name: twistlock
-version: 0.0.4-bb.3
+version: 0.0.5-bb.0
appVersion: 21.04.412
dependencies:
- name: gluon
diff --git a/chart/templates/network-policy/egress-default-deny-external.yml b/chart/templates/networkpolicies/egress-default-deny-external.yml
similarity index 100%
rename from chart/templates/network-policy/egress-default-deny-external.yml
rename to chart/templates/networkpolicies/egress-default-deny-external.yml
diff --git a/chart/templates/networkpolicies/egress-kube-dns.yaml b/chart/templates/networkpolicies/egress-kube-dns.yaml
new file mode 100644
index 0000000..7e7a35c
--- /dev/null
+++ b/chart/templates/networkpolicies/egress-kube-dns.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: egress-kube-dns
+ namespace: "{{ .Release.Namespace }}"
+spec:
+ egress:
+ - to:
+ - namespaceSelector: {} # all namespaces
+ ports:
+ - port: 53
+ protocol: UDP
+ podSelector: {} # all pods in Release namespace
+ policyTypes:
+ - Egress
+{{- end }}
diff --git a/chart/templates/networkpolicies/helm-test-egress.yaml b/chart/templates/networkpolicies/helm-test-egress.yaml
new file mode 100644
index 0000000..2364497
--- /dev/null
+++ b/chart/templates/networkpolicies/helm-test-egress.yaml
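Review bot: The `to:` entry `namespaceSelector: {}` with no `podSelector` allows UDP/53 egress to every pod in every namespace, not only the cluster DNS pods, so the rule is much wider than its name `egress-kube-dns` suggests. Narrow it to the DNS pods — in kubeadm-style clusters that is the `kube-system` namespace and the `k8s-app: kube-dns` pod label, but both should be confirmed against the target cluster. DNS also retries over TCP/53 when a response is truncated, and with the egress default-deny policy in this directory those lookups would fail, so a TCP entry belongs next to the UDP one. The `{{- if .Values.networkPolicies.enabled }}` / `{{- end }}` guard is the whole file; nothing sits outside the hunk.
```yaml
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system  # NOTE(review): relies on the automatic namespace label (Kubernetes 1.21+); confirm, or use the label the DNS namespace actually carries
      podSelector:
        matchLabels:
          k8s-app: kube-dns  # NOTE(review): confirm against the cluster's DNS pod labels
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  # … unchanged: podSelector / policyTypes …
```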
@@ -0,0 +1,21 @@
+{{- $bbtests := .Values.bbtests | default dict -}}
+{{- $cypress := $bbtests.cypress | default dict -}}
+{{- $enabled := (hasKey $bbtests "enabled") -}}
+{{- $artifacts := (hasKey $cypress "artifacts") -}}
+{{- if and $enabled $artifacts }}
+{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled .Values.bbtests.cypress.artifacts }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-helm-test-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ helm-test: enabled
+ policyTypes:
+ - Egress
+ egress:
+ - {}
+{{- end }}
+{{- end }}
diff --git a/chart/templates/network-policy/ingress-all-ns.yml b/chart/templates/networkpolicies/ingress-allow-ns.yml
similarity index 62%
rename from chart/templates/network-policy/ingress-all-ns.yml
rename to chart/templates/networkpolicies/ingress-allow-ns.yml
index 49f8bba..6e8a95a 100644
--- a/chart/templates/network-policy/ingress-all-ns.yml
+++ b/chart/templates/networkpolicies/ingress-allow-ns.yml
@@ -2,14 +2,12 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
- name: ingress-allow-cluster
+ name: ingress-allow-ns
namespace: "{{ .Release.Namespace }}"
spec:
ingress:
- from:
- - namespaceSelector: {} # all namespaces for now
- ports:
- - port: 8084 # communications port
+ - podSelector: {} # all pods in namespace
podSelector: {} # all pods
policyTypes:
- Ingress
{{- end }}
diff --git a/chart/templates/network-policy/ingress-default-deny.yml b/chart/templates/networkpolicies/ingress-default-deny.yml
similarity index 100%
rename from chart/templates/network-policy/ingress-default-deny.yml
rename to chart/templates/networkpolicies/ingress-default-deny.yml
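Review bot: `$enabled` and `$artifacts` hold `hasKey` results, i.e. whether the keys exist rather than whether they are true, so the names mislead and the inner `if` on the next line has to redo the truthiness test on `.Values.bbtests.enabled` and `.Values.bbtests.cypress.artifacts`. Folding the value into the variable lets the two nested `if`s collapse into one: `{{- $enabled := $bbtests.enabled | default false -}}`, `{{- $artifacts := $cypress.artifacts | default false -}}`, `{{- if and .Values.networkPolicies.enabled $enabled $artifacts }}` with a single `{{- end }}`. `namespace: {{ .Release.Namespace }}` is unquoted here while `egress-kube-dns.yaml` in the same commit quotes it; quote it for consistency. The unrestricted `egress: - {}` applies to any pod in the release namespace carrying `helm-test: enabled`, not only the test pod, which deserves a comment on the `podSelector`.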
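Review bot: The new `from` entry `- podSelector: {}` carries no `ports:`, so every pod in the release namespace may reach every other pod on any port, whereas the rule it replaces was limited to port 8084. Together with `ingress-default-deny.yml` this makes the default deny a no-op for intra-namespace traffic, which may be intended but is stated nowhere. Either restore a port list (`ports:` / `- port: 8084` if the communications port is the only need) or record the intent in the comment, e.g. `- podSelector: {} # all pods in namespace, any port: intra-namespace traffic is intentionally unrestricted`. Line 1 of the file, presumably the `{{- if` guard matching the closing `{{- end }}`, sits outside the hunk.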
diff --git a/chart/templates/network-policy/ingress-egress-istio.yml b/chart/templates/networkpolicies/ingress-istio-ingressgateway.yml
similarity index 52%
rename from chart/templates/network-policy/ingress-egress-istio.yml
rename to chart/templates/networkpolicies/ingress-istio-ingressgateway.yml
index 80fb410..29b55a7 100644
--- a/chart/templates/network-policy/ingress-egress-istio.yml
+++ b/chart/templates/networkpolicies/ingress-istio-ingressgateway.yml
@@ -2,21 +2,23 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
- name: istio
+ name: istio-ingress
namespace: "{{ .Release.Namespace }}"
spec:
- podSelector: {}
+ podSelector:
+ matchLabels:
+ app: twistlock-console
policyTypes:
- Ingress
- - Egress
ingress:
- from:
- - namespaceSelector:
- matchLabels:
- app.kubernetes.io/name: istio-controlplane
- egress:
- - to:
- namespaceSelector:
matchLabels:
app.kubernetes.io/name: istio-controlplane
+ podSelector:
+ matchLabels:
+ {{- toYaml .Values.networkPolicies.ingressLabels | nindent 12}}
+ ports:
+ - port: 8081 #Default UI console Port
+ - port: 8083 #TLS configured UI console Port
{{- end }}
diff --git a/chart/templates/network-policy/ingress-monitoring.yml b/chart/templates/networkpolicies/ingress-monitoring.yml
similarity index 52%
rename from chart/templates/network-policy/ingress-monitoring.yml
rename to chart/templates/networkpolicies/ingress-monitoring.yml
index 0bc7274..8f683c7 100644
--- a/chart/templates/network-policy/ingress-monitoring.yml
+++ b/chart/templates/networkpolicies/ingress-monitoring.yml
@@ -7,11 +7,17 @@ metadata:
spec:
ingress:
- from:
- - namespaceSelector: {} # all namespaces for now
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: monitoring
+ podSelector:
+ matchLabels:
+ app: prometheus
ports:
- - port: PROMETHEUS_PORT
- protocol: TCP
- podSelector: {} # all pods
+ - port: 8081
+ podSelector:
+ matchLabels:
+ name: twistlock-console
policyTypes:
- Ingress
{{- end }}
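Review bot: This policy selects the console pods with `app: twistlock-console`, while the ingress-monitoring.yml hunk in the same commit selects them with `name: twistlock-console`; the console Deployment's pod labels are not in this commit, but at most one of the two keys can match, and a `podSelector` that matches nothing makes its policy apply to no pod, so under the default-deny ingress policy the unmatched side (gateway or Prometheus) stays blocked rather than allowed. Check the Deployment's pod template labels and use the same key in both files. Two style points in this hunk: `{{- toYaml .Values.networkPolicies.ingressLabels | nindent 12}}` should close with ` }}` like every other action in these templates, and the port comments want a space after `#` (`- port: 8081 # default UI console port`). The `{{- if` guard on line 1 is outside the hunk; `{{- end }}` is its last line.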
diff --git a/chart/templates/networkpolicies/istiod-egress.yml b/chart/templates/networkpolicies/istiod-egress.yml
new file mode 100644
index 0000000..f5d9665
--- /dev/null
+++ b/chart/templates/networkpolicies/istiod-egress.yml
@@ -0,0 +1,21 @@
+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-istiod-egress
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ podSelector:
+ matchLabels:
+ app: istiod
+ ports:
+ - port: 15012
+{{- end }}
\ No newline at end of file
diff --git a/chart/values.yaml b/chart/values.yaml
index 54266e5..1795bdd 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -18,6 +18,9 @@ istio:
networkPolicies:
enabled: false
+ ingressLabels:
+ app: istio-ingressgateway
+ istio: ingressgateway
# imagePullSecrets defines the secrets to use when pulling the operator container image.
imagePullSecrets: []
diff --git a/tests/test-values.yml b/tests/test-values.yml
index 520f8ce..b0d2e56 100644
--- a/tests/test-values.yml
+++ b/tests/test-values.yml
@@ -1,6 +1,9 @@
istio:
enabled: true
+networkPolicies:
+ enabled: true
+
imagePullSecrets:
- name: private-registry-mil
--
GitLab
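Review bot: The file ends without a trailing newline (`\ No newline at end of file`), and `namespace: {{ .Release.Namespace }}` is unquoted whereas `egress-kube-dns.yaml` and the renamed policies quote it — write `namespace: "{{ .Release.Namespace }}"` here too. The new directory also mixes extensions (`istiod-egress.yml` beside `egress-kube-dns.yaml` and `helm-test-egress.yaml`); pick one. `podSelector: {}` lets every pod in the release namespace open 15012 to istiod, which is the port sidecars use for xDS, and a comment saying so, e.g. `podSelector: {} # all pods: sidecars reach istiod xDS on 15012`, would make the width of the selector self-explanatory.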
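Review bot: `ingressLabels` is introduced without a comment, yet it is rendered verbatim through `toYaml` into a `podSelector.matchLabels` in ingress-istio-ingressgateway.yml, so a reader of values.yaml cannot tell what it selects or that an empty map would appear to widen that selector to every pod in the istio-controlplane namespace. Add a comment above it such as `# ingressLabels: pod labels of the Istio ingress gateway (istio-controlplane namespace) allowed to reach the console on 8081/8083; rendered as-is into podSelector.matchLabels, so keep it a non-empty map`. The `istio:` key named in the hunk header lies outside the hunk.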