From cf9bfdf9b8493d810e8671d87ab06f45566bac39 Mon Sep 17 00:00:00 2001
From: Antoine DUBOIS
Date: Mon, 19 Feb 2024 15:34:49 +0100
Subject: [PATCH] feat: add NetworkPolicies

---
 README.md | 8 ++++++++
 templates/networkPolicy.yaml | 28 ++++++++++++++++++++++++++++
 values.schema.json | 26 ++++++++++++++++++++++++++
 values.yaml | 18 ++++++++++++++++++
 4 files changed, 80 insertions(+)
 create mode 100644 templates/networkPolicy.yaml

diff --git a/README.md b/README.md
index e4da663..f4c0de2 100644
--- a/README.md
+++ b/README.md
@@ -83,6 +83,14 @@ please refer to [the official krakend documentation](https://www.krakend.io/docs
 | lifecycle | object | `{}` | Krakend container lifecycle hooks (PostStart, PreStop) |
 | livenessProbe | object | `{"httpGet":{"path":"/__health","port":"http"}}` | The livenessProbe to use for the krakend pod |
 | nameOverride | string | `""` | |
+| networkPolicies | object | `{"enabled":false,"policies":[{"name":"allow-namespace1","namespace":"namespace1","type":"ingress"},{"name":"allow-namespace2","namespace":"namespace2","type":"egress"}]}` | The networkPolicies configures ingress NetworkPolicies for your application |
+| networkPolicies.enabled | bool | `false` | Set to true to create NetworkPolicies for your application |
+| networkPolicies.policies | list | `[{"name":"allow-namespace1","namespace":"namespace1","type":"ingress"},{"name":"allow-namespace2","namespace":"namespace2","type":"egress"}]` | List of NetworkPolicy objects |
+| networkPolicies.policies[0] | object | `{"name":"allow-namespace1","namespace":"namespace1","type":"ingress"}` | Name of the NetworkPolicy |
+| networkPolicies.policies[0].namespace | string | `"namespace1"` | Name of the namespace allowed to reach (or be reached by) your application |
+| networkPolicies.policies[0].type | string | `"ingress"` | Type of the network policy (ingress or egress) |
+| networkPolicies.policies[1].namespace | string | `"namespace2"` | Name of the namespace allowed to reach (or be reached by) your application |
+| networkPolicies.policies[1].type | string | `"egress"` | Type of the network policy (ingress or egress) |
 | nodeSelector | object | `{}` | The nodeSelector to use for the krakend pod |
 | podAnnotations | object | `{}` | The annotations to use for the krakend pod |
 | podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":"","minAvailable":1,"unhealthyPodEvictionPolicy":""}` | podDisruptionBudget allows you to define minumum and maximum available pods | 
diff --git a/templates/networkPolicy.yaml b/templates/networkPolicy.yaml
new file mode 100644
index 0000000..3048da2
--- /dev/null
+++ b/templates/networkPolicy.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.networkPolicies.enabled }}
+{{- range $index, $policy := .Values.networkPolicies.policies }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $policy.name }}
+spec:
+ podSelector: {}
+ policyTypes:
+ {{- if eq $policy.type "ingress" }}
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ name: {{ $policy.namespace }}
+ {{- end }}
+ {{- if eq $policy.type "egress" }}
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: {{ $policy.namespace }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/values.schema.json b/values.schema.json
index 101f1cb..b2739dc 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -235,6 +235,32 @@
 "nameOverride": {
 "type": "string"
 },
+ "networkPolicies": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "policies": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "namespace": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "required": ["name", "namespace", "type"]
+ }
+ }
+ }
+ },
 "nodeSelector": {
 "type": "object"
 },
diff --git a/values.yaml b/values.yaml
index dffbcc1..95847ee 100644
--- a/values.yaml
+++ b/values.yaml
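Review bot: `podSelector: {}` in the rendered NetworkPolicy selects every pod in the release namespace, so each policy also restricts workloads that merely share the namespace with krakend; scoping it to the chart's own pods (`podSelector:` / `  matchLabels:` followed by the chart's selector-labels include, whose name is defined outside this patch) keeps the effect to this release. A `type` that is neither `ingress` nor `egress` renders `policyTypes:` with no entries and no rules, which the API server treats as unset and defaults to Ingress — a deny-all-ingress policy for the whole namespace produced by a typo; guarding the loop body with `{{- if not (has $policy.type (list "ingress" "egress")) }}{{ fail (printf "networkPolicies.policies[%d].type must be \"ingress\" or \"egress\", got %q" $index $policy.type) }}{{- end }}` and adding `"enum": ["ingress", "egress"]` to the `type` property in the values.schema.json hunk on this same line closes that gap. The `namespaceSelector` matches on a `name` label, which Kubernetes does not set on namespaces, whereas `kubernetes.io/metadata.name: {{ $policy.namespace | quote }}` uses the label the control plane applies automatically and needs no manual labeling. An egress entry admits only the named namespace, so the selected pods also lose DNS to kube-system unless another policy allows it — worth a comment above the egress branch and a README caveat. `name: {{ $policy.name }}` and the namespace values should be rendered with `| quote` so numeric-looking values stay strings.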
@@ -253,3 +253,21 @@ serviceMonitor:
 scrapeTimeout: 10s
 # -- prometheus metrics port exposed by krakend
 targetPort: 9091
+
+# -- (object) The networkPolicies configures ingress NetworkPolicies for your application
+networkPolicies:
+ # -- (bool) Set to true to create NetworkPolicies for your application
+ enabled: false
+ # -- (list) List of NetworkPolicy objects
+ policies:
+ # -- Name of the NetworkPolicy
+ - name: "allow-namespace1"
+ # -- Name of the namespace allowed to reach (or be reached by) your application
+ namespace: "namespace1"
+ # -- Type of the network policy (ingress or egress)
+ type: "ingress"
+ - name: "allow-namespace2"
+ # -- Name of the namespace allowed to reach (or be reached by) your application
+ namespace: "namespace2"
+ # -- Type of the network policy (ingress or egress)
+ type: "egress"
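Review bot: The `# -- Name of the NetworkPolicy` comment sits above the `- name:` list item rather than on the key, so helm-docs appears to attach it to the `policies[0]` object (the README hunk lists `networkPolicies.policies[0] | object` with that description and has no `policies[0].name` row); placing it on the key as is done for `namespace` and `type`, or dropping it, makes the generated table consistent. The top-level comment says "ingress NetworkPolicies" while the example list itself defines an egress policy; `# -- (object) Ingress and egress NetworkPolicies for your application` matches what the template renders. Shipping two sample policies as the default means that setting only `enabled: true` immediately renders a namespace-wide allow-list against `namespace1` and `namespace2`, which need not exist — effectively deny-all in both directions for every pod in the namespace; a safer default is `policies: []` with the two entries kept as commented examples.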