From 922799081d6037d71971baf3fecf3519c35326e9 Mon Sep 17 00:00:00 2001
From: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
Date: Tue, 13 Jul 2021 08:35:25 +0200
Subject: [PATCH] feat(argo-cd): Add ability to create network policies (#800)

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
---
 charts/argo-cd/Chart.yaml                     |  7 +++--
 charts/argo-cd/README.md                      |  2 ++
 .../networkpolicy.yaml                        | 19 ++++++++++++
 .../argocd-repo-server/networkpolicy.yaml     | 31 +++++++++++++++++++
 .../argocd-server/networkpolicy.yaml          | 16 ++++++++++
 .../argo-cd/templates/dex/networkpolicy.yaml  | 31 +++++++++++++++++++
 .../templates/networkpolicy-default-deny.yaml | 12 +++++++
 .../argo-cd/templates/redis/deployment.yaml   |  2 +-
 .../templates/redis/networkpolicy.yaml        | 29 +++++++++++++++++
 charts/argo-cd/values.yaml                    |  4 +++
 10 files changed, 149 insertions(+), 4 deletions(-)
 create mode 100644 charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml
 create mode 100644 charts/argo-cd/templates/argocd-repo-server/networkpolicy.yaml
 create mode 100644 charts/argo-cd/templates/argocd-server/networkpolicy.yaml
 create mode 100644 charts/argo-cd/templates/dex/networkpolicy.yaml
 create mode 100644 charts/argo-cd/templates/networkpolicy-default-deny.yaml
 create mode 100644 charts/argo-cd/templates/redis/networkpolicy.yaml

diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml
index ea3fbc45..60ff890e 100644
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@@ -2,9 +2,9 @@ apiVersion: v2
 appVersion: 2.0.4
 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 3.8.2
+version: 3.9.0
 home: https://github.com/argoproj/argo-helm
-icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
+icon: https://argoproj.github.io/argo-cd/assets/logo.png
 keywords:
   - argoproj
   - argocd
@@ -21,4 +21,5 @@ dependencies:
     condition: redis-ha.enabled
 annotations:
   artifacthub.io/changes: |
-    - "[Changed]: Add important upgrading notes to README concerning potential ServiceAccount renamings introduced in chart version 3.8.1+."
+    - "[Added]: Ability to create network policies"
+    - "[Changed]: Fix icon url"
diff --git a/charts/argo-cd/README.md b/charts/argo-cd/README.md
index 1c12a617..bb929e93 100644
--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
@@ -136,6 +136,8 @@ NAME: my-release
 | global.securityContext | Toggle and define securityContext | See [values.yaml](values.yaml) |
 | global.imagePullSecrets | If defined, uses a Secret to pull an image from a private Docker registry or repository. | `[]` |
 | global.hostAliases | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files | `[]` |
+| global.networkPolicy.create | Create NetworkPolicy objects for all components | `false` |
+| global.networkPolicy.defaultDenyIngress | Default deny all ingress traffic | `false` |
 | kubeVersionOverride | Override the Kubernetes version, which is used to evaluate certain manifests | `""` |
 | nameOverride | Provide a name in place of `argocd` | `"argocd"` |
 | fullnameOverride | String to fully override `"argo-cd.fullname"` | `""` |
diff --git a/charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml b/charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml
new file mode 100644
index 00000000..9116fbcf
--- /dev/null
+++ b/charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.global.networkPolicy.create }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
+  name: {{ template "argo-cd.controller.fullname" . }}
+spec:
+  ingress:
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: controller
+  podSelector:
+    matchLabels:
+      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
+  policyTypes:
+  - Ingress
+{{- end }}
diff --git a/charts/argo-cd/templates/argocd-repo-server/networkpolicy.yaml b/charts/argo-cd/templates/argocd-repo-server/networkpolicy.yaml
new file mode 100644
index 00000000..0d9274ed
--- /dev/null
+++ b/charts/argo-cd/templates/argocd-repo-server/networkpolicy.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.global.networkPolicy.create }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
+  name: {{ template "argo-cd.repoServer.fullname" . }}
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 10 }}
+    - podSelector:
+        matchLabels:
+          {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 10 }}
+    ports:
+    - port: repo-server
+      protocol: TCP
+  {{- if .Values.repoServer.metrics.enabled }}
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: metrics
+  {{- end }}
+  podSelector:
+    matchLabels:
+      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.repoServer.name) | nindent 6 }}
+  policyTypes:
+  - Ingress
+{{- end }}
diff --git a/charts/argo-cd/templates/argocd-server/networkpolicy.yaml b/charts/argo-cd/templates/argocd-server/networkpolicy.yaml
new file mode 100644
index 00000000..8300d696
--- /dev/null
+++ b/charts/argo-cd/templates/argocd-server/networkpolicy.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.global.networkPolicy.create }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
+  name: {{ template "argo-cd.server.fullname" . }}
+spec:
+  ingress:
+  - {}
+  podSelector:
+    matchLabels:
+      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }}
+  policyTypes:
+  - Ingress
+{{- end }}
diff --git a/charts/argo-cd/templates/dex/networkpolicy.yaml b/charts/argo-cd/templates/dex/networkpolicy.yaml
new file mode 100644
index 00000000..e79a2e3e
--- /dev/null
+++ b/charts/argo-cd/templates/dex/networkpolicy.yaml
@@ -0,0 +1,31 @@
+{{- if and .Values.global.networkPolicy.create .Values.dex.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" .Values.dex.name) | nindent 4 }}
+  name: {{ template "argo-cd.dex.fullname" . }}
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 10 }}
+    ports:
+    - port: http
+      protocol: TCP
+    - port: grpc
+      protocol: TCP
+  {{- if .Values.dex.metrics.enabled }}
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: metrics
+      protocol: TCP
+  {{- end }}
+  podSelector:
+    matchLabels:
+      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.dex.name) | nindent 6 }}
+  policyTypes:
+  - Ingress
+{{- end }}
diff --git a/charts/argo-cd/templates/networkpolicy-default-deny.yaml b/charts/argo-cd/templates/networkpolicy-default-deny.yaml
new file mode 100644
index 00000000..3d47a397
--- /dev/null
+++ b/charts/argo-cd/templates/networkpolicy-default-deny.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.global.networkPolicy.create .Values.global.networkPolicy.defaultDenyIngress }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "argo-cd.labels" (dict "context" .) | nindent 4 }}
+  name: {{ template "argo-cd.fullname" . }}-default-deny
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+{{- end }}
diff --git a/charts/argo-cd/templates/redis/deployment.yaml b/charts/argo-cd/templates/redis/deployment.yaml
index 05500337..5b5879a3 100755
--- a/charts/argo-cd/templates/redis/deployment.yaml
+++ b/charts/argo-cd/templates/redis/deployment.yaml
@@ -59,8 +59,8 @@ spec:
         {{- end }}
         ports:
         - containerPort: {{ .Values.redis.containerPort }}
+          name: redis
 {{- if .Values.redis.volumeMounts }}
-
         volumeMounts:
 {{- toYaml .Values.redis.volumeMounts | nindent 10 }}
 {{- end }}
diff --git a/charts/argo-cd/templates/redis/networkpolicy.yaml b/charts/argo-cd/templates/redis/networkpolicy.yaml
new file mode 100644
index 00000000..881e257c
--- /dev/null
+++ b/charts/argo-cd/templates/redis/networkpolicy.yaml
@@ -0,0 +1,29 @@
+{{- $redisHa := (index .Values "redis-ha") -}}
+{{- if and .Values.global.networkPolicy.create .Values.redis.enabled (not $redisHa.enabled) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }}
+  name: {{ template "argo-cd.redis.fullname" . }}
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 10 }}
+    - podSelector:
+        matchLabels:
+          {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.repoServer.name) | nindent 10 }}
+    - podSelector:
+        matchLabels:
+          {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 10 }}
+    ports:
+    - port: redis
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.redis.name) | nindent 6 }}
+  policyTypes:
+  - Ingress
+{{- end }}
diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml
index 3ecfd228..452aba69 100755
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
@@ -20,6 +20,10 @@ global:
   #   hostnames:
   #   - git.myhostname
 
+  networkPolicy:
+    create: false
+    defaultDenyIngress: false
+
 # Override APIVersions
 # If you want to template helm charts but cannot access k8s API server
 # you can set api versions here