feat(argo-cd): Add ability to create network policies (#800)

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

charts/argo-cd/Chart.yaml

@@ -2,9 +2,9 @@ apiVersion: v2
 appVersion: 2.0.4
 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 3.8.2
+version: 3.9.0
 home: https://github.com/argoproj/argo-helm
-icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
+icon: https://argoproj.github.io/argo-cd/assets/logo.png
 keywords:
   - argoproj
   - argocd
@@ -21,4 +21,5 @@ dependencies:
     condition: redis-ha.enabled
 annotations:
   artifacthub.io/changes: |
-    - "[Changed]: Add important upgrading notes to README concerning potential ServiceAccount renamings introduced in chart version 3.8.1+."
+    - "[Added]: Ability to create network policies"
+    - "[Changed]: Fix icon url"

charts/argo-cd/README.md

@@ -136,6 +136,8 @@ NAME: my-release
 | global.securityContext | Toggle and define securityContext | See [values.yaml](values.yaml) |
 | global.imagePullSecrets | If defined, uses a Secret to pull an image from a private Docker registry or repository. | `[]` |
 | global.hostAliases | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files | `[]` |
+| global.networkPolicy.create | Create NetworkPolicy objects for all components | `false` |
+| global.networkPolicy.defaultDenyIngress | Default deny all ingress traffic | `false` |
 | kubeVersionOverride | Override the Kubernetes version, which is used to evaluate certain manifests | `""` |
 | nameOverride | Provide a name in place of `argocd` | `"argocd"` |
 | fullnameOverride | String to fully override `"argo-cd.fullname"` | `""` |

charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.global.networkPolicy.create }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
+  name: {{ template "argo-cd.controller.fullname" . }}
+spec:
+  ingress:
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: controller
+  podSelector:
+    matchLabels:
+      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
+  policyTypes:
+  - Ingress
+{{- end }}

charts/argo-cd/templates/argocd-repo-server/networkpolicy.yaml

@@ -0,0 +1,31 @@
+{{- if .Values.global.networkPolicy.create }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
+  name: {{ template "argo-cd.repoServer.fullname" . }}
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 10 }}
+    - podSelector:
+        matchLabels:
+          {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 10 }}
+    ports:
+    - port: repo-server
+      protocol: TCP
+  {{- if .Values.repoServer.metrics.enabled }}
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: metrics
+  {{- end }}
+  podSelector:
+    matchLabels:
+      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.repoServer.name) | nindent 6 }}
+  policyTypes:
+  - Ingress
+{{- end }}

charts/argo-cd/templates/argocd-server/networkpolicy.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.global.networkPolicy.create }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
+  name: {{ template "argo-cd.server.fullname" . }}
+spec:
+  ingress:
+  - {}
+  podSelector:
+    matchLabels:
+      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }}
+  policyTypes:
+  - Ingress
+{{- end }}

charts/argo-cd/templates/dex/networkpolicy.yaml

@@ -0,0 +1,31 @@
+{{- if and .Values.global.networkPolicy.create .Values.dex.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" .Values.dex.name) | nindent 4 }}
+  name: {{ template "argo-cd.dex.fullname" . }}
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 10 }}
+    ports:
+    - port: http
+      protocol: TCP
+    - port: grpc
+      protocol: TCP
+  {{- if .Values.dex.metrics.enabled }}
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: metrics
+      protocol: TCP
+  {{- end }}
+  podSelector:
+    matchLabels:
+      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.dex.name) | nindent 6 }}
+  policyTypes:
+  - Ingress
+{{- end }}

charts/argo-cd/templates/networkpolicy-default-deny.yaml

@@ -0,0 +1,12 @@
+{{- if and .Values.global.networkPolicy.create .Values.global.networkPolicy.defaultDenyIngress }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "argo-cd.labels" (dict "context" .) | nindent 4 }}
+  name: {{ template "argo-cd.fullname" . }}-default-deny
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+{{- end }}

charts/argo-cd/templates/redis/deployment.yaml

@@ -59,8 +59,8 @@ spec:
         {{- end }}
         ports:
         - containerPort: {{ .Values.redis.containerPort }}
+          name: redis
 {{- if .Values.redis.volumeMounts }}
-
         volumeMounts:
 {{- toYaml .Values.redis.volumeMounts | nindent 10 }}
 {{- end }}

charts/argo-cd/templates/redis/networkpolicy.yaml

@@ -0,0 +1,29 @@
+{{- $redisHa := (index .Values "redis-ha") -}}
+{{- if and .Values.global.networkPolicy.create .Values.redis.enabled (not $redisHa.enabled) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }}
+  name: {{ template "argo-cd.redis.fullname" . }}
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 10 }}
+    - podSelector:
+        matchLabels:
+          {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.repoServer.name) | nindent 10 }}
+    - podSelector:
+        matchLabels:
+          {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 10 }}
+    ports:
+    - port: redis
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.redis.name) | nindent 6 }}
+  policyTypes:
+  - Ingress
+{{- end }}

charts/argo-cd/values.yaml

@@ -20,6 +20,10 @@ global:
   #   hostnames:
   #   - git.myhostname
 
+  networkPolicy:
+    create: false
+    defaultDenyIngress: false
+
 # Override APIVersions
 # If you want to template helm charts but cannot access k8s API server
 # you can set api versions here