feat: ingress rules for server networkPolicy (#877)

* feat: allow server netPol to specify podSelector * feat(test): add podSelector NetworkPolicy unittest * chore: introduce server.networkPolicy.ingress As suggested let users template the whole ingress object for the networkPolicy than only the podSelector. Co-authored-by: tvoran <444265+tvoran@users.noreply.github.com> --------- Co-authored-by: tvoran <444265+tvoran@users.noreply.github.com>
2023-11-16 01:42:26 +01:00 · 2023-11-16 01:42:26 +01:00 · e77dce38b2
commit e77dce38b2
parent 97166e5207
3 changed files with 20 additions and 8 deletions
--- a/templates/server-network-policy.yaml
+++ b/templates/server-network-policy.yaml
@ -16,14 +16,7 @@ spec:
    matchLabels:
      app.kubernetes.io/name: {{ template "vault.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
-  ingress:
-    - from:
-        - namespaceSelector: {}
-      ports:
-      - port: 8200
-        protocol: TCP
-      - port: 8201
-        protocol: TCP
+  ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
  {{- if .Values.server.networkPolicy.egress }}
  egress:
  {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}
--- a/test/unit/server-network-policy.bats
+++ b/test/unit/server-network-policy.bats
@ -21,6 +21,17 @@ load _helpers
  [ "${actual}" = "true" ]
 }

+@test "server/network-policy: ingress changed by server.networkPolicy.ingress" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --set 'server.networkPolicy.enabled=true' \
+      --set 'server.networkPolicy.ingress[0].from[0].podSelector.matchLabels.foo=bar' \
+      --show-only templates/server-network-policy.yaml \
+      . | tee /dev/stderr |
+      yq -r '.spec.ingress[0].from[0].podSelector.matchLabels.foo' | tee /dev/stderr)
+  [ "${actual}" = "bar" ]
+}
+
@test "server/network-policy: egress enabled by server.networkPolicy.egress" {
  cd `chart_dir`
  local actual=$(helm template \
--- a/values.yaml
+++ b/values.yaml
@ -647,6 +647,14 @@ server:
    #   ports:
    #   - protocol: TCP
    #     port: 443
+    ingress:
+      - from:
+          - namespaceSelector: {}
+        ports:
+        - port: 8200
+          protocol: TCP
+        - port: 8201
+          protocol: TCP

  # Priority class for server pods
  priorityClassName: ""