From e77dce38b265b72035f899bb7b611cc8ae82026c Mon Sep 17 00:00:00 2001
From: Marco Lecheler
Date: Thu, 16 Nov 2023 01:42:26 +0100
Subject: [PATCH] feat: ingress rules for server networkPolicy (#877)
* feat: allow server netPol to specify podSelector
* feat(test): add podSelector NetworkPolicy unittest
* chore: introduce server.networkPolicy.ingress
As suggested let users template the whole ingress object for the networkPolicy than only the podSelector.
Co-authored-by: tvoran <444265+tvoran@users.noreply.github.com>
---------
Co-authored-by: tvoran <444265+tvoran@users.noreply.github.com>
---
 templates/server-network-policy.yaml | 9 +--------
 test/unit/server-network-policy.bats | 11 +++++++++++
 values.yaml | 8 ++++++++
 3 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/templates/server-network-policy.yaml b/templates/server-network-policy.yaml
index 62d4ae1..43dcdb1 100644
--- a/templates/server-network-policy.yaml
+++ b/templates/server-network-policy.yaml
@@ -16,14 +16,7 @@ spec:
 matchLabels:
 app.kubernetes.io/name: {{ template "vault.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
- ingress:
- - from:
- - namespaceSelector: {}
- ports:
- - port: 8200
- protocol: TCP
- - port: 8201
- protocol: TCP
+ ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
 {{- if .Values.server.networkPolicy.egress }}
 egress: {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}
diff --git a/test/unit/server-network-policy.bats b/test/unit/server-network-policy.bats
index 1364321..1792685 100755
--- a/test/unit/server-network-policy.bats
+++ b/test/unit/server-network-policy.bats
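Review bot: The new `ingress:` line renders `.Values.server.networkPolicy.ingress` unconditionally, whereas the `egress:` key two lines below is wrapped in `{{- if .Values.server.networkPolicy.egress }}`. If an operator unsets the value (for example `--set server.networkPolicy.ingress=null`) the template emits `ingress: null`, which a NetworkPolicy reads as "no ingress rules", so all inbound traffic to the server pods is denied; that is fail-closed, but it is a silent departure from the hard-coded allow on 8200/8201 that this hunk removes. Make that explicit with a template comment above the line, e.g. `{{- /* ingress is rendered verbatim from values; an empty or null value denies all inbound traffic to the server pods */ -}}`. The rest of the spec, including any `policyTypes`, lies outside the hunk, so I have not checked what it declares.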
@@ -21,6 +21,17 @@ load _helpers
 [ "${actual}" = "true" ]
 }
+@test "server/network-policy: ingress changed by server.networkPolicy.ingress" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ --set 'server.networkPolicy.enabled=true' \
+ --set 'server.networkPolicy.ingress[0].from[0].podSelector.matchLabels.foo=bar' \
+ --show-only templates/server-network-policy.yaml \
+ . | tee /dev/stderr |
+ yq -r '.spec.ingress[0].from[0].podSelector.matchLabels.foo' | tee /dev/stderr)
+ [ "${actual}" = "bar" ]
+}
+
 @test "server/network-policy: egress enabled by server.networkPolicy.egress" {
 cd `chart_dir`
 local actual=$(helm template \
diff --git a/values.yaml b/values.yaml
index a18912e..eaa35a3 100644
--- a/values.yaml
+++ b/values.yaml
@@ -647,6 +647,14 @@ server:
 # ports:
 # - protocol: TCP
 # port: 443
+ ingress:
+ - from:
+ - namespaceSelector: {}
+ ports:
+ - port: 8200
+ protocol: TCP
+ - port: 8201
+ protocol: TCP
 # Priority class for server pods
 priorityClassName: ""
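Review bot: The added test only exercises the override path; nothing asserts that the chart's default `server.networkPolicy.ingress` still renders the allow on ports 8200 and 8201 that this commit moves out of the template into values.yaml, so a later edit that drops or narrows that default would pass the suite unnoticed. A second case in the same style, rendering with default values and reading `.spec.ingress[0].ports`, would pin it. Note also that the `--set ...ingress[0].from[0].podSelector...` override here replaces the whole list, so the rule rendered in this test carries no `ports` at all — fine for this assertion, but worth a one-line comment in the test so nobody reads it as the default shape.
```shell
@test "server/network-policy: default ingress allows 8200 and 8201" {
  cd `chart_dir`
  local actual=$(helm template \
      --set 'server.networkPolicy.enabled=true' \
      --show-only templates/server-network-policy.yaml \
      . | tee /dev/stderr |
      yq -r '[.spec.ingress[0].ports[].port | tostring] | join(",")' | tee /dev/stderr)
  [ "${actual}" = "8200,8201" ]
}
```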
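Review bot: The new `ingress:` default in values.yaml carries no comment, unlike the commented egress example directly above it, and `namespaceSelector: {}` with no `podSelector` matches every pod in every namespace, so the default admits any workload in the cluster to ports 8200 and 8201 (the same reach the hard-coded template rule had, but now it is a tunable that operators will read here first). Add a comment above the block so the scope is visible where it is configured, e.g. `# Ingress rules for the server NetworkPolicy. The default allows any pod in any namespace to reach ports 8200 and 8201; narrow the namespaceSelector/podSelector to the clients that need access.` Since the whole list is rendered verbatim by the template, it is also worth stating that setting this to an empty list or null denies all inbound traffic to the server pods.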