feat: ingress rules for server networkPolicy (#877)

* feat: allow server netPol to specify podSelector * feat(test): add podSelector NetworkPolicy unittest * chore: introduce server.networkPolicy.ingress As suggested let users template the whole ingress object for the networkPolicy than only the podSelector. Co-authored-by: tvoran <444265+tvoran@users.noreply.github.com> --------- Co-authored-by: tvoran <444265+tvoran@users.noreply.github.com>
2023-11-16 01:42:26 +01:00 · 2023-11-16 01:42:26 +01:00 · e77dce38b2
commit e77dce38b2
parent 97166e5207
3 changed files with 20 additions and 8 deletions
--- a/templates/server-network-policy.yaml
+++ b/templates/server-network-policy.yaml
@ -16,14 +16,7 @@ spec:
    matchLabels:
      app.kubernetes.io/name: {{ template "vault.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
-  ingress:
+  ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
    - from:
        - namespaceSelector: {}
      ports:
      - port: 8200
        protocol: TCP
      - port: 8201
        protocol: TCP
  {{- if .Values.server.networkPolicy.egress }}
  egress:
  {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}
--- a/test/unit/server-network-policy.bats
+++ b/test/unit/server-network-policy.bats
@ -21,6 +21,17 @@ load _helpers
  [ "${actual}" = "true" ]
 }
@test "server/network-policy: ingress changed by server.networkPolicy.ingress" {
  cd `chart_dir`
  local actual=$(helm template \
      --set 'server.networkPolicy.enabled=true' \
      --set 'server.networkPolicy.ingress[0].from[0].podSelector.matchLabels.foo=bar' \
      --show-only templates/server-network-policy.yaml \
      . | tee /dev/stderr |
      yq -r '.spec.ingress[0].from[0].podSelector.matchLabels.foo' | tee /dev/stderr)
  [ "${actual}" = "bar" ]
 }
@test "server/network-policy: egress enabled by server.networkPolicy.egress" {
  cd `chart_dir`
  local actual=$(helm template \
--- a/values.yaml
+++ b/values.yaml
@ -647,6 +647,14 @@ server:
    #   ports:
    #   - protocol: TCP
    #     port: 443
    ingress:
      - from:
          - namespaceSelector: {}
        ports:
        - port: 8200
          protocol: TCP
        - port: 8201
          protocol: TCP
  # Priority class for server pods
  priorityClassName: ""