diff --git a/README.md b/README.md
index 84e0d42..4bdfd63 100644
--- a/README.md
+++ b/README.md
@@ -36,4 +36,5 @@ Following the list complete list of supported Helm Charts:
 * devlake
 * elasticsearch-umbrella
 * imagepullsecret-patcher
+* networkpolicies
 * yace-exporter
\ No newline at end of file
diff --git a/charts/networkpolicies/.helmignore b/charts/networkpolicies/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/networkpolicies/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/networkpolicies/Chart.yaml b/charts/networkpolicies/Chart.yaml
new file mode 100644
index 0000000..a77ac60
--- /dev/null
+++ b/charts/networkpolicies/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: networkpolicies
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"
diff --git a/charts/networkpolicies/README.md b/charts/networkpolicies/README.md
new file mode 100644
index 0000000..8642310
--- /dev/null
+++ b/charts/networkpolicies/README.md
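Review bot: `description: A Helm chart for Kubernetes` is the unchanged `helm create` placeholder, and the chart README badge/intro inherits it, so nothing in the repo index tells an operator that this chart restricts pod traffic. Suggest `description: Per-application Kubernetes NetworkPolicies (custom ingress/egress rules, DNS egress, and AWS / MongoDB Atlas egress allow-lists)`. The scaffold comments about library charts and appVersion can go; they are not specific to this chart and there is no application version to track here.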
@@ -0,0 +1,41 @@ +# networkpolicies + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square) + +A Helm chart for Kubernetes + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| aws.dns | bool | `false` | | +| aws.enabled | bool | `false` | | +| aws.kinesis | bool | `false` | | +| aws.redis | bool | `false` | | +| aws.redisCIDR | string | `"0.0.0.0/0"` | | +| aws.redisPort | int | `6379` | | +| aws.s3 | bool | `false` | | +| aws.sns | bool | `false` | | +| aws.sqs | bool | `false` | | +| dns.app | string | `"kube-dns"` | | +| dns.namespace | string | `"kube-system"` | | +| egressRules | list | `[]` | [example](#rules) | +| fullnameOverride | string | `""` | | +| ingressRules | list | `[]` | [example](#rules) | +| mongoAtlas.cidr | string | `"0.0.0.0/0"` | | +| mongoAtlas.enabled | bool | `false` | | +| mongoAtlas.port | int | `27017` | | +| nameOverride | string | `""` | | + +## Rules + +```yaml +- selectors: + - namespaceSelector: {} + podSelector: + matchLabels: + empathy.co/component: test-service + ports: + - protocol: TCP + port: 80 +``` \ No newline at end of file diff --git a/charts/networkpolicies/templates/_helpers.tpl b/charts/networkpolicies/templates/_helpers.tpl new file mode 100644 index 0000000..113a816 --- /dev/null +++ b/charts/networkpolicies/templates/_helpers.tpl 
@@ -0,0 +1,59 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "networkpolicies.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "networkpolicies.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "networkpolicies.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "networkpolicies.labels" -}}
+helm.sh/chart: {{ include "networkpolicies.chart" . }}
+{{ include "networkpolicies.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "networkpolicies.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "networkpolicies.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+
+{{/*
+Return the appropriate apiVersion for the object
+*/}}
+{{- define "apiVersion" -}}
+{{- default "networking.k8s.io/v1" .Values.apiVersion -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/networkpolicies/templates/networkpolicy-atlas-rules.yaml b/charts/networkpolicies/templates/networkpolicy-atlas-rules.yaml
new file mode 100644
index 0000000..91a6569
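Review bot: the last helper is defined under the bare name `apiVersion` instead of `networkpolicies.apiVersion`; Helm template names are global for a release, so any parent or sibling chart installed alongside this one that also defines `apiVersion` silently replaces it for every `include "apiVersion" .` in the three policy templates, and which definition wins depends on load order. Rename it `{{- define "networkpolicies.apiVersion" -}}` and update the three `include` sites to match. `.Values.apiVersion`, which this helper reads, is declared neither in values.yaml nor in the README table; add it with a comment saying it is an escape hatch for the NetworkPolicy API group, or drop the override if there is no cluster that needs anything other than `networking.k8s.io/v1`.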
--- /dev/null +++ b/charts/networkpolicies/templates/networkpolicy-atlas-rules.yaml @@ -0,0 +1,43 @@ +{{ if .Values.mongoAtlas.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "apiVersion" . }} +metadata: + name: {{ include "networkpolicies.name" . }}-atlas +{{- if .Values.annotations }} + annotations: +{{ toYaml .Values.annotations | indent 4}} +{{- end }} + labels: + {{- include "networkpolicies.labels" . | nindent 4 }} +{{- if .Values.labels }} +{{ toYaml .Values.labels | indent 4 }} +{{- end }} +spec: +{{- if .Values.podSelector }} + podSelector: + matchLabels: +{{ toYaml .Values.podSelector.matchLabels | indent 7 }} +{{- end }} +{{- if or (eq .Values.aws.s3 true) (eq .Values.aws.kinesis true) (eq .Values.aws.sns true) (eq .Values.aws.sqs true)}} + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: + - 0.0.0.0/0 + ports: + - protocol: TCP + port: 443 +{{- end }} + +{{- if eq .Values.aws.redis true }} + - to: + - ipBlock: + cidr: + - {{ .Values.aws.redisCIDR }} + ports: + - protocol: TCP + port: {{ .Values.aws.redisPort }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/networkpolicies/templates/networkpolicy-aws-rules.yaml b/charts/networkpolicies/templates/networkpolicy-aws-rules.yaml new file mode 100644 index 0000000..8de5aa8 --- /dev/null +++ b/charts/networkpolicies/templates/networkpolicy-aws-rules.yaml 
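Review bot: this template is a verbatim copy of the AWS one: it is gated on `mongoAtlas.enabled`, but the body reads only `.Values.aws.s3/kinesis/sns/sqs/redis` and never `mongoAtlas.cidr` or `mongoAtlas.port`, so with `mongoAtlas.enabled: true` and the AWS flags at their defaults it renders a policy with a podSelector and no rules — which, because `policyTypes` then defaults to `Ingress`, isolates the selected pods from all ingress instead of allowing egress to Atlas. Even when an AWS flag is set the `cidr:` value is rendered as a list while `IPBlock.cidr` is a string, so the object is rejected at apply time. The spec should be a single Egress rule to the Atlas CIDR/port, with the `0.0.0.0/0` default refused so an allow-list to "everywhere" cannot ship by accident; the rewritten spec below assumes the values.yaml default for `mongoAtlas.cidr` becomes `""`.
```yaml
# … unchanged: kind / apiVersion / metadata …
spec:
  podSelector:
    matchLabels:
{{ toYaml .Values.podSelector.matchLabels | indent 6 }}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            # cidr is a single string, not a list; refuse an unset (all-internet) value.
            cidr: {{ required "mongoAtlas.cidr must be set to the Atlas project IP range" .Values.mongoAtlas.cidr | quote }}
      ports:
        - protocol: TCP
          port: {{ .Values.mongoAtlas.port }}
```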
@@ -0,0 +1,43 @@ +{{ if .Values.aws.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "apiVersion" . }} +metadata: + name: {{ include "networkpolicies.name" . }}-aws +{{- if .Values.annotations }} + annotations: +{{ toYaml .Values.annotations | indent 4}} +{{- end }} + labels: + {{- include "networkpolicies.labels" . | nindent 4 }} +{{- if .Values.labels }} +{{ toYaml .Values.labels | indent 4 }} +{{- end }} +spec: +{{- if .Values.podSelector }} + podSelector: + matchLabels: +{{ toYaml .Values.podSelector.matchLabels | indent 7 }} +{{- end }} +{{- if or (eq .Values.aws.s3 true) (eq .Values.aws.kinesis true) (eq .Values.aws.sns true) (eq .Values.aws.sqs true)}} + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: + - 0.0.0.0/0 + ports: + - protocol: TCP + port: 443 +{{- end }} + +{{- if eq .Values.aws.redis true }} + - to: + - ipBlock: + cidr: + - {{ .Values.aws.redisCIDR }} + ports: + - protocol: TCP + port: {{ .Values.aws.redisPort }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/networkpolicies/templates/networkpolicy.yaml b/charts/networkpolicies/templates/networkpolicy.yaml new file mode 100644 index 0000000..9a4bc9b --- /dev/null +++ b/charts/networkpolicies/templates/networkpolicy.yaml 
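Review bot: `cidr:` is rendered as a one-item list (`cidr: - 0.0.0.0/0`) in both egress rules, but `IPBlock.cidr` is a string, so the API server rejects this policy whenever any AWS flag is set; and because `egress:` is only opened inside the s3/kinesis/sns/sqs branch, `aws.redis: true` on its own emits `- to:` directly under `spec:`, which is not valid YAML. Separately, the 443 rule is `0.0.0.0/0`, so every pod this policy selects may reach any host on the internet and any in-cluster or VPC service on 443, not just AWS; at minimum `except` the RFC1918 ranges (plus your pod/service CIDRs if they are outside them), or scope it to the AWS published prefixes or VPC-endpoint addresses. Note also that `aws.enabled: true` with every service flag false renders a policy with a podSelector and no rules, which is a default-deny-ingress for those pods rather than a no-op, so gate the document on at least one flag. Rewritten spec (assumes `aws.redisCIDR` defaults to `""` in values.yaml):
```yaml
{{- if and .Values.aws.enabled (or .Values.aws.s3 .Values.aws.kinesis .Values.aws.sns .Values.aws.sqs .Values.aws.redis) }}
# … unchanged: kind / apiVersion / metadata …
spec:
  podSelector:
    matchLabels:
{{ toYaml .Values.podSelector.matchLabels | indent 6 }}
  policyTypes:
    - Egress
  egress:
{{- if or .Values.aws.s3 .Values.aws.kinesis .Values.aws.sns .Values.aws.sqs }}
    # AWS service endpoints are public; keep cluster and VPC ranges out of this rule.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
      ports:
        - protocol: TCP
          port: 443
{{- end }}
{{- if .Values.aws.redis }}
    - to:
        - ipBlock:
            cidr: {{ required "aws.redisCIDR must be the ElastiCache subnet, not 0.0.0.0/0" .Values.aws.redisCIDR | quote }}
      ports:
        - protocol: TCP
          port: {{ .Values.aws.redisPort }}
{{- end }}
{{- end }}
```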
@@ -0,0 +1,81 @@ +kind: NetworkPolicy +apiVersion: {{ include "apiVersion" . }} +metadata: + name: {{ include "networkpolicies.name" . }} +{{- if .Values.annotations }} + annotations: +{{ toYaml .Values.annotations | indent 4}} +{{- end }} + labels: + {{- include "networkpolicies.labels" . | nindent 4 }} +{{- if .Values.labels }} +{{ toYaml .Values.labels | indent 4 }} +{{- end }} +spec: +{{- if .Values.podSelector }} + podSelector: + matchLabels: +{{ toYaml .Values.podSelector.matchLabels | indent 7 }} +{{- end }} +{{- if or .Values.ingressRules .Values.egressRules }} + policyTypes: +{{- if .Values.ingressRules }} + - Ingress +{{- end }} +{{- if .Values.egressRules }} + - Egress +{{- end }} +{{- end }} +{{- if .Values.egressRules }} + egress: +{{- range $rule := .Values.egressRules }} + - to: +{{ toYaml $rule.selectors | indent 9 }} + ports: +{{ toYaml $rule.ports | indent 9 }} +{{- end }} +{{- end }} +{{- if .Values.ingressRules }} + ingress: +{{- range $rule := .Values.ingressRules }} + - from: +{{ toYaml $rule.selectors | indent 7 }} + ports: +{{ toYaml $rule.ports | indent 9 }} +{{- end }} +{{- end }} +--- +{{- if .Values.dns }} +kind: NetworkPolicy +apiVersion: {{ include "apiVersion" . }} +metadata: + name: {{ include "networkpolicies.name" . }}-dns +{{- if .Values.annotations }} + annotations: +{{ toYaml .Values.annotations | indent 4}} +{{- end }} + labels: + {{- include "networkpolicies.labels" . | nindent 4 }} +{{- if .Values.labels }} +{{ toYaml .Values.labels | indent 4 }} +{{- end }} +spec: + podSelector: + matchLabels: +{{ toYaml .Values.podSelector.matchLabels | indent 7 }} + policyTypes: + - Egress + egress: + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + to: + - podSelector: + matchLabels: + app: {{ .Values.dns.app }} + - namespaceSelector: + matchLabels: + name: {{ .Values.dns.namespace }} +{{- end }} \ No newline at end of file 
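Review bot: in the `-dns` policy the `to:` block lists `podSelector` and `namespaceSelector` as two separate peers, which NetworkPolicy ORs: any pod in the policy's own namespace that carries `app: kube-dns` gets port-53 egress, and every pod in a namespace labelled `name: kube-system` is reachable on 53 — and since kube-system carries no `name=…` label by default, the real CoreDNS pods may match neither peer and DNS silently breaks. Merge them into one peer and key the namespace on the automatic `kubernetes.io/metadata.name` label (Kubernetes ≥ 1.21); upstream CoreDNS is labelled `k8s-app: kube-dns` rather than `app`, so confirm the pod label key against the cluster. The same template dereferences `.Values.podSelector.matchLabels` unconditionally while values.yaml declares no `podSelector` and always sets `dns`, so `helm template` with default values fails on a nil pointer, and in the first policy the `{{- if .Values.podSelector }}` guard drops `podSelector` entirely, which makes that policy select every pod in the namespace. Finally, resource names come from `networkpolicies.name` (the chart name) instead of `networkpolicies.fullname`, so two releases in one namespace — the natural way to give each app its own selector — collide on `networkpolicies` / `networkpolicies-dns`. Rewritten DNS peer:
```yaml
      to:
        # One peer => namespaceSelector AND podSelector; two peers would be OR.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: {{ .Values.dns.namespace }}
          podSelector:
            matchLabels:
              app: {{ .Values.dns.app }}  # upstream CoreDNS uses k8s-app; verify on the cluster
```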
diff --git a/charts/networkpolicies/values.yaml b/charts/networkpolicies/values.yaml new file mode 100644 index 0000000..48ddb2d --- /dev/null +++ b/charts/networkpolicies/values.yaml @@ -0,0 +1,25 @@ +# Default values for networkpolicies. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +nameOverride: "" +fullnameOverride: "" +egressRules: [] +ingressRules: [] +dns: + namespace: kube-system + app: kube-dns +aws: + enabled: false + dns: false + s3: false + kinesis: false + sqs: false + sns: false + redis: false + redisCIDR: 0.0.0.0/0 + redisPort: 6379 +mongoAtlas: + enabled: false + cidr: 0.0.0.0/0 + port: 27017 +
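Review bot: `aws.redisCIDR` and `mongoAtlas.cidr` default to `0.0.0.0/0`, so the moment `aws.redis` or `mongoAtlas.enabled` is switched on the selected pods get egress to the whole internet on 6379 / 27017 unless the operator remembers to override — an allow-list whose default is "everything" gives no protection and is easy to ship as-is. Make them empty and fail the render when unset: `redisCIDR: ""  # ElastiCache subnet CIDR, required when aws.redis is true` and `cidr: ""  # Atlas project IP range, required when mongoAtlas.enabled is true`, paired with `required` in the templates. The templates also read `podSelector.matchLabels`, `annotations`, `labels` and `apiVersion`, none of which are declared here, while `aws.dns` is declared but read by no template; declare the former with a one-line comment each (in particular that `podSelector` is mandatory and scopes every policy the chart creates) and drop or wire up `aws.dns`.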