fix(mycloud-nextcloud): add networkpolicy

2024-09-04 22:37:48 +02:00 · 2024-09-04 22:37:48 +02:00 · 47a04c4ef9
commit 47a04c4ef9
parent 37c84787de
4 changed files with 168 additions and 0 deletions
--- a/base-values/commons.yaml
+++ b/base-values/commons.yaml
@ -46,6 +46,8 @@ commons:
      ingress: []
      metrics: []
    to:
+      dns: []
+      k8sAPI: []
      smtp: []
      matrix: []

--- a/mycloud-nextcloud/README.adoc
+++ b/mycloud-nextcloud/README.adoc
@ -255,6 +255,41 @@ image::https://img.shields.io/badge/Version-application-informational?style=flat
 | `"sub"`
 | oidc field which us used as id in nextcloud for username (for security reason it is sub, but could be overwritten by username) https://goauthentik.io/integrations/services/nextcloud/#provider-and-application

+| chart.ref
+| object
+| `{"branch":"feat/imaginary"}`
+| for default set: null
+
+| chart.url
+| string
+| `"https://github.com/wrenix/nextcloud-helm.git"`
+| for default set: https://nextcloud.github.io/helm/
+
+| commons.networkpolicies.enabled
+| bool
+| `false`
+|
+
+| commons.networkpolicies.from.ingress
+| list
+| `[]`
+|
+
+| commons.networkpolicies.from.metrics
+| list
+| `[]`
+|
+
+| commons.networkpolicies.to.dns
+| list
+| `[]`
+|
+
+| config
+| object
+| `{}`
+|
+
 | database.host
 | string
 | `"mycloud-services-postgresql"`
@ -285,6 +320,11 @@ image::https://img.shields.io/badge/Version-application-informational?style=flat
 | `"GB"`
 |

+| imaginary.enabled
+| bool
+| `true`
+|
+
 | ingress.annotations
 | string
 | `nil`
--- a/mycloud-nextcloud/templates/networkpolicy.yaml
+++ b/mycloud-nextcloud/templates/networkpolicy.yaml
@ -0,0 +1,118 @@
+{{- if .Values.commons.networkpolicies.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: app
+      app.kubernetes.io/instance: {{ .Release.Name }}-hr
+      app.kubernetes.io/name: nextcloud
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - port: 80
+          protocol: TCP
+      from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/component: metrics
+              app.kubernetes.io/instance: {{ .Release.Name }}-hr
+              app.kubernetes.io/name: nextcloud 
+        {{- with .Values.commons.networkpolicies.from.ingress }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+{{- if .Values.imaginary.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .Release.Name }}-imaginary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: imaginary
+      app.kubernetes.io/instance: {{ .Release.Name }}-hr
+      app.kubernetes.io/name: nextcloud
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+        - port: 9000
+          protocol: TCP
+      from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/component: app
+              app.kubernetes.io/instance: {{ .Release.Name }}-hr
+              app.kubernetes.io/name: nextcloud
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .Release.Name }}-metrics
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: metrics
+      app.kubernetes.io/instance: {{ .Release.Name }}-hr
+      app.kubernetes.io/name: nextcloud 
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+        - port: 9205
+          protocol: TCP
+      from:
+        {{- toYaml .Values.commons.networkpolicies.from.metrics | nindent 8 }}
+  egress:
+    - ports:
+        - port: 80
+          protocol: TCP
+      to:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/component: app
+              app.kubernetes.io/instance: {{ .Release.Name }}-hr
+              app.kubernetes.io/name: nextcloud
+    - ports:
+        - port: 53
+          protocol: UDP
+      to:
+        {{- toYaml .Values.commons.networkpolicies.to.dns | nindent 8 }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .Release.Name }}-redis
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: master
+      app.kubernetes.io/instance: {{ .Release.Name }}-hr
+      app.kubernetes.io/name: redis
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+        - port: 6379
+          protocol: TCP
+      from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/component: app
+              app.kubernetes.io/instance: {{ .Release.Name }}-hr
+              app.kubernetes.io/name: nextcloud
+    - ports:
+        - port: 9121
+          protocol: TCP
+      from:
+        {{- toYaml .Values.commons.networkpolicies.from.metrics | nindent 8 }}
+{{- end }}
--- a/mycloud-nextcloud/values.yaml
+++ b/mycloud-nextcloud/values.yaml
@ -86,6 +86,14 @@ commons:
      # @section -- Commons Ingress
      override: []

+  networkpolicies:
+    enabled: false
+    from:
+      ingress: []
+      metrics: []
+    to:
+      dns: []
+
  prometheus:
    monitor:
      # -- labels on Pod- and Service-Monitor