From 47a04c4ef9907bafdea88724b2460c0d79d19e52 Mon Sep 17 00:00:00 2001 From: WrenIX Date: Wed, 4 Sep 2024 22:37:48 +0200 Subject: [PATCH] fix(mycloud-nextcloud): add networkpolicy --- base-values/commons.yaml | 2 + mycloud-nextcloud/README.adoc | 40 ++++++ .../templates/networkpolicy.yaml | 118 ++++++++++++++++++ mycloud-nextcloud/values.yaml | 8 ++ 4 files changed, 168 insertions(+) create mode 100644 mycloud-nextcloud/templates/networkpolicy.yaml diff --git a/base-values/commons.yaml b/base-values/commons.yaml index b10919b..f6f6146 100644 --- a/base-values/commons.yaml +++ b/base-values/commons.yaml @@ -46,6 +46,8 @@ commons: ingress: [] metrics: [] to: + dns: [] + k8sAPI: [] smtp: [] matrix: [] diff --git a/mycloud-nextcloud/README.adoc b/mycloud-nextcloud/README.adoc index 2743fba..94e0bc4 100644 --- a/mycloud-nextcloud/README.adoc +++ b/mycloud-nextcloud/README.adoc @@ -255,6 +255,41 @@ image::https://img.shields.io/badge/Version-application-informational?style=flat | `"sub"` | oidc field which us used as id in nextcloud for username (for security reason it is sub, but could be overwritten by username) https://goauthentik.io/integrations/services/nextcloud/#provider-and-application +| chart.ref +| object +| `{"branch":"feat/imaginary"}` +| for default set: null + +| chart.url +| string +| `"https://github.com/wrenix/nextcloud-helm.git"` +| for default set: https://nextcloud.github.io/helm/ + +| commons.networkpolicies.enabled +| bool +| `false` +| + +| commons.networkpolicies.from.ingress +| list +| `[]` +| + +| commons.networkpolicies.from.metrics +| list +| `[]` +| + +| commons.networkpolicies.to.dns +| list +| `[]` +| + +| config +| object +| `{}` +| + | database.host | string | `"mycloud-services-postgresql"` @@ -285,6 +320,11 @@ image::https://img.shields.io/badge/Version-application-informational?style=flat | `"GB"` | +| imaginary.enabled +| bool +| `true` +| + | ingress.annotations | string | `nil` 
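Review bot: `commons.networkpolicies.to.k8sAPI` is introduced here next to `dns`, but neither the chart's values.yaml hunk in this commit (which adds only `to.dns`) nor the new networkpolicy template references it, so the key is dead as of this patch. Either leave it out until a policy consumes it, or add it to mycloud-nextcloud/values.yaml with a `# --` comment so the shared defaults and the chart defaults stay aligned. The existing `to.smtp` and `to.matrix` entries are likewise not used by the new template, which only restricts ingress on the app pod (`policyTypes: [Ingress]`), so app egress stays unrestricted; if that is intentional, a comment such as `# app egress is deliberately unrestricted; only metrics/redis/imaginary get egress rules` next to the defaults would save the next reader the search.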
diff --git a/mycloud-nextcloud/templates/networkpolicy.yaml b/mycloud-nextcloud/templates/networkpolicy.yaml
new file mode 100644
index 0000000..6a99210
--- /dev/null
+++ b/mycloud-nextcloud/templates/networkpolicy.yaml
@@ -0,0 +1,118 @@
+{{- if .Values.commons.networkpolicies.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ .Release.Name }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: app
+ app.kubernetes.io/instance: {{ .Release.Name }}-hr
+ app.kubernetes.io/name: nextcloud
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - port: 80
+ protocol: TCP
+ from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: metrics
+ app.kubernetes.io/instance: {{ .Release.Name }}-hr
+ app.kubernetes.io/name: nextcloud
+ {{- with .Values.commons.networkpolicies.from.ingress }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- if .Values.imaginary.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ .Release.Name }}-imaginary
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: imaginary
+ app.kubernetes.io/instance: {{ .Release.Name }}-hr
+ app.kubernetes.io/name: nextcloud
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - port: 9000
+ protocol: TCP
+ from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: app
+ app.kubernetes.io/instance: {{ .Release.Name }}-hr
+ app.kubernetes.io/name: nextcloud
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ .Release.Name }}-metrics
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: metrics
+ app.kubernetes.io/instance: {{ .Release.Name }}-hr
+ app.kubernetes.io/name: nextcloud
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - port: 9205
+ protocol: TCP
+ from:
+ {{- toYaml .Values.commons.networkpolicies.from.metrics | nindent 8 }}
+ egress:
+ - ports:
+ - port: 80
+ protocol: TCP
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: app
+ app.kubernetes.io/instance: {{ .Release.Name }}-hr
+ app.kubernetes.io/name: nextcloud
+ - ports:
+ - port: 53
+ protocol: UDP
+ to:
+ {{- toYaml .Values.commons.networkpolicies.to.dns | nindent 8 }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ .Release.Name }}-redis
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: master
+ app.kubernetes.io/instance: {{ .Release.Name }}-hr
+ app.kubernetes.io/name: redis
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - port: 6379
+ protocol: TCP
+ from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/component: app
+ app.kubernetes.io/instance: {{ .Release.Name }}-hr
+ app.kubernetes.io/name: nextcloud
+ - ports:
+ - port: 9121
+ protocol: TCP
+ from:
+ {{- toYaml .Values.commons.networkpolicies.from.metrics | nindent 8 }}
+{{- end }}
diff --git a/mycloud-nextcloud/values.yaml b/mycloud-nextcloud/values.yaml
index b6efd6c..2370c92 100644
--- a/mycloud-nextcloud/values.yaml
+++ b/mycloud-nextcloud/values.yaml
@@ -86,6 +86,14 @@ commons: # @section -- Commons Ingress override: [] + networkpolicies: + enabled: false + from: + ingress: [] + metrics: [] + to: + dns: [] + prometheus: monitor: # -- labels on Pod- and Service-Monitor
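Review bot: The port 9205 rule of the `-metrics` policy and the port 9121 rule of the `-redis` policy pass `.Values.commons.networkpolicies.from.metrics` straight through `toYaml`, so with the chart default `metrics: []` from values.yaml the rule renders as `from: []`, and a NetworkPolicy ingress rule whose `from` is empty matches every source — the shipped defaults expose both metrics ports to the whole cluster instead of denying them. The port 53/UDP egress rule has the same shape with `to.dns` and renders `to: []`, i.e. DNS egress to any destination. The app policy already guards its optional selectors with `{{- with }}`; the other rules should do the same, but the `with` has to wrap the whole `- ports:` entry, because a rule that lists ports and omits `from` entirely is equally unrestricted. Rendering the template with the default values before and after the change is the quickest way to confirm the rules disappear rather than widen.
```yaml
  ingress:
    {{- with .Values.commons.networkpolicies.from.metrics }}
    - ports:
        - port: 9205
          protocol: TCP
      from:
        {{- toYaml . | nindent 8 }}
    {{- end }}
  egress:
    # … unchanged: rule to the app pod on port 80/TCP …
    {{- with .Values.commons.networkpolicies.to.dns }}
    - ports:
        - port: 53
          protocol: UDP
      to:
        {{- toYaml . | nindent 8 }}
    {{- end }}
# … unchanged: -redis policy, apply the same `with` wrapper to its port 9121 rule …
```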
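Review bot: The new `networkpolicies` keys carry no `# --` helm-docs comments, which is why the README hunk in this commit lists `commons.networkpolicies.enabled`, `from.ingress`, `from.metrics` and `to.dns` with empty description cells while the neighbouring monitor labels are documented. Suggested comments: `# -- render NetworkPolicies for the app, metrics, imaginary and redis pods` on `enabled`, `# -- peers allowed to reach the app on port 80 (podSelector/namespaceSelector/ipBlock entries)` on `from.ingress`, `# -- peers allowed to scrape the metrics ports` on `from.metrics`, and `# -- peers the metrics pod may send DNS (53/UDP) to` on `to.dns`. The enclosing `commons:` mapping appears to continue past the end of the hunk.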