fix(ntfy): add networkpolicy support

ntfy/Chart.yaml

@@ -3,7 +3,7 @@ name: ntfy
 description: A Helm chart for Kubernetes
 icon: https://github.com/binwiederhier/ntfy/raw/main/web/public/static/images/pwa-512x512.png
 type: application
-version: 0.3.2
+version: 0.4.0
 # renovate: image=docker.io/binwiederhier/ntfy
 appVersion: "2.11.0"
 maintainers:

ntfy/README.adoc

@@ -2,7 +2,7 @@
 
 = ntfy
 
-image::https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square[Version: 0.3.2]
+image::https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square[Version: 0.4.0]
 image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
 image::https://img.shields.io/badge/AppVersion-2.11.0-informational?style=flat-square[AppVersion: 2.11.0]
 == Maintainers
@@ -167,6 +167,36 @@ helm uninstall ntfy-release
 | `""`
 |
 
+| networkPolicy.egress.enabled
+| bool
+| `true`
+| activate egress no networkpolicy
+
+| networkPolicy.egress.extra
+| list
+| `[]`
+| egress rules
+
+| networkPolicy.enabled
+| bool
+| `false`
+|
+
+| networkPolicy.ingress.http
+| list
+| `[]`
+| ingress for http port (e.g. ingress-controller)
+
+| networkPolicy.ingress.metrics
+| list
+| `[]`
+| ingress for metrics port (e.g. prometheus)
+
+| networkPolicy.ingress.smtp
+| list
+| `[]`
+| ingress for smtp
+
 | nodeSelector
 | object
 | `{}`

ntfy/templates/deployment.yaml

@@ -63,9 +63,11 @@ spec:
               containerPort: {{ .Values.ntfy.metrics.port }}
               protocol: TCP
             {{- end }}
+            {{- if .Values.service.smtp.enabled }}
             - name: smtp
               containerPort: {{ .Values.service.smtp.port }}
               protocol: TCP
+            {{- end }}
           livenessProbe:
             httpGet:
               path: /v1/health

ntfy/templates/networkpolicy.yaml

@@ -0,0 +1,44 @@
+{{- if .Values.networkPolicy.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "ntfy.fullname" . }}
+  labels:
+    {{- include "ntfy.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "ntfy.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+    {{- if .Values.networkPolicy.egress.enabled }}
+    - Egress
+    {{- end }}
+  ingress:
+    {{- with .Values.networkPolicy.ingress.http }}
+    - ports:
+        - port: {{ $.Values.service.http.port }}
+          protocol: TCP
+      from:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- if and .Values.ntfy.metrics.enable .Values.networkPolicy.ingress.metrics }}
+    - ports:
+        - port: {{ .Values.ntfy.metrics.port }}
+          protocol: TCP
+      from:
+        {{- toYaml .Values.networkPolicy.ingress.metrics | nindent 8 }}
+    {{- end }}
+    {{- if and .Values.service.smtp.enabled .Values.networkPolicy.ingress.smtp }}
+    - ports:
+        - port: {{ .Values.service.smtp.port }}
+          protocol: TCP
+      from:
+        {{- toYaml .Values.networkPolicy.ingress.smtp | nindent 8 }}
+    {{- end }}
+  {{- with .Values.networkPolicy.egress }}
+  egress:
+    {{- toYaml .extra | nindent 4 }}
+  {{- end }}
+{{- end }}

ntfy/values.yaml

@@ -187,6 +187,21 @@ service:
     type: LoadBalancer
     port: 25
 
+networkPolicy:
+  enabled: false
+  ingress:
+    # -- ingress for http port (e.g. ingress-controller)
+    http: []
+    # -- ingress for metrics port (e.g. prometheus)
+    metrics: []
+    # -- ingress for smtp
+    smtp: []
+  egress:
+    # -- activate egress no networkpolicy
+    enabled: true
+    # -- egress rules
+    extra: []
+
 ingress:
   enabled: false
   className: ""