From d4e05b82470b2f80e1387291b4cfd0066c3cda6f Mon Sep 17 00:00:00 2001
From: Debakel Orakel
Date: Sat, 2 May 2026 12:13:52 +0200
Subject: [PATCH] Support creating NetworkPolicies

---
 class/defaults.yml | 7 ++
 component/main.jsonnet | 33 ++++++++
 .../ROOT/pages/references/parameters.adoc | 76 ++++++++++++++++++-
 tests/extra-config.yml | 5 ++
 .../openshift/30_network_policies.yaml | 21 +++++
 tests/openshift.yml | 5 ++
 6 files changed, 146 insertions(+), 1 deletion(-)
 create mode 100644 tests/golden/openshift/openshift/openshift/30_network_policies.yaml

diff --git a/class/defaults.yml b/class/defaults.yml
index fdca0814..532e757f 100644
--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -88,6 +88,13 @@ parameters:
       #increase if auth credentials change
       secretVersion: 0
 
+    networkPolicy:
+      enabled: true
+      exposedComponents:
+        - query-frontend
+        - gateway
+      allowedNamespaces: []
+
     ingress:
       enabled: false
       tls:
diff --git a/component/main.jsonnet b/component/main.jsonnet
index f2551231..2b9c2687 100644
--- a/component/main.jsonnet
+++ b/component/main.jsonnet
@@ -45,6 +45,37 @@ local secrets = com.generateResources(
   }
 );
 
+local netpols = kube.NetworkPolicy('allow-from-other-namespaces') {
+  metadata+: {
+    labels+: {
+      'app.kubernetes.io/managed-by': 'commodore',
+      'app.kubernetes.io/name': 'allow-from-other-namespaces',
+    },
+    namespace: params.namespace.name,
+  },
+  spec: {
+    policyTypes: [ 'Ingress' ],
+    [if std.length(params.networkPolicy.exposedComponents) > 0 then 'podSelector']: {
+      matchExpressions: [ {
+        key: 'app.kubernetes.io/component',
+        operator: 'In',
+        values: com.renderArray(params.networkPolicy.exposedComponents),
+      } ],
+    },
+    ingress: [ {
+      from: [ {
+        namespaceSelector: {
+          matchExpressions: [ {
+            key: 'kubernetes.io/metadata.name',
+            operator: 'In',
+            values: com.renderArray(params.networkPolicy.allowedNamespaces),
+          } ],
+        },
+      } ],
+    } ],
+  },
+};
+
 // Define outputs below
 {
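Review bot: `allowedNamespaces: []` combined with the default `enabled: true` means the component ships with no NetworkPolicy at all, so `query-frontend` and `gateway` stay reachable from every namespace until an operator fills the list; that is the documented behaviour, but nothing in the defaults says so, and nothing warns that the ingress controller's namespace must be listed once `ingress` is enabled or the router loses access to the gateway. I'd put a comment above the key: `# Policy is rendered only when this list is non-empty; add the ingress controller's namespace when ingress.enabled is true`. The parameters.adoc hunk in this patch also documents `exposedComponents` under a second `=== networkPolicy.enabled` heading and types both lists as `dict`; the heading should read `networkPolicy.exposedComponents` and the types `list`.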
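Review bot: The conditional `podSelector` key turns an empty `exposedComponents` into a policy without any `podSelector`, which Kubernetes treats as the empty selector, i.e. every pod in `params.namespace.name` — the `~exposedComponents: []` fixture in tests/openshift.yml renders exactly that golden file. Once a pod is selected by this Ingress policy only traffic matching the single `from` peer is admitted, so pods inside the Mimir namespace itself (the queriers that presumably connect to `query-frontend`, the gateway, …) are cut off unless the namespace is added to `allowedNamespaces`. I'd keep intra-namespace traffic open with a second peer, `{ podSelector: {} },` next to the `namespaceSelector` entry, and either always emit `podSelector` or refuse to render the policy when `exposedComponents` is empty. Selecting on `kubernetes.io/metadata.name` also relies on the cluster setting that namespace label (1.21+), which is worth a comment on the selector.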
@@ -70,4 +101,6 @@ local secrets = com.generateResources(
       namespace: params.namespace.name,
     },
   },
+
+  [if params.networkPolicy.enabled && std.length(params.networkPolicy.allowedNamespaces) > 0 then '30_network_policies']: netpols,
 }
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
index f741de14..fbfffa0a 100644
--- a/docs/modules/ROOT/pages/references/parameters.adoc
+++ b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -461,6 +461,80 @@ Zone-aware replication is the replication of data across failure domains.
 Zone-aware replication helps to avoid data loss during a domain outage.
 Grafana Mimir defines failure domains as zones.
 
+== `networkPolicy`
+
+Configure the NetworkPolicy if necessary.
+
+=== `networkPolicy.enabled`
+
+[horizontal]
+type:: boolean
+default::
++
+[source,yaml]
+----
+networkPolicy:
+  enabled: true
+----
+
+Enables or disables NetworkPolicy.
+
+[TIP]
+====
+The networkPolicy will only be deployed if it is `enabled` and has at least 1 entry in `allowedNamespaces`.
+====
+
+=== `networkPolicy.enabled`
+
+[horizontal]
+type:: dict
+default::
++
+[source,yaml]
+----
+networkPolicy:
+  exposedComponents:
+    - query-frontend
+    - gateway
+----
+example::
++
+[source,yaml]
+----
+networkPolicy:
+  exposedComponents:
+    - ~query-frontend
+----
+
+Define what components this NetworkPolicy should allow access to.
+
+The components prefixed with a tilde `~` are removed from the resulting list.
+
+=== `networkPolicy.allowedNamespaces`
+
+[horizontal]
+type:: dict
+default::
++
+[source,yaml]
+----
+networkPolicy:
+  allowedNamespaces: []
+----
+example::
++
+[source,yaml]
+----
+networkPolicy:
+  allowedNamespaces:
+    - vshn-grafana
+----
+
+Define the namespaces that should be able to access this instance.
+
+The namespaces prefixed with a tilde `~` are removed from the resulting list.
+
+
 == `ingress`
 
 Ingress configuration
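Review bot: The gate on `std.length(params.networkPolicy.allowedNamespaces) > 0` means an operator who sets `enabled: true` and leaves the list empty gets no policy rather than a deny-all: the exposed components stay open to the whole cluster, which is the opposite of what "no namespaces allowed" suggests. If that is intended it should be stated in the code, e.g. `// No policy is rendered while allowedNamespaces is empty; an empty list is NOT a deny-all`, and a real deny-all would render the object with `ingress: []` instead. The condition also ignores `exposedComponents`, so `enabled` with an emptied component list still emits a policy whose missing `podSelector` covers every pod in the namespace; adding `&& std.length(params.networkPolicy.exposedComponents) > 0` to the condition would avoid that. The enclosing output object starts before this hunk.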
@@ -474,7 +548,7 @@ If both are enabled, nginx takes precedence.
 === `ingress.enabled`
 
 [horizontal]
-type:: dict
+type:: boolean
 default::
 +
 [source,yaml]
diff --git a/tests/extra-config.yml b/tests/extra-config.yml
index 9805c715..c13a5154 100644
--- a/tests/extra-config.yml
+++ b/tests/extra-config.yml
@@ -78,6 +78,11 @@ parameters:
     zoneAwareReplication:
       enabled: true
 
+    networkPolicy:
+      enabled: false
+      allowedNamespaces:
+        - vshn-grafana
+
     config:
       tenantFederation: true
       haTracker: true
diff --git a/tests/golden/openshift/openshift/openshift/30_network_policies.yaml b/tests/golden/openshift/openshift/openshift/30_network_policies.yaml
new file mode 100644
index 00000000..85374917
--- /dev/null
+++ b/tests/golden/openshift/openshift/openshift/30_network_policies.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations: {}
+  labels:
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: allow-from-other-namespaces
+    name: allow-from-other-namespaces
+  name: allow-from-other-namespaces
+  namespace: openshift
+spec:
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchExpressions:
+              - key: kubernetes.io/metadata.name
+                operator: In
+                values:
+                  - vshn-grafana
+  policyTypes:
+    - Ingress
diff --git a/tests/openshift.yml b/tests/openshift.yml
index f0356a28..d4dbb5d7 100644
--- a/tests/openshift.yml
+++ b/tests/openshift.yml
@@ -70,6 +70,11 @@ parameters:
     zoneAwareReplication:
       enabled: true
 
+    networkPolicy:
+      ~exposedComponents: []
+      allowedNamespaces:
+        - vshn-grafana
+
     ingress:
       enabled: true
       url: metrics-receive.example.com
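Review bot: The openshift fixture enables `ingress` with `url: metrics-receive.example.com` but lists only `vshn-grafana` in `allowedNamespaces`, so the policy it produces would block the ingress controller (whatever namespace it runs in on the target cluster) from reaching the pods it selects; a golden test cannot catch that, because it only compares the rendered YAML. A fixture that reflects a working deployment would also list the ingress controller's namespace, e.g. `- openshift-ingress` under `allowedNamespaces` if that is where the router lives, with a comment saying why. It would also help to have one test where `exposedComponents` is non-empty, since the only rendered policy in this patch is the empty-selector variant.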