Merge remote-tracking branch 'origin/main' into PROJ-1949-Utilise-opensearch-la-place-d-algolia

Author: Nastaliss

k8s/projects-backend/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: oci://criprodprod.azurecr.io/helm
-  version: 0.2.2
-digest: sha256:4acf4dc5eb4837691080a74c531fbd9799d460999ec61511d2675a2b961c88f4
-generated: "2024-08-08T11:31:39.945125013+02:00"
+  version: 0.3.3
+digest: sha256:0ff29bcf57521c451eb9931a0bd014283f40c1c6dcbae6dec1e03d5ceb52778b
+generated: "2024-12-09T10:55:34.525875278+01:00"

k8s/projects-backend/Chart.yaml

@@ -25,4 +25,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: common
   repository: oci://criprodprod.azurecr.io/helm
-  version: 0.2.2
+  version: 0.3.3

k8s/projects-backend/templates/ingress.yaml

@@ -1,3 +1,30 @@
+{{- if .Values.traefik }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ tpl .Values.fullName . }}
+  labels:
+    {{- (tpl ($.Values.backend.commonLabels | toYaml ) $) | nindent 4 }}
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod-traefik
+    kubernetes.io/ingress.class: traefik
+spec:
+  rules:
+    - host: {{ .Values.hostname }}
+      http:
+        paths:
+          - path: {{ .Values.ingressPath }}
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ tpl .Values.fullName . }}
+                port:
+                  name: http
+  tls:
+    - hosts:
+        - {{ .Values.hostname }}
+      secretName: {{ printf "%s-tls" .Values.hostname }}
+{{- else }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -24,3 +51,4 @@ spec:
     - hosts:
         - {{ .Values.hostname }}
       secretName: {{ printf "%s-tls" .Values.hostname }}
+{{- end }}

k8s/projects-backend/templates/network-policy.yaml

@@ -1,32 +1,13 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: {{ tpl $.Values.fullName $ }}
-  labels:
-  {{- (tpl ($.Values.backend.commonLabels | toYaml ) $) | nindent 4 }}
-spec:
-  podSelector:
-    matchLabels:
-    {{- (tpl ($.Values.backend.commonLabels | toYaml ) $) | nindent 6 }}
-  policyTypes:
-    - Ingress
-  ingress:
-    - from:
-      # Incoming http traffic from nginx-ingress
-      - namespaceSelector:
-          matchLabels:
-            kubernetes.io/metadata.name: ingress-nginx
-      # Incoming traffic from projects namespace
-      - namespaceSelector:
-          matchLabels:
-            kubernetes.io/metadata.name: {{ .Values.namespace }}
-      # Incoming traffic from monitoring namespace
-      - namespaceSelector:
-          matchLabels:
-            kubernetes.io/metadata.name: {{ .Values.monitoringNamespace }}
-      ports:
-        - protocol: TCP
-          port: http
+{{ include "common.security.networkPolicy" (dict
+  "name" (tpl .Values.fullName .)
+  "podSelector" (dict "matchLabels" (tpl (.Values.backend.commonLabels | toJson) .| fromJson) )
+  "allowFromReverseProxy" true
+  "reverseProxyNamespace" (ternary "traefik" "ingress-nginx" .Values.traefik  )
+  "additionalIngresses" (get (tpl ((dict "root" .Values.backend.networkPolicyAdditionalIngresses) | toJson) . | fromJson) "root")
+  "commonLabels" (tpl (.Values.backend.commonLabels | toJson) . | fromJson)
+  "enableEgress" false
+) }}
+
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy

k8s/projects-backend/values.yaml

@@ -75,6 +75,19 @@ backend:
     minReplicas: 1
     maxReplicas: 4
     targetCPUUtilizationPercentage: 50
+  networkPolicyAdditionalIngresses:
+  - from:
+      # Incoming traffic from projects namespace
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: "{{ .Values.namespace }}"
+      # Incoming traffic from monitoring namespace
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: "{{ .Values.monitoringNamespace }}"
+    ports:
+    - protocol: TCP
+      port: http
 
 celery:
   enabled: true
@@ -158,3 +171,5 @@ workflow:
       templateName: create-db
 
 runMigrations: true
+
+traefik: false