feat(): allow network policy

charts/node-red/Chart.yaml

@@ -9,7 +9,7 @@ icon: https://nodered.org/about/resources/media/node-red-icon-2.png
 
 type: application
 
-version: 0.40.1
+version: 0.42.0
 appVersion: 4.1.2
 
 keywords:

charts/node-red/README.md

@@ -98,6 +98,12 @@ The command removes all the Kubernetes components associated with the chart and
 | metrics.serviceMonitor.relabelings | list | `[]` | Prometheus [RelabelConfigs] to apply to samples before scraping |
 | metrics.serviceMonitor.selector | object | `{}` | Prometheus ServiceMonitor selector |
 | nameOverride | string | `""` | Provide a name in place of node-red |
+| networkPolicy.cilium.egress | list | `[]` | Cilium network policy egress https://docs.cilium.io/en/stable/security/policy/ |
+| networkPolicy.cilium.ingress | list | `[]` | Cilium network policy ingress https://docs.cilium.io/en/stable/security/policy/ |
+| networkPolicy.egress  | list | `[]` | Kubernetes egress spec https://kubernetes.io/docs/concepts/services-networking/network-policies/ |
+| networkPolicy.enabled | bool | `false` | Enable network policy management |
+| networkPolicy.flavor | string | `kubernetes` | Network policy mode in kubernetes, cilium |
+| networkPolicy.ingress  | list | `[]` |  | Kubernetes ingress spec https://kubernetes.io/docs/concepts/services-networking/network-policies/ |
 | nodeSelector | object | `{}` | Node selector |
 | npmrc.content | string | `"# Custom npmrc config\n"` | Configuration to add custom npmrc config |
 | npmrc.enabled | bool | `false` | Enable custom npmrc config |

charts/node-red/templates/ciliumnetworkpolicy.yaml

@@ -0,0 +1,22 @@
+{{- if and .Values.networkPolicy.enabled (eq .Values.networkPolicy.flavor "cilium") }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "node-red.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "node-red.labels" . | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      k8s:app.kubernetes.io/name: '{{ include "node-red.name" . }}'
+      k8s:app.kubernetes.io/instance: '{{ .Release.Name }}'
+  {{- if and .Values.networkPolicy.cilium .Values.networkPolicy.cilium.egress }}
+  egress:
+    {{- toYaml .Values.networkPolicy.cilium.egress | nindent 4 }}
+  {{- end }}
+  {{- if and .Values.networkPolicy.cilium .Values.networkPolicy.cilium.ingress }}
+  ingress:
+    {{- toYaml .Values.networkPolicy.cilium.ingress | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/node-red/templates/networkpolicy.yaml

@@ -0,0 +1,28 @@
+{{- if and .Values.networkPolicy.enabled (eq .Values.networkPolicy.flavor "kubernetes") }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "node-red.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "node-red.labels" . | nindent 4 }}
+spec:
+  {{- if .Values.networkPolicy.egress }}
+  egress:
+    {{- toYaml .Values.networkPolicy.egress | nindent 4 }}
+  {{- end }}
+  {{- if .Values.networkPolicy.ingress }}
+  ingress:
+    {{- toYaml .Values.networkPolicy.ingress | nindent 4 }}
+  {{- end }}
+  policyTypes:
+  {{- if .Values.networkPolicy.egress }}
+    - Egress
+  {{- end }}
+  {{- if .Values.networkPolicy.ingress }}
+    - Ingress
+  {{- end }}
+  podSelector:
+    matchLabels:
+      {{- include "node-red.selectorLabels" . | nindent 6 }}
+{{- end }}

charts/node-red/values.yaml

@@ -199,6 +199,58 @@ ingress:
     # -- Name of the Issuer
     #     name: "test"
 
+# -- Define network policy targeting managed pod
+networkPolicy:
+  enabled: false
+  # -- If cilium flavor is defined, fill definition here
+  cilium:
+    egress: []
+    # Exemple to talk to mqtt
+    # - toPorts:
+    #   - ports:
+    #     - port: "1883"
+    #       protocol: TCP
+    #     - port: "8883"
+    #       protocol: TCP
+    #
+    # Exemple to restrict https output
+    # - toFQDNs: &dns_names
+    #   - matchName: registry.npmjs.org
+    #   toPorts:
+    #   - ports:
+    #     - port: "443"
+    #       protocol: TCP
+    # - toEndpoints:
+    #   - matchLabels:
+    #       k8s:io.kubernetes.pod.namespace: kube-system
+    #       k8s:k8s-app: kube-dns
+    #   toPorts:
+    #   - ports:
+    #     - port: "53"
+    #       protocol: UDP
+    #     - port: "53"
+    #       protocol: TCP
+    #     rules:
+    #       dns: *dns_names
+    ingress:
+    - toPorts:
+      - ports:
+        - port: http
+  # -- Choose policy flavor in 'kubernetes', 'cilium'
+  flavor: kubernetes
+  # -- If kubernetes flavor is defined, fill definition here
+  ingress:
+  - ports:
+    - protocol: TCP
+      port: http
+  egress: []
+  # Exemple to talk to mqtt
+  # - ports:
+  #   - port: 1883
+  #     protocol: TCP
+  #   - port: 8883
+  #     protocol: TCP
+
 # -- Startup probe for the Deployment
 startupProbe:
   httpGet: