feat: add network policies chart (#2434)

CasLubbers · svcAPLBot · otomi-admin · web-flow · commit e86ef653e969 · 2025-08-12T09:38:20.000+02:00
Co-authored-by: svcAPLBot &lt;174728082+svcAPLBot@users.noreply.github.com&gt;
Co-authored-by: otomi-admin &lt;pipeline@cluster.local&gt;
diff --git a/charts/apl-network-policies/Chart.yaml b/charts/apl-network-policies/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: apl-network-policies
+description: APL Platform Network Policies for secure application communication
+type: application
+version: 0.1.0
+appVersion: "1.0"
+keywords:
+  - network-policy
+  - security
+  - platform
+home: https://github.com/linode/apl-core
+maintainers:
+  - name: APL Team
+    url: https://github.com/linode/apl-core
diff --git a/charts/apl-network-policies/templates/_helpers.tpl b/charts/apl-network-policies/templates/_helpers.tpl
@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "apl-network-policies.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "apl-network-policies.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "apl-network-policies.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "apl-network-policies.labels" -}}
+helm.sh/chart: {{ include "apl-network-policies.chart" . }}
+{{ include "apl-network-policies.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "apl-network-policies.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "apl-network-policies.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/charts/apl-network-policies/templates/networkpolicies/gitea.yaml b/charts/apl-network-policies/templates/networkpolicies/gitea.yaml
@@ -0,0 +1,79 @@
+{{- if .Values.netpols.gitea }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: gitea-platform-policy
+  namespace: gitea
+  labels:
+    {{- include "apl-network-policies.labels" . | nindent 4 }}
+    app: gitea
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow access from Istio public ingress gateway
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: istio-system
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/instance: istio-ingressgateway-public
+    # Allow APL Gitea operator access
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: apl-gitea-operator
+    # Allow APL operator access
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: apl-operator
+    # Allow APL API access
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: otomi
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: otomi-api
+    # Allow team build access for git clone
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              type: team
+          podSelector:
+            matchLabels:
+              tekton.dev/task: git-clone
+    # Allow monitoring access
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: monitoring
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/instance: po-prometheus
+    # Allow CNPG system access
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: cnpg-system
+    # Allow database access within gitea namespace
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: gitea
+          podSelector:
+            matchLabels:
+              cnpg.io/cluster: gitea-db
+    # Allow internal gitea app communication
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: gitea
+          podSelector:
+            matchLabels:
+              app: gitea
+{{- end }}
diff --git a/charts/apl-network-policies/values.yaml b/charts/apl-network-policies/values.yaml
@@ -0,0 +1,27 @@
+# Default configuration for APL Network Policies
+# Network policies are now configured using simple per-app boolean flags
+
+# The actual network policies configuration comes from defaults.yaml
+# This values.yaml file contains only examples for reference
+
+# Example configuration (all commented out):
+# Simple on/off switch per application
+# netpols:
+#   gitea: true  # Enable network policies for Gitea with sensible defaults
+
+# Network policy behavior when enabled:
+#
+# For Gitea (netpols.gitea: true):
+# - Creates a NetworkPolicy in the gitea namespace
+# - Allows ingress from:
+#   * Istio public ingress gateway (for web access)
+#   * APL Gitea operator (for management)
+#   * APL operator (for core management)
+#   * APL API (for API access)
+#   * Team namespaces with git-clone tasks (for CI/CD)
+#   * Monitoring namespace (for metrics)
+#   * CNPG system (for database management)
+#   * Internal gitea namespace communication
+#
+# The complex network policy rules are baked into the chart templates,
+# so users only need to toggle network policies on/off per application.
diff --git a/helmfile.d/helmfile-07.init.yaml.gotmpl b/helmfile.d/helmfile-07.init.yaml.gotmpl
@@ -38,3 +38,10 @@ releases:
     labels:
       pkg: minio
     <<: *raw
+  - name: apl-network-policies
+    installed: true
+    namespace: apl-operator
+    labels:
+      pkg: platform
+    <<: *default
+
diff --git a/helmfile.d/snippets/defaults.yaml b/helmfile.d/snippets/defaults.yaml
@@ -305,6 +305,8 @@ environments:
           gitea:
             adminUsername: otomi-admin
             _rawValues: {}
+            networkPolicies:
+              enabled: true
             resources:
               gitea:
                 limits:
diff --git a/values-schema.yaml b/values-schema.yaml
@@ -604,6 +604,13 @@ definitions:
     nullable: true
     type: object
     title: Kubernetes secrets
+  appNetworkPolicyConfig:
+    type: object
+    properties:
+      enabled:
+        type: boolean
+        default: false
+        description: Enable network policies for this application with sensible defaults
   netpol:
     type: object
     properties:
@@ -1893,6 +1900,8 @@ properties:
                 $ref: '#/definitions/resources'
               memcachedMetrics:
                 $ref: '#/definitions/resources'
+          networkPolicies:
+            $ref: '#/definitions/appNetworkPolicyConfig'
       grafana:
         additionalProperties: false
         properties:
diff --git a/values/apl-network-policies/apl-network-policies.gotmpl b/values/apl-network-policies/apl-network-policies.gotmpl
@@ -0,0 +1,6 @@
+{{- $v := .Values }}
+{{- $a := $v.apps }}
+
+# Simple per-app network policy configuration
+netpols:
+  gitea: {{ $a.gitea.networkPolicies.enabled}}
