Add network policy and labelling updates

RADAR-base · Nov 30, 2023 · 684df41 · 684df41
1 parent a3e94b2
commit 684df41
Show file tree

Hide file tree

Showing 7 changed files with 74 additions and 16 deletions.
diff --git a/charts/radar-oura-connector/README.md b/charts/radar-oura-connector/README.md
@@ -67,6 +67,7 @@ A Helm chart for RADAR-base oura connector. This application collects data from
 | readinessProbe.timeoutSeconds | int | `5` | Timeout seconds for readinessProbe |
 | readinessProbe.successThreshold | int | `1` | Success threshold for readinessProbe |
 | readinessProbe.failureThreshold | int | `3` | Failure threshold for readinessProbe |
+| networkpolicy | object | check `values.yaml` | Network policy defines who can access this application and who this applications has access to |
 | zookeeper | string | `"cp-zookeeper-headless:2181"` | URI of Zookeeper instances of the cluster |
 | kafka | string | `"PLAINTEXT://cp-kafka-headless:9092"` | URI of Kafka brokers of the cluster |
 | kafka_num_brokers | string | `"3"` | Number of Kafka brokers. This is used to validate the cluster availability at connector init. |

diff --git a/charts/radar-oura-connector/templates/configmap-properties.yaml b/charts/radar-oura-connector/templates/configmap-properties.yaml
@@ -3,10 +3,7 @@ kind: ConfigMap
 metadata:
   name: {{ template "radar-oura-connector.fullname" . }}-properties
   labels:
-    app: {{ template "radar-oura-connector.name" . }}
-    chart: {{ template "radar-oura-connector.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+{{ include "radar-fitbit-connector.labels" . | indent 4 }}
 data:
   source-oura.properties: |
     name=radar-oura-source

diff --git a/charts/radar-oura-connector/templates/deployment.yaml b/charts/radar-oura-connector/templates/deployment.yaml
@@ -3,10 +3,7 @@ kind: Deployment
 metadata:
   name: {{ include "radar-oura-connector.fullname" . }}
   labels:
-    app.kubernetes.io/name: {{ include "radar-oura-connector.name" . }}
-    helm.sh/chart: {{ include "radar-oura-connector.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{ include "radar-fitbit-connector.labels" . | indent 4 }}
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:

diff --git a/charts/radar-oura-connector/templates/networkpolicy.yaml b/charts/radar-oura-connector/templates/networkpolicy.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.networkpolicy }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ template "radar-oura-connector.fullname" . }}
+  labels:
+{{ include "radar-oura-connector.labels" . | indent 4 }}
+spec:
+  podSelector:
+{{ include "radar-oura-connector.labels" . | indent 4 }}
+    {{- tpl (toYaml .Values.networkpolicy) .  | nindent 2 }}
+{{- end -}}
diff --git a/charts/radar-oura-connector/templates/pvc.yaml b/charts/radar-oura-connector/templates/pvc.yaml
@@ -4,10 +4,7 @@ apiVersion: v1
 metadata:
   name: {{ template "radar-oura-connector.fullname" . }}
   labels:
-    app: "{{ template "radar-oura-connector.fullname" . }}"
-    chart: "{{ template "radar-oura-connector.chart" . }}"
-    release: {{ .Release.Name | quote }}
-    heritage: {{ .Release.Service | quote }}
+{{ include "radar-fitbit-connector.labels" . | indent 4 }}
 spec:
   accessModes:
     - {{ .Values.persistence.accessMode | quote }}

diff --git a/charts/radar-oura-connector/templates/service.yaml b/charts/radar-oura-connector/templates/service.yaml
@@ -3,10 +3,7 @@ kind: Service
 metadata:
   name: {{ include "radar-oura-connector.fullname" . }}
   labels:
-    app.kubernetes.io/name: {{ include "radar-oura-connector.name" . }}
-    helm.sh/chart: {{ include "radar-oura-connector.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{ include "radar-fitbit-connector.labels" . | indent 4 }}
 spec:
   type: {{ .Values.service.type }}
   ports:

diff --git a/charts/radar-oura-connector/values.yaml b/charts/radar-oura-connector/values.yaml
@@ -126,6 +126,63 @@ readinessProbe:
   # -- Failure threshold for readinessProbe
   failureThreshold: 3
 
+# -- Network policy defines who can access this application and who this applications has access to
+# @default -- check `values.yaml`
+networkpolicy:
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        except:
+        - 10.0.0.0/8
+        - 192.168.0.0/16
+        - 172.16.0.0/20
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: 'cp-zookeeper'
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: 'cp-kafka'
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: 'cp-schema-registry'
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: 'radar-rest-sources-backend'
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: 'management-portal'
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+      - port: 53
+        protocol: UDP
+      - port: 53
+        protocol: TCP
+
 # -- URI of Zookeeper instances of the cluster
 zookeeper: cp-zookeeper-headless:2181
 # -- URI of Kafka brokers of the cluster