diff --git a/helm/flowforge/README.md b/helm/flowforge/README.md
index fb62daa4..0f844596 100644
--- a/helm/flowforge/README.md
+++ b/helm/flowforge/README.md
@@ -30,12 +30,15 @@ For other values please refer to the documentation below.
 - `forge.localPostrgresql` Deploy a PostgreSQL v14 Database into Kubernetes cluster (default `true`)
 - `forge.cloudProvider` currently only accepts `aws` but will include more as needed (default not set)
 - `forge.projectSelector` a collection of labels and values to filter nodes that Project Pods will run on (default `role: projects`)
+ - `forge.projectNamespace` namespace Project Pods will run in (default `flowforge`)
+ - `forge.projectDeploymentTolerations` tolerations settings for Project instances. Default is `[]`.
+ - `forge.projectNetworkPolicy.enabled` specified if [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) should be created for project pods ( default `false`)
+ - `forge.projectNetworkPolicy.ingress` a list of ingress rules for the [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) applied on project pods ( default `[]`)
+ - `forge.projectNetworkPolicy.egress` a list of egress rules for the [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) applied in project pods ( default `[]`)
 - `forge.managementSelector` a collection of labels and values to filter nodes the Forge App will run on (default `role: management`)
 - `forge.affinity` allows to configure [affinity or anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) for the core application pod
- - `forge.projectNamespace` namespace Project Pods will run in (default `flowforge`)
 - `forge.license` FlowForge EE license string (optional, default not set)
 - `forge.branding` Object holding branding inserts (default not set)
- - `forge.projectDeploymentTolerations` tolerations settings for Project instances. Default is `[]`.
 - `forge.clusterRole.name` custom name for the ClusterRole (default `create-pod`)
 - `forge.resources` allows to configure [resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the core application container
 - `forge.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the core application pod
diff --git a/helm/flowforge/templates/network-policy.yaml b/helm/flowforge/templates/network-policy.yaml
index ed20cec0..81e403e8 100644
--- a/helm/flowforge/templates/network-policy.yaml
+++ b/helm/flowforge/templates/network-policy.yaml
@@ -1,29 +1,4 @@
-{{- if not .Values.forge.localPostgresql }}
-{{- if .Values.forge.cloudProvider }}
-{{- if eq .Values.forge.cloudProvider "aws" }}
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: flowforge-database-policy
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "forge.labels" . | nindent 4 }}
-spec:
- podSelector:
- matchLabels:
- nodered: "true"
- role: projects
- policyTypes:
- - Egress
- egress:
- - to:
- - ipBlock:
- cidr: 0.0.0.0/0
- except:
- - 10.0.0.0/24
-{{- end }}
-{{- end }}
-{{- else }}
+{{- if .Values.forge.localPostgresql }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
diff --git a/helm/flowforge/templates/projects-networkpolicy.yaml b/helm/flowforge/templates/projects-networkpolicy.yaml
new file mode 100644
index 00000000..9e2d940d
--- /dev/null
+++ b/helm/flowforge/templates/projects-networkpolicy.yaml
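Review bot: Deleting the `flowforge-database-policy` branch removes the only egress restriction project pods had on `cloudProvider: aws` installs with an external database (the `cidr: 0.0.0.0/0` rule with `except: 10.0.0.0/24`, presumably fencing off the database subnet), and nothing in the chart defaults replaces it — `forge.projectNetworkPolicy.enabled` ships as `false` and its `egress` list as `[]`. An existing cluster running `helm upgrade` with `localPostgresql: false` therefore loses that policy silently. Please add an upgrade note to the README or changelog telling operators to re-express the rule, e.g. `projectNetworkPolicy: {enabled: true, egress: [{to: [{ipBlock: {cidr: 0.0.0.0/0, except: [<db-subnet>]}}]}]}`, or keep rendering the old rule when `projectNetworkPolicy` is unset. The surviving `localPostgresql` policy continues past the end of the hunk, so I could not check whether its selector is consistent with the new projects policy.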
@@ -0,0 +1,35 @@
+{{- if (((.Values.forge).projectNetworkPolicy).enabled) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: flowfuse-projects-policy
+ namespace: {{ .Values.forge.projectNamespace }}
+ labels:
+ {{- include "forge.labels" . | nindent 4 }}
+ {{- with .Values.forge.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ policyTypes:
+ {{- if .Values.forge.projectNetworkPolicy.ingress }}
+ - Ingress
+ {{- end }}
+ {{- if .Values.forge.projectNetworkPolicy.egress }}
+ - Egress
+ {{- end }}
+ podSelector:
+ matchLabels:
+ nodered: true
+ {{- if .Values.forge.projectNetworkPolicy.egress }}
+ egress:
+ {{- with .Values.forge.projectNetworkPolicy.egress }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.forge.projectNetworkPolicy.ingress }}
+ ingress:
+ {{- with .Values.forge.projectNetworkPolicy.ingress }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/helm/flowforge/values.schema.json b/helm/flowforge/values.schema.json
index 2addd49a..4e22e93b 100644
--- a/helm/flowforge/values.schema.json
+++ b/helm/flowforge/values.schema.json
@@ -94,6 +94,20 @@
 "projectSelector": {
 "type": "object"
 },
+ "projectNetworkPolicy": {
+ "type": "object",
+ "properties": {
+ "egress": {
+ "type": "array"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "ingress": {
+ "type": "array"
+ }
+ }
+ },
 "projectDeploymentTolerations": {
 "type": "array",
 "items": {
diff --git a/helm/flowforge/values.yaml b/helm/flowforge/values.yaml
index d98ce972..d8772b21 100644
--- a/helm/flowforge/values.yaml
+++ b/helm/flowforge/values.yaml
@@ -5,10 +5,8 @@ forge:
 projectSelector:
 role: projects
 projectDeploymentTolerations: []
- # - key: purpose
- # operator: Equal
- # value: flowforge-projects
- # effect: NoSchedule
+ projectNetworkPolicy:
+ enabled: false
 managementSelector:
 role: management
 telemetry:
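Review bot: `nodered: true` under `podSelector.matchLabels` renders as a YAML boolean, but `matchLabels` is a string map, so the API server rejects the rendered object (cannot unmarshal bool into string) — the policy this replaces used `nodered: "true"`, and it should be `nodered: "true"` here too. A second problem: with `enabled: true` and both rule lists left at their `[]` default, `policyTypes:` renders with no entries, Kubernetes then defaults the type to `Ingress`, and the result is a deny-all-ingress policy on every selected pod; either wrap the whole resource in `{{- if or .Values.forge.projectNetworkPolicy.ingress .Values.forge.projectNetworkPolicy.egress }}` or document that behaviour in values.yaml. Finally, the selector has dropped the `role: projects` label the removed policy carried, so any other pod in `projectNamespace` labelled `nodered` would also be matched — I cannot tell from here whether such pods exist, but the narrower selector seems safer.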