📦 Group network policies, within each template, for improved maintain…

…ability
ndebuhr · Sep 11, 2021 · aa1a1ef · aa1a1ef
1 parent db592c6
commit aa1a1ef
Show file tree

Hide file tree

Showing 2 changed files with 127 additions and 129 deletions.
diff --git a/helm/templates/guacamole.yaml b/helm/templates/guacamole.yaml
@@ -41,31 +41,6 @@ spec:
         securityContext:
           readOnlyRootFilesystem: true
       restartPolicy: Always
-{{- if eq .Values.policies.enabled true }}
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: guacd
-  namespace: {{ .Values.namespace }}
-spec:
-  podSelector:
-    matchLabels:
-      app: guacd
-  policyTypes:
-  - Egress
-  - Ingress
-  ingress:
-  - from:
-    - podSelector:
-        matchLabels:
-          app: guacamole
-  egress:
-  - to:
-    - podSelector:
-        matchLabels:
-          app: guacamole
-{{- end }}
 ---
 apiVersion: v1
 kind: Service
@@ -123,28 +98,6 @@ spec:
           value: myguac123
         resources: {{- toYaml .Values.components.guacamole.resources | nindent 10 }}
       restartPolicy: Always
-{{- if eq .Values.policies.enabled true }}
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: guacamole
-  namespace: {{ .Values.namespace }}
-spec:
-  podSelector:
-    matchLabels:
-      app: guacamole
-  policyTypes:
-  - Egress
-  - Ingress
-  ingress:
-  - from:
-    - podSelector:
-        matchLabels:
-          app: keycloak-gatekeeper
-  egress:
-  - {}
-{{- end }}
 ---
 apiVersion: v1
 kind: Service
@@ -220,31 +173,6 @@ spec:
         configMap:
           name: guacamole-init-sql
           defaultMode: 0777
-{{- if eq .Values.policies.enabled true }}
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: guacamole-postgresql
-  namespace: {{ .Values.namespace }}
-spec:
-  podSelector:
-    matchLabels:
-      app: guacamole-postgresql
-  policyTypes:
-  - Egress
-  - Ingress
-  ingress:
-  - from:
-    - podSelector:
-        matchLabels:
-          app: guacamole
-  egress:
-  - to:
-    - podSelector:
-        matchLabels:
-          app: guacamole
-{{- end }}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -1044,4 +972,72 @@ data:
     JOIN guacamole_entity          ON permissions.username = guacamole_entity.name AND guacamole_entity.type = 'USER'
     JOIN guacamole_entity affected ON permissions.affected_username = affected.name AND guacamole_entity.type = 'USER'
     JOIN guacamole_user            ON guacamole_user.entity_id = affected.entity_id;
+{{- if eq .Values.policies.enabled true }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: guacd
+  namespace: {{ .Values.namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: guacd
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: guacamole
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: guacamole
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: guacamole
+  namespace: {{ .Values.namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: guacamole
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: keycloak-gatekeeper
+  egress:
+  - {}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: guacamole-postgresql
+  namespace: {{ .Values.namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: guacamole-postgresql
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: guacamole
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: guacamole
+{{- end }}
 {{- end }}
diff --git a/helm/templates/keycloak.yaml b/helm/templates/keycloak.yaml
@@ -41,25 +41,6 @@ spec:
       - name: keycloak-postgres
         persistentVolumeClaim:
           claimName: keycloak-postgres-pvc
-{{- if eq .Values.policies.enabled true }}
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: keycloak-postgres
-  namespace: {{ .Values.namespace }}
-spec:
-  podSelector:
-    matchLabels:
-      app: keycloak-postgres
-  policyTypes:
-  - Ingress
-  ingress:
-  - from:
-    - podSelector:
-        matchLabels:
-          app: keycloak
-{{- end }}
 ---
 apiVersion: v1
 kind: Service
@@ -134,28 +115,6 @@ spec:
           runAsNonRoot: true
         resources: {{- toYaml .Values.components.keycloak.resources | nindent 10 }}
       restartPolicy: Always
-{{- if eq .Values.policies.enabled true }}
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: keycloak
-  namespace: {{ .Values.namespace }}
-spec:
-  podSelector:
-    matchLabels:
-      app: keycloak
-  policyTypes:
-  - Egress
-  - Ingress
-  ingress:
-  - {}
-  egress:
-  - to:
-    - podSelector:
-        matchLabels:
-          app: keycloak-postgres
-{{- end }}
 ---
 apiVersion: v1
 kind: Service
@@ -225,42 +184,85 @@ spec:
         - --server-write-timeout=50s
       {{- end }}
       restartPolicy: Always
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak-gatekeeper
+  namespace: {{ .Values.namespace }}
+  labels:
+    app: keycloak-gatekeeper
+spec:
+  type: ClusterIP
+  ports:
+  {{- range .Values.access }}
+  - name: {{ .name }}
+    port: {{ .port }}
+  {{- end }}
+  selector:
+    app: keycloak-gatekeeper
 {{- if eq .Values.policies.enabled true }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: keycloak-gatekeeper
+  name: keycloak-postgres
   namespace: {{ .Values.namespace }}
 spec:
   podSelector:
     matchLabels:
-      app: keycloak-gatekeeper
+      app: keycloak-postgres
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: keycloak
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: keycloak
+  namespace: {{ .Values.namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: keycloak
   policyTypes:
   - Egress
   - Ingress
   ingress:
   - from:
+    - podSelector:
+        matchLabels:
+          app: keycloak-init
     - podSelector:
         matchLabels:
           app: haproxy
   egress:
-  - {}
-{{- end }}
+  - to:
+    - podSelector:
+        matchLabels:
+          app: keycloak-postgres
 ---
-apiVersion: v1
-kind: Service
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
 metadata:
   name: keycloak-gatekeeper
   namespace: {{ .Values.namespace }}
-  labels:
-    app: keycloak-gatekeeper
 spec:
-  type: ClusterIP
-  ports:
-  {{- range .Values.access }}
-  - name: {{ .name }}
-    port: {{ .port }}
-  {{- end }}
-  selector:
-    app: keycloak-gatekeeper
+  podSelector:
+    matchLabels:
+      app: keycloak-gatekeeper
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: haproxy
+  egress:
+  - {}
+{{- end }}