FORMS-1495: Network Policies for NATS protocol (bcgov#1541)

* FORMS-1495: Network Poilicies for NATS protocol Signed-off-by: Jason Sherman <[email protected]> * remove the smoke test configuration, revert to production like config. Signed-off-by: Jason Sherman <[email protected]> --------- Signed-off-by: Jason Sherman <[email protected]>
usingtechnology · Dec 13, 2024 · e989383 · e989383
1 parent 5f75bc9
commit e989383
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 0 deletions.
diff --git a/event-stream-service/charts/event-stream-service/templates/nats-nsp.yaml b/event-stream-service/charts/event-stream-service/templates/nats-nsp.yaml
@@ -0,0 +1,69 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-chefs-to-nats
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: nats
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      app.kubernetes.io/name: nats
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              environment: {{ .Values.nsp.chefs.env }}
+              name: {{ .Values.nsp.chefs.namespace }}
+          podSelector:
+            matchLabels:
+              role: app
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-websocket-ingress-to-nats
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+spec:
+  podSelector: 
+    matchLabels:
+      app.kubernetes.io/component: nats
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      app.kubernetes.io/name: nats
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            network.openshift.io/policy-group: ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-nats-to-nats
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+spec:
+  podSelector: 
+    matchLabels:
+      app.kubernetes.io/component: nats
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      app.kubernetes.io/name: nats
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            environment: {{ .Values.nsp.nats.env }}
+            name: {{ .Values.nsp.nats.namespace }}
+        podSelector:
+          matchLabels:
+            app.kubernetes.io/component: nats
+            app.kubernetes.io/instance: {{ .Release.Name }}
+            app.kubernetes.io/name: nats
diff --git a/event-stream-service/charts/event-stream-service/values-prod.yaml b/event-stream-service/charts/event-stream-service/values-prod.yaml
@@ -5,6 +5,12 @@ ess:
       ingressPrefix: stream
       ingressSuffix: .apps.silver.devops.gov.bc.ca
 
+nsp:
+  nats:
+    env: prod
+  chefs:
+    env: prod
+
 nats:
   config:
     jetstream:

diff --git a/event-stream-service/charts/event-stream-service/values-test.yaml b/event-stream-service/charts/event-stream-service/values-test.yaml
@@ -5,6 +5,12 @@ ess:
       ingressPrefix: stream-test
       ingressSuffix: .apps.silver.devops.gov.bc.ca
 
+nsp:
+  nats:
+    env: test
+  chefs:
+    env: test
+
 nats:
   container:
     merge:

diff --git a/event-stream-service/charts/event-stream-service/values.yaml b/event-stream-service/charts/event-stream-service/values.yaml
@@ -18,6 +18,14 @@ ess:
         termination: edge
       wildcardPolicy: None
 
+nsp:
+  nats:
+    env: dev
+    namespace: a191b5
+  chefs:
+    env: dev
+    namespace: a12c97
+
 nats:
   fullnameOverride: ess-nats
   config: