Added network policy to data-dashboard-backend and radar-self-enrolme…

…nt-ui
RADAR-base · Oct 23, 2024 · 0f5cfeb · 0f5cfeb
1 parent d652138
commit 0f5cfeb
Show file tree

Hide file tree

Showing 8 changed files with 157 additions and 41 deletions.
diff --git a/charts/data-dashboard-backend/Chart.yaml b/charts/data-dashboard-backend/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "0.2.2"
 name: data-dashboard-backend
 description: API for data in the data dashboard
-version: 0.3.5
+version: 0.3.6
 sources: ["https://github.com/thehyve/radar-data-dashboard-backend"]
 deprecated: false
 type: application

diff --git a/charts/data-dashboard-backend/README.md b/charts/data-dashboard-backend/README.md
@@ -2,7 +2,7 @@
 
 # data-dashboard-backend
 
-![Version: 0.3.5](https://img.shields.io/badge/Version-0.3.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.2](https://img.shields.io/badge/AppVersion-0.2.2-informational?style=flat-square)
+![Version: 0.3.6](https://img.shields.io/badge/Version-0.3.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.2](https://img.shields.io/badge/AppVersion-0.2.2-informational?style=flat-square)
 
 API for data in the data dashboard
 
@@ -53,6 +53,7 @@ API for data in the data dashboard
 | autoscaling.minReplicas | int | `1` |  |
 | autoscaling.maxReplicas | int | `100` |  |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
+| networkpolicy | object | check `values.yaml` | Network policy defines who can access this application and who this applications has access to |
 | nodeSelector | object | `{}` | Node labels for pod assignment |
 | tolerations | list | `[]` | Toleration labels for pod assignment |
 | affinity | object | `{}` | Affinity labels for pod assignment |

diff --git a/charts/data-dashboard-backend/templates/networkpolicy.yaml b/charts/data-dashboard-backend/templates/networkpolicy.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.networkpolicy }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ template "data-dashboard-backend.fullname" . }}
+  labels:
+{{ include "data-dashboard-backend.labels" . | indent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+{{ include "data-dashboard-backend.labels" . | indent 6 }}
+    {{- tpl (toYaml .Values.networkpolicy) .  | nindent 2 }}
+{{- end -}}
diff --git a/charts/data-dashboard-backend/values.yaml b/charts/data-dashboard-backend/values.yaml
@@ -81,6 +81,48 @@ autoscaling:
   targetCPUUtilizationPercentage: 80
   # targetMemoryUtilizationPercentage: 80
 
+# -- Network policy defines who can access this application and who this applications has access to
+# @default -- check `values.yaml`
+networkpolicy:
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: ingress-nginx
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: 'management-portal'
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: postgresql
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+      - port: 53
+        protocol: UDP
+      - port: 53
+        protocol: TCP
+
 # -- Node labels for pod assignment
 nodeSelector: {}
 

diff --git a/charts/radar-self-enrolment-ui/Chart.yaml b/charts/radar-self-enrolment-ui/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 appVersion: "0.0.1"
 description: A Helm chart for ORY Kratos's example ui for Kubernetes
 name: radar-self-enrolment-ui
-version: 0.0.2
+version: 0.0.3
 type: application
diff --git a/charts/radar-self-enrolment-ui/README.md b/charts/radar-self-enrolment-ui/README.md
@@ -2,7 +2,7 @@
 
 # radar-self-enrolment-ui
 
-![Version: 0.0.2](https://img.shields.io/badge/Version-0.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square)
+![Version: 0.0.3](https://img.shields.io/badge/Version-0.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square)
 
 A Helm chart for ORY Kratos's example ui for Kubernetes
 
@@ -18,7 +18,7 @@ A Helm chart for ORY Kratos's example ui for Kubernetes
 | imagePullSecrets | list | `[]` |  |
 | nameOverride | string | `""` |  |
 | fullnameOverride | string | `""` |  |
-| config.csrfCookieName | string | `""` |  |
+| config.csrfCookieName | string | `"radar_csrf"` |  |
 | config.secrets | object | `{}` |  |
 | service.type | string | `"ClusterIP"` |  |
 | service.loadBalancerIP | string | `""` | The load balancer IP |
@@ -29,13 +29,14 @@ A Helm chart for ORY Kratos's example ui for Kubernetes
 | secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created |
 | secret.secretAnnotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}` | Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. |
 | secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
-| ingress.enabled | bool | `false` |  |
-| ingress.className | string | `""` |  |
-| ingress.annotations | object | `{}` |  |
-| ingress.hosts[0].host | string | `"chart-example.local"` |  |
-| ingress.hosts[0].paths[0].path | string | `"/"` |  |
+| ingress.enabled | bool | `true` |  |
+| ingress.className | string | `"nginx"` |  |
+| ingress.annotations."cert-manager.io/cluster-issuer" | string | `"letsencrypt-prod"` |  |
+| ingress.hosts[0].host | string | `"localhost"` |  |
+| ingress.hosts[0].paths[0].path | string | `"/kratos-ui/?(.*)"` |  |
 | ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` |  |
-| ingress.tls | list | `[]` |  |
+| ingress.tls[0].secretName | string | `"radar-base-tls"` |  |
+| ingress.tls[0].hosts[0] | string | `"localhost"` |  |
 | securityContext.capabilities.drop[0] | string | `"ALL"` |  |
 | securityContext.readOnlyRootFilesystem | bool | `false` |  |
 | securityContext.runAsNonRoot | bool | `true` |  |
@@ -64,22 +65,25 @@ A Helm chart for ORY Kratos's example ui for Kubernetes
 | deployment.automountServiceAccountToken | bool | `false` |  |
 | deployment.terminationGracePeriodSeconds | int | `60` |  |
 | affinity | object | `{}` |  |
-| kratosPublicUrl | string | `"http://kratos:4433"` | Set this to ORY Kratos's public URL |
-| hydraAdminUrl | string | `"http://hydra:4445"` | Set this to ORY Hydra's Admin URL |
-| hydraPublicUrl | string | `"http://hydra:4444"` | Set this to ORY Hydra's public URL |
-| basePath | string | `""` | The basePath |
-| jwksUrl | string | `"http://hydra:4445/admin/keys/hydra.jwt.access-token"` | The jwksUrl |
+| networkpolicy | object | check `values.yaml` | Network policy defines who can access this application and who this applications has access to |
+| kratosAdminUrl | string | `"kratos-admin"` | Set this to ORY Kratos's Admin URL |
+| kratosPublicUrl | string | `"https://localhost/kratos"` | Set this to ORY Kratos's public URL |
+| kratosBrowserUrl | string | `"https://localhost/kratos"` | Set this to ORY Kratos's public URL accessible from the outside world. |
+| basePath | string | `"/kratos-ui"` | The basePath |
+| jwksUrl | string | `""` | The jwksUrl |
+| deployment.extraEnv[0].name | string | `"HYDRA_ADMIN_URL"` |  |
+| deployment.extraEnv[0].value | string | `"http://hydra-admin"` |  |
 | projectName | string | `"SecureApp"` |  |
 | test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
 | customLivenessProbe | object | `{}` | Custom livenessProbe that overrides the default one |
-| livenessProbe.enabled | bool | `true` | Enable livenessProbe |
+| livenessProbe.enabled | bool | `false` | Enable livenessProbe |
 | livenessProbe.initialDelaySeconds | int | `3` | Initial delay seconds for livenessProbe |
 | livenessProbe.periodSeconds | int | `300` | Period seconds for livenessProbe |
 | livenessProbe.timeoutSeconds | int | `10` | Timeout seconds for livenessProbe |
 | livenessProbe.successThreshold | int | `1` | Success threshold for livenessProbe |
 | livenessProbe.failureThreshold | int | `3` | Failure threshold for livenessProbe |
 | customReadinessProbe | object | `{}` | Custom readinessProbe that overrides the default one |
-| readinessProbe.enabled | bool | `true` | Enable readinessProbe |
+| readinessProbe.enabled | bool | `false` | Enable readinessProbe |
 | readinessProbe.initialDelaySeconds | int | `5` | Initial delay seconds for readinessProbe |
 | readinessProbe.periodSeconds | int | `10` | Period seconds for readinessProbe |
 | readinessProbe.timeoutSeconds | int | `10` | Timeout seconds for readinessProbe |

diff --git a/charts/radar-self-enrolment-ui/templates/networkpolicy.yaml b/charts/radar-self-enrolment-ui/templates/networkpolicy.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.networkpolicy }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ template "radar-self-enrolment-ui.fullname" . }}
+  labels:
+{{ include "radar-self-enrolment-ui.labels" . | indent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+{{ include "radar-self-enrolment-ui.labels" . | indent 6 }}
+    {{- tpl (toYaml .Values.networkpolicy) .  | nindent 2 }}
+{{- end -}}
diff --git a/charts/radar-self-enrolment-ui/values.yaml b/charts/radar-self-enrolment-ui/values.yaml
@@ -20,7 +20,7 @@ fullnameOverride: ""
 
 ## -- Application config
 config:
-  csrfCookieName: ""
+  csrfCookieName: "radar_csrf"
   secrets: {}
 
 ## -- Service configuration
@@ -51,23 +51,20 @@ secret:
   # -- switch to false to prevent checksum annotations being maintained and propogated to the pods
   hashSumEnabled: true
 
-## -- Ingress configration
 ingress:
-  enabled: false
-  className: ""
+  enabled: true
+  className: "nginx"
   annotations:
-    {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
+    cert-manager.io/cluster-issuer: letsencrypt-prod
   hosts:
-    - host: chart-example.local
+    - host: localhost
       paths:
-        - path: /
+        - path: "/kratos-ui/?(.*)"
           pathType: ImplementationSpecific
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
+  tls:
+    - secretName: radar-base-tls
+      hosts:
+        - localhost
 
 ## -- Container level security context
 securityContext:
@@ -166,20 +163,66 @@ deployment:
 
 affinity: {}
 
-# -- Set this to ORY Kratos's public URL
-kratosPublicUrl: http://kratos:4433
+# -- Network policy defines who can access this application and who this applications has access to
+# @default -- check `values.yaml`
+networkpolicy:
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: ingress-nginx
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: kratos-admin
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: '{{ .Release.Namespace }}'
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: hydra
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+      - port: 53
+        protocol: UDP
+      - port: 53
+        protocol: TCP
 
-# -- Set this to ORY Hydra's Admin URL
-hydraAdminUrl: http://hydra:4445
+# -- Set this to ORY Kratos's Admin URL
+kratosAdminUrl: "kratos-admin"
 
-# -- Set this to ORY Hydra's public URL
-hydraPublicUrl: http://hydra:4444
+# -- Set this to ORY Kratos's public URL
+kratosPublicUrl: "https://localhost/kratos"
+
+# -- Set this to ORY Kratos's public URL accessible from the outside world.
+kratosBrowserUrl: "https://localhost/kratos"
 
 # -- The basePath
-basePath: ""
+basePath: "/kratos-ui"
 
 # -- The jwksUrl
-jwksUrl: http://hydra:4445/admin/keys/hydra.jwt.access-token
+jwksUrl: ""
+
+deployment:
+  extraEnv:
+    - name: HYDRA_ADMIN_URL
+      value: http://hydra-admin
 
 projectName: SecureApp
 
@@ -194,7 +237,7 @@ customLivenessProbe: {}
 
 livenessProbe:
   # -- Enable livenessProbe
-  enabled: true
+  enabled: false
   # -- Initial delay seconds for livenessProbe
   initialDelaySeconds: 3
   # -- Period seconds for livenessProbe
@@ -211,7 +254,7 @@ customReadinessProbe: {}
 
 readinessProbe:
   # -- Enable readinessProbe
-  enabled: true
+  enabled: false
   # -- Initial delay seconds for readinessProbe
   initialDelaySeconds: 5
   # -- Period seconds for readinessProbe