{{ if .Values.networkPolicies.enabled -}}
# Baseline policy: selects every pod carrying this chart/release label pair
# and lists both policy types with empty rule sets, so those pods accept no
# ingress and may open no egress until another policy in this file allows it.
# Every policy in this template sits inside the networkPolicies.enabled
# conditional; when that value is false none of them is rendered.
# Enforcement depends on the cluster's network plugin implementing
# NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-default-deny-all
  labels:
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress: []
---
{{ if .Values.networkPolicies.dnsPorts -}}
# Egress exception for name resolution: every port listed in
# networkPolicies.dnsPorts is opened for both UDP and TCP. The policy is
# rendered only when that list is non-empty.
# NOTE(review): the rule carries no `to` peers, so these ports are reachable
# on any destination, not only the cluster resolver. Adding `to` peers for
# the DNS pods or resolver address would narrow this; confirm which resolver
# the cluster uses before tightening.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-allow-dns-access
  labels:
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
  policyTypes:
    - Egress
  egress:
    - ports:
        {{ range .Values.networkPolicies.dnsPorts -}}
        - port: {{ . }}
          protocol: UDP
        - port: {{ . }}
          protocol: TCP
        {{ end }}
{{- end }}
---
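# Opens port 8080 on the gerrit-replica pods of this release.
# `from: []` places no restriction on the source, so the port accepts
# connections from every pod, namespace and external address that can route
# to it; no protocol is given, which the API treats as TCP.
# NOTE(review): the object name is a fixed string, unlike the
# release-prefixed default-deny policy, so two releases installed into one
# namespace would render the same NetworkPolicy name.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: gerrit-replica-allow-external
  labels:
    app: gerrit-replica
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  # Spelled out to match the other policies in this file; Ingress is also
  # what the API applies by default when only ingress rules are present.
  policyTypes:
    - Ingress
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
      app: gerrit-replica
  ingress:
    - ports:
        - port: 8080
      from: []
---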
{{ if .Values.gitBackend.networkPolicy.ingress -}}
# Operator-supplied ingress rules for the git-backend pods of this release,
# copied verbatim from gitBackend.networkPolicy.ingress. The policy is only
# rendered when that value is non-empty.
# These rules add to whatever the other policies already allow, so an entry
# without `from` peers admits traffic from every source; review the values
# with that in mind.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: git-backend-custom-ingress-policies
  labels:
    app: git-backend
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
      app: git-backend
  policyTypes:
    - Ingress
  ingress:
{{ toYaml .Values.gitBackend.networkPolicy.ingress | indent 2 }}
{{- end }}
---
{{ if .Values.gitBackend.networkPolicy.egress -}}
# Operator-supplied egress rules for the git-backend pods of this release,
# copied verbatim from gitBackend.networkPolicy.egress. The policy is only
# rendered when that value is non-empty.
# These rules add to whatever the other policies already allow, so an entry
# without `to` peers lets the pods reach any destination on the listed
# ports; review the values with that in mind.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: git-backend-custom-egress-policies
  labels:
    app: git-backend
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
      app: git-backend
  policyTypes:
    - Egress
  egress:
{{ toYaml .Values.gitBackend.networkPolicy.egress | indent 2 }}
{{- end }}
---
{{ if .Values.gerritReplica.networkPolicy.ingress -}}
# Operator-supplied ingress rules for the gerrit-replica pods of this
# release, copied verbatim from gerritReplica.networkPolicy.ingress. The
# policy is only rendered when that value is non-empty.
# These rules add to whatever the other policies already allow, so an entry
# without `from` peers admits traffic from every source; review the values
# with that in mind.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: gerrit-replica-custom-ingress-policies
  labels:
    app: gerrit-replica
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
      app: gerrit-replica
  policyTypes:
    - Ingress
  ingress:
{{ toYaml .Values.gerritReplica.networkPolicy.ingress | indent 2 }}
{{- end }}
---
{{ if .Values.gerritReplica.networkPolicy.egress -}}
# Operator-supplied egress rules for the gerrit-replica pods of this
# release, copied verbatim from gerritReplica.networkPolicy.egress. The
# policy is only rendered when that value is non-empty.
# These rules add to whatever the other policies already allow, so an entry
# without `to` peers lets the pods reach any destination on the listed
# ports; review the values with that in mind.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: gerrit-replica-custom-egress-policies
  labels:
    app: gerrit-replica
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
      app: gerrit-replica
  policyTypes:
    - Egress
  egress:
{{ toYaml .Values.gerritReplica.networkPolicy.egress | indent 2 }}
{{- end }}
---
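{{ if .Values.istio.enabled -}}
# Rendered only when istio.enabled is set. Allows TCP 15012 in both
# directions for every pod of this release.
# NOTE(review): neither rule names peers, so the port is open to and from
# any address. Presumably it serves the sidecar's connection to the mesh
# control plane; confirm, and consider limiting the peers to that namespace.
# NOTE(review): the object name is a fixed string, so two releases in one
# namespace would render the same NetworkPolicy name.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istio-proxy
  labels:
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  policyTypes:
    - Egress
    - Ingress
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
  egress:
    - ports:
        - protocol: TCP
          port: 15012
  ingress:
    - ports:
        - protocol: TCP
          port: 15012
---
# Admits traffic on port 80, plus the Gerrit SSH service port when
# istio.ssh.enabled is set, to every pod of this release.
# NOTE(review): `from` holds two separate list entries, which NetworkPolicy
# treats as alternatives: any pod in a namespace labelled name=istio-system,
# or any pod in this release's namespace labelled istio=ingressgateway. If
# only the ingress gateway pods inside istio-system are meant, both
# selectors belong in a single entry; confirm the intent. The `name` label
# must also actually be set on the istio-system namespace for the first
# entry to match.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-istio-ingress
  labels:
    chart: {{ template "gerrit-replica.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  # Spelled out to match the other policies in this file; Ingress is also
  # what the API applies by default when only ingress rules are present.
  policyTypes:
    - Ingress
  podSelector:
    matchLabels:
      chart: {{ template "gerrit-replica.chart" . }}
      release: {{ .Release.Name }}
  ingress:
    - ports:
        - protocol: TCP
          port: 80
        {{ if .Values.istio.ssh.enabled }}
        - protocol: TCP
          port: {{ .Values.gerritReplica.service.ssh.port }}
        {{- end }}
      from:
        - namespaceSelector:
            matchLabels:
              name: istio-system
        - podSelector:
            matchLabels:
              istio: ingressgateway

{{- end }}
{{- end }}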