Merge branch 'master' into patch-2

Author: ddecrulle

charts/argo-cd/Chart.yaml

@@ -24,7 +24,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.0.7
+version: 2.0.8
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -35,5 +35,5 @@ dependencies:
     version: 4.5.7
     repository: https://argoproj.github.io/argo-helm
   - name: library-chart
-    version: 2.0.20
+    version: 2.0.21
     repository: https://inseefrlab.github.io/helm-charts-datascience

charts/argo-cd/templates/network-policy.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.security.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .Release.Name }}
+  labels:
+    {{- include "library-chart.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  ingress:
+  - from:
+    - podSelector: {}
+  policyTypes:
+  - Ingress
+{{- end }}

charts/argo-cd/templates/networkpolicy-ingress.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.security.networkPolicy.enabled -}}
+{{- if .Values.ingress.enabled -}}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ include "library-chart.fullname" . }}-2
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  ingress:
+  - from:
+    {{- toYaml .Values.security.networkPolicy.from | nindent 4 }}
+  policyTypes:
+  - Ingress
+{{- end }}
+{{- end }} 

charts/argo-cd/values.schema.json

@@ -44,6 +44,21 @@
                   }
                 }
               }
+          },
+          "networkPolicy": {
+            "type": "object",
+            "description": "Define access policy to the service",
+            "properties": {
+              "enabled": {
+                "type": "boolean",
+                "title": "Enable network policy",
+                "description": "Only pod from the same namespace will be allowed",
+                "default": true,
+                "x-form": {
+                  "value": "{{region.defaultNetworkPolicy}}"
+                }
+              }
+            }
           }
       }
     },

charts/argo-cd/values.yaml

@@ -20,6 +20,13 @@ security:
   allowlist:
     enabled: true
     ip: "0.0.0.0/0"
+  networkPolicy: 
+    enabled: true
+    from: 
+    - ipBlock:
+        cidr: 10.233.103.0/32
+    - ipBlock:
+        cidr: 10.233.111.0/32
 
 global:
   networkPolicy:

charts/argo-workflows/Chart.yaml

@@ -24,7 +24,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.0.5
+version: 2.0.6
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/argo-workflows/templates/network-policy.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.security.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .Release.Name }}
+  labels:
+    {{- include "library-chart.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  ingress:
+  - from:
+    - podSelector: {}
+  policyTypes:
+  - Ingress
+{{- end }}

charts/argo-workflows/templates/networkpolicy-ingress.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.security.networkPolicy.enabled -}}
+{{- if .Values.ingress.enabled -}}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ include "library-chart.fullname" . }}-2
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  ingress:
+  - from:
+    {{- toYaml .Values.security.networkPolicy.from | nindent 4 }}
+  policyTypes:
+  - Ingress
+{{- end }}
+{{- end }} 

charts/argo-workflows/values.schema.json

@@ -45,6 +45,21 @@
                   }
                 }
               }
+          },
+          "networkPolicy": {
+            "type": "object",
+            "description": "Define access policy to the service",
+            "properties": {
+              "enabled": {
+                "type": "boolean",
+                "title": "Enable network policy",
+                "description": "Only pod from the same namespace will be allowed",
+                "default": true,
+                "x-form": {
+                  "value": "{{region.defaultNetworkPolicy}}"
+                }
+              }
+            }
           }
       }
     },

charts/argo-workflows/values.yaml

@@ -10,9 +10,16 @@ ingress:
   #      - chart-example.local
 
 security:
-    allowlist:
-      enabled: true
-      ip: "0.0.0.0/0"
+  allowlist:
+    enabled: true
+    ip: "0.0.0.0/0"
+  networkPolicy: 
+    enabled: true
+    from: 
+    - ipBlock:
+        cidr: 10.233.103.0/32
+    - ipBlock:
+        cidr: 10.233.111.0/32
 
 serviceAccount:
   create: true