Postgresql egress netpol

This patch set places in a default kubernetes egress network
policy for postgresql database chart.

Change-Id: I6caa917faf23becc3a1c09b47f457b8b2db996e4
Signed-off-by: Tin Lam <tin@irrational.io>

postgresql/templates/network_policy.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "postgresql" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}

postgresql/values.yaml

@@ -214,6 +214,13 @@ jobs:
       success: 3
       failed: 1
 
+network_policy:
+  postgresql:
+    ingress:
+      - {}
+    egress:
+      - {}
+
 conf:
   debug: false
   postgresql:
@@ -423,6 +430,7 @@ manifests:
   configmap_bin: true
   configmap_etc: true
   job_image_repo_sync: true
+  network_policy: false
   secret_admin: true
   secret_replica: true
   secret_server: true

postgresql/values_overrides/netpol.yaml

@@ -0,0 +1,11 @@
+manifests:
+  network_policy: true
+network_policy:
+  postgresql:
+    egress:
+      - to:
+        - ipBlock:
+            cidr: %%%REPLACE_API_ADDR%%%/32
+        ports:
+          - protocol: TCP
+            port: %%%REPLACE_API_PORT%%%