From a43ae252260809d9159beca048ef662bac3bc833 Mon Sep 17 00:00:00 2001
From: Tin Lam
Date: Tue, 26 Nov 2019 08:50:34 -0600
Subject: [PATCH] Postgresql egress netpol

This patch set places in a default kubernetes egress network policy for postgresql database chart.

Change-Id: I6caa917faf23becc3a1c09b47f457b8b2db996e4
Signed-off-by: Tin Lam
---
 postgresql/templates/network_policy.yaml | 19 +++++++++++++++++++
 postgresql/values.yaml | 8 ++++++++
 postgresql/values_overrides/netpol.yaml | 11 +++++++++++
 3 files changed, 38 insertions(+)
 create mode 100644 postgresql/templates/network_policy.yaml
 create mode 100644 postgresql/values_overrides/netpol.yaml

diff --git a/postgresql/templates/network_policy.yaml b/postgresql/templates/network_policy.yaml
new file mode 100644
index 000000000..e7ae8ff23
--- /dev/null
+++ b/postgresql/templates/network_policy.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.network_policy -}}
+{{- $netpol_opts := dict "envAll" . "name" "application" "label" "postgresql" -}}
+{{ $netpol_opts | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{- end -}}
diff --git a/postgresql/values.yaml b/postgresql/values.yaml
index c2da1eff3..f3b58e4b6 100644
--- a/postgresql/values.yaml
+++ b/postgresql/values.yaml
@@ -214,6 +214,13 @@ jobs:
 success: 3
 failed: 1
+network_policy:
+ postgresql:
+ ingress:
+ - {}
+ egress:
+ - {}
+
 conf:
 debug: false
 postgresql:
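Review bot: The new `network_policy.postgresql` defaults in values.yaml are a single empty rule in each direction (`ingress: - {}` and `egress: - {}`), and in a Kubernetes NetworkPolicy an empty rule matches every peer and every port. Turning on `manifests.network_policy` (added as `false` in the next hunk) without an override would therefore presumably render an allow-all policy, assuming helm-toolkit passes these lists through unchanged. I would state that next to the defaults, e.g. `# An empty rule ({}) allows all traffic; override network_policy.postgresql to restrict it.`, so operators do not read the toggle as providing isolation by itself.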
@@ -423,6 +430,7 @@ manifests:
 configmap_bin: true
 configmap_etc: true
 job_image_repo_sync: true
+ network_policy: false
 secret_admin: true
 secret_replica: true
 secret_server: true
diff --git a/postgresql/values_overrides/netpol.yaml b/postgresql/values_overrides/netpol.yaml
new file mode 100644
index 000000000..c8588f530
--- /dev/null
+++ b/postgresql/values_overrides/netpol.yaml
@@ -0,0 +1,11 @@
+manifests:
+ network_policy: true
+network_policy:
+ postgresql:
+ egress:
+ - to:
+ - ipBlock:
+ cidr: %%%REPLACE_API_ADDR%%%/32
+ ports:
+ - protocol: TCP
+ port: %%%REPLACE_API_PORT%%%
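Review bot: The override in values_overrides/netpol.yaml narrows only `egress` and sets no `ingress` key, so after Helm's key-by-key merge the ingress side appears to stay at the chart default `- {}`, i.e. open to every source. The single egress rule allows one `ipBlock` (`%%%REPLACE_API_ADDR%%%/32`) on one TCP port; if the database pods also need DNS lookups or peer-to-peer replication traffic, those flows would need their own `to`/`ports` entries or they will be dropped once the policy is enforced. A header comment should say that `%%%REPLACE_API_ADDR%%%` and `%%%REPLACE_API_PORT%%%` must be substituted before the file is handed to Helm (a plain YAML scalar cannot start with `%`, so the raw `port:` value will not parse) and that ingress is intentionally left at the default.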