chore: introduce server.networkPolicy.ingress

As suggested let users template the whole ingress object for the networkPolicy than only the podSelector. Co-authored-by: tvoran <[email protected]>
hashicorp · Jul 28, 2023 · 30b0c1e · 30b0c1e
1 parent ca0b683
commit 30b0c1e
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 19 deletions.
diff --git a/templates/server-network-policy.yaml b/templates/server-network-policy.yaml
@@ -16,18 +16,7 @@ spec:
     matchLabels:
       app.kubernetes.io/name: {{ template "vault.name" . }}
       app.kubernetes.io/instance: {{ .Release.Name }}
-  ingress:
-    - from:
-        - namespaceSelector: {}
-          {{- if .Values.server.networkPolicy.podSelector }}
-          podSelector:
-            {{- toYaml .Values.server.networkPolicy.podSelector | nindent 14 }}
-          {{- end }}
-      ports:
-      - port: 8200
-        protocol: TCP
-      - port: 8201
-        protocol: TCP
+  ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
   {{- if .Values.server.networkPolicy.egress }}
   egress:
   {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}

diff --git a/test/unit/server-network-policy.bats b/test/unit/server-network-policy.bats
@@ -21,11 +21,11 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
-@test "server/network-policy: podSelector enabled by server.networkPolicy.podSelector" {
+@test "server/network-policy: ingress changed by server.networkPolicy.ingress" {
   cd `chart_dir`
   local actual=$(helm template \
       --set 'server.networkPolicy.enabled=true' \
-      --set 'server.networkPolicy.podSelector.matchLabels.foo=bar' \
+      --set 'server.networkPolicy.ingress[0].from[0].podSelector.matchLabels.foo=bar' \
       --show-only templates/server-network-policy.yaml \
       . | tee /dev/stderr |
       yq -r '.spec.ingress[0].from[0].podSelector.matchLabels.foo' | tee /dev/stderr)

diff --git a/values.yaml b/values.yaml
@@ -630,11 +630,14 @@ server:
     #   ports:
     #   - protocol: TCP
     #     port: 443
-    podSelector: {}
-    # Restrict traffic to vault pods only with given labels
-    # podSelector:
-    #   matchLabels:
-    #     vault-access: "true"
+    ingress:
+      - from:
+          - namespaceSelector: {}
+        ports:
+        - port: 8200
+          protocol: TCP
+        - port: 8201
+          protocol: TCP
 
   # Priority class for server pods
   priorityClassName: ""