From 30b0c1e48cb0755b78e376773dc7dbab9193d3ba Mon Sep 17 00:00:00 2001
From: Marco Lecheler
Date: Fri, 28 Jul 2023 07:29:42 +0200
Subject: [PATCH] chore: introduce server.networkPolicy.ingress

As suggested let users template the whole ingress object for the networkPolicy than only the podSelector.

Co-authored-by: tvoran <444265+tvoran@users.noreply.github.com>
---
 templates/server-network-policy.yaml | 13 +------------
 test/unit/server-network-policy.bats | 4 ++--
 values.yaml | 13 ++++++++-----
 3 files changed, 11 insertions(+), 19 deletions(-)

diff --git a/templates/server-network-policy.yaml b/templates/server-network-policy.yaml
index 93ae307d1..43dcdb16f 100644
--- a/templates/server-network-policy.yaml
+++ b/templates/server-network-policy.yaml
@@ -16,18 +16,7 @@ spec:
 matchLabels:
 app.kubernetes.io/name: {{ template "vault.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
- ingress:
- - from:
- - namespaceSelector: {}
- {{- if .Values.server.networkPolicy.podSelector }}
- podSelector:
- {{- toYaml .Values.server.networkPolicy.podSelector | nindent 14 }}
- {{- end }}
- ports:
- - port: 8200
- protocol: TCP
- - port: 8201
- protocol: TCP
+ ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }}
 {{- if .Values.server.networkPolicy.egress }}
 egress:
 {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }}
diff --git a/test/unit/server-network-policy.bats b/test/unit/server-network-policy.bats
index 817052eca..179268577 100755
--- a/test/unit/server-network-policy.bats
+++ b/test/unit/server-network-policy.bats
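Review bot: The template now ignores `server.networkPolicy.podSelector` without any signal, so a values file that used it to restrict ingress to labelled pods will, after upgrade, render the default `namespaceSelector: {}` rule and admit every pod in every namespace — a silent widening of the policy. A guard placed before the new `ingress:` line would turn that into a render-time error, e.g. `{{- if .Values.server.networkPolicy.podSelector }}{{ fail "server.networkPolicy.podSelector was replaced by server.networkPolicy.ingress" }}{{- end }}`. The new line also renders unconditionally, unlike the `egress:` block just below it, so an `ingress: []` or null override emits a NetworkPolicy with no inbound allow rules, which — unless `policyTypes` is set elsewhere in the template, outside this hunk — blocks all traffic to 8200/8201; a short comment on the line stating that trade-off would help. The enclosing NetworkPolicy object starts before this hunk.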
@@ -21,11 +21,11 @@ load _helpers
 [ "${actual}" = "true" ]
 }
 
-@test "server/network-policy: podSelector enabled by server.networkPolicy.podSelector" {
+@test "server/network-policy: ingress changed by server.networkPolicy.ingress" {
 cd `chart_dir`
 local actual=$(helm template \
 --set 'server.networkPolicy.enabled=true' \
- --set 'server.networkPolicy.podSelector.matchLabels.foo=bar' \
+ --set 'server.networkPolicy.ingress[0].from[0].podSelector.matchLabels.foo=bar' \
 --show-only templates/server-network-policy.yaml \
 . | tee /dev/stderr |
 yq -r '.spec.ingress[0].from[0].podSelector.matchLabels.foo' | tee /dev/stderr)
diff --git a/values.yaml b/values.yaml
index 4cc31ccb4..7c62801bf 100644
--- a/values.yaml
+++ b/values.yaml
@@ -630,11 +630,14 @@ server:
 # ports:
 # - protocol: TCP
 # port: 443
- podSelector: {}
- # Restrict traffic to vault pods only with given labels
- # podSelector:
- # matchLabels:
- # vault-access: "true"
+ ingress:
+ - from:
+ - namespaceSelector: {}
+ ports:
+ - port: 8200
+ protocol: TCP
+ - port: 8201
+ protocol: TCP
 
 # Priority class for server pods
 priorityClassName: ""
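Review bot: The renamed test only proves that a user-supplied `ingress` entry is rendered; nothing asserts that the chart's default rule (`namespaceSelector: {}` with ports 8200 and 8201) still comes out of the template now that those values moved from the template into values.yaml, so a regression that rendered `ingress` empty — a policy with no inbound allow rules — would pass the suite. A second test exercising the default rendering, sketched below, closes that gap. The `@test` function's closing brace lies outside the hunk.
```bash
@test "server/network-policy: default ingress allows vault ports" {
  cd `chart_dir`
  local actual=$(helm template \
      --set 'server.networkPolicy.enabled=true' \
      --show-only templates/server-network-policy.yaml \
      . | tee /dev/stderr |
      yq -r '.spec.ingress[0].ports[0].port' | tee /dev/stderr)
  [ "${actual}" = "8200" ]
}
```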
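Review bot: The removed guidance comment (`# Restrict traffic to vault pods only with given labels`) is not carried over to the new key, so values.yaml no longer shows how to narrow the default rule, which admits pods from every namespace. Restating the example in the new shape keeps the restriction discoverable, e.g. `# - from:` / `#     - namespaceSelector: {}` / `#       podSelector: {matchLabels: {vault-access: "true"}}` placed above `ingress:`. A further comment noting that setting `ingress: []` removes every inbound allow rule for the vault ports would pre-empt the next surprise.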