From e2c63ab24ac611529f58dcb25912f4ec7e89cfd1 Mon Sep 17 00:00:00 2001 From: Zirko <64951262+QuantumEnigmaa@users.noreply.github.com> Date: Wed, 13 Dec 2023 11:51:36 +0100 Subject: [PATCH] Helm: add cilium networkpolicies (#11425) **What this PR does / why we need it**: This PR adds `ciliumnetworkpolicies` that are equivalent to the standard `networkpolicies` already present in the templates. As `cilium` usage as a CNI is rising and the usage of `ciliumnetworkpolicies` is more and more widespread, having the possibility to deploy those directly from a setting in the values would be a time-saving option for a lot of deployments. **Special notes for your reviewer**: **Checklist** - [x] Reviewed the [`CONTRIBUTING.md`](https://github.com/grafana/loki/blob/main/CONTRIBUTING.md) guide (**required**) - [ ] Documentation added - [ ] Tests updated - [x] `CHANGELOG.md` updated - [ ] If the change is worth mentioning in the release notes, add `add-to-release-notes` label - [ ] Changes that require user attention or interaction to upgrade are documented in `docs/sources/setup/upgrade/_index.md` - [x] For Helm chart changes bump the Helm chart version in `production/helm/loki/Chart.yaml` and update `production/helm/loki/CHANGELOG.md` and `production/helm/loki/README.md`. [Example PR](https://github.com/grafana/loki/commit/d10549e3ece02120974929894ee333d07755d213) - [ ] If the change is deprecating or removing a configuration option, update the `deprecated-config.yaml` and `deleted-config.yaml` files respectively in the `tools/deprecated-config-checker` directory. [Example PR](https://github.com/grafana/loki/pull/10840/commits/0d4416a4b03739583349934b96f272fb4f685d15) --------- 
Signed-off-by: QuantumEnigmaa --- docs/sources/setup/install/helm/reference.md | 9 + production/helm/loki/CHANGELOG.md | 4 + production/helm/loki/Chart.yaml | 2 +- production/helm/loki/README.md | 2 +- .../loki/templates/ciliumnetworkpolicy.yaml | 184 ++++++++++++++++++ .../helm/loki/templates/networkpolicy.yaml | 2 +- production/helm/loki/values.yaml | 3 + 7 files changed, 203 insertions(+), 3 deletions(-) create mode 100644 production/helm/loki/templates/ciliumnetworkpolicy.yaml diff --git a/docs/sources/setup/install/helm/reference.md b/docs/sources/setup/install/helm/reference.md index 8252a6fd103a3..e650d0fca2fc2 100644 --- a/docs/sources/setup/install/helm/reference.md +++ b/docs/sources/setup/install/helm/reference.md @@ -3110,6 +3110,15 @@ false
 []
 
+ + + + networkPolicy.flavor + string + Specifies whether the policies created will be standard Network Policies (flavor: kubernetes) or Cilium Network Policies (flavor: cilium) +
+"kubernetes"
+
diff --git a/production/helm/loki/CHANGELOG.md b/production/helm/loki/CHANGELOG.md index 78571b3de600d..96bebdf5aebc9 100644 --- a/production/helm/loki/CHANGELOG.md +++ b/production/helm/loki/CHANGELOG.md @@ -13,6 +13,10 @@ Entries should include a reference to the pull request that introduced the chang [//]: # ( : do not remove this line. This locator is used by the CI pipeline to automatically create a changelog entry for each new Loki release. Add other chart versions and respective changelog entries bellow this line.) +## 5.41.2 + +- [FEATURE] Add ciliumnetworkpolicies. + ## 5.41.1 - [FEATURE] Allow topology spread constraints for Loki read deployment component. diff --git a/production/helm/loki/Chart.yaml b/production/helm/loki/Chart.yaml index d9cf011e4f23e..fc7e0fbacbc6e 100644 --- a/production/helm/loki/Chart.yaml +++ b/production/helm/loki/Chart.yaml @@ -3,7 +3,7 @@ name: loki description: Helm chart for Grafana Loki in simple, scalable mode type: application appVersion: 2.9.3 -version: 5.41.1 +version: 5.41.2 home: https://grafana.github.io/helm-charts sources: - https://github.com/grafana/loki diff --git a/production/helm/loki/README.md b/production/helm/loki/README.md index 3caad398ada44..e1da365b5bf92 100644 --- a/production/helm/loki/README.md +++ b/production/helm/loki/README.md @@ -1,6 +1,6 @@ # loki -![Version: 5.41.1](https://img.shields.io/badge/Version-5.41.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.9.3](https://img.shields.io/badge/AppVersion-2.9.3-informational?style=flat-square) +![Version: 5.41.2](https://img.shields.io/badge/Version-5.41.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.9.3](https://img.shields.io/badge/AppVersion-2.9.3-informational?style=flat-square) Helm chart for Grafana Loki in simple, scalable mode 
diff --git a/production/helm/loki/templates/ciliumnetworkpolicy.yaml b/production/helm/loki/templates/ciliumnetworkpolicy.yaml
new file mode 100644
index 0000000000000..5633ae1945206
--- /dev/null
+++ b/production/helm/loki/templates/ciliumnetworkpolicy.yaml
@@ -0,0 +1,184 @@
+{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "cilium") }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-namespace-only
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector: {}
+ egress:
+ - toEndpoints:
+ - {}
+ ingress:
+ - fromEndpoints:
+ - {}
+
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-egress-dns
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "loki.selectorLabels" . | nindent 6 }}
+ egress:
+ - toPorts:
+ - ports:
+ - port: dns
+ protocol: UDP
+ toEndpoints:
+ - namespaceSelector: {}
+
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-ingress
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ {{- if .Values.gateway.enabled }}
+ - gateway
+ {{- else }}
+ - read
+ - write
+ {{- end }}
+ matchLabels:
+ {{- include "loki.selectorLabels" . | nindent 6 }}
+ ingress:
+ - toPorts:
+ - port: http
+ protocol: TCP
+ {{- if .Values.networkPolicy.ingress.namespaceSelector }}
+ fromEndpoints:
+ - matchLabels:
+ {{- toYaml .Values.networkPolicy.ingress.namespaceSelector | nindent 8 }}
+ {{- if .Values.networkPolicy.ingress.podSelector }}
+ {{- toYaml .Values.networkPolicy.ingress.podSelector | nindent 8 }}
+ {{- end }}
+ {{- end }}
+
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-ingress-metrics
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "loki.selectorLabels" . 
| nindent 6 }}
+ ingress:
+ - toPorts:
+ - port: http-metrics
+ protocol: TCP
+ {{- if .Values.networkPolicy.metrics.cidrs }}
+ {{- range $cidr := .Values.networkPolicy.metrics.cidrs }}
+ toCIDR:
+ - {{ $cidr }}
+ {{- end }}
+ {{- if .Values.networkPolicy.metrics.namespaceSelector }}
+ fromEndpoints:
+ - matchLabels:
+ {{- toYaml .Values.networkPolicy.metrics.namespaceSelector | nindent 8 }}
+ {{- if .Values.networkPolicy.metrics.podSelector }}
+ {{- toYaml .Values.networkPolicy.metrics.podSelector | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-egress-alertmanager
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "loki.backendSelectorLabels" . | nindent 6 }}
+ egress:
+ - toPorts:
+ - port: {{ .Values.networkPolicy.alertmanager.port }}
+ protocol: TCP
+ {{- if .Values.networkPolicy.alertmanager.namespaceSelector }}
+ toEndpoints:
+ - matchLabels:
+ {{- toYaml .Values.networkPolicy.alertmanager.namespaceSelector | nindent 8 }}
+ {{- if .Values.networkPolicy.alertmanager.podSelector }}
+ {{- toYaml .Values.networkPolicy.alertmanager.podSelector | nindent 8 }}
+ {{- end }}
+ {{- end }}
+
+{{- if .Values.networkPolicy.externalStorage.ports }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-egress-external-storage
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "loki.selectorLabels" . 
| nindent 6 }}
+ egress:
+ - toPorts:
+ {{- range $port := .Values.networkPolicy.externalStorage.ports }}
+ - port: {{ $port }}
+ protocol: TCP
+ {{- end }}
+ {{- if .Values.networkPolicy.externalStorage.cidrs }}
+ {{- range $cidr := .Values.networkPolicy.externalStorage.cidrs }}
+ toCIDR:
+ - {{ $cidr }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- end }}
+
+{{- if .Values.networkPolicy.discovery.port }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "loki.name" . }}-egress-discovery
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "loki.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "loki.selectorLabels" . | nindent 6 }}
+ egress:
+ - toPorts:
+ - port: {{ .Values.networkPolicy.discovery.port }}
+ protocol: TCP
+ {{- if .Values.networkPolicy.discovery.namespaceSelector }}
+ toEndpoints:
+ - matchLabels:
+ {{- toYaml .Values.networkPolicy.discovery.namespaceSelector | nindent 8 }}
+ {{- if .Values.networkPolicy.discovery.podSelector }}
+ {{- toYaml .Values.networkPolicy.discovery.podSelector | nindent 8 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/production/helm/loki/templates/networkpolicy.yaml b/production/helm/loki/templates/networkpolicy.yaml
index 4424d90db08d4..27c85280eb08c 100644
--- a/production/helm/loki/templates/networkpolicy.yaml
+++ b/production/helm/loki/templates/networkpolicy.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.networkPolicy.enabled }}
+{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "kubernetes") }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
diff --git a/production/helm/loki/values.yaml b/production/helm/loki/values.yaml
index 738cf6ea25ae7..e82967a4efb3b 100644
--- a/production/helm/loki/values.yaml
+++ b/production/helm/loki/values.yaml
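Review bot: The `egress-discovery` CiliumNetworkPolicy at the end of the file sits outside the enclosing `{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "cilium") }}` guard — the outer `{{- end }}` closes right after the external-storage policy — so setting `networkPolicy.discovery.port` renders a Cilium object even with policies disabled or `flavor: kubernetes`, which fails on clusters without the CRD and, where Cilium is present, places the Loki pods in egress default-deny with only the discovery port permitted. Separately, the peers are written in Kubernetes NetworkPolicy vocabulary that a Cilium endpoint selector does not have: `toEndpoints: - namespaceSelector: {}` in the DNS rule, and the `namespaceSelector`/`podSelector` values spliced under `matchLabels:` in the ingress, metrics, alertmanager and discovery rules — Cilium selectors only take `matchLabels`/`matchExpressions`, with the namespace expressed through its `io.kubernetes.pod.namespace` (or `io.cilium.k8s.namespace.labels.<key>`) label keys, so these rules either fail CRD validation or, if the unknown field is pruned, match only the release namespace and silently cut DNS to kube-system. Within the same rules, ingress CIDR peers are `fromCIDR` not `toCIDR`, the `toCIDR:` key is emitted once per loop iteration (duplicate mapping keys from the second CIDR on) in both the metrics and external-storage rules, the metrics `fromEndpoints` block is nested inside `{{- if .Values.networkPolicy.metrics.cidrs }}` so the selector is ignored unless CIDRs are also set, and every `toPorts` entry except the DNS rule lacks the `ports:` level that rule uses (numeric ports from values should also be rendered with `| quote`, since Cilium's port field is a string). Please render with several CIDRs plus a namespace selector and server-side dry-run the output against a Cilium cluster before merging; the sketch below shows the DNS peer, the metrics CIDR loop and the guard placement.

```yaml
# … unchanged: namespace-only policy …
# egress-dns: select the cluster DNS by Cilium label keys; use a
# matchExpressions/Exists on io.kubernetes.pod.namespace instead to keep
# the any-namespace semantics of the Kubernetes flavor
  egress:
    - toPorts:
        - ports:
            - port: dns
              protocol: UDP
      toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            "k8s:k8s-app": kube-dns
# … unchanged: ingress policy …
# ingress-metrics: ingress peers use fromCIDR, key emitted once, loop inside it
      {{- if .Values.networkPolicy.metrics.cidrs }}
      fromCIDR:
      {{- range $cidr := .Values.networkPolicy.metrics.cidrs }}
        - {{ $cidr }}
      {{- end }}
      {{- end }}
# … unchanged: alertmanager and external-storage policies …
{{- if .Values.networkPolicy.discovery.port }}
# … unchanged: egress-discovery policy …
{{- end }}
# closes the enabled/flavor guard — now after the discovery policy
{{- end }}
```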
@@ -1465,6 +1465,9 @@ gateway: networkPolicy: # -- Specifies whether Network Policies should be created enabled: false + # -- Specifies whether the policies created will be standard Network Policies (flavor: kubernetes) + # or Cilium Network Policies (flavor: cilium) + flavor: kubernetes metrics: # -- Specifies the Pods which are allowed to access the metrics port. # As this is cross-namespace communication, you also need the namespaceSelector.
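Review bot: `flavor` is only ever compared by exact string match in the two templates, so `networkPolicy.enabled: true` with any other spelling (for example `Cilium` or `k8s`) renders no policies at all and the release silently runs without the isolation the operator believes is in place. Reject unknown values up front, either in a values schema if the chart ships one or at the top of both templates with `{{- if not (has .Values.networkPolicy.flavor (list "kubernetes" "cilium")) }}{{ fail "networkPolicy.flavor must be \"kubernetes\" or \"cilium\"" }}{{- end }}`. The new comment should also state that `cilium` requires the CiliumNetworkPolicy CRD (Cilium as the CNI) to be present, since installation otherwise fails, and that the selector values below are interpreted differently by the two flavors.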