From 92165f260550230deb0942cdb0225dba633f3df0 Mon Sep 17 00:00:00 2001
From: Lukas Grossar
Date: Tue, 25 Jul 2023 22:38:58 +0200
Subject: [PATCH] feat(helm): add support for NetworkPolicies in v2 Helm chart

fixes #3160
---
 .../templates/networkpolicies.yaml | 40 +++++++++++++++++++
 v2/charts/azure-service-operator/values.yaml | 7 ++++
 2 files changed, 47 insertions(+)
 create mode 100644 v2/charts/azure-service-operator/templates/networkpolicies.yaml

diff --git a/v2/charts/azure-service-operator/templates/networkpolicies.yaml b/v2/charts/azure-service-operator/templates/networkpolicies.yaml
new file mode 100644
index 00000000000..689affbd019
--- /dev/null
+++ b/v2/charts/azure-service-operator/templates/networkpolicies.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.networkPolicies.enable }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: azure-service-operator-allow-ingress
+ namespace: {{ .Release.namespace }}
+spec:
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ podSelector:
+ matchLabels:
+ control-plane: controller-manager
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: azure-service-operator-allow-egress
+ namespace: {{ .Release.namespace }}
+spec:
+ egress:
+ - ports:
+ # Required for communication with the Azure API
+ - port: 443
+ protocol: TCP
+ # Required for communication with the Kubernetes API
+ - port: {{ .Values.networkPolicies.kubernetesApiPort }}
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ podSelector:
+ matchLabels:
+ control-plane: controller-manager
+ policyTypes:
+ - Egress
+{{- end }}
diff --git a/v2/charts/azure-service-operator/values.yaml b/v2/charts/azure-service-operator/values.yaml
index 85d0f61c994..c68aa604d5b 100644
--- a/v2/charts/azure-service-operator/values.yaml
+++ b/v2/charts/azure-service-operator/values.yaml
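Review bot: `namespace: {{ .Release.namespace }}` on both NetworkPolicy objects (new lines 6 and 22) refers to a field Helm's built-in `Release` object does not define; the correct name is `.Release.Namespace`, and as written the value most likely renders empty, so the objects only end up in the right place because Helm assigns the release namespace to namespaced resources that lack one. The egress policy is also unusable wherever NetworkPolicy is actually enforced: `policyTypes: [Egress]` with only TCP 443 and `kubernetesApiPort` permitted denies UDP/TCP 53 to cluster DNS, so the controller cannot resolve the Azure endpoints it is supposed to reach on 443. Both fixes are shown below; the DNS rule is a separate egress entry so it is not tied to the `ipBlock` of the existing one. Whether the API server is reached on `kubernetesApiPort` or through the `kubernetes` Service on 443 depends on how the CNI evaluates policy against service VIPs, so that value deserves a comment next to its default rather than a bare number.
```yaml
metadata:
  name: azure-service-operator-allow-egress
  namespace: {{ .Release.Namespace }}
spec:
  egress:
    # … unchanged: TCP 443 / kubernetesApiPort rule to 0.0.0.0/0 …
    # Cluster DNS: required to resolve the Azure and Kubernetes API hostnames
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
  # … unchanged: podSelector and policyTypes …
```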
@@ -120,3 +120,10 @@ podAnnotations: {}
 # NOTE: 'installCRDs' should be set to false while installing a tenant.
 multitenant:
 enable: false
+
+# networkPolicies allows you to configure the NetworkPolicies deployed as part of the Chart
+networkPolicies:
+ enable: true
+ # TCP port to be configured for talking to the Kubernetes API
+ kubernetesApiPort: 6443
+
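Review bot: `enable: true` switches the new policies on by default, so every existing installation picks up an egress restriction on upgrade without touching its values; on a cluster whose CNI enforces NetworkPolicy and whose API server is not reached on TCP 6443 (it is commonly reached through the `kubernetes` Service on 443) the controller stops working. The sibling `multitenant:` / `enable: false` on the context lines shows the chart's opt-in convention, so `enable: false` is the safer default, with the feature called out in the chart documentation. The `kubernetesApiPort` comment should also say where the value comes from, e.g. `# Port the API server endpoints listen on (see 'kubectl get endpoints kubernetes'); adjust if your cluster differs`.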