feat: Add a variable that enables/disables network policies

README.adoc

@@ -36,14 +36,14 @@ The following requirements are needed by this module:
 
 The following providers are used by this module:
 
+- [[provider_null]] <<provider_null,null>> (>= 3)
+
 - [[provider_random]] <<provider_random,random>> (>= 3)
 
 - [[provider_argocd]] <<provider_argocd,argocd>> (>= 5)
 
 - [[provider_utils]] <<provider_utils,utils>> (>= 1)
 
-- [[provider_null]] <<provider_null,null>> (>= 3)
-
 === Resources
 
 The following resources are used by this module:
@@ -270,6 +270,14 @@ Type: `bool`
 
 Default: `false`
 
+==== [[input_enable_network_policies]] <<input_enable_network_policies,enable_network_policies>>
+
+Description: Enable or disable network policy for Thanos components.
+
+Type: `bool`
+
+Default: `false`
+
 === Outputs
 
 The following outputs are exported:
@@ -302,8 +310,8 @@ Description: ID to pass other modules in order to refer to this module as a depe
 |===
 |Name |Version
 |[[provider_random]] <<provider_random,random>> |>= 3
-|[[provider_argocd]] <<provider_argocd,argocd>> |>= 5
 |[[provider_utils]] <<provider_utils,utils>> |>= 1
+|[[provider_argocd]] <<provider_argocd,argocd>> |>= 5
 |[[provider_null]] <<provider_null,null>> |>= 3
 |===
 
@@ -513,6 +521,12 @@ object({
 |`false`
 |no
 
+|[[input_enable_network_policies]] <<input_enable_network_policies,enable_network_policies>>
+|Enable or disable network policy for Thanos components.
+|`bool`
+|`false`
+|no
+
 |===
 
 = Outputs

aks/README.adoc

@@ -474,6 +474,14 @@ Type: `bool`
 
 Default: `false`
 
+==== [[input_enable_network_policies]] <<input_enable_network_policies,enable_network_policies>>
+
+Description: Enable or disable network policy for Thanos components.
+
+Type: `bool`
+
+Default: `false`
+
 === Outputs
 
 The following outputs are exported:
@@ -740,6 +748,12 @@ object({
 |`false`
 |no
 
+|[[input_enable_network_policies]] <<input_enable_network_policies,enable_network_policies>>
+|Enable or disable network policy for Thanos components.
+|`bool`
+|`false`
+|no
+
 |===
 
 = Outputs

aks/main.tf

@@ -59,18 +59,19 @@ resource "azurerm_federated_identity_credential" "thanos" {
 module "thanos" {
   source = "../"
 
-  cluster_name           = var.cluster_name
-  base_domain            = var.base_domain
-  subdomain              = var.subdomain
-  argocd_project         = var.argocd_project
-  argocd_labels          = var.argocd_labels
-  destination_cluster    = var.destination_cluster
-  target_revision        = var.target_revision
-  cluster_issuer         = var.cluster_issuer
-  deep_merge_append_list = var.deep_merge_append_list
-  enable_service_monitor = var.enable_service_monitor
-  app_autosync           = var.app_autosync
-  dependency_ids         = var.dependency_ids
+  cluster_name            = var.cluster_name
+  base_domain             = var.base_domain
+  subdomain               = var.subdomain
+  argocd_project          = var.argocd_project
+  argocd_labels           = var.argocd_labels
+  destination_cluster     = var.destination_cluster
+  target_revision         = var.target_revision
+  cluster_issuer          = var.cluster_issuer
+  deep_merge_append_list  = var.deep_merge_append_list
+  enable_service_monitor  = var.enable_service_monitor
+  app_autosync            = var.app_autosync
+  dependency_ids          = var.dependency_ids
+  enable_network_policies = var.enable_network_policies
 
   resources = var.resources
 

eks/README.adoc

@@ -503,6 +503,14 @@ Type: `bool`
 
 Default: `false`
 
+==== [[input_enable_network_policies]] <<input_enable_network_policies,enable_network_policies>>
+
+Description: Enable or disable network policy for Thanos components.
+
+Type: `bool`
+
+Default: `false`
+
 === Outputs
 
 The following outputs are exported:
@@ -768,6 +776,12 @@ object({
 |`false`
 |no
 
+|[[input_enable_network_policies]] <<input_enable_network_policies,enable_network_policies>>
+|Enable or disable network policy for Thanos components.
+|`bool`
+|`false`
+|no
+
 |===
 
 = Outputs

eks/main.tf

@@ -50,18 +50,19 @@ module "iam_assumable_role_thanos" {
 module "thanos" {
   source = "../"
 
-  cluster_name           = var.cluster_name
-  base_domain            = var.base_domain
-  subdomain              = var.subdomain
-  argocd_project         = var.argocd_project
-  argocd_labels          = var.argocd_labels
-  destination_cluster    = var.destination_cluster
-  target_revision        = var.target_revision
-  cluster_issuer         = var.cluster_issuer
-  deep_merge_append_list = var.deep_merge_append_list
-  enable_service_monitor = var.enable_service_monitor
-  app_autosync           = var.app_autosync
-  dependency_ids         = var.dependency_ids
+  cluster_name            = var.cluster_name
+  base_domain             = var.base_domain
+  subdomain               = var.subdomain
+  argocd_project          = var.argocd_project
+  argocd_labels           = var.argocd_labels
+  destination_cluster     = var.destination_cluster
+  target_revision         = var.target_revision
+  cluster_issuer          = var.cluster_issuer
+  deep_merge_append_list  = var.deep_merge_append_list
+  enable_service_monitor  = var.enable_service_monitor
+  app_autosync            = var.app_autosync
+  dependency_ids          = var.dependency_ids
+  enable_network_policies = var.enable_network_policies
 
   resources = var.resources
 

kind/README.adoc

@@ -401,6 +401,14 @@ Type: `bool`
 
 Default: `false`
 
+==== [[input_enable_network_policies]] <<input_enable_network_policies,enable_network_policies>>
+
+Description: Enable or disable network policy for Thanos components.
+
+Type: `bool`
+
+Default: `false`
+
 === Outputs
 
 The following outputs are exported:
@@ -645,6 +653,12 @@ object({
 |`false`
 |no
 
+|[[input_enable_network_policies]] <<input_enable_network_policies,enable_network_policies>>
+|Enable or disable network policy for Thanos components.
+|`bool`
+|`false`
+|no
+
 |===
 
 = Outputs

kind/main.tf

@@ -1,18 +1,19 @@
 module "thanos" {
   source = "../"
 
-  cluster_name           = var.cluster_name
-  base_domain            = var.base_domain
-  subdomain              = var.subdomain
-  argocd_project         = var.argocd_project
-  argocd_labels          = var.argocd_labels
-  destination_cluster    = var.destination_cluster
-  target_revision        = var.target_revision
-  cluster_issuer         = var.cluster_issuer
-  deep_merge_append_list = var.deep_merge_append_list
-  enable_service_monitor = var.enable_service_monitor
-  app_autosync           = var.app_autosync
-  dependency_ids         = var.dependency_ids
+  cluster_name            = var.cluster_name
+  base_domain             = var.base_domain
+  subdomain               = var.subdomain
+  argocd_project          = var.argocd_project
+  argocd_labels           = var.argocd_labels
+  destination_cluster     = var.destination_cluster
+  target_revision         = var.target_revision
+  cluster_issuer          = var.cluster_issuer
+  deep_merge_append_list  = var.deep_merge_append_list
+  enable_service_monitor  = var.enable_service_monitor
+  app_autosync            = var.app_autosync
+  dependency_ids          = var.dependency_ids
+  enable_network_policies = var.enable_network_policies
 
   resources = var.resources
 

locals.tf

@@ -44,7 +44,7 @@ locals {
           limits   = { for k, v in var.resources.storegateway.limits : k => v if v != null }
         }
         networkPolicy = {
-          enabled = false
+          enabled = var.enable_network_policies
         }
         extraFlags = [
           # Store Gateway index cache config -> https://thanos.io/tip/components/store.md/#index-cache
@@ -84,7 +84,7 @@ locals {
           limits   = { for k, v in var.resources.query.limits : k => v if v != null }
         }
         networkPolicy = {
-          enabled = false
+          enabled = var.enable_network_policies
         }
       }
 
@@ -108,7 +108,7 @@ locals {
           size = local.thanos.compactor_persistence_size
         }
         networkPolicy = {
-          enabled = false
+          enabled = var.enable_network_policies
         }
       }
 
@@ -200,7 +200,25 @@ locals {
           }]
         }
         networkPolicy = {
-          enabled = false
+          enabled = var.enable_network_policies
+          extraIngress = var.enable_network_policies ? [
+            {
+              from = [{
+                namespaceSelector = {
+                  matchLabels = {
+                    "kubernetes.io/metadata.name" = "traefik"
+                  }
+                }
+                },
+                {
+                  podSelector = {
+                    matchLabels = {
+                      "app" = "traefik"
+                    }
+                  }
+              }]
+            }
+          ] : []
         }
       }
 
@@ -334,17 +352,35 @@ locals {
           }]
         }
         networkPolicy = {
-          enabled = false
+          enabled = var.enable_network_policies
+          extraIngress = var.enable_network_policies ? [
+            {
+              from = [{
+                namespaceSelector = {
+                  matchLabels = {
+                    "kubernetes.io/metadata.name" = "traefik"
+                  }
+                }
+                },
+                {
+                  podSelector = {
+                    matchLabels = {
+                      "app" = "traefik"
+                    }
+                  }
+              }]
+            }
+          ] : []
         }
       }
       receive = {
         networkPolicy = {
-          enabled = false
+          enabled = var.enable_network_policies
         }
       }
       ruler = {
         networkPolicy = {
-          enabled = false
+          enabled = var.enable_network_policies
         }
       }
     }

sks/README.adoc

@@ -344,6 +344,14 @@ Type: `bool`
 
 Default: `false`
 
+==== [[input_enable_network_policies]] <<input_enable_network_policies,enable_network_policies>>
+
+Description: Enable or disable network policy for Thanos components.
+
+Type: `bool`
+
+Default: `false`
+
 === Outputs
 
 The following outputs are exported:
@@ -587,6 +595,12 @@ object({
 |`false`
 |no
 
+|[[input_enable_network_policies]] <<input_enable_network_policies,enable_network_policies>>
+|Enable or disable network policy for Thanos components.
+|`bool`
+|`false`
+|no
+
 |===
 
 = Outputs

sks/main.tf

@@ -1,18 +1,19 @@
 module "thanos" {
   source = "../"
 
-  cluster_name           = var.cluster_name
-  base_domain            = var.base_domain
-  subdomain              = var.subdomain
-  argocd_project         = var.argocd_project
-  argocd_labels          = var.argocd_labels
-  destination_cluster    = var.destination_cluster
-  target_revision        = var.target_revision
-  cluster_issuer         = var.cluster_issuer
-  deep_merge_append_list = var.deep_merge_append_list
-  enable_service_monitor = var.enable_service_monitor
-  app_autosync           = var.app_autosync
-  dependency_ids         = var.dependency_ids
+  cluster_name            = var.cluster_name
+  base_domain             = var.base_domain
+  subdomain               = var.subdomain
+  argocd_project          = var.argocd_project
+  argocd_labels           = var.argocd_labels
+  destination_cluster     = var.destination_cluster
+  target_revision         = var.target_revision
+  cluster_issuer          = var.cluster_issuer
+  deep_merge_append_list  = var.deep_merge_append_list
+  enable_service_monitor  = var.enable_service_monitor
+  app_autosync            = var.app_autosync
+  dependency_ids          = var.dependency_ids
+  enable_network_policies = var.enable_network_policies
 
   resources = var.resources
 

variables.tf

@@ -174,3 +174,9 @@ variable "enable_service_monitor" {
   type        = bool
   default     = false
 }
+
+variable "enable_network_policies" {
+  description = "Enable or disable network policy for Thanos components."
+  type        = bool
+  default     = false
+}