Add network-policies helm release (#507)

* Add network-policies helm release

* adjust value path

* adjust other values

* normalize schema

* Update CHANGELOG

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Add network-policies helm release.
+
 ## [0.61.0] - 2024-02-12
 
 ### Changed

helm/cluster-aws/README.md

@@ -93,6 +93,7 @@ Properties within the `.global.connectivity` object
 | `global.connectivity.dns` | **DNS**|**Type:** `object`<br/>|
 | `global.connectivity.dns.resolverRulesOwnerAccount` | **Resolver rules owner** - ID of the AWS account that created the resolver rules to be associated with the workload cluster VPC.|**Type:** `string`<br/>|
 | `global.connectivity.network` | **Network**|**Type:** `object`<br/>|
+| `global.connectivity.network.allowAllEgress` | **Allow all egress**|**Type:** `boolean`<br/>**Default:** `false`|
 | `global.connectivity.network.internetGatewayId` | **Internet Gateway ID** - ID of the Internet gateway for the VPC.|**Type:** `string`<br/>|
 | `global.connectivity.network.pods` | **Pods**|**Type:** `object`<br/>|
 | `global.connectivity.network.pods.cidrBlocks` | **Pod subnets**|**Type:** `array`<br/>**Default:** `["100.64.0.0/12"]`|

helm/cluster-aws/templates/netpol-helmrelease.yaml

@@ -0,0 +1,48 @@
+{{- if not .Values.global.connectivity.network.allowAllEgress }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: {{ include "resource.default.name" $ }}-network-policies
+  namespace: {{ $.Release.Namespace }}
+  annotations:
+    cluster.giantswarm.io/description: "{{ .Values.global.metadata.description }}"
+  labels:
+    {{- include "labels.common" . | nindent 4 }}
+spec:
+  releaseName: network-policies
+  targetNamespace: kube-system
+  storageNamespace: kube-system
+  chart:
+    spec:
+      chart: network-policies
+      version: 0.0.3
+      sourceRef:
+        kind: HelmRepository
+        name: {{ include "resource.default.name" $ }}-cluster
+  dependsOn:
+    - name: {{ include "resource.default.name" $ }}-cilium
+      namespace: {{ $.Release.Namespace }}
+  kubeConfig:
+    secretRef:
+      name: {{ include "resource.default.name" $ }}-kubeconfig
+  interval: 1m
+  install:
+    remediation:
+      retries: 30
+  # Default values
+  # https://github.com/giantswarm/network-policies-app/blob/main/helm/network-policies-app/values.yaml
+  # values:
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: {{ include "resource.default.name" $ }}-cluster
+  namespace: {{ $.Release.Namespace }}
+  annotations:
+    cluster.giantswarm.io/description: "{{ .Values.clusterDescription }}"
+  labels:
+    {{- include "labels.common" . | nindent 4 }}
+spec:
+  interval: 10m
+  url: https://giantswarm.github.io/cluster-catalog
+{{- end }}

helm/cluster-aws/values.schema.json

@@ -528,6 +528,11 @@
                             "type": "object",
                             "title": "Network",
                             "properties": {
+                                "allowAllEgress": {
+                                    "type": "boolean",
+                                    "title": "Allow all egress",
+                                    "default": false
+                                },
                                 "internetGatewayId": {
                                     "type": "string",
                                     "title": "Internet Gateway ID",

helm/cluster-aws/values.yaml

@@ -127,6 +127,7 @@ global:
     availabilityZoneUsageLimit: 3
     dns: {}
     network:
+      allowAllEgress: false
       pods:
         cidrBlocks:
           - 100.64.0.0/12