feat: add namespaces chart

morremeyer · morremeyer · commit 50414c3423b1 · 2021-05-24T16:02:00.000+02:00
diff --git a/charts/namespaces/.helmignore b/charts/namespaces/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/namespaces/Chart.yaml b/charts/namespaces/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: namespaces
+description: Deploy namespaces with (default) networkpolicies
+type: application
+version: 0.1.0
diff --git a/charts/namespaces/README.md b/charts/namespaces/README.md
@@ -0,0 +1,43 @@
+# namespaces
+
+Deploy namespaces with (default) networkpolicies
+
+## Example
+
+```yaml
+# Disable all NetworkPolicies
+disableNetworkPolicies: false
+
+defaultNetworkPolicies:
+  # Deny all egress traffic
+  - name: default-policy
+    spec:
+      podSelector:
+        matchLabels:
+          role: db
+      policyTypes:
+        - Egress
+
+namespaces:
+  - name: test
+    labels:
+      meta.mor.re/testlabel: hallo
+    networkPolicies:
+      - name: testpolicy
+        spec:
+          podSelector:
+            matchLabels:
+              role: db
+
+  - name: no-policies
+    disableDefaultNetworkPolicies: true
+```
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| defaultNetworkPolicies | list | `[]` | NetworkPolicies that will be applied to all namespaces |
+| disableNetworkPolicies | bool | `false` | Switch to disable all NetworkPolicies |
+| namespaces | list | `[]` | List of namespaces to deploy |
+
diff --git a/charts/namespaces/README.md.gotmpl b/charts/namespaces/README.md.gotmpl
@@ -0,0 +1,41 @@
+{{ template "chart.header" . }}
+{{ template "chart.description" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+## Example
+
+```yaml
+# Disable all NetworkPolicies
+disableNetworkPolicies: false
+
+defaultNetworkPolicies:
+  # Deny all egress traffic
+  - name: default-policy
+    spec:
+      podSelector:
+        matchLabels:
+          role: db
+      policyTypes:
+        - Egress
+
+namespaces:
+  - name: test
+    labels:
+      meta.mor.re/testlabel: hallo
+    networkPolicies:
+      - name: testpolicy
+        spec:
+          podSelector:
+            matchLabels:
+              role: db
+
+  - name: no-policies
+    disableDefaultNetworkPolicies: true
+```
+
+{{ template "chart.valuesSection" . }}
+
+{{ template "chart.maintainersSection" . }}
diff --git a/charts/namespaces/templates/_helpers.tpl b/charts/namespaces/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "namespaces.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "namespaces.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "namespaces.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "namespaces.labels" -}}
+helm.sh/chart: {{ include "namespaces.chart" . }}
+{{ include "namespaces.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "namespaces.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "namespaces.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "namespaces.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "namespaces.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/namespaces/templates/namespace.yaml b/charts/namespaces/templates/namespace.yaml
@@ -0,0 +1,15 @@
+{{- $labels := include "namespaces.labels" . -}}
+{{- range $.Values.namespaces }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .name }}
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    {{- $labels | nindent 4 }}
+  {{- with .labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/namespaces/templates/networkpolicy.yaml b/charts/namespaces/templates/networkpolicy.yaml
@@ -0,0 +1,27 @@
+{{ if not .Values.disableNetworkPolicies }}
+{{- range $.Values.namespaces }}
+{{- $namespaceName := .name -}}
+{{- if not .disableDefaultNetworkPolicies -}}
+{{- range $.Values.defaultNetworkPolicies }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .name }}
+  namespace: {{ $namespaceName }}
+spec:
+  {{- toYaml .spec | nindent 2}}
+{{- end }}
+{{- end }}
+{{- range .networkPolicies }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .name }}
+  namespace: {{ $namespaceName }}
+spec:
+  {{- toYaml .spec | nindent 2}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/namespaces/values.yaml b/charts/namespaces/values.yaml
@@ -0,0 +1,8 @@
+# -- List of namespaces to deploy
+namespaces: []
+
+# -- NetworkPolicies that will be applied to all namespaces
+defaultNetworkPolicies: []
+
+# -- Switch to disable all NetworkPolicies
+disableNetworkPolicies: false
