feat!: allow [templating of network policies](./docs/networking.md) i…

…n the UDS Package (#110)

## Description

Adds templating for internal vs external services in the netpol section
of the uds package CR

## Related Issue

Fixes #
[78](#78)

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide
Steps](https://github.com/defenseunicorns/uds-package-gitlab/blob/main/CONTRIBUTING.md#developer-workflow)
followed

---------

Co-authored-by: Wayne Starr <[email protected]>

README.md

@@ -10,7 +10,13 @@ This package is designed for use as part of a [UDS Software Factory](https://git
 
 The GitLab Package expects to be deployed on top of [UDS Core](https://github.com/defenseunicorns/uds-core) with the dependencies listed below being configured prior to deployment.
 
-> :warning: **NOTE**: Some GitLab features (such as GitLab pages) will also require a [GitLab runner](https://github.com/defenseunicorns/uds-package-gitlab-runner) along with additional configuration such as an additional certificate SAN for `*.pages.<your-domain>`.
+> [!IMPORTANT]
+> **NOTE**: Some GitLab features (such as GitLab pages) will also require a [GitLab runner](https://github.com/defenseunicorns/uds-package-gitlab-runner) along with additional configuration such as an additional certificate SAN for `*.pages.<your-domain>`.
+
+GitLab is configured by default to assume the internal dependencies that are used for testing (see minio, redis and postgres in the [bundle](bundle/uds-bundle.yaml)).
+
+> [!IMPORTANT]
+> If you are using different internal services, cloud services or a mix you will have to configure values in the config chart accordingly via bundle overrides. See the networking [docs](docs/networking.md) for details
 
 #### Database
 
@@ -41,6 +47,7 @@ Object Storage works a bit differently as there are many kinds of file stores Gi
   - `backups`
     - This key refers to the configuration for the gitlab-toolbox backup tool. It relies on a program called `s3cmd`. The documentation for what goes in this key is located [here](https://s3tools.org/kb/item14.htm)
 - Below are the list of buckets that need to be created before starting GitLab:
+
 ```yaml
   - uds-gitlab-pages
   - uds-gitlab-registry
@@ -55,16 +62,20 @@ Object Storage works a bit differently as there are many kinds of file stores Gi
   - uds-gitlab-backups
   - uds-gitlab-tmp
 ```
+
 - These buckets can have a suffix applied via the `BUCKET_SUFFIX` Zarf variable (e.g. `-some-deployment-name` plus `uds-gitlab-backups` would be `uds-gitlab-backups-some-deployment-name`)
 
+
+
 ## Flavors
 
 | Flavor | Description | Example Creation |
 | ------ | ----------- | ---------------- |
 | upstream | Uses upstream images within the package. | `zarf package create . -f upstream` |
 | registry1 | Uses images from registry1.dso.mil within the package. | `zarf package create . -f registry1` |
 
-> :warning: **Note:** To create the registry1 flavor you will need to be logged into Iron Bank - you can find instructions on how to do this in the [Big Bang Zarf Tutorial](https://docs.zarf.dev/docs/zarf-tutorials/big-bang#setup).
+> [!IMPORTANT]
+> **NOTE:** To create the registry1 flavor you will need to be logged into Iron Bank - you can find instructions on how to do this in the [Big Bang Zarf Tutorial](https://docs.zarf.dev/tutorials/6-big-bang/#setup).
 
 ## Releases
 
@@ -74,7 +85,8 @@ The released packages can be found in [ghcr](https://github.com/defenseunicorns/
 
 *For local dev, this requires you install [uds-cli](https://github.com/defenseunicorns/uds-cli?tab=readme-ov-file#install)
 
-> :white_check_mark: **Tip:** To get a list of tasks to run you can use `uds run --list`!
+> [!TIP]
+> To get a list of tasks to run you can use `uds run --list`!
 
 ## Contributing
 

charts/config/Chart.yaml

@@ -15,4 +15,4 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0

charts/config/templates/uds-package.yaml

@@ -14,19 +14,19 @@ spec:
   network:
     expose:
       - service: gitlab-webservice-default
-        podLabels:
+        selector:
           app: webservice
         host: gitlab
         gateway: tenant
         port: 8181
       - service: gitlab-gitlab-pages
-        podLabels:
+        selector:
           app: gitlab-pages
         host: "*.pages"
         gateway: tenant
         port: 8090
       - service: gitlab-registry
-        podLabels:
+        selector:
           app: registry
         host: registry
         gateway: tenant
@@ -35,90 +35,236 @@ spec:
       - direction: Ingress
         remoteGenerated: IntraNamespace
 
+    # ingress from runner only if runner lives in cluster. Otherwise, it goes through the gateway
+    {{- if .Values.runner.internal }}
       - direction: Ingress
-        # todo: this should be scoped when we know where the runner is
-        podLabels:
+        selector:
           app: webservice
+        remoteNamespace: {{ .Values.runner.namespace | quote }}
+        remoteSelector:
+          {{ .Values.runner.selector | toYaml | nindent 10 }}
         port: 8181
         description: "Runner Ingress Workhorse"
+    {{- end }}
 
       - direction: Ingress
         remoteNamespace: monitoring
-        remotePodLabels:
+        remoteSelector:
           app: prometheus
-        podLabels:
+        selector:
           app: gitlab-exporter
         port: 9168
         description: "Monitoring Exporter"
 
-      - direction: Ingress
-        podLabels:
-          app: runner
-        remoteNamespace: monitoring
-        remotePodLabels:
-          app: prometheus
-
-        port: 9252
-        description: "Monitoring Runner"
-
       - direction: Egress
-        podLabels:
+        selector:
           app: registry
+        {{- if .Values.storage.internal }}
+        remoteNamespace: {{ .Values.storage.namespace | quote }}
+        remoteSelector:
+          {{ .Values.storage.selector | toYaml | nindent 10 }}
+        port: {{ .Values.storage.port }}
+        {{- else }}
         remoteGenerated: Anywhere
+        {{- end }}
         description: "Registry Storage"
 
+      # Sidekiq Netpols 
       - direction: Egress
-        podLabels:
+        selector:
           app: sidekiq
+        {{- if .Values.storage.internal }}
+        remoteNamespace: {{ .Values.storage.namespace | quote }}
+        remoteSelector:
+          {{ .Values.storage.selector | toYaml | nindent 10 }}
+        port: {{ .Values.storage.port }}
+        {{- else }}
         remoteGenerated: Anywhere
+        {{- end }}
         description: "Sidekiq Storage"
 
       - direction: Egress
-        podLabels:
+        selector:
+          app: sidekiq
+        {{- if .Values.redis.internal }}
+        remoteNamespace: {{ .Values.redis.namespace | quote }}
+        remoteSelector:
+          {{ .Values.redis.selector | toYaml | nindent 10 }}
+        port: {{ .Values.redis.port }}
+        {{- else }}
+        remoteGenerated: Anywhere
+        {{- end }}
+        description: "Sidekiq Redis"
+
+      - direction: Egress
+        selector:
+          app: sidekiq
+        {{- if .Values.postgres.internal }}
+        remoteNamespace: {{ .Values.postgres.namespace | quote }}
+        remoteSelector:
+          {{ .Values.postgres.selector | toYaml | nindent 10 }}
+        port: {{ .Values.postgres.port }}
+        {{- else }}
+        remoteGenerated: Anywhere
+        {{- end }}
+        description: "Sidekiq Postgres"
+
+      # Migrations Netpols
+      - direction: Egress
+        selector:
           app: migrations
+        {{- if .Values.postgres.internal }}
+        remoteNamespace: {{ .Values.postgres.namespace | quote }}
+        remoteSelector:
+          {{ .Values.postgres.selector | toYaml | nindent 10 }}
+        port: {{ .Values.postgres.port }}
+        {{- else }}
         remoteGenerated: Anywhere
-        description: "Migrations Storage"
-
+        {{- end }}
+        description: "Migrations Postgres"
+
       - direction: Egress
-        podLabels:
+        selector:
+          app: migrations
+        {{- if .Values.redis.internal }}
+        remoteNamespace: {{ .Values.redis.namespace | quote }}
+        remoteSelector:
+          {{ .Values.redis.selector | toYaml | nindent 10 }}
+        port: {{ .Values.redis.port }}
+        {{- else }}
+        remoteGenerated: Anywhere
+        {{- end }}
+        description: "Migrations Redis"
+
+      # Toolbox Netpols
+      - direction: Egress
+        selector:
           app: toolbox
+        {{- if .Values.storage.internal }}
+        remoteNamespace: {{ .Values.storage.namespace | quote }}
+        remoteSelector:
+          {{ .Values.storage.selector | toYaml | nindent 10 }}
+        port: {{ .Values.storage.port }}
+        {{- else }}
         remoteGenerated: Anywhere
-        description: "Toolbox egress to database, redis and storage"
+        {{- end }}
+        description: "Toolbox Storage"
 
+      - direction: Egress
+        selector:
+          app: toolbox
+        {{- if .Values.postgres.internal }}
+        remoteNamespace: {{ .Values.postgres.namespace | quote }}
+        remoteSelector:
+          {{ .Values.postgres.selector | toYaml | nindent 10 }}
+        port: {{ .Values.postgres.port }}
+        {{- else }}
+        remoteGenerated: Anywhere
+        {{- end }}
+        description: "Toolbox Postgres"
+
+      - direction: Egress
+        selector:
+          app: toolbox
+        {{- if .Values.redis.internal }}
+        remoteNamespace: {{ .Values.redis.namespace | quote }}
+        remoteSelector:
+          {{ .Values.redis.selector | toYaml | nindent 10 }}
+        port: {{ .Values.redis.port }}
+        {{- else }}
+        remoteGenerated: Anywhere
+        {{- end }}
+        description: "Toolbox Redis"
+
+      # Gitlab Netpols
       - direction: Egress
         remoteGenerated: IntraNamespace
 
       - direction: Egress
-        # todo: this is over permissive, need to scope it down
+        selector:
+          app: gitlab
         remoteGenerated: KubeAPI
 
-      - direction: Egress
-        remoteNamespace: tempo
-        remotePodLabels:
-          app.kubernetes.io/name: tempo
-        port: 9411
-        description: "Tempo"
 
+      # Webservice Netpols
       - direction: Egress
-        podLabels:
+        selector:
           app: webservice
         port: 443
         description: "SSO"
 
       - direction: Egress
-        podLabels:
+        selector:
           app: webservice
+        {{- if .Values.storage.internal }}
+        remoteNamespace: {{ .Values.storage.namespace | quote }}
+        remoteSelector:
+          {{ .Values.storage.selector | toYaml | nindent 10 }}
+        port: {{ .Values.storage.port }}
+        {{- else }}
         remoteGenerated: Anywhere
+        {{- end }}
         description: "Webservice Storage"
 
+      - direction: Egress
+        selector:
+          app: webservice
+        {{- if .Values.redis.internal }}
+        remoteNamespace: {{ .Values.redis.namespace | quote }}
+        remoteSelector:
+          {{ .Values.redis.selector | toYaml | nindent 10 }}
+        port: {{ .Values.redis.port }}
+        {{- else }}
+        remoteGenerated: Anywhere
+        {{- end }}
+        description: "Webservice Redis"
+
+      - direction: Egress
+        selector:
+          app: webservice
+        {{- if .Values.postgres.internal }}
+        remoteNamespace: {{ .Values.postgres.namespace | quote }}
+        remoteSelector:
+          {{ .Values.postgres.selector | toYaml | nindent 10 }}
+        port: {{ .Values.postgres.port }}
+        {{- else }}
+        remoteGenerated: Anywhere
+        {{- end }}
+        description: "Webservice Postgres"
+
+
+      # Gitlab Pages
       - direction: Ingress
-        podLabels:
+        selector:
           app: gitlab-pages
         port: 8090
         description: GitLab Pages Ingress
 
       - direction: Egress
-        podLabels:
+        selector:
           app: gitlab-pages
+        {{- if .Values.storage.internal }}
+        remoteNamespace: {{ .Values.storage.namespace | quote }}
+        remoteSelector:
+          {{ .Values.storage.selector | toYaml | nindent 10 }}
+        port: {{ .Values.storage.port }}
+        {{- else }}
         remoteGenerated: Anywhere
-        description: "GitLab Pages Storage"
+        {{- end }}
+        description: "Gitlab Pages Storage"
+
+      # Custom rules for unanticipated scenarios
+      {{- range .Values.custom }}
+      - direction: {{ .direction }}
+        selector:
+          {{ .selector | toYaml | nindent 10 }}
+        {{- if not .remoteGenerated }}
+        remoteNamespace: {{ .remoteNamespace }}
+        remoteSelector:
+          {{ .remoteSelector | toYaml | nindent 10 }}
+        port: {{ .port }}
+        {{- else }}
+        remoteGenerated: {{ .remoteGenerated }}
+        {{- end }}
+        description: {{ .description }}
+      {{- end }}

charts/config/values.yaml

@@ -1,2 +1,44 @@
 domain: "###ZARF_VAR_DOMAIN###"
 sso: true
+storage:
+  # Set to false to use external storage
+  internal: true
+  selector:
+    app: minio
+  namespace: dev-minio
+  port: 9000
+redis:
+  # Set to false to use external redis
+  internal: true
+  selector:
+    app.kubernetes.io/name: redis
+  namespace: dev-redis
+  port: 6379
+postgres:
+  # Set to false to use external postgres
+  internal: true
+  selector:
+    cluster-name: pg-cluster
+  namespace: postgres
+  port: 5432
+runner:
+  internal: true
+  selector:
+    app: gitlab-runner
+  namespace: gitlab-runner
+# custom:
+#    # Notice no `remoteGenerated` field here on custom internal rule
+#   - direction: Ingress
+#     selector:
+#       app: jenkins
+#     remoteNamespace: jenkins
+#     remoteSelector:
+#       app: jenkins
+#     port: 8180
+#     description: "Ingress to Jenkins"
+#   # No `remoteNamespace`, `remoteSelector`, or `port` fields on rule to `remoteGenerated`
+#   - direction: Egress
+#     selector:
+#       app: webservice
+#     remoteGenerated: Anywhere
+#     description: "Egress from Webservice"