feat!: allow [templating of network policies](./docs/networking.md) in the UDS Package

README.md

@@ -41,6 +41,7 @@ Object Storage works a bit differently as there are many kinds of file stores Gi
   - `backups`
     - This key refers to the configuration for the gitlab-toolbox backup tool. It relies on a program called `s3cmd`. The documentation for what goes in this key is located [here](https://s3tools.org/kb/item14.htm)
 - Below are the list of buckets that need to be created before starting GitLab:
+
 ```yaml
   - uds-gitlab-pages
   - uds-gitlab-registry
@@ -55,6 +56,7 @@ Object Storage works a bit differently as there are many kinds of file stores Gi
   - uds-gitlab-backups
   - uds-gitlab-tmp
 ```
+
 - These buckets can have a suffix applied via the `BUCKET_SUFFIX` Zarf variable (e.g. `-some-deployment-name` plus `uds-gitlab-backups` would be `uds-gitlab-backups-some-deployment-name`)
 
 ## Flavors

charts/config/Chart.yaml

@@ -15,4 +15,4 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0

charts/config/templates/uds-package.yaml

@@ -14,7 +14,7 @@ spec:
   network:
     expose:
       - service: gitlab-webservice-default
-        podLabels:
+        selector:
           app: webservice
         host: gitlab
         gateway: tenant
@@ -26,7 +26,7 @@ spec:
         gateway: tenant
         port: 8090
       - service: gitlab-registry
-        podLabels:
+        selector:
           app: registry
         host: registry
         gateway: tenant
@@ -37,53 +37,164 @@ spec:
 
       - direction: Ingress
         # todo: this should be scoped when we know where the runner is
-        podLabels:
+        selector:
           app: webservice
         port: 8181
         description: "Runner Ingress Workhorse"
 
       - direction: Ingress
         remoteNamespace: monitoring
-        remotePodLabels:
+        remoteSelector:
           app: prometheus
-        podLabels:
+        selector:
           app: gitlab-exporter
         port: 9168
         description: "Monitoring Exporter"
 
       - direction: Ingress
-        podLabels:
+        selector:
           app: runner
         remoteNamespace: monitoring
-        remotePodLabels:
+        remoteSelector:
           app: prometheus
 
         port: 9252
         description: "Monitoring Runner"
 
       - direction: Egress
-        podLabels:
+        selector:
           app: registry
+        {{- if .Values.storage.internal }}
+        remoteNamespace: {{ .Values.storage.namespace | quote }}
+        remoteSelector:
+          {{ .Values.storage.selector | toYaml | nindent 10 }}
+        port: {{ .Values.storage.port }}
+        {{- else }}
         remoteGenerated: Anywhere
+        {{- end }}
         description: "Registry Storage"
 
+      # Sidekiq Netpols 
       - direction: Egress
-        podLabels:
+        selector:
           app: sidekiq
+        {{- if .Values.storage.internal }}
+        remoteNamespace: {{ .Values.storage.namespace | quote }}
+        remoteSelector:
+          {{ .Values.storage.selector | toYaml | nindent 10 }}
+        port: {{ .Values.storage.port }}
+        {{- else }}
         remoteGenerated: Anywhere
+        {{- end }}
         description: "Sidekiq Storage"
 
       - direction: Egress
-        podLabels:
+        selector:
+          app: sidekiq
+        {{- if .Values.redis.internal }}
+        remoteNamespace: {{ .Values.redis.namespace | quote }}
+        remoteSelector:
+          {{ .Values.redis.selector | toYaml | nindent 10 }}
+        port: {{ .Values.redis.port }}
+        {{- else }}
+        remoteGenerated: Anywhere
+        {{- end }}
+        description: "Sidekiq Redis"
+
+      - direction: Egress
+        selector:
+          app: sidekiq
+        {{- if .Values.postgres.internal }}
+        remoteNamespace: {{ .Values.postgres.namespace | quote }}
+        remoteSelector:
+          {{ .Values.postgres.selector | toYaml | nindent 10 }}
+        port: {{ .Values.postgres.port }}
+        {{- else }}
+        remoteGenerated: Anywhere
+        {{- end }}
+        description: "Sidekiq Postgres"
+
+      # Migrations Netpols
+      - direction: Egress
+        selector:
           app: migrations
+        {{- if .Values.storage.internal }}
+        remoteNamespace: {{ .Values.storage.namespace | quote }}
+        remoteSelector:
+          {{ .Values.storage.selector | toYaml | nindent 10 }}
+        port: {{ .Values.storage.port }}
+        {{- else }}
         remoteGenerated: Anywhere
+        {{- end }}
         description: "Migrations Storage"
-      
+
       - direction: Egress
-        podLabels:
+        selector:
+          app: migrations
+        {{- if .Values.postgres.internal }}
+        remoteNamespace: {{ .Values.postgres.namespace | quote }}
+        remoteSelector:
+          {{ .Values.postgres.selector | toYaml | nindent 10 }}
+        port: {{ .Values.postgres.port }}
+        {{- else }}
+        remoteGenerated: Anywhere
+        {{- end }}
+        description: "Migrations Postgres"
+
+      - direction: Egress
+        selector:
+          app: migrations
+        {{- if .Values.redis.internal }}
+        remoteNamespace: {{ .Values.redis.namespace | quote }}
+        remoteSelector:
+          {{ .Values.redis.selector | toYaml | nindent 10 }}
+        port: {{ .Values.redis.port }}
+        {{- else }}
+        remoteGenerated: Anywhere
+        {{- end }}
+        description: "Migrations Redis"
+
+      # Toolbox Netpols
+      - direction: Egress
+        selector:
+          app: toolbox
+        {{- if .Values.storage.internal }}
+        remoteNamespace: {{ .Values.storage.namespace | quote }}
+        remoteSelector:
+          {{ .Values.storage.selector | toYaml | nindent 10 }}
+        port: {{ .Values.storage.port }}
+        {{- else }}
+        remoteGenerated: Anywhere
+        {{- end }}
+        description: "Toolbox Storage"
+
+      - direction: Egress
+        selector:
           app: toolbox
+        {{- if .Values.postgres.internal }}
+        remoteNamespace: {{ .Values.postgres.namespace | quote }}
+        remoteSelector:
+          {{ .Values.postgres.selector | toYaml | nindent 10 }}
+        port: {{ .Values.postgres.port }}
+        {{- else }}
         remoteGenerated: Anywhere
-        description: "Toolbox egress to database, redis and storage"
+        {{- end }}
+        description: "Toolbox Postgres"
+
+      - direction: Egress
+        selector:
+          app: toolbox
+        {{- if .Values.redis.internal }}
+        remoteNamespace: {{ .Values.redis.namespace | quote }}
+        remoteSelector:
+          {{ .Values.redis.selector | toYaml | nindent 10 }}
+        port: {{ .Values.redis.port }}
+        {{- else }}
+        remoteGenerated: Anywhere
+        {{- end }}
+        description: "Toolbox Redis"
+
+
 
       - direction: Egress
         remoteGenerated: IntraNamespace
@@ -94,31 +205,74 @@ spec:
 
       - direction: Egress
         remoteNamespace: tempo
-        remotePodLabels:
+        remoteSelector:
           app.kubernetes.io/name: tempo
         port: 9411
         description: "Tempo"
 
+      # Webservice Netpols
       - direction: Egress
-        podLabels:
+        selector:
           app: webservice
         port: 443
         description: "SSO"
 
       - direction: Egress
-        podLabels:
+        selector:
           app: webservice
+        {{- if .Values.storage.internal }}
+        remoteNamespace: {{ .Values.storage.namespace | quote }}
+        remoteSelector:
+          {{ .Values.storage.selector | toYaml | nindent 10 }}
+        port: {{ .Values.storage.port }}
+        {{- else }}
         remoteGenerated: Anywhere
+        {{- end }}
         description: "Webservice Storage"
 
+      - direction: Egress
+        selector:
+          app: webservice
+        {{- if .Values.redis.internal }}
+        remoteNamespace: {{ .Values.redis.namespace | quote }}
+        remoteSelector:
+          {{ .Values.redis.selector | toYaml | nindent 10 }}
+        port: {{ .Values.redis.port }}
+        {{- else }}
+        remoteGenerated: Anywhere
+        {{- end }}
+        description: "Webservice Redis"
+
+      - direction: Egress
+        selector:
+          app: webservice
+        {{- if .Values.postgres.internal }}
+        remoteNamespace: {{ .Values.postgres.namespace | quote }}
+        remoteSelector:
+          {{ .Values.postgres.selector | toYaml | nindent 10 }}
+        port: {{ .Values.postgres.port }}
+        {{- else }}
+        remoteGenerated: Anywhere
+        {{- end }}
+        description: "Webservice Postgres"
+
+
+      # Gitlab Pages
       - direction: Ingress
         podLabels:
           app: gitlab-pages
         port: 8090
         description: GitLab Pages Ingress
 
       - direction: Egress
-        podLabels:
+        selector:
           app: gitlab-pages
+        {{- if .Values.storage.internal }}
+        remoteNamespace: {{ .Values.storage.namespace | quote }}
+        remoteSelector:
+          {{ .Values.storage.selector | toYaml | nindent 10 }}
+        port: {{ .Values.storage.port }}
+        {{- else }}
         remoteGenerated: Anywhere
-        description: "GitLab Pages Storage"
+        {{- end }}
+        description: "Gitlab Pages Storage"

charts/config/values.yaml

@@ -1,2 +1,26 @@
 domain: "###ZARF_VAR_DOMAIN###"
 sso: true
+# storage:
+#   internal: false
+# redis:
+#   internal: false
+# postgres:
+#   internal: false
+storage:
+  internal: true
+  selector:
+    app: minio
+  namespace: dev-minio
+  port: 9000
+redis:
+  internal: true
+  selector:
+    app.kubernetes.io/name: redis
+  namespace: dev-redis
+  port: 6379
+postgres:
+  internal: true
+  selector:
+    cluster-name: pg-cluster
+  namespace: postgres
+  port: 5432

common/zarf.yaml

@@ -10,7 +10,7 @@ components:
     charts:
       - name: uds-gitlab-config
         namespace: gitlab
-        version: 0.1.0
+        version: 0.2.0
         localPath: ../charts/config
       - name: uds-gitlab-sso
         namespace: gitlab