From 8b17f459a1371d1dfefbfaee87f31954857d4a2f Mon Sep 17 00:00:00 2001
From: chainchad <96362174+chainchad@users.noreply.github.com>
Date: Mon, 5 Feb 2024 18:06:54 -0500
Subject: [PATCH] Add helm network policies back (#11940)

* Re-add back network policies.

From commit: dc9a073ab7e67a66eed49dd74e6ac0da1787b24c

* Create network policies conditionally
---
 .../templates/chainlink-db-networkpolicy.yaml | 25 +++++++++++
 .../chainlink-node-networkpolicy.yaml         | 21 +++++++++
 .../templates/geth-networkpolicy.yaml         | 27 ++++++++++++
 .../templates/mockserver-networkpolicy.yaml   | 25 +++++++++++
 .../templates/networkpolicy-default.yaml      | 43 +++++++++++++++++++
 .../templates/runner-networkpolicy.yaml       | 21 +++++++++
 charts/chainlink-cluster/values.yaml          |  3 ++
 7 files changed, 165 insertions(+)
 create mode 100644 charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml
 create mode 100644 charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml
 create mode 100644 charts/chainlink-cluster/templates/geth-networkpolicy.yaml
 create mode 100644 charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml
 create mode 100644 charts/chainlink-cluster/templates/networkpolicy-default.yaml
 create mode 100644 charts/chainlink-cluster/templates/runner-networkpolicy.yaml

diff --git a/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml b/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml
new file mode 100644
index 00000000000..5f7e7706ced
--- /dev/null
+++ b/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-db
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ $.Release.Name }}-db
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        # Allow all node pods to access the database pods.
+        - podSelector:
+            matchLabels:
+              app: {{ $.Release.Name }}
+        # Allow all runner pods to access the database pods.
+        - podSelector:
+            matchLabels:
+              app: runner
+      ports:
+        - protocol: TCP
+          port: 5432
+{{- end }}
\ No newline at end of file
diff --git a/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml b/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml
new file mode 100644
index 00000000000..e63759a994f
--- /dev/null
+++ b/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-node
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ $.Release.Name }}
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow all ingress traffic between the node pods and from runner pod.
+    - from:
+      - podSelector:
+          matchLabels:
+            app: {{ $.Release.Name }}
+      - podSelector:
+          matchLabels:
+            app: runner
+{{- end }}
\ No newline at end of file
diff --git a/charts/chainlink-cluster/templates/geth-networkpolicy.yaml b/charts/chainlink-cluster/templates/geth-networkpolicy.yaml
new file mode 100644
index 00000000000..025d6184501
--- /dev/null
+++ b/charts/chainlink-cluster/templates/geth-networkpolicy.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-geth
+spec:
+  podSelector:
+    matchLabels:
+      app: geth
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        # Allow http and websocket connections from the node pods.
+        - podSelector:
+            matchLabels:
+              app: {{ $.Release.Name }}
+        # Allow http and websocket connections from the runner pods.
+        - podSelector:
+            matchLabels:
+              app: runner
+      ports:
+        - protocol: TCP
+          port: 8544
+        - protocol: TCP
+          port: 8546
+{{- end }}
\ No newline at end of file
diff --git a/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml b/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml
new file mode 100644
index 00000000000..6ac4f658e37
--- /dev/null
+++ b/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-mockserver
+spec:
+  podSelector:
+    matchLabels:
+      app: mockserver
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        # Allow http traffic from the node pods.
+        - podSelector:
+            matchLabels:
+              app: {{ $.Release.Name }}
+        # Allow http traffic from the runner pods.
+        - podSelector:
+            matchLabels:
+              app: runner
+      ports:
+        - protocol: TCP
+          port: 1080
+{{- end }}
\ No newline at end of file
diff --git a/charts/chainlink-cluster/templates/networkpolicy-default.yaml b/charts/chainlink-cluster/templates/networkpolicy-default.yaml
new file mode 100644
index 00000000000..a2cc23ed7f9
--- /dev/null
+++ b/charts/chainlink-cluster/templates/networkpolicy-default.yaml
@@ -0,0 +1,43 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default
+spec:
+  podSelector:
+    matchLabels: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+  {{- if and .Values.networkPolicyDefault.ingress.allowCustomCidrs (not (empty .Values.networkPolicyDefault.ingress.customCidrs)) }}
+  # Using a comma separated list to make it easy to pass in with:
+  # `helm template ... --set networkPolicyDefault.ingress.customCidrs=...`
+  {{- $cidrs := splitList "," .Values.networkPolicyDefault.ingress.customCidrs }}
+    - from:
+      {{- range $cidr := $cidrs }}
+      - ipBlock:
+          cidr: {{ $cidr | quote }}
+      {{- end }}
+  {{- else }}
+    # Deny all ingress if no rules are specified. Rules can still be specified in other templates.
+    - {}
+  {{- end }}
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: "{{ $.Release.Namespace }}"
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+{{- end }}
\ No newline at end of file
diff --git a/charts/chainlink-cluster/templates/runner-networkpolicy.yaml b/charts/chainlink-cluster/templates/runner-networkpolicy.yaml
new file mode 100644
index 00000000000..b75a2ffa772
--- /dev/null
+++ b/charts/chainlink-cluster/templates/runner-networkpolicy.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-runner
+spec:
+  podSelector:
+    matchLabels:
+      app: runner
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow all ingress traffic between the node pods and from runner pod.
+    - from:
+      - podSelector:
+          matchLabels:
+            app: {{ $.Release.Name }}
+      - podSelector:
+          matchLabels:
+            app: runner
+{{- end }}
\ No newline at end of file
diff --git a/charts/chainlink-cluster/values.yaml b/charts/chainlink-cluster/values.yaml
index 24914a40a91..3e58cbaea24 100644
--- a/charts/chainlink-cluster/values.yaml
+++ b/charts/chainlink-cluster/values.yaml
@@ -284,6 +284,9 @@ nodeSelector:
 tolerations:
 affinity:
 
+networkPolicies:
+  enabled: true
+
 # Configure the default network policy.
 networkPolicyDefault:
   ingress: