Helm Chart: Network Policies allow server egress to apollo (#965)

* fix(helm chart): allow egress in server Network Policies to Apollo

The Cilium and Kubernetes network policies currently do not allow egress from the server to Apollo
for graphql monitoring.

Kubernetes Network Policies do not support domain names as egress targets. We have an open support ticket with Apollo
Studio to request which CIDR to limit egress to. Until then, we will need to open egress to
everywhere if a Kubernetes Network Policy is used.
Iain Sproat
2022-08-25 15:08:25 +01:00
committed by GitHub
parent d6f6a64630
commit ab0c60ec57
3 changed files with 24 additions and 2 deletions
@@ -14,7 +14,7 @@ spec:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: {{ .Values.ingress.namespace }}
{{ include "speckle.ingress.selector.pod" $ | indent 12 }}
{{ include "speckle.ingress.selector.pod" $ | indent 12 }}
toPorts:
- ports:
- port: "www"
@@ -49,6 +49,9 @@ spec:
dns:
# TODO: remove egress to domain once https://github.com/specklesystems/speckle-server/issues/959 is fixed
- matchName: {{ .Values.domain }}
{{- if .Values.server.monitoring.apollo.enabled }}
- matchPattern: "*.api.apollographql.com"
{{- end }}
{{- if .Values.server.sentry_dns }}
# DNS lookup for sentry
- matchPattern: "*.ingest.sentry.io"
@@ -56,6 +59,14 @@ spec:
{{ include "speckle.networkpolicy.dns.postgres.cilium" $ | indent 14 }}
{{ include "speckle.networkpolicy.dns.redis.cilium" $ | indent 14 }}
{{ include "speckle.networkpolicy.dns.blob_storage.cilium" $ | indent 14 }}
{{- if .Values.server.monitoring.apollo.enabled }}
- toFQDNs:
- matchPattern: "*.api.apollographql.com"
toPorts:
- ports:
- port: "443"
protocol: TCP
{{- end }}
{{- if .Values.server.sentry_dns }}
# egress to sentry
- toCIDRSet:
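Review bot: The new `- toFQDNs:` rule guarded by `.Values.server.monitoring.apollo.enabled` has no comment naming its purpose, while the neighbouring sentry rule carries `# egress to sentry` and the matching DNS entry in the earlier hunk comments the sentry lookup with `# DNS lookup for sentry`. Add `# egress to Apollo Studio for graphql monitoring` above `- toFQDNs:` here and `# DNS lookup for Apollo Studio` above the `matchPattern: "*.api.apollographql.com"` entry in the dns hunk, so a reader does not have to trace the values guard to understand either rule. Note that a Cilium `*.api.apollographql.com` pattern matches subdomains only, not the apex name; this appears adequate if the server reports to subdomain endpoints, but worth confirming against the URL the server actually calls. The enclosing egress list starts and ends outside this hunk.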
@@ -63,6 +74,7 @@ spec:
toPorts:
- ports:
- port: "443"
protocol: TCP
{{- end }}
# postgres
{{ include "speckle.networkpolicy.egress.postgres.cilium" $ | indent 4 }}
@@ -73,7 +85,7 @@ spec:
# allow egress to the ingress for speckle-server, so it can call itself
# TODO: remove egress to domain once https://github.com/specklesystems/speckle-server/issues/959 is fixed
- toFQDNs:
- matchPattern: {{ .Values.domain }}
- matchName: {{ .Values.domain }}
toPorts:
- ports:
- port: "443"
@@ -23,6 +23,16 @@ spec:
ports:
- port: 53
protocol: UDP
{{- if .Values.server.monitoring.apollo.enabled }}
- to:
- ipBlock:
cidr: 0.0.0.0/0
# except to kubernetes pods or services
except:
- 10.0.0.0/8
ports:
- port: 443
{{- end }}
{{- if .Values.server.sentry_dns }}
# sentry.io https://docs.sentry.io/product/security/ip-ranges/#event-ingestion
- to:
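Review bot: The `except` list under `cidr: 0.0.0.0/0` excludes only `10.0.0.0/8`, so the comment `# except to kubernetes pods or services` holds only for clusters whose pod and service CIDRs sit inside that range; clusters using `172.16.0.0/12` or `192.168.0.0/16`, and the link-local range `169.254.0.0/16`, remain reachable on 443. Adding `- 172.16.0.0/12`, `- 192.168.0.0/16` and `- 169.254.0.0/16` to the except list keeps the comment truthful, and sourcing the excepted ranges from a chart value would let each cluster supply its own CIDRs. The temporary nature of the rule is recorded only in the commit message; a `# TODO: restrict to the Apollo CIDR once provided` comment above `- to:` would keep that visible in the template. For consistency with the Cilium rule, `protocol: TCP` could also be stated on the 443 port, though NetworkPolicy defaults to TCP when omitted.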