* fix(helm chart): allow egress in server Network Policies to Apollo
The Cilium and Kubernetes network policies currently do not allow egress from the server to Apollo
for graphql monitoring.
Kubernetes Network Policies don't allow domain names. We have an open support ticket with Apollo
Studio to request which CIDR to limit egress to. Until then, we will need to open egress to
everywhere if a Kubernetes Network Policy is used.
* fix(helm chart): remove unused values from helm chart
Previous commit introduced two additional values that are not being used for s3. This commit
removes them.
* Looks up domain or IP from secret for redis and postgres
- undertakes a kubectl get on the secret. The user or service account that deploys helm must have permissions to view the secret.
- fix: matchName for domain instead of matchPattern
- fix: typo in protocol
* Only allow monitoring ingress if monitoring is enabled
* Port can be determined from the provided secret
- updates values.yaml to only require port for postgres and redis for inCluster endpoints
* feat(helm chart): deploys Cilium Network Policies when configured
Cilium Network Policies provide more features over regular Kubernetes Network Policies, but Cilium
is not available everywhere. When selected by an operator, Cilium Network Policies will be deployed
instead of Kubernetes Network Policies.
Fixes https://github.com/specklesystems/speckle-server/issues/913
* Cilium Network Policy for fileimport service.
* tested only for external host.
* Still to test internal pod and external IP.
* Cilium network policy for file import service restricts DNS
* allows egress to service instead of endpoint
* file import service uses service url of speckle-server
* helper functions for server and dns
* DRY the prometheus selector
* CiliumNetworkPolicy for frontend
* CiliumNetworkPolicy for monitoring service
* CiliumNetworkPolicy for preview service
* CiliumNetworkPolicy for test
* CiliumNetworkPolicy for webhook_service
* CiliumNetworkPolicy for Server
* Test should egress to domain, not internally
* Test should be in tests directory to match Helm convention for tests
* Test should explicitly deny ingress from everywhere
* Server needs to egress to canonical domain (i.e. itself)
- DNS and egress for canonical domain added to Server
- As Test also egresses via canonical domain to access Server, we do not require the intra-cluster ingress to the server from the test pod
- Explicitly deny all egress from frontend
* WIP update to schema.json
* Breaking Change: inCluster network policies supported for cilium
* Breaking change: kubernetes network policy podSelector and namespaceSelector are now at a different level
* Updates schema.json
* add notes to remove egress once bug is fixed
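As an added illustration of the Cilium egress approach described in these commits (DNS restricted to the names a pod needs, egress allowed by FQDN rather than by CIDR), the following minimal CiliumNetworkPolicy is example configuration, not a template from this chart; the policy name, pod label, namespace and domain are placeholders.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: example-server-egress        # placeholder name
  namespace: example                 # placeholder namespace
spec:
  endpointSelector:
    matchLabels:
      app: example-server            # placeholder pod label
  egress:
    # DNS must be sent through the Cilium DNS proxy for toFQDNs to work,
    # and only the canonical domain may be resolved from this pod.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              # matchName is an exact name; matchPattern is for wildcards such as "*.example.com"
              - matchName: speckle.example.com   # placeholder canonical domain
    # Egress to the canonical domain by name; Cilium maps the resolved IPs
    # to this rule, so no CIDR has to be known in advance.
    - toFQDNs:
        - matchName: speckle.example.com         # placeholder canonical domain
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

Because the DNS rule and the toFQDNs rule must name the same host, a pod that resolves a name it is not allowed to reach fails at lookup time, which is visible in Cilium's DNS proxy logs rather than as a silent connection drop.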