Add default global network policy

Author: YuryHrytsuk

charts/.gitignore

@@ -2,3 +2,5 @@ values.yaml
 values.*.yaml
 k8s_hosts.ini
 helmfile.y?ml
+
+*.tgz

charts/adminer/templates/networkpolicy.yaml

@@ -0,0 +1,20 @@
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: adminer-network-policy
+  labels:
+    {{- include "adminer.labels" . | nindent 4 }}
+spec:
+  selector: app.kubernetes.io/instance == "{{ .Release.Name }}"
+  ingress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - {{ .Values.service.port }}
+  egress:
+    - action: Allow
+      protocol: TCP
+      destination:
+        ports:
+          - 5432

charts/calico-configuration/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/calico-configuration/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: calico-configuration
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "3.26.4"

charts/calico-configuration/README.md

@@ -0,0 +1,4 @@
+## Observe network traffic
+
+https://docs.tigera.io/calico/latest/observability/enable-whisker
+https://docs.tigera.io/calico/3.30/observability/view-flow-logs

charts/calico-configuration/templates/NOTES.txt

@@ -0,0 +1 @@
+This chart configures Calico but does not deploy Calico itself. This is done via Kubespray during Kubernetes Cluster provisioning.

charts/calico-configuration/templates/globalpolicy.yaml

@@ -0,0 +1,26 @@
+# Source: https://docs.tigera.io/calico-enterprise/latest/network-policy/default-deny#best-practice-2-keep-the-scope-to-non-system-pods
+apiVersion: projectcalico.org/v3
+kind: GlobalNetworkPolicy
+metadata:
+  name: default-global-deny-network-policy
+spec:
+  # on local deployment, calico is installed in the `calico-system` namespace
+  # and the operator is in the `tigera-operator` namespace
+  namespaceSelector: kubernetes.io/metadata.name in {"adminer"}
+  types:
+  - Ingress
+  - Egress
+  egress:
+   # allow all namespaces to communicate to DNS pods
+  - action: Allow
+    protocol: UDP
+    destination:
+      selector: 'k8s-app == "kube-dns"'
+      ports:
+      - 53
+  - action: Allow
+    protocol: TCP
+    destination:
+      selector: 'k8s-app == "kube-dns"'
+      ports:
+      - 53

charts/portainer/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: portainer
+  repository: https://portainer.github.io/k8s/
+  version: 1.0.54
+digest: sha256:bafe4182881aee8c6df3d3c6f8c523a1bd7577bed04942ad3d9b857a5437d96f
+generated: "2025-07-29T11:07:15.39037387+02:00"

charts/portainer/Chart.yaml

@@ -0,0 +1,29 @@
+apiVersion: v2
+name: portainer
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.54
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: 2.21.2
+
+dependencies:
+  - name: portainer
+    version: 1.0.54
+    repository: "https://portainer.github.io/k8s/"

charts/portainer/templates/NOTES.txt

@@ -0,0 +1 @@
+Wrapper around portainer helm chart https://github.com/portainer/k8s