config: bring back ingressOverride

davidumea · lunkan93 · commit 0c8da3ed7e09 · 2025-11-18T09:59:46.000+01:00
diff --git a/config/common-config.yaml b/config/common-config.yaml
@@ -1196,6 +1196,10 @@ networkPolicies:
 
   ingressNginx:
     enabled: true
+    ingressOverride:
+      enabled: set-me
+      ips:
+        - set-me-if-(.networkPolicies.ingressNginx.ingressOverride.enabled)
 
   falco:
     enabled: true
diff --git a/config/providers/aws/common-config.yaml b/config/providers/aws/common-config.yaml
@@ -21,6 +21,9 @@ networkPolicies:
   global:
     externalLoadBalancer: false
     ingressUsingHostNetwork: false
+  ingressNginx:
+    ingressOverride:
+      enabled: false
 opa:
   rejectLoadBalancerService:
     enabled: false
diff --git a/config/providers/azure/common-config.yaml b/config/providers/azure/common-config.yaml
@@ -20,10 +20,9 @@ networkPolicies:
   global:
     externalLoadBalancer: false
     ingressUsingHostNetwork: false
-    scIngress:
-      ips:
-        - 0.0.0.0/0
-    wcIngress:
+  ingressNginx:
+    ingressOverride:
+      enabled: true
       ips:
         - 0.0.0.0/0
 opa:
diff --git a/config/providers/baremetal/common-config.yaml b/config/providers/baremetal/common-config.yaml
@@ -16,6 +16,9 @@ networkPolicies:
     ingressUsingHostNetwork: true
   rookCeph:
     enabled: true
+  ingressNginx:
+    ingressOverride:
+      enabled: false
 opa:
   rejectLoadBalancerService:
     enabled: true
diff --git a/config/providers/elastx/common-config.yaml b/config/providers/elastx/common-config.yaml
@@ -17,6 +17,9 @@ networkPolicies:
   global:
     externalLoadBalancer: false
     ingressUsingHostNetwork: false
+  ingressNginx:
+    ingressOverride:
+      enabled: false
 objectStorage:
   type: s3
   s3:
diff --git a/config/providers/openstack/common-config.yaml b/config/providers/openstack/common-config.yaml
@@ -15,6 +15,9 @@ networkPolicies:
   global:
     externalLoadBalancer: false
     ingressUsingHostNetwork: false
+  ingressNginx:
+    ingressOverride:
+      enabled: false
 objectStorage:
   type: s3
   s3:
diff --git a/config/providers/safespring/common-config.yaml b/config/providers/safespring/common-config.yaml
@@ -8,6 +8,9 @@ networkPolicies:
   global:
     externalLoadBalancer: true
     ingressUsingHostNetwork: true
+  ingressNginx:
+    ingressOverride:
+      enabled: false
   kubeSystem:
     openstack:
       enabled: true
diff --git a/config/providers/upcloud/common-config.yaml b/config/providers/upcloud/common-config.yaml
@@ -4,6 +4,9 @@ networkPolicies:
   global:
     externalLoadBalancer: true
     ingressUsingHostNetwork: false
+  ingressNginx:
+    ingressOverride:
+      enabled: false
   kubeSystem:
     upcloud:
       enabled: true
diff --git a/config/schemas/config.yaml b/config/schemas/config.yaml
@@ -1253,6 +1253,28 @@ allOf:
                     properties:
                       ips:
                         $ref: '#/$defs/iplist'
+- if:
+    properties:
+      networkPolicies:
+        properties:
+          ingressNginx:
+            properties:
+              ingressOverride:
+                properties:
+                  enabled:
+                    type: boolean
+                    const: true
+  then:
+    properties:
+      networkPolicies:
+        properties:
+          ingressNginx:
+            properties:
+              ingressOverride:
+                properties:
+                  ips:
+                    title: Network Policies Ingress Override IPs
+                    $ref: '#/$defs/iplist'
 - if:
     allOf:
       - properties:
@@ -7309,6 +7331,20 @@ properties:
             title: Network Policies Ingress NGINX Enabled
             type: boolean
             default: true
+          ingressOverride:
+            title: Network Policies Ingress Override
+            description: |-
+              Configure override to the ingress rules for Ingress NGINX.
+
+              Required when cluster ingress uses direct routing.
+            type: object
+            additionalProperties: false
+            properties:
+              enabled:
+                title: Network Policies Ingress Override Enabled
+                type: boolean
+                default: false
+              ips: true
       certManager:
         title: Network Policies cert-manager
         description: Configure cert-manager network policy rules.
diff --git a/helmfile.d/charts/networkpolicy/service-cluster/templates/ingress-nginx/controller.yaml b/helmfile.d/charts/networkpolicy/service-cluster/templates/ingress-nginx/controller.yaml
@@ -22,9 +22,14 @@ spec:
         - protocol: TCP
           port: 80
     {{- end }}
-    {{- if or  .Values.global.scNodes.ips .Values.global.scIngress.ips }}
+    {{- if or .Values.ingressNginx.ingressOverride.ips .Values.global.scNodes.ips .Values.global.scIngress.ips }}
     - from:
-      {{- if .Values.global.ingressUsingHostNetwork }}
+      {{- if and .Values.ingressNginx.ingressOverride.enabled .Values.ingressNginx.ingressOverride.ips }}
+        {{- range $IP := .Values.ingressNginx.ingressOverride.ips }}
+        - ipBlock:
+            cidr: {{ $IP }}
+        {{- end }}
+      {{- else if not (or .Values.global.externalLoadBalancer .Values.global.ingressUsingHostNetwork) }}
         {{- if .Values.global.scNodes.ips }}
         {{- range $IP := .Values.global.scNodes.ips }}
         - ipBlock:
@@ -82,9 +87,14 @@ spec:
         protocol: UDP
       - port: 53
         protocol: TCP
-    {{- if .Values.global.scIngress.ips }}
+    {{- if or .Values.ingressNginx.ingressOverride.ips .Values.global.scIngress.ips }}
     - to:
-      {{- if .Values.global.scIngress.ips }}
+      {{- if and .Values.ingressNginx.ingressOverride.enabled .Values.ingressNginx.ingressOverride.ips }}
+        {{- range $IP := .Values.ingressNginx.ingressOverride.ips }}
+        - ipBlock:
+            cidr: {{ $IP }}
+        {{- end }}
+      {{- else if .Values.global.scIngress.ips }}
         {{- range $IP := .Values.global.scIngress.ips }}
         - ipBlock:
             cidr: {{ $IP }}
diff --git a/helmfile.d/charts/networkpolicy/service-cluster/values.yaml b/helmfile.d/charts/networkpolicy/service-cluster/values.yaml
@@ -123,6 +123,10 @@ s3Exporter:
 
 ingressNginx:
   enabled: true
+  ingressOverride:
+    enabled: false
+    ips:
+      - set-me-if-enabled
 
 dex:
   enabled: true
diff --git a/helmfile.d/charts/networkpolicy/workload-cluster/templates/ingress-nginx/controller.yaml b/helmfile.d/charts/networkpolicy/workload-cluster/templates/ingress-nginx/controller.yaml
@@ -22,9 +22,14 @@ spec:
         - protocol: TCP
           port: 80
     {{- end }}
-    {{- if or .Values.global.wcNodes.ips .Values.global.wcIngress.ips }}
+    {{- if or .Values.ingressNginx.ingressOverride.ips .Values.global.wcNodes.ips .Values.global.wcIngress.ips }}
     - from:
-      {{- if .Values.global.ingressUsingHostNetwork }}
+      {{- if and .Values.ingressNginx.ingressOverride.enabled .Values.ingressNginx.ingressOverride.ips }}
+        {{- range $IP := .Values.ingressNginx.ingressOverride.ips }}
+        - ipBlock:
+            cidr: {{ $IP }}
+        {{- end }}
+      {{- else if not (or .Values.global.externalLoadBalancer .Values.global.ingressUsingHostNetwork) }}
         {{- if .Values.global.wcNodes.ips }}
         {{- range $IP := .Values.global.wcNodes.ips }}
         - ipBlock:
@@ -86,9 +91,14 @@ spec:
           protocol: UDP
         - port: 53
           protocol: TCP
-    {{- if .Values.global.wcIngress.ips }}
+    {{- if or .Values.ingressNginx.ingressOverride.ips .Values.global.wcIngress.ips }}
     - to:
-      {{- if .Values.global.wcIngress.ips }}
+      {{- if and .Values.ingressNginx.ingressOverride.enabled .Values.ingressNginx.ingressOverride.ips }}
+        {{- range $IP := .Values.ingressNginx.ingressOverride.ips }}
+        - ipBlock:
+            cidr: {{ $IP }}
+        {{- end }}
+      {{- else if .Values.global.wcIngress.ips }}
         {{- range $IP := .Values.global.wcIngress.ips }}
         - ipBlock:
             cidr: {{ $IP }}
diff --git a/helmfile.d/charts/networkpolicy/workload-cluster/values.yaml b/helmfile.d/charts/networkpolicy/workload-cluster/values.yaml
@@ -73,6 +73,10 @@ monitoring:
 
 ingressNginx:
   enabled: true
+  ingressOverride:
+    enabled : false
+    ips:
+      - set-me-if-enabled
 
 alertmanager:
   enabled: true
diff --git a/helmfile.d/values/networkpolicy/service-cluster.yaml.gotmpl b/helmfile.d/values/networkpolicy/service-cluster.yaml.gotmpl
@@ -70,6 +70,11 @@ s3Exporter:
 
 ingressNginx:
   enabled: {{ .Values.networkPolicies.ingressNginx.enabled }}
+  ingressOverride:
+    enabled : {{ .Values.networkPolicies.ingressNginx.ingressOverride.enabled }}
+    {{- if .Values.networkPolicies.ingressNginx.ingressOverride.enabled }}
+    ips: {{- toYaml .Values.networkPolicies.ingressNginx.ingressOverride.ips | nindent 4 }}
+    {{- end }}
 
 dex:
   enabled: {{ .Values.networkPolicies.dex.enabled }}
diff --git a/helmfile.d/values/networkpolicy/workload-cluster.yaml.gotmpl b/helmfile.d/values/networkpolicy/workload-cluster.yaml.gotmpl
@@ -40,6 +40,11 @@ monitoring:
 ingressNginx:
   enabled: {{ .Values.networkPolicies.ingressNginx.enabled }}
   externalTrafficPolicyLocal: {{ .Values.externalTrafficPolicy.local }}
+  ingressOverride:
+    enabled : {{ .Values.networkPolicies.ingressNginx.ingressOverride.enabled }}
+    {{- if .Values.networkPolicies.ingressNginx.ingressOverride.enabled }}
+    ips: {{- toYaml .Values.networkPolicies.ingressNginx.ingressOverride.ips | nindent 4 }}
+    {{- end }}
 
 alertmanager:
   enabled: {{ and .Values.prometheus.devAlertmanager.enabled .Values.networkPolicies.alertmanager.enabled }}
diff --git a/tests/unit/general/bin-conditional-set-me.bats b/tests/unit/general/bin-conditional-set-me.bats
@@ -98,6 +98,7 @@ _refute_condition_and_warn() {
   yq.set common .networkPolicies.coredns.enabled 'true'
   yq.set sc .networkPolicies.opensearch.enabled 'true'
   yq.set sc .objectStorage.sync.secondaryUrl \"example.com\"
+  yq.set sc .networkPolicies.ingressNginx.ingressOverride.enabled 'true'
   yq.set sc .networkPolicies.dex.enabled 'true'
 
   run _apply_normalise_sc
@@ -106,13 +107,15 @@ _refute_condition_and_warn() {
   _assert_condition_and_warn .\"networkPolicies\".\"coredns\".\"externalDns\".\"ips\"
   _assert_condition_and_warn .\"networkPolicies\".\"opensearch\".\"plugins\".\"ips\"
   _assert_condition_and_warn .\"networkPolicies\".\"rclone\".\"sync\".\"secondaryUrl\".\"ips\"
+  _assert_condition_and_warn .\"networkPolicies\".\"ingressNginx\".\"ingressOverride\".\"ips\"
   _assert_condition_and_warn .\"networkPolicies\".\"dex\".\"connectors\".\"ips\"
 
   yq.set common .trivy.enabled 'false'
   yq.set common .networkPolicies.certManager.enabled 'false'
   yq.set common .networkPolicies.coredns.enabled 'false'
   yq.set sc .networkPolicies.opensearch.enabled 'false'
   yq.set sc .objectStorage.sync.secondaryUrl \"\"
+  yq.set sc .networkPolicies.ingressNginx.ingressOverride.enabled 'false'
   yq.set sc .networkPolicies.dex.enabled 'false'
 
   run _apply_normalise_sc
@@ -121,6 +124,7 @@ _refute_condition_and_warn() {
   _refute_condition_and_warn .\"networkPolicies\".\"coredns\".\"externalDns\".\"ips\"
   _refute_condition_and_warn .\"networkPolicies\".\"opensearch\".\"plugins\".\"ips\"
   _refute_condition_and_warn .\"networkPolicies\".\"rclone\".\"sync\".\"secondaryUrl\".\"ips\"
+  _refute_condition_and_warn .\"networkPolicies\".\"ingressNginx\".\"ingressOverride\".\"ips\"
   _refute_condition_and_warn .\"networkPolicies\".\"dex\".\"connectors\".\"ips\"
 
 }
@@ -131,20 +135,24 @@ _refute_condition_and_warn() {
   yq.set common .trivy.enabled 'true'
   yq.set common .networkPolicies.certManager.enabled 'true'
   yq.set common .networkPolicies.coredns.enabled 'true'
+  yq.set wc .networkPolicies.ingressNginx.ingressOverride.enabled 'true'
 
   run _apply_normalise_wc
   _assert_condition_and_warn .\"networkPolicies\".\"global\".\"trivy\".\"ips\"
   _assert_condition_and_warn .\"networkPolicies\".\"certManager\".\"letsencrypt\".\"ips\"
   _assert_condition_and_warn .\"networkPolicies\".\"coredns\".\"externalDns\".\"ips\"
+  _assert_condition_and_warn .\"networkPolicies\".\"ingressNginx\".\"ingressOverride\".\"ips\"
 
   yq.set common .trivy.enabled 'false'
   yq.set common .networkPolicies.certManager.enabled 'false'
   yq.set common .networkPolicies.coredns.enabled 'false'
+  yq.set wc .networkPolicies.ingressNginx.ingressOverride.enabled 'false'
 
   run _apply_normalise_wc
   _refute_condition_and_warn .\"networkPolicies\".\"global\".\"trivy\".\"ips\"
   _refute_condition_and_warn .\"networkPolicies\".\"certManager\".\"letsencrypt\".\"ips\"
   _refute_condition_and_warn .\"networkPolicies\".\"coredns\".\"externalDns\".\"ips\"
+  _refute_condition_and_warn .\"networkPolicies\".\"ingressNginx\".\"ingressOverride\".\"ips\"
 }
 
 # bats test_tags=conditional_set_me_netpol_kured
