feat: add NetworkPolicy

Signed-off-by: Matheus Pimenta <[email protected]>

Author: matheuscscp

helm/oauth2-proxy/README.md

@@ -181,6 +181,8 @@ The following table lists the configurable parameters of the oauth2-proxy chart
 | `livenessProbe.initialDelaySeconds`                   | number of seconds                                                                                                                                                                                                                                                | 0                                                                                                    |
 | `livenessProbe.timeoutSeconds`                        | number of seconds                                                                                                                                                                                                                                                | 1                                                                                                    |
 | `namespaceOverride`                                   | Override the deployment namespace                                                                                                                                                                                                                                | `""`                                                                                                 |
+| `networkPolicy.create`                                | Create a NetworkPolicy resource                                                                                                                                                                                                                                  | `false`                                                                                              |
+| `networkPolicy.ingress.namespaces`                    | Namespaces to allow ingress from (if empty, allows only from the release namespace)                                                                                                                                                                              | `[]`                                                                                                 |
 | `nodeSelector`                                        | node labels for pod assignment                                                                                                                                                                                                                                   | `{}`                                                                                                 |
 | `deploymentAnnotations`                               | annotations to add to the deployment                                                                                                                                                                                                                             | `{}`                                                                                                 |
 | `podAnnotations`                                      | annotations to add to each pod                                                                                                                                                                                                                                   | `{}`                                                                                                 |

helm/oauth2-proxy/templates/networkpolicy.yaml

@@ -0,0 +1,35 @@
+{{- if .Values.networkPolicy.create }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "oauth2-proxy.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "oauth2-proxy.labels" . | nindent 4 }}
+    {{- with .Values.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  policyTypes:
+    - Ingress
+  podSelector:
+    matchLabels:
+      {{- include "oauth2-proxy.selectorLabels" . | nindent 6 }}
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Release.Namespace }}
+        {{- range $ns := .Values.networkPolicy.ingress.namespaces }}
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ $ns }}
+        {{- end }}
+      ports:
+        - protocol: TCP
+          port: {{ .Values.httpScheme }}
+{{- end }}

helm/oauth2-proxy/values.yaml

@@ -177,6 +177,14 @@ serviceAccount:
   automountServiceAccountToken: true
   annotations: {}
 
+# Network policy settings.
+networkPolicy:
+  create: false
+  ingress:
+    namespaces: []
+    #  - my-namespace-1
+    #  - my-namespace-2
+
 ingress:
   enabled: false
   # className: nginx