feat: add network policies for otomi-api (#2490)

CasLubbers · j-zimnowoda · web-flow · commit 71f740d67a8d · 2025-09-03T15:46:56.000Z
Co-authored-by: jeho &lt;17126497+j-zimnowoda@users.noreply.github.com&gt;
diff --git a/charts/apl-network-policies/templates/networkpolicies/otomi-api.yaml b/charts/apl-network-policies/templates/networkpolicies/otomi-api.yaml
@@ -0,0 +1,47 @@
+{{- if .Values.netpols.otomiApi }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: otomi-api-platform-policy
+  namespace: otomi
+  labels:
+    {{- include "apl-network-policies.labels" . | nindent 4 }}
+    app: otomi-api
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: otomi-api
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow access from Istio public ingress gateway
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: istio-system
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/instance: istio-ingressgateway-public
+    # Allow access from gitea for webhook notifications
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: gitea
+          podSelector:
+            matchLabels:
+              app: gitea
+    # Allow monitoring access for metrics scraping
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: monitoring
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/instance: po-prometheus
+    # Allow internal otomi namespace communication
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: otomi
+{{- end }}
diff --git a/charts/apl-network-policies/values.yaml b/charts/apl-network-policies/values.yaml
@@ -7,7 +7,8 @@
 # Example configuration (all commented out):
 # Simple on/off switch per application
 # netpols:
-#   gitea: true  # Enable network policies for Gitea with sensible defaults
+#   gitea: true     # Enable network policies for Gitea with sensible defaults
+#   otomiApi: true  # Enable network policies for otomi-api with sensible defaults
 
 # Network policy behavior when enabled:
 #
@@ -23,5 +24,13 @@
 #   * CNPG system (for database management)
 #   * Internal gitea namespace communication
 #
+# For otomi-api (netpols.otomiApi: true):
+# - Creates a NetworkPolicy in the otomi namespace
+# - Allows ingress from:
+#   * Istio public ingress gateway (for web access)
+#   * Gitea namespace (for webhook notifications)
+#   * Monitoring namespace (for metrics scraping)
+#   * Internal otomi namespace communication
+#
 # The complex network policy rules are baked into the chart templates,
 # so users only need to toggle network policies on/off per application.
diff --git a/helmfile.d/snippets/defaults.yaml b/helmfile.d/snippets/defaults.yaml
@@ -967,6 +967,8 @@ environments:
           otomi-api:
             editorInactivityTimeout: 1
             _rawValues: {}
+            networkPolicies:
+              enabled: true
             resources:
               api:
                 limits:
diff --git a/values-schema.yaml b/values-schema.yaml
@@ -2531,6 +2531,8 @@ properties:
                 $ref: '#/definitions/resources'
               tools:
                 $ref: '#/definitions/resources'
+          networkPolicies:
+            $ref: '#/definitions/appNetworkPolicyConfig'
       otomi-console:
         additionalProperties: false
         properties:
diff --git a/values/apl-network-policies/apl-network-policies.gotmpl b/values/apl-network-policies/apl-network-policies.gotmpl
@@ -1,6 +1,8 @@
 {{- $v := .Values }}
 {{- $a := $v.apps }}
+{{- $oa := $v.apps | get "otomi-api" }}
 
 # Simple per-app network policy configuration
 netpols:
   gitea: {{ $a.gitea.networkPolicies.enabled}}
+  otomiApi: {{ $oa.networkPolicies.enabled}}
