From b0bf24090232d1b1164f5f42f82dbca1b0d0c203 Mon Sep 17 00:00:00 2001 From: Yusuke Kadowaki Date: Wed, 21 Jun 2023 15:48:08 +0900 Subject: [PATCH] Add user custom network policy (#2078) * add user custom network policy template * add appPort to access grafana from host * add kube-system as egress allow for agent * add network policy settings as an example * add stern in dev container * add schema comments * add network policy enabled to ci helm values * add cluster role to deploy network policy * style: Format code with prettier and gofumpt * remove unnecesary network policy ci settings * add pyroscope to ingress rule --------- Co-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com> --- .devcontainer/devcontainer.json | 3 ++- .github/helm/values/values-lb.yaml | 2 ++ .github/valdrelease/valdrelease.yaml | 2 ++ .../vald-helm-operator/templates/clusterrole.yaml | 1 + charts/vald/templates/agent/networkpolicy.yaml | 11 +++++++++++ charts/vald/templates/discoverer/networkpolicy.yaml | 6 ++++++ .../templates/gateway/filter/networkpolicy.yaml | 7 +++++++ charts/vald/templates/gateway/lb/networkpolicy.yaml | 6 ++++++ .../vald/templates/manager/index/networkpolicy.yaml | 6 ++++++ charts/vald/values.yaml | 10 +++++++++- charts/vald/values/dev-observability.yaml | 13 +++++++++++++ dockers/dev/Dockerfile | 2 +- 12 files changed, 66 insertions(+), 3 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 3e5c434ae6..e63343f2e8 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -11,5 +11,6 @@ } }, "postCreateCommand": "go version", - "postAttachCommand": "sudo ln -s $(pwd)/cmd/agent/core/ngt/sample.yaml /etc/server/config.yaml" + "postAttachCommand": "sudo ln -s $(pwd)/cmd/agent/core/ngt/sample.yaml /etc/server/config.yaml", + "appPort": "3000:3000" } 
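Review bot: `"appPort": "3000:3000"` in devcontainer.json publishes the Grafana port on every host interface, because a bare `hostPort:containerPort` mapping reaches Docker's `-p` without a bind address (the daemon default is 0.0.0.0 unless overridden), so the dev Grafana becomes reachable from the developer's whole network rather than only the workstation. Docker accepts an `ip:hostPort:containerPort` triple, so `"appPort": "127.0.0.1:3000:3000"` keeps it on loopback; please confirm the devcontainer tooling passes the string through unchanged, which is my understanding. The devcontainer reference also recommends `forwardPorts` over `appPort` for new configurations, which forwards through the editor session instead of publishing on the host.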
diff --git a/.github/helm/values/values-lb.yaml b/.github/helm/values/values-lb.yaml index fee4291196..8e74c959ea 100644 --- a/.github/helm/values/values-lb.yaml +++ b/.github/helm/values/values-lb.yaml @@ -17,6 +17,8 @@ defaults: logging: level: info + networkPolicy: + enabled: true gateway: lb: diff --git a/.github/valdrelease/valdrelease.yaml b/.github/valdrelease/valdrelease.yaml index 90be6becac..47f120110b 100644 --- a/.github/valdrelease/valdrelease.yaml +++ b/.github/valdrelease/valdrelease.yaml @@ -22,6 +22,8 @@ spec: defaults: logging: level: info + networkPolicy: + enabled: true gateway: lb: diff --git a/charts/vald-helm-operator/templates/clusterrole.yaml b/charts/vald-helm-operator/templates/clusterrole.yaml index 23a3a63a86..c63e9fd5db 100644 --- a/charts/vald-helm-operator/templates/clusterrole.yaml +++ b/charts/vald-helm-operator/templates/clusterrole.yaml @@ -112,6 +112,7 @@ rules: - networking.k8s.io resources: - ingresses + - networkpolicies verbs: - create - delete diff --git a/charts/vald/templates/agent/networkpolicy.yaml b/charts/vald/templates/agent/networkpolicy.yaml index 94820e4b26..9f72d2c856 100644 --- a/charts/vald/templates/agent/networkpolicy.yaml +++ b/charts/vald/templates/agent/networkpolicy.yaml @@ -44,4 +44,15 @@ spec: podSelector: matchLabels: app: {{ $index.name }} + {{- if .Values.defaults.networkPolicy.custom.ingress }} + {{- toYaml .Values.defaults.networkPolicy.custom.ingress | nindent 4 }} + {{- end }} + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + {{- if .Values.defaults.networkPolicy.custom.egress }} + {{- toYaml .Values.defaults.networkPolicy.custom.egress | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/vald/templates/discoverer/networkpolicy.yaml b/charts/vald/templates/discoverer/networkpolicy.yaml index 4622ecf182..1cb995a2fb 100644 --- a/charts/vald/templates/discoverer/networkpolicy.yaml +++ b/charts/vald/templates/discoverer/networkpolicy.yaml 
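Review bot: The new `egress:` section of the agent NetworkPolicy only takes effect if the policy's `policyTypes` (above this hunk, not visible here) lists `Egress`; with an explicit `policyTypes: [Ingress]` Kubernetes ignores the whole egress block and neither the kube-system peer nor `custom.egress` does anything, so please confirm `- Egress` is present, as the filter template in this commit handles it explicitly. If Egress is enabled, this hunk makes the agent default-deny for egress except kube-system, so any connection the agent itself initiates outside that namespace now has to be covered by `defaults.networkPolicy.custom.egress`; a one-line comment such as `# egress is restricted to kube-system (DNS) plus the user-supplied custom.egress rules` above `egress:` would make that contract visible. Note that `custom.ingress` and `custom.egress` are injected unchanged into every component's policy (agent here, discoverer, both gateways and the index manager in the other hunks), so a peer allowed for one component is allowed for all.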
@@ -46,9 +46,15 @@ spec: podSelector: matchLabels: app: {{ $index.name }} + {{- if .Values.defaults.networkPolicy.custom.ingress }} + {{- toYaml .Values.defaults.networkPolicy.custom.ingress | nindent 4 }} + {{- end }} egress: - to: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: kube-system + {{- if .Values.defaults.networkPolicy.custom.egress }} + {{- toYaml .Values.defaults.networkPolicy.custom.egress | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/vald/templates/gateway/filter/networkpolicy.yaml b/charts/vald/templates/gateway/filter/networkpolicy.yaml index 1dc420b225..cda1938bc9 100644 --- a/charts/vald/templates/gateway/filter/networkpolicy.yaml +++ b/charts/vald/templates/gateway/filter/networkpolicy.yaml @@ -26,7 +26,14 @@ spec: matchLabels: app: {{ $filter.name }} policyTypes: + {{- if .Values.defaults.networkPolicy.custom.ingress }} + - Ingress + {{- end }} - Egress + {{- if .Values.defaults.networkPolicy.custom.ingress }} + ingress: + {{- toYaml .Values.defaults.networkPolicy.custom.ingress | nindent 4 }} + {{- end }} egress: # allow all the egress to communicate with user-defined filters - {} diff --git a/charts/vald/templates/gateway/lb/networkpolicy.yaml b/charts/vald/templates/gateway/lb/networkpolicy.yaml index 6f9172564e..aef8e2a380 100644 --- a/charts/vald/templates/gateway/lb/networkpolicy.yaml +++ b/charts/vald/templates/gateway/lb/networkpolicy.yaml @@ -41,6 +41,9 @@ spec: podSelector: matchLabels: app: {{ $filter.name }} + {{- if .Values.defaults.networkPolicy.custom.ingress }} + {{- toYaml .Values.defaults.networkPolicy.custom.ingress | nindent 4 }} + {{- end }} egress: - to: - namespaceSelector: @@ -58,4 +61,7 @@ spec: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: kube-system + {{- if .Values.defaults.networkPolicy.custom.egress }} + {{- toYaml .Values.defaults.networkPolicy.custom.egress | nindent 4 }} + {{- end }} {{- end }} 
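Review bot: In the filter gateway template, setting `custom.ingress` adds `Ingress` to `policyTypes`, which turns the filter gateway's previously unrestricted ingress into an allow-list containing only the custom `from` peers; the other templates append the custom rules to existing ingress rules, so the filter gateway is the one component where the same values tighten rather than widen access. With the dev-observability example in this commit (ingress from pyroscope only), every client of the filter gateway would be cut off. Either keep the existing behaviour by adding an explicit allow rule for the gateway's intended clients before the custom rules, or document the difference in values.yaml with a comment such as `# for the filter gateway, custom.ingress replaces the default allow-all ingress`.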
diff --git a/charts/vald/templates/manager/index/networkpolicy.yaml b/charts/vald/templates/manager/index/networkpolicy.yaml index aa0fd6fa1a..a606633c3e 100644 --- a/charts/vald/templates/manager/index/networkpolicy.yaml +++ b/charts/vald/templates/manager/index/networkpolicy.yaml @@ -34,6 +34,9 @@ spec: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: kube-system + {{- if .Values.defaults.networkPolicy.custom.ingress }} + {{- toYaml .Values.defaults.networkPolicy.custom.ingress | nindent 4 }} + {{- end }} egress: - to: - namespaceSelector: @@ -51,4 +54,7 @@ spec: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: kube-system + {{- if .Values.defaults.networkPolicy.custom.egress }} + {{- toYaml .Values.defaults.networkPolicy.custom.egress | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/vald/values.yaml b/charts/vald/values.yaml index 628d49555d..50e9c03cce 100644 --- a/charts/vald/values.yaml +++ b/charts/vald/values.yaml @@ -834,8 +834,16 @@ defaults: networkPolicy: # @schema {"name": "defaults.networkPolicy.enabled", "type": "boolean"} # defaults.networkPolicy.enabled -- if network policy enabled - # TODO: Change this to true after implementing user custom network policy parser enabled: false + # @schema {"name": "defaults.networkPolicy.custom", "type": "object"} + # defaults.networkPolicy.custom -- custom network policies that a user can add + custom: + # @schema {"name": "defaults.networkPolicy.custom.ingress", "type": "object"} + # defaults.networkPolicy.custom.ingress -- custom ingress network policies that a user can add + ingress: {} + # @schema {"name": "defaults.networkPolicy.custom.egress", "type": "object"} + # defaults.networkPolicy.custom.egress -- custom egress network policies that a user can add + egress: {} # @schema {"name": "gateway", "type": "object"} gateway: diff --git a/charts/vald/values/dev-observability.yaml b/charts/vald/values/dev-observability.yaml index 7b6f5f6c7c..ac15a47d22 100644 
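Review bot: In values.yaml the schema for `defaults.networkPolicy.custom.ingress` and `.egress` declares `"type": "object"` with `{}` defaults, but the templates inject the value with `toYaml` into a NetworkPolicy rule list and the dev-observability example supplies a YAML sequence (`- from:` / `- to:`), so a generated JSON schema would reject exactly the shape the chart expects; a map value would also render as a malformed list entry. I would change both to `"type": "array"` (assuming the chart's schema generator accepts it, as other array-typed values in this file suggest) and default them to `ingress: []` / `egress: []`, which the `{{- if }}` guards still treat as empty. The description should also say that these rules are added to every component's policy, e.g. `# defaults.networkPolicy.custom.ingress -- extra ingress rules appended to the NetworkPolicy of every vald component`.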
--- a/charts/vald/values/dev-observability.yaml +++ b/charts/vald/values/dev-observability.yaml @@ -40,6 +40,19 @@ defaults: collector_endpoint: "opentelemetry-collector-collector.default.svc.cluster.local:4317" trace: enabled: true + networkPolicy: + enabled: true + custom: + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: pyroscope + egress: + - to: + - podSelector: + matchLabels: + app.kubernetes.io/name: opentelemetry-collector-collector gateway: lb: diff --git a/dockers/dev/Dockerfile b/dockers/dev/Dockerfile index ea227e4087..bd761f5c5b 100644 --- a/dockers/dev/Dockerfile +++ b/dockers/dev/Dockerfile @@ -71,4 +71,4 @@ USER vscode SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN curl -sS https://webinstall.dev/k9s | bash -WORKDIR ${GOPATH} +RUN go install github.com/stern/stern@latest
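Review bot: The custom egress peer for the collector uses a bare `podSelector`, which Kubernetes scopes to the policy's own namespace, while `collector_endpoint` in the same file points at `opentelemetry-collector-collector.default.svc.cluster.local`; if vald is deployed outside `default` the rule matches nothing and telemetry export is blocked. Adding a `namespaceSelector` for the collector's namespace alongside the `podSelector`, and a `ports:` entry for `4317` so the allowance is not every port of the collector pod, would make the example correct and minimal. Since the rule is applied to every component, the pyroscope ingress peer likewise opens all ports of every vald pod to pyroscope; limiting it to the pprof port would keep the example least-privilege (the port is not visible in this diff, so I have not named one).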
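Review bot: `RUN go install github.com/stern/stern@latest` in dockers/dev/Dockerfile is unpinned, so each image build resolves a different module version and silently pulls whatever is newest, which makes the dev image non-reproducible and widens the supply-chain exposure; pin it as `RUN go install github.com/stern/stern@<pinned-version>` (placeholder, pick a released tag) as is done for Go dependencies elsewhere. The hunk also replaces `WORKDIR ${GOPATH}` rather than keeping it, so the image's working directory changes although the commit message only mentions adding stern; if that is unintended, restore `WORKDIR ${GOPATH}` after the new `RUN` line.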