From 502b633c0ff4f533f36b96a0f10b2eaa5f9e1954 Mon Sep 17 00:00:00 2001
From: Marco Lecheler
Date: Wed, 24 Jan 2024 12:02:42 +0100
Subject: [PATCH] feat(helm): add networkPolicy for miw
Signed-off-by: Marco Lecheler
---
.../templates/networkpolicy.yaml | 38 +++++++++++++++++++
charts/managed-identity-wallet/values.yaml | 7 ++++
2 files changed, 45 insertions(+)
create mode 100644 charts/managed-identity-wallet/templates/networkpolicy.yaml
diff --git a/charts/managed-identity-wallet/templates/networkpolicy.yaml b/charts/managed-identity-wallet/templates/networkpolicy.yaml
new file mode 100644
index 000000000..9a6d9d80e
--- /dev/null
+++ b/charts/managed-identity-wallet/templates/networkpolicy.yaml
@@ -0,0 +1,38 @@
+# /********************************************************************************
+# * Copyright (c) 2024 Contributors to the Eclipse Foundation
+# *
+# * See the NOTICE file(s) distributed with this work for additional
+# * information regarding copyright ownership.
+# *
+# * This program and the accompanying materials are made available under the
+# * terms of the Apache License, Version 2.0 which is available at
+# * https://www.apache.org/licenses/LICENSE-2.0.
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# * License for the specific language governing permissions and limitations
+# * under the License.
+# *
+# * SPDX-License-Identifier: Apache-2.0
+# ********************************************************************************/
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "managed-identity-wallet.fullname" . }}
+ labels:
+ {{- include "managed-identity-wallet.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "managed-identity-wallet.selectorLabels" . | nindent 6 }}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ {{- toYaml .Values.networkPolicy.from | nindent 4 }}
+ ports:
+ - protocol: TCP
+ port: 8080
+{{- end }}
diff --git a/charts/managed-identity-wallet/values.yaml b/charts/managed-identity-wallet/values.yaml
index 55a2f1d4c..7defbdedf 100644
--- a/charts/managed-identity-wallet/values.yaml
+++ b/charts/managed-identity-wallet/values.yaml
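Review bot: An empty `networkPolicy.from` fails open in the `- from:` rule: `toYaml` would render `[]`, and Kubernetes treats an empty or missing `from` as matching all sources, so an operator who clears the list expecting to block traffic instead admits every source on TCP 8080. Rejecting that at render time makes the intent explicit, e.g. `{{- if not .Values.networkPolicy.from }}{{ fail "networkPolicy.from must list at least one peer" }}{{- end }}` placed just inside the `enabled` guard. The port is also hard-coded to 8080; if the chart exposes the container or service port through values (not visible in this patch), the rule should reference the same value so the policy and the workload cannot drift apart.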
@@ -142,6 +142,13 @@ podAnnotations: {} # -- add initContainers to the miw deployment initContainers: [] +networkPolicy: + # -- If `true` network policy will be created to restrict access to managed-identity-wallet + enabled: false + # -- Specify from rule network policy for miw (defaults to all namespaces) + from: + - namespaceSelector: {} + ## @section Managed Identity Wallet Primary Parameters ## miw:
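Review bot: The default `from` of `- namespaceSelector: {}` selects every namespace, so turning on `networkPolicy.enabled` with the defaults still lets any pod in the cluster reach miw on the allowed port, which is weaker than the "restrict access" wording on `enabled` suggests. The comment on `from` should say so and point operators at narrowing it, e.g. `# -- Ingress peers allowed to reach miw; the default matches pods in all namespaces, so narrow it to the ingress controller and client namespaces`. It would also help to state that the policy covers ingress only, since the template sets `policyTypes` to `Ingress` and leaves egress from the wallet unrestricted.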