From a6bfccf94c9ebf53a42f824e2c7b8b6dbe496d33 Mon Sep 17 00:00:00 2001
From: jack munday <jack.charlie.munday@cern.ch>
Date: Wed, 5 Mar 2025 13:44:22 +0000
Subject: [PATCH] test: migrate to cilium based policy

---
 templates/netpol-redis.yaml | 59 +++++++++++++++++++++++++++++++++++++
 values.yaml                 | 20 +------------
 2 files changed, 60 insertions(+), 19 deletions(-)
 create mode 100644 templates/netpol-redis.yaml

diff --git a/templates/netpol-redis.yaml b/templates/netpol-redis.yaml
new file mode 100644
index 0000000..634ccf0
--- /dev/null
+++ b/templates/netpol-redis.yaml
@@ -0,0 +1,59 @@
+{{- if .Values.redis.enabled }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: {{ include "kops-registry.name" . }}-redis
+  labels:
+{{- include "kops-registry.labels" . | nindent 4 }}
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: redis
+      app.kubernetes.io/name: redis
+  ingress:
+  - fromEndpoints:
+      - matchLabels:
+          redis-client: "true"
+      - matchLabels:
+          app.kubernetes.io/instance: redis
+          app.kubernetes.io/name: redis
+      - matchLabels:
+          app.kubernetes.io/component: core
+          app.kubernetes.io/name: harbor
+      - matchLabels:
+          reserved: host
+    toPorts:
+      - ports:
+          - port: "6379"
+            protocol: TCP
+      - ports:
+          - port: "26379"
+            protocol: TCP
+  - fromEndpoints:
+      - matchLabels:
+          reserved: all
+    toPorts:
+      - ports:
+          - port: "9121"
+            protocol: TCP
+  egress:
+  - toEndpoints:
+      - matchLabels:
+          app.kubernetes.io/instance: redis
+          app.kubernetes.io/name: redis
+    toPorts:
+      - ports:
+          - port: "6379"
+            protocol: TCP
+          - port: "26379"
+            protocol: TCP
+  - toEndpoints:
+      - matchLabels:
+          app.kubernetes.io/instance: redis
+          app.kubernetes.io/name: redis
+    toPorts:
+      - ports:
+          - port: "53"
+            protocol: UDP
+{{- end }}
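Review bot: The peers written as `matchLabels: {reserved: host}` and `matchLabels: {reserved: all}` under `fromEndpoints` most likely select nothing, because Cilium's reserved identities carry the label `reserved:host` (source `reserved`, key `host`), not a key `reserved` with the value `host`; the documented way to name them is `fromEntities`. The last egress rule has a similar mismatch: it allows UDP 53 only towards the redis pods themselves, so once this policy puts the redis endpoints into egress default-deny they cannot reach the cluster DNS service. When correcting the 9121 rule, consider `cluster` rather than `all` so the exporter is not opened to sources outside the cluster, unless Prometheus really scrapes from outside. The fence below sketches the three rules, with the entity peers as separate rules rather than mixed into the `fromEndpoints` rule; the kube-dns labels are the usual defaults and should be checked against this cluster.

```yaml
  ingress:
  # … unchanged: redis-client, redis and harbor core peers on 6379/26379 …
  - fromEntities:
      - host
    toPorts:
      - ports:
          - port: "6379"
            protocol: TCP
          - port: "26379"
            protocol: TCP
  - fromEntities:
      - cluster
    toPorts:
      - ports:
          - port: "9121"
            protocol: TCP
  egress:
  # … unchanged: redis-to-redis rule on 6379/26379 …
  - toEndpoints:
      - matchLabels:
          "k8s:io.kubernetes.pod.namespace": kube-system
          k8s-app: kube-dns
    toPorts:
      - ports:
          - port: "53"
            protocol: UDP
          - port: "53"
            protocol: TCP
```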
diff --git a/values.yaml b/values.yaml
index ae0ca2e..3b15ef1 100644
--- a/values.yaml
+++ b/values.yaml
@@ -271,25 +271,7 @@ redis:
     enabled: false
     sentinel: false
   networkPolicy:
-    enabled: true
-    allowExternal: false
-    allowExternalEgress: false
-    extraIngress:
-      - ports:
-        - port: 6379
-          from:
-            - podSelector:
-              - matchLabels:
-                  app.kubernetes.io/component: core
-                  app.kubernetes.io/name: harbor
-        - port: 26379
-          from:
-            - podSelector:
-              - matchLabels:
-                  app.kubernetes.io/component: core
-                  app.kubernetes.io/name: harbor
-    metrics:
-      allowExternal: true
+    enabled: false # see ./templates/netpol-redis.yaml for cilium based policy.
   persistence:
     enabled: false
   master:
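Review bot: Setting `networkPolicy.enabled: false` removes the subchart's own policy, so redis is restricted only when templates/netpol-redis.yaml actually selects the redis pods, and that file hard-codes `app.kubernetes.io/instance: redis`. If the subchart derives the instance label from the release name, as Helm charts commonly do, a release named anything else leaves redis with no policy at all, and nothing reports it. It would be worth saying so on this line, e.g. `enabled: false  # replaced by templates/netpol-redis.yaml (CiliumNetworkPolicy); needs Cilium and pod labels matching its endpointSelector`, and checking after deploy that the policy really selects the redis endpoints. The `redis:` block starts before and continues after this hunk.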
-- 
GitLab