From d7e917766e586c97f546a2a02a8f66d27497b4fb Mon Sep 17 00:00:00 2001
From: Martin Dekov
Date: Thu, 16 May 2019 09:55:30 -0700
Subject: [PATCH] Add network policies change
Adding network policies restriction to the openfaas and the openfaas-fn namespaces introduced by Matias in the openfaas-cloud repo
Signed-off-by: Martin Dekov
---
 README.md | 6 ++++++
 example.init.yaml | 3 +++
 main.go | 6 +++++-
 pkg/types/types.go | 1 +
 scripts/deploy-cloud-components.sh | 3 +++
 5 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 350a236..df6a3be 100644
--- a/README.md
+++ b/README.md
@@ -206,6 +206,12 @@ If you are planning on building functions using the `dockerfile` template you ne
 #### Enable scaling to zero
 If you want your functions to scale to zero then you need to set `scale_to_zero: true`.
+#### Toggle network policies
+
+Network policies restriction for the openfaas and openfaas-fn namespaces are applied by default. If you would like to remove that restriction set `network_policies: false`.
+
+When deployed, network policies restrict communication so that functions cannot talk to the core OpenFaaS components in the `openfaas` namespace. They also prevent functions from invoking each other directly. It is recommended to enable this feature.
+
 ### Run the `ofc-bootstrap`
 ```bash
diff --git a/example.init.yaml b/example.init.yaml
index 54b6544..aa589f5 100644
--- a/example.init.yaml
+++ b/example.init.yaml
@@ -242,3 +242,6 @@ enable_dockerfile_lang: false
 # Set to true to enable scaling to zero
 scale_to_zero: false
 openfaas_cloud_version: 0.9.4
+
+# Enable network policies
+network_policies: true
diff --git a/main.go b/main.go
index 56c4dd2..d67262d 100644
--- a/main.go
+++ b/main.go
@@ -607,11 +607,15 @@ func deployCloudComponents(plan types.Plan) error {
 if plan.SCM == "gitlab" {
 gitlabEnv = "GITLAB=true"
 }
+ networkPoliciesEnv := ""
+ if plan.NetworkPolicies {
+ networkPoliciesEnv = "ENABLE_NETWORK_POLICIES=true"
+ }
 task := execute.ExecTask{
 Command: "./scripts/deploy-cloud-components.sh",
 Shell: true,
- Env: []string{authEnv, gitlabEnv},
+ Env: []string{authEnv, gitlabEnv, networkPoliciesEnv},
 }
 res, err := task.Execute()
diff --git a/pkg/types/types.go b/pkg/types/types.go
index bdf8b80..a8da7d6 100644
--- a/pkg/types/types.go
+++ b/pkg/types/types.go
@@ -54,6 +54,7 @@ type Plan struct {
 EnableDockerfileLang bool `yaml:"enable_dockerfile_lang"`
 ScaleToZero bool `yaml:"scale_to_zero"`
 OpenFaaSCloudVersion string `yaml:"openfaas_cloud_version"`
+ NetworkPolicies bool `yaml:"network_policies"`
 }
 // Deployment is the deployment section of YAML concerning
diff --git a/scripts/deploy-cloud-components.sh b/scripts/deploy-cloud-components.sh
index 457f8fe..e841c2f 100755
--- a/scripts/deploy-cloud-components.sh
+++ b/scripts/deploy-cloud-components.sh
@@ -23,6 +23,9 @@ kubectl apply -f ./tmp/openfaas-cloud/yaml/core/edge-router-svc.yml
 kubectl apply -f ./tmp/openfaas-cloud/yaml/core/edge-auth-svc.yml
+if [ "$ENABLE_NETWORK_POLICIES" = "true" ] ; then
+ kubectl apply -f ./tmp/openfaas-cloud/yaml/network-policy/
+fi
 cd ./tmp/openfaas-cloud
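Review bot: In the main.go hunk, `networkPoliciesEnv` stays `""` when `plan.NetworkPolicies` is false, so `Env` carries an empty entry and the script never receives an explicit value for `ENABLE_NETWORK_POLICIES`. If `execute.ExecTask` also passes the parent environment through (not visible here), a value already exported in the operator's shell would decide whether the policies are applied, rather than the plan. Initialising with `networkPoliciesEnv := "ENABLE_NETWORK_POLICIES=false"` makes the plan authoritative in both cases. deployCloudComponents starts and ends outside the hunk.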
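Review bot: In the pkg/types/types.go hunk, `NetworkPolicies` is a plain `bool`, so an init.yaml written before this change, with no `network_policies` key, decodes to false and the policies are skipped, unless a default is set elsewhere before unmarshalling. That contradicts the README text added in this commit, which says the restriction is applied by default; only files copied from the updated example.init.yaml get `true`. Either declare the field as `*bool` and treat nil as enabled where deployCloudComponents reads it, or keep the type and add a field comment such as `// NetworkPolicies is false when the key is absent; set network_policies: true to isolate functions.` and correct the README wording. The Plan struct begins outside the hunk.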
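Review bot: In the scripts/deploy-cloud-components.sh hunk, the new branch only ever applies the manifests, so a run with `network_policies: false` against a cluster where they were applied earlier leaves them in place, which does not match the README's "remove that restriction". NetworkPolicy objects are also enforced only when the cluster's network plugin supports them, so a successful `kubectl apply` does not by itself confirm that functions are isolated. I would add a comment above the `if`, `# Enforced only by a CNI plugin with NetworkPolicy support; existing policies are not deleted when this flag is off.`, and repeat that caveat in the README section.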