Adds support to explicitly configure network policy in injector

Similar to the conversion around PR hashicorp#381, network policies are useful for the injector independent of openshift. This allows support for those use cases but similarly will require some configuration changes for openshift users.
ryanmt · Mar 9, 2021 · cef9c6b · cef9c6b
1 parent ff73577
commit cef9c6b
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/templates/injector-network-policy.yaml b/templates/injector-network-policy.yaml
@@ -1,4 +1,4 @@
-{{- if and (eq (.Values.injector.enabled | toString) "true" ) (and (eq (.Values.global.enabled | toString) "true") (eq (.Values.global.openshift | toString) "true") ) }}
+{{- if eq (.Values.injector.networkPolicy.enabled | toString) "true" }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:

diff --git a/test/unit/injector-network-policy.bats b/test/unit/injector-network-policy.bats
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "injector/network-policy: disabled by default" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/injector-network-policy.yaml  \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "injector/network-policy: enabled by injector.networkPolicy.enabled" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --set 'injector.networkPolicy.enabled=true' \
+      --show-only templates/injector-network-policy.yaml  \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
diff --git a/values.yaml b/values.yaml
@@ -156,6 +156,10 @@ injector:
   #   beta.kubernetes.io/arch: amd64
   nodeSelector: null
 
+  # Enables network policy for injector pods
+  networkPolicy:
+    enabled: false
+
   # Priority class for injector pods
   priorityClassName: ""