feat: Add possibility to specify custom, global Network Policies (#952)

ppawlowski · web-flow · commit fdf4abc5f501 · 2026-06-26T12:25:07.000+02:00
diff --git a/helm/flowfuse/README.md b/helm/flowfuse/README.md
@@ -35,9 +35,9 @@ For other values please refer to the documentation below.
  - `forge.projectSelector` a collection of labels and values to filter nodes that Project Pods will run on (default `role: projects`)
  - `forge.projectNamespace` namespace Project Pods will run in (default `flowforge`)
  - `forge.projectDeploymentTolerations` tolerations settings for Project instances. Default is `[]`.
- - `forge.projectNetworkPolicy.enabled` specified if [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) should be created for project pods ( default `false`)
- - `forge.projectNetworkPolicy.ingress` a list of ingress rules for the [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) applied on project pods ( default `[]`)
- - `forge.projectNetworkPolicy.egress` a list of egress rules for the [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) applied in project pods ( default `[]`)
+ - `forge.projectNetworkPolicy.enabled` **DEPRECATED** (use the top-level [`networkPolicies`](#network-policies) value instead) specified if [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) should be created for project pods ( default `false`)
+ - `forge.projectNetworkPolicy.ingress` **DEPRECATED** (use the top-level [`networkPolicies`](#network-policies) value instead) a list of ingress rules for the [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) applied on project pods ( default `[]`)
+ - `forge.projectNetworkPolicy.egress` **DEPRECATED** (use the top-level [`networkPolicies`](#network-policies) value instead) a list of egress rules for the [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) applied in project pods ( default `[]`)
  - `forge.projectIngressClassName` ingress class name for project instances (default is `ingress.className` value if set, otherwise `"""`)
  - `forge.projectIngressAnnotations` ingress annotations for project instances (default is `{}`)
  - `forge.projectServiceType` service type for project instances (allowed `ClusterIP` or `NodePort`, default is `ClusterIP`)
@@ -391,6 +391,46 @@ readinessProbe:
   failureThreshold: 3
 ```
 
+### Network Policies
+
+The chart can deploy arbitrary [NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) via the top-level `networkPolicies` value. It is a map keyed by policy name; each entry renders one `NetworkPolicy`. The chart owns `apiVersion`, `kind`, `metadata.name` (the map key), labels and namespace, while `spec` is rendered as-is. Full Helm templating is supported in both keys and values (`.Release.*`, `.Values.*`, helper functions), so policies can target any namespace and any pods.
+
+- `networkPolicies` map of custom NetworkPolicies to deploy as part of this release. Helm templating is supported. (default `{}`)
+  - `<name>.namespace` namespace the policy is created in (default is the release namespace)
+  - `<name>.labels` extra labels merged onto the chart labels (default `{}`)
+  - `<name>.annotations` annotations applied to the policy (default `{}`)
+  - `<name>.spec` the [NetworkPolicy spec](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/network-policy-v1/#NetworkPolicySpec), rendered verbatim (required)
+
+> **Note:** `forge.projectNetworkPolicy` is deprecated in favour of this value. To reproduce it, target the project namespace and the `nodered: "true"` pods (see the example below).
+
+Example:
+
+```yaml
+networkPolicies:
+  # Equivalent of the deprecated forge.projectNetworkPolicy
+  flowfuse-projects-policy:
+    namespace: "{{ .Values.forge.projectNamespace }}"
+    spec:
+      podSelector:
+        matchLabels:
+          nodered: "true"
+      policyTypes:
+        - Ingress
+        - Egress
+      ingress:
+        - from:
+            - podSelector: {}
+      egress:
+        - to:
+            - namespaceSelector: {}
+  # Deny all ingress to the release namespace by default
+  default-deny-ingress:
+    spec:
+      podSelector: {}
+      policyTypes:
+        - Ingress
+```
+
 ### Extra Objects
 
 The chart supports deploying arbitrary Kubernetes manifests alongside the main release via `extraObjects`. Each item is rendered as-is, with full Helm templating support (`.Release.*`, `.Values.*`, helper functions).
diff --git a/helm/flowfuse/templates/NOTES.txt b/helm/flowfuse/templates/NOTES.txt
@@ -1,3 +1,21 @@
 Thank you for installing {{ .Chart.Name }} v{{ .Chart.AppVersion }}
 
-You can complete the setup wizard at {{ if .Values.forge.entryPoint }}http{{- if .Values.forge.https -}}s{{- end -}}://{{ .Values.forge.entryPoint }}{{- else }}http{{- if .Values.forge.https -}}s{{- end -}}://forge.{{ .Values.forge.domain }}{{- end }}
+You can complete the setup wizard at {{ if .Values.forge.entryPoint }}http{{- if .Values.forge.https -}}s{{- end -}}://{{ .Values.forge.entryPoint }}{{- else }}http{{- if .Values.forge.https -}}s{{- end -}}://forge.{{ .Values.forge.domain }}{{- end }}
+{{ if (((.Values.forge).projectNetworkPolicy).enabled) }}
+[DEPRECATION WARNING] `forge.projectNetworkPolicy` is deprecated and will be
+removed in a future release. Please migrate to the top-level `networkPolicies`
+value, which can express the same policy:
+
+  networkPolicies:
+    flowfuse-projects-policy:
+      namespace: "{{ "{{" }} .Values.forge.projectNamespace {{ "}}" }}"
+      spec:
+        podSelector:
+          matchLabels:
+            nodered: "true"
+        policyTypes:
+          - Ingress
+          - Egress
+        ingress: []   # your forge.projectNetworkPolicy.ingress rules
+        egress: []    # your forge.projectNetworkPolicy.egress rules
+{{- end }}
diff --git a/helm/flowfuse/templates/network-policies.yaml b/helm/flowfuse/templates/network-policies.yaml
@@ -0,0 +1,19 @@
+{{- range $name, $policy := .Values.networkPolicies }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ tpl $name $ }}
+  namespace: {{ tpl ($policy.namespace | default $.Release.Namespace) $ }}
+  labels:
+    {{- include "forge.labels" $ | nindent 4 }}
+    {{- with $policy.labels }}
+    {{- tpl (toYaml .) $ | nindent 4 }}
+    {{- end }}
+  {{- with $policy.annotations }}
+  annotations:
+    {{- tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+spec:
+  {{- tpl (toYaml $policy.spec) $ | nindent 4 }}
+{{- end }}
diff --git a/helm/flowfuse/tests/network-policies_test.yaml b/helm/flowfuse/tests/network-policies_test.yaml
@@ -0,0 +1,146 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: test custom network policies
+templates:
+  - network-policies.yaml
+release:
+  name: flowfuse
+  namespace: default
+set:
+  forge.domain: "chart-unit-tests.com"
+
+tests:
+  - it: should not render anything when networkPolicies is empty (default)
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should render a single network policy
+    set:
+      networkPolicies:
+        deny-all-ingress:
+          spec:
+            podSelector: {}
+            policyTypes:
+              - Ingress
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: NetworkPolicy
+        documentIndex: 0
+      - isAPIVersion:
+          of: networking.k8s.io/v1
+        documentIndex: 0
+      - equal:
+          path: metadata.name
+          value: deny-all-ingress
+        documentIndex: 0
+      - equal:
+          path: spec.policyTypes
+          value:
+            - Ingress
+        documentIndex: 0
+
+  - it: should default namespace to the release namespace
+    set:
+      networkPolicies:
+        deny-all-ingress:
+          spec:
+            podSelector: {}
+            policyTypes:
+              - Ingress
+    asserts:
+      - equal:
+          path: metadata.namespace
+          value: default
+        documentIndex: 0
+
+  - it: should use the provided namespace when set
+    set:
+      networkPolicies:
+        deny-all-ingress:
+          namespace: custom-ns
+          spec:
+            podSelector: {}
+            policyTypes:
+              - Ingress
+    asserts:
+      - equal:
+          path: metadata.namespace
+          value: custom-ns
+        documentIndex: 0
+
+  - it: should inject chart labels and merge custom labels and annotations
+    set:
+      networkPolicies:
+        deny-all-ingress:
+          labels:
+            extra-label: value
+          annotations:
+            extra-annotation: value
+          spec:
+            podSelector: {}
+            policyTypes:
+              - Ingress
+    asserts:
+      - equal:
+          path: metadata.labels["app.kubernetes.io/managed-by"]
+          value: Helm
+        documentIndex: 0
+      - equal:
+          path: metadata.labels["extra-label"]
+          value: value
+        documentIndex: 0
+      - equal:
+          path: metadata.annotations["extra-annotation"]
+          value: value
+        documentIndex: 0
+
+  - it: should render multiple network policies
+    set:
+      networkPolicies:
+        deny-all-ingress:
+          spec:
+            podSelector: {}
+            policyTypes:
+              - Ingress
+        allow-egress:
+          spec:
+            podSelector: {}
+            policyTypes:
+              - Egress
+    asserts:
+      - hasDocuments:
+          count: 2
+      - containsDocument:
+          apiVersion: networking.k8s.io/v1
+          kind: NetworkPolicy
+          name: deny-all-ingress
+          any: true
+      - containsDocument:
+          apiVersion: networking.k8s.io/v1
+          kind: NetworkPolicy
+          name: allow-egress
+          any: true
+
+  - it: should support Helm templating in namespace and spec
+    set:
+      forge.projectNamespace: my-projects
+      networkPolicies:
+        flowfuse-projects-policy:
+          namespace: "{{ .Values.forge.projectNamespace }}"
+          spec:
+            podSelector:
+              matchLabels:
+                nodered: "true"
+            policyTypes:
+              - Ingress
+    asserts:
+      - equal:
+          path: metadata.namespace
+          value: my-projects
+        documentIndex: 0
+      - equal:
+          path: spec.podSelector.matchLabels.nodered
+          value: "true"
+        documentIndex: 0
diff --git a/helm/flowfuse/values.schema.json b/helm/flowfuse/values.schema.json
@@ -144,6 +144,7 @@
                 },
                 "projectNetworkPolicy": {
                     "type": "object",
+                    "description": "DEPRECATED: use the top-level `networkPolicies` value instead. This block still works but will be removed in a future release.",
                     "properties": {
                         "egress": {
                             "type": "array"
@@ -1367,6 +1368,29 @@
             }
         }
     },
+    "networkPolicies": {
+        "type": "object",
+        "description": "Custom NetworkPolicies to deploy as part of this release, keyed by policy name. Helm templating is supported.",
+        "default": {},
+        "additionalProperties": {
+            "type": "object",
+            "properties": {
+                "namespace": {
+                    "type": "string"
+                },
+                "labels": {
+                    "type": "object"
+                },
+                "annotations": {
+                    "type": "object"
+                },
+                "spec": {
+                    "type": "object"
+                }
+            },
+            "required": ["spec"]
+        }
+    },
     "extraObjects": {
         "type": "array",
         "description": "Extra Kubernetes manifests to deploy as part of this release. Helm templating is supported.",
diff --git a/helm/flowfuse/values.yaml b/helm/flowfuse/values.yaml
@@ -8,6 +8,8 @@ forge:
   projectSelector:
     role: projects
   projectDeploymentTolerations: []
+  # DEPRECATED: use the top-level `networkPolicies` value instead.
+  # This block still works but will be removed in a future release.
   projectNetworkPolicy:
     enabled: false
   projectIngressAnnotations: {}
@@ -412,6 +414,25 @@ ingressMigration:
   # Tolerations
   tolerations: []
 
+# Custom NetworkPolicies to deploy as part of this release.
+# A map keyed by policy name; each entry renders a single NetworkPolicy.
+# `namespace` defaults to the release namespace. `spec` is rendered verbatim.
+# Supports Helm templating in keys and values (e.g. .Release.Name, .Values.*).
+networkPolicies: {}
+# allow-projects-ingress:
+#   namespace: "{{ .Values.forge.projectNamespace }}"
+#   labels: {}
+#   annotations: {}
+#   spec:
+#     podSelector:
+#       matchLabels:
+#         nodered: "true"
+#     policyTypes:
+#       - Ingress
+#     ingress:
+#       - from:
+#           - podSelector: {}
+
 # Extra Kubernetes manifests to deploy as part of this release.
 # Supports Helm templating (e.g. .Release.Name, .Values.*).
 extraObjects: []
