From b679b66f86820372afd7cb53b1cce346e2c0de69 Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Wed, 24 Jun 2026 16:56:50 +0200
Subject: [PATCH 1/5] Add NetworkPolicy resources template
---
 helm/flowfuse/templates/network-policies.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 helm/flowfuse/templates/network-policies.yaml
diff --git a/helm/flowfuse/templates/network-policies.yaml b/helm/flowfuse/templates/network-policies.yaml
new file mode 100644
index 00000000..33ba5fdb
--- /dev/null
+++ b/helm/flowfuse/templates/network-policies.yaml
@@ -0,0 +1,19 @@
+{{- range $name, $policy := .Values.networkPolicies }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ tpl $name $ }}
+ namespace: {{ tpl ($policy.namespace | default $.Release.Namespace) $ }}
+ labels:
+ {{- include "forge.labels" $ | nindent 4 }}
+ {{- with $policy.labels }}
+ {{- tpl (toYaml .) $ | nindent 4 }}
+ {{- end }}
+ {{- with $policy.annotations }}
+ annotations:
+ {{- tpl (toYaml .) $ | nindent 4 }}
+ {{- end }}
+spec:
+ {{- tpl (toYaml $policy.spec) $ | nindent 4 }}
+{{- end }}
From c94d842416df1ce54aef7f9276b3927d6d79282e Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Wed, 24 Jun 2026 16:57:14 +0200
Subject: [PATCH 2/5] Add values and schema files
---
 helm/flowfuse/values.schema.json | 24 ++++++++++++++++++++++++
 helm/flowfuse/values.yaml | 21 +++++++++++++++++++++
 2 files changed, 45 insertions(+)
diff --git a/helm/flowfuse/values.schema.json b/helm/flowfuse/values.schema.json
index 0679b41f..29fa8949 100644
--- a/helm/flowfuse/values.schema.json
+++ b/helm/flowfuse/values.schema.json
@@ -144,6 +144,7 @@
 },
 "projectNetworkPolicy": {
 "type": "object",
+ "description": "DEPRECATED: use the top-level `networkPolicies` value instead. This block still works but will be removed in a future release.",
 "properties": {
 "egress": {
 "type": "array"
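Review bot: `labels:` concatenates the output of `include "forge.labels"` with the user's `$policy.labels` instead of merging them, so a user label whose key matches a chart label (this series' README describes the labels as merged) produces a duplicate mapping key in the rendered manifest, which YAML parsers either reject or resolve by silently keeping the last value. Merging the two maps before emitting them avoids that, assuming `forge.labels` emits a flat mapping (the helper is outside this patch). The neighbouring `namespace:` line has a related ordering problem: `default` runs before `tpl`, so a namespace that templates to an empty string is emitted empty rather than falling back to the release namespace; `namespace: {{ tpl ($policy.namespace | default "") $ | default $.Release.Namespace }}` defaults after expansion.
```yaml
metadata:
  name: {{ tpl $name $ }}
  namespace: {{ tpl ($policy.namespace | default "") $ | default $.Release.Namespace }}
  labels:
    {{- $labels := include "forge.labels" $ | fromYaml }}
    {{- with $policy.labels }}
    {{- $labels = mergeOverwrite $labels (tpl (toYaml .) $ | fromYaml) }}
    {{- end }}
    {{- toYaml $labels | nindent 4 }}
  # … unchanged: annotations block and spec …
```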
@@ -1367,6 +1368,29 @@
 }
 }
 },
+ "networkPolicies": {
+ "type": "object",
+ "description": "Custom NetworkPolicies to deploy as part of this release, keyed by policy name. Helm templating is supported.",
+ "default": {},
+ "additionalProperties": {
+ "type": "object",
+ "properties": {
+ "namespace": {
+ "type": "string"
+ },
+ "labels": {
+ "type": "object"
+ },
+ "annotations": {
+ "type": "object"
+ },
+ "spec": {
+ "type": "object"
+ }
+ },
+ "required": ["spec"]
+ }
+ },
 "extraObjects": {
 "type": "array",
 "description": "Extra Kubernetes manifests to deploy as part of this release. Helm templating is supported.",
diff --git a/helm/flowfuse/values.yaml b/helm/flowfuse/values.yaml
index f6564046..e6c08e53 100644
--- a/helm/flowfuse/values.yaml
+++ b/helm/flowfuse/values.yaml
@@ -8,6 +8,8 @@ forge:
 projectSelector:
 role: projects
 projectDeploymentTolerations: []
+ # DEPRECATED: use the top-level `networkPolicies` value instead.
+ # This block still works but will be removed in a future release.
 projectNetworkPolicy:
 enabled: false
 projectIngressAnnotations: {}
@@ -412,6 +414,25 @@ ingressMigration:
 # Tolerations
 tolerations: []
+# Custom NetworkPolicies to deploy as part of this release.
+# A map keyed by policy name; each entry renders a single NetworkPolicy.
+# `namespace` defaults to the release namespace. `spec` is rendered verbatim.
+# Supports Helm templating in keys and values (e.g. .Release.Name, .Values.*).
+networkPolicies: {}
+# allow-projects-ingress:
+# namespace: "{{ .Values.forge.projectNamespace }}"
+# labels: {}
+# annotations: {}
+# spec:
+# podSelector:
+# matchLabels:
+# nodered: "true"
+# policyTypes:
+# - Ingress
+# ingress:
+# - from:
+# - podSelector: {}
+
 # Extra Kubernetes manifests to deploy as part of this release.
 # Supports Helm templating (e.g. .Release.Name, .Values.*).
 extraObjects: []
From 7f26ba875ec3274181c2efa9bb4593e1755cad25 Mon Sep 17 00:00:00 2001
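Review bot: The per-policy object under `additionalProperties` does not set `additionalProperties: false`, so a misspelled key (a typo in `namespace`, say) passes validation, is ignored by the template, and the policy lands in the release namespace instead of the intended one; for a network-isolation control that is a silent failure worth rejecting at install time. Adding `"additionalProperties": false,` beside `"required": ["spec"]` closes it. The `spec` schema is only `"type": "object"`; if the API requires `podSelector` (it does in `networking.k8s.io/v1` as far as I recall, verify), a `"required": ["podSelector"]` there would catch the most common omission before the apiserver does.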
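Review bot: The commented `allow-projects-ingress` example ends with `- from:` / `- podSelector: {}`, which admits traffic from every pod in the policy's namespace, but nothing in the comment says so, and operators tend to copy these blocks as-is. A line above that rule such as `# allows ingress from every pod in the same namespace` makes the effect explicit. The header comment also says `spec` is rendered verbatim while the next line says templating applies to values; `spec` is rendered verbatim after Helm templating states both.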
From: ppawlowski
Date: Wed, 24 Jun 2026 16:57:36 +0200
Subject: [PATCH 3/5] Add deprecation warning to the notes file
---
 helm/flowfuse/templates/NOTES.txt | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/helm/flowfuse/templates/NOTES.txt b/helm/flowfuse/templates/NOTES.txt
index ad6cf2fd..a8b4fdb4 100644
--- a/helm/flowfuse/templates/NOTES.txt
+++ b/helm/flowfuse/templates/NOTES.txt
@@ -1,3 +1,21 @@
 Thank you for installing {{ .Chart.Name }} v{{ .Chart.AppVersion }}
-You can complete the setup wizard at {{ if .Values.forge.entryPoint }}http{{- if .Values.forge.https -}}s{{- end -}}://{{ .Values.forge.entryPoint }}{{- else }}http{{- if .Values.forge.https -}}s{{- end -}}://forge.{{ .Values.forge.domain }}{{- end }}
\ No newline at end of file
+You can complete the setup wizard at {{ if .Values.forge.entryPoint }}http{{- if .Values.forge.https -}}s{{- end -}}://{{ .Values.forge.entryPoint }}{{- else }}http{{- if .Values.forge.https -}}s{{- end -}}://forge.{{ .Values.forge.domain }}{{- end }}
+{{ if (((.Values.forge).projectNetworkPolicy).enabled) }}
+[DEPRECATION WARNING] `forge.projectNetworkPolicy` is deprecated and will be
+removed in a future release. Please migrate to the top-level `networkPolicies`
+value, which can express the same policy:
+
+ networkPolicies:
+ flowfuse-projects-policy:
+ namespace: "{{ "{{" }} .Values.forge.projectNamespace {{ "}}" }}"
+ spec:
+ podSelector:
+ matchLabels:
+ nodered: "true"
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress: [] # your forge.projectNetworkPolicy.ingress rules
+ egress: [] # your forge.projectNetworkPolicy.egress rules
+{{- end }}
\ No newline at end of file
From 95ebf3d644193fb1a24d8cf79ec9aee03fc15077 Mon Sep 17 00:00:00 2001
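Review bot: The migration snippet sets `policyTypes` to both `Ingress` and `Egress` while the placeholder `ingress: []` and `egress: []` entries are empty, so an operator who copies it and fills in only one side ends up denying all traffic of the other type (DNS egress included); the trailing comments should say so. Suggested: `ingress: [] # your forge.projectNetworkPolicy.ingress rules (an empty list denies all ingress)` and the matching wording for `egress`. Whether the existing `projectNetworkPolicy` template behaves the same with empty lists is outside this patch; if it differs, the notes should say so rather than state equivalence.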
From: ppawlowski
Date: Wed, 24 Jun 2026 16:57:45 +0200
Subject: [PATCH 4/5] Add unit tests
---
 .../flowfuse/tests/network-policies_test.yaml | 146 ++++++++++++++++++
 1 file changed, 146 insertions(+)
 create mode 100644 helm/flowfuse/tests/network-policies_test.yaml
diff --git a/helm/flowfuse/tests/network-policies_test.yaml b/helm/flowfuse/tests/network-policies_test.yaml
new file mode 100644
index 00000000..e61eb1ba
--- /dev/null
+++ b/helm/flowfuse/tests/network-policies_test.yaml
@@ -0,0 +1,146 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: test custom network policies
+templates:
+ - network-policies.yaml
+release:
+ name: flowfuse
+ namespace: default
+set:
+ forge.domain: "chart-unit-tests.com"
+
+tests:
+ - it: should not render anything when networkPolicies is empty (default)
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should render a single network policy
+ set:
+ networkPolicies:
+ deny-all-ingress:
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: NetworkPolicy
+ documentIndex: 0
+ - isAPIVersion:
+ of: networking.k8s.io/v1
+ documentIndex: 0
+ - equal:
+ path: metadata.name
+ value: deny-all-ingress
+ documentIndex: 0
+ - equal:
+ path: spec.policyTypes
+ value:
+ - Ingress
+ documentIndex: 0
+
+ - it: should default namespace to the release namespace
+ set:
+ networkPolicies:
+ deny-all-ingress:
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ asserts:
+ - equal:
+ path: metadata.namespace
+ value: default
+ documentIndex: 0
+
+ - it: should use the provided namespace when set
+ set:
+ networkPolicies:
+ deny-all-ingress:
+ namespace: custom-ns
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ asserts:
+ - equal:
+ path: metadata.namespace
+ value: custom-ns
+ documentIndex: 0
+
+ - it: should inject chart labels and merge custom labels and annotations
+ set:
+ networkPolicies:
+ deny-all-ingress:
+ labels:
+ extra-label: value
+ annotations:
+ extra-annotation: value
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ asserts:
+ - equal:
+ path: metadata.labels["app.kubernetes.io/managed-by"]
+ value: Helm
+ documentIndex: 0
+ - equal:
+ path: metadata.labels["extra-label"]
+ value: value
+ documentIndex: 0
+ - equal:
+ path: metadata.annotations["extra-annotation"]
+ value: value
+ documentIndex: 0
+
+ - it: should render multiple network policies
+ set:
+ 
networkPolicies:
+ deny-all-ingress:
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ allow-egress:
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ asserts:
+ - hasDocuments:
+ count: 2
+ - containsDocument:
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: deny-all-ingress
+ any: true
+ - containsDocument:
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: allow-egress
+ any: true
+
+ - it: should support Helm templating in namespace and spec
+ set:
+ forge.projectNamespace: my-projects
+ networkPolicies:
+ flowfuse-projects-policy:
+ namespace: "{{ .Values.forge.projectNamespace }}"
+ spec:
+ podSelector:
+ matchLabels:
+ nodered: "true"
+ policyTypes:
+ - Ingress
+ asserts:
+ - equal:
+ path: metadata.namespace
+ value: my-projects
+ documentIndex: 0
+ - equal:
+ path: spec.podSelector.matchLabels.nodered
+ value: "true"
+ documentIndex: 0
From 8fcbae89d16deaa352146ed4b705276ddf02668c Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Wed, 24 Jun 2026 16:58:05 +0200
Subject: [PATCH 5/5] Update readme
---
 helm/flowfuse/README.md | 46 +++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 43 insertions(+), 3 deletions(-)
diff --git a/helm/flowfuse/README.md b/helm/flowfuse/README.md
index 3e50483b..f460d76b 100644
--- a/helm/flowfuse/README.md
+++ b/helm/flowfuse/README.md
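Review bot: None of the cases exercises the `with` guards or the `tpl $name $` path: the single-policy test could pin that no empty `annotations:` block is emitted, and no test renders a templated map key. There is also no case for a custom label whose key collides with a chart label, which is where the template's label concatenation is most likely to misbehave, nor one that leaves `spec` out to confirm the schema rejects it (whether helm-unittest applies `values.schema.json` depends on the version in use, so verify). Suggested addition to the single-policy test's asserts: `- notExists: {path: metadata.annotations, documentIndex: 0}`.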
@@ -35,9 +35,9 @@ For other values please refer to the documentation below.
 - `forge.projectSelector` a collection of labels and values to filter nodes that Project Pods will run on (default `role: projects`)
 - `forge.projectNamespace` namespace Project Pods will run in (default `flowforge`)
 - `forge.projectDeploymentTolerations` tolerations settings for Project instances. Default is `[]`.
- - `forge.projectNetworkPolicy.enabled` specified if [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) should be created for project pods ( default `false`)
- - `forge.projectNetworkPolicy.ingress` a list of ingress rules for the [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) applied on project pods ( default `[]`)
- - `forge.projectNetworkPolicy.egress` a list of egress rules for the [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) applied in project pods ( default `[]`)
+ - `forge.projectNetworkPolicy.enabled` **DEPRECATED** (use the top-level [`networkPolicies`](#network-policies) value instead) specified if [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) should be created for project pods ( default `false`)
+ - `forge.projectNetworkPolicy.ingress` **DEPRECATED** (use the top-level [`networkPolicies`](#network-policies) value instead) a list of ingress rules for the [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) applied on project pods ( default `[]`)
+ - `forge.projectNetworkPolicy.egress` **DEPRECATED** (use the top-level [`networkPolicies`](#network-policies) value instead) a list of egress rules for the [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) applied in project pods ( default `[]`)
 - `forge.projectIngressClassName` ingress class name for project instances (default is `ingress.className` value if set, 
otherwise `"""`)
 - `forge.projectIngressAnnotations` ingress annotations for project instances (default is `{}`)
 - `forge.projectServiceType` service type for project instances (allowed `ClusterIP` or `NodePort`, default is `ClusterIP`)
@@ -391,6 +391,46 @@ readinessProbe:
 failureThreshold: 3
 ```
+### Network Policies
+
+The chart can deploy arbitrary [NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) via the top-level `networkPolicies` value. It is a map keyed by policy name; each entry renders one `NetworkPolicy`. The chart owns `apiVersion`, `kind`, `metadata.name` (the map key), labels and namespace, while `spec` is rendered as-is. Full Helm templating is supported in both keys and values (`.Release.*`, `.Values.*`, helper functions), so policies can target any namespace and any pods.
+
+- `networkPolicies` map of custom NetworkPolicies to deploy as part of this release. Helm templating is supported. (default `{}`)
+ - `.namespace` namespace the policy is created in (default is the release namespace)
+ - `.labels` extra labels merged onto the chart labels (default `{}`)
+ - `.annotations` annotations applied to the policy (default `{}`)
+ - `.spec` the [NetworkPolicy spec](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/network-policy-v1/#NetworkPolicySpec), rendered verbatim (required)
+
+> **Note:** `forge.projectNetworkPolicy` is deprecated in favour of this value. To reproduce it, target the project namespace and the `nodered: "true"` pods (see the example below).
+
+Example:
+
+```yaml
+networkPolicies:
+ # Equivalent of the deprecated forge.projectNetworkPolicy
+ flowfuse-projects-policy:
+ namespace: "{{ .Values.forge.projectNamespace }}"
+ spec:
+ podSelector:
+ matchLabels:
+ nodered: "true"
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - podSelector: {}
+ egress:
+ - to:
+ - namespaceSelector: {}
+ # Deny all ingress to the release namespace by default
+ default-deny-ingress:
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+```
+
 ### Extra Objects
 The chart supports deploying arbitrary Kubernetes manifests alongside the main release via `extraObjects`. 
Each item is rendered as-is, with full Helm templating support (`.Release.*`, `.Values.*`, helper functions).