Network policy for the qtodo (#126)

p-rog · Przemyslaw Roguski · web-flow · commit 66b276659662 · 2026-04-23T17:02:20.000-05:00
* Fixing db network policy bug, adding new qtodo egress network policies and default deny network policy

* cleaning all changes

* db network policy file change

* feat: add qtodo egress NetworkPolicy (port-restricted, no default-deny)

* fixing the namespace name

* changing the ingress policy, to allow qtodo correct network communication

* NP tweaks

* removing egress qtodo network policies due to problems with OVN-K and later broken DNS

* sync with PR#125

* Pushing correct, fully covered network polices, with correct DNS port and Keycloak port

* openshift-ingress labels update, because policy-group.network.openshift.io/ingress: triggers OVN-K's special ACL handling for host-network traffic

* changing the namespaceSelector: for Keycloak, because here Keycloak asnwers on both an internal hostname (for back-channel) and an external hostname (for browser redirects)

* Adding default deny policy

---------

Co-authored-by: Przemyslaw Roguski &lt;proguski@proguski-thinkpadp1gen7.rmtpl.csb&gt;
diff --git a/charts/qtodo/templates/db-network-policy.yaml b/charts/qtodo/templates/db-network-policy.yaml
diff --git a/charts/qtodo/templates/default-deny-network-policy.yaml b/charts/qtodo/templates/default-deny-network-policy.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-in-namespace-qtodo
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
diff --git a/charts/qtodo/templates/network-policy.yaml b/charts/qtodo/templates/network-policy.yaml
diff --git a/charts/qtodo/templates/qtodo-db-network-policy.yaml b/charts/qtodo/templates/qtodo-db-network-policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: qtodo-db-network-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: qtodo-db
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # PostgreSQL — only from qtodo app pods in the same namespace
+  - ports:
+    - protocol: TCP
+      port: 5432
+    from:
+    - podSelector:
+        matchLabels:
+          app: qtodo
+  egress:
+  # DNS resolution via CoreDNS — OCP uses port 5353 (not 53)
+  - ports:
+    - protocol: UDP
+      port: 5353
+    - protocol: TCP
+      port: 5353
+    to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-dns
diff --git a/charts/qtodo/templates/qtodo-network-policy.yaml b/charts/qtodo/templates/qtodo-network-policy.yaml
@@ -0,0 +1,57 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: qtodo-network-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: qtodo
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Only allow inbound traffic from the OpenShift router.
+  # Router pods use hostNetwork:true so traffic arrives from node IPs, not pod IPs.
+  # OVN-K requires the policy-group.network.openshift.io/ingress label (empty value)
+  # to generate the correct ACLs for host-network ingress traffic.
+  - ports:
+    - protocol: TCP
+      port: 8080
+    from:
+    - namespaceSelector:
+        matchLabels:
+          policy-group.network.openshift.io/ingress: ""
+  egress:
+  # DNS resolution via CoreDNS — OCP uses port 5353 (not 53)
+  - ports:
+    - protocol: UDP
+      port: 5353
+    - protocol: TCP
+      port: 5353
+    to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-dns
+  # PostgreSQL — qtodo-db pod in the same namespace
+  - ports:
+    - protocol: TCP
+      port: 5432
+    to:
+    - podSelector:
+        matchLabels:
+          app: qtodo-db
+  # Vault API — SPIFFE JWT auth for DB credentials retrieval
+  - ports:
+    - protocol: TCP
+      port: 8200
+    to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: vault
+  # Keycloak OIDC back-channel — external Route resolves to the router's load-balancer IP,
+  # which is not a pod IP in any namespace. namespaceSelector cannot match external IPs,
+  # so a port-only rule is required for the code-to-token exchange POST to work.
+  - ports:
+    - protocol: TCP
+      port: 443
diff --git a/charts/ztvp-certificates/values.yaml b/charts/ztvp-certificates/values.yaml
@@ -119,7 +119,7 @@ configMapName: ztvp-trusted-ca
 # are auto-injected into all workloads via the cluster network operator.
 # Required for workloads that verify TLS of routes (e.g., ACS Central reaching Keycloak).
 proxyCA:
-  enabled: false
+  enabled: true
   configMapName: ztvp-proxy-ca
 
 # Automatic rollout configuration
