Vault network policy - update (#128)

* Fixing db network policy bug, adding new qtodo egress network policies and default deny network policy

* cleaning all changes

* db network policy file change

* feat: add qtodo egress NetworkPolicy (port-restricted, no default-deny)

* fixing the namespace name

* changing the ingress policy, to allow qtodo correct network communication

* NP tweaks

* removing egress qtodo network policies due to problems with OVN-K and later broken DNS

* sync with PR#125

* Pushing correct, fully covered network polices, with correct DNS port and Keycloak port

* openshift-ingress labels update, because policy-group.network.openshift.io/ingress: triggers OVN-K's special ACL handling for host-network traffic

* changing the namespaceSelector: for Keycloak, because here Keycloak asnwers on both an internal hostname (for back-channel) and an external hostname (for browser redirects)

* Adding default deny policy

* Testing Vault ingress/egress network policies

* Testing Vault network policies

* adding Vault network policies

---------

Co-authored-by: Przemyslaw Roguski <proguski@proguski-thinkpadp1gen7.rmtpl.csb>

Author: p-rog

overrides/values-vault-network-policy.yaml

@@ -0,0 +1,72 @@
+defaultDenyNetworkPolicy:
+  enabled: true
+
+vault:
+  server:
+    networkPolicy:
+      enabled: true
+      ingress:
+        # OCP router — vault Route (reencrypt TLS, UI and API)
+        # Router pods use hostNetwork:true — requires OVN-K policy-group label
+        - ports:
+          - protocol: TCP
+            port: 8200
+          from:
+          - namespaceSelector:
+              matchLabels:
+                policy-group.network.openshift.io/ingress: ""
+        # qtodo namespace — spiffe-vault-client sidecar authenticates via SPIFFE JWT
+        - ports:
+          - protocol: TCP
+            port: 8200
+          from:
+          - namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: qtodo
+        # Vault cluster replication port — HA readiness
+        - ports:
+          - protocol: TCP
+            port: 8201
+          from:
+          - podSelector:
+              matchLabels:
+                app.kubernetes.io/name: vault
+                component: server
+      egress:
+        # DNS resolution via CoreDNS — OCP uses port 5353
+        - ports:
+          - protocol: UDP
+            port: 5353
+          - protocol: TCP
+            port: 5353
+          to:
+          - namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: openshift-dns
+        # SPIRE OIDC discovery provider — Vault JWT auth fetches JWKS
+        # Service port 443 -> pod port 8443, both included for OVN-K DNAT
+        - ports:
+          - protocol: TCP
+            port: 443
+          - protocol: TCP
+            port: 8443
+          to:
+          - namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: zero-trust-workload-identity-manager
+        # Vault cluster replication — outbound to peer Vault pods (HA readiness)
+        - ports:
+          - protocol: TCP
+            port: 8201
+          to:
+          - podSelector:
+              matchLabels:
+                app.kubernetes.io/name: vault
+                component: server
+        # Kubernetes API server — TokenReview for ESO service account validation
+        # ClusterIP service is 172.x:443, DNAT to node IPs on 6443
+        - ports:
+          - protocol: TCP
+            port: 443
+          - protocol: TCP
+            port: 6443

values-hub.yaml

@@ -320,6 +320,8 @@ clusterGroup:
       project: hub
       chart: hashicorp-vault
       chartVersion: 0.1.*
+      extraValueFiles:
+        - /overrides/values-vault-network-policy.yaml
       annotations:
         argocd.argoproj.io/sync-wave: "25"
       # Custom Vault policies for least-privilege access