From 144143f33a0035e6afc10f06a367a2edd7a3e995 Mon Sep 17 00:00:00 2001
From: chainchad <96362174+chainchad@users.noreply.github.com>
Date: Mon, 5 Feb 2024 17:11:35 -0500
Subject: [PATCH 1/2] Re-add back network policies.

From commit: dc9a073ab7e67a66eed49dd74e6ac0da1787b24c
---
 .../templates/chainlink-db-networkpolicy.yaml | 23 +++++++++++
 .../chainlink-node-networkpolicy.yaml         | 19 +++++++++
 .../templates/geth-networkpolicy.yaml         | 25 +++++++++++
 .../templates/mockserver-networkpolicy.yaml   | 23 +++++++++++
 .../templates/networkpolicy-default.yaml      | 41 +++++++++++++++++++
 .../templates/runner-networkpolicy.yaml       | 19 +++++++++
 6 files changed, 150 insertions(+)
 create mode 100644 charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml
 create mode 100644 charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml
 create mode 100644 charts/chainlink-cluster/templates/geth-networkpolicy.yaml
 create mode 100644 charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml
 create mode 100644 charts/chainlink-cluster/templates/networkpolicy-default.yaml
 create mode 100644 charts/chainlink-cluster/templates/runner-networkpolicy.yaml

diff --git a/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml b/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml
new file mode 100644
index 00000000000..e5d029b7865
--- /dev/null
+++ b/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-db
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ $.Release.Name }}-db
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        # Allow all node pods to access the database pods.
+        - podSelector:
+            matchLabels:
+              app: {{ $.Release.Name }}
+        # Allow all runner pods to access the database pods.
+        - podSelector:
+            matchLabels:
+              app: runner
+      ports:
+        - protocol: TCP
+          port: 5432
diff --git a/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml b/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml
new file mode 100644
index 00000000000..321bc531626
--- /dev/null
+++ b/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-node
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ $.Release.Name }}
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow all ingress traffic between the node pods and from runner pod.
+    - from:
+      - podSelector:
+          matchLabels:
+            app: {{ $.Release.Name }}
+      - podSelector:
+          matchLabels:
+            app: runner
diff --git a/charts/chainlink-cluster/templates/geth-networkpolicy.yaml b/charts/chainlink-cluster/templates/geth-networkpolicy.yaml
new file mode 100644
index 00000000000..5be59136251
--- /dev/null
+++ b/charts/chainlink-cluster/templates/geth-networkpolicy.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-geth
+spec:
+  podSelector:
+    matchLabels:
+      app: geth
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        # Allow http and websocket connections from the node pods.
+        - podSelector:
+            matchLabels:
+              app: {{ $.Release.Name }}
+        # Allow http and websocket connections from the runner pods.
+        - podSelector:
+            matchLabels:
+              app: runner
+      ports:
+        - protocol: TCP
+          port: 8544
+        - protocol: TCP
+          port: 8546
diff --git a/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml b/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml
new file mode 100644
index 00000000000..074b1ab089a
--- /dev/null
+++ b/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-mockserver
+spec:
+  podSelector:
+    matchLabels:
+      app: mockserver
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        # Allow http traffic from the node pods.
+        - podSelector:
+            matchLabels:
+              app: {{ $.Release.Name }}
+        # Allow http traffic from the runner pods.
+        - podSelector:
+            matchLabels:
+              app: runner
+      ports:
+        - protocol: TCP
+          port: 1080
diff --git a/charts/chainlink-cluster/templates/networkpolicy-default.yaml b/charts/chainlink-cluster/templates/networkpolicy-default.yaml
new file mode 100644
index 00000000000..f2d9416cf15
--- /dev/null
+++ b/charts/chainlink-cluster/templates/networkpolicy-default.yaml
@@ -0,0 +1,41 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default
+spec:
+  podSelector:
+    matchLabels: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+  {{- if and .Values.networkPolicyDefault.ingress.allowCustomCidrs (not (empty .Values.networkPolicyDefault.ingress.customCidrs)) }}
+  # Using a comma separated list to make it easy to pass in with:
+  # `helm template ... --set networkPolicyDefault.ingress.customCidrs=...`
+  {{- $cidrs := splitList "," .Values.networkPolicyDefault.ingress.customCidrs }}
+    - from:
+      {{- range $cidr := $cidrs }}
+      - ipBlock:
+          cidr: {{ $cidr | quote }}
+      {{- end }}
+  {{- else }}
+    # Deny all ingress if no rules are specified. Rules can still be specified in other templates.
+    - {}
+  {{- end }}
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: "{{ $.Release.Namespace }}"
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
diff --git a/charts/chainlink-cluster/templates/runner-networkpolicy.yaml b/charts/chainlink-cluster/templates/runner-networkpolicy.yaml
new file mode 100644
index 00000000000..2bb6ac98625
--- /dev/null
+++ b/charts/chainlink-cluster/templates/runner-networkpolicy.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ $.Release.Name }}-runner
+spec:
+  podSelector:
+    matchLabels:
+      app: runner
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow all ingress traffic between the node pods and from runner pod.
+    - from:
+      - podSelector:
+          matchLabels:
+            app: {{ $.Release.Name }}
+      - podSelector:
+          matchLabels:
+            app: runner

From fe578d8789eb25ab4279b30980ec4fdaddd240dd Mon Sep 17 00:00:00 2001
From: chainchad <96362174+chainchad@users.noreply.github.com>
Date: Mon, 5 Feb 2024 17:19:07 -0500
Subject: [PATCH 2/2] Create network policies conditionally

---
 .../templates/chainlink-db-networkpolicy.yaml                  | 2 ++
 .../templates/chainlink-node-networkpolicy.yaml                | 2 ++
 charts/chainlink-cluster/templates/geth-networkpolicy.yaml     | 2 ++
 .../chainlink-cluster/templates/mockserver-networkpolicy.yaml  | 2 ++
 charts/chainlink-cluster/templates/networkpolicy-default.yaml  | 2 ++
 charts/chainlink-cluster/templates/runner-networkpolicy.yaml   | 2 ++
 charts/chainlink-cluster/values.yaml                           | 3 +++
 7 files changed, 15 insertions(+)

diff --git a/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml b/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml
index e5d029b7865..5f7e7706ced 100644
--- a/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml
+++ b/charts/chainlink-cluster/templates/chainlink-db-networkpolicy.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.networkPolicies.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -21,3 +22,4 @@ spec:
       ports:
         - protocol: TCP
           port: 5432
+{{- end }}
\ No newline at end of file
diff --git a/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml b/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml
index 321bc531626..e63759a994f 100644
--- a/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml
+++ b/charts/chainlink-cluster/templates/chainlink-node-networkpolicy.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.networkPolicies.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -17,3 +18,4 @@ spec:
       - podSelector:
           matchLabels:
             app: runner
+{{- end }}
\ No newline at end of file
diff --git a/charts/chainlink-cluster/templates/geth-networkpolicy.yaml b/charts/chainlink-cluster/templates/geth-networkpolicy.yaml
index 5be59136251..025d6184501 100644
--- a/charts/chainlink-cluster/templates/geth-networkpolicy.yaml
+++ b/charts/chainlink-cluster/templates/geth-networkpolicy.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.networkPolicies.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -23,3 +24,4 @@ spec:
           port: 8544
         - protocol: TCP
           port: 8546
+{{- end }}
\ No newline at end of file
diff --git a/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml b/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml
index 074b1ab089a..6ac4f658e37 100644
--- a/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml
+++ b/charts/chainlink-cluster/templates/mockserver-networkpolicy.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.networkPolicies.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -21,3 +22,4 @@ spec:
       ports:
         - protocol: TCP
           port: 1080
+{{- end }}
\ No newline at end of file
diff --git a/charts/chainlink-cluster/templates/networkpolicy-default.yaml b/charts/chainlink-cluster/templates/networkpolicy-default.yaml
index f2d9416cf15..a2cc23ed7f9 100644
--- a/charts/chainlink-cluster/templates/networkpolicy-default.yaml
+++ b/charts/chainlink-cluster/templates/networkpolicy-default.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.networkPolicies.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -39,3 +40,4 @@ spec:
           port: 53
         - protocol: UDP
           port: 53
+{{- end }}
\ No newline at end of file
diff --git a/charts/chainlink-cluster/templates/runner-networkpolicy.yaml b/charts/chainlink-cluster/templates/runner-networkpolicy.yaml
index 2bb6ac98625..b75a2ffa772 100644
--- a/charts/chainlink-cluster/templates/runner-networkpolicy.yaml
+++ b/charts/chainlink-cluster/templates/runner-networkpolicy.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.networkPolicies.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -17,3 +18,4 @@ spec:
       - podSelector:
           matchLabels:
             app: runner
+{{- end }}
\ No newline at end of file
diff --git a/charts/chainlink-cluster/values.yaml b/charts/chainlink-cluster/values.yaml
index 24914a40a91..3e58cbaea24 100644
--- a/charts/chainlink-cluster/values.yaml
+++ b/charts/chainlink-cluster/values.yaml
@@ -284,6 +284,9 @@ nodeSelector:
 tolerations:
 affinity:
 
+networkPolicies:
+  enabled: true
+
 # Configure the default network policy.
 networkPolicyDefault:
   ingress: