fix network policies for anvil and non-root-geth (#846)

* fix network policies for anvil and non-root-geth
* add omitempty to avoid adding blank value  during unmarshalling (#845)

Co-authored-by: Anindita Ghosh <[email protected]>

charts/foundry/README.md

@@ -16,4 +16,24 @@ anvil:
   forkTimeout: "45000"
   forkComputeUnitsPerSecond: "330"
   # forkNoRateLimit: "true"
+```
+
+By default ingress is disabled, so remember to enable it in `values.yaml`.
+Sample command:
+```bash
+export RELEASE_NAME="your-release-name"
+export NAMESPACE="your-namespace"
+export INGRESS_BASE_DOMAIN="your-ingress-base-domain"
+export INGRESS_CERT_ARN="your-ingress-certificate"
+export INGRESS_CIDRS="allowed-cidrs"
+
+helm install "${RELEASE_NAME}" . -f ./values.yaml \
+--set ingress.annotation_certificate_arn="${INGRESS_CERT_ARN}" \
+--set "ingress.hosts[0].host"="${NAMESPACE}-anvil.${INGRESS_BASE_DOMAIN}" \
+--set "ingress.annotation_group_name"="${NAMESPACE}" \
+--set "ingress.enabled"=true \
+--set "networkPolicyDefault.ingress.allowCustomCidrs"=true \
+--set "networkPolicyDefault.ingress.customCidrs"="${INGRESS_CIDRS}"
+# to override default chain id uncomment the following line
+# --set "anvil.chainId"="2337"
 ```

charts/foundry/templates/ingress.yaml

@@ -1,61 +1,44 @@
 {{- if .Values.ingress.enabled -}}
-{{- $fullName := include "foundry.fullname" . -}}
-{{- $svcPort := .Values.service.port -}}
-{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
-  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
-  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
-  {{- end }}
-{{- end }}
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1
-{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
 kind: Ingress
 metadata:
-  name: {{ $fullName }}
+  name: {{ .Release.Name }}
   labels:
-    {{- include "foundry.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
+    app: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+    {{- range $key, $value := .Values.labels }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
   annotations:
-    {{- toYaml . | nindent 4 }}
+    alb.ingress.kubernetes.io/backend-protocol: HTTP
+    alb.ingress.kubernetes.io/certificate-arn: {{ .Values.ingress.annotation_certificate_arn | quote }}
+    alb.ingress.kubernetes.io/group.name: {{ .Values.ingress.annotation_group_name | quote }}
+    alb.ingress.kubernetes.io/scheme: internal
+    alb.ingress.kubernetes.io/target-type: ip
+    external-dns.alpha.kubernetes.io/ttl: "120"
+  {{- if .Values.ingress.extra_annotations }}
+  {{- range $key, $value := .Values.ingress.extra_annotations }}
+    {{ $key }}: {{ $value | quote }}
   {{- end }}
-spec:
-  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
-  ingressClassName: {{ .Values.ingress.className }}
   {{- end }}
-  {{- if .Values.ingress.tls }}
-  tls:
-    {{- range .Values.ingress.tls }}
-    - hosts:
-        {{- range .hosts }}
-        - {{ . | quote }}
-        {{- end }}
-      secretName: {{ .secretName }}
-    {{- end }}
+spec:
+  {{- with .Values.ingress.ingressClassName }}
+  ingressClassName: {{ . }}
   {{- end }}
   rules:
-    {{- range .Values.ingress.hosts }}
-    - host: {{ .host | quote }}
+  {{- $root := . -}}
+  {{- range .Values.ingress.hosts }}
+    - host: {{ .host }}
       http:
         paths:
-          {{- range .paths }}
-          - path: {{ .path }}
-            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
-            pathType: {{ .pathType }}
-            {{- end }}
+        {{- range .http.paths }}
+          - path: "/*"
+            pathType: ImplementationSpecific
             backend:
-              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
               service:
-                name: {{ $fullName }}
+                name: {{ include "foundry.fullname" $root }}
                 port:
-                  number: {{ $svcPort }}
-              {{- else }}
-              serviceName: {{ $fullName }}
-              servicePort: {{ $svcPort }}
-              {{- end }}
-          {{- end }}
-    {{- end }}
-{{- end }}
+                  number: {{ .backend.service.port.number }}
+        {{- end }}
+  {{- end }}
+{{- end -}}

charts/foundry/templates/networkpolicy-default.yml

@@ -0,0 +1,25 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default
+spec:
+  podSelector:
+    matchLabels: {}
+  policyTypes:
+    - Ingress
+  ingress:
+  {{- if and .Values.networkPolicyDefault.ingress.allowCustomCidrs (not (empty .Values.networkPolicyDefault.ingress.customCidrs)) }}
+  # Using a comma separated list to make it easy to pass in with:
+  # `helm template ... --set networkPolicyDefault.ingress.customCidrs=...`
+  {{- $cidrs := splitList "," .Values.networkPolicyDefault.ingress.customCidrs }}
+    - from:
+      {{- range $cidr := $cidrs }}
+      - ipBlock:
+          cidr: {{ $cidr | quote }}
+      {{- end }}
+  {{- else }}
+    # Deny all ingress if no rules are specified. Rules can still be specified in other templates.
+    - {}
+  {{- end }}
+{{- end }}

charts/foundry/values.yaml

@@ -10,12 +10,12 @@ anvil:
   chainId: 1337
   blockTime: 1
   runAsOptimism: false
-  forkURL: 'https://goerli.infura.io/v3/...'
-  forkBlockNumber: "10448829"
-  forkRetries: "5"
-  forkTimeout: "45000"
-  forkComputeUnitsPerSecond: "330"
-  forkNoRateLimit: "true"
+  # forkURL: 'https://goerli.infura.io/v3/...'
+  # forkBlockNumber: "10448829"
+  # forkRetries: "5"
+  # forkTimeout: "45000"
+  # forkComputeUnitsPerSecond: "330"
+  # forkNoRateLimit: "true"
 
 image:
   repository: ghcr.io/foundry-rs/foundry
@@ -60,19 +60,31 @@ service:
 
 ingress:
   enabled: false
-  className: ''
   annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: 'true'
+  ingressClassName: alb
+  annotation_certificate_arn: ''
+  annotation_group_name: ''
   hosts:
-    - host: chart-example.local
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
+    - host: chainlink-anvil.local
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: anvil
+                port:
+                  number: 8545
+
+networkPolicies:
+  enabled: true
+
+# Configure the default network policy.
+networkPolicyDefault:
+  ingress:
+    allowCustomCidrs: false
+    # List of custom CIDRs to allow ingress from. If allowCustomCidrs is true, this list will be appended to the default list of CIDRs.
+    customCidrs: ''
 
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious

charts/geth-non-root/Readme.md

@@ -1,28 +1,23 @@
 # Raison d'etre
 
-This chart allows to run a geth node as a non-root user, which is esential for running it on more secure clusters. Geth is running as Proof-of-Authority private network with a single node.
-
-# Deploying with ingress
-
-By default ingress is disabled. To enable it you need to override a couple of values in the values.yaml file. You can easily do it from command-line when installing the chart.
-
-Currently ingress created for CRIB doesn't work, even though there are no errors or warnings in Kubernetes. Hopefuly soon we will have some eyes on it.
+This chart allows to run a geth node as a non-root user, which is esential for running it on more secure clusters. Geth is running as Proof-of-Authority private network with a single node. By default ingress is disabled, so remember to enable it in `values.yaml`.
 
 Sample command:
 ```bash
 export RELEASE_NAME="your-release-name"
 export NAMESPACE="your-namespace"
 export INGRESS_BASE_DOMAIN="your-ingress-base-domain"
-export INGRESS_CERT="your-ingress-certificate"
-export INGRESS_CIDRS="your-ingress-cidrs"
+export INGRESS_CERT_ARN="your-ingress-certificate"
+export INGRESS_CIDRS="allowed-cidrs"
 
 helm install "${RELEASE_NAME}" . -f ./values.yaml \
---set ingress.annotation_certificate_arn="${INGRESS_CERT}"\
---set "ingress.hosts[0].host"="${NAMESPACE}-geth-http.${INGRESS_BASE_DOMAIN}"\
---set "ingress.hosts[1].host"="${NAMESPACE}-geth-ws.${INGRESS_BASE_DOMAIN}"\
---set "ingress.annotation_group_name"="${NAMESPACE}"\
---set "ingress.enabled"=true\
+--set ingress.annotation_certificate_arn="${INGRESS_CERT_ARN}" \
+--set "ingress.hosts[0].host"="${NAMESPACE}-geth-http.${INGRESS_BASE_DOMAIN}" \
+--set "ingress.hosts[1].host"="${NAMESPACE}-geth-ws.${INGRESS_BASE_DOMAIN}" \
+--set "ingress.annotation_group_name"="${NAMESPACE}" \
+--set "ingress.enabled"=true \
+--set "networkPolicyDefault.ingress.allowCustomCidrs"=true \
+--set "networkPolicyDefault.ingress.customCidrs"="${INGRESS_CIDRS}"
 # to override default chain id uncomment the following line
 # --set "geth.networkId"="2337"
---set "networkPolicy.ingress.allowCustomCidrs=${INGRESS_CIDRS}"
 ```

charts/geth-non-root/templates/geth-deployment.yml → charts/geth-non-root/templates/deployment.yml

@@ -7,20 +7,22 @@ spec:
   selector:
     matchLabels:
       app: geth
+      release: {{ .Release.Name }}
+      instance: geth
       # Used for testing.
       # havoc-component-group and havoc-network-group are used by "havoc" chaos testing tool
       havoc-component-group: "blockchain"
       havoc-network-group: "blockchain"
-      release: {{ .Release.Name }}
   template:
     metadata:
       labels:
         app: geth
+        instance: geth
+        release: {{ .Release.Name }}
         # Used for testing.
         # havoc-component-group and havoc-network-group are used by "havoc" chaos testing tool
         havoc-component-group: "blockchain"
         havoc-network-group: "blockchain"
-        release: {{ .Release.Name }}
       annotations:
         {{- range $key, $value := .Values.podAnnotations }}
         {{ $key }}: {{ $value | quote }}
@@ -33,11 +35,11 @@ spec:
       - name: devchain-volume
         emptyDir: {}
       securityContext:
-        {{- toYaml $.Values.geth.podSecurityContext | nindent 8 }}
+        {{- toYaml .Values.geth.podSecurityContext | nindent 8 }}
       containers:
       - name: geth-network
         securityContext:
-          {{- toYaml $.Values.geth.securityContext | nindent 12 }}
+          {{- toYaml .Values.geth.securityContext | nindent 12 }}
         image: "{{ default "ethereum/client-go" .Values.geth.image }}:{{ default "stable" .Values.geth.version }}"
         command: [ "sh", "/chain/init.sh" ]
         volumeMounts:
@@ -88,15 +90,15 @@ spec:
           - '--rpc.txfeecap'
           - '0'
           - '--dev.period'
-          - '{{ .Values.geth.blocktime }}'
+          - '{{ $.Values.geth.blocktime }}'
           - '--miner.gasprice'
           - '10000000000'
         ports:
         - name: http-rpc
           containerPort: 8544
         - name: ws-rpc
           containerPort: 8546
-        {{ if (hasKey .Values.geth "resources") }}
+        {{ if (hasKey $.Values.geth "resources") }}
         resources:
           requests:
             memory: {{ default "1024Mi" .Values.geth.resources.requests.memory }}
@@ -118,4 +120,4 @@ spec:
       tolerations:
 {{ toYaml . | indent 8 }}
 {{- end }}
-{{ end }}
+{{ end }}

charts/geth-non-root/templates/ingress.yaml

@@ -2,19 +2,20 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: {{ $.Release.Name }}
+  name: {{ .Release.Name }}
   labels:
-    app: {{ $.Release.Name }}
-    release: {{ $.Release.Name }}
-    {{- range $key, $value := $.Values.labels }}
+    app: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+    {{- range $key, $value := .Values.labels }}
     {{ $key }}: {{ $value | quote }}
     {{- end }}
   annotations:
     alb.ingress.kubernetes.io/backend-protocol: HTTP
-    alb.ingress.kubernetes.io/certificate-arn: {{ $.Values.ingress.annotation_certificate_arn | quote }}
-    alb.ingress.kubernetes.io/group.name: {{ $.Values.ingress.annotation_group_name | quote }}
+    alb.ingress.kubernetes.io/certificate-arn: {{ .Values.ingress.annotation_certificate_arn | quote }}
+    alb.ingress.kubernetes.io/group.name: {{ .Values.ingress.annotation_group_name | quote }}
     alb.ingress.kubernetes.io/scheme: internal
     alb.ingress.kubernetes.io/target-type: ip
+    external-dns.alpha.kubernetes.io/ttl: "120"
   {{- if .Values.ingress.extra_annotations }}
   {{- range $key, $value := .Values.ingress.extra_annotations }}
     {{ $key }}: {{ $value | quote }}

charts/geth-non-root/templates/networkpolicy-default.yml

@@ -0,0 +1,25 @@
+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default
+spec:
+  podSelector:
+    matchLabels: {}
+  policyTypes:
+    - Ingress
+  ingress:
+  {{- if and .Values.networkPolicyDefault.ingress.allowCustomCidrs (not (empty .Values.networkPolicyDefault.ingress.customCidrs)) }}
+  # Using a comma separated list to make it easy to pass in with:
+  # `helm template ... --set networkPolicyDefault.ingress.customCidrs=...`
+  {{- $cidrs := splitList "," .Values.networkPolicyDefault.ingress.customCidrs }}
+    - from:
+      {{- range $cidr := $cidrs }}
+      - ipBlock:
+          cidr: {{ $cidr | quote }}
+      {{- end }}
+  {{- else }}
+    # Deny all ingress if no rules are specified. Rules can still be specified in other templates.
+    - {}
+  {{- end }}
+{{- end }}