feat: add conditional netpol for coredns

.github/bundles/rke2/uds-bundle.yaml

@@ -57,6 +57,11 @@ packages:
               value:
                 service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
                 service.beta.kubernetes.io/aws-load-balancer-target-node-labels: "kubernetes.io/os=linux"
+      kube-prometheus-stack:
+        uds-prometheus-config:
+          values:
+            - path: rke2CorednsNetpol.enabled
+              value: true
       velero:
         velero:
           variables:

src/prometheus-stack/chart/templates/coredns-netpol.yaml

@@ -0,0 +1,26 @@
+# Copyright 2025 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+{{- if .Values.rke2CorednsNetpol.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-prometheus-to-kube-dns
+  namespace: kube-system
+spec:
+  podSelector:
+    matchLabels:
+      k8s-app: kube-dns
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+          podSelector:
+            matchLabels:
+              app: prometheus
+      ports:
+        - protocol: TCP
+          port: 9153
+{{- end -}}

src/prometheus-stack/chart/values.yaml

@@ -10,3 +10,5 @@ additionalNetworkAllow: []
 #     remoteGenerated: Anywhere
 #     description: "from alertmanager to anywhere"
 #     port: 443
+rke2CorednsNetpol:
+  enabled: false

tasks/iac.yaml

@@ -65,9 +65,6 @@ tasks:
               break
             fi
           done
-      - task: util:rke2-allow-prom-kube-dns
-        dir: .github/test-infra/aws/rke2/
-        maxTotalSeconds: 600
 
   - name: create-iac
     actions:

tasks/utils.yaml

@@ -50,34 +50,6 @@ tasks:
             namespace: kube-system
           EOF
             uds zarf tools kubectl -n kube-system rollout restart deployment coredns
-  - name: rke2-allow-prom-kube-dns
-    actions:
-      - description: Create NetworkPolicy to allow Prometheus to scrape kube-dns
-        cmd: |
-          uds zarf tools kubectl apply -f - <<EOF
-          apiVersion: networking.k8s.io/v1
-          kind: NetworkPolicy
-          metadata:
-            name: allow-prometheus-to-kube-dns
-            namespace: kube-system
-          spec:
-            podSelector:
-              matchLabels:
-                k8s-app: kube-dns
-            policyTypes:
-              - Ingress
-            ingress:
-              - from:
-                  - namespaceSelector:
-                      matchLabels:
-                        kubernetes.io/metadata.name: monitoring
-                    podSelector:
-                      matchLabels:
-                        app: prometheus
-                ports:
-                  - protocol: TCP
-                    port: 9153
-          EOF
   - name: eks-storageclass-setup
     actions:
       - description: Setup GP3 Storage Class