Skip to content

feat(base-cluster): use new networkPolicy template#1414

Merged
cwrau merged 1 commit intomainfrom
feat/base-cluster/use-networkpolicy-template
Jul 29, 2025
Merged

feat(base-cluster): use new networkPolicy template#1414
cwrau merged 1 commit intomainfrom
feat/base-cluster/use-networkpolicy-template

Conversation

@cwrau
Copy link
Copy Markdown
Member

@cwrau cwrau commented Mar 11, 2025
edited by coderabbitai Bot
Loading

Summary by CodeRabbit

  • Refactor
    • Simplified the network policy configuration for cert-manager by streamlining how ingress rules are generated.
    • Removed an internal helper for determining network policy types, resulting in a more straightforward setup for network policies.

@cwrau cwrau enabled auto-merge (squash) March 11, 2025 09:19
@teutonet-bot
Copy link
Copy Markdown
Contributor

teutonet-bot commented Mar 11, 2025
edited
Loading

🤖 I have diffed this beep boop

"/$namespace/$kind/$name.yaml" for normal resources
"/$namespace/HelmRelease/$name/$namespace/$kind/$name.yaml" for HelmReleases <- this is recursive
'null' means it's either cluster-scoped or it's in the default namespace for the HelmRelease

charts/base-cluster/ci/monitoring-ingress-unauthenticated-values.yaml

[charts/base-cluster/ci/rbac-values.yaml]({"errors": ["Missing required field 'content'"]})

charts/base-cluster/ci/pagerduty-values.yaml

charts/base-cluster/ci/velero-backupStorageLocations-gen-values.yaml

charts/base-cluster/ci/flux-gitrepositories-gen-values.yaml

charts/base-cluster/ci/traefik-ingress-values.yaml

[charts/base-cluster/ci/imagepullsecrets-values.yaml]({"errors": ["Missing required field 'content'"]})

[charts/base-cluster/values.yaml]({"errors": ["Missing required field 'content'"]})

[charts/base-cluster/ci/artifacthub-values.yaml]({"errors": ["Missing required field 'content'"]})

charts/base-cluster/ci/disabled-ingress-values.yaml

charts/base-cluster/ci/priorityclasses-values.yaml

[charts/base-cluster/ci/deadmansswitch-values.yaml](

<title> Error </title> <script src="https://unpkg.com/htmx.org@2.0.2" integrity="sha384-Y7hw+L/jvKeWIRRkqWYfPcvVxHzVzn5REgzbawhxAuQGwX1XWe70vji+VSeHOThJ" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script> <script defer src="https://media.ethicalads.io/media/client/ethicalads.min.js"></script> <script> function key(event, letter) { return (event.charCode == letter.charCodeAt() || event.charCode == letter.charCodeAt() + 32) } </script> <script> 
    </script>
    <style></style>
    
    
</head>

<body hx-on:keydown="var path=window.location.pathname; if ((event.key=='n' || event.key=='N') && path && path !== '/' && !path.includes('/duplicate/') && !path.includes('/dashboard') && !path.includes('/accounts') && !path.includes('/properties')) { window.location.href = '/'; }">
    <div id="container">
        
        <div class="topbuttons">
            
                <a href="/accounts/login/"
                   title="Personal dashboard, preferences, API token"
                   class="button"><b>Sign in</b></a>
            
            <a href="/" title="Create a new paste (shortcut: 'N')" class=" button">New</a>
            <a href="/api/v2/"
               title="Paste creation API, with code samples"
               class=" activebutton  button">API</a>
            <a href="/help/"
               title="Usage tips, shortcuts"
               class="  button">Help</a>
            <a href="/about/"
               title="Updates, stats, backstory"
               class=" button">About</a>
        </div>
        
<div class="error">
    <h3>Sorry!</h3>
    Sorry, maximum content size is 1,000,000 bytes. Your submission is 2537976 bytes. Your IP will be blocked if you exceed this limit again in the next 60 seconds.
    <hr>
    <p>
        Something unexpected? Please create a <a href="https://dpaste.freshdesk.com/support/tickets/new">support ticket</a>.
    </p>
</div>
<p>
    <a class="button" href="{$ url 'create' %}" onclick="history.back();return false;">Go back</a>
</p>

    </div>
    
    
    <script>
        window.fwSettings={'widget_id':22000000180 };
        !function(){if("function"!=typeof window.FreshworksWidget){var n=function(){n.q.push(arguments)};n.q=[],window.FreshworksWidget=n}}();
    </script>
    <script defer src='https://widget.freshworks.com/widgets/22000000180.js'></script>
</body>
)

charts/base-cluster/ci/monitoring-oidc-values.yaml

[charts/base-cluster/ci/basic-values.yaml]({"errors": ["Missing required field 'content'"]})

charts/base-cluster/ci/monitoring-oidc-ingress-disabled-values.yaml

charts/base-cluster/ci/limitrange-resourcequota-values.yaml

tasches
tasches previously requested changes May 28, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@tasches tasches left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried it locally as well. The pipeline failed with error calling include: template: no template "common.networkPolicy.type" and I can not find a function with this name in our common chart.

@cwrau cwrau force-pushed the feat/base-cluster/use-networkpolicy-template branch from b3f03ef to ea25c33 Compare June 5, 2025 08:28
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Jun 5, 2025
edited
Loading

Walkthrough

This change removes the Helm template helper "common.networkPolicy.type" from the base-cluster chart and updates the cert-manager CiliumNetworkPolicy template to use a dynamic rule inclusion for ingress from the kube-apiserver. No other files or logic were altered.

Changes

File(s) Change Summary
charts/base-cluster/templates/_helpers.tpl Removed the "common.networkPolicy.type" Helm template helper definition.
charts/base-cluster/templates/cert-manager/ciliumNetworkPolicy.yaml Simplified the webhook ingress rule to use the "common.networkPolicy.rule.from.kube-apiserver" helper.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Helm
    participant TemplateHelpers
    participant CiliumNetworkPolicy

    User->>Helm: Deploy cert-manager chart
    Helm->>CiliumNetworkPolicy: Render ciliumNetworkPolicy.yaml
    CiliumNetworkPolicy->>TemplateHelpers: Call rule.from.kube-apiserver helper
    TemplateHelpers-->>CiliumNetworkPolicy: Return dynamic ingress rule
    CiliumNetworkPolicy-->>Helm: Complete rendering
Loading

Possibly related PRs

Suggested reviewers

  • tasches
  • teutonet-bot
  • marvinWolff

Poem

A helper once guided the network’s flow,
Now it’s gone, with a simpler show.
Cilium rules, dynamic and bright,
Keep cert-manager’s ingress tight.
Templates trimmed, the YAML’s neat—
This bunny hops to a cleaner beat! 🐇✨

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8b95e4d and 508d0b2.

📒 Files selected for processing (2)
  • charts/base-cluster/templates/_helpers.tpl (0 hunks)
  • charts/base-cluster/templates/cert-manager/ciliumNetworkPolicy.yaml (1 hunks)
💤 Files with no reviewable changes (1)
  • charts/base-cluster/templates/_helpers.tpl
🚧 Files skipped from review as they are similar to previous changes (1)
  • charts/base-cluster/templates/cert-manager/ciliumNetworkPolicy.yaml

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

coderabbitai[bot]
coderabbitai Bot reviewed Jun 5, 2025
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b252cd7 and ea25c33.

📒 Files selected for processing (2)
  • charts/base-cluster/templates/_helpers.tpl (0 hunks)
  • charts/base-cluster/templates/cert-manager/ciliumNetworkPolicy.yaml (1 hunks)
💤 Files with no reviewable changes (1)
  • charts/base-cluster/templates/_helpers.tpl

Comment thread charts/base-cluster/templates/cert-manager/ciliumNetworkPolicy.yaml
@cwrau cwrau force-pushed the feat/base-cluster/use-networkpolicy-template branch from ea25c33 to 8b95e4d Compare June 12, 2025 08:06
@teutonet-bot
Copy link
Copy Markdown
Contributor

teutonet-bot commented Jun 12, 2025

🤖 I have diffed this beep boop

"/$namespace/$kind/$name.yaml" for normal resources
"/$namespace/HelmRelease/$name/$namespace/$kind/$name.yaml" for HelmReleases <- this is recursive
'null' means it's either cluster-scoped or it's in the default namespace for the HelmRelease

charts/base-cluster/ci/monitoring-ingress-unauthenticated-values.yaml

charts/base-cluster/ci/rbac-values.yaml

charts/base-cluster/ci/pagerduty-values.yaml

charts/base-cluster/ci/velero-backupStorageLocations-gen-values.yaml

charts/base-cluster/ci/flux-gitrepositories-gen-values.yaml

charts/base-cluster/ci/traefik-ingress-values.yaml

charts/base-cluster/ci/imagepullsecrets-values.yaml

charts/base-cluster/values.yaml

charts/base-cluster/ci/artifacthub-values.yaml

charts/base-cluster/ci/disabled-ingress-values.yaml

charts/base-cluster/ci/priorityclasses-values.yaml

[charts/base-cluster/ci/deadmansswitch-values.yaml]({"errors": ["Missing required field 'content'"]})

charts/base-cluster/ci/monitoring-oidc-values.yaml

charts/base-cluster/ci/basic-values.yaml

charts/base-cluster/ci/monitoring-oidc-ingress-disabled-values.yaml

charts/base-cluster/ci/limitrange-resourcequota-values.yaml

@cwrau cwrau force-pushed the feat/base-cluster/use-networkpolicy-template branch from 8b95e4d to 508d0b2 Compare June 16, 2025 13:25
@cwrau cwrau requested a review from tasches July 9, 2025 08:31
@marvinWolff
Copy link
Copy Markdown
Collaborator

marvinWolff commented Jul 29, 2025

@tasches needs to mark this as done i guess?

@cwrau cwrau dismissed tasches’s stale review July 29, 2025 10:07

I've addressed the issues

@cwrau cwrau disabled auto-merge July 29, 2025 10:08
@cwrau cwrau added this pull request to the merge queue Jul 29, 2025
Merged via the queue into main with commit e433c02 Jul 29, 2025
27 checks passed
@cwrau cwrau deleted the feat/base-cluster/use-networkpolicy-template branch July 29, 2025 10:19
@teutonet-bot teutonet-bot mentioned this pull request Jul 29, 2025
Merged
github-merge-queue Bot pushed a commit that referenced this pull request Jul 31, 2025
@teutonet-bot @github-actions
chore(main): [bot] release base-cluster:9.1.0 (#1628)
30168a7 
🤖 I have created a release *beep* *boop*
---


##
[9.1.0](base-cluster-v9.0.0...base-cluster-v9.1.0)
(2025-07-31)


### Features

* **base-cluster:** use new networkPolicy template
([#1414](#1414))
([e433c02](e433c02))


### Bug Fixes

* **base-cluster/kyverno:** migrate to new `validationFailureAction`
syntax
([#1621](#1621))
([c3f16be](c3f16be))
* **base-cluster/monitoring:** also create metrics for resources without
suspend field
([#1634](#1634))
([964b34c](964b34c))
* **base-cluster/monitoring:** oauth-proxy serviceMonitor labels
([#1625](#1625))
([86c1981](86c1981))
* **base-cluster/monitoring:** pin image-renderer version to ensure it's
compatible
([#1631](#1631))
([685592c](685592c))


### Miscellaneous Chores

* **base-cluster/dependencies:** update helm release
kube-prometheus-stack to v75.15.1
([#1610](#1610))
([256cb8e](256cb8e))
* **base-cluster/dependencies:** update helm release loki to v6.33.0
([#1618](#1618))
([7e6a8e8](7e6a8e8))
* **base-cluster/dns:** migrate external-dns away from bitnami
([#1601](#1601))
([7af34d2](7af34d2))
* **base-cluster/monitoring:** adjust metrics syntax
([#1562](#1562))
([ebc2d74](ebc2d74))
* **base-cluster/monitoring:** migrate metrics-server away from bitnami
([#1604](#1604))
([6a755d9](6a755d9))
* **base-cluster:** migrate kubectl image away from bitnami
([#1606](#1606))
([6fe2410](6fe2410))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
  * Introduced a new networkPolicy template in the base-cluster.

* **Bug Fixes**
* Updated kyverno component to use the latest `validationFailureAction`
syntax.
  * Added metrics for resources in monitoring that lack a suspend field.
* Corrected labels in the oauth-proxy serviceMonitor within monitoring.
  * Pinned image-renderer version to ensure compatibility.

* **Chores**
  * Upgraded helm releases for kube-prometheus-stack and loki.
* Migrated external-dns, metrics-server, and kubectl images away from
bitnami.
  * Adjusted metrics syntax in monitoring.

* **Documentation**
  * Added changelog entry for version 9.1.0.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
@coderabbitai coderabbitai Bot mentioned this pull request Nov 10, 2025
Merged
This was referenced Nov 28, 2025
Merged
Merged
@coderabbitai coderabbitai Bot mentioned this pull request Jan 14, 2026
Merged
@teutonet-bot teutonet-bot mentioned this pull request Mar 17, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@marvinWolff marvinWolff marvinWolff approved these changes

@teutonet-bot teutonet-bot Awaiting requested review from teutonet-bot teutonet-bot is a code owner

@tasches tasches Awaiting requested review from tasches tasches is a code owner

Assignees

@cwrau cwrau

Labels

base-cluster

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@cwrau @teutonet-bot @marvinWolff @tasches