bcgov · IanKWatts · Jul 8, 2024 · Jul 26, 2024 · Jul 26, 2024 · Jul 26, 2024
diff --git a/charts/crunchy-postgres/README.md b/charts/crunchy-postgres/README.md
@@ -10,7 +10,8 @@ A chart to provision a [Crunchy Postgres](https://www.crunchydata.com/) cluster.
 | ------------------ | ---------------------- | ------------------ |
 | `fullnameOverride` | Override release name  | `crunchy-postgres` |
 | `crunchyImage`     | Crunchy Postgres image |                    |
-| `postgresVersion`  | Postgres version       | `14`               |
+| `postgresVersion`  | Postgres version       | `15`               |
+| `isNSX`            | Cluster networking     | `false`            |
 
 ---
 

diff --git a/charts/crunchy-postgres/templates/_helpers.tpl b/charts/crunchy-postgres/templates/_helpers.tpl
@@ -40,6 +40,9 @@ helm.sh/chart: {{ include "crunchy-postgres.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.isNSX }}
+DataClass: Medium
+{{- end }}
 {{- end }}
 
 {{/*

diff --git a/charts/crunchy-postgres/values.yaml b/charts/crunchy-postgres/values.yaml
@@ -3,6 +3,10 @@ fullnameOverride: crunchy-postgres
 crunchyImage: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default
 #crunchyImage: artifacts.developer.gov.bc.ca/bcgov-docker-local/crunchy-postgres-gis:ubi8-15.2-3.3-0 # use this image for POSTGIS
 postgresVersion: 15
+#
+# Set isNSX to true when deploying to an NSX cluster (Emerald, KLAB2)
+isNSX: false
+#
 #postGISVersion: '3.3' # use this version of POSTGIS. both crunchyImage and this property needs to have valid values for POSTGIS to be enabled.
 imagePullPolicy: IfNotPresent
 

diff --git a/charts/tools/README.md b/charts/tools/README.md
@@ -61,6 +61,16 @@ Pod network policy to allow pods to accept traffic from other pods in this names
 
 ---
 
+#### Additional network configuration for NSX clusters
+
+Set to 'true' to enable network configuration required in the NSX clusters (Emerald, KLAB2)
+
+| Parameter           | Description                                  | Default |
+| ------------------- | -------------------------------------------- | ------- |
+| `networking.isNSX`  | Enable operator ingress and DataClass labels | `false` |
+
+---
+
 #### Route
 
 OpenShift route whitch allows you to host your application at a public URL.

diff --git a/charts/tools/templates/networking/networkPolicy.yaml b/charts/tools/templates/networking/networkPolicy.yaml
@@ -11,6 +11,7 @@ spec:
   # to accept traffic from the OpenShift router pods. This is
   # required for things outside of OpenShift (like the Internet)
   # to reach your pods.
+{{- if not .Values.networking.isNSX }}
   ingress:
     - from:
         - namespaceSelector:
@@ -19,5 +20,20 @@ spec:
   podSelector: {}
   policyTypes:
     - Ingress
-
+{{- else }}
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              network.openshift.io/policy-group: ingress
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              network.openshift.io/policy-group: ingress
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+{{- end -}}
 {{- end }}
diff --git a/charts/tools/templates/networking/operatorPolicy.yaml b/charts/tools/templates/networking/operatorPolicy.yaml
@@ -0,0 +1,33 @@
+{{- if and .Values.networking.networkPolicy.enabled .Values.networking.isNSX (ne .Release.Namespace .Values.provisioner.namespace) }}
+
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ or .Values.deploymentName .Release.Name }}-operator
+  labels:
+{{ include "crunchy-postgres-tools.labels" . | indent 4}}
+spec:
+  # This policy allows the operator to reach the Crunchy pods
+  egress:
+    - ports:
+        - port: 8432
+          protocol: TCP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-bcgov-crunchy
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-bcgov-crunchy
+      ports:
+        - port: 8432
+          protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: crunchy-postgres
+  policyTypes:
+    - Egress
+    - Ingress
+{{- end }}
diff --git a/charts/tools/templates/networking/podNetworkPolicy.yaml b/charts/tools/templates/networking/podNetworkPolicy.yaml
@@ -7,10 +7,24 @@ metadata:
   labels:
 {{ include "crunchy-postgres-tools.labels" . | indent 4}}
 spec:
+{{- if not .Values.networking.isNSX }}
   # This policy allows pods to accept traffic from other pods in this namespace
   ingress:
     - from:
         - podSelector: {}
   podSelector: {}
+{{- else }}
+  # This policy allows pods to accept traffic from other pods in this namespace
+  egress:
+  - to:
+    - podSelector: {}
+  ingress:
+  - from:
+    - podSelector: {}
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+{{- end -}}
 
 {{ end }}
diff --git a/charts/tools/values.yaml b/charts/tools/values.yaml
@@ -8,7 +8,7 @@ deployer:
 # Enable the provisioner service account which is used to deploy services to our other namespaces (dev/test/prod)
 # The tools namespace needs to be passed in so we know which namespace to install the service account in and the rolebindings get proper permissions
 provisioner:
-  namespace: #tools-namespace
+  namespace: #
   serviceAccount:
     enabled: true
 
@@ -18,6 +18,10 @@ linter:
     enabled: true
 
 networking:
+  #
+  # Set isNSX to true if deploying to KLAB2 or Emerald, otherwise leave false
+  isNSX: false
+  #
   # Network policy to allow traffic from outside the namespace (like the internet)
   networkPolicy:
     enabled: true