feat: whitelist all ingress traffic if team network policies are disa… (#1540)

Author: j-zimnowoda

charts/team-ns/templates/networkpolicy.yaml

@@ -2,7 +2,21 @@
 {{- $v := .Values | merge (dict) }}
 {{- $prometheus := dig "managedMonitoring" "prometheus" false $v }}
 {{- $alertmng := dig "managedMonitoring" "alertmanager" false $v }}
-{{- if and (not (eq $v.teamId "admin")) (dig "networkPolicy" "ingressPrivate" true $v) }}
+{{- if (not (dig "networkPolicy" "ingressPrivate" true $v)) }}
+---
+# If team network policies are disabled then we whitelist all traffic to prevent undesired blocking while deploying team workloads
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-ingress-allow-all
+  labels: {{- include "team-ns.chart-labels" $ | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels: {}
+  ingress:
+  - from:
+    - namespaceSelector: {}
+{{- else if and (not (eq $v.teamId "admin")) (dig "networkPolicy" "ingressPrivate" true $v) }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy

tests/fixtures/env/teams.yaml

@@ -30,7 +30,7 @@ teamConfig:
             prometheus: true
         networkPolicy:
             egressPublic: true
-            ingressPrivate: true
+            ingressPrivate: false
         oidc:
             groupMapping: somesecretvalue
         resourceQuota: