1
// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
2
// Licensed under the GNU Affero General Public License (AGPL).
3
// See License.AGPL.txt in the project root for license information.
4

5
package image_builder_mk3
6

7
import (
8
	"github.com/gitpod-io/gitpod/installer/pkg/common"
9
	"github.com/gitpod-io/gitpod/installer/pkg/components/server"
10
	"github.com/gitpod-io/gitpod/installer/pkg/config/v1"
11

12
	networkingv1 "k8s.io/api/networking/v1"
13
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
14
	"k8s.io/apimachinery/pkg/runtime"
15
)
16

17
func networkpolicy(ctx *common.RenderContext) ([]runtime.Object, error) {
18
	labels := common.DefaultLabels(Component)
19
	var ingressRules []networkingv1.NetworkPolicyPeer
20
	// Allow all ingress in workspace clusters
21
	// until https://github.com/gitpod-io/ops/issues/6905 is fixed.
22
	if ctx.Config.Kind != config.InstallationWorkspace {
23
		ingressRules = []networkingv1.NetworkPolicyPeer{
24
			{
25
				PodSelector: &metav1.LabelSelector{
26
					MatchLabels: map[string]string{
27
						"component": server.Component,
28
					},
29
				},
30
			},
31
			{
32
				PodSelector: &metav1.LabelSelector{
33
					MatchLabels: map[string]string{
34
						"component": common.WSManagerMk2Component,
35
					},
36
				},
37
			},
38
		}
39
	}
40

41
	return []runtime.Object{
42
		&networkingv1.NetworkPolicy{
43
			TypeMeta: common.TypeMetaNetworkPolicy,
44
			ObjectMeta: metav1.ObjectMeta{
45
				Name:      Component,
46
				Namespace: ctx.Namespace,
47
				Labels:    labels,
48
			},
49
			Spec: networkingv1.NetworkPolicySpec{
50
				PodSelector: metav1.LabelSelector{MatchLabels: labels},
51
				PolicyTypes: []networkingv1.PolicyType{"Ingress"},
52
				Ingress: []networkingv1.NetworkPolicyIngressRule{
53
					{
54
						From: ingressRules,
55
					},
56
				},
57
			},
58
		},
59
	}, nil
60
}
61

62