feat: chart Helm parent lions-app v1.0.0 — templates hardened (secretKeyRef, readOnlyRootFS, NetworkPolicy, ExternalSecret, PDB, SM, HPA)

2026-04-22 14:22:00 +00:00
commit ab865631fe
16 changed files with 1074 additions and 0 deletions
--- a/templates/networkpolicy.yaml
+++ b/templates/networkpolicy.yaml
@@ -0,0 +1,79 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "lions-app.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "lions-app.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "lions-app.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # Ingress depuis les namespaces autorisés
+    {{- range .Values.networkPolicy.allowIngressFrom }}
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              {{- toYaml .namespaceSelector | nindent 14 }}
+      {{- with .ports }}
+      ports:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+    # Ingress depuis pods du même namespace (pour communication intra-ns)
+    - from:
+        - podSelector: {}
+  egress:
+    # DNS (CoreDNS dans kube-system)
+    {{- if .Values.networkPolicy.allowEgressDNS }}
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    {{- end }}
+    # K8s API (nécessaire si l'app utilise l'API via ServiceAccount)
+    {{- if .Values.networkPolicy.allowEgressKubeAPI }}
+    - to:
+        - ipBlock:
+            cidr: 10.96.0.0/12   # service CIDR
+      ports:
+        - port: 443
+          protocol: TCP
+        - port: 6443
+          protocol: TCP
+    {{- end }}
+    # Egress spécifique de l'app (Postgres, Keycloak, Kafka, etc.)
+    {{- range .Values.networkPolicy.allowEgressTo }}
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              {{- toYaml .namespaceSelector | nindent 14 }}
+      {{- with .ports }}
+      ports:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+    # Sortie HTTPS vers Internet (Let's Encrypt ACME, external APIs)
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+            except:
+              - 10.0.0.0/8
+              - 172.16.0.0/12
+              - 192.168.0.0/16
+      ports:
+        - port: 443
+          protocol: TCP
+        - port: 80
+          protocol: TCP
+{{- end }}