fix: network policies fixed so confluence can be hit

README.md

@@ -12,7 +12,7 @@ The Confluence Package expects to be deployed on top of [UDS Core](https://githu
 
 Confluence is configured by default to assume the internal dependencies that are used for testing (see postgres in the [bundle](bundle/uds-bundle.yaml)).
 
-#### Database
+### Database
 
 - A Postgres database is running on port `5432` and accessible to the cluster via the `CONFLUENCE_DB_ENDPOINT` Zarf var.
 - This database can be logged into via the username configured with the Zarf var `CONFLUENCE_DB_USERNAME`. Default is `confluence.confluence`
@@ -38,7 +38,7 @@ The released packages can be found in [ghcr](https://github.com/defenseunicorns/
 *For local dev, this requires you install [uds-cli](https://github.com/defenseunicorns/uds-cli?tab=readme-ov-file#install)
 
 > [!TIP]
-> To get a list of tasks to run you can use `uds run --list`!
+> To get a list of tasks to run you can use `uds run --list`! To set your flavor try `--set FLAVOR=<your choice>`, example: `uds run --set FLAVOR=registry1`.
 
 ## Contributing
 

chart/templates/uds-package.yaml

@@ -9,8 +9,9 @@ spec:
     - name: Confluence Login
       clientId: uds-package-confluence
       redirectUris:
-        - "https://confluence.{{ .Values.domain }}/plugins/servlet/oidc/callback"
+        - "https://{{ .Values.subdomain }}.{{ .Values.domain }}/plugins/servlet/oidc/callback"
   {{- end }}
+  # Customize network policies and expose services via istio
   network:
     expose:
       - service: confluence
@@ -22,19 +23,58 @@ spec:
         targetPort: 8090
     allow:
       - direction: Ingress
-        remoteGenerated: IntraNamespace
-      - direction: Egress
-        remoteGenerated: IntraNamespace
-      - direction: Egress
-        podLabels:
+        selector:
+          app.kubernetes.io/name: confluence
+        remoteSelector:
           app.kubernetes.io/name: confluence
-        port: 443
-        description: "SSO"
+        remoteNamespace: {{ .Release.Namespace }}
+        port: 5801  # Hazelcast (used by nodes to form cluster)
       - direction: Egress
-        # todo: this is over permissive, need to scope it down
-        remoteGenerated: KubeAPI
-      # Todo: wide open for hitting in-cluster or external postgres
+        selector:
+          app.kubernetes.io/name: confluence
+        remoteSelector:
+          app.kubernetes.io/name: confluence
+        remoteNamespace: {{ .Release.Namespace }}
+        port: 5801  # Hazelcast (used by nodes to form cluster)
+        # TODO: Add 5701 for Synchrony once enabled.
+
       - direction: Egress
-        podLabels:
+        selector:
           app.kubernetes.io/name: confluence
+        port: {{ .Values.postgres.port }}
+      {{- if .Values.postgres.internal }}
+        remoteNamespace: {{ .Values.postgres.namespace }}
+        remoteSelector:
+          {{ .Values.postgres.selector | toYaml | indent 10 }}
+      {{- else }}
+        # TODO: Once https://github.com/defenseunicorns/uds-core/issues/558 is resolved, this should instead be taking the external Postgres IP or domain
+        # And only permitting access to that service. Right now, it permits egress to anyone, on the right port.
         remoteGenerated: Anywhere
+      {{- end }}
+
+      ### Allow monitoring to export metrics ###
+      - direction: Ingress
+        remoteNamespace: monitoring
+        remoteSelector:
+          app: prometheus
+        selector:
+          app: confluence
+          app.kubernetes.io/component: exporter
+        port: 8001 # TODO: this port number needs verified.
+        description: "Confluence Exporter Monitor"
+
+      # Custom rules for unanticipated scenarios
+      {{- range .Values.custom }}
+      - direction: {{ .direction }}
+        selector:
+          {{ .selector | toYaml | nindent 10 }}
+        {{- if not .remoteGenerated }}
+        remoteNamespace: {{ .remoteNamespace }}
+        remoteSelector:
+          {{ .remoteSelector | toYaml | nindent 10 }}
+        port: {{ .port }}
+        {{- else }}
+        remoteGenerated: {{ .remoteGenerated }}
+        {{- end }}
+        description: {{ .description }}
+      {{- end }}

chart/values.yaml

@@ -1,2 +1,14 @@
 domain: "###ZARF_VAR_DOMAIN###"
+subdomain: "confluence"
 sso: true
+
+postgres:
+  # Set to false to use external postgres
+  internal: true
+  selector:  # Ignored if external
+    cluster-name: pg-cluster
+  namespace: postgres  # Ignored if external
+  port: 5432
+
+# Custom network policies
+custom: []