fix: restrict network policies closer to what is minimum required access

README.md

@@ -4,21 +4,20 @@
 [![Build Status](https://img.shields.io/github/actions/workflow/status/defenseunicorns/uds-package-confluence/tag-and-release.yaml)](https://github.com/defenseunicorns/uds-package-confluence/actions/workflows/tag-and-release.yaml)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/uds-package-confluence/badge)](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/uds-package-confluence)
 
-This package is designed to be deployed on [UDS Core](https://github.com/defenseunicorns/uds-core), and is based on the upstream [Confluence](https://github.com/jfrog/charts/tree/master/stable/confluence) chart.
+This package is designed to be deployed on [UDS Core](https://github.com/defenseunicorns/uds-core), and is based on the registry1 [Confluence](https://repo1.dso.mil/big-bang/product/community/confluence/-/tree/main/chart?ref_type=heads) chart.
 
 ## Pre-requisites
 
 The Confluence Package expects to be deployed on top of [UDS Core](https://github.com/defenseunicorns/uds-core) with the dependencies listed below being configured prior to deployment.
 
 Confluence is configured by default to assume the internal dependencies that are used for testing (see postgres in the [bundle](bundle/uds-bundle.yaml)).
 
-#### Database
+### Database
 
 - A Postgres database is running on port `5432` and accessible to the cluster via the `CONFLUENCE_DB_ENDPOINT` Zarf var.
 - This database can be logged into via the username configured with the Zarf var `CONFLUENCE_DB_USERNAME`. Default is `confluence.confluence`
 - This database instance has a psql database created matching what is defined in the Zarf var `CONFLUENCE_DB_NAME`. Default is `confluencedb`
 - The user has read/write access to the above mentioned database
-- Create `confluence-postgres` service in `confluence` namespace that points to the psql database
 - Create `confluence-postgres` secret in `confluence` namespace with the key `password` that contains the password to the user for the psql database
 
 ## Flavors
@@ -39,8 +38,8 @@ The released packages can be found in [ghcr](https://github.com/defenseunicorns/
 *For local dev, this requires you install [uds-cli](https://github.com/defenseunicorns/uds-cli?tab=readme-ov-file#install)
 
 > [!TIP]
-> To get a list of tasks to run you can use `uds run --list`!
+> To get a list of tasks to run you can use `uds run --list`! To set your flavor try `--set FLAVOR=<your choice>`, example: `uds run --set FLAVOR=registry1`.
 
 ## Contributing
 
-Please see the [CONTRIBUTING.md](./CONTRIBUTING.md)
+Please see the [CONTRIBUTING.md](./CONTRIBUTING.md)

bundle/uds-bundle.yaml

@@ -13,7 +13,7 @@ packages:
 
   - name: postgres-operator
     repository: ghcr.io/defenseunicorns/packages/uds/postgres-operator
-    ref: 1.10.1-uds.4-upstream
+    ref: 1.12.2-uds.1-upstream
     overrides:
       postgres-operator:
         uds-postgres-config:

chart/templates/uds-package.yaml

@@ -9,8 +9,9 @@ spec:
     - name: Confluence Login
       clientId: uds-package-confluence
       redirectUris:
-        - "https://confluence.{{ .Values.domain }}/plugins/servlet/oidc/callback"
+        - "https://{{ .Values.subdomain }}.{{ .Values.domain }}/plugins/servlet/oidc/callback"
   {{- end }}
+  # Customize network policies and expose services via istio
   network:
     expose:
       - service: confluence
@@ -22,19 +23,58 @@ spec:
         targetPort: 8090
     allow:
       - direction: Ingress
-        remoteGenerated: IntraNamespace
-      - direction: Egress
-        remoteGenerated: IntraNamespace
-      - direction: Egress
-        podLabels:
+        selector:
+          app.kubernetes.io/name: confluence
+        remoteSelector:
           app.kubernetes.io/name: confluence
-        port: 443
-        description: "SSO"
+        remoteNamespace: {{ .Release.Namespace }}
+        port: 5801  # Hazelcast (used by nodes to form cluster)
       - direction: Egress
-        # todo: this is over permissive, need to scope it down
-        remoteGenerated: KubeAPI
-      # Todo: wide open for hitting in-cluster or external postgres
+        selector:
+          app.kubernetes.io/name: confluence
+        remoteSelector:
+          app.kubernetes.io/name: confluence
+        remoteNamespace: {{ .Release.Namespace }}
+        port: 5801  # Hazelcast (used by nodes to form cluster)
+        # TODO: Add 5701 for Synchrony once enabled.
+
       - direction: Egress
-        podLabels:
+        selector:
           app.kubernetes.io/name: confluence
+        port: {{ .Values.postgres.port }}
+      {{- if .Values.postgres.internal }}
+        remoteNamespace: {{ .Values.postgres.namespace }}
+        remoteSelector:
+          {{ .Values.postgres.selector | toYaml | indent 10 }}
+      {{- else }}
+        # TODO: Once https://github.com/defenseunicorns/uds-core/issues/558 is resolved, this should instead be taking the external Postgres IP or domain
+        # And only permitting access to that service. Right now, it permits egress to anyone, on the right port.
         remoteGenerated: Anywhere
+      {{- end }}
+
+      ### Allow monitoring to export metrics ###
+      - direction: Ingress
+        remoteNamespace: monitoring
+        remoteSelector:
+          app: prometheus
+        selector:
+          app: confluence
+          app.kubernetes.io/component: exporter
+        port: 8001 # TODO: this port number needs verified.
+        description: "Confluence Exporter Monitor"
+
+      # Custom rules for unanticipated scenarios
+      {{- range .Values.custom }}
+      - direction: {{ .direction }}
+        selector:
+          {{ .selector | toYaml | nindent 10 }}
+        {{- if not .remoteGenerated }}
+        remoteNamespace: {{ .remoteNamespace }}
+        remoteSelector:
+          {{ .remoteSelector | toYaml | nindent 10 }}
+        port: {{ .port }}
+        {{- else }}
+        remoteGenerated: {{ .remoteGenerated }}
+        {{- end }}
+        description: {{ .description }}
+      {{- end }}

chart/values.yaml

@@ -1,2 +1,14 @@
 domain: "###ZARF_VAR_DOMAIN###"
+subdomain: "confluence"
 sso: true
+
+postgres:
+  # Set to false to use external postgres
+  internal: true
+  selector:  # Ignored if external
+    cluster-name: pg-cluster
+  namespace: postgres  # Ignored if external
+  port: 5432
+
+# Custom network policies
+custom: []

values/registry1-values.yaml

@@ -11,6 +11,8 @@ image:
 synchrony:
   enabled: false
 
+replicaCount: 1
+
 confluence:
   resources:
     container: