Skip to content

Vault network policy - update#128

Merged
mlorenzofr merged 18 commits into
validatedpatterns:mainfrom
p-rog:network-policy
May 8, 2026
Merged

Vault network policy - update#128
mlorenzofr merged 18 commits into
validatedpatterns:mainfrom
p-rog:network-policy

Conversation

@p-rog
Copy link
Copy Markdown
Collaborator

@p-rog p-rog commented May 7, 2026

Add NetworkPolicy for the Vault namespace.

  • add overrides/values-vault-network-policy.yaml with ingress/egress rules for Vault server pods and a default-deny policy for the vault namespace
  • enable the policies via extraValueFiles in values-hub.yaml for the vault application
  • Ingress: allows OCP router (UI/API via Route), qtodo namespace (SPIFFE JWT auth on port 8200), and intra-cluster Vault HA replication (port 8201)
  • Egress: allows CoreDNS (port 5353), SPIRE OIDC discovery provider (JWKS fetching), Vault HA replication, and Kubernetes API server (TokenReview for ESO)

Depends on validatedpatterns/hashicorp-vault-chart#18 which adds the default-deny NetworkPolicy template to the wrapper chart.

Przemyslaw Roguski and others added 18 commits April 9, 2026 19:04
Fixing db network policy bug, adding new qtodo egress network policie…
139b81f 
…s and default deny network policy
cleaning all changes
0e270ec
db network policy file change
e3d7b40
feat: add qtodo egress NetworkPolicy (port-restricted, no default-deny)
e460c98
fixing the namespace name
eb893da
changing the ingress policy, to allow qtodo correct network communica…
df49c66 
…tion
NP tweaks
41b8407
removing egress qtodo network policies due to problems with OVN-K and…
95968d2 
… later broken DNS
Merge branch 'main' of github.com:validatedpatterns/layered-zero-trus…
ddf1f4f 
…t into network-policy
sync with PR#125
6e845a9
Pushing correct, fully covered network polices, with correct DNS port…
53cfef9 
… and Keycloak port
openshift-ingress labels update, because policy-group.network.openshi…
edc5e46 
…ft.io/ingress: triggers OVN-K's special ACL handling for host-network traffic
changing the namespaceSelector: for Keycloak, because here Keycloak a…
a545391 
…snwers on both an internal hostname (for back-channel) and an external hostname (for browser redirects)
Adding default deny policy
bed618b
@p-rog
Merge branch 'validatedpatterns:main' into network-policy
b495244
Testing Vault ingress/egress network policies
8706879
Testing Vault network policies
ad649cf
@p-rog
adding Vault network policies
33d9f5b
sabre1041
sabre1041 approved these changes May 8, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@sabre1041 sabre1041 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

mlorenzofr
mlorenzofr approved these changes May 8, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@mlorenzofr mlorenzofr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

everything worked fine in my test cluster

LGTM

@mlorenzofr mlorenzofr merged commit 6f0eb1d into validatedpatterns:main May 8, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sabre1041 sabre1041 sabre1041 approved these changes

@mlorenzofr mlorenzofr mlorenzofr approved these changes

@minmzzhang minmzzhang Awaiting requested review from minmzzhang

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@p-rog @sabre1041 @mlorenzofr