From 221c9bf598f53ff19d7978f4c4649d4b80a780c4 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Mon, 18 May 2026 23:50:33 +0600 Subject: [PATCH] Add networkPolicy.flavor with cilium support to petset and sidekick Adds a new networkPolicy.flavor helm value (default "kubernetes") to the petset and sidekick charts, mirroring the same toggle added to the KubeDB installer. The helper layer (security.useKubernetesNetworkPolicy, security.useCiliumNetworkPolicy, security.networkPolicyFlavor) reads both the chart-local value and the global namespaced value so the toggle propagates correctly when these charts are pulled in as subcharts of the kubedb umbrella. When flavor=cilium and networkPolicy.enabled=true: - petset emits an ingress CiliumNetworkPolicy from remote-node/host on 9443 (webhook conversion / validation) and an egress to remote-node/host on 6443. - sidekick emits an egress CiliumNetworkPolicy to remote-node/host on 6443. Driven by a Cilium-managed default-deny customer of KubeDB who needs the subchart-emitted NetworkPolicies to match the rest of the operator-namespace policy set. Signed-off-by: Tamal Saha --- apis/installer/v1alpha1/types.go | 13 ++++++ charts/petset/templates/_helpers.tpl | 33 +++++++++++++++ .../templates/cilium-network-policy.yaml | 40 +++++++++++++++++++ charts/petset/templates/network-policy.yaml | 2 +- charts/petset/values.openapiv3_schema.yaml | 5 +++ charts/petset/values.yaml | 3 ++ charts/sidekick/templates/_helpers.tpl | 33 +++++++++++++++ .../templates/cilium-network-policy.yaml | 20 ++++++++++ charts/sidekick/templates/network-policy.yaml | 2 +- charts/sidekick/values.openapiv3_schema.yaml | 5 +++ charts/sidekick/values.yaml | 3 ++ 11 files changed, 157 insertions(+), 2 deletions(-) create mode 100644 charts/petset/templates/cilium-network-policy.yaml create mode 100644 charts/sidekick/templates/cilium-network-policy.yaml diff --git a/apis/installer/v1alpha1/types.go b/apis/installer/v1alpha1/types.go index e7225bab..acd3f2e6 100644 
--- a/apis/installer/v1alpha1/types.go
+++ b/apis/installer/v1alpha1/types.go
@@ -121,6 +121,19 @@ type TLSConfig struct {
 	InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify"`
 }
 
+// NetworkPolicyFlavor selects which API flavor is used when network policies
+// are emitted. Defaults to "kubernetes".
+// +kubebuilder:validation:Enum=kubernetes;cilium
+type NetworkPolicyFlavor string
+
+const (
+	NetworkPolicyFlavorKubernetes NetworkPolicyFlavor = "kubernetes"
+	NetworkPolicyFlavorCilium NetworkPolicyFlavor = "cilium"
+)
+
 type NetworkPolicySpec struct {
 	Enabled bool `json:"enabled"`
+	// +optional
+	// +kubebuilder:default=kubernetes
+	Flavor NetworkPolicyFlavor `json:"flavor,omitempty"`
 }
diff --git a/charts/petset/templates/_helpers.tpl b/charts/petset/templates/_helpers.tpl
index 8c2d63e3..6b15dba1 100644
--- a/charts/petset/templates/_helpers.tpl
+++ b/charts/petset/templates/_helpers.tpl
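Review bot: The new `Flavor` field on `NetworkPolicySpec` carries only kubebuilder markers and no doc comment, so the generated CRD/OpenAPI description is empty for the one field users will actually set; add `// Flavor selects which network policy API the charts render: "kubernetes" (default) or "cilium".` above the `+optional` marker, and note there that it presumably has no effect when `Enabled` is false (confirm against the installer templates, which are outside this hunk). The `+kubebuilder:default=kubernetes` marker duplicates the literal in `NetworkPolicyFlavorKubernetes`; markers cannot reference the constant, so a short comment that the two must stay in sync would save the next person who adds a flavor.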
@@ -113,6 +113,39 @@ Returns whether the NetworkPolicy should be enabled
 {{- ternary "true" "false" .Values.networkPolicy.enabled -}}
 {{- end }}
 
+{{/*
+Returns the configured NetworkPolicy flavor.
+"cilium" emits cilium.io/v2 CiliumNetworkPolicy; anything else emits the
+default networking.k8s.io/v1 NetworkPolicy. The local chart's
+networkPolicy.flavor wins over the global value.
+*/}}
+{{- define "security.networkPolicyFlavor" -}}
+{{- $globalFlavor := "" -}}
+{{- if and .Values.global .Values.global.networkPolicy -}}
+{{- $globalFlavor = .Values.global.networkPolicy.flavor -}}
+{{- end -}}
+{{- $localFlavor := "" -}}
+{{- if and .Values.networkPolicy .Values.networkPolicy.flavor -}}
+{{- $localFlavor = .Values.networkPolicy.flavor -}}
+{{- end -}}
+{{- default (default "kubernetes" $globalFlavor) $localFlavor -}}
+{{- end }}
+
+{{/*
+Returns "true" when CiliumNetworkPolicy resources should be emitted.
+*/}}
+{{- define "security.useCiliumNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (eq "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
+{{/*
+Returns "true" when the built-in networking.k8s.io/v1 NetworkPolicy resources
+should be emitted (the default flavor).
+*/}}
+{{- define "security.useKubernetesNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (ne "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
 {{/*
 Returns whether the OpenShift distribution is used
 */}}
diff --git a/charts/petset/templates/cilium-network-policy.yaml b/charts/petset/templates/cilium-network-policy.yaml
new file mode 100644
index 00000000..ca5ec73a
--- /dev/null
+++ b/charts/petset/templates/cilium-network-policy.yaml
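Review bot: The global value can never take effect with this precedence: `security.networkPolicyFlavor` returns `$localFlavor` whenever it is non-empty, and this commit's `charts/petset/values.yaml` hunk ships `flavor: kubernetes` as the chart default, so `.Values.networkPolicy.flavor` is always set and a `global.networkPolicy.flavor: cilium` from the umbrella is silently ignored unless the umbrella also overrides the subchart key directly — the opposite of the propagation the commit message describes. Either ship the chart default unset (comment only in values.yaml, so `default` falls through to the global value) or invert the precedence so a set global value wins. Separately, `security.useKubernetesNetworkPolicy` tests `ne "cilium"`, so an unrecognized flavor (a typo, or any value arriving via `global`, which this chart's schema does not validate) silently renders the Kubernetes flavor; rendering should stop instead, e.g. `{{- $flavor := include "security.networkPolicyFlavor" . -}}` followed by `{{- if not (has $flavor (list "kubernetes" "cilium")) }}{{ fail (printf "unsupported networkPolicy.flavor %q" $flavor) }}{{- end }}`. The identical helper block in `charts/sidekick/templates/_helpers.tpl` and the sidekick `values.yaml` hunk share both problems.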
@@ -0,0 +1,40 @@ +{{- if eq "true" ( include "security.useCiliumNetworkPolicy" . ) }} +# Allow the kube-apiserver (via host / remote-node identities in Cilium) to +# reach the PetSet webhook server's conversion and validation endpoints. +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: {{ include "petset.fullname" . }}-ingress-from-apiserver + namespace: {{ .Release.Namespace }} +spec: + endpointSelector: + matchLabels: + {{- include "petset.selectorLabels" . | nindent 6 }} + ingress: + - fromEntities: + - remote-node + - host + toPorts: + - ports: + - port: "9443" + protocol: TCP +--- +# Allow the petset operator pods to reach the Kubernetes API server. +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: {{ include "petset.fullname" . }}-egress-kubernetes-api + namespace: {{ .Release.Namespace }} +spec: + endpointSelector: + matchLabels: + {{- include "petset.selectorLabels" . | nindent 6 }} + egress: + - toEntities: + - remote-node + - host + toPorts: + - ports: + - port: "6443" + protocol: TCP +{{- end }} diff --git a/charts/petset/templates/network-policy.yaml b/charts/petset/templates/network-policy.yaml index 52a610f0..96cff253 100644 --- a/charts/petset/templates/network-policy.yaml +++ b/charts/petset/templates/network-policy.yaml @@ -1,4 +1,4 @@ -{{- if eq "true" ( include "security.enableNetworkPolicy" . ) }} +{{- if eq "true" ( include "security.useKubernetesNetworkPolicy" . ) }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy diff --git a/charts/petset/values.openapiv3_schema.yaml b/charts/petset/values.openapiv3_schema.yaml index fee526be..3ad90ebf 100644 --- a/charts/petset/values.openapiv3_schema.yaml +++ b/charts/petset/values.openapiv3_schema.yaml @@ -1729,6 +1729,11 @@ properties: properties: enabled: type: boolean + flavor: + enum: + - kubernetes + - cilium + type: string required: - enabled type: object 
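Review bot: The egress rule hardcodes the API server as the `remote-node`/`host` entities on port `"6443"`, which only matches clusters whose control plane runs on cluster nodes on the kubeadm default port; on managed control planes (API server outside the node set, frequently on 443) this policy drops the operator's API traffic, and because a CiliumNetworkPolicy with an `egress` section moves the selected pods into egress default-deny, any other egress (DNS, metrics push) is dropped as well unless another policy in the namespace allows it. Make the port a chart value (e.g. `networkPolicy.apiServerPort`, default `6443`) and consider adding Cilium's dedicated `kube-apiserver` entity next to `remote-node`/`host`, then confirm against the customer's existing operator-namespace policy set which form they use. The same hardcoded egress rule appears in `charts/sidekick/templates/cilium-network-policy.yaml`. The ingress rule's `"9443"` is likewise asserted rather than derived from the webhook server's configured port; tie it to the same value the Deployment uses so the two cannot drift.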
diff --git a/charts/petset/values.yaml b/charts/petset/values.yaml index 2883de35..8db6ef1f 100644 --- a/charts/petset/values.yaml +++ b/charts/petset/values.yaml @@ -109,6 +109,9 @@ monitoring: networkPolicy: enabled: false + # flavor selects which network policy API is used. + # Accepted values: "kubernetes" (default) or "cilium". + flavor: kubernetes distro: # Set true, if installed in OpenShift diff --git a/charts/sidekick/templates/_helpers.tpl b/charts/sidekick/templates/_helpers.tpl index 3906a48e..b790c838 100644 --- a/charts/sidekick/templates/_helpers.tpl +++ b/charts/sidekick/templates/_helpers.tpl 
@@ -113,6 +113,39 @@ Returns whether the NetworkPolicy should be enabled
 {{- ternary "true" "false" .Values.networkPolicy.enabled -}}
 {{- end }}
 
+{{/*
+Returns the configured NetworkPolicy flavor.
+"cilium" emits cilium.io/v2 CiliumNetworkPolicy; anything else emits the
+default networking.k8s.io/v1 NetworkPolicy. The local chart's
+networkPolicy.flavor wins over the global value.
+*/}}
+{{- define "security.networkPolicyFlavor" -}}
+{{- $globalFlavor := "" -}}
+{{- if and .Values.global .Values.global.networkPolicy -}}
+{{- $globalFlavor = .Values.global.networkPolicy.flavor -}}
+{{- end -}}
+{{- $localFlavor := "" -}}
+{{- if and .Values.networkPolicy .Values.networkPolicy.flavor -}}
+{{- $localFlavor = .Values.networkPolicy.flavor -}}
+{{- end -}}
+{{- default (default "kubernetes" $globalFlavor) $localFlavor -}}
+{{- end }}
+
+{{/*
+Returns "true" when CiliumNetworkPolicy resources should be emitted.
+*/}}
+{{- define "security.useCiliumNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (eq "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
+{{/*
+Returns "true" when the built-in networking.k8s.io/v1 NetworkPolicy resources
+should be emitted (the default flavor).
+*/}}
+{{- define "security.useKubernetesNetworkPolicy" -}}
+{{- and (eq "true" (include "security.enableNetworkPolicy" .)) (ne "cilium" (include "security.networkPolicyFlavor" .)) | ternary "true" "false" -}}
+{{- end }}
+
 {{/*
 Returns whether the OpenShift distribution is used
 */}}
diff --git a/charts/sidekick/templates/cilium-network-policy.yaml b/charts/sidekick/templates/cilium-network-policy.yaml
new file mode 100644
index 00000000..4e5720ff
--- /dev/null
+++ b/charts/sidekick/templates/cilium-network-policy.yaml
@@ -0,0 +1,20 @@ +{{- if eq "true" ( include "security.useCiliumNetworkPolicy" . ) }} +# Allow the sidekick operator pods to reach the Kubernetes API server. +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: {{ include "sidekick.fullname" . }}-egress-kubernetes-api + namespace: {{ .Release.Namespace }} +spec: + endpointSelector: + matchLabels: + {{- include "sidekick.selectorLabels" . | nindent 6 }} + egress: + - toEntities: + - remote-node + - host + toPorts: + - ports: + - port: "6443" + protocol: TCP +{{- end }} diff --git a/charts/sidekick/templates/network-policy.yaml b/charts/sidekick/templates/network-policy.yaml index 215cc9a7..84b2d10b 100644 --- a/charts/sidekick/templates/network-policy.yaml +++ b/charts/sidekick/templates/network-policy.yaml @@ -1,4 +1,4 @@ -{{- if eq "true" ( include "security.enableNetworkPolicy" . ) }} +{{- if eq "true" ( include "security.useKubernetesNetworkPolicy" . ) }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy diff --git a/charts/sidekick/values.openapiv3_schema.yaml b/charts/sidekick/values.openapiv3_schema.yaml index f588787e..52b1fa8d 100644 --- a/charts/sidekick/values.openapiv3_schema.yaml +++ b/charts/sidekick/values.openapiv3_schema.yaml @@ -1706,6 +1706,11 @@ properties: properties: enabled: type: boolean + flavor: + enum: + - kubernetes + - cilium + type: string required: - enabled type: object diff --git a/charts/sidekick/values.yaml b/charts/sidekick/values.yaml index 0d842da9..2ce4450b 100644 --- a/charts/sidekick/values.yaml +++ b/charts/sidekick/values.yaml @@ -109,6 +109,9 @@ monitoring: networkPolicy: enabled: false + # flavor selects which network policy API is used. + # Accepted values: "kubernetes" (default) or "cilium". + flavor: kubernetes distro: # Set true, if installed in OpenShift