From 21409f112dc299966a3beca89ead13f5045ecc33 Mon Sep 17 00:00:00 2001
From: Johannes Horn <117528519+hornjo@users.noreply.github.com>
Date: Sun, 8 Jun 2025 18:14:18 +0200
Subject: [PATCH] add networkpolicy for job and add possibility to define egress ports (#20951)

---
 helm/minio/templates/networkpolicy.yaml | 40 ++++++++++++++++++
 helm/minio/values.yaml | 54 ++++++++++++++++++++-----
 2 files changed, 84 insertions(+), 10 deletions(-)

diff --git a/helm/minio/templates/networkpolicy.yaml b/helm/minio/templates/networkpolicy.yaml
index b9c077171..bb45a6c63 100644
--- a/helm/minio/templates/networkpolicy.yaml
+++ b/helm/minio/templates/networkpolicy.yaml
@@ -16,11 +16,51 @@ spec:
 ingress:
 - ports:
 - port: {{ .Values.minioAPIPort }}
+ protocol: TCP
 - port: {{ .Values.minioConsolePort }}
+ protocol: TCP
 {{- if not .Values.networkPolicy.allowExternal }}
 from:
 - podSelector:
 matchLabels:
 {{ template "minio.name" . }}-client: "true"
 {{- end }}
+ {{- if .Values.networkPolicy.egress.enabled }}
+ egress:
+ - ports:
+ {{ .Values.networkPolicy.egress.ports | toJson }}
+ {{- with .Values.networkPolicy.egress.to }}
+ to:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- end }}
+---
+kind: NetworkPolicy
+apiVersion: {{ template "minio.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ template "minio.fullname" . }}-post-job
+ labels:
+ app: {{ template "minio.name" . }}-post-job
+ chart: {{ template "minio.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ template "minio.name" . }}-job
+ release: {{ .Release.Name }}
+ egress:
+ - ports:
+ - port: {{ .Values.minioAPIPort }}
+ protocol: TCP
+ - port: {{ .Values.minioConsolePort }}
+ protocol: TCP
+ {{- if .Values.networkPolicy.egress.enabled }}
+ - ports:
+ {{ .Values.networkPolicy.egress.ports | toJson }}
+ {{- with .Values.networkPolicy.egress.to }}
+ to:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- end }}
 {{- end }}
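Review bot: The post-job NetworkPolicy added at the end of the hunk gives the job pods an egress rule with `ports` but no `to`, so once a CNI enforces it the job may reach the API and console ports on any destination yet nothing else — in particular no DNS, so if the job addresses MinIO by service name (the job template is not visible here) name resolution fails unless the operator also enables `networkPolicy.egress` and lists port 53 by hand. I would scope the rule to this release's MinIO pods with a `podSelector`, add a dedicated DNS rule, and keep the console port only if the job really talks to the console, as sketched below (the pod label to match must be checked against the MinIO pod template). Both policies also leave `policyTypes` implicit; with egress rules present Kubernetes infers `[Ingress, Egress]`, so for the job policy an explicit `policyTypes: [Egress]` states the intent and avoids the implicit ingress deny. The job policy is always `kind: NetworkPolicy` regardless of `networkPolicy.flavor`, which the Cilium variant presumably handles elsewhere, and the `{{- if` closed by the hunk's final `{{- end }}` starts outside the hunk.
```yaml
spec:
  # … unchanged: podSelector for the -job pods …
  policyTypes:
    - Egress
  egress:
    # MinIO API of this release only; confirm the label matches the MinIO pod template
    - to:
        - podSelector:
            matchLabels:
              app: {{ template "minio.name" . }}
              release: {{ .Release.Name }}
      ports:
        - port: {{ .Values.minioAPIPort }}
          protocol: TCP
    # name resolution for the service address
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # … unchanged: optional networkPolicy.egress ports/to block …
```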
diff --git a/helm/minio/values.yaml b/helm/minio/values.yaml
index 4c9714ea9..82b3dd8bb 100644
--- a/helm/minio/values.yaml
+++ b/helm/minio/values.yaml
@@ -200,9 +200,11 @@ service:
 ingress:
 enabled: false
 ingressClassName: ~
- labels: {}
+ labels:
+ {}
 # node-role.kubernetes.io/ingress: platform
- annotations: {}
+ annotations:
+ {}
 # kubernetes.io/ingress.class: nginx
 # kubernetes.io/tls-acme: "true"
 # kubernetes.io/ingress.allow-http: "false"
@@ -241,9 +243,11 @@ consoleService:
 consoleIngress:
 enabled: false
 ingressClassName: ~
- labels: {}
+ labels:
+ {}
 # node-role.kubernetes.io/ingress: platform
- annotations: {}
+ annotations:
+ {}
 # kubernetes.io/ingress.class: nginx
 # kubernetes.io/tls-acme: "true"
 # kubernetes.io/ingress.allow-http: "false"
@@ -391,7 +395,8 @@ makeUserJob:
 
 ## List of service accounts to be created after minio install
 ##
-svcaccts: []
+svcaccts:
+ []
 ## accessKey, secretKey and parent user to be assigned to the service accounts
 ## Add new service accounts as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management/minio-user-management.html#service-accounts
 # - accessKey: console-svcacct
@@ -430,7 +435,8 @@ makeServiceAccountJob:
 
 ## List of buckets to be created after minio install
 ##
-buckets: []
+buckets:
+ []
 # # Name of the bucket
 # - name: bucket1
 # # Policy to be set on the
@@ -479,13 +485,15 @@ customCommandJob:
 requests:
 memory: 128Mi
 ## Additional volumes to add to the post-job.
- extraVolumes: []
+ extraVolumes:
+ []
 # - name: extra-policies
 # configMap:
 # name: my-extra-policies-cm
 ## Additional volumeMounts to add to the custom commands container when
 ## running the post-job.
- extraVolumeMounts: []
+ extraVolumeMounts:
+ []
 # - name: extra-policies
 # mountPath: /mnt/extras/
 # Command to run after the main command on exit
@@ -542,10 +550,35 @@ networkPolicy:
 # Specifies whether the policies created will be standard Network Policies (flavor: kubernetes)
 # or Cilium Network Policies (flavor: cilium)
 flavor: kubernetes
+ # allows external access to the minio api
 allowExternal: true
+ ## @params networkPolicy.egress configuration of the egress traffic
+ egress:
+ ## @param networkPolicy.egress.enabled When enabled, an egress network policy will be
+ ## created allowing minio to connect to external data sources from kubernetes cluster.
+ ##
+ enabled: false
+ ## @param networkPolicy.egress.ports Add individual ports to be allowed by the egress
+ ## Add ports to the egress by specifying - port:
+ ## E.X.
+ ## - port: 80
+ ## - port: 443
+ ## - port: 53
+ ## protocol: UDP
+ ##
+ ports: []
+ ## @param networkPolicy.egress.to Allow egress traffic to specific destinations
+ ## Add destinations to the egress by specifying - ipBlock:
+ ## E.X.
+ ## to:
+ ## - namespaceSelector:
+ ## matchExpressions:
+ ## - {key: role, operator: In, values: [minio]}
+ ##
+ to: []
 # only when using flavor: cilium
 egressEntities:
- - kube-apiserver
+ - kube-apiserver
 
 ## PodDisruptionBudget settings
 ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
@@ -573,7 +606,8 @@ metrics:
 # for node metrics
 relabelConfigs: {}
 # for cluster metrics
- relabelConfigsCluster: {}
+ relabelConfigsCluster:
+ {}
 # metricRelabelings:
 # - regex: (server|pod)
 # action: labeldrop
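Review bot: The `networkPolicy.egress.enabled` comment in the first hunk says an egress policy is created "allowing minio to connect to external data sources", but with the shipped defaults `ports: []` and `to: []` the template renders a rule with an empty `ports` list and no `to`, which Kubernetes treats as allow-all egress, and as soon as a single port is listed the rule turns into an allow-list that must also cover DNS (the `- port: 53` example) and any peer or cluster traffic MinIO itself needs. I would say so in the values comment: `## Note: with ports and to left empty all egress is allowed; once ports are set, list every port MinIO needs (DNS 53/UDP included).` The `## @params networkPolicy.egress` tag should be `## @param` like the other entries so README generators pick it up, the `to` description mentions `- ipBlock:` while the example shows a `namespaceSelector`, and `E.X.` reads better as `e.g.`.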