From e6c6998483435b799f7e46826100be6fc8917ae9 Mon Sep 17 00:00:00 2001
From: Guilherme Santos
Date: Mon, 19 Aug 2024 15:36:10 +0200
Subject: [PATCH 1/2] [FEAT] add netpol template to fluentbit
---
 .../templates/netpol-fluentbit.yaml | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 argocd-helm-charts/fluent-bit/templates/netpol-fluentbit.yaml
diff --git a/argocd-helm-charts/fluent-bit/templates/netpol-fluentbit.yaml b/argocd-helm-charts/fluent-bit/templates/netpol-fluentbit.yaml
new file mode 100644
index 000000000..6648e24a2
--- /dev/null
+++ b/argocd-helm-charts/fluent-bit/templates/netpol-fluentbit.yaml
@@ -0,0 +1,36 @@
+{{ if .Values.networkpolicies }}
+apiVersion: crd.projectcalico.org/v1
+kind: NetworkPolicy
+metadata:
+ name: default.fluentbit
+ namespace: logging
+spec:
+ order: 100
+ selector:
+ app.kubernetes.io/name == 'fluent-bit'
+ types:
+ - Egress
+ egress:
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - 5555
+ # Connect to kube2iam, and allow filebeat to get k8s node metadata
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - 8181
+ - 443
+ selector: kubernetes.io/role in { 'node', 'master' }
+ namespaceSelector: global()
+ # Allow access to EC2 metadata endpoint
+ - action: Allow
+ protocol: TCP
+ destination:
+ ports:
+ - 443
+ nets:
+ - 169.254.169.254/32
+{{ end }}
From 1c8c9ab0b7724c3a964c29905a2b670d6434c1c2 Mon Sep 17 00:00:00 2001
From: Guilherme Santos
Date: Thu, 22 Aug 2024 10:32:13 +0200
Subject: [PATCH 2/2] [FEAT] add default value for networkpolicies
---
 argocd-helm-charts/fluent-bit/values.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/argocd-helm-charts/fluent-bit/values.yaml b/argocd-helm-charts/fluent-bit/values.yaml
index d881b9bb3..74e89dae1 100644
--- a/argocd-helm-charts/fluent-bit/values.yaml
+++ b/argocd-helm-charts/fluent-bit/values.yaml
@@ -1,3 +1,4 @@
+networkpolicies: false
 fluent-bit:
 image:
 pullPolicy: IfNotPresent
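Review bot: The first egress rule in netpol-fluentbit.yaml gives `destination` only the port 5555, with no `selector` or `nets`, so it allows TCP 5555 to any address rather than just the log receiver; narrow it with something like `nets: ['<log-receiver-cidr>']` (placeholder value) or a `selector` for the receiving pods. The last rule opens 443 to 169.254.169.254/32, but the EC2 instance metadata service is served over HTTP on port 80, so as written it probably does not permit what its comment describes; if kube2iam is meant to broker credentials, dropping direct metadata access is the safer direction than widening it. No rule allows DNS (port 53), so once this Egress policy selects the pods, name resolution depends on some other policy permitting it, which is worth confirming. The comment above the second rule still names filebeat and could read `# Connect to kube2iam, and allow fluent-bit to get k8s node metadata`.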
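Review bot: The new top-level `networkpolicies` key in values.yaml has no comment saying what it toggles; a line such as `# Render the Calico NetworkPolicy for fluent-bit (needs the crd.projectcalico.org/v1 CRDs installed)` above it would tell operators what enabling it requires. The template it gates hard-codes `namespace: logging`, so the flag presumably only has the intended effect when the chart is deployed into that namespace, and that is worth stating in the same comment.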