chore(charts): allow local oidc provider

Signed-off-by: Thibault Camalon <135698225+thbcmlowk@users.noreply.github.com>

charts/substra-backend/templates/networkpolicy-server.yaml

@@ -25,6 +25,9 @@ kind: NetworkPolicy
 metadata:
   name: {{ template "substra.name" . }}-server-egress
 spec:
+  podSelector:
+    matchLabels:
+      role-server-client: 'true'
   egress:
   - ports:
     - port: {{ .Values.server.service.port }}
@@ -38,11 +41,22 @@ spec:
     # Allow communication between backends in same cluster
     - ipBlock:
         cidr: 10.0.0.0/8
+    - ipBlock:
+        cidr: 192.168.0.0/16
     - ipBlock:
         cidr: 172.16.0.0/20
       {{- end }}
-  podSelector:
-    matchLabels:
-      role-server-client: 'true'
+  {{- if .Values.oidc.provider.sameCluster }}
+  - ports:
+    - port: {{ .Values.oidc.provider.port }}
+      protocol: TCP
+    to:
+    - ipBlock:
+        cidr: 10.0.0.0/8
+    - ipBlock:
+        cidr: 192.168.0.0/16
+    - ipBlock:
+        cidr: 172.16.0.0/20
+    {{- end }}
   policyTypes:
   - Egress

charts/substra-backend/values.yaml

@@ -881,8 +881,12 @@ oidc:
   provider:
     ## @param oidc.provider.url The identity provider URL (with scheme).
     url: null
+    ## @param oidc.provider.port The identity provider port
+    port: 443
     ## @param oidc.provider.displayName The name of the provider as displayed in the interface ("Sign in with X")
     displayName: null
+    ## @param oidc.provider.sameCluster Turn this setting to on when the OIDC client is hosted on the same cluster to allow a more relaxed network policy
+    sameCluster: false
     # @param oidc.provider.endpoints The endpoints are appended to the given provider domain. If not given, they are read from `/.well-known/openid-configuration` at startup.
     endpoints:
       ## @param oidc.provider.endpoints.authorization Typically https://provider/auth