diff --git a/run_helm_test.sh b/run_helm_test.sh
new file mode 100755
index 0000000000000000000000000000000000000000..7324e7d118cdd0dd4d8815201c07089ea5122d12
--- /dev/null
+++ b/run_helm_test.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+helm template  ./src/main/helm/ -f src/test/unit-values.yaml
+helm lint -f src/test/unit-values.yaml ./src/main/helm/
+cd src/main/helm && helm unittest --helm3 -f '../../test/helm/*.yaml' -v '../../test/unit-values.yaml' .
\ No newline at end of file
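Review bot: All three commands use paths relative to the repository root, so the script fails with a confusing helm error when it is started from any other directory. Adding `cd "$(dirname "$0")"` right after `set -e` would make it independent of the caller's working directory. `helm template` also prints the fully rendered manifests to stdout; if only the exit status matters here, appending `> /dev/null` keeps CI logs readable.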
diff --git a/src/main/helm/templates/network_policy_alfa.yaml b/src/main/helm/templates/network_policy_alfa.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2cf22a422e33f657b4f0fcae024f04556772596f
--- /dev/null
+++ b/src/main/helm/templates/network_policy_alfa.yaml
@@ -0,0 +1,47 @@
+{{- if not (.Values.network_policy).disabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: network-policy-alfa
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      component: goofy
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+  - ports:
+    - port: 8080
+  {{- with (.Values.network_policy).additional_ingress_config }}
+  - from:
+{{ toYaml . | indent 8 }}
+  {{- end }}
+  egress:
+  - to:
+    - podSelector: 
+        matchLabels:
+          component: pluto
+    ports:
+      - port: 9090
+        protocol: TCP
+  # public keycloak ip
+  - to:
+    - ipBlock:         
+        cidr:  {{ required "Keycloak public IP must be set" (.Values.network_policy).sso_public_ip }}
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+        matchExpressions:
+              - key: kubernetes.io/metadata.name
+                operator: In
+                values:
+                  - kube-system
+    ports:
+      - port: 53
+        protocol: UDP
+      - port: 53
+        protocol: TCP
+{{- end }}
\ No newline at end of file
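Review bot: The `- from:` entry inside the `additional_ingress_config` block renders as its own ingress rule, separate from the `- ports:` / `- port: 8080` rule above it. NetworkPolicy rules are additive, so port 8080 stays reachable from any source, while the configured peers are allowed on every port of the `component: goofy` pods. If the intent is to limit 8080 to those peers, `from:` should be a key of the same list item as `ports:` (aligned with `ports:`, with the `toYaml` output nested under it), and the spec test would need to follow. Separately, the Keycloak `ipBlock` egress rule has no `ports:` list, so it permits all ports to that address; a `- port: 443` / `protocol: TCP` entry would narrow it, assuming Keycloak is served over HTTPS there.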
diff --git a/src/test/helm/network_policy_alfa_test.yaml b/src/test/helm/network_policy_alfa_test.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..da664cced07ff31f841b66ccdf1e8170aaa02494
--- /dev/null
+++ b/src/test/helm/network_policy_alfa_test.yaml
@@ -0,0 +1,119 @@
+#
+# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+
+suite: network policy alfa test
+release:
+  name: alfa
+  namespace: by-helm-test
+templates:
+  - templates/network_policy_alfa.yaml
+tests:
+  - it: should match apiVersion
+    asserts:
+      - isAPIVersion:
+          of: networking.k8s.io/v1
+  - it: should match kind
+    asserts:
+      - isKind:
+          of: NetworkPolicy
+  - it: validate metadata
+    asserts:
+      - equal:
+          path: metadata
+          value:
+            name: network-policy-alfa
+            namespace: by-helm-test
+  - it: validate spec
+    asserts:
+      - equal:
+          path: spec
+          value:
+            podSelector:
+              matchLabels:
+                component: goofy
+            policyTypes:
+              - Ingress
+              - Egress
+            ingress:
+            - ports:
+              - port: 8080
+            egress:
+            - to:
+              - podSelector: 
+                  matchLabels:
+                    component: pluto
+              ports:
+                - port: 9090
+                  protocol: TCP
+            # public keycloak ip
+            - to:
+              - ipBlock:         
+                  cidr: 51.89.117.53/32
+            - to:
+              - namespaceSelector:
+                  matchLabels:
+                    kubernetes.io/metadata.name: kube-system
+                  matchExpressions:
+                        - key: kubernetes.io/metadata.name
+                          operator: In
+                          values:
+                            - kube-system
+              ports:
+                - port: 53
+                  protocol: UDP
+                - port: 53
+                  protocol: TCP
+  - it: add ingress rule by values
+    set:
+      network_policy:
+        additional_ingress_config:
+        - podSelector: 
+            matchLabels:
+              component: client2
+    asserts:
+      - equal:
+          path: spec.ingress
+          value:
+            - ports:
+              - port: 8080
+            - from:
+              - podSelector: 
+                  matchLabels:
+                    component: client2
+
+  - it: test network policy disabled
+    set:
+      network_policy:
+        disabled: true
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: test network policy unset should be disabled
+    set:
+      network_policy:
+        disabled: false
+    asserts:
+      - hasDocuments:
+          count: 1
\ No newline at end of file
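Review bot: The last case, `test network policy unset should be disabled`, sets `disabled: false` and expects one document, so its title contradicts what it checks; a title such as `it: renders policy when disabled is false` would match the assertion. The `required` guard on `sso_public_ip` in the template has no test. A case that clears `sso_public_ip` in `set` and uses the `failedTemplate` assertion with `errorMessage: Keycloak public IP must be set` would pin that a missing value aborts the render instead of producing a policy without the Keycloak rule. Whether `set` can null out a key supplied by the values file should be confirmed against the helm-unittest version in use.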
diff --git a/src/test/unit-values.yaml b/src/test/unit-values.yaml
index 12b8a491175b4c09eec2bbae06724996947d1d9b..23a29bbdbc67b13c1cbc2bed9d9ea6c286f8bfff 100644
--- a/src/test/unit-values.yaml
+++ b/src/test/unit-values.yaml
@@ -42,3 +42,7 @@ baseUrl: test.sh.ozg-cloud.de
 image:
   path: docker.ozg-sh.de/goofy
   tag: snapshot-latest
+
+network_policy:
+  sso_public_ip: 51.89.117.53/32
+  additional_ingress_config:
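Review bot: `additional_ingress_config:` with no value parses as null, not as an empty list. The template's `with` skips a null value, so rendering is unaffected, but `additional_ingress_config: []` states the intent explicitly and avoids linters that flag empty values.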