fix(helm chart): remove unnecessary values from helm chart (#964)

* fix(helm chart): remove unused values from helm chart

Previous commit introduced two additional values that are not being used for s3.  This commit
removes them.

* Looks up domain or IP from secret for redis and postgres

- undertakes a kubectl get on the secret.  The user or service account that deploys helm must have permissions to view the secret.
- fix: matchName for domain instead of matchPattern
- fix: typo in protocol

* Only allow monitoring ingress if monitoring is enabled

* Port can be determined from the provided secret
 - updates values.yaml to only require port for postgres and redis for inCluster endpoints
Iain Sproat 2022-08-25 09:36:15 +01:00 коммит произвёл GitHub
Родитель b61f0ffabe
Коммит d6f6a64630
14 изменённых файлов: 182 добавлений и 150 удалений


@ -100,11 +100,14 @@ Creates a network policy egress definition for connecting to Redis
Expects the global context "$" to be passed as the parameter
*/}}
{{- define "speckle.networkpolicy.egress.redis" -}}
{{- $port := (default "6379" .Values.redis.networkPolicy.port ) -}}
{{- if .Values.redis.networkPolicy.inCluster.enabled -}}
{{- $port := (default "6379" .Values.redis.networkPolicy.inCluster.port ) -}}
{{ include "speckle.networkpolicy.egress.internal" (dict "podSelector" .Values.redis.networkPolicy.inCluster.kubernetes.podSelector "namespaceSelector" .Values.redis.networkPolicy.inCluster.kubernetes.namespaceSelector "port" $port) }}
{{- else if .Values.redis.networkPolicy.externalToCluster.enabled -}}
{{ include "speckle.networkpolicy.egress.external" (dict "ip" .Values.redis.networkPolicy.externalToCluster.ipv4 "port" $port) }}
{{- $secret := ( include "speckle.getSecret" (dict "secret_key" "redis_url" "context" . ) ) -}}
{{- $domain := ( include "speckle.networkPolicy.domainFromUrl" $secret ) -}}
{{- $port := ( default "6379" ( include "speckle.networkPolicy.portFromUrl" $secret ) ) -}}
{{ include "speckle.networkpolicy.egress.external" (dict "ip" $domain "port" $port) }}
{{- end -}}
{{- end }}
@ -114,11 +117,14 @@ Creates a Cilium Network Policy egress definition for connecting to Redis
Expects the global context "$" to be passed as the parameter
*/}}
{{- define "speckle.networkpolicy.egress.redis.cilium" -}}
{{- $port := (default "6379" .Values.redis.networkPolicy.port ) -}}
{{- if .Values.redis.networkPolicy.inCluster.enabled -}}
{{- $port := (default "6379" .Values.redis.networkPolicy.inCluster.port ) -}}
{{ include "speckle.networkpolicy.egress.internal.cilium" (dict "endpointSelector" .Values.redis.networkPolicy.inCluster.cilium.endpointSelector "serviceSelector" .Values.redis.networkPolicy.inCluster.cilium.serviceSelector "port" $port) }}
{{- else if .Values.redis.networkPolicy.externalToCluster.enabled -}}
{{ include "speckle.networkpolicy.egress.external.cilium" (dict "ip" .Values.redis.networkPolicy.externalToCluster.ipv4 "fqdn" .Values.redis.networkPolicy.externalToCluster.host "port" $port) }}
{{- $secret := ( include "speckle.getSecret" (dict "secret_key" "redis_url" "context" . ) ) -}}
{{- $domain := ( include "speckle.networkPolicy.domainFromUrl" $secret ) -}}
{{- $port := ( default "6379" ( include "speckle.networkPolicy.portFromUrl" $secret ) ) -}}
{{ include "speckle.networkpolicy.egress.external.cilium" (dict "ip" $domain "port" $port) }}
{{- end -}}
{{- end }}
@ -126,11 +132,14 @@ Expects the global context "$" to be passed as the parameter
Creates a Kubernetes Network Policy egress definition for connecting to Postgres
*/}}
{{- define "speckle.networkpolicy.egress.postgres" -}}
{{- $port := (default "5432" .Values.db.networkPolicy.port ) -}}
{{- if .Values.db.networkPolicy.inCluster.enabled -}}
{{- $port := (default "5432" .Values.db.networkPolicy.inCluster.port ) -}}
{{ include "speckle.networkpolicy.egress.internal" (dict "podSelector" .Values.db.networkPolicy.inCluster.kubernetes.podSelector "namespaceSelector" .Values.db.networkPolicy.inCluster.kubernetes.namespaceSelector "port" $port) }}
{{- else if .Values.db.networkPolicy.externalToCluster.enabled -}}
{{ include "speckle.networkpolicy.egress.external" (dict "ip" .Values.db.networkPolicy.externalToCluster.ipv4 "port" $port) }}
{{- $secret := ( include "speckle.getSecret" (dict "secret_key" "postgres_url" "context" . ) ) -}}
{{- $domain := ( include "speckle.networkPolicy.domainFromUrl" $secret ) -}}
{{- $port := ( default "5432" ( include "speckle.networkPolicy.portFromUrl" $secret ) ) -}}
{{ include "speckle.networkpolicy.egress.external" (dict "ip" $domain "port" $port) }}
{{- end -}}
{{- end }}
@ -138,11 +147,14 @@ Creates a Kubernetes Network Policy egress definition for connecting to Postgres
Creates a Cilium network policy egress definition for connecting to Postgres
*/}}
{{- define "speckle.networkpolicy.egress.postgres.cilium" -}}
{{- $port := (default "5432" .Values.db.networkPolicy.port ) -}}
{{- if .Values.db.networkPolicy.inCluster.enabled -}}
{{- $port := (default "5432" .Values.db.networkPolicy.inCluster.port ) -}}
{{ include "speckle.networkpolicy.egress.internal.cilium" (dict "endpointSelector" .Values.db.networkPolicy.inCluster.cilium.endpointSelector "serviceSelector" .Values.db.networkPolicy.inCluster.cilium.serviceSelector "port" $port) }}
{{- else if .Values.db.networkPolicy.externalToCluster.enabled -}}
{{ include "speckle.networkpolicy.egress.external.cilium" (dict "ip" .Values.db.networkPolicy.externalToCluster.ipv4 "fqdn" .Values.db.networkPolicy.externalToCluster.host "port" $port) }}
{{- $secret := ( include "speckle.getSecret" (dict "secret_key" "postgres_url" "context" . ) ) -}}
{{- $domain := ( include "speckle.networkPolicy.domainFromUrl" $secret ) -}}
{{- $port := ( default "5432" ( include "speckle.networkPolicy.portFromUrl" $secret ) ) -}}
{{ include "speckle.networkpolicy.egress.external.cilium" (dict "ip" $domain "port" $port) }}
{{- end -}}
{{- end }}
@ -150,74 +162,60 @@ Creates a Cilium network policy egress definition for connecting to Postgres
Creates a Kubernetes network policy egress definition for connecting to S3 compatible storage
*/}}
{{- define "speckle.networkpolicy.egress.blob_storage" -}}
{{- $port := (default "443" .Values.s3.networkPolicy.port ) -}}
{{- if .Values.s3.networkPolicy.inCluster.enabled -}}
{{- $port := (default "443" .Values.s3.networkPolicy.port ) -}}
{{- if .Values.s3.networkPolicy.inCluster.enabled -}}
{{ include "speckle.networkpolicy.egress.internal" (dict "podSelector" .Values.s3.networkPolicy.inCluster.kubernetes.podSelector "namespaceSelector" .Values.s3.networkPolicy.inCluster.kubernetes.namespaceSelector "port" $port) }}
{{- else if .Values.s3.networkPolicy.externalToCluster.enabled -}}
{{- $host := ( include "speckle.networkPolicy.domainFromUrl" .Values.s3.endpoint ) -}}
{{- $ip := "" -}}
{{- if eq (include "speckle.isIPv4" $host) "true" -}}
{{- $ip = $host -}}
{{- end -}}
{{- else if .Values.s3.networkPolicy.externalToCluster.enabled -}}
{{- $ip := ( include "speckle.networkPolicy.domainFromUrl" .Values.s3.endpoint ) -}}
{{ include "speckle.networkpolicy.egress.external" (dict "ip" $ip "port" $port) }}
{{- end -}}
{{- end -}}
{{- end }}
{{/*
Creates a Cilium Network Policy egress definition for connecting to S3 compatible storage
*/}}
{{- define "speckle.networkpolicy.egress.blob_storage.cilium" -}}
{{- $port := (default "443" .Values.s3.networkPolicy.port ) -}}
{{- if .Values.s3.networkPolicy.inCluster.enabled -}}
{{- $port := (default "443" .Values.s3.networkPolicy.port ) -}}
{{- if .Values.s3.networkPolicy.inCluster.enabled -}}
{{ include "speckle.networkpolicy.egress.internal.cilium" (dict "endpointSelector" .Values.s3.networkPolicy.inCluster.cilium.endpointSelector "serviceSelector" .Values.s3.networkPolicy.inCluster.cilium.serviceSelector "port" $port) }}
{{- else if .Values.s3.networkPolicy.externalToCluster.enabled -}}
{{- $host := ( include "speckle.networkPolicy.domainFromUrl" .Values.s3.endpoint ) -}}
{{- $ip := "" -}}
{{- $fqdn := "" -}}
{{- if eq (include "speckle.isIPv4" $host) "true" -}}
{{- $ip = $host -}}
{{- else -}}
{{- $fqdn = $host -}}
{{- else if .Values.s3.networkPolicy.externalToCluster.enabled -}}
{{- $host := ( include "speckle.networkPolicy.domainFromUrl" .Values.s3.endpoint ) -}}
{{ include "speckle.networkpolicy.egress.external.cilium" (dict "ip" $host "port" $port) }}
{{- end -}}
{{ include "speckle.networkpolicy.egress.external.cilium" (dict "ip" $ip "fqdn" $fqdn "port" $port) }}
{{- end -}}
{{- end }}
{{/*
Extracts the domain name from a url
*/}}
{{- define "speckle.networkPolicy.domainFromUrl" -}}
{{- $host := ( urlParse . ).host -}}
{{- if (contains ":" $host) -}}
{{- $host = first (mustRegexSplit ":" $host) -}}
{{- end -}}
{{ printf "%s" $host }}
{{- end }}
{{/*
Creates a DNS match pattern for Cilium Network Policies.
Creates a DNS match pattern for discovering the postgres IP
Usage:
{{ include "speckle.networkpolicy.dns.cilium" (list .Values.db.networkPolicy.externalToCluster .Values.redis.networkPolicy.externalToCluster) }}
{{ include "speckle.networkpolicy.dns.postgres.cilium" $ }}
Params:
- domain names - List of dictionaries containing `ipv4` and `host` string values - Required - If IP exists, domain is not added. Otherwise host is used to match domain excactly or match a pattern (domain with a glob).
- context - Required, global context should be provided.
*/}}
{{- define "speckle.networkpolicy.dns.cilium" -}}
{{- $catchAll := false -}}
{{- range . -}}
{{- if ( and .enabled ( not .ipv4 ) ) }}
{{- if .host -}}
{{ include "speckle.networkpolicy.matchNameOrPattern" .host }}
{{- else }}
# only add catch all match pattern if there is no ipv4 or host, and only add it one time.
{{- if not $catchAll }}
- matchPattern: "*"
{{- $catchAll = true }}
{{- end }}
{{- end }}
{{- define "speckle.networkpolicy.dns.postgres.cilium" -}}
{{- $secret := ( include "speckle.getSecret" (dict "secret_key" "postgres_url" "context" . ) ) -}}
{{- $domain := ( include "speckle.networkPolicy.domainFromUrl" $secret ) -}}
{{- if (and .Values.db.networkPolicy.externalToCluster.enabled ( ne ( include "speckle.isIPv4" $domain ) "true" ) ) -}}
{{ include "speckle.networkpolicy.matchNameOrPattern" $domain }}
{{- end }}
{{- end }}
{{/*
Creates a DNS match pattern for discovering redis store IP
Usage:
{{ include "speckle.networkpolicy.dns.redis.cilium" $ }}
Params:
- context - Required, global context should be provided.
*/}}
{{- define "speckle.networkpolicy.dns.redis.cilium" -}}
{{- $secret := ( include "speckle.getSecret" (dict "secret_key" "redis_url" "context" . ) ) -}}
{{- $domain := ( include "speckle.networkPolicy.domainFromUrl" $secret ) -}}
{{- if (and .Values.redis.networkPolicy.externalToCluster.enabled ( ne ( include "speckle.isIPv4" $domain ) "true" ) ) -}}
{{ include "speckle.networkpolicy.matchNameOrPattern" $domain }}
{{- end }}
{{- end }}
{{/*
@ -237,7 +235,7 @@ Usage:
{{ include "speckle.networkpolicy.egress.external" (dict "ip" "" "port" "6379") }}
Params:
- ip - String - Optional - If the IP is not known, then egress is allowed to 0.0.0.0/0.
- ip - String - Optional - IP or Domain of the endpoint to allow egress to. Can provide either ip, fqdn or neither. If neither fqdn or ip is provided then egress is allowed to 0.0.0.0/0 (i.e. everywhere!)
- port - String - Required
Limitations:
@ -251,7 +249,7 @@ Limitations:
{{- end -}}
- to:
- ipBlock:
{{- if .ip }}
{{- if ( eq ( include "speckle.isIPv4" .ip ) "true" ) }}
cidr: {{ printf "%s/32" .ip }}
{{- else }}
# Kubernetes network policy does not support fqdn, so we have to allow egress anywhere
@ -268,11 +266,10 @@ Limitations:
Creates a Cilium network policy egress definition for connecting to an external Layer 3/Layer 4 endpoint i.e. ip:port
Usage:
{{ include "speckle.networkpolicy.egress.external.cilium" (dict "ip" "" "fqdn" "myredis.example.org" "port" "6379") }}
{{ include "speckle.networkpolicy.egress.external.cilium" (dict "ip" "" "port" "6379") }}
Params:
- ip - String - Optional - IP of the endpoint to allow egress to. Can provide either ip, fqdn or neither. If both IP or FQDN are provided, IP takes precedence. If neither fqdn or ip is provided then egress is allowed to 0.0.0.0/0 (i.e. everywhere!)
- fpdn - String - Optional - Domain name of the endpoint to allow egress to. Can include a pattern matching glob '*'. Can provide either ip, fqdn, or neither. If both IP or FQDN are provided, IP takes precedence. If neigher, then egress is allowed to 0.0.0.0/0 (i.e. everywhere!)
- ip - String - Optional - IP or Domain of the endpoint to allow egress to. Can provide either ip, fqdn or neither. If neither fqdn or ip is provided then egress is allowed to 0.0.0.0/0 (i.e. everywhere!)
- port - String - Required
Limitations:
@ -282,12 +279,12 @@ Limitations:
{{- if not .port -}}
{{- printf "\nNETWORKPOLICY ERROR: The port was not provided \"%s\"\n" .port | fail -}}
{{- end -}}
{{- if .ip }}
{{- if ( eq ( include "speckle.isIPv4" .ip ) "true" ) }}
- toCIDR:
- {{ printf "%s/32" .ip }}
{{- else if .fqdn }}
{{- else if .ip }}
- toFQDNs:
{{ include "speckle.networkpolicy.matchNameOrPattern" .fqdn | indent 4 }}
{{ include "speckle.networkpolicy.matchNameOrPattern" .ip | indent 4 }}
{{- else }}
- toCIDRSet:
# Kubernetes network policy does not support fqdn, so we have to allow egress anywhere
@ -299,10 +296,13 @@ Limitations:
toPorts:
- ports:
- port: {{ printf "%s" .port | quote }}
protcol: TCP
protocol: TCP
{{- end }}
{{- define "speckle.networkpolicy.matchNameOrPattern" -}}
{{- if not . -}}
{{- printf "\nNETWORKPOLICY ERROR: The name or glob pattern was not provided \"%s\"\n" . | fail -}}
{{- end -}}
{{- if ( contains "*" . ) }}
- matchPattern: {{ printf "%s" . }}
{{- else }}
@ -374,7 +374,7 @@ Params:
toPorts:
- ports:
- port: {{ printf "%s" .port | quote }}
protcol: TCP
protocol: TCP
{{- end }}
{{- end }}
@ -394,6 +394,32 @@ Params:
{{- end -}}
{{- end -}}
{{/*
Extracts the domain name from a url
*/}}
{{- define "speckle.networkPolicy.domainFromUrl" -}}
{{- if not . -}}
{{- printf "\nERROR: The url was not provided as the context \"%s\"\n" . | fail -}}
{{- end -}}
{{- $host := ( urlParse . ).host -}}
{{- if (contains ":" $host) -}}
{{- $host = first (mustRegexSplit ":" $host -1) -}}
{{- end -}}
{{ printf "%s" $host }}
{{- end }}
{{/*
Extracts the port from a url
*/}}
{{- define "speckle.networkPolicy.portFromUrl" -}}
{{- if not . -}}
{{- printf "\nERROR: The url was not provided as the context \"%s\"\n" . | fail -}}
{{- end -}}
{{- $host := ( urlParse . ).host -}}
{{- if (contains ":" $host) -}}
{{ printf "%s" ( index (mustRegexSplit ":" $host -1) 1 ) }}
{{- end -}}
{{- end }}
{{/*
Renders a value that contains template.
Usage:
@ -428,3 +454,20 @@ Ingress pod selector
{{- define "speckle.ingress.selector.pod" -}}
app.kubernetes.io/name: {{ .Values.ingress.controllerName }}
{{- end }}
{{/*
Retrieves an existing secret
Usage:
{{ include "speckle.getSecret" (dict "secret_key" "postgres_url" "context" $ )}}
Params:
- secret_key - Required, the key within the secret.
- context - Required, must be global context. Values of global context must include 'namespace' and 'secretName' keys.
*/}}
{{- define "speckle.getSecret" -}}
{{- $secretResource := (lookup "v1" "Secret" .context.Values.namespace .context.Values.secretName ) -}}
{{- $secret := ( index $secretResource.data .secret_key ) -}}
{{- $secretDecoded := (b64dec $secret) -}}
{{- printf "%s" $secretDecoded }}
{{- end }}
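Review bot: `speckle.getSecret` dereferences the `lookup` result without checking it; `lookup` returns an empty map when the Secret does not exist, when the deploying identity lacks `get` on Secrets, and always under `helm template` / `--dry-run`, so `index $secretResource.data .secret_key` then errors (or yields an empty value) with a message that names neither the Secret nor the key, and a missing key reaches `b64dec` as nil. Failing explicitly with the namespace, Secret name and key makes both cases diagnosable, and the decoded value must stay out of any message because these keys hold connection strings with credentials. Since this helper now sits behind every external-to-cluster egress rule, rendering with `helm template` (e.g. in CI) will fail for that path, which deserves a line in the chart README. The same guard covers every caller in this file (the redis/postgres egress and dns helpers).
```yaml
{{- define "speckle.getSecret" -}}
{{- $secretResource := (lookup "v1" "Secret" .context.Values.namespace .context.Values.secretName ) -}}
{{- if not $secretResource -}}
{{- printf "\nERROR: Secret \"%s/%s\" was not found or is not readable by the deploying identity (lookup is also empty under helm template / --dry-run)\n" .context.Values.namespace .context.Values.secretName | fail -}}
{{- end -}}
{{- $data := ( default dict $secretResource.data ) -}}
{{- if not ( hasKey $data .secret_key ) -}}
{{- printf "\nERROR: key \"%s\" was not found in Secret \"%s/%s\"\n" .secret_key .context.Values.namespace .context.Values.secretName | fail -}}
{{- end -}}
{{- printf "%s" ( b64dec ( index $data .secret_key ) ) }}
{{- end }}
```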


@ -10,6 +10,7 @@ spec:
endpointSelector:
matchLabels:
{{ include "fileimport_service.selectorLabels" . | indent 6 }}
{{- if .Values.enable_prometheus_monitoring }}
ingress:
- fromEndpoints:
- matchLabels:
@ -18,6 +19,11 @@ spec:
- ports:
- port: "metrics"
protocol: TCP
{{- else }}
ingressDeny:
- fromEntities:
- "all"
{{- end }}
egress:
- toEndpoints:
- matchLabels:
@ -30,7 +36,7 @@ spec:
rules:
dns:
- matchName: {{ include "server.service.fqdn" $ }}
{{ include "speckle.networkpolicy.dns.cilium" (list .Values.db.networkPolicy.externalToCluster) | indent 14 }}
{{ include "speckle.networkpolicy.dns.postgres.cilium" $ | indent 14 }}
# allow egress to speckle-server
- toServices:
- k8sServiceSelector:
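Review bot: The new `{{- else }}` branch that emits `ingressDeny: - fromEntities: - "all"` carries no comment, while the Kubernetes NetworkPolicy counterparts in this commit annotate the equivalent `ingress: []` branch with `# deny all ingress`; add the same comment above `ingressDeny:` so the two policy flavours read alike. It is also worth confirming against the Cilium version in use that a rule carrying only `ingressDeny` puts the endpoint into ingress enforcement, because the allow branch does so through its `ingress` section and the deny branch relies on `ingressDeny` alone. The monitoring, preview_service and webhook_service Cilium policies in this commit add the identical block and need the same treatment.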


@ -13,6 +13,7 @@ spec:
policyTypes:
- Egress
- Ingress
{{- if .Values.enable_prometheus_monitoring }}
ingress:
- from:
- namespaceSelector:
@ -23,6 +24,10 @@ spec:
{{ include "speckle.prometheus.selectorLabels.release" $ | indent 14 }}
ports:
- port: metrics
{{- else }}
# deny all ingress
ingress: []
{{- end }}
egress:
# allow access to DNS
- to:


@ -10,6 +10,7 @@ spec:
endpointSelector:
matchLabels:
{{ include "monitoring.selectorLabels" . | indent 6 }}
{{- if .Values.enable_prometheus_monitoring }}
ingress:
- fromEndpoints:
- matchLabels:
@ -18,6 +19,11 @@ spec:
- ports:
- port: "metrics"
protocol: TCP
{{- else }}
ingressDeny:
- fromEntities:
- "all"
{{- end }}
egress:
- toEndpoints:
- matchLabels:
@ -29,7 +35,7 @@ spec:
protocol: UDP
rules:
dns:
{{ include "speckle.networkpolicy.dns.cilium" (list .Values.db.networkPolicy.externalToCluster) | indent 14 }}
{{ include "speckle.networkpolicy.dns.postgres.cilium" $ | indent 14 }}
# postgres
{{ include "speckle.networkpolicy.egress.postgres.cilium" $ | indent 4 }}
{{- end }}


@ -13,6 +13,7 @@ spec:
policyTypes:
- Egress
- Ingress
{{- if .Values.enable_prometheus_monitoring }}
ingress:
- from:
- namespaceSelector:
@ -23,6 +24,10 @@ spec:
{{ include "speckle.prometheus.selectorLabels.release" $ | indent 14 }}
ports:
- port: metrics
{{- else }}
# deny all ingress
ingress: []
{{- end }}
egress:
# allow access to DNS
- to:


@ -10,6 +10,7 @@ spec:
endpointSelector:
matchLabels:
{{ include "preview_service.selectorLabels" . | indent 6 }}
{{- if .Values.enable_prometheus_monitoring }}
ingress:
- fromEndpoints:
- matchLabels:
@ -18,6 +19,11 @@ spec:
- ports:
- port: "metrics"
protocol: TCP
{{- else }}
ingressDeny:
- fromEntities:
- "all"
{{- end }}
egress:
- toEndpoints:
- matchLabels:
@ -29,7 +35,7 @@ spec:
protocol: UDP
rules:
dns:
{{ include "speckle.networkpolicy.dns.cilium" (list .Values.db.networkPolicy.externalToCluster) | indent 14 }}
{{ include "speckle.networkpolicy.dns.postgres.cilium" $ | indent 14 }}
# postgres
{{ include "speckle.networkpolicy.egress.postgres.cilium" $ | indent 4 }}
{{- end }}


@ -13,6 +13,7 @@ spec:
policyTypes:
- Egress
- Ingress
{{- if .Values.enable_prometheus_monitoring }}
ingress:
- from:
- namespaceSelector:
@ -23,6 +24,10 @@ spec:
{{ include "speckle.prometheus.selectorLabels.release" $ | indent 14 }}
ports:
- port: metrics
{{- else }}
# deny all ingress
ingress: []
{{- end }}
egress:
# allow access to DNS
- to:


@ -19,6 +19,7 @@ spec:
- ports:
- port: http
protocol: TCP
{{- if .Values.enable_prometheus_monitoring }}
- fromEndpoints:
- matchLabels:
{{ include "speckle.prometheus.selectorLabels" $ | indent 12 }}
@ -26,6 +27,7 @@ spec:
- ports:
- port: http
protocol: TCP
{{- end }}
# ingress from file import service
- fromEndpoints:
- matchLabels:
@ -46,12 +48,13 @@ spec:
rules:
dns:
# TODO: remove egress to domain once https://github.com/specklesystems/speckle-server/issues/959 is fixed
- matchPattern: {{ .Values.domain }}
- matchName: {{ .Values.domain }}
{{- if .Values.server.sentry_dns }}
# DNS lookup for sentry
- matchPattern: "*.ingest.sentry.io"
{{- end }}
{{ include "speckle.networkpolicy.dns.cilium" (list .Values.db.networkPolicy.externalToCluster .Values.redis.networkPolicy.externalToCluster ) | indent 14 }}
{{ include "speckle.networkpolicy.dns.postgres.cilium" $ | indent 14 }}
{{ include "speckle.networkpolicy.dns.redis.cilium" $ | indent 14 }}
{{ include "speckle.networkpolicy.dns.blob_storage.cilium" $ | indent 14 }}
{{- if .Values.server.sentry_dns }}
# egress to sentry
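Review bot: `- matchName: {{ .Values.domain }}` renders the value unquoted, so an unset `domain` produces `matchName:` (null) and a value containing YAML specials is mis-parsed, whereas the neighbouring sentry rule quotes its pattern; `- matchName: {{ .Values.domain | quote }}` (or `required "domain is required" .Values.domain`) makes a missing domain fail at render time instead of yielding an invalid DNS rule. Separately, `speckle.networkpolicy.dns.blob_storage.cilium` is included here but is not defined in the _helpers.tpl hunks of this commit; if it does not already exist elsewhere in the chart, rendering fails. The enclosing egress rule continues outside the hunk.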


@ -48,6 +48,7 @@ spec:
app.kubernetes.io/name: {{ .Values.ingress.controllerName }}
ports:
- port: http
{{- if .Values.enable_prometheus_monitoring }}
# allow ingress from servicemonitor/prometheus
- from:
- namespaceSelector:
@ -58,6 +59,7 @@ spec:
{{ include "speckle.prometheus.selectorLabels.release" $ | indent 14 }}
ports:
- port: http
{{- end }}
# allow ingress from the fileimport service
- from:
- podSelector:


@ -11,8 +11,8 @@ spec:
matchLabels:
{{ include "test.selectorLabels" . | indent 6 }}
ingressDeny:
- fromEntities:
- "all"
- fromEntities:
- "all"
egress:
- toEndpoints:
- matchLabels:


@ -10,6 +10,7 @@ spec:
endpointSelector:
matchLabels:
{{ include "webhook_service.selectorLabels" . | indent 6 }}
{{- if .Values.enable_prometheus_monitoring }}
ingress:
- fromEndpoints:
- matchLabels:
@ -18,6 +19,11 @@ spec:
- ports:
- port: "metrics"
protocol: TCP
{{- else }}
ingressDeny:
- fromEntities:
- "all"
{{- end }}
egress:
- toEndpoints:
- matchLabels:
@ -31,7 +37,7 @@ spec:
dns:
# allow dns discoverability for all entities
- matchPattern: "*"
{{ include "speckle.networkpolicy.dns.cilium" (list .Values.db.networkPolicy.externalToCluster) | indent 14 }}
{{ include "speckle.networkpolicy.dns.postgres.cilium" $ | indent 14 }}
# postgres
{{ include "speckle.networkpolicy.egress.postgres.cilium" $ | indent 4 }}
# allow access to all entities outside of the cluster


@ -13,6 +13,7 @@ spec:
policyTypes:
- Egress
- Ingress
{{- if .Values.enable_prometheus_monitoring }}
ingress:
- from:
- namespaceSelector:
@ -23,6 +24,10 @@ spec:
{{ include "speckle.prometheus.selectorLabels.release" $ | indent 14 }}
ports:
- port: metrics
{{- else }}
# deny all ingress
ingress: []
{{- end }}
egress:
# webhook can call anything external, but is blocked from egress elsewhere within the cluster
- to:


@ -118,11 +118,6 @@
"networkPolicy": {
"type": "object",
"properties": {
"port": {
"type": "string",
"description": "the port on the server providing the Postgres database (default: \"5432\")",
"default": ""
},
"externalToCluster": {
"type": "object",
"properties": {
@ -130,16 +125,6 @@
"type": "boolean",
"description": "If enabled, indicates that the Postgres database is hosted externally to the Kubernetes cluster",
"default": true
},
"host": {
"type": "string",
"description": "The domain name at which the Postgres database is hosted.",
"default": ""
},
"ipv4": {
"type": "string",
"description": "The IP address at which the Postgres database is hosted",
"default": ""
}
}
},
@ -151,6 +136,11 @@
"description": "If enabled, indicates that the Postgres database is hosted withing the same Kubernetes cluster in which Speckle will be deployed",
"default": false
},
"port": {
"type": "string",
"description": "the port on the server providing the Postgres database (default: \"5432\")",
"default": ""
},
"kubernetes": {
"type": "object",
"properties": {
@ -230,16 +220,6 @@
"type": "boolean",
"description": "If enabled, indicates that the s3 compatible storage is hosted externally to the Kubernetes cluster",
"default": true
},
"host": {
"type": "string",
"description": "The domain name at which the s3 compatible storage is hosted.",
"default": ""
},
"ipv4": {
"type": "string",
"description": "The IP address at which the s3 compatible storage is hosted",
"default": ""
}
}
},
@ -293,11 +273,6 @@
"networkPolicy": {
"type": "object",
"properties": {
"port": {
"type": "string",
"description": "the port on the server providing the Redis store (default: \"6379\")",
"default": ""
},
"externalToCluster": {
"type": "object",
"properties": {
@ -305,16 +280,6 @@
"type": "boolean",
"description": "If enabled, indicates that the Redis store is hosted externally to the Kubernetes cluster",
"default": true
},
"host": {
"type": "string",
"description": "The domain name at which the Redis store is hosted.",
"default": ""
},
"ipv4": {
"type": "string",
"description": "The IP address at which the Redis store is hosted",
"default": ""
}
}
},
@ -326,6 +291,11 @@
"description": "If enabled, indicates that the Redis store is hosted withing the same Kubernetes cluster in which Speckle will be deployed",
"default": false
},
"port": {
"type": "string",
"description": "the port on the server providing the Redis store (default: \"6379\")",
"default": ""
},
"kubernetes": {
"type": "object",
"properties": {
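Review bot: Dropping `port`, `host` and `ipv4` from the schema only warns operators if the enclosing objects reject unknown keys; unless the `networkPolicy` and `externalToCluster` objects set `"additionalProperties": false` (not visible in these hunks), a values file that still carries `db.networkPolicy.port` or `externalToCluster.ipv4` validates silently and the user will not notice that the endpoint is now taken from the Secret. Adding that constraint, or at least a release note naming the removed keys, makes the change visible at upgrade time. The redis and s3 objects changed in this file have the same issue.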


@ -132,9 +132,6 @@ db:
## @extra db.networkPolicy If networkPolicy is enabled for any service, this provides the NetworkPolicy with the necessary details to allow egress connections to the Postgres database
##
networkPolicy:
## @param db.networkPolicy.port the port on the server providing the Postgres database (default: "5432")
##
port: ''
## @extra db.networkPolicy.externalToCluster Only required if the Postgres database is not hosted within the Kubernetes cluster in which Speckle will be deployed.
##
externalToCluster:
@ -142,16 +139,6 @@ db:
## Only one of externalToCluster or inCluster should be enabled. If both are enabled then inCluster takes precedence and is the only one deployed
##
enabled: true
## @param db.networkPolicy.externalToCluster.host The domain name at which the Postgres database is hosted.
## This should match the value provided within the connection string.
## Provide the IP address if available (use the `ipv4` parameter), as the IP address takes precedence.
##
host: ''
## @param db.networkPolicy.externalToCluster.ipv4 The IP address at which the Postgres database is hosted
## This should be an IP address not within the Kubernetes Cluster Pod or Service IP ranges.
## If both host and ipv4 parameters are provided, ipv4 takes precedence and host is ignored.
##
ipv4: ''
## @extra db.networkPolicy.inCluster Only required if the Postgres database is hosted within the Kubernetes cluster in which Speckle will be deployed.
##
inCluster:
@ -159,6 +146,9 @@ db:
## Only one of externalToCluster or inCluster should be enabled. If both are enabled then inCluster takes precedence and is the only set of egress network policy rules deployed.
##
enabled: false
## @param db.networkPolicy.inCluster.port the port on the server providing the Postgres database (default: "5432")
##
port: ''
kubernetes:
## @param db.networkPolicy.inCluster.kubernetes.podSelector (Kubernetes Network Policy only) The pod Selector yaml object used to uniquely select the postgres compatible database pods within the cluster and given namespace
## For Kubernetes Network Policies this is a podSelector object.
@ -228,16 +218,6 @@ s3:
## Only one of externalToCluster or inCluster should be enabled. If both are enabled then inCluster takes precedence and is the only one deployed
##
enabled: true
## @param s3.networkPolicy.externalToCluster.host The domain name at which the s3 compatible storage is hosted.
## This should match the value provided within the connection string.
## Provide the IP address if available (use the `ipv4` parameter), as the IP address takes precedence.
##
host: ''
## @param s3.networkPolicy.externalToCluster.ipv4 The IP address at which the s3 compatible storage is hosted
## This should be an IP address not within the Kubernetes Cluster Pod or Service IP ranges.
## If both host and ipv4 parameters are provided, ipv4 takes precedence and host is ignored.
##
ipv4: ''
## @extra s3.networkPolicy.inCluster Only required if the s3 compatible storage is hosted within the Kubernetes cluster in which Speckle will be deployed.
##
inCluster:
@ -284,9 +264,6 @@ redis:
## @extra redis.networkPolicy If networkPolicy is enabled for Speckle server, this provides the NetworkPolicy with the necessary details to allow egress connections to the Redis store
##
networkPolicy:
## @param redis.networkPolicy.port the port on the server providing the Redis store (default: "6379")
##
port: ''
## @extra redis.networkPolicy.externalToCluster Only required if the Redis store is not hosted within the Kubernetes cluster in which Speckle will be deployed.
##
externalToCluster:
@ -294,16 +271,6 @@ redis:
## Only one of externalToCluster or inCluster should be enabled. If both are enabled then inCluster takes precedence and is the only one deployed
##
enabled: true
## @param redis.networkPolicy.externalToCluster.host The domain name at which the Redis store is hosted.
## This should match the value provided within the connection string.
## Provide the IP address if available (use the `ipv4` parameter), as the IP address takes precedence.
##
host: ''
## @param redis.networkPolicy.externalToCluster.ipv4 The IP address at which the Redis store is hosted
## This should be an IP address not within the Kubernetes Cluster Pod or Service IP ranges.
## If both host and ipv4 parameters are provided, ipv4 takes precedence and host is ignored.
##
ipv4: ''
## @extra redis.networkPolicy.inCluster is only required if the Redis store is hosted within the Kubernetes cluster in which Speckle will be deployed.
##
inCluster:
@ -311,6 +278,9 @@ redis:
## Only one of externalToCluster or inCluster should be enabled. If both are enabled then inCluster takes precedence and is the only set of egress network policy rules deployed.
##
enabled: false
## @param redis.networkPolicy.inCluster.port the port on the server providing the Redis store (default: "6379")
##
port: ''
kubernetes:
## @param redis.networkPolicy.inCluster.kubernetes.podSelector (Kubernetes Network Policy only) The pod Selector yaml object used to uniquely select the redis store pods within the cluster and given namespace
## For Kubernetes Network Policies this is a podSelector object.
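Review bot: With `host`, `ipv4` and the top-level `port` removed, the values.yaml comments no longer tell the operator where the external Postgres and Redis endpoints come from; the `@extra db.networkPolicy.externalToCluster` stanza and its redis twin should say so, e.g. `## The host and port of the external endpoint are read from the connection string in the existing Secret (see secretName); the identity running helm needs permission to get that Secret, and helm template / --dry-run cannot resolve it.` The new `inCluster.port` comments state `(default: "5432")` / `(default: "6379")` next to a value of `''`, which works because the template applies the default, but a few words saying that an empty value means the default would avoid the apparent contradiction.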