From f2d37aa467826713aae7fa23c203f0624fa4957b Mon Sep 17 00:00:00 2001
From: treydock
Date: Wed, 15 Dec 2021 08:43:05 -0500
Subject: [PATCH] Ensure Helm chart networkpolicy is valid by default (#2827)
Signed-off-by: Trey Dockendorf
Co-authored-by: shuting
Signed-off-by: ShutingZhao
---
charts/kyverno/ci/test-networkpolicy.yaml | 3 +++
charts/kyverno/templates/networkpolicy.yaml | 30 +++++++++++++++------
charts/kyverno/values.yaml | 4 +--
3 files changed, 27 insertions(+), 10 deletions(-)
create mode 100644 charts/kyverno/ci/test-networkpolicy.yaml
diff --git a/charts/kyverno/ci/test-networkpolicy.yaml b/charts/kyverno/ci/test-networkpolicy.yaml
new file mode 100644
index 0000000000..dccffd6e58
--- /dev/null
+++ b/charts/kyverno/ci/test-networkpolicy.yaml
@@ -0,0 +1,3 @@
+---
+networkPolicy:
+ enabled: true
diff --git a/charts/kyverno/templates/networkpolicy.yaml b/charts/kyverno/templates/networkpolicy.yaml
index 6c79e02ac5..edfbf20086 100644
--- a/charts/kyverno/templates/networkpolicy.yaml
+++ b/charts/kyverno/templates/networkpolicy.yaml
@@ -12,30 +12,44 @@ spec: app: kyverno policyTypes: - Ingress + {{- if or .Values.networkPolicy.namespaceExpressions .Values.networkPolicy.namespaceLabels .Values.networkPolicy.podExpressions .Values.networkPolicy.podLabels }} ingress: - from: - {{- with .Values.networkPolicy }} + {{- if or .Values.networkPolicy.namespaceExpressions .Values.networkPolicy.namespaceLabels }} - namespaceSelector: + {{- with .Values.networkPolicy.namespaceExpressions }} matchExpressions: - {{- toYaml .namespaceExpressions | nindent 10 }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.networkPolicy.namespaceLabels }} matchLabels: - {{- range $key, $value := .namespaceLabels }} + {{- range $key, $value := . }} {{ $key | quote }}: {{ $value | quote }} {{- end }} + {{- end }} + {{- end }} + {{- if or .Values.networkPolicy.podExpressions .Values.networkPolicy.podLabels }} podSelector: + {{- with .Values.networkPolicy.podExpressions }} matchExpressions: - {{- toYaml .podExpressions | nindent 10 }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.networkPolicy.podLabels }} matchLabels: - {{- range $key, $value := .podLabels }} + {{- range $key, $value := . }} {{ $key | quote }}: {{ $value | quote }} {{- end }} - {{- end }} + {{- end }} + {{- end }} ports: - protocol: TCP port: 9443 # webhook access # Allow prometheus scrapes for metrics {{- if .Values.metricsService.create }} - - ports: - - port: {{ .Values.metricsService.port }} + - protocol: TCP + port: {{ .Values.metricsService.port }} + {{- end }} + {{- else }} + ingress: {} {{- end }} {{- end }} diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index dad994f2b4..65359b3796 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -247,7 +247,7 @@ installCRDs: true # policies in a default-deny setup. networkPolicy: enabled: false - namespaceExpressions: [{}] + namespaceExpressions: [] namespaceLabels: {} - podExpressions: [{}] + podExpressions: [] podLabels: {}
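Review bot: The `- ` that opens the `from` list item is emitted only inside the namespace branch (`- namespaceSelector:`), so when only `podExpressions` or `podLabels` is set, `podSelector:` renders directly under `from:` as a mapping key rather than a list entry, and the peer list is no longer valid. The pod branch should open its own list item whenever the namespace branch is skipped, as sketched below; the indentation there is reconstructed, because the collapsed hunk does not show it. The added CI values file sets only `enabled: true`, so a second values file with a pod-only selector would exercise this path. The manifest starts above the hunk, so the selector on the policy itself is not visible here.

```yaml
    # … unchanged: namespaceSelector branch, which emits the "- " list item …
    {{- if or .Values.networkPolicy.podExpressions .Values.networkPolicy.podLabels }}
    {{- if or .Values.networkPolicy.namespaceExpressions .Values.networkPolicy.namespaceLabels }}
      podSelector:
    {{- else }}
    - podSelector:
    {{- end }}
    # … unchanged: podExpressions / podLabels blocks and the closing end …
```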
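Review bot: With all four selectors empty by default, setting only `networkPolicy.enabled: true` now takes the template's `{{- else }}` branch, which renders `ingress: {}`. `spec.ingress` is a list of rules in the NetworkPolicy API, so `ingress: []` is the matching type; whether the mapping form is accepted presumably depends on how the API server decodes it. Either way, a policy of type `Ingress` with no rules admits no traffic to the `app: kyverno` pods, webhook port 9443 included, and that deserves a comment above `networkPolicy:` such as `# With no selectors set, the rendered policy allows no ingress to Kyverno, including the admission webhook port.`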