
Remove squid proxy from backend operator#823

Open
ecolternv wants to merge 2 commits into main from ecolter/remove-squid-proxy

Conversation

@ecolternv
Contributor

@ecolternv ecolternv commented Apr 7, 2026

Description

Remove squid-proxy from backend-operator helm chart

  • Egress firewalls for backend traffic are outside the scope of OSMO
  • Replace with a simple NetworkPolicy to allow blocking in-cluster requests from the workflows namespace

Issue - None

Checklist

  • I am familiar with the Contributing Guidelines.
  • New or existing tests cover these changes.
  • The documentation is up to date with these changes.

Summary by CodeRabbit

  • Refactor
    • Removed the squid proxy-based egress allowlist and its associated Deployment/Service/ConfigMap.
    • Replaced legacy allowlist with a NetworkPolicy-based egress model and renamed the policy.
    • Migrated configuration from the old network block to a new networkPolicy block with enabled toggle, cluster CIDR exclusions, DNS namespace, allowed namespaces, and custom additional egress rules.
    • Users must update Helm values to the new configuration structure.

@ecolternv ecolternv requested a review from a team as a code owner April 7, 2026 14:58
@coderabbitai

coderabbitai bot commented Apr 7, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: dd1e8928-0fbb-4363-a6b6-c0a9db8c1174

📥 Commits

Reviewing files that changed from the base of the PR and between 358d3ab and 9109676.

📒 Files selected for processing (1)
  • deployments/charts/backend-operator/templates/backend-egress-allowlist.yaml
💤 Files with no reviewable changes (1)
  • deployments/charts/backend-operator/templates/backend-egress-allowlist.yaml

📝 Walkthrough

Walkthrough

Removes the squid-proxy-based egress allowlist Helm template and legacy global.network values; adds a new global.networkPolicy values block and updates the NetworkPolicy template to use global.networkPolicy.enabled with new egress rules (clusterCIDRs exclusion, DNS namespace, allowed namespaces, additional egress rules).

Changes

Cohort / File(s) Summary
Egress Allowlist Removal
deployments/charts/backend-operator/templates/backend-egress-allowlist.yaml
Deleted entire Helm template that rendered the squid-proxy Deployment, Service, and ConfigMap; no longer produces squid-based egress allowlist resources.
Network Policy Configuration
deployments/charts/backend-operator/templates/backend-network-policy.yaml
Switched enablement from global.network.restrictEgress to global.networkPolicy.enabled, renamed policy to osmo-workflow-network-policy, and reworked egress rules to support cluster CIDR exclusions, dnsNamespace, dynamic allowedNamespaces, and additionalEgressRules injection.
Values Configuration
deployments/charts/backend-operator/values.yaml
Removed legacy global.network block (including restrictEgress and allowlistEgress/squid settings); added global.networkPolicy block with enabled, clusterCIDRs, dnsNamespace, allowedNamespaces, and additionalEgressRules.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nudged the squid aside with a twitchy paw,
Policies planted where proxies once saw.
CIDRs and DNS in tidy array,
Namespaces hopping where rules hold sway.
A little rabbit cheers the network's new law.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Remove squid proxy from backend operator' directly and accurately describes the main change: deletion of the squid-proxy template and replacement with a NetworkPolicy-based approach.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@codecov

codecov bot commented Apr 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 42.71%. Comparing base (15312c3) to head (9109676).

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #823      +/-   ##
==========================================
- Coverage   42.89%   42.71%   -0.19%     
==========================================
  Files         203      203              
  Lines       26922    26922              
  Branches     7614     7614              
==========================================
- Hits        11548    11499      -49     
- Misses      15262    15316      +54     
+ Partials      112      107       -5     
Flag Coverage Δ
backend 44.95% <ø> (-0.20%) ⬇️

Flags with carried forward coverage won't be shown.
see 27 files with indirect coverage changes



@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
deployments/charts/backend-operator/templates/backend-network-policy.yaml (1)

29-39: Consider IPv6 support for dual-stack clusters.

The external egress rule only covers IPv4 (0.0.0.0/0). In dual-stack Kubernetes clusters, external IPv6 traffic would be blocked by this policy.

If dual-stack support is needed, add the IPv6 equivalent:

♻️ Proposed fix for dual-stack support
   - to:
     - ipBlock:
         cidr: 0.0.0.0/0
         {{- if .Values.global.networkPolicy.clusterCIDRs }}
         except:
         {{- range .Values.global.networkPolicy.clusterCIDRs }}
         - {{ . }}
         {{- end }}
         {{- end }}
+    - ipBlock:
+        cidr: ::/0
+        {{- if .Values.global.networkPolicy.clusterCIDRs }}
+        except:
+        {{- range .Values.global.networkPolicy.clusterCIDRs }}
+        - {{ . }}
+        {{- end }}
+        {{- end }}
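Review bot: the added `::/0` ipBlock takes its `except` list from the same `.Values.global.networkPolicy.clusterCIDRs` that the `0.0.0.0/0` block above it consumes, so every IPv4 cluster range in that list would be rendered as an exception under an IPv6 `cidr`; the API server rejects a NetworkPolicy whose `except` entries do not lie inside their `cidr`, which means the proposed template would fail to apply on precisely the dual-stack clusters it is meant to help. Source the IPv6 exceptions from a separate values key, as the accompanying prompt already suggests with `clusterCIDRsIPv6`, and render the whole `- ipBlock: cidr: ::/0` peer only when that key (or a dedicated IPv6 toggle) is set, so that single-stack IPv4 deployments keep the policy they have today.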
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@deployments/charts/backend-operator/templates/backend-network-policy.yaml`
around lines 29 - 39, The network policy only allows IPv4 egress (ipBlock cidr:
0.0.0.0/0); add IPv6 dual-stack support by adding a second ipBlock with cidr:
::/0 and an accompanying except block sourced from a dedicated values key (e.g.
.Values.global.networkPolicy.clusterCIDRsIPv6) to mirror the existing IPv4
except logic; update the template in backend-network-policy.yaml near the
existing "ipBlock: cidr: 0.0.0.0/0" block to insert the ::/0 ipBlock and
conditionally render its except entries exactly like the IPv4 block so IPv6
cluster-internal CIDRs are excluded when provided.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5f8c1ed1-caa2-4cce-b76d-b17cca6fd68d

📥 Commits

Reviewing files that changed from the base of the PR and between 15312c3 and 358d3ab.

📒 Files selected for processing (3)
  • deployments/charts/backend-operator/templates/backend-egress-allowlist.yaml
  • deployments/charts/backend-operator/templates/backend-network-policy.yaml
  • deployments/charts/backend-operator/values.yaml
💤 Files with no reviewable changes (1)
  • deployments/charts/backend-operator/templates/backend-egress-allowlist.yaml
