
Remove squid proxy from backend operator#823

Merged
ecolternv merged 4 commits into main from ecolter/remove-squid-proxy on Apr 9, 2026

Conversation

@ecolternv
Contributor

@ecolternv ecolternv commented Apr 7, 2026

Description

Remove squid-proxy from backend-operator helm chart

  • Egress firewalls for backend traffic are outside the scope of OSMO
  • Replace with a simple NetworkPolicy to allow blocking in-cluster requests from the workflows namespace

Issue - None

Checklist

  • I am familiar with the Contributing Guidelines.
  • New or existing tests cover these changes.
  • The documentation is up to date with these changes.

Summary by CodeRabbit

  • Refactor
    • Removed the proxy-based egress allowlist and replaced it with a NetworkPolicy-based egress model.
    • Renamed the network policy, changed its enablement/egress semantics, and added cluster CIDR exclusions, DNS namespace, allowed namespaces, and support for arbitrary additional egress rules.
    • Users must migrate Helm values from the old network block to the new networkPolicy structure.
  • Documentation
    • README updated to describe the new NetworkPolicy settings.

@ecolternv ecolternv requested a review from a team as a code owner April 7, 2026 14:58
@coderabbitai

coderabbitai bot commented Apr 7, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2e59b915-1372-42f7-81c9-fd82e564e99f

📥 Commits

Reviewing files that changed from the base of the PR and between f9c8d61 and a11c9db.

📒 Files selected for processing (1)
  • deployments/charts/backend-operator/README.md

📝 Walkthrough

Walkthrough

Removes the squid-proxy-based egress allowlist Helm template and legacy global.network values; introduces global.networkPolicy values and updates the NetworkPolicy template to use global.networkPolicy.enabled with egress rules supporting clusterCIDR exclusions, DNS namespace, allowed namespaces, and raw additional egress rules.

Changes

Cohort / File(s) | Summary

Egress Allowlist Removal
  deployments/charts/backend-operator/templates/backend-egress-allowlist.yaml
  Deleted the Helm template that rendered the squid-proxy Deployment, Service, and ConfigMap; the chart no longer emits squid-based egress allowlist resources.

Network Policy Configuration
  deployments/charts/backend-operator/templates/backend-network-policy.yaml
  Enablement moved from global.network.restrictEgress to global.networkPolicy.enabled, the policy was renamed to osmo-workflow-network-policy, and the egress rules were reworked to: allow internet egress excluding global.networkPolicy.clusterCIDRs, allow backend-namespace egress, allow DNS to global.networkPolicy.dnsNamespace on port 53, include global.networkPolicy.allowedNamespaces, and render global.networkPolicy.additionalEgressRules as YAML.

Values and Docs
  deployments/charts/backend-operator/values.yaml, deployments/charts/backend-operator/README.md
  Removed the legacy global.network block (including restrictEgress and allowlistEgress/squid settings); added a global.networkPolicy block with enabled, clusterCIDRs, dnsNamespace, allowedNamespaces, and additionalEgressRules; README updated to document the NetworkPolicy-based configuration.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I nudged the squid aside with a twitchy paw,
Rules now hop where proxies once saw.
CIDRs, DNS, and namespaces align,
I stitch small gates in orderly design.
A rabbit cheers for networks made fine.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly and clearly describes the main change: removing the squid proxy from the backend operator Helm chart, which aligns with the primary objective of the PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@codecov

codecov bot commented Apr 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 42.83%. Comparing base (15312c3) to head (a11c9db).
⚠️ Report is 12 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #823      +/-   ##
==========================================
- Coverage   42.89%   42.83%   -0.07%     
==========================================
  Files         203      203              
  Lines       26922    27121     +199     
  Branches     7614     7759     +145     
==========================================
+ Hits        11548    11616      +68     
- Misses      15262    15397     +135     
+ Partials      112      108       -4     
Flag Coverage Δ
backend 44.90% <ø> (-0.26%) ⬇️
ui 21.08% <ø> (+1.77%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 48 files with indirect coverage changes



@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
deployments/charts/backend-operator/templates/backend-network-policy.yaml (1)

29-39: Consider IPv6 support for dual-stack clusters.

The external egress rule only covers IPv4 (0.0.0.0/0). In dual-stack Kubernetes clusters, external IPv6 traffic would be blocked by this policy.

If dual-stack support is needed, add the IPv6 equivalent:

♻️ Proposed fix for dual-stack support
   - to:
     - ipBlock:
         cidr: 0.0.0.0/0
         {{- if .Values.global.networkPolicy.clusterCIDRs }}
         except:
         {{- range .Values.global.networkPolicy.clusterCIDRs }}
         - {{ . }}
         {{- end }}
         {{- end }}
+    - ipBlock:
+        cidr: ::/0
+        {{- if .Values.global.networkPolicy.clusterCIDRs }}
+        except:
+        {{- range .Values.global.networkPolicy.clusterCIDRs }}
+        - {{ . }}
+        {{- end }}
+        {{- end }}
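Review bot: the added `::/0` ipBlock renders its `except` list from the same `.Values.global.networkPolicy.clusterCIDRs` key the `0.0.0.0/0` block uses, so any IPv4 range configured there lands under an IPv6 cidr; the API server validates each `except` entry as a strict subset of its `cidr`, which an IPv4 range under `::/0` can never satisfy, and the whole policy is rejected at apply time instead of carving out the internal ranges. Drive the IPv6 block from a separate values key, as the prompt text below already proposes with `.Values.global.networkPolicy.clusterCIDRsIPv6`, and keep the `{{- if }}` guard on that key so the block renders without an empty `except:` when it is unset.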
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@deployments/charts/backend-operator/templates/backend-network-policy.yaml`
around lines 29 - 39, The network policy only allows IPv4 egress (ipBlock cidr:
0.0.0.0/0); add IPv6 dual-stack support by adding a second ipBlock with cidr:
::/0 and an accompanying except block sourced from a dedicated values key (e.g.
.Values.global.networkPolicy.clusterCIDRsIPv6) to mirror the existing IPv4
except logic; update the template in backend-network-policy.yaml near the
existing "ipBlock: cidr: 0.0.0.0/0" block to insert the ::/0 ipBlock and
conditionally render its except entries exactly like the IPv4 block so IPv6
cluster-internal CIDRs are excluded when provided.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5f8c1ed1-caa2-4cce-b76d-b17cca6fd68d

📥 Commits

Reviewing files that changed from the base of the PR and between 15312c3 and 358d3ab.

📒 Files selected for processing (3)
  • deployments/charts/backend-operator/templates/backend-egress-allowlist.yaml
  • deployments/charts/backend-operator/templates/backend-network-policy.yaml
  • deployments/charts/backend-operator/values.yaml
💤 Files with no reviewable changes (1)
  • deployments/charts/backend-operator/templates/backend-egress-allowlist.yaml

cypres
cypres previously approved these changes Apr 9, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deployments/charts/backend-operator/README.md`:
- Line 53: Update the README wording to clarify that the NetworkPolicy’s
blocking of cross-namespace cluster traffic only occurs when cluster internal
CIDRs are configured: explicitly mention that NetworkPolicy (applied to
global.backendNamespace) allows unrestricted external egress but will block
cross-namespace cluster traffic only if global.networkPolicy.clusterCIDRs is set
(default [] means internal cluster egress may still match the 0.0.0.0/0 rule).
Also update the note referenced near the existing NetworkPolicy explanation to
warn readers that with global.networkPolicy.clusterCIDRs: [] the policy will not
exclude cluster-internal ranges and thus will not enforce cross-namespace
blocking.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b871e731-f2a4-4683-964e-4b5c7f12cef4

📥 Commits

Reviewing files that changed from the base of the PR and between 9109676 and f9c8d61.

📒 Files selected for processing (1)
  • deployments/charts/backend-operator/README.md
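The two review points in this thread, that `clusterCIDRs: []` leaves cluster-internal destinations matching the `0.0.0.0/0` rule, and that an `except` list must belong to the same address family as its `cidr` (the dual-stack suggestion), are easiest to see by evaluating the rendered egress rules against sample destinations. The following is an added Python model written for this page; it is not the chart's code and not any commenter's. The values keys `enabled`, `clusterCIDRs`, `dnsNamespace`, `allowedNamespaces` and `backendNamespace` are the ones the PR names; `clusterCIDRsIPv6` is the key the review prompt proposes and is an assumption here, as are all IP addresses and namespace names, which are constructed.

```python
"""Model of the osmo-workflow-network-policy egress rules as this PR describes them.
Added example, not the chart's own template logic. additionalEgressRules is not modelled."""
import ipaddress

# Constructed values fragments. The "weak" one keeps the chart default of an empty
# clusterCIDRs list; the hardened one lists (constructed) pod/service ranges so that
# they are carved out of the 0.0.0.0/0 rule by `except`.
WEAK_VALUES = {
    "backendNamespace": "osmo-backend",
    "networkPolicy": {
        "enabled": True,
        "clusterCIDRs": [],
        "dnsNamespace": "kube-system",
        "allowedNamespaces": [],
    },
}
HARDENED_VALUES = {
    "backendNamespace": "osmo-backend",
    "networkPolicy": {
        "enabled": True,
        "clusterCIDRs": ["10.0.0.0/8", "172.16.0.0/12"],  # constructed cluster ranges
        "dnsNamespace": "kube-system",
        "allowedNamespaces": ["monitoring"],
    },
}


def validate_ip_block(cidr, excepts):
    """Mirror the API server's IPBlock check: every `except` entry must be a strict
    subset of `cidr`, which also rejects mixing IPv4 ranges into an IPv6 block."""
    net = ipaddress.ip_network(cidr)
    for entry in excepts:
        sub = ipaddress.ip_network(entry)
        if sub.version != net.version or sub == net or not sub.subnet_of(net):
            raise ValueError(f"except {entry} is not a strict subset of cidr {cidr}")


def build_ip_blocks(policy):
    """Return the (cidr, except-list) pairs the 'internet' rule would render,
    validated the way an apply would validate them."""
    blocks = [("0.0.0.0/0", list(policy["clusterCIDRs"]))]
    if "clusterCIDRsIPv6" in policy:  # assumed key for a dual-stack variant
        blocks.append(("::/0", list(policy["clusterCIDRsIPv6"])))
    for cidr, excepts in blocks:
        validate_ip_block(cidr, excepts)
    return blocks


def matches_ip_block(dest_ip, blocks):
    """True when dest_ip falls inside some block's cidr and outside its excepts."""
    ip = ipaddress.ip_address(dest_ip)
    for cidr, excepts in blocks:
        net = ipaddress.ip_network(cidr)
        if ip.version != net.version or ip not in net:
            continue
        if any(ip in ipaddress.ip_network(e) for e in excepts):
            continue  # carved out by `except`
        return True
    return False


def egress_allowed(values, dest_ip, dest_namespace=None, port=None):
    """NetworkPolicy egress rules are OR'ed: the first matching peer admits the flow.
    Rule order follows the PR walkthrough."""
    policy = values["networkPolicy"]
    if not policy["enabled"]:
        return True  # no policy rendered, nothing is restricted
    # 1. internet egress: 0.0.0.0/0 minus clusterCIDRs
    if matches_ip_block(dest_ip, build_ip_blocks(policy)):
        return True
    if dest_namespace is None:
        return False  # not a pod, so no namespaceSelector can match it
    # 2. backend namespace, any port
    if dest_namespace == values["backendNamespace"]:
        return True
    # 3. DNS namespace, port 53 only
    if dest_namespace == policy["dnsNamespace"] and port == 53:
        return True
    # 4. explicitly allowed namespaces
    return dest_namespace in policy["allowedNamespaces"]


if __name__ == "__main__":
    other_ns_pod = "10.244.3.7"  # constructed pod IP in namespace "other-team"
    for label, values in (("clusterCIDRs: []", WEAK_VALUES), ("clusterCIDRs set", HARDENED_VALUES)):
        print(f"{label}: pod in other-team reachable ->",
              egress_allowed(values, other_ns_pod, "other-team"))
```

Running it shows the point of the README fix: with the default empty list a workflow pod reaches a pod in an unrelated namespace through the `0.0.0.0/0` rule, and only once the cluster ranges are listed does the cross-namespace block take effect. Passing an IPv4 range under the assumed `clusterCIDRsIPv6` key raises at build time, which is the failure the dual-stack hunk would have hit by reusing `clusterCIDRs`.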

@github-actions

github-actions bot commented Apr 9, 2026

📖 Docs preview: https://d3in15bfzp49i0.cloudfront.net/823/index.html

@ecolternv ecolternv merged commit 3904aae into main Apr 9, 2026
16 checks passed
@ecolternv ecolternv deleted the ecolter/remove-squid-proxy branch April 9, 2026 20:23

3 participants