validatedpatterns · mlorenzofr · Jun 16, 2026
diff --git a/charts/qtodo/templates/app-deployment.yaml b/charts/qtodo/templates/app-deployment.yaml
@@ -21,6 +21,9 @@ spec:
 {{- if .Values.app.spire.enabled }}
         checksum/app-spiffe-helper-config: {{ include (print $.Template.BasePath "/spiffe-helper-config.yaml") . | sha256sum }}
         checksum/app-spiffe-vault-client-config: {{ include (print $.Template.BasePath "/spiffe-vault-client-config.yaml") . | sha256sum }}
+{{- end }}
+{{- if .Values.app.udn.enabled }}
+        k8s.v1.cni.cncf.io/networks: {{ .Release.Namespace }}/{{ .Values.app.udn.nadName }}
 {{- end }}
       labels:
         app: qtodo

diff --git a/charts/qtodo/templates/postgresql-statefulset.yaml b/charts/qtodo/templates/postgresql-statefulset.yaml
@@ -20,6 +20,10 @@ spec:
   serviceName: qtodo-db
   template:
     metadata:
+{{- if .Values.app.udn.enabled }}
+      annotations:
+        k8s.v1.cni.cncf.io/networks: {{ .Release.Namespace }}/{{ .Values.app.udn.nadName }}
+{{- end }}
       labels:
         app: qtodo-db
     spec:

diff --git a/charts/qtodo/templates/udn-admin-network-policy.yaml b/charts/qtodo/templates/udn-admin-network-policy.yaml
@@ -0,0 +1,118 @@
+{{- if and .Values.app.udn.enabled .Values.app.udn.networkPolicy.enabled }}
+# AdminNetworkPolicy for qtodo UDN
+# Controls traffic on the secondary (UDN) interface with explicit allow-lists
+# Primary network policies (cluster network) are in qtodo-network-policy.yaml
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: '37'
+  name: qtodo-udn-policy
+spec:
+  priority: 50
+  subject:
+    namespaces:
+      matchLabels:
+        kubernetes.io/metadata.name: {{ .Release.Namespace }}
+  ingress:
+  {{- if .Values.app.udn.networkPolicy.ingress.router.enabled }}
+  # Allow ingress from OpenShift router on primary network (not UDN)
+  # Router traffic comes through the cluster network interface
+  - name: allow-router-ingress
+    action: Allow
+    from:
+    - namespaces:
+        matchLabels:
+          policy-group.network.openshift.io/ingress: ""
+    ports:
+    - portNumber:
+        protocol: TCP
+        port: {{ .Values.app.udn.networkPolicy.ingress.router.port }}
+  {{- end }}
+  {{- if .Values.app.udn.networkPolicy.egress.postgresql.enabled }}
+  # Allow ingress to PostgreSQL from qtodo pods within same namespace on UDN
+  - name: allow-postgresql-ingress
+    action: Allow
+    from:
+    - pods:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .Release.Namespace }}
+        podSelector:
+          matchLabels:
+            app: qtodo
+    ports:
+    - portNumber:
+        protocol: TCP
+        port: {{ .Values.app.udn.networkPolicy.egress.postgresql.port }}
+  {{- end }}
+  # Deny all other ingress by default on UDN
+  - name: deny-all-ingress
+    action: Deny
+    from:
+    - namespaces: {}
+  egress:
+  {{- if .Values.app.udn.networkPolicy.egress.dns.enabled }}
+  # Allow DNS resolution via CoreDNS
+  - name: allow-dns
+    action: Allow
+    to:
+    - namespaces:
+        matchLabels:
+          kubernetes.io/metadata.name: {{ .Values.app.udn.networkPolicy.egress.dns.namespace }}
+    ports:
+    - portNumber:
+        protocol: UDP
+        port: {{ .Values.app.udn.networkPolicy.egress.dns.port }}
+    - portNumber:
+        protocol: TCP
+        port: {{ .Values.app.udn.networkPolicy.egress.dns.port }}
+  {{- end }}
+  {{- if .Values.app.udn.networkPolicy.egress.postgresql.enabled }}
+  # Allow PostgreSQL access within same namespace on UDN
+  - name: allow-postgresql
+    action: Allow
+    to:
+    - pods:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .Release.Namespace }}
+        podSelector:
+          matchLabels:
+            app: qtodo-db
+    ports:
+    - portNumber:
+        protocol: TCP
+        port: {{ .Values.app.udn.networkPolicy.egress.postgresql.port }}
+  {{- end }}
+  {{- if .Values.app.udn.networkPolicy.egress.vault.enabled }}
+  # Allow Vault API access (SPIFFE JWT auth) via cluster network
+  - name: allow-vault
+    action: Allow
+    to:
+    - namespaces:
+        matchLabels:
+          kubernetes.io/metadata.name: {{ .Values.app.udn.networkPolicy.egress.vault.namespace }}
+    ports:
+    - portNumber:
+        protocol: TCP
+        port: {{ .Values.app.udn.networkPolicy.egress.vault.port }}
+  {{- end }}
+  {{- if .Values.app.udn.networkPolicy.egress.https.enabled }}
+  # Allow OIDCs (HTTPS connections) via cluster network (external route)
+  - name: allow-https
+    action: Allow
+    to:
+    - networks:
+      - 0.0.0.0/0  # External route, cannot match by namespace
+    ports:
+    - portNumber:
+        protocol: TCP
+        port: {{ .Values.app.udn.networkPolicy.egress.https.port }}
+  {{- end }}
+  # Deny all other egress by default on UDN
+  - name: deny-all-egress
+    action: Deny
+    to:
+    - namespaces: {}
+{{- end }}
diff --git a/charts/qtodo/templates/udn-network-attachment-definition.yaml b/charts/qtodo/templates/udn-network-attachment-definition.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.app.udn.enabled }}
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: '36'
+    description: "Network attachment for qtodo UDN isolation"
+  name: {{ .Values.app.udn.nadName }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  config: |
+    {
+      "cniVersion": "0.4.0",
+      "type": "ovn-k8s-cni-overlay",
+      "name": "{{ .Values.app.udn.name }}",
+      "topology": "{{ lower .Values.app.udn.topology }}",
+      "netAttachDefName": "{{ .Release.Namespace }}/{{ .Values.app.udn.nadName }}",
+      {{- if eq .Values.app.udn.topology "Layer2" }}
+      "subnets": "{{ .Values.app.udn.subnet }}",
+      {{- end }}
+      "mtu": {{ .Values.app.udn.mtu }}
+    }
+{{- end }}
diff --git a/charts/qtodo/templates/udn-user-defined-network.yaml b/charts/qtodo/templates/udn-user-defined-network.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.app.udn.enabled }}
+apiVersion: k8s.ovn.org/v1
+kind: UserDefinedNetwork
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: '35'
+  name: {{ .Values.app.udn.name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  topology: {{ .Values.app.udn.topology }}
+  {{- if eq .Values.app.udn.topology "Layer2" }}
+  layer2:
+    role: Primary
+    subnets:
+    - {{ .Values.app.udn.subnet }}
+    {{- if .Values.app.udn.mtu }}
+    mtu: {{ .Values.app.udn.mtu }}
+    {{- end }}
+  {{- else if eq .Values.app.udn.topology "Layer3" }}
+  layer3:
+    role: Primary
+    subnets:
+    - {{ .Values.app.udn.subnet }}
+    {{- if .Values.app.udn.joinSubnet }}
+    joinSubnets:
+    - {{ .Values.app.udn.joinSubnet }}
+    {{- end }}
+    {{- if .Values.app.udn.mtu }}
+    mtu: {{ .Values.app.udn.mtu }}
+    {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/charts/qtodo/values.yaml b/charts/qtodo/values.yaml
@@ -91,6 +91,59 @@ app:
     # QTodo truststore password path (app-level isolation)
     vaultPath: "secret/data/apps/qtodo/qtodo-truststore"
 
+  # User-Defined Network (UDN) configuration for network isolation
+  # Provides layer 2/3 network segmentation following Zero Trust principles
+  udn:
+    enabled: false
+    # Network name
+    name: qtodo-isolated-network
+    # NetworkAttachmentDefinition name
+    nadName: qtodo-udn-nad
+    # Topology: Layer2 or Layer3
+    # Layer2: Same subnet, pods can communicate directly
+    # Layer3: Different subnets per node, requires routing
+    topology: Layer2
+    # CIDR for the UDN subnet (Layer2 only)
+    subnet: "10.100.0.0/16"
+    # Join subnet (for Layer3, optional)
+    # joinSubnet: "100.64.0.0/16"
+    # MTU for the network (default: 1400 to avoid fragmentation)
+    mtu: 1400
+    # IPAM configuration
+    ipam:
+      type: static
+    # Network Policy for UDN
+    # UDN requires policies on both primary (cluster network) and secondary (UDN) interfaces
+    networkPolicy:
+      # Enable network policies on the UDN
+      enabled: true
+      # Allowed egress destinations from qtodo pods on the UDN
+      egress:
+        # DNS resolution
+        dns:
+          enabled: true
+          port: 5353
+          namespace: openshift-dns
+        # PostgreSQL database
+        postgresql:
+          enabled: true
+          port: 5432
+        # Vault for secrets (via primary network, not UDN)
+        vault:
+          enabled: true
+          port: 8200
+          namespace: vault
+        # Allow HTTPS connections to any destination, used for OIDCs (via primary network for external route)
+        https:
+          enabled: true
+          port: 443
+      # Allowed ingress sources to qtodo pods on the UDN
+      ingress:
+        # OpenShift router (via primary network, not UDN)
+        router:
+          enabled: true
+          port: 8080
+
 # PostgreSQL database configuration
 postgresql:
   name: qtodo-db

diff --git a/docs/SYNC-WAVE-INVENTORY.md b/docs/SYNC-WAVE-INVENTORY.md
@@ -41,16 +41,18 @@ Every sync-wave in the repository, in order. **App** = hub-level Argo CD Applica
 | 34 | └ rhtpa-operator | chart | oidc-cli-secret |
 | 34 | └ noobaa-mcg | chart | bucket-class |
 | 35 | rh-keycloak | **App** | |
+| 35 | └ qtodo | chart | udn-user-defined-network (UserDefinedNetwork CR for network isolation) |
 | 36 | noobaa-mcg | **App** | |
 | 36 | └ rhtpa-operator | chart | postgresql-serviceaccount, postgresql-external-secret, object-bucket-claim |
 | 36 | └ keycloak | chart | keycloak.yaml (Keycloak CR) |
 | 36 | └ quay-registry | chart | object-bucket-claim |
 | 36 | └ acs-central | chart | admin-password-secret, central-htpasswd-external-secret, keycloak-client-secret-external-secret |
-| 36 | └ qtodo | chart | truststore-secret-external-secret, registry-external-secret |
+| 36 | └ qtodo | chart | udn-network-attachment-definition (NAD), truststore-secret-external-secret, registry-external-secret |
 | 38+0 | └ qtodo | chart | registry-seed SA, ClusterRole, ClusterRoleBinding |
 | 38+5 | └ qtodo | chart (hook) | registry-seed-image (Sync hook Job -- mirrors upstream image to configured registry) |
 | 37 | └ quay-registry | chart | quay-s3-setup-serviceaccount (5 resources) |
 | 37 | └ acs-central | chart | create-htpasswd-field (Job) |
+| 37 | └ qtodo | chart | udn-admin-network-policy (AdminNetworkPolicy for UDN traffic control) |
 | 38 | qtodo | **App** | |
 | 38 | └ quay-registry | chart | quay-config-bundle-secret |
 | 39 | └ rhtpa-operator | chart | s3-credentials-secret |
@@ -243,8 +245,11 @@ Charts marked **(external)** have been externalized to standalone repositories m
 | --- | ---: | ---: |
 | registry-seed-job.yaml (SA, ClusterRole, ClusterRoleBinding) | --- | 0 |
 | registry-seed-job.yaml (Sync hook Job) | --- | 5 |
+| udn-user-defined-network.yaml | --- | 35 |
+| udn-network-attachment-definition.yaml | --- | 36 |
 | truststore-secret-external-secret.yaml | 5 | 36 |
 | registry-external-secret.yaml | --- | 36 |
+| udn-admin-network-policy.yaml (AdminNetworkPolicy) | --- | 37 |
 | postgresql-statefulset.yaml | 10 | 41 |
 | postgresql-service.yaml | 10 | 41 |
 | qtodo-truststore-config.yaml | 10 | 41 |