From fbd846784cc91924a0a6c27f2b1eb2932fa9fc92 Mon Sep 17 00:00:00 2001 From: Markus Pesch Date: Sun, 12 Oct 2025 17:21:05 +0200 Subject: [PATCH] fix(networkPolicy): use single network policy --- README.md | 445 +++++------------- templates/_networkPolicies.tpl | 19 - templates/_networkPolicy.tpl | 19 + templates/networkPolicies.yaml | 36 -- templates/networkPolicy.yaml | 32 ++ .../networkPolicy.yaml} | 58 +-- values.yaml | 130 +++-- 7 files changed, 243 insertions(+), 496 deletions(-) delete mode 100644 templates/_networkPolicies.tpl create mode 100644 templates/_networkPolicy.tpl delete mode 100644 templates/networkPolicies.yaml create mode 100644 templates/networkPolicy.yaml rename unittests/{networkPolicies/default.yaml => networkPolicy/networkPolicy.yaml} (55%) diff --git a/README.md b/README.md index 95bd847..e86be94 100644 --- a/README.md +++ b/README.md 
@@ -2,371 +2,146 @@ [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/volker-raschek)](https://artifacthub.io/packages/search?repo=volker-raschek) -This is an inofficial helm chart of the go-proxy -[athens](https://github.com/gomods/athens) which supports more complex -configuration options. +> [!NOTE] +> This is not the official helm chart of Athens Go Proxy. If you are looking for the official helm chart, checkout the +> GitHub project [gomods/athens-charts](https://github.com/gomods/athens-charts). -This helm chart can be found on [artifacthub.io](https://artifacthub.io/) and -can be installed via helm. +This helm chart enables the deployment of [Athens Go Proxy](https://github.com/gomods/athens), a module datastore and +proxy for Golang. + +The helm chart supports the individual configuration of additional containers/initContainers, mounting of volumes, +defining additional environment variables and much more. + +Chapter [configuration and installation](#helm-configuration-and-installation) describes the basics how to configure +helm and use it to deploy the exporter. It also contains further configuration examples. + +Furthermore, this helm chart contains unit tests to detect regressions and stabilize the deployment. Additionally, this +helm chart is tested for deployment scenarios with **ArgoCD**, but please keep in mind, that this chart supports the +*[Automatically Roll Deployment](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments)* +concept of Helm, which can trigger unexpected rolling releases. Further configuration instructions are described in a +separate [chapter](#argocd). + +## Helm: configuration and installation + +1. A helm chart repository must be configured, to pull the helm charts from. +2. All available [parameters](#parameters) are documented in detail below. The parameters can be defined via the helm + `--set` flag or directly as part of a `values.yaml` file. 
The following example defines the repository and use the + `--set` flag for a basic deployment. ```bash helm repo add volker.raschek https://charts.cryptic.systems/volker.raschek +helm repo update helm install athens-proxy volker.raschek/athens-proxy ``` -## Customization +Instead of passing all parameters via the *set* flag, it is also possible to define them as part of the `values.yaml`. +The following command downloads the `values.yaml` for a specific version of this chart. Please keep in mind, that the +version of the chart must be in sync with the `values.yaml`. Newer *minor* versions can have new features. New *major* +versions can break something! -The complete deployment can be adapted via the `values.yaml` files. The -configuration of the proxy can be done via the environment variables described -below or via mounting the config.toml as additional persistent volume to -`/config/config.toml` - -## Access private repositories via SSH - -Create a `configmap.yaml` with multiple keys. One key describe the content of -the `.gitconfig` file and another of `config` of the ssh client. All requests -Git clone comands with the prefix `http://github.com/` will be replaced by -`git@github.com:` to use SSH instead of HTTPS. The SSH keys are stored in a -separate secret. - -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: custom-configs -data: - sshconfig: | - Host github.com - IdentityFile /root/.ssh/id_ed25519 - StrictHostKeyChecking no - gitconfig: | - [url "git@github.com:"] - insteadOf = https://github.com/ +```bash +CHART_VERSION=0.3.0 +helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > values.yaml ``` -The secret definition below contains the SSH private and public key. 
+A complete list of available helm chart versions can be displayed via the following command: -```yaml -apiVersion: v1 -kind: Secret -metadata: - name: custom-ssh-keys -type: Opaque -stringData: - id_ed25519: | - -----BEGIN OPENSSH PRIVATE KEY----- - b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW - QyNTUxOQAAACCpf/10TWlksg6/5mZF067fTGvW71I5QVJEp/nyC8hVHgAAAJgwWWNdMFlj - XQAAAAtzc2gtZWQyNTUxOQAAACCpf/10TWlksg6/5mZF067fTGvW71I5QVJEp/nyC8hVHg - AAAEDzTPitanzgl6iThoFCx8AXwsGLS5Q+3+K66ZOmN0p6+6l//XRNaWSyDr/mZkXTrt9M - a9bvUjlBUkSn+fILyFUeAAAAEG1hcmt1c0BtYXJrdXMtcGMBAgMEBQ== - -----END OPENSSH PRIVATE KEY----- - id_ed25519.pub: | - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKl//XRNaWSyDr/mZkXTrt9Ma9bvUjlBUkSn+fILyFUe +```bash +helm search repo reposilite --versions ``` -The item `config` of the configmap will be merged with the items of the secret -as virtual volume. This volume can than be mounted with special permissions -required for the ssh client. +The helm chart also contains a persistent volume claim definition. It persistent volume claim is not enabled by default. +Use the `--set` argument to persist your data. 
-```yaml -extraVolumes: -- name: ssh - projected: - defaultMode: 0644 - sources: - - configMap: - name: custom-configs - items: - - key: sshconfig - path: config - - secret: - name: custom-ssh-keys - items: - - key: id_ed25519 - path: id_ed25519 - mode: 0600 - - key: id_ed25519.pub - path: id_ed25519.pub -- name: gitconfig - configMap: - name: custom-configs - items: - - key: gitconfig - path: config - mode: 0644 - -extraVolumeMounts: -- name: ssh - mountPath: /root/.ssh -- name: gitconfig - mountPath: /root/.config/git +```bash +CHART_VERSION=0.3.0 +helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \ + persistence.enabled=true ``` -## Access private GitHub.com repositories via developer token +### Examples -Another way to access private GitHub repositories is via a GitHub token, which -can be set via the environment variable `GITHUB_TOKEN`. Athens automatically -creates a `.netrc` file to access private GitHub repositories. +The following examples serve as individual configurations and as inspiration for how deployment problems can be solved. -## Access private repositories via .netrc configuration +#### Network policies -As describe above, a `.netrc` file is responsible for the authentication via -HTTP. The file can also be defined via a custom secret and mounted into the home -directory of `root` for general authentication purpose. +Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom +network policy implementation of CNI plugins. It's support only the official API resource of `networking.k8s.io/v1`. -The example below describe the definition and mounting of a custom `.netrc` file -to access private repositories hosted on GitHub and GitLab. +The example below is an excerpt of the `values.yaml` file. The network policy contains ingress rules to allow incoming +traffic from an ingress controller. Additionally two egress rules are defined. 
The first one to allow the application +outgoing access to the internal running DNS server `core-dns`. The second rule to be able to access the Apache Maven +Central repository via HTTPS. + +> [!IMPORTANT] +> Please keep in mind, that the namespace and pod selector labels can be different from environment to environment. For +> this reason, there is are not default network policy rules defined. ```yaml -apiVersion: v1 -kind: Secret -metadata: - name: custom-netrc -type: Opaque -stringData: - netrc: | - machine github.com login USERNAME password API-KEY - machine gitlab.com login USERNAME password API-KEY +networkPolicies: + enabled: true + annotations: {} + labels: {} + policyTypes: + - Egress + - Ingress + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + - ports: + - port: 443 + protocol: TCP + + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: ingress-nginx + podSelector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + ports: + - port: http + protocol: TCP ``` -The file must then be mounted via extraVolumes and extraVolumeMounts. +## ArgoCD -```yaml -extraVolumes: -- name: netrc - secret: - secretName: custom-netrc - items: - - key: netrc - path: .netrc - mode: 0600 +### Daily execution of rolling updates -extraVolumeMounts: -- name: netrc - mountPath: /root -``` +The behavior whereby ArgoCD triggers a rolling update even though nothing appears to have changed often occurs in +connection with the helm concept `checksum/secret`, `checksum/configmap` or more generally, [Automatically Roll +Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments). -## Persistent storage +The problem with combining this concept with ArgoCD is that ArgoCD re-renders the Helm chart every time. 
Even if the +content of the config map or secret has not changed, there may be minimal differences (e.g., whitespace, chart version, +Helm render order, different timestamps). -Unlike the athens default, the default here is `disk` - i.e. the files are -written to the container. Therefore, it is advisable to outsource the -corresponding storage location to persistent storage. The following example -describes the integration of a persistent storage claim. +This changes the SHA256 hash, Argo sees a drift and trigger a rolling update of the deployment. Among other things, this +can lead to unnecessary notifications from ArgoCD. -```yaml -extraVolumes: -- name: gomodules - persistentVolumeClaim: - claimName: custom-gomodules-pvc +To avoid this, the annotation with the shasum must be ignored. Below is a diff that adds the `Application` to ignore all +annotations with the prefix `checksum`. -extraVolumeMounts: -- name: gomodules - mountPath: /var/lib/athens +```diff + apiVersion: argoproj.io/v1alpha1 + kind: Application + spec: ++ ignoreDifferences: ++ - group: apps/v1 ++ kind: Deployment ++ jqPathExpressions: ++ - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("checksum")))' ``` ## Parameters - -### Global - -| Name | Description | Value | -| ------------------ | ----------------------------------------- | ----- | -| `nameOverride` | Individual release name suffix. | `""` | -| `fullnameOverride` | Override the complete release name logic. 
| `""` | - -### Configuration - -| Name | Description | Value | -| ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `config.env.existingSecret.enabled` | Mount an existing secret containing the application specific environment variables. | `false` | -| `config.env.existingSecret.secretName` | Name of the existing secret containing the application specific environment variables. | `""` | -| `config.env.secret.annotations` | Additional annotations of the secret containing the database credentials. | `{}` | -| `config.env.secret.labels` | Additional labels of the secret containing the database credentials. | `{}` | -| `config.env.secret.envs` | List of environment variables stored in a secret and mounted into the container. | `{}` | -| `config.downloadMode.enabled` | Enable mounting of a download mode file into the container file system. If enabled, the env `ATHENS_DOWNLOAD_MODE` will automatically be defined. | `false` | -| `config.downloadMode.existingConfigMap.enabled` | Enable to use an external config map for mounting the download mode file. 
| `false` | -| `config.downloadMode.existingConfigMap.configMapName` | The name of the existing config map which should be used to mount the download mode file. | `""` | -| `config.downloadMode.existingConfigMap.downloadModeKey` | The name of the key inside the config map where the content of the download mode file is stored. | `downloadMode` | -| `config.downloadMode.configMap.annotations` | Additional annotations of the config map containing the download mode file. | `{}` | -| `config.downloadMode.configMap.labels` | Additional labels of the config map containing the download mode file. | `{}` | -| `config.downloadMode.configMap.content` | The content of the download mode file. | `downloadURL = "https://proxy.golang.org" - -mode = "async_redirect" - -# download "github.com/gomods/*" { -# mode = "sync" -# } -# -# download "golang.org/x/*" { -# mode = "none" -# } -# -# download "github.com/pkg/*" { -# mode = "redirect" -# downloadURL = "https://gocenter.io" -# } -` | -| `config.gitConfig.enabled` | Enable mounting of a .gitconfig file into the container file system. | `false` | -| `config.gitConfig.existingConfigMap.enabled` | Enable to use an external config map for mounting the .gitconfig file. | `false` | -| `config.gitConfig.existingConfigMap.configMapName` | The name of the existing config map which should be used to mount the .gitconfig file. | `""` | -| `config.gitConfig.existingConfigMap.gitConfigKey` | The name of the key inside the config map where the content of the .gitconfig file is stored. | `nil` | -| `config.gitConfig.configMap.annotations` | Additional annotations of the config map containing the .gitconfig file. | `{}` | -| `config.gitConfig.configMap.labels` | Additional labels of the config map containing the .gitconfig file. | `{}` | -| `config.gitConfig.configMap.content` | The content of the .gitconfig file. | `# The .gitconfig file -# -# The .gitconfig file contains the user specific git configuration. 
It generally resides in the user's home -# directory. -# -# [url "git@github.com:"] insteadOf = https://github.com/ -` | -| `config.netrc.enabled` | Enable mounting of a .netrc file into the container file system. | `false` | -| `config.netrc.existingSecret.enabled` | Enable to use an external secret for mounting the .netrc file. | `false` | -| `config.netrc.existingSecret.secretName` | The name of the existing secret which should be used to mount the .netrc file. | `""` | -| `config.netrc.existingSecret.netrcKey` | The name of the key inside the secret where the content of the .netrc file is stored. | `.netrc` | -| `config.netrc.secret.annotations` | Additional annotations of the secret containing the database credentials. | `{}` | -| `config.netrc.secret.labels` | Additional labels of the secret containing the database credentials. | `{}` | -| `config.netrc.secret.content` | The content of the .netrc file. | `# The .netrc file -# -# The .netrc file contains login and initialization information used by the auto-login process. It generally -# resides in the user's home directory, but a location outside of the home directory can be set using the -# environment variable NETRC. Both locations are overridden by the command line option -N. The selected file -# must be a regular file, or access will be denied. -# -# https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html -# -# default login [name] password [password/token] -# machine github.com [octocat] password [PAT] -# machine api.github.com [octocat] password [PAT] -` | -| `config.ssh.enabled` | Enable mounting of a .netrc file into the container file system. | `false` | -| `config.ssh.existingSecret.enabled` | Enable to use an external secret for mounting the public and private SSH key files. | `false` | -| `config.ssh.existingSecret.secretName` | The name of the existing secret which should be used to mount the public and private SSH key files. 
| `""` | -| `config.ssh.existingSecret.configKey` | The name of the key inside the secret where the content of the SSH client config file is stored. | `config` | -| `config.ssh.existingSecret.id_ed25519Key` | The name of the key inside the secret where the content of the id_ed25519 key file is stored. | `id_ed25519` | -| `config.ssh.existingSecret.id_ed25519PubKey` | The name of the key inside the secret where the content of the id_ed25519.pub key file is stored. | `id_ed25519.pub` | -| `config.ssh.existingSecret.id_rsaKey` | The name of the key inside the secret where the content of the id_rsa key file is stored. | `id_rsa` | -| `config.ssh.existingSecret.id_rsaPubKey` | The name of the key inside the secret where the content of the id_ed25519.pub key file is stored. | `id_rsa.pub` | -| `config.ssh.secret.annotations` | Additional annotations of the secret containing the public and private SSH key files. | `{}` | -| `config.ssh.secret.labels` | Additional labels of the secret containing the public and private SSH key files. | `{}` | -| `config.ssh.secret.config` | The content of the SSH client config file. | `# Host * -# IdentityFile ~/.ssh/id_ed25519 -# IdentityFile ~/.ssh/id_rsa -` | - -### Deployment - -| Name | Description | Value | -| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------- | -| `deployment.annotations` | Additional deployment annotations. | `{}` | -| `deployment.labels` | Additional deployment labels. | `{}` | -| `deployment.additionalContainers` | List of additional containers. | `[]` | -| `deployment.affinity` | Affinity for the athens-proxy deployment. | `{}` | -| `deployment.initContainers` | List of additional init containers. | `[]` | -| `deployment.dnsConfig` | dnsConfig of the athens-proxy deployment. | `{}` | -| `deployment.dnsPolicy` | dnsPolicy of the athens-proxy deployment. 
| `""` | -| `deployment.hostname` | Individual hostname of the pod. | `""` | -| `deployment.subdomain` | Individual domain of the pod. | `""` | -| `deployment.hostNetwork` | Use the kernel network namespace of the host system. | `false` | -| `deployment.imagePullSecrets` | Secret to use for pulling the image. | `[]` | -| `deployment.athensProxy.args` | Arguments passed to the athens-proxy container. | `[]` | -| `deployment.athensProxy.command` | Command passed to the athens-proxy container. | `[]` | -| `deployment.athensProxy.env` | List of environment variables for the athens-proxy container. | `[]` | -| `deployment.athensProxy.envFrom` | List of environment variables mounted from configMaps or secrets for the athens-proxy container. | `[]` | -| `deployment.athensProxy.image.registry` | Image registry, eg. `docker.io`. | `docker.io` | -| `deployment.athensProxy.image.repository` | Image repository, eg. `library/busybox`. | `gomods/athens` | -| `deployment.athensProxy.image.tag` | Custom image tag, eg. `0.1.0`. Defaults to `appVersion`. | `""` | -| `deployment.athensProxy.image.pullPolicy` | Image pull policy. | `IfNotPresent` | -| `deployment.athensProxy.resources` | CPU and memory resources of the pod. | `{}` | -| `deployment.athensProxy.securityContext` | Security context of the container of the deployment. | `{}` | -| `deployment.athensProxy.volumeMounts` | Additional volume mounts. | `[]` | -| `deployment.nodeSelector` | NodeSelector of the athens-proxy deployment. | `{}` | -| `deployment.priorityClassName` | PriorityClassName of the athens-proxy deployment. | `""` | -| `deployment.replicas` | Number of replicas for the athens-proxy deployment. | `1` | -| `deployment.restartPolicy` | Restart policy of the athens-proxy deployment. | `""` | -| `deployment.securityContext` | Security context of the athens-proxy deployment. | `{}` | -| `deployment.strategy.type` | Strategy type - `Recreate` or `RollingUpdate`. 
| `RollingUpdate` | -| `deployment.strategy.rollingUpdate.maxSurge` | The maximum number of pods that can be scheduled above the desired number of pods during a rolling update. | `1` | -| `deployment.strategy.rollingUpdate.maxUnavailable` | The maximum number of pods that can be unavailable during a rolling update. | `1` | -| `deployment.terminationGracePeriodSeconds` | How long to wait until forcefully kill the pod. | `60` | -| `deployment.tolerations` | Tolerations of the athens-proxy deployment. | `[]` | -| `deployment.topologySpreadConstraints` | TopologySpreadConstraints of the athens-proxy deployment. | `[]` | -| `deployment.volumes` | Additional volumes to mount into the pods of the prometheus-exporter deployment. | `[]` | - -### Horizontal Pod Autoscaler (HPA) - -| Name | Description | Value | -| ----------------- | -------------------------------------------------------------------------------------------------- | ----------- | -| `hpa.enabled` | Enable the horizontal pod autoscaler (HPA). | `false` | -| `hpa.annotations` | Additional annotations for the HPA. | `{}` | -| `hpa.labels` | Additional labels for the HPA. | `{}` | -| `hpa.metrics` | Metrics contains the specifications for which to use to calculate the desired replica count. | `undefined` | -| `hpa.minReplicas` | Min replicas is the lower limit for the number of replicas to which the autoscaler can scale down. | `1` | -| `hpa.maxReplicas` | Upper limit for the number of pods that can be set by the autoscaler. | `10` | - -### Ingress - -| Name | Description | Value | -| --------------------- | -------------------------------------------------------------------------------------------------------------------- | ------- | -| `ingress.enabled` | Enable creation of an ingress resource. Requires, that the http service is also enabled. | `false` | -| `ingress.className` | Ingress class. | `nginx` | -| `ingress.annotations` | Additional ingress annotations. 
| `{}` | -| `ingress.labels` | Additional ingress labels. | `{}` | -| `ingress.hosts` | Ingress specific configuration. Specification only required when another ingress controller is used instead of `t1k. | `[]` | -| `ingress.tls` | Ingress TLS settings. Specification only required when another ingress controller is used instead of `t1k``. | `[]` | - -### Persistence - -| Name | Description | Value | -| -------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | -| `persistence.enabled` | Enable the feature to store the data on a persistent volume claim. If enabled, the volume will be automatically be mounted into the pod. Furthermore, the env `ATHENS_STORAGE_TYPE=disk` will automatically be defined. | `false` | -| `persistence.data.mountPath` | The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`. | `/var/www/athens-proxy/data` | -| `persistence.data.existingPersistentVolumeClaim.enabled` | TODO | `false` | -| `persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName` | TODO | `""` | -| `persistence.data.persistentVolumeClaim.annotations` | Additional persistent volume claim annotations. | `{}` | -| `persistence.data.persistentVolumeClaim.labels` | Additional persistent volume claim labels. | `{}` | -| `persistence.data.persistentVolumeClaim.accessModes` | Access modes of the persistent volume claim. | `["ReadWriteMany"]` | -| `persistence.data.persistentVolumeClaim.storageClass` | Storage class of the persistent volume claim. | `""` | -| `persistence.data.persistentVolumeClaim.storageSize` | Size of the persistent volume claim. 
| `5Gi` | - -### NetworkPolicies - -| Name | Description | Value | -| ------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------- | -| `networkPolicies.enabled` | Enable network policies in general. | `false` | -| `networkPolicies.default.enabled` | Enable the network policy for accessing the application by default. For example to scape the metrics. | `false` | -| `networkPolicies.default.annotations` | Additional network policy annotations. | `{}` | -| `networkPolicies.default.labels` | Additional network policy labels. | `{}` | -| `networkPolicies.default.policyTypes` | List of policy types. Supported is ingress, egress or ingress and egress. | `[]` | -| `networkPolicies.default.egress` | Concrete egress network policy implementation. | `[]` | -| `networkPolicies.default.ingress` | Concrete ingress network policy implementation. | `[]` | - -### Service - -| Name | Description | Value | -| ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| `services.http.enabled` | Enable the service. | `true` | -| `services.http.annotations` | Additional service annotations. | `{}` | -| `services.http.externalIPs` | External IPs for the service. | `[]` | -| `services.http.externalTrafficPolicy` | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation. | `Cluster` | -| `services.http.internalTrafficPolicy` | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic. 
| `Cluster` | -| `services.http.ipFamilies` | IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization. | `[]` | -| `services.http.labels` | Additional service labels. | `{}` | -| `services.http.loadBalancerClass` | LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`. | `""` | -| `services.http.loadBalancerIP` | LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`. | `""` | -| `services.http.loadBalancerSourceRanges` | Source range filter for LoadBalancer. Requires service from type `LoadBalancer`. | `[]` | -| `services.http.port` | Port to forward the traffic to. | `3000` | -| `services.http.sessionAffinity` | Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`. | `None` | -| `services.http.sessionAffinityConfig` | Contains the configuration of the session affinity. | `{}` | -| `services.http.type` | Kubernetes service type for the traffic. | `ClusterIP` | - -### ServiceAccount - -| Name | Description | Value | -| ------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `serviceAccount.existing.enabled` | Use an existing service account instead of creating a new one. Assumes that the user has all the necessary kubernetes API authorizations. | `false` | -| `serviceAccount.existing.serviceAccountName` | Name of the existing service account. | `""` | -| `serviceAccount.new.annotations` | Additional service account annotations. | `{}` | -| `serviceAccount.new.labels` | Additional service account labels. 
| `{}` | -| `serviceAccount.new.automountServiceAccountToken` | Enable/disable auto mounting of the service account token. | `true` | -| `serviceAccount.new.imagePullSecrets` | ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images in pods that reference this serviceAccount. | `[]` | -| `serviceAccount.new.secrets` | Secrets is the list of secrets allowed to be used by pods running using this ServiceAccount. | `[]` | diff --git a/templates/_networkPolicies.tpl b/templates/_networkPolicies.tpl deleted file mode 100644 index adaca16..0000000 --- a/templates/_networkPolicies.tpl +++ /dev/null @@ -1,19 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{/* annotations */}} - -{{- define "athens-proxy.networkPolicies.annotations" -}} -{{ include "athens-proxy.annotations" .context }} -{{- if .networkPolicy.annotations }} -{{ toYaml .networkPolicy.annotations }} -{{- end }} -{{- end }} - -{{/* labels */}} - -{{- define "athens-proxy.networkPolicies.labels" -}} -{{ include "athens-proxy.labels" .context }} -{{- if .networkPolicy.labels }} -{{ toYaml .networkPolicy.labels }} -{{- end }} -{{- end }} diff --git a/templates/_networkPolicy.tpl b/templates/_networkPolicy.tpl new file mode 100644 index 0000000..f6d73b8 --- /dev/null +++ b/templates/_networkPolicy.tpl @@ -0,0 +1,19 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* annotations */}} + +{{- define "athens-proxy.networkPolicy.annotations" -}} +{{ include "athens-proxy.annotations" . }} +{{- if .Values.networkPolicy.annotations }} +{{ toYaml .Values.networkPolicy.annotations }} +{{- end }} +{{- end }} + +{{/* labels */}} + +{{- define "athens-proxy.networkPolicy.labels" -}} +{{ include "athens-proxy.labels" . }} +{{- if .Values.networkPolicy.labels }} +{{ toYaml .Values.networkPolicy.labels }} +{{- end }} +{{- end }} diff --git a/templates/networkPolicies.yaml b/templates/networkPolicies.yaml deleted file mode 100644 index e92e9fd..0000000 
--- a/templates/networkPolicies.yaml +++ /dev/null @@ -1,36 +0,0 @@ -{{- if .Values.networkPolicies.enabled }} -{{- range $key, $value := .Values.networkPolicies -}} -{{- if and (not (eq $key "enabled")) $value.enabled }} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - {{- with (include "athens-proxy.networkPolicies.annotations" (dict "networkPolicy" $value "context" $) | fromYaml) }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with (include "athens-proxy.networkPolicies.labels" (dict "networkPolicy" $value "context" $) | fromYaml) }} - labels: - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ printf "%s-%s" (include "athens-proxy.fullname" $ ) $key }} - namespace: {{ $.Release.Namespace }} -spec: - podSelector: - matchLabels: - {{- include "athens-proxy.pod.selectorLabels" $ | nindent 6 }} - {{- with $value.policyTypes }} - policyTypes: - {{- toYaml . | nindent 2 }} - {{- end }} - {{- with $value.egress }} - egress: - {{- toYaml . | nindent 2 }} - {{- end }} - {{- with $value.ingress }} - ingress: - {{- toYaml . | nindent 2 }} - {{- end }} -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/templates/networkPolicy.yaml b/templates/networkPolicy.yaml new file mode 100644 index 0000000..8b1f85c --- /dev/null +++ b/templates/networkPolicy.yaml 
@@ -0,0 +1,32 @@
+{{- if .Values.networkPolicy.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ {{- with (include "athens-proxy.networkPolicy.annotations" . | fromYaml) }}
+ annotations:
+ {{- tpl (toYaml .) $ | nindent 4 }}
+ {{- end }}
+ {{- with (include "athens-proxy.networkPolicy.labels" . | fromYaml) }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ include "athens-proxy.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "athens-proxy.pod.selectorLabels" $ | nindent 6 }}
+ {{- with .Values.networkPolicy.policyTypes }}
+ policyTypes:
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+ {{- with .Values.networkPolicy.egress }}
+ egress:
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+ {{- with .Values.networkPolicy.ingress }}
+ ingress:
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/unittests/networkPolicies/default.yaml b/unittests/networkPolicy/networkPolicy.yaml
similarity index 55%
rename from unittests/networkPolicies/default.yaml
rename to unittests/networkPolicy/networkPolicy.yaml
index fe8067b..d80ec82 100644
--- a/unittests/networkPolicies/default.yaml
+++ b/unittests/networkPolicy/networkPolicy.yaml
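Review bot: With `networkPolicy.enabled: true` and empty `policyTypes`, `egress` and `ingress` the template still renders a NetworkPolicy whose spec carries only the `podSelector`; Kubernetes then defaults `policyTypes` to `Ingress`, so the selected athens pods are isolated from all incoming traffic (the "Render default networkPolicy" test in this commit asserts exactly that shape). That is a sensible default-deny, but it is surprising enough to deserve a comment at the top of the template, e.g. `{{/* With no rules configured the rendered policy isolates the selected pods: Kubernetes defaults policyTypes to Ingress, so all incoming traffic is denied. */}}`. Separately, the annotations block is rendered through `tpl (toYaml .) $` while the labels block uses plain `toYaml .` — either apply `tpl` to both or document why only annotation values are templated. The file also ends without a trailing newline.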
@@ -1,49 +1,30 @@ chart: appVersion: 0.1.0 version: 0.1.0 -suite: NetworkPolicies template +suite: NetworkPolicy template release: name: athens-proxy-unittest namespace: testing templates: -- templates/networkPolicies.yaml +- templates/networkPolicy.yaml tests: -- it: Skip networkPolicies in general disabled. +- it: Skip rendering networkPolicy set: - networkPolicies.enabled: false + networkPolicy.enabled: false asserts: - hasDocuments: count: 0 -- it: Skip networkPolicy 'default' when disabled. +- it: Render default networkPolicy set: - networkPolicies.enabled: true - networkPolicies.default.enabled: false + networkPolicy.enabled: true asserts: - hasDocuments: - count: 0 - -- it: Loop over networkPolicies - set: - networkPolicies.enabled: true - networkPolicies.default.enabled: false - networkPolicies.nginx.enabled: true - networkPolicies.prometheus.enabled: true - asserts: - - hasDocuments: - count: 2 - -- it: Template networkPolicy 'default' without policyTypes, egress and ingress configuration - set: - networkPolicies.enabled: true - networkPolicies.default.enabled: true - asserts: - - hasDocuments: - count: 1 + count: 1 - containsDocument: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy - name: athens-proxy-unittest-default + name: athens-proxy-unittest namespace: testing - notExists: path: metadata.annotations 
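Review bot: None of the remaining tests exercises the `tpl` rendering of `networkPolicy.annotations` that templates/networkPolicy.yaml now performs, so an annotation value such as `'{{ .Release.Name }}'` being emitted unrendered would not be caught. A third case along the lines of `- it: Render templated annotations` with `set: networkPolicy.enabled: true` and `networkPolicy.annotations.foo: '{{ .Release.Name }}'`, asserting `equal: {path: metadata.annotations.foo, value: athens-proxy-unittest}`, would close that gap. The renamed 'Render default networkPolicy' case pins only the document count, kind and name; an `equal` on `spec.podSelector.matchLabels` would also pin the selector that scopes the policy to the application pods. That case's assert list continues past the end of this hunk, so some of this may already be covered there.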
@@ -67,29 +48,28 @@ tests: - notExists: path: spec.ingress -- it: Template networkPolicy 'default' with policyTypes, egress and ingress configuration +- it: Template networkPolicy with policyTypes, egress and ingress configuration set: - networkPolicies.enabled: true - networkPolicies.default.enabled: true - networkPolicies.default.policyTypes: + networkPolicy.enabled: true + networkPolicy.policyTypes: - Egress - Ingress - networkPolicies.default.ingress: + networkPolicy.ingress: - from: - namespaceSelector: matchLabels: - kubernetes.io/metadata.name: khv-production + kubernetes.io/metadata.name: monitoring podSelector: matchLabels: app.kubernetes.io/name: prometheus - networkPolicies.default.egress: + networkPolicy.egress: - to: - namespaceSelector: matchLabels: - kubernetes.io/metadata.name: database + kubernetes.io/metadata.name: ingress-nginx podSelector: matchLabels: - app.kubernetes.io/name: oracle + app.kubernetes.io/name: ingress-nginx asserts: - equal: path: spec.policyTypes @@ -102,17 +82,17 @@ tests: - to: - namespaceSelector: matchLabels: - kubernetes.io/metadata.name: database + kubernetes.io/metadata.name: ingress-nginx podSelector: matchLabels: - app.kubernetes.io/name: oracle + app.kubernetes.io/name: ingress-nginx - equal: path: spec.ingress value: - from: - namespaceSelector: matchLabels: - kubernetes.io/metadata.name: khv-production + kubernetes.io/metadata.name: monitoring podSelector: matchLabels: app.kubernetes.io/name: prometheus diff --git a/values.yaml b/values.yaml index 099c213..fe9f4f1 100644 --- a/values.yaml +++ b/values.yaml 
@@ -497,77 +497,73 @@ persistence: storageClass: "" storageSize: "5Gi" -## @section NetworkPolicies -## @param networkPolicies.enabled Enable network policies in general. -networkPolicies: +## @section Network Policy +networkPolicy: + ## @param networkPolicy.enabled Enable network policies in general. + ## @param networkPolicy.annotations Additional network policy annotations. + ## @param networkPolicy.labels Additional network policy labels. + ## @param networkPolicy.policyTypes List of policy types. Supported is ingress, egress or ingress and egress. + ## @param networkPolicy.egress Concrete egress network policy implementation. + ## @skip networkPolicy.egress Skip individual egress configuration. + ## @param networkPolicy.ingress Concrete ingress network policy implementation. + ## @skip networkPolicy.ingress Skip individual ingress configuration. enabled: false + annotations: {} + labels: {} + policyTypes: [] + # - Egress + # - Ingress + egress: [] + # Allow outgoing traffic to database host + # + # - to: + # - ipBlock: + # cidr: 192.168.179.1/32 + # ports: + # - port: 5432 + # protocol: TCP - ## @param networkPolicies.default.enabled Enable the network policy for accessing the application by default. For example to scape the metrics. - ## @param networkPolicies.default.annotations Additional network policy annotations. - ## @param networkPolicies.default.labels Additional network policy labels. - ## @param networkPolicies.default.policyTypes List of policy types. Supported is ingress, egress or ingress and egress. - ## @param networkPolicies.default.egress Concrete egress network policy implementation. - ## @skip networkPolicies.default.egress Skip individual egress configuration. - ## @param networkPolicies.default.ingress Concrete ingress network policy implementation. - ## @skip networkPolicies.default.ingress Skip individual ingress configuration. 
- default: - enabled: false - annotations: {} - labels: {} - policyTypes: [] - # - Egress - # - Ingress - egress: [] - # Allow outgoing traffic to database host - # - # - to: - # - ipBlock: - # cidr: 192.168.179.1/32 - # ports: - # - port: 5432 - # protocol: TCP + # Allow outgoing DNS traffic to the internal running DNS-Server. For example core-dns. + # + # - to: + # - namespaceSelector: + # matchLabels: + # kubernetes.io/metadata.name: kube-system + # podSelector: + # matchLabels: + # k8s-app: kube-dns + # ports: + # - port: 53 + # protocol: TCP + # - port: 53 + # protocol: UDP - # Allow outgoing DNS traffic to the internal running DNS-Server. For example core-dns. - # - # - to: - # - namespaceSelector: - # matchLabels: - # kubernetes.io/metadata.name: kube-system - # podSelector: - # matchLabels: - # k8s-app: kube-dns - # ports: - # - port: 53 - # protocol: TCP - # - port: 53 - # protocol: UDP + ingress: [] + # Allow incoming HTTP traffic from prometheus. + # + # - from: + # - namespaceSelector: + # matchLabels: + # kubernetes.io/metadata.name: monitoring + # podSelector: + # matchLabels: + # app.kubernetes.io/name: prometheus + # ports: + # - port: http + # protocol: TCP - ingress: [] - # Allow incoming HTTP traffic from prometheus. - # - # - from: - # - namespaceSelector: - # matchLabels: - # kubernetes.io/metadata.name: monitoring - # podSelector: - # matchLabels: - # app.kubernetes.io/name: prometheus - # ports: - # - port: http - # protocol: TCP - - # Allow incoming HTTP traffic from ingress-nginx. - # - # - from: - # - namespaceSelector: - # matchLabels: - # kubernetes.io/metadata.name: ingress-nginx - # podSelector: - # matchLabels: - # app.kubernetes.io/name: ingress-nginx - # ports: - # - port: http - # protocol: TCP + # Allow incoming HTTP traffic from ingress-nginx. 
+ # + # - from: + # - namespaceSelector: + # matchLabels: + # kubernetes.io/metadata.name: ingress-nginx + # podSelector: + # matchLabels: + # app.kubernetes.io/name: ingress-nginx + # ports: + # - port: http + # protocol: TCP ## @section Service ## @param services.http.enabled Enable the service.
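Review bot: The description `Enable network policies in general.` on `networkPolicy.enabled` does not tell the operator what enabling it with the shipped defaults does: the rendered policy selects the application pods with `policyTypes`, `ingress` and `egress` all empty, and because the template omits `policyTypes` when the list is empty, the Kubernetes API server defaults it to `Ingress`, so the pods become default-deny for incoming traffic while egress stays open. A sentence under the param line such as `## Enabling this with empty ingress/egress lists blocks all incoming traffic to the pods; define the ingress rules first, and when restricting egress also add the DNS rule shown below.` would avoid surprised outages, and it would connect the existing DNS example to the reason it is needed. The comment `Supported is ingress, egress or ingress and egress.` on `policyTypes` should also use the capitalised API values `Ingress` and `Egress`, matching the commented example directly below it. The `## @param` lines appear to sit indented inside the `networkPolicy:` mapping, whereas the `## @section Service` block in the trailing context keeps them at column 0 above the key; if that is the case, hoisting them keeps the file's documentation layout uniform.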