volker.raschek/athens-proxy-charts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(networkPolicy): use single network policy
Some checks failed
Helm / helm-lint (push) Successful in 6s
Details
Helm / helm-unittest (push) Successful in 7s
Details
Markdown linter / markdown-link-checker (push) Successful in 11s
Details
Generate README / generate-parameters (push) Failing after 28s
Details
Markdown linter / markdown-lint (push) Successful in 17s
Details

Browse Source
This commit is contained in:
Markus Pesch
2025-10-12 17:21:05 +02:00
parent bab5282617
commit fbd846784c
7 changed files with 243 additions and 496 deletions
Download Patch File Download Diff File Expand all files Collapse all files

445
README.md
View File

@@ -2,371 +2,146 @@
[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/volker-raschek)](https://artifacthub.io/packages/search?repo=volker-raschek) [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/volker-raschek)](https://artifacthub.io/packages/search?repo=volker-raschek)
This is an inofficial helm chart of the go-proxy > [!NOTE]
[athens](https://github.com/gomods/athens) which supports more complex > This is not the official helm chart of Athens Go Proxy. If you are looking for the official helm chart, checkout the
configuration options. > GitHub project [gomods/athens-charts](https://github.com/gomods/athens-charts).
This helm chart can be found on [artifacthub.io](https://artifacthub.io/) and This helm chart enables the deployment of [Athens Go Proxy](https://github.com/gomods/athens), a module datastore and
can be installed via helm. proxy for Golang.
The helm chart supports the individual configuration of additional containers/initContainers, mounting of volumes,
defining additional environment variables and much more.
Chapter [configuration and installation](#helm-configuration-and-installation) describes the basics how to configure
helm and use it to deploy the exporter. It also contains further configuration examples.
Furthermore, this helm chart contains unit tests to detect regressions and stabilize the deployment. Additionally, this
helm chart is tested for deployment scenarios with **ArgoCD**, but please keep in mind, that this chart supports the
*[Automatically Roll Deployment](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments)*
concept of Helm, which can trigger unexpected rolling releases. Further configuration instructions are described in a
separate [chapter](#argocd).
## Helm: configuration and installation
1. A helm chart repository must be configured, to pull the helm charts from.
2. All available [parameters](#parameters) are documented in detail below. The parameters can be defined via the helm
`--set` flag or directly as part of a `values.yaml` file. The following example defines the repository and use the
`--set` flag for a basic deployment.
```bash ```bash
helm repo add volker.raschek https://charts.cryptic.systems/volker.raschek helm repo add volker.raschek https://charts.cryptic.systems/volker.raschek
helm repo update
helm install athens-proxy volker.raschek/athens-proxy helm install athens-proxy volker.raschek/athens-proxy
``` ```
## Customization Instead of passing all parameters via the *set* flag, it is also possible to define them as part of the `values.yaml`.
The following command downloads the `values.yaml` for a specific version of this chart. Please keep in mind, that the
version of the chart must be in sync with the `values.yaml`. Newer *minor* versions can have new features. New *major*
versions can break something!
The complete deployment can be adapted via the `values.yaml` files. The ```bash
configuration of the proxy can be done via the environment variables described CHART_VERSION=0.3.0
below or via mounting the config.toml as additional persistent volume to helm show values volker.raschek/athens-proxy --version "${CHART_VERSION}" > values.yaml
`/config/config.toml`
## Access private repositories via SSH
Create a `configmap.yaml` with multiple keys. One key describe the content of
the `.gitconfig` file and another of `config` of the ssh client. All requests
Git clone comands with the prefix `http://github.com/` will be replaced by
`git@github.com:` to use SSH instead of HTTPS. The SSH keys are stored in a
separate secret.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: custom-configs
data:
sshconfig: |
Host github.com
IdentityFile /root/.ssh/id_ed25519
StrictHostKeyChecking no
gitconfig: |
[url "git@github.com:"]
insteadOf = https://github.com/
``` ```
The secret definition below contains the SSH private and public key. A complete list of available helm chart versions can be displayed via the following command:
```yaml ```bash
apiVersion: v1 helm search repo reposilite --versions
kind: Secret
metadata:
name: custom-ssh-keys
type: Opaque
stringData:
id_ed25519: |
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCpf/10TWlksg6/5mZF067fTGvW71I5QVJEp/nyC8hVHgAAAJgwWWNdMFlj
XQAAAAtzc2gtZWQyNTUxOQAAACCpf/10TWlksg6/5mZF067fTGvW71I5QVJEp/nyC8hVHg
AAAEDzTPitanzgl6iThoFCx8AXwsGLS5Q+3+K66ZOmN0p6+6l//XRNaWSyDr/mZkXTrt9M
a9bvUjlBUkSn+fILyFUeAAAAEG1hcmt1c0BtYXJrdXMtcGMBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----
id_ed25519.pub: |
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKl//XRNaWSyDr/mZkXTrt9Ma9bvUjlBUkSn+fILyFUe
``` ```
The item `config` of the configmap will be merged with the items of the secret The helm chart also contains a persistent volume claim definition. It persistent volume claim is not enabled by default.
as virtual volume. This volume can than be mounted with special permissions Use the `--set` argument to persist your data.
required for the ssh client.
```yaml ```bash
extraVolumes: CHART_VERSION=0.3.0
- name: ssh helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-proxy \
projected: persistence.enabled=true
defaultMode: 0644
sources:
- configMap:
name: custom-configs
items:
- key: sshconfig
path: config
- secret:
name: custom-ssh-keys
items:
- key: id_ed25519
path: id_ed25519
mode: 0600
- key: id_ed25519.pub
path: id_ed25519.pub
- name: gitconfig
configMap:
name: custom-configs
items:
- key: gitconfig
path: config
mode: 0644
extraVolumeMounts:
- name: ssh
mountPath: /root/.ssh
- name: gitconfig
mountPath: /root/.config/git
``` ```
## Access private GitHub.com repositories via developer token ### Examples
Another way to access private GitHub repositories is via a GitHub token, which The following examples serve as individual configurations and as inspiration for how deployment problems can be solved.
can be set via the environment variable `GITHUB_TOKEN`. Athens automatically
creates a `.netrc` file to access private GitHub repositories.
## Access private repositories via .netrc configuration #### Network policies
As describe above, a `.netrc` file is responsible for the authentication via Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom
HTTP. The file can also be defined via a custom secret and mounted into the home network policy implementation of CNI plugins. It's support only the official API resource of `networking.k8s.io/v1`.
directory of `root` for general authentication purpose.
The example below describe the definition and mounting of a custom `.netrc` file The example below is an excerpt of the `values.yaml` file. The network policy contains ingress rules to allow incoming
to access private repositories hosted on GitHub and GitLab. traffic from an ingress controller. Additionally two egress rules are defined. The first one to allow the application
outgoing access to the internal running DNS server `core-dns`. The second rule to be able to access the Apache Maven
Central repository via HTTPS.
> [!IMPORTANT]
> Please keep in mind, that the namespace and pod selector labels can be different from environment to environment. For
> this reason, there is are not default network policy rules defined.
```yaml ```yaml
apiVersion: v1 networkPolicies:
kind: Secret enabled: true
metadata: annotations: {}
name: custom-netrc labels: {}
type: Opaque policyTypes:
stringData: - Egress
netrc: | - Ingress
machine github.com login USERNAME password API-KEY egress:
machine gitlab.com login USERNAME password API-KEY - to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- port: 53
protocol: TCP
- port: 53
protocol: UDP
- ports:
- port: 443
protocol: TCP
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: ingress-nginx
podSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
ports:
- port: http
protocol: TCP
``` ```
The file must then be mounted via extraVolumes and extraVolumeMounts. ## ArgoCD
```yaml ### Daily execution of rolling updates
extraVolumes:
- name: netrc
secret:
secretName: custom-netrc
items:
- key: netrc
path: .netrc
mode: 0600
extraVolumeMounts: The behavior whereby ArgoCD triggers a rolling update even though nothing appears to have changed often occurs in
- name: netrc connection with the helm concept `checksum/secret`, `checksum/configmap` or more generally, [Automatically Roll
mountPath: /root Deployments](https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).
```
## Persistent storage The problem with combining this concept with ArgoCD is that ArgoCD re-renders the Helm chart every time. Even if the
content of the config map or secret has not changed, there may be minimal differences (e.g., whitespace, chart version,
Helm render order, different timestamps).
Unlike the athens default, the default here is `disk` - i.e. the files are This changes the SHA256 hash, Argo sees a drift and trigger a rolling update of the deployment. Among other things, this
written to the container. Therefore, it is advisable to outsource the can lead to unnecessary notifications from ArgoCD.
corresponding storage location to persistent storage. The following example
describes the integration of a persistent storage claim.
```yaml To avoid this, the annotation with the shasum must be ignored. Below is a diff that adds the `Application` to ignore all
extraVolumes: annotations with the prefix `checksum`.
- name: gomodules
persistentVolumeClaim:
claimName: custom-gomodules-pvc
extraVolumeMounts: ```diff
- name: gomodules apiVersion: argoproj.io/v1alpha1
mountPath: /var/lib/athens kind: Application
spec:
+ ignoreDifferences:
+ - group: apps/v1
+ kind: Deployment
+ jqPathExpressions:
+ - '.spec.template.metadata.annotations | with_entries(select(.key | startswith("checksum")))'
``` ```
## Parameters ## Parameters
### Global
| Name | Description | Value |
| ------------------ | ----------------------------------------- | ----- |
| `nameOverride` | Individual release name suffix. | `""` |
| `fullnameOverride` | Override the complete release name logic. | `""` |
### Configuration
| Name | Description | Value |
| ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `config.env.existingSecret.enabled` | Mount an existing secret containing the application specific environment variables. | `false` |
| `config.env.existingSecret.secretName` | Name of the existing secret containing the application specific environment variables. | `""` |
| `config.env.secret.annotations` | Additional annotations of the secret containing the database credentials. | `{}` |
| `config.env.secret.labels` | Additional labels of the secret containing the database credentials. | `{}` |
| `config.env.secret.envs` | List of environment variables stored in a secret and mounted into the container. | `{}` |
| `config.downloadMode.enabled` | Enable mounting of a download mode file into the container file system. If enabled, the env `ATHENS_DOWNLOAD_MODE` will automatically be defined. | `false` |
| `config.downloadMode.existingConfigMap.enabled` | Enable to use an external config map for mounting the download mode file. | `false` |
| `config.downloadMode.existingConfigMap.configMapName` | The name of the existing config map which should be used to mount the download mode file. | `""` |
| `config.downloadMode.existingConfigMap.downloadModeKey` | The name of the key inside the config map where the content of the download mode file is stored. | `downloadMode` |
| `config.downloadMode.configMap.annotations` | Additional annotations of the config map containing the download mode file. | `{}` |
| `config.downloadMode.configMap.labels` | Additional labels of the config map containing the download mode file. | `{}` |
| `config.downloadMode.configMap.content` | The content of the download mode file. | `downloadURL = "https://proxy.golang.org"
mode = "async_redirect"
# download "github.com/gomods/*" {
# mode = "sync"
# }
#
# download "golang.org/x/*" {
# mode = "none"
# }
#
# download "github.com/pkg/*" {
# mode = "redirect"
# downloadURL = "https://gocenter.io"
# }
` |
| `config.gitConfig.enabled` | Enable mounting of a .gitconfig file into the container file system. | `false` |
| `config.gitConfig.existingConfigMap.enabled` | Enable to use an external config map for mounting the .gitconfig file. | `false` |
| `config.gitConfig.existingConfigMap.configMapName` | The name of the existing config map which should be used to mount the .gitconfig file. | `""` |
| `config.gitConfig.existingConfigMap.gitConfigKey` | The name of the key inside the config map where the content of the .gitconfig file is stored. | `nil` |
| `config.gitConfig.configMap.annotations` | Additional annotations of the config map containing the .gitconfig file. | `{}` |
| `config.gitConfig.configMap.labels` | Additional labels of the config map containing the .gitconfig file. | `{}` |
| `config.gitConfig.configMap.content` | The content of the .gitconfig file. | `# The .gitconfig file
#
# The .gitconfig file contains the user specific git configuration. It generally resides in the user's home
# directory.
#
# [url "git@github.com:"] insteadOf = https://github.com/
` |
| `config.netrc.enabled` | Enable mounting of a .netrc file into the container file system. | `false` |
| `config.netrc.existingSecret.enabled` | Enable to use an external secret for mounting the .netrc file. | `false` |
| `config.netrc.existingSecret.secretName` | The name of the existing secret which should be used to mount the .netrc file. | `""` |
| `config.netrc.existingSecret.netrcKey` | The name of the key inside the secret where the content of the .netrc file is stored. | `.netrc` |
| `config.netrc.secret.annotations` | Additional annotations of the secret containing the database credentials. | `{}` |
| `config.netrc.secret.labels` | Additional labels of the secret containing the database credentials. | `{}` |
| `config.netrc.secret.content` | The content of the .netrc file. | `# The .netrc file
#
# The .netrc file contains login and initialization information used by the auto-login process. It generally
# resides in the user's home directory, but a location outside of the home directory can be set using the
# environment variable NETRC. Both locations are overridden by the command line option -N. The selected file
# must be a regular file, or access will be denied.
#
# https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html
#
# default login [name] password [password/token]
# machine github.com [octocat] password [PAT]
# machine api.github.com [octocat] password [PAT]
` |
| `config.ssh.enabled` | Enable mounting of a .netrc file into the container file system. | `false` |
| `config.ssh.existingSecret.enabled` | Enable to use an external secret for mounting the public and private SSH key files. | `false` |
| `config.ssh.existingSecret.secretName` | The name of the existing secret which should be used to mount the public and private SSH key files. | `""` |
| `config.ssh.existingSecret.configKey` | The name of the key inside the secret where the content of the SSH client config file is stored. | `config` |
| `config.ssh.existingSecret.id_ed25519Key` | The name of the key inside the secret where the content of the id_ed25519 key file is stored. | `id_ed25519` |
| `config.ssh.existingSecret.id_ed25519PubKey` | The name of the key inside the secret where the content of the id_ed25519.pub key file is stored. | `id_ed25519.pub` |
| `config.ssh.existingSecret.id_rsaKey` | The name of the key inside the secret where the content of the id_rsa key file is stored. | `id_rsa` |
| `config.ssh.existingSecret.id_rsaPubKey` | The name of the key inside the secret where the content of the id_ed25519.pub key file is stored. | `id_rsa.pub` |
| `config.ssh.secret.annotations` | Additional annotations of the secret containing the public and private SSH key files. | `{}` |
| `config.ssh.secret.labels` | Additional labels of the secret containing the public and private SSH key files. | `{}` |
| `config.ssh.secret.config` | The content of the SSH client config file. | `# Host *
# IdentityFile ~/.ssh/id_ed25519
# IdentityFile ~/.ssh/id_rsa
` |
### Deployment
| Name | Description | Value |
| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------- |
| `deployment.annotations` | Additional deployment annotations. | `{}` |
| `deployment.labels` | Additional deployment labels. | `{}` |
| `deployment.additionalContainers` | List of additional containers. | `[]` |
| `deployment.affinity` | Affinity for the athens-proxy deployment. | `{}` |
| `deployment.initContainers` | List of additional init containers. | `[]` |
| `deployment.dnsConfig` | dnsConfig of the athens-proxy deployment. | `{}` |
| `deployment.dnsPolicy` | dnsPolicy of the athens-proxy deployment. | `""` |
| `deployment.hostname` | Individual hostname of the pod. | `""` |
| `deployment.subdomain` | Individual domain of the pod. | `""` |
| `deployment.hostNetwork` | Use the kernel network namespace of the host system. | `false` |
| `deployment.imagePullSecrets` | Secret to use for pulling the image. | `[]` |
| `deployment.athensProxy.args` | Arguments passed to the athens-proxy container. | `[]` |
| `deployment.athensProxy.command` | Command passed to the athens-proxy container. | `[]` |
| `deployment.athensProxy.env` | List of environment variables for the athens-proxy container. | `[]` |
| `deployment.athensProxy.envFrom` | List of environment variables mounted from configMaps or secrets for the athens-proxy container. | `[]` |
| `deployment.athensProxy.image.registry` | Image registry, eg. `docker.io`. | `docker.io` |
| `deployment.athensProxy.image.repository` | Image repository, eg. `library/busybox`. | `gomods/athens` |
| `deployment.athensProxy.image.tag` | Custom image tag, eg. `0.1.0`. Defaults to `appVersion`. | `""` |
| `deployment.athensProxy.image.pullPolicy` | Image pull policy. | `IfNotPresent` |
| `deployment.athensProxy.resources` | CPU and memory resources of the pod. | `{}` |
| `deployment.athensProxy.securityContext` | Security context of the container of the deployment. | `{}` |
| `deployment.athensProxy.volumeMounts` | Additional volume mounts. | `[]` |
| `deployment.nodeSelector` | NodeSelector of the athens-proxy deployment. | `{}` |
| `deployment.priorityClassName` | PriorityClassName of the athens-proxy deployment. | `""` |
| `deployment.replicas` | Number of replicas for the athens-proxy deployment. | `1` |
| `deployment.restartPolicy` | Restart policy of the athens-proxy deployment. | `""` |
| `deployment.securityContext` | Security context of the athens-proxy deployment. | `{}` |
| `deployment.strategy.type` | Strategy type - `Recreate` or `RollingUpdate`. | `RollingUpdate` |
| `deployment.strategy.rollingUpdate.maxSurge` | The maximum number of pods that can be scheduled above the desired number of pods during a rolling update. | `1` |
| `deployment.strategy.rollingUpdate.maxUnavailable` | The maximum number of pods that can be unavailable during a rolling update. | `1` |
| `deployment.terminationGracePeriodSeconds` | How long to wait until forcefully kill the pod. | `60` |
| `deployment.tolerations` | Tolerations of the athens-proxy deployment. | `[]` |
| `deployment.topologySpreadConstraints` | TopologySpreadConstraints of the athens-proxy deployment. | `[]` |
| `deployment.volumes` | Additional volumes to mount into the pods of the prometheus-exporter deployment. | `[]` |
### Horizontal Pod Autoscaler (HPA)
| Name | Description | Value |
| ----------------- | -------------------------------------------------------------------------------------------------- | ----------- |
| `hpa.enabled` | Enable the horizontal pod autoscaler (HPA). | `false` |
| `hpa.annotations` | Additional annotations for the HPA. | `{}` |
| `hpa.labels` | Additional labels for the HPA. | `{}` |
| `hpa.metrics` | Metrics contains the specifications for which to use to calculate the desired replica count. | `undefined` |
| `hpa.minReplicas` | Min replicas is the lower limit for the number of replicas to which the autoscaler can scale down. | `1` |
| `hpa.maxReplicas` | Upper limit for the number of pods that can be set by the autoscaler. | `10` |
### Ingress
| Name | Description | Value |
| --------------------- | -------------------------------------------------------------------------------------------------------------------- | ------- |
| `ingress.enabled` | Enable creation of an ingress resource. Requires, that the http service is also enabled. | `false` |
| `ingress.className` | Ingress class. | `nginx` |
| `ingress.annotations` | Additional ingress annotations. | `{}` |
| `ingress.labels` | Additional ingress labels. | `{}` |
| `ingress.hosts` | Ingress specific configuration. Specification only required when another ingress controller is used instead of `t1k. | `[]` |
| `ingress.tls` | Ingress TLS settings. Specification only required when another ingress controller is used instead of `t1k``. | `[]` |
### Persistence
| Name | Description | Value |
| -------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- |
| `persistence.enabled` | Enable the feature to store the data on a persistent volume claim. If enabled, the volume will be automatically be mounted into the pod. Furthermore, the env `ATHENS_STORAGE_TYPE=disk` will automatically be defined. | `false` |
| `persistence.data.mountPath` | The path where the persistent volume should be mounted in the container file system. This variable controls `ATHENS_DISK_STORAGE_ROOT`. | `/var/www/athens-proxy/data` |
| `persistence.data.existingPersistentVolumeClaim.enabled` | TODO | `false` |
| `persistence.data.existingPersistentVolumeClaim.persistentVolumeClaimName` | TODO | `""` |
| `persistence.data.persistentVolumeClaim.annotations` | Additional persistent volume claim annotations. | `{}` |
| `persistence.data.persistentVolumeClaim.labels` | Additional persistent volume claim labels. | `{}` |
| `persistence.data.persistentVolumeClaim.accessModes` | Access modes of the persistent volume claim. | `["ReadWriteMany"]` |
| `persistence.data.persistentVolumeClaim.storageClass` | Storage class of the persistent volume claim. | `""` |
| `persistence.data.persistentVolumeClaim.storageSize` | Size of the persistent volume claim. | `5Gi` |
### NetworkPolicies
| Name | Description | Value |
| ------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------- |
| `networkPolicies.enabled` | Enable network policies in general. | `false` |
| `networkPolicies.default.enabled` | Enable the network policy for accessing the application by default. For example to scape the metrics. | `false` |
| `networkPolicies.default.annotations` | Additional network policy annotations. | `{}` |
| `networkPolicies.default.labels` | Additional network policy labels. | `{}` |
| `networkPolicies.default.policyTypes` | List of policy types. Supported is ingress, egress or ingress and egress. | `[]` |
| `networkPolicies.default.egress` | Concrete egress network policy implementation. | `[]` |
| `networkPolicies.default.ingress` | Concrete ingress network policy implementation. | `[]` |
### Service
| Name | Description | Value |
| ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
| `services.http.enabled` | Enable the service. | `true` |
| `services.http.annotations` | Additional service annotations. | `{}` |
| `services.http.externalIPs` | External IPs for the service. | `[]` |
| `services.http.externalTrafficPolicy` | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation. | `Cluster` |
| `services.http.internalTrafficPolicy` | If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic. | `Cluster` |
| `services.http.ipFamilies` | IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization. | `[]` |
| `services.http.labels` | Additional service labels. | `{}` |
| `services.http.loadBalancerClass` | LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`. | `""` |
| `services.http.loadBalancerIP` | LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`. | `""` |
| `services.http.loadBalancerSourceRanges` | Source range filter for LoadBalancer. Requires service from type `LoadBalancer`. | `[]` |
| `services.http.port` | Port to forward the traffic to. | `3000` |
| `services.http.sessionAffinity` | Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`. | `None` |
| `services.http.sessionAffinityConfig` | Contains the configuration of the session affinity. | `{}` |
| `services.http.type` | Kubernetes service type for the traffic. | `ClusterIP` |
### ServiceAccount
| Name | Description | Value |
| ------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `serviceAccount.existing.enabled` | Use an existing service account instead of creating a new one. Assumes that the user has all the necessary kubernetes API authorizations. | `false` |
| `serviceAccount.existing.serviceAccountName` | Name of the existing service account. | `""` |
| `serviceAccount.new.annotations` | Additional service account annotations. | `{}` |
| `serviceAccount.new.labels` | Additional service account labels. | `{}` |
| `serviceAccount.new.automountServiceAccountToken` | Enable/disable auto mounting of the service account token. | `true` |
| `serviceAccount.new.imagePullSecrets` | ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images in pods that reference this serviceAccount. | `[]` |
| `serviceAccount.new.secrets` | Secrets is the list of secrets allowed to be used by pods running using this ServiceAccount. | `[]` |

19
templates/_networkPolicies.tpl
View File

@@ -1,19 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/* annotations */}}
{{- define "athens-proxy.networkPolicies.annotations" -}}
{{ include "athens-proxy.annotations" .context }}
{{- if .networkPolicy.annotations }}
{{ toYaml .networkPolicy.annotations }}
{{- end }}
{{- end }}
{{/* labels */}}
{{- define "athens-proxy.networkPolicies.labels" -}}
{{ include "athens-proxy.labels" .context }}
{{- if .networkPolicy.labels }}
{{ toYaml .networkPolicy.labels }}
{{- end }}
{{- end }}

19
templates/_networkPolicy.tpl Normal file
View File

@@ -0,0 +1,19 @@
{{/* vim: set filetype=mustache: */}}
{{/* annotations */}}
{{- define "athens-proxy.networkPolicy.annotations" -}}
{{ include "athens-proxy.annotations" . }}
{{- if .Values.networkPolicy.annotations }}
{{ toYaml .Values.networkPolicy.annotations }}
{{- end }}
{{- end }}
{{/* labels */}}
{{- define "athens-proxy.networkPolicy.labels" -}}
{{ include "athens-proxy.labels" . }}
{{- if .Values.networkPolicy.labels }}
{{ toYaml .Values.networkPolicy.labels }}
{{- end }}
{{- end }}

36
templates/networkPolicies.yaml
View File

@@ -1,36 +0,0 @@
{{- if .Values.networkPolicies.enabled }}
{{- range $key, $value := .Values.networkPolicies -}}
{{- if and (not (eq $key "enabled")) $value.enabled }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
{{- with (include "athens-proxy.networkPolicies.annotations" (dict "networkPolicy" $value "context" $) | fromYaml) }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with (include "athens-proxy.networkPolicies.labels" (dict "networkPolicy" $value "context" $) | fromYaml) }}
labels:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ printf "%s-%s" (include "athens-proxy.fullname" $ ) $key }}
namespace: {{ $.Release.Namespace }}
spec:
podSelector:
matchLabels:
{{- include "athens-proxy.pod.selectorLabels" $ | nindent 6 }}
{{- with $value.policyTypes }}
policyTypes:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with $value.egress }}
egress:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with $value.ingress }}
ingress:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

32
templates/networkPolicy.yaml Normal file
View File

@@ -0,0 +1,32 @@
{{- if .Values.networkPolicy.enabled }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
{{- with (include "athens-proxy.networkPolicy.annotations" . | fromYaml) }}
annotations:
{{- tpl (toYaml .) $ | nindent 4 }}
{{- end }}
{{- with (include "athens-proxy.networkPolicy.labels" . | fromYaml) }}
labels:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "athens-proxy.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
{{- include "athens-proxy.pod.selectorLabels" $ | nindent 6 }}
{{- with .Values.networkPolicy.policyTypes }}
policyTypes:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.networkPolicy.egress }}
egress:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.networkPolicy.ingress }}
ingress:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}

58
unittests/networkPolicies/default.yaml → unittests/networkPolicy/networkPolicy.yaml
View File

@@ -1,49 +1,30 @@
chart: chart:
appVersion: 0.1.0 appVersion: 0.1.0
version: 0.1.0 version: 0.1.0
suite: NetworkPolicies template suite: NetworkPolicy template
release: release:
name: athens-proxy-unittest name: athens-proxy-unittest
namespace: testing namespace: testing
templates: templates:
- templates/networkPolicies.yaml - templates/networkPolicy.yaml
tests: tests:
- it: Skip networkPolicies in general disabled. - it: Skip rendering networkPolicy
set: set:
networkPolicies.enabled: false networkPolicy.enabled: false
asserts: asserts:
- hasDocuments: - hasDocuments:
count: 0 count: 0
- it: Skip networkPolicy 'default' when disabled. - it: Render default networkPolicy
set: set:
networkPolicies.enabled: true networkPolicy.enabled: true
networkPolicies.default.enabled: false
asserts: asserts:
- hasDocuments: - hasDocuments:
count: 0 count: 1
- it: Loop over networkPolicies
set:
networkPolicies.enabled: true
networkPolicies.default.enabled: false
networkPolicies.nginx.enabled: true
networkPolicies.prometheus.enabled: true
asserts:
- hasDocuments:
count: 2
- it: Template networkPolicy 'default' without policyTypes, egress and ingress configuration
set:
networkPolicies.enabled: true
networkPolicies.default.enabled: true
asserts:
- hasDocuments:
count: 1
- containsDocument: - containsDocument:
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy kind: NetworkPolicy
name: athens-proxy-unittest-default name: athens-proxy-unittest
namespace: testing namespace: testing
- notExists: - notExists:
path: metadata.annotations path: metadata.annotations
@@ -67,29 +48,28 @@ tests:
- notExists: - notExists:
path: spec.ingress path: spec.ingress
- it: Template networkPolicy 'default' with policyTypes, egress and ingress configuration - it: Template networkPolicy with policyTypes, egress and ingress configuration
set: set:
networkPolicies.enabled: true networkPolicy.enabled: true
networkPolicies.default.enabled: true networkPolicy.policyTypes:
networkPolicies.default.policyTypes:
- Egress - Egress
- Ingress - Ingress
networkPolicies.default.ingress: networkPolicy.ingress:
- from: - from:
- namespaceSelector: - namespaceSelector:
matchLabels: matchLabels:
kubernetes.io/metadata.name: khv-production kubernetes.io/metadata.name: monitoring
podSelector: podSelector:
matchLabels: matchLabels:
app.kubernetes.io/name: prometheus app.kubernetes.io/name: prometheus
networkPolicies.default.egress: networkPolicy.egress:
- to: - to:
- namespaceSelector: - namespaceSelector:
matchLabels: matchLabels:
kubernetes.io/metadata.name: database kubernetes.io/metadata.name: ingress-nginx
podSelector: podSelector:
matchLabels: matchLabels:
app.kubernetes.io/name: oracle app.kubernetes.io/name: ingress-nginx
asserts: asserts:
- equal: - equal:
path: spec.policyTypes path: spec.policyTypes
@@ -102,17 +82,17 @@ tests:
- to: - to:
- namespaceSelector: - namespaceSelector:
matchLabels: matchLabels:
kubernetes.io/metadata.name: database kubernetes.io/metadata.name: ingress-nginx
podSelector: podSelector:
matchLabels: matchLabels:
app.kubernetes.io/name: oracle app.kubernetes.io/name: ingress-nginx
- equal: - equal:
path: spec.ingress path: spec.ingress
value: value:
- from: - from:
- namespaceSelector: - namespaceSelector:
matchLabels: matchLabels:
kubernetes.io/metadata.name: khv-production kubernetes.io/metadata.name: monitoring
podSelector: podSelector:
matchLabels: matchLabels:
app.kubernetes.io/name: prometheus app.kubernetes.io/name: prometheus

130
values.yaml
View File

@@ -497,77 +497,73 @@ persistence:
storageClass: "" storageClass: ""
storageSize: "5Gi" storageSize: "5Gi"
## @section NetworkPolicies ## @section Network Policy
## @param networkPolicies.enabled Enable network policies in general. networkPolicy:
networkPolicies: ## @param networkPolicy.enabled Enable network policies in general.
## @param networkPolicy.annotations Additional network policy annotations.
## @param networkPolicy.labels Additional network policy labels.
## @param networkPolicy.policyTypes List of policy types. Supported is ingress, egress or ingress and egress.
## @param networkPolicy.egress Concrete egress network policy implementation.
## @skip networkPolicy.egress Skip individual egress configuration.
## @param networkPolicy.ingress Concrete ingress network policy implementation.
## @skip networkPolicy.ingress Skip individual ingress configuration.
enabled: false enabled: false
annotations: {}
labels: {}
policyTypes: []
# - Egress
# - Ingress
egress: []
# Allow outgoing traffic to database host
#
# - to:
# - ipBlock:
# cidr: 192.168.179.1/32
# ports:
# - port: 5432
# protocol: TCP
## @param networkPolicies.default.enabled Enable the network policy for accessing the application by default. For example to scape the metrics. # Allow outgoing DNS traffic to the internal running DNS-Server. For example core-dns.
## @param networkPolicies.default.annotations Additional network policy annotations. #
## @param networkPolicies.default.labels Additional network policy labels. # - to:
## @param networkPolicies.default.policyTypes List of policy types. Supported is ingress, egress or ingress and egress. # - namespaceSelector:
## @param networkPolicies.default.egress Concrete egress network policy implementation. # matchLabels:
## @skip networkPolicies.default.egress Skip individual egress configuration. # kubernetes.io/metadata.name: kube-system
## @param networkPolicies.default.ingress Concrete ingress network policy implementation. # podSelector:
## @skip networkPolicies.default.ingress Skip individual ingress configuration. # matchLabels:
default: # k8s-app: kube-dns
enabled: false # ports:
annotations: {} # - port: 53
labels: {} # protocol: TCP
policyTypes: [] # - port: 53
# - Egress # protocol: UDP
# - Ingress
egress: []
# Allow outgoing traffic to database host
#
# - to:
# - ipBlock:
# cidr: 192.168.179.1/32
# ports:
# - port: 5432
# protocol: TCP
# Allow outgoing DNS traffic to the internal running DNS-Server. For example core-dns. ingress: []
# # Allow incoming HTTP traffic from prometheus.
# - to: #
# - namespaceSelector: # - from:
# matchLabels: # - namespaceSelector:
# kubernetes.io/metadata.name: kube-system # matchLabels:
# podSelector: # kubernetes.io/metadata.name: monitoring
# matchLabels: # podSelector:
# k8s-app: kube-dns # matchLabels:
# ports: # app.kubernetes.io/name: prometheus
# - port: 53 # ports:
# protocol: TCP # - port: http
# - port: 53 # protocol: TCP
# protocol: UDP
ingress: [] # Allow incoming HTTP traffic from ingress-nginx.
# Allow incoming HTTP traffic from prometheus. #
# # - from:
# - from: # - namespaceSelector:
# - namespaceSelector: # matchLabels:
# matchLabels: # kubernetes.io/metadata.name: ingress-nginx
# kubernetes.io/metadata.name: monitoring # podSelector:
# podSelector: # matchLabels:
# matchLabels: # app.kubernetes.io/name: ingress-nginx
# app.kubernetes.io/name: prometheus # ports:
# ports: # - port: http
# - port: http # protocol: TCP
# protocol: TCP
# Allow incoming HTTP traffic from ingress-nginx.
#
# - from:
# - namespaceSelector:
# matchLabels:
# kubernetes.io/metadata.name: ingress-nginx
# podSelector:
# matchLabels:
# app.kubernetes.io/name: ingress-nginx
# ports:
# - port: http
# protocol: TCP
## @section Service ## @section Service
## @param services.http.enabled Enable the service. ## @param services.http.enabled Enable the service.