feat: automatically roll deployments

The following patch extends the chart to automatically roll the deployment, when
one of the configurations, stored in a config map or secret, has been changed.

The implementation add annotations which triggers `helm update` or ArgoCD to
roll the deployment. Further information can be found on the official helm
website:

  https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments

.gitea/workflows/generate-readme.yaml

@@ -15,7 +15,7 @@ on:
 jobs:
   generate-parameters:
     container:
-      image: docker.io/library/node:22.13.1-alpine
+      image: docker.io/library/node:24.1.0-alpine
     runs-on:
     - ubuntu-latest
     steps:

.gitea/workflows/helm.yaml

@@ -13,7 +13,7 @@ on:
 jobs:
   helm-lint:
     container:
-      image: docker.io/volkerraschek/helm:3.16.4
+      image: docker.io/volkerraschek/helm:3.18.0
     runs-on:
     - ubuntu-latest
     steps:
@@ -28,7 +28,7 @@ jobs:
 
   helm-unittest:
     container:
-      image: docker.io/volkerraschek/helm:3.16.4
+      image: docker.io/volkerraschek/helm:3.18.0
     runs-on:
     - ubuntu-latest
     steps:

.gitea/workflows/markdown-linters.yaml

@@ -15,7 +15,7 @@ on:
 jobs:
   markdown-link-checker:
     container:
-      image: docker.io/library/node:22.13.1-alpine
+      image: docker.io/library/node:24.1.0-alpine
     runs-on:
     - ubuntu-latest
     steps:
@@ -31,7 +31,7 @@ jobs:
 
   markdown-lint:
     container:
-      image: docker.io/library/node:22.13.1-alpine
+      image: docker.io/library/node:24.1.0-alpine
     runs-on:
     - ubuntu-latest
     steps:

.gitea/workflows/release.yaml

@@ -8,7 +8,7 @@ on:
 jobs:
   publish-chart:
     container:
-      image: docker.io/volkerraschek/helm:3.16.4
+      image: docker.io/volkerraschek/helm:3.18.0
     runs-on: ubuntu-latest
     steps:
       - name: Install tooling

Chart.yaml

@@ -2,9 +2,8 @@ apiVersion: v2
 name: prometheus-fail2ban-exporter
 description: Prometheus metric exporter for Fail2Ban
 type: application
-kubeVersion: ">=1.20.0"
 version: "0.1.0"
-appVersion: "0.1.0"
+appVersion: "0.1.1"
 
 # icon: https://annotations.example.com/icon.png
 

Makefile

@@ -4,13 +4,13 @@ CONTAINER_RUNTIME?=$(shell which podman)
 # HELM_IMAGE
 HELM_IMAGE_REGISTRY_HOST?=docker.io
 HELM_IMAGE_REPOSITORY?=volkerraschek/helm
-HELM_IMAGE_VERSION?=3.16.1 # renovate: datasource=docker registryUrl=https://docker.io depName=volkerraschek/helm
+HELM_IMAGE_VERSION?=3.18.0 # renovate: datasource=docker registryUrl=https://docker.io depName=volkerraschek/helm
 HELM_IMAGE_FULLY_QUALIFIED=${HELM_IMAGE_REGISTRY_HOST}/${HELM_IMAGE_REPOSITORY}:${HELM_IMAGE_VERSION}
 
 # NODE_IMAGE
 NODE_IMAGE_REGISTRY_HOST?=docker.io
 NODE_IMAGE_REPOSITORY?=library/node
-NODE_IMAGE_VERSION?=22.9.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=library/node
+NODE_IMAGE_VERSION?=24.1.0-alpine # renovate: datasource=docker registryUrl=https://docker.io depName=docker.io/library/node packageName=library/node
 NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:${NODE_IMAGE_VERSION}
 
 # MISSING DOT

README.md

@@ -1,6 +1,5 @@
 # Prometheus Fail2Ban exporter
 
-[![Build Status](https://drone.cryptic.systems/api/badges/volker.raschek/prometheus-fail2ban-exporter/status.svg)](https://drone.cryptic.systems/volker.raschek/prometheus-fail2ban-exporter)
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/prometheus-exporters)](https://artifacthub.io/packages/search?repo=prometheus-exporters)
 
 This helm chart enables the deployment of a Prometheus metrics exporter for Fail2Ban and allows the individual
@@ -20,7 +19,7 @@ helm chart is tested for deployment scenarios with **ArgoCD**.
 ## Helm: configuration and installation
 
 1. A helm chart repository must be configured, to pull the helm charts from.
-2. All available parameters are [here](#parameters) in detail documented. The parameters can be defined via the helm
+2. All available [parameters](#parameters) are documented in detail below. The parameters can be defined via the helm
    `--set` flag or directly as part of a `values.yaml` file. The following example defines the `prometheus-exporter`
    repository and use the `--set` flag for a basic deployment.
 
@@ -43,7 +42,7 @@ version of the chart must be in sync with the `values.yaml`. Newer *minor* versi
 versions can break something!
 
 ```bash
-CHART_VERSION=0.2.0
+CHART_VERSION=0.3.1
 helm show values prometheus-exporters/prometheus-fail2ban-exporter --version "${CHART_VERSION}" > values.yaml
 ```
 
@@ -68,14 +67,17 @@ cannot use the available CPU time to perform computing operations.
 
 The application must be informed that despite several CPUs only a part (limit) of the available computing time is
 available. As this is a Golang application, this can be implemented using `GOMAXPROCS`. The following example is one way
-of defining `GOMAXPROCS` automatically based on the defined CPU limit like `100m`. Please keep in mind, that the CFS
+of defining `GOMAXPROCS` automatically based on the defined CPU limit like `1000m`. Please keep in mind, that the CFS
 rate of `100ms` - default on each kubernetes node, is also very important to avoid CPU throttling.
 
-Further information about this topic can be found [here](https://kanishk.io/posts/cpu-throttling-in-containerized-go-apps/).
+Further information about this topic can be found in one of Kanishk's blog
+[posts](https://kanishk.io/posts/cpu-throttling-in-containerized-go-apps/).
 
 > [!NOTE]
 > The environment variable `GOMAXPROCS` is set automatically, when a CPU limit is defined. An explicit configuration is
 > not anymore required.
+>
+> Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
 
 ```bash
 helm install prometheus-fail2ban-exporter prometheus-exporters/prometheus-fail2ban-exporter \
@@ -83,7 +85,7 @@ helm install prometheus-fail2ban-exporter prometheus-exporters/prometheus-fail2b
   --set 'prometheus.metrics.serviceMonitor.enabled=true' \
   --set 'daemonSet.fail2banExporter.env.name=GOMAXPROCS' \
   --set 'daemonSet.fail2banExporter.env.valueFrom.resourceFieldRef.resource=limits.cpu' \
-  --set 'daemonSet.fail2banExporter.resources.limits.cpu=100m'
+  --set 'daemonSet.fail2banExporter.resources.limits.cpu=1000m'
 ```
 
 <!--
@@ -146,6 +148,56 @@ helm install prometheus-fail2ban-exporter prometheus-exporters/prometheus-fail2b
   --set 'grafana.enabled=true'
 ```
 
+### Network policies
+
+Network policies can only take effect, when the used CNI plugin support network policies. The chart supports no custom
+network policy implementation of CNI plugins. It's support only the official API resource of `networking.k8s.io/v1`.
+
+The object networkPolicies can contains multiple networkPolicy definitions. There is currently only one example
+predefined - it's named `default`. Further networkPolicy rules can easy be added by defining additional objects. For example:
+
+> [!NOTE]
+> The structure of each custom network policy must be equal like that of default. For this reason don't forget to define
+> `annotations`, `labels` and the other properties as well.
+
+```yaml
+networkPolicies:
+  enabled: false
+  default: {}
+  my-custom-network-policy: {}
+```
+
+The example below is an excerpt of the `values.yaml` file. The network policy `default` contains ingress rules to allow
+incoming traffic from Prometheus.
+
+> [!IMPORTANT]
+> Please keep in mind, that the namespace and pod selector labels can be different from environment to environment. For
+> this reason, there is are not default network policy rules defined.
+
+```yaml
+networkPolicies:
+  enabled: true
+  default:
+    enabled: true
+    annotations: {}
+    labels: {}
+    policyTypes:
+    - Egress
+    - Ingress
+    egress: []
+    ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: monitoring
+        podSelector:
+          matchLabels:
+            app.kubernetes.io/name: prometheus
+      ports:
+      - port: http
+        protocol: TCP
+```
+
 ## Parameters
 
 ### Global
@@ -229,11 +281,17 @@ helm install prometheus-fail2ban-exporter prometheus-exporters/prometheus-fail2b
 | --------------------- | ---------------------- | ----- |
 | `podDisruptionBudget` | Pod disruption budget. | `{}`  |
 
-### Network
+### NetworkPolicies
 
-| Name              | Description                                                                                                        | Value |
-| ----------------- | ------------------------------------------------------------------------------------------------------------------ | ----- |
-| `networkPolicies` | Deploy network policies based on the used container network interface (CNI) implementation - like calico or weave. | `{}`  |
+| Name                                  | Description                                                                                           | Value   |
+| ------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------- |
+| `networkPolicies.enabled`             | Enable network policies in general.                                                                   | `false` |
+| `networkPolicies.default.enabled`     | Enable the network policy for accessing the application by default. For example to scape the metrics. | `false` |
+| `networkPolicies.default.annotations` | Additional network policy annotations.                                                                | `{}`    |
+| `networkPolicies.default.labels`      | Additional network policy labels.                                                                     | `{}`    |
+| `networkPolicies.default.policyTypes` | List of policy types. Supported is ingress, egress or ingress and egress.                             | `[]`    |
+| `networkPolicies.default.egress`      | Concrete egress network policy implementation.                                                        | `[]`    |
+| `networkPolicies.default.ingress`     | Concrete ingress network policy implementation.                                                       | `[]`    |
 
 ### Prometheus
 

package.json

@@ -16,6 +16,6 @@
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.5.0",
     "markdown-link-check": "^3.13.6",
-    "markdownlint-cli": "^0.44.0"
+    "markdownlint-cli": "^0.45.0"
   }
 }

renovate.json

@@ -1,6 +1,12 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "assignees": [ "volker.raschek" ],
+  "extends": [
+    "local>volker.raschek/renovate-config:default#master",
+    "local>volker.raschek/renovate-config:container#master",
+    "local>volker.raschek/renovate-config:actions#master",
+    "local>volker.raschek/renovate-config:npm#master",
+    "local>volker.raschek/renovate-config:regexp#master"
+  ],
   "customManagers": [
     {
       "fileMatch": [
@@ -25,24 +31,12 @@
       "versioningTemplate": "semver"
     }
   ],
-  "labels": [ "renovate" ],
-  "lockFileMaintenance": {
-    "enabled": true
-  },
   "packageRules": [
     {
-      "addLabels": [ "renovate/automerge", "renovate/npm" ],
-      "automerge": true,
-      "matchPackageNames": [
-        "markdownlint-cli",
-        "markdown-link-check",
-        "@bitnami/readme-generator-for-helm"
+      "addLabels": [
+        "renovate/automerge",
+        "renovate/container"
       ],
-      "matchManagers": [ "npm" ],
-      "matchUpdateTypes": [ "minor", "patch"]
-    },
-    {
-      "addLabels": [ "renovate/automerge", "renovate/container" ],
       "automerge": true,
       "excludePackagePatterns": [
         "volker.raschek/prometheus-fail2ban-exporter"
@@ -54,8 +48,21 @@
         "minor",
         "patch"
       ]
+    },
+    {
+      "addLabels": [
+        "renovate/automerge",
+        "renovate/documentation"
+      ],
+      "automerge": true,
+      "matchDepNames": [
+        "volker.raschek/prometheus-fail2ban-exporter-charts"
+      ],
+      "matchUpdateTypes": [
+        "major",
+        "minor",
+        "patch"
+      ]
     }
-  ],
-  "rebaseLabel": "renovate/rebase",
-  "rebaseWhen": "behind-base-branch"
+  ]
 }

templates/prometheus-fail2ban-exporter/_networkPolicies.tpl

@@ -0,0 +1,19 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "prometheus-fail2ban-exporter.networkPolicies.annotations" -}}
+{{ include "prometheus-fail2ban-exporter.annotations" .context }}
+{{- if .networkPolicy.annotations }}
+{{ toYaml .networkPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "prometheus-fail2ban-exporter.networkPolicies.labels" -}}
+{{ include "prometheus-fail2ban-exporter.labels" .context }}
+{{- if .networkPolicy.labels }}
+{{ toYaml .networkPolicy.labels }}
+{{- end }}
+{{- end }}

templates/prometheus-fail2ban-exporter/_pod.tpl

@@ -4,6 +4,21 @@
 
 {{- define "prometheus-fail2ban-exporter.pod.annotations" -}}
 {{ include "prometheus-fail2ban-exporter.annotations" . }}
+
+# The following annotations are required to trigger a rolling update. Further information can be found in the official
+# documentation of helm:
+#
+#   https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
+#
+
+{{/* web config */}}
+{{- if and .Values.config.webConfig.existingSecret.enabled .Values.config.webConfig.existingSecret.secretName }}
+{{- $secret := default (dict "data" (dict)) (lookup "v1" "Secret" .Release.Namespace .Values.config.webConfig.existingSecret.secretName ) }}
+checksum/secret-web-config: {{ print $secret.spec | sha256sum }}
+{{- else }}
+checksum/secret-web-config: {{ include (print $.Template.BasePath "/prometheus-fail2ban-exporter/secretWebConfig.yaml") . | sha256sum }}
+{{- end }}
+
 {{- end }}
 
 {{/* labels */}}

templates/prometheus-fail2ban-exporter/configMapGrafanaDashboardFail2BanExporter.yaml

@@ -5,7 +5,7 @@ kind: ConfigMap
 metadata:
   {{- with (include "prometheus-fail2ban-exporter.configMap.grafanaDashboards.fail2banExporter.annotations" . | fromYaml) }}
   annotations:
-    {{- tpl (. | toYaml) $ | nindent 4 }}
+    {{- tpl (toYaml .) $ | nindent 4 }}
   {{- end }}
   {{- with (include "prometheus-fail2ban-exporter.configMap.grafanaDashboards.fail2banExporter.labels" . | fromYaml) }}
   labels:

templates/prometheus-fail2ban-exporter/daemonSet.yaml

@@ -3,7 +3,7 @@ kind: DaemonSet
 metadata:
   {{- with (include "prometheus-fail2ban-exporter.daemonSet.annotations" . | fromYaml) }}
   annotations:
-    {{- tpl (. | toYaml) $ | nindent 4 }}
+    {{- tpl (toYaml .) $ | nindent 4 }}
   {{- end }}
   {{- with (include "prometheus-fail2ban-exporter.daemonSet.labels" . | fromYaml) }}
   labels:
@@ -17,6 +17,8 @@ spec:
       {{- include "prometheus-fail2ban-exporter.pod.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      annotations:
+        {{- include "prometheus-fail2ban-exporter.pod.annotations" . | nindent 8 }}
       labels:
         {{- include "prometheus-fail2ban-exporter.pod.labels" . | nindent 8 }}
     spec:

templates/prometheus-fail2ban-exporter/ingress.yaml

@@ -5,7 +5,7 @@ kind: Ingress
 metadata:
   {{- with (include "prometheus-fail2ban-exporter.ingress.annotations" . | fromYaml) }}
   annotations:
-    {{- tpl (. | toYaml) $ | nindent 4 }}
+    {{- tpl (toYaml .) $ | nindent 4 }}
   {{- end }}
   {{- with (include "prometheus-fail2ban-exporter.ingress.labels" . | fromYaml) }}
   labels:

templates/prometheus-fail2ban-exporter/networkPolicies.yaml

@@ -0,0 +1,36 @@
+{{- if .Values.networkPolicies.enabled }}
+{{- range $key, $value := .Values.networkPolicies -}}
+{{- if and (not (eq $key "enabled")) $value.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  {{- with (include "prometheus-fail2ban-exporter.networkPolicies.annotations" (dict "networkPolicy" $value "context" $) | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with (include "prometheus-fail2ban-exporter.networkPolicies.labels" (dict "networkPolicy" $value "context" $) | fromYaml) }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ printf "%s-%s" (include "prometheus-fail2ban-exporter.fullname" $ ) $key }}
+  namespace: {{ $.Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "prometheus-fail2ban-exporter.pod.selectorLabels" $ | nindent 6 }}
+  {{- with $value.policyTypes }}
+  policyTypes:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+  {{- with $value.egress }}
+  egress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+  {{- with $value.ingress }}
+  ingress:
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

unittests/daemonset/daemonset.yaml

@@ -7,18 +7,22 @@ release:
   namespace: testing
 templates:
 - templates/prometheus-fail2ban-exporter/daemonSet.yaml
+- templates/prometheus-fail2ban-exporter/secretWebConfig.yaml
 tests:
 - it: Rendering default
   asserts:
   - hasDocuments:
       count: 1
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - containsDocument:
       apiVersion: apps/v1
       kind: DaemonSet
       name: prometheus-fail2ban-exporter-unittest
       namespace: testing
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - notExists:
       path: metadata.annotations
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - equal:
       path: metadata.labels
       value:
@@ -27,15 +31,31 @@ tests:
         app.kubernetes.io/name: prometheus-fail2ban-exporter
         app.kubernetes.io/version: 0.1.0
         helm.sh/chart: prometheus-fail2ban-exporter-0.1.0
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+  - exists:
+      path: spec.template.metadata.annotations.checksum/secret-web-config
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
+  - equal:
+      path: spec.template.metadata.labels
+      value:
+        app.kubernetes.io/instance: prometheus-fail2ban-exporter-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: prometheus-fail2ban-exporter
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: prometheus-fail2ban-exporter-0.1.0
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - notExists:
       path: spec.template.spec.affinity
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - notExists:
       path: spec.template.spec.containers[0].envFrom
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - equal:
       path: spec.template.spec.containers[0].args
       value:
       # - --web.config.file=/etc/prometheus-fail2ban-exporter/config.d/webConfig.yaml
       - --web.listen-address=:9191
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - equal:
       path: spec.template.spec.containers[0].volumeMounts
       value:
@@ -43,6 +63,7 @@ tests:
         name: socket
       - mountPath: /etc/prometheus-fail2ban-exporter/config.d
         name: config-d
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - equal:
       path: spec.template.spec.volumes
       value:
@@ -53,42 +74,59 @@ tests:
       - name: config-d
         secret:
           secretName: prometheus-fail2ban-exporter-unittest-web-config
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - equal:
       path: spec.template.spec.containers[0].image
       value: git.cryptic.systems/volker.raschek/prometheus-fail2ban-exporter:0.1.0
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - equal:
       path: spec.template.spec.containers[0].imagePullPolicy
       value: IfNotPresent
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - notExists:
       path: spec.template.spec.containers[0].resources
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - notExists:
       path: spec.template.spec.containers[0].securityContext
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - notExists:
       path: spec.template.spec.dnsConfig
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - notExists:
       path: spec.template.spec.dnsPolicy
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - notExists:
       path: spec.template.spec.hostname
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - equal:
       path: spec.template.spec.hostNetwork
       value: false
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - notExists:
       path: spec.template.spec.imagePullSecrets
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - notExists:
       path: spec.template.spec.nodeSelector
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - notExists:
       path: spec.template.spec.priorityClassName
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - notExists:
       path: spec.template.spec.restartPolicy
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - notExists:
       path: spec.template.spec.subdomain
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - equal:
       path: spec.template.spec.terminationGracePeriodSeconds
       value: 60
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - notExists:
       path: spec.template.spec.tolerations
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - notExists:
       path: spec.template.spec.topologySpreadConstraints
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - equal:
       path: spec.updateStrategy
       value:
@@ -96,6 +134,7 @@ tests:
           maxSurge: 1
           maxUnavailable: 0
         type: "RollingUpdate"
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test custom affinity
   set:
@@ -122,6 +161,7 @@ tests:
                 values:
                 - antarctica-east1
                 - antarctica-west1
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test additional arguments
   set:
@@ -136,6 +176,7 @@ tests:
       - --web.listen-address=:9191
       - --foo=bar
       - --bar=foo
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test custom imageRegistry and imageRepository
   set:
@@ -145,6 +186,7 @@ tests:
   - equal:
       path: spec.template.spec.containers[0].image
       value: registry.example.local/path/special/prometheus-fail2ban-exporter:0.1.0
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test custom imagePullPolicy
   set:
@@ -153,6 +195,7 @@ tests:
   - equal:
       path: spec.template.spec.containers[0].imagePullPolicy
       value: Always
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test config.webConfig.existingSecret
   set:
@@ -166,6 +209,7 @@ tests:
         name: socket
       - mountPath: /etc/prometheus-fail2ban-exporter/config.d
         name: config-d
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - equal:
       path: spec.template.spec.volumes
       value:
@@ -176,6 +220,7 @@ tests:
       - name: config-d
         secret:
           secretName: web-config-secret
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test custom resource limits and requests
   set:
@@ -195,6 +240,7 @@ tests:
           resourceFieldRef:
             divisor: "1"
             resource: limits.cpu
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - equal:
       path: spec.template.spec.containers[0].resources
       value:
@@ -204,6 +250,7 @@ tests:
         requests:
           cpu: 25m
           memory: 100MB
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test custom securityContext
   set:
@@ -230,6 +277,7 @@ tests:
         readOnlyRootFilesystem: true
         runAsNonRoot: true
         runAsUser: 1000
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test dnsConfig
   set:
@@ -244,6 +292,7 @@ tests:
         nameservers:
         - "8.8.8.8"
         - "8.8.4.4"
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test dnsPolicy
   set:
@@ -252,6 +301,7 @@ tests:
   - equal:
       path: spec.template.spec.dnsPolicy
       value: ClusterFirst
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test hostNetwork, hostname, subdomain
   set:
@@ -262,12 +312,15 @@ tests:
   - equal:
       path: spec.template.spec.hostNetwork
       value: true
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - equal:
       path: spec.template.spec.hostname
       value: pg-exporter
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - equal:
       path: spec.template.spec.subdomain
       value: exporters.internal
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test imagePullSecrets
   set:
@@ -280,6 +333,7 @@ tests:
       value:
       - name: my-pull-secret
       - name: my-special-secret
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test nodeSelector
   set:
@@ -290,6 +344,7 @@ tests:
       path: spec.template.spec.nodeSelector
       value:
         foo: bar
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test priorityClassName
   set:
@@ -298,6 +353,7 @@ tests:
   - equal:
       path: spec.template.spec.priorityClassName
       value: my-priority
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test restartPolicy
   set:
@@ -306,6 +362,7 @@ tests:
   - equal:
       path: spec.template.spec.restartPolicy
       value: Always
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test terminationGracePeriodSeconds
   set:
@@ -314,6 +371,7 @@ tests:
   - equal:
       path: spec.template.spec.terminationGracePeriodSeconds
       value: 120
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test tolerations
   set:
@@ -330,6 +388,7 @@ tests:
         operator: Equal
         value: fail2ban
         effect: NoSchedule
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test topologySpreadConstraints
   set:
@@ -348,6 +407,7 @@ tests:
         labelSelector:
           matchLabels:
             app.kubernetes.io/instance: prometheus-fail2ban-exporter
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
 
 - it: Test additional volumeMounts and volumes
   set:
@@ -366,6 +426,7 @@ tests:
         mountPath: /usr/lib/prometheus-fail2ban-exporter/data
       - name: config-d
         mountPath: /etc/prometheus-fail2ban-exporter/config.d
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml
   - equal:
       path: spec.template.spec.volumes
       value:
@@ -374,4 +435,5 @@ tests:
           path: /usr/lib/prometheus-fail2ban-exporter/data
       - name: config-d
         secret:
-          secretName: prometheus-fail2ban-exporter-unittest-web-config
+          secretName: prometheus-fail2ban-exporter-unittest-web-config
+    template: templates/prometheus-fail2ban-exporter/daemonSet.yaml

unittests/networkPolicies/default.yaml

@@ -0,0 +1,118 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: NetworkPolicies template (basic)
+release:
+  name: prometheus-fail2ban-exporter-unittest
+  namespace: testing
+templates:
+- templates/prometheus-fail2ban-exporter/networkPolicies.yaml
+tests:
+- it: Skip networkPolicies in general disabled.
+  set:
+    networkPolicies.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Skip networkPolicy 'default' when disabled.
+  set:
+    networkPolicies.enabled: true
+    networkPolicies.default.enabled: false
+  asserts:
+  - hasDocuments:
+      count: 0
+
+- it: Loop over networkPolicies
+  set:
+    networkPolicies.enabled: true
+    networkPolicies.default.enabled: false
+    networkPolicies.nginx.enabled: true
+    networkPolicies.prometheus.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 2
+
+- it: Template networkPolicy 'default' without policyTypes, egress and ingress configuration
+  set:
+    networkPolicies.enabled: true
+    networkPolicies.default.enabled: true
+  asserts:
+  - hasDocuments:
+      count: 1
+  - containsDocument:
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      name: prometheus-fail2ban-exporter-unittest-default
+      namespace: testing
+  - notExists:
+      path: metadata.annotations
+  - equal:
+      path: metadata.labels
+      value:
+        app.kubernetes.io/instance: prometheus-fail2ban-exporter-unittest
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: prometheus-fail2ban-exporter
+        app.kubernetes.io/version: 0.1.0
+        helm.sh/chart: prometheus-fail2ban-exporter-0.1.0
+  - equal:
+      path: spec.podSelector.matchLabels
+      value:
+        app.kubernetes.io/instance: prometheus-fail2ban-exporter-unittest
+        app.kubernetes.io/name: prometheus-fail2ban-exporter
+  - notExists:
+      path: spec.policyTypes
+  - notExists:
+      path: spec.egress
+  - notExists:
+      path: spec.ingress
+
+- it: Template networkPolicy 'default' with policyTypes, egress and ingress configuration
+  set:
+    networkPolicies.enabled: true
+    networkPolicies.default.enabled: true
+    networkPolicies.default.policyTypes:
+    - Egress
+    - Ingress
+    networkPolicies.default.ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: khv-production
+        podSelector:
+          matchLabels:
+            app.kubernetes.io/name: prometheus
+    networkPolicies.default.egress:
+    - to:
+      - namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: database
+        podSelector:
+          matchLabels:
+            app.kubernetes.io/name: oracle
+  asserts:
+  - equal:
+      path: spec.policyTypes
+      value:
+      - Egress
+      - Ingress
+  - equal:
+      path: spec.egress
+      value:
+      - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: database
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: oracle
+  - equal:
+      path: spec.ingress
+      value:
+      - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: khv-production
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus

values.yaml

@@ -270,9 +270,53 @@ podDisruptionBudget: {}
 #  maxUnavailable: 1
 #  minAvailable: 1
 
-## @section Network
-## @param networkPolicies Deploy network policies based on the used container network interface (CNI) implementation - like calico or weave.
-networkPolicies: {}
+## @section NetworkPolicies
+## @param networkPolicies.enabled Enable network policies in general.
+networkPolicies:
+  enabled: false
+
+  ## @param networkPolicies.default.enabled Enable the network policy for accessing the application by default. For example to scape the metrics.
+  ## @param networkPolicies.default.annotations Additional network policy annotations.
+  ## @param networkPolicies.default.labels Additional network policy labels.
+  ## @param networkPolicies.default.policyTypes List of policy types. Supported is ingress, egress or ingress and egress.
+  ## @param networkPolicies.default.egress Concrete egress network policy implementation.
+  ## @skip networkPolicies.default.egress Skip individual egress configuration.
+  ## @param networkPolicies.default.ingress Concrete ingress network policy implementation.
+  ## @skip networkPolicies.default.ingress Skip individual ingress configuration.
+  default:
+    enabled: false
+    annotations: {}
+    labels: {}
+    policyTypes: []
+    # - Egress
+    # - Ingress
+    egress: []
+    ingress: []
+    # Allow incoming HTTP traffic from prometheus.
+    #
+    # - from:
+    #   - namespaceSelector:
+    #       matchLabels:
+    #         kubernetes.io/metadata.name: monitoring
+    #     podSelector:
+    #       matchLabels:
+    #         app.kubernetes.io/name: prometheus
+    #   ports:
+    #   - port: http
+    #     protocol: TCP
+
+    # Allow incoming HTTP traffic from ingress-nginx.
+    #
+    # - from:
+    #   - namespaceSelector:
+    #       matchLabels:
+    #         kubernetes.io/metadata.name: ingress-nginx
+    #     podSelector:
+    #       matchLabels:
+    #         app.kubernetes.io/name: ingress-nginx
+    #   ports:
+    #   - port: http
+    #     protocol: TCP
 
 ## @section Prometheus
 prometheus: