From 04af8af68def59deaf226fbf4b8500b8b41f360a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?= Date: Fri, 26 Jan 2024 10:00:10 +0100 Subject: [PATCH] [bitnami/solr] feat: :lock: Enable networkPolicy (#22725) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * [bitnami/solr] feat: :lock: Enable networkPolicy Signed-off-by: Javier Salmeron Garcia * Update networkpolicy.yaml Signed-off-by: Javier J. Salmerón-García --------- Signed-off-by: Javier Salmeron Garcia Signed-off-by: Javier J. Salmerón-García --- bitnami/solr/Chart.yaml | 2 +- bitnami/solr/README.md | 62 ++++++++------- bitnami/solr/templates/NOTES.txt | 16 ++-- bitnami/solr/templates/_helpers.tpl | 17 +++- .../solr/templates/ingress-tls-secrets.yaml | 4 +- .../solr/templates/metrics-deployment.yaml | 2 +- bitnami/solr/templates/metrics-svc.yaml | 2 +- bitnami/solr/templates/networkpolicy.yaml | 78 +++++++++++++++++++ bitnami/solr/templates/pdb.yaml | 2 +- bitnami/solr/templates/prometheusrule.yaml | 2 +- bitnami/solr/templates/scripts-configmap.yaml | 4 +- bitnami/solr/templates/secrets.yaml | 4 +- bitnami/solr/templates/service-account.yaml | 2 +- bitnami/solr/templates/servicemonitor.yaml | 4 +- bitnami/solr/templates/statefulset.yaml | 2 +- bitnami/solr/templates/svc-headless.yaml | 2 +- bitnami/solr/templates/svc.yaml | 2 +- bitnami/solr/templates/tls-secrets.yaml | 4 +- bitnami/solr/values.yaml | 52 +++++++++++++ 19 files changed, 206 insertions(+), 57 deletions(-) create mode 100644 bitnami/solr/templates/networkpolicy.yaml diff --git a/bitnami/solr/Chart.yaml b/bitnami/solr/Chart.yaml index 38c397f2d7..02719c22b9 100644 --- a/bitnami/solr/Chart.yaml +++ b/bitnami/solr/Chart.yaml @@ -34,4 +34,4 @@ maintainers: name: solr sources: - https://github.com/bitnami/charts/tree/main/bitnami/solr -version: 8.5.1 +version: 8.6.0 diff --git a/bitnami/solr/README.md b/bitnami/solr/README.md index 38da63cad7..e996462d73 100644 
--- a/bitnami/solr/README.md
+++ b/bitnami/solr/README.md
@@ -181,34 +181,40 @@ The command removes all the Kubernetes components associated with the chart and ### Traffic Exposure parameters -| Name | Description | Value | -| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | -| `service.type` | Kubernetes Service type | `ClusterIP` | -| `service.ports.http` | Solr HTTP service port | `8983` | -| `service.nodePorts.http` | Node port for the HTTP service | `""` | -| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `service.clusterIP` | Solr service Cluster IP | `""` | -| `service.loadBalancerIP` | Solr service Load Balancer IP | `""` | -| `service.loadBalancerSourceRanges` | Solr service Load Balancer sources | `[]` | -| `service.externalTrafficPolicy` | Solr service external traffic policy | `Cluster` | -| `service.annotations` | Additional custom annotations for Solr service | `{}` | -| `service.extraPorts` | Extra ports to expose in the Solr service (normally used with the `sidecar` value) | `[]` | -| `service.headless.annotations` | Annotations for the headless service. | `{}` | -| `ingress.enabled` | Enable ingress record generation for Apache Geode | `false` | -| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | -| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | -| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | -| `ingress.hostname` | Default host for the ingress record | `solr.local` | -| `ingress.path` | Default path for the ingress record | `/` | -| `ingress.annotations` | Additional annotations for the Ingress resource. 
To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | -| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` | -| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | -| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | -| `ingress.extraPaths` | Any additional arbitrary paths that may need to be added to the ingress under the main host. | `[]` | -| `ingress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` | -| `ingress.secrets` | If you're providing your own certificates, please use this to add the certificates as secrets | `[]` | -| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| Name | Description | Value | +| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.ports.http` | Solr HTTP service port | `8983` | +| `service.nodePorts.http` | Node port for the HTTP service | `""` | +| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.clusterIP` | Solr service Cluster IP | `""` | +| `service.loadBalancerIP` | Solr service Load Balancer IP | `""` | +| `service.loadBalancerSourceRanges` | Solr service Load Balancer sources | `[]` | +| `service.externalTrafficPolicy` | Solr service external traffic policy | `Cluster` | +| `service.annotations` | Additional custom annotations for Solr service | `{}` | +| `service.extraPorts` | Extra ports to expose in the Solr service (normally used with the 
`sidecar` value) | `[]` | +| `service.headless.annotations` | Annotations for the headless service. | `{}` | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `ingress.enabled` | Enable ingress record generation for Apache Geode | `false` | +| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | +| `ingress.hostname` | Default host for the ingress record | `solr.local` | +| `ingress.path` | Default path for the ingress record | `/` | +| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | +| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` | +| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `ingress.extraPaths` | Any additional arbitrary paths that may need to be added to the ingress under the main host. | `[]` | +| `ingress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. 
| `[]` | +| `ingress.secrets` | If you're providing your own certificates, please use this to add the certificates as secrets | `[]` | +| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | ### Persistence parameters diff --git a/bitnami/solr/templates/NOTES.txt b/bitnami/solr/templates/NOTES.txt index 6d7ba431ca..37a64aa7c0 100644 --- a/bitnami/solr/templates/NOTES.txt +++ b/bitnami/solr/templates/NOTES.txt @@ -21,14 +21,14 @@ APP VERSION: {{ .Chart.AppVersion }} Solr can be accessed via port {{ .Values.service.ports.http }} on the following DNS name from within your cluster: - {{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.service.ports.http }} + {{ include "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}:{{ .Values.service.ports.http }} {{- if .Values.auth.enabled }} To get the Solr credentials execute the following commands: echo Username: {{ .Values.auth.adminUsername }} - echo Password: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "solr.secretName" . }} -o jsonpath="{.data.solr-password}" | base64 -d) + echo Password: $(kubectl get secret --namespace {{ include "common.names.namespace" . }} {{ include "solr.secretName" . }} -o jsonpath="{.data.solr-password}" | base64 -d) {{- end }} 
@@ -38,8 +38,8 @@ To connect to your Solr cluster from outside the cluster, perform the following 1. Obtain the NodePort IP and ports: - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }}) echo "Solr URL: ${NODE_IP}:${NODE_PORT}" {{- else if contains "LoadBalancer" .Values.service.type }} 
@@ -47,16 +47,16 @@ To connect to your Solr cluster from outside the cluster, perform the following 1. Obtain the LoadBalancer IP NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "common.names.fullname" . }}' + Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -w {{ include "common.names.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.names.namespace" . }} {{ include "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") echo "Solr URL: ${SERVICE_IP}:{{ .Values.service.ports.http }}" {{- else if contains "ClusterIP" .Values.service.type }} 1. Create a port-forward to the Solr client port: - kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "common.names.fullname" . }} {{ .Values.service.ports.http }}:{{ .Values.service.ports.http }} & + kubectl port-forward --namespace {{ include "common.names.namespace" . }} svc/{{ include "common.names.fullname" . }} {{ .Values.service.ports.http }}:{{ .Values.service.ports.http }} & echo "Solr URL: 127.0.0.1:{{ .Values.service.ports.http }}" {{- end }} 
@@ -67,7 +67,7 @@ To connect to your Solr cluster from outside the cluster, perform the following Solr Prometheus metrics can be accessed via port {{ .Values.metrics.service.ports.http }} on the following DNS name from within your cluster: - {{ printf "%s-exporter" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.metrics.service.ports.http }}/metrics + {{ printf "%s-exporter" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}:{{ .Values.metrics.service.ports.http }}/metrics {{- end }} diff --git a/bitnami/solr/templates/_helpers.tpl b/bitnami/solr/templates/_helpers.tpl index 1c03afd3a7..c39e17b5b8 100644 --- a/bitnami/solr/templates/_helpers.tpl +++ b/bitnami/solr/templates/_helpers.tpl @@ -101,7 +101,7 @@ Return Solr admin password {{- if not (empty .Values.auth.adminPassword) -}} {{- .Values.auth.adminPassword -}} {{- else -}} - {{- include "getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "common.names.fullname" .) "Length" 10 "Key" "solr-password") -}} + {{- include "getValueFromSecret" (dict "Namespace" (include "common.names.namespace" .) "Name" (include "common.names.fullname" .) "Length" 10 "Key" "solr-password") -}} {{- end -}} {{- end -}} @@ -113,7 +113,7 @@ Return proper Zookeeper hosts {{- include "common.tplvalues.render" (dict "value" (join "," .Values.externalZookeeper.servers) "context" $) -}} {{- else -}} {{- $zookeeperList := list -}} - {{- $releaseNamespace := default .Release.Namespace .Values.zookeeper.namespaceOverride -}} + {{- $releaseNamespace := default (include "common.names.namespace" .) .Values.zookeeper.namespaceOverride -}} {{- $clusterDomain := .Values.clusterDomain -}} {{- $zookeeperFullname := include "solr.zookeeper.fullname" . -}} {{- range $e, $i := until (int .Values.zookeeper.replicaCount) -}} 
@@ -123,6 +123,19 @@ Return proper Zookeeper hosts {{- end -}} {{- end -}} +{{/* +Return proper Zookeeper hosts +*/}} +{{- define "solr.zookeeper.port" -}} +{{- if .Values.externalZookeeper.servers -}} + {{- include "solr.zookeeper.hosts" . | regexFind ":[0-9]+" | trimPrefix ":" | default "2181" | int -}} +{{- else if .Values.zookeeper.enabled -}} + {{- int .Values.zookeeper.containerPorts.client -}} +{{- else -}} + {{- int "2181" -}} +{{- end -}} +{{- end -}} + {{/* Return true if a TLS secret object should be created */}} diff --git a/bitnami/solr/templates/ingress-tls-secrets.yaml b/bitnami/solr/templates/ingress-tls-secrets.yaml index 4ea1463374..2ff9887d44 100644 --- a/bitnami/solr/templates/ingress-tls-secrets.yaml +++ b/bitnami/solr/templates/ingress-tls-secrets.yaml @@ -10,7 +10,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ .name }} - namespace: {{ $.Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" $ | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }} {{- if $.Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} @@ -30,7 +30,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/bitnami/solr/templates/metrics-deployment.yaml b/bitnami/solr/templates/metrics-deployment.yaml index b5f7ad7655..004629d570 100644 --- a/bitnami/solr/templates/metrics-deployment.yaml +++ b/bitnami/solr/templates/metrics-deployment.yaml 
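Review bot: The comment above the new `solr.zookeeper.port` helper in `_helpers.tpl` still reads "Return proper Zookeeper hosts", copied from the helper before it; it should say something like `Return the Zookeeper client port (used by the NetworkPolicy egress rule)`. For `externalZookeeper.servers`, `regexFind ":[0-9]+"` returns only the first port found in the joined host list, so external servers listening on different ports would yield a single egress port. If one shared port is the intended assumption, the comment should state it so operators know to add the others through `networkPolicy.extraEgress`.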
@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ printf "%s-exporter" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: solr-exporter {{- if .Values.commonAnnotations }} diff --git a/bitnami/solr/templates/metrics-svc.yaml b/bitnami/solr/templates/metrics-svc.yaml index 75d89ba8b2..4efe439921 100644 --- a/bitnami/solr/templates/metrics-svc.yaml +++ b/bitnami/solr/templates/metrics-svc.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Service metadata: name: {{ printf "%s-exporter" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.labels .Values.commonLabels ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} app.kubernetes.io/component: metrics diff --git a/bitnami/solr/templates/networkpolicy.yaml b/bitnami/solr/templates/networkpolicy.yaml new file mode 100644 index 0000000000..a9430470d8 --- /dev/null +++ b/bitnami/solr/templates/networkpolicy.yaml 
@@ -0,0 +1,78 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + policyTypes: + - Ingress + - Egress + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to other cluster pods + - ports: + - port: {{ .Values.containerPorts.http }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + # Allow outbound connections to Zookeeper + - ports: + - port: {{ include "solr.zookeeper.port" . 
}} + {{- if .Values.zookeeper.enabled }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: zookeeper + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.http }} + - port: {{ .Values.service.ports.http }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/solr/templates/pdb.yaml b/bitnami/solr/templates/pdb.yaml index fa3dfa1ee2..8fbe6262e5 100644 --- a/bitnami/solr/templates/pdb.yaml +++ b/bitnami/solr/templates/pdb.yaml 
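Review bot: The Zookeeper egress rule in `networkpolicy.yaml` selects the bundled Zookeeper with a bare `podSelector`, which only matches pods in the policy's own namespace. `_helpers.tpl` builds the Zookeeper hostnames from `zookeeper.namespaceOverride`, so if the subchart is deployed to another namespace, Solr's egress to it would presumably be dropped once this policy is enforced. Adding a `namespaceSelector` in the same list item as the `podSelector` when that value is set would cover it. Separately, with `zookeeper.enabled: false` the rule has no `to:` and admits any destination on that port, which deserves a template comment saying it is deliberate for external Zookeeper.

```yaml
      # … unchanged: ports entry and the zookeeper.enabled guard …
        - podSelector:
            matchLabels:
              # … unchanged: app.kubernetes.io/name and instance labels …
          {{- if .Values.zookeeper.namespaceOverride }}
          namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: {{ .Values.zookeeper.namespaceOverride | quote }}
          {{- end }}
```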
@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/bitnami/solr/templates/prometheusrule.yaml b/bitnami/solr/templates/prometheusrule.yaml index 73c89e652c..c70c28a945 100644 --- a/bitnami/solr/templates/prometheusrule.yaml +++ b/bitnami/solr/templates/prometheusrule.yaml @@ -8,7 +8,7 @@ apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }} + namespace: {{ default include "common.names.namespace" . .Values.metrics.prometheusRule.namespace | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.metrics.prometheusRule.additionalLabels }} {{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $) | nindent 4 }} diff --git a/bitnami/solr/templates/scripts-configmap.yaml b/bitnami/solr/templates/scripts-configmap.yaml index 7112cb7639..fa90981141 100644 --- a/bitnami/solr/templates/scripts-configmap.yaml +++ b/bitnami/solr/templates/scripts-configmap.yaml 
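Review bot: In `prometheusrule.yaml` the new namespace expression `default include "common.names.namespace" . .Values.metrics.prometheusRule.namespace` passes `include` to `default` as a bare argument instead of calling it, so the template is likely to fail to render when the PrometheusRule is enabled. The call needs parentheses, as the `_helpers.tpl` hunks in this same commit already do: `namespace: {{ default (include "common.names.namespace" .) .Values.metrics.prometheusRule.namespace | quote }}`. The same unparenthesised form appears in the first `servicemonitor.yaml` hunk and needs the same change.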
@@ -7,7 +7,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-scripts" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: solr {{- if .Values.commonAnnotations }} @@ -49,5 +49,5 @@ data: fi {{- end }} # Use hostname instead of IP to register in ZooKeeper - export SOLR_HOST="${MY_POD_NAME}.{{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + export SOLR_HOST="${MY_POD_NAME}.{{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" /opt/bitnami/scripts/solr/entrypoint.sh /opt/bitnami/scripts/solr/run.sh diff --git a/bitnami/solr/templates/secrets.yaml b/bitnami/solr/templates/secrets.yaml index afb53b1530..e57ca77636 100644 --- a/bitnami/solr/templates/secrets.yaml +++ b/bitnami/solr/templates/secrets.yaml @@ -13,7 +13,7 @@ metadata: {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} type: Opaque data: solr-password: {{ include "solr.password" . | b64enc | quote }} 
@@ -29,7 +29,7 @@ metadata: {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} type: Opaque data: keystore-password: {{ default (randAlphaNum 10) .Values.tls.keystorePassword | b64enc | quote }} diff --git a/bitnami/solr/templates/service-account.yaml b/bitnami/solr/templates/service-account.yaml index c14fe88787..e4b142b921 100644 --- a/bitnami/solr/templates/service-account.yaml +++ b/bitnami/solr/templates/service-account.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "solr.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: solr {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} diff --git a/bitnami/solr/templates/servicemonitor.yaml b/bitnami/solr/templates/servicemonitor.yaml index 1433a7402d..57424c3ba8 100644 --- a/bitnami/solr/templates/servicemonitor.yaml +++ b/bitnami/solr/templates/servicemonitor.yaml @@ -8,7 +8,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} + namespace: {{ default include "common.names.namespace" . .Values.metrics.serviceMonitor.namespace | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: metrics {{- if .Values.metrics.serviceMonitor.additionalLabels }} 
@@ -47,5 +47,5 @@ spec: {{- end }} namespaceSelector: matchNames: - - {{ .Release.Namespace }} + - {{ include "common.names.namespace" . }} {{- end }} diff --git a/bitnami/solr/templates/statefulset.yaml b/bitnami/solr/templates/statefulset.yaml index 704fdbf8b5..62b0ccb35f 100644 --- a/bitnami/solr/templates/statefulset.yaml +++ b/bitnami/solr/templates/statefulset.yaml @@ -12,7 +12,7 @@ metadata: {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} spec: podManagementPolicy: {{ .Values.podManagementPolicy }} replicas: {{ .Values.replicaCount }} diff --git a/bitnami/solr/templates/svc-headless.yaml b/bitnami/solr/templates/svc-headless.yaml index 3952d5cc43..3fd3fe25ac 100644 --- a/bitnami/solr/templates/svc-headless.yaml +++ b/bitnami/solr/templates/svc-headless.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: name: {{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: solr {{- if or .Values.service.headless.annotations .Values.commonAnnotations }} diff --git a/bitnami/solr/templates/svc.yaml b/bitnami/solr/templates/svc.yaml index bb0516e9c5..29a79d38b2 100644 --- a/bitnami/solr/templates/svc.yaml +++ b/bitnami/solr/templates/svc.yaml 
@@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: solr {{- if or .Values.service.annotations .Values.commonAnnotations }} diff --git a/bitnami/solr/templates/tls-secrets.yaml b/bitnami/solr/templates/tls-secrets.yaml index 5f82665f88..20434c4046 100644 --- a/bitnami/solr/templates/tls-secrets.yaml +++ b/bitnami/solr/templates/tls-secrets.yaml @@ -6,7 +6,7 @@ SPDX-License-Identifier: APACHE-2.0 {{- if (include "solr.createTlsSecret" .) }} {{- $secretName := printf "%s-crt" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} {{- $ca := genCA "solr-ca" 365 }} -{{- $releaseNamespace := .Release.Namespace }} +{{- $releaseNamespace := include "common.names.namespace" . }} {{- $clusterDomain := .Values.clusterDomain }} {{- $serviceName := include "common.names.fullname" . }} {{- $headlessServiceName := printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} @@ -21,7 +21,7 @@ metadata: {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} type: kubernetes.io/tls data: tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }} diff --git a/bitnami/solr/values.yaml b/bitnami/solr/values.yaml index 91e83ffe4b..68004e49aa 100644 --- a/bitnami/solr/values.yaml +++ b/bitnami/solr/values.yaml 
@@ -455,6 +455,58 @@ service: ## @param service.headless.annotations Annotations for the headless service. ## annotations: {} +## Network Policies +## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the ports the application is listening + ## on. When true, the app will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## Solr ingress parameters ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ ##
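Review bot: The `@param networkPolicy.extraEgress` comment describes the value as "Add extra ingress rules to the NetworkPolicy", and the `extraIngress` one spells it "NetworkPolice"; both strings also appear in the README table. Suggested wording: `## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy` and `## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy`. The commented examples also write `matchLabels` and `matchExpressions` as list items under `podSelector` (`- matchLabels:`), which is not the NetworkPolicy schema. A user who uncomments them as-is would get a rejected or misparsed rule, so the examples should use plain mappings under `podSelector`.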