[bitnami/mongodb] feat: Add network policy template into mongodb chart (#20478)

* feat: Add network policy template into mongodb chart Signed-off-by: Ivan Kovacic <ivan.kovacic@barrage.net> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * fix: Changed default value of networkPolicy.enabled to false Signed-off-by: Ivan Kovacic <ivan.kovacic@barrage.net> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * fix: Minor naming improvements to mongodb net-pol Signed-off-by: Ivan Kovacic <ivan.kovacic@barrage.net> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Apply suggestions from code review Co-authored-by: Andrés Bono <andresbonojimenez@gmail.com> Signed-off-by: Ivan Kovacic <ivan.kovacic@barrage.net> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Update bitnami/mongodb/values.yaml Co-authored-by: Andrés Bono <andresbonojimenez@gmail.com> Signed-off-by: Ivan Kovacic <ivan.kovacic@barrage.net> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> --------- Signed-off-by: Ivan Kovacic <ivan.kovacic@barrage.net> Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com> Co-authored-by: Andrés Bono <andresbonojimenez@gmail.com>
2026-02-19 19:47:22 +08:00 · 2023-11-06 14:59:02 +01:00
parent 0e79d2e651
commit 23e23dcd5a
5 changed files with 167 additions and 1 deletions
--- a/bitnami/mongodb/Chart.yaml
+++ b/bitnami/mongodb/Chart.yaml
@@ -39,4 +39,4 @@ maintainers:
 name: mongodb
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/mongodb
-version: 14.1.0
+version: 14.1.1
--- a/bitnami/mongodb/README.md
+++ b/bitnami/mongodb/README.md
@@ -295,6 +295,16 @@ Refer to the [chart documentation for more information on each of these architec
 | `externalAccess.hidden.service.sessionAffinity`               | Control where client requests go, to the same pod or round-robin                                                                                | `None`                    |
 | `externalAccess.hidden.service.sessionAffinityConfig`         | Additional settings for the sessionAffinity                                                                                                     | `{}`                      |

+### Network policy parameters
+
+| Name                                      | Description                                                                                                                               | Value   |
+| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `networkPolicy.enabled`                   | Enable MongoDB(&reg;) network policies                                                                                                    | `false` |
+| `networkPolicy.ingress.namespaceSelector` | Namespace selector label that is allowed to access the MongoDB(&reg;) node. This label will be used to identify the allowed namespace(s). | `{}`    |
+| `networkPolicy.ingress.podSelector`       | Pod selector label that is allowed to access the MongoDB(&reg;) node. This label will be used to identify the allowed pod(s).             | `{}`    |
+| `networkPolicy.ingress.customRules`       | Custom network policy for the MongoDB(&reg;) node.                                                                                        | `[]`    |
+| `networkPolicy.egress.customRules`        | Custom network policy for the MongoDB(&reg;) node.                                                                                        | `[]`    |
+
 ### Persistence parameters

 | Name                                          | Description                                                                                                                           | Value               |
--- a/bitnami/mongodb/templates/networkpolicy.yaml
+++ b/bitnami/mongodb/templates/networkpolicy.yaml
@@ -0,0 +1,46 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+  name: {{ template "mongodb.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels ) "context" . ) }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: mongodb
+  {{- if or .Values.annotations .Values.commonAnnotation }}
+  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.annotations .Values.commonAnnotations ) "context" . ) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+      app.kubernetes.io/component: mongodb
+  ingress:
+    {{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.ingress.namespaceSelector .Values.networkPolicy.ingress.podSelector) }}
+    - from:
+        {{- if .Values.networkPolicy.ingress.namespaceSelector }}
+        - namespaceSelector:
+            matchLabels: {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.ingress.namespaceSelector "context" $ ) | nindent 14 }}
+        {{- end}}
+        {{- if .Values.networkPolicy.ingress.podSelector }}
+        - podSelector:
+            matchLabels: {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.ingress.podSelector "context" $ ) | nindent 14 }}
+        {{- end}}
+      ports:
+        - protocol: TCP
+          port: {{ .Values.containerPorts.mongodb }}
+    {{- end}}
+    {{- if .Values.networkPolicy.ingress.customRules }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.ingress.customRules "context" $ ) | nindent 4 }}
+    {{- end}}
+  {{- if .Values.networkPolicy.egress.customRules }}
+  egress:
+    {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.egress.customRules "context" $ ) | nindent 4 }}
+  {{- end}}
+{{- end}}
--- a/bitnami/mongodb/values.schema.json
+++ b/bitnami/mongodb/values.schema.json
@@ -100,6 +100,65 @@
        }
      }
    },
+    "networkPolicy": {
+      "type": "object",
+      "title": "Network policy configuration",
+      "form": true,
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "form": true,
+          "title": "Enable network policy",
+          "description": "Enable network policy using Kubernetes native NP",
+          "hidden": {
+            "value": false,
+            "path": "networkPolicy/enabled"
+          }
+        },
+        "ingress": {
+          "type": "object",
+          "properties": {
+            "namespaceSelector": {
+              "type": "object",
+              "title": "Namespace selector label that is allowed to access this instance",
+              "hidden": {
+                "value": {},
+                "path": "networkPolicy/ingress/namespaceSelector"
+              }
+            },
+            "podSelector": {
+              "type": "object",
+              "title": "Pod selector label that is allowed to access this instance",
+              "hidden": {
+                "value": {},
+                "path": "networkPolicy/ingress/podSelector"
+              }
+            },
+            "customRules": {
+              "type": "array",
+              "title": "Custom rules for ingress network policy",
+              "hidden": {
+                "value": [],
+                "path": "networkPolicy/ingress/customRules"
+              }
+            }
+          }
+        },
+        "egress": {
+          "type": "object",
+          "properties": {
+            "customRules": {
+              "type": "array",
+              "title": "Custom rules for egress network policy",
+              "hidden": {
+                "value": [],
+                "path": "networkPolicy/egress/customRules"
+              }
+            }
+          }
+        }
+      }
+    },
    "persistence": {
      "type": "object",
      "title": "Persistence configuration",
--- a/bitnami/mongodb/values.yaml
+++ b/bitnami/mongodb/values.yaml
@@ -1003,6 +1003,57 @@ externalAccess:
      ##
      sessionAffinityConfig: {}

+## @section Network policy parameters
+##
+
+## Enable Network policies using Kubernetes Network Policies
+## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+##
+networkPolicy:
+  ## @param networkPolicy.enabled Enable MongoDB(&reg;) network policies
+  ##
+  enabled: false
+
+  ## Ingress rules - Allow incoming connections
+  ##
+  ingress:
+    ## @param networkPolicy.ingress.namespaceSelector [object] Namespace selector label that is allowed to access the MongoDB(&reg;) node. This label will be used to identify the allowed namespace(s).
+    ## @param networkPolicy.ingress.podSelector [object] Pod selector label that is allowed to access the MongoDB(&reg;) node. This label will be used to identify the allowed pod(s).
+    ## @param networkPolicy.ingress.customRules [array] Custom network policy for the MongoDB(&reg;) node.
+    namespaceSelector: {}
+    ## e.g:
+    ## namespaceSelector:
+    ##   label1: value1
+    podSelector: {}
+    ## e.g:
+    ## podSelector:
+    ##   label2: value2
+    customRules: []
+    ## e.g:
+    ## customRules:
+    ##   - from:
+    ##     - namespaceSelector:
+    ##         matchLabels:
+    ##            label1: value1
+    ##       podSelector:
+    ##         matchLabels:
+    ##            label2: value2
+  ## Egress rules - deny outgoing connections
+  ##
+  egress:
+    ## @param networkPolicy.egress.customRules [array] Custom network policy for the MongoDB(&reg;) node.
+    ##
+    customRules: []
+    ## e.g:
+    ## customRules:
+    ##   - to:
+    ##     - namespaceSelector:
+    ##         matchLabels:
+    ##            label1: value1
+    ##       podSelector:
+    ##         matchLabels:
+    ##            label2: value2
+
 ## @section Persistence parameters
 ##