[bitnami/odoo] feat!: 🔒 💥 Improve security defaults (#24850)
* [bitnami/odoo] feat!: 🔒 💥 Improve security defaults Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * docs: 📝 Update metadata Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * fix: 🐛 Set proper add capabilities Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * fix: 🐛 Set proper capability names Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * fix: 🐛 Add FOWNER capability Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * chore: 🔧 Bump instance size Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * Update bitnami/odoo/values.yaml Co-authored-by: Andrés Bono <andresbono@vmware.com> Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * chore: 🔧 Bump resource preset Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * chore: 🔧 Bump resource preset Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * chore: 🔧 Increase count size Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * chore: 🔧 Disable security preset in testing Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * chore: 🔧 Increase count size Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * [bitnami/odoo] chore: 🔧 Bump instance size Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * test: ✅ Remove loading check test Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * [bitnami/odoo] chore: 🔧 Bump instance size Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * [bitnami/odoo] chore: 🔧 Reduce instance size Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> --------- Signed-off-by: Javier Salmeron Garcia 
<jsalmeron@vmware.com> Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com> Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Co-authored-by: Andrés Bono <andresbono@vmware.com> Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
committed by
GitHub
parent
653e09ea07
commit
298ab2a716
@@ -13,7 +13,8 @@ it('allows installing/uninstalling an application and inviting new users', () =>
|
||||
cy.get('[title="Sales"]').within(() => {
|
||||
cy.get('button[name="button_immediate_install"]').click();
|
||||
});
|
||||
cy.reload();
|
||||
|
||||
cy.reload({timeout: 300000});
|
||||
|
||||
// Perform the second login only if the #login selector is visible
|
||||
cy.get("body").then(($body) => {
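Review bot: The five-minute `300000` page-load timeout is a bare literal here and the same literal is repeated in the next hunk of this spec after the uninstall step, so the two will drift when one is tuned. I would hoist it once at the top of the spec, `const RELOAD_TIMEOUT_MS = 300000; // module install/uninstall can take minutes`, and pass `cy.reload({timeout: RELOAD_TIMEOUT_MS});` in both places. The `it(...)` callback this hunk belongs to starts and ends outside the hunk.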
|
||||
@@ -41,8 +42,7 @@ it('allows installing/uninstalling an application and inviting new users', () =>
|
||||
});
|
||||
cy.contains('Uninstall').click({ force: true });
|
||||
cy.get('[name*="uninstall"]').click();
|
||||
cy.reload();
|
||||
|
||||
cy.reload({timeout: 300000});
|
||||
cy.get('[title="Home Menu"]').click();
|
||||
cy.contains('a', 'Invoicing').should('not.exist');
|
||||
});
|
||||
|
||||
@@ -20,7 +20,7 @@ for (const command of ['click']) {
|
||||
Cypress.Commands.add(
|
||||
'login',
|
||||
(username = Cypress.env('email'), password = Cypress.env('password')) => {
|
||||
cy.visit('/');
|
||||
cy.visit('/', {timeout: 120000});
|
||||
cy.get('#login').type(username);
|
||||
cy.get('#password').type(password);
|
||||
cy.contains('button', 'Log in').click();
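Review bot: `cy.get('#password').type(password)` two lines below the changed `cy.visit` still types the secret with command logging on, so the value taken from `Cypress.env('password')` is written to the Cypress command log and can end up in any screenshot or video artifact the CI run keeps. Pass the log option, `cy.get('#password').type(password, { log: false });`, and consider the same for the username line if the e-mail is treated as sensitive. The `login` command body continues past the end of the hunk.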
|
||||
|
||||
@@ -25,7 +25,7 @@
|
||||
"target_platform": {
|
||||
"target_platform_id": "{VIB_ENV_ALTERNATIVE_TARGET_PLATFORM}",
|
||||
"size": {
|
||||
"name": "S4"
|
||||
"name": "M4"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
dependencies:
|
||||
- name: postgresql
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 13.4.6
|
||||
version: 15.2.2
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 2.18.0
|
||||
digest: sha256:1f142fdaae061ed4aff5509bbcbde665afa535367c47959426374f5b8eaeb3ba
|
||||
generated: "2024-03-05T09:16:08.018734583Z"
|
||||
version: 2.19.1
|
||||
digest: sha256:3e92f6281cd6514443c63639a235280230dd8d74f427b9e215bda673b7d4dedc
|
||||
generated: "2024-04-03T12:48:23.45156044+02:00"
|
||||
|
||||
@@ -13,7 +13,7 @@ dependencies:
|
||||
- condition: postgresql.enabled
|
||||
name: postgresql
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 13.x.x
|
||||
version: 15.x.x
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
tags:
|
||||
@@ -34,4 +34,4 @@ maintainers:
|
||||
name: odoo
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/odoo
|
||||
version: 25.6.0
|
||||
version: 26.0.0
|
||||
|
||||
@@ -164,69 +164,76 @@ See the [Parameters](#parameters) section to configure the PVC or to disable per
|
||||
|
||||
### Odoo deployment parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ---------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
|
||||
| `replicaCount` | Number of Odoo replicas to deploy | `1` |
|
||||
| `containerPorts.http` | Odoo HTTP container port | `8069` |
|
||||
| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` |
|
||||
| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `podSecurityContext.enabled` | Enabled Odoo pods' Security Context | `true` |
|
||||
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
|
||||
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `podSecurityContext.fsGroup` | Set Odoo pod's Security Context fsGroup | `0` |
|
||||
| `containerSecurityContext.enabled` | Enabled Odoo containers' Security Context | `true` |
|
||||
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `containerSecurityContext.runAsUser` | Set Odoo container's Security Context runAsUser | `0` |
|
||||
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
|
||||
| `livenessProbe.path` | Path for to check for livenessProbe | `/web/health` |
|
||||
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `600` |
|
||||
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `30` |
|
||||
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
|
||||
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
|
||||
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
|
||||
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
|
||||
| `readinessProbe.path` | Path to check for readinessProbe | `/web/health` |
|
||||
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` |
|
||||
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
|
||||
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
|
||||
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
|
||||
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
|
||||
| `startupProbe.enabled` | Enable startupProbe | `false` |
|
||||
| `startupProbe.path` | Path to check for startupProbe | `/web/health` |
|
||||
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `300` |
|
||||
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
|
||||
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
|
||||
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` |
|
||||
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
|
||||
| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `lifecycleHooks` | LifecycleHooks to set additional configuration at startup | `{}` |
|
||||
| `automountServiceAccountToken` | Mount Service Account token in pod | `false` |
|
||||
| `hostAliases` | Odoo pod host aliases | `[]` |
|
||||
| `podLabels` | Extra labels for Odoo pods | `{}` |
|
||||
| `podAnnotations` | Annotations for Odoo pods | `{}` |
|
||||
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
|
||||
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` |
|
||||
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` |
|
||||
| `affinity` | Affinity for pod assignment | `{}` |
|
||||
| `nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
|
||||
| `priorityClassName` | Odoo pods' Priority Class Name | `""` |
|
||||
| `schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
|
||||
| `terminationGracePeriodSeconds` | Seconds Odoo pod needs to terminate gracefully | `""` |
|
||||
| `updateStrategy.type` | Odoo deployment strategy type | `RollingUpdate` |
|
||||
| `updateStrategy.rollingUpdate` | Odoo deployment rolling update configuration parameters | `nil` |
|
||||
| `extraVolumes` | Optionally specify extra list of additional volumes for Odoo pods | `[]` |
|
||||
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for Odoo container(s) | `[]` |
|
||||
| `extraContainerPorts` | Optionally specify extra list of additional ports for Odoo container(s) | `[]` |
|
||||
| `sidecars` | Add additional sidecar containers to the Odoo pod | `[]` |
|
||||
| `initContainers` | Add additional init containers to the Odoo pods | `[]` |
|
||||
| Name | Description | Value |
|
||||
| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ |
|
||||
| `replicaCount` | Number of Odoo replicas to deploy | `1` |
|
||||
| `containerPorts.http` | Odoo HTTP container port | `8069` |
|
||||
| `extraContainerPorts` | Optionally specify extra list of additional ports for Odoo container(s) | `[]` |
|
||||
| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `large` |
|
||||
| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `podSecurityContext.enabled` | Enabled Odoo pods' Security Context | `true` |
|
||||
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
|
||||
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `podSecurityContext.fsGroup` | Set Odoo pod's Security Context fsGroup | `0` |
|
||||
| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `0` |
|
||||
| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `false` |
|
||||
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `containerSecurityContext.capabilities.add` | List of capabilities to be added | `["CHOWN","FOWNER","SYS_CHROOT","SETGID","SETUID","DAC_OVERRIDE"]` |
|
||||
| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
|
||||
| `livenessProbe.path` | Path for to check for livenessProbe | `/web/health` |
|
||||
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `600` |
|
||||
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `30` |
|
||||
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
|
||||
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
|
||||
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
|
||||
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
|
||||
| `readinessProbe.path` | Path to check for readinessProbe | `/web/health` |
|
||||
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` |
|
||||
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
|
||||
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
|
||||
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `12` |
|
||||
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
|
||||
| `startupProbe.enabled` | Enable startupProbe | `false` |
|
||||
| `startupProbe.path` | Path to check for startupProbe | `/web/health` |
|
||||
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `300` |
|
||||
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
|
||||
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
|
||||
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` |
|
||||
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
|
||||
| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `lifecycleHooks` | LifecycleHooks to set additional configuration at startup | `{}` |
|
||||
| `automountServiceAccountToken` | Mount Service Account token in pod | `false` |
|
||||
| `hostAliases` | Odoo pod host aliases | `[]` |
|
||||
| `podLabels` | Extra labels for Odoo pods | `{}` |
|
||||
| `podAnnotations` | Annotations for Odoo pods | `{}` |
|
||||
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
|
||||
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` |
|
||||
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` |
|
||||
| `affinity` | Affinity for pod assignment | `{}` |
|
||||
| `nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
|
||||
| `priorityClassName` | Odoo pods' Priority Class Name | `""` |
|
||||
| `schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
|
||||
| `terminationGracePeriodSeconds` | Seconds Odoo pod needs to terminate gracefully | `""` |
|
||||
| `updateStrategy.type` | Odoo deployment strategy type | `RollingUpdate` |
|
||||
| `updateStrategy.rollingUpdate` | Odoo deployment rolling update configuration parameters | `nil` |
|
||||
| `extraVolumes` | Optionally specify extra list of additional volumes for Odoo pods | `[]` |
|
||||
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for Odoo container(s) | `[]` |
|
||||
| `sidecars` | Add additional sidecar containers to the Odoo pod | `[]` |
|
||||
| `initContainers` | Add additional init containers to the Odoo pods | `[]` |
|
||||
|
||||
### Traffic Exposure Parameters
|
||||
|
||||
@@ -260,25 +267,25 @@ See the [Parameters](#parameters) section to configure the PVC or to disable per
|
||||
|
||||
### Persistence Parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ---------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
|
||||
| `persistence.enabled` | Enable persistence using Persistent Volume Claims | `true` |
|
||||
| `persistence.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` |
|
||||
| `persistence.storageClass` | Persistent Volume storage class | `""` |
|
||||
| `persistence.accessModes` | Persistent Volume access modes | `[]` |
|
||||
| `persistence.accessMode` | Persistent Volume access mode (DEPRECATED: use `persistence.accessModes` instead) | `ReadWriteOnce` |
|
||||
| `persistence.size` | Persistent Volume size | `10Gi` |
|
||||
| `persistence.dataSource` | Custom PVC data source | `{}` |
|
||||
| `persistence.annotations` | Annotations for the PVC | `{}` |
|
||||
| `persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` |
|
||||
| `persistence.existingClaim` | The name of an existing PVC to use for persistence | `""` |
|
||||
| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` |
|
||||
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
|
||||
| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `volumePermissions.containerSecurityContext.enabled` | Enable init container's Security Context | `true` |
|
||||
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
|
||||
| `volumePermissions.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| Name | Description | Value |
|
||||
| ---------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
|
||||
| `persistence.enabled` | Enable persistence using Persistent Volume Claims | `true` |
|
||||
| `persistence.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` |
|
||||
| `persistence.storageClass` | Persistent Volume storage class | `""` |
|
||||
| `persistence.accessModes` | Persistent Volume access modes | `[]` |
|
||||
| `persistence.accessMode` | Persistent Volume access mode (DEPRECATED: use `persistence.accessModes` instead) | `ReadWriteOnce` |
|
||||
| `persistence.size` | Persistent Volume size | `10Gi` |
|
||||
| `persistence.dataSource` | Custom PVC data source | `{}` |
|
||||
| `persistence.annotations` | Annotations for the PVC | `{}` |
|
||||
| `persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` |
|
||||
| `persistence.existingClaim` | The name of an existing PVC to use for persistence | `""` |
|
||||
| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` |
|
||||
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` |
|
||||
| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `volumePermissions.containerSecurityContext.enabled` | Enable init container's Security Context | `true` |
|
||||
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
|
||||
| `volumePermissions.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
|
||||
### RBAC Parameters
|
||||
|
||||
@@ -314,9 +321,9 @@ See the [Parameters](#parameters) section to configure the PVC or to disable per
|
||||
| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
|
||||
| `externalDatabase.host` | Database host | `""` |
|
||||
| `externalDatabase.port` | Database port number | `5432` |
|
||||
| `externalDatabase.user` | Non-root username for Keycloak | `bn_odoo` |
|
||||
| `externalDatabase.password` | Password for the non-root username for Keycloak | `""` |
|
||||
| `externalDatabase.database` | Keycloak database name | `bitnami_odoo` |
|
||||
| `externalDatabase.user` | Non-root username for Odoo | `bn_odoo` |
|
||||
| `externalDatabase.password` | Password for the non-root username for Odoo | `""` |
|
||||
| `externalDatabase.database` | Odoo database name | `bitnami_odoo` |
|
||||
| `externalDatabase.create` | Enable PostgreSQL user and database creation (when using an external db) | `true` |
|
||||
| `externalDatabase.postgresqlPostgresUser` | External Database admin username | `postgres` |
|
||||
| `externalDatabase.postgresqlPostgresPassword` | External Database admin password | `""` |
|
||||
@@ -326,20 +333,15 @@ See the [Parameters](#parameters) section to configure the PVC or to disable per
|
||||
|
||||
### NetworkPolicy parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------- |
|
||||
| `networkPolicy.enabled` | Enable network policies | `false` |
|
||||
| `networkPolicy.ingress.enabled` | Enable network policy for Ingress Proxies | `false` |
|
||||
| `networkPolicy.ingress.namespaceSelector` | Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace. | `{}` |
|
||||
| `networkPolicy.ingress.podSelector` | Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods. | `{}` |
|
||||
| `networkPolicy.ingressRules.backendOnlyAccessibleByFrontend` | Enable ingress rule that makes the backend (mariadb) only accessible by Odoo's pods. | `false` |
|
||||
| `networkPolicy.ingressRules.customBackendSelector` | Backend selector labels. These labels will be used to identify the backend pods. | `{}` |
|
||||
| `networkPolicy.ingressRules.accessOnlyFrom.enabled` | Enable ingress rule that makes Odoo only accessible from a particular origin | `false` |
|
||||
| `networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access Odoo. This label will be used to identified the allowed namespace(s). | `{}` |
|
||||
| `networkPolicy.ingressRules.accessOnlyFrom.podSelector` | Pods selector label that is allowed to access Odoo. This label will be used to identified the allowed pod(s). | `{}` |
|
||||
| `networkPolicy.ingressRules.customRules` | Custom network policy ingress rule | `{}` |
|
||||
| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` |
|
||||
| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` |
|
||||
| Name | Description | Value |
|
||||
| --------------------------------------- | --------------------------------------------------------------- | ------ |
|
||||
| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
|
||||
| `networkPolicy.allowExternal` | Don't require server label for connections | `true` |
|
||||
| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
|
||||
| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
|
||||
| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
|
||||
| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
|
||||
| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
|
||||
|
||||
The above parameters map to the env variables defined in [bitnami/odoo](https://github.com/bitnami/containers/tree/main/bitnami/odoo). For more information please refer to the [bitnami/odoo](https://github.com/bitnami/containers/tree/main/bitnami/odoo) image documentation.
|
||||
|
||||
@@ -372,6 +374,18 @@ Find more information about how to deal with common errors related to Bitnami's
|
||||
|
||||
## Upgrading
|
||||
|
||||
### To 26.0.0
|
||||
|
||||
This major bump changes the following security defaults:
|
||||
|
||||
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
|
||||
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
|
||||
- The `networkPolicy` section has been normalized amongst all Bitnami charts. Compared to the previous approach, the values section has been simplified (check the Parameters section) and now it set to `enabled=true` by default. Egress traffic is allowed by default and ingress traffic is allowed by all pods but only to the ports set in `containerPorts` and `extraContainerPorts`.
|
||||
|
||||
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
|
||||
|
||||
Also, this major release bumps the PostgreSQL chart version to [15.x.x](https://github.com/bitnami/charts/pull/24171).
|
||||
|
||||
### To 24.0.0
|
||||
|
||||
This major updates the PostgreSQL subchart to its newest major, 13.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1300) you can find more information about the changes introduced in that version.
|
||||
|
||||
@@ -207,7 +207,7 @@ spec:
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: {{ coalesce .Values.containerPorts.http .Values.containerPort }}
|
||||
containerPort: {{ .Values.containerPorts.http }}
|
||||
{{- if .Values.extraContainerPorts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.extraContainerPorts "context" $) | nindent 12 }}
|
||||
{{- end }}
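Review bot: Replacing `coalesce .Values.containerPorts.http .Values.containerPort` with the bare `.Values.containerPorts.http` silently drops whatever fallback the top-level `containerPort` value provided; a user still setting it gets the default published with no render error, and since this release's NetworkPolicy only opens the ports listed in `containerPorts` and `extraContainerPorts`, a port configured only through the old key would presumably not be reachable either. The "To 26.0.0" upgrade notes in this commit do not mention this. Either keep the `coalesce` for one more major or add a bullet to that section such as `- The top-level containerPort value is no longer honored; set containerPorts.http instead.`. The container spec this `ports:` list belongs to starts and ends outside the hunk.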
|
||||
|
||||
@@ -1,30 +0,0 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.networkPolicy.enabled .Values.networkPolicy.ingressRules.backendOnlyAccessibleByFrontend }}
|
||||
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ printf "%s-backend" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{- if .Values.networkPolicy.ingressRules.customBackendSelector }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customBackendSelector "context" $) | nindent 6 }}
|
||||
{{- else }}
|
||||
app.kubernetes.io/name: postgresql
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end }}
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
|
||||
{{- end }}
|
||||
@@ -1,35 +0,0 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }}
|
||||
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ printf "%s-egress" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
policyTypes:
|
||||
- Egress
|
||||
egress:
|
||||
{{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }}
|
||||
- ports:
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
- port: 53
|
||||
protocol: TCP
|
||||
- to:
|
||||
- namespaceSelector: {}
|
||||
{{- end }}
|
||||
{{- if .Values.networkPolicy.egressRules.customRules }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -1,50 +0,0 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.ingress.enabled .Values.networkPolicy.ingressRules.accessOnlyFrom.enabled) }}
|
||||
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ printf "%s-ingress" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
ingress:
|
||||
{{- if and .Values.ingress.enabled .Values.networkPolicy.ingress.enabled (or .Values.networkPolicy.ingress.namespaceSelector .Values.networkPolicy.ingress.podSelector) }}
|
||||
- from:
|
||||
{{- if .Values.networkPolicy.ingress.namespaceSelector }}
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingress.namespaceSelector "context" $) | nindent 14 }}
|
||||
{{- end }}
|
||||
{{- if .Values.networkPolicy.ingress.podSelector }}
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingress.podSelector "context" $) | nindent 14 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if and .Values.networkPolicy.ingressRules.accessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector) }}
|
||||
- from:
|
||||
{{- if .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector }}
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector "context" $) | nindent 14 }}
|
||||
{{- end }}
|
||||
{{- if .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector }}
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector "context" $) | nindent 14 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.networkPolicy.ingressRules.customRules }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customRules "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
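--- /dev/null
+++ b/bitnami/odoo/templates/networkpolicy.yaml
@@ -0,0 +1,80 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+name: {{ template "common.names.fullname" . }}
+namespace: {{ include "common.names.namespace" . | quote }}
+labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+{{- if .Values.commonAnnotations }}
+annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+{{- end }}
+spec:
+{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+podSelector:
+matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+policyTypes:
+- Ingress
+- Egress
+{{- if .Values.networkPolicy.allowExternalEgress }}
+egress:
+- {}
+{{- else }}
+egress:
+# Allow dns resolution
+- ports:
+- port: 53
+protocol: UDP
+- port: 53
+protocol: TCP
+# Allow outbound connections to PostgreSQL
+- ports:
+- port: {{ include "odoo.databasePort" . }}
+{{- if .Values.postgresql.enabled }}
+to:
+- podSelector:
+matchLabels:
+app.kubernetes.io/name: postgresql
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+{{- if .Values.networkPolicy.extraEgress }}
+{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+{{- end }}
+{{- end }}
+ingress:
+- ports:
+- port: {{ .Values.containerPorts.http }}
+- port: {{ .Values.containerPorts.https }}
+{{- range .Values.extraContainerPorts }}
+- port: {{ .containerPort }}
+{{- end }}
+{{- if not .Values.networkPolicy.allowExternal }}
+from:
+- podSelector:
+matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+- podSelector:
+matchLabels:
+{{ template "common.names.fullname" . }}-client: "true"
+{{- if .Values.networkPolicy.ingressNSMatchLabels }}
+- namespaceSelector:
+matchLabels:
+{{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
+{{ $key | quote }}: {{ $value | quote }}
+{{- end }}
+{{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
+podSelector:
+matchLabels:
+{{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
+{{ $key | quote }}: {{ $value | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.networkPolicy.extraIngress }}
+{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+{{- end }}
+{{- end }}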
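Review bot: The ingress rule line `- port: {{ .Values.containerPorts.https }}` references a key that the values.yaml hunk later on this page (`containerPorts:` followed only by `http: 8069`) does not appear to define, so that entry would render with an empty port. A NetworkPolicyPort whose `port` is unset matches every port, which silently widens the ingress rule far beyond the HTTP port even when `allowExternal` is false. Either drop the line or wrap it in `{{- if .Values.containerPorts.https }}` … `{{- end }}`, and treat `extraContainerPorts` entries with an unset `containerPort` the same way. A comment above the `ingress:` block such as `# An entry with a nil port matches all ports; only emit ports that are actually set` would document the constraint for the next edit.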
@@ -190,12 +190,19 @@ replicaCount: 1
|
||||
##
|
||||
containerPorts:
|
||||
http: 8069
|
||||
## @param extraContainerPorts Optionally specify extra list of additional ports for Odoo container(s)
|
||||
## e.g:
|
||||
## extraContainerPorts:
|
||||
## - name: myservice
|
||||
## containerPort: 9090
|
||||
##
|
||||
extraContainerPorts: []
|
||||
## Odoo containers' resource requests and limits
|
||||
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
|
||||
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "none"
|
||||
resourcesPreset: "large"
|
||||
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
@@ -223,15 +230,30 @@ podSecurityContext:
|
||||
fsGroup: 0
|
||||
## Configure Container Security Context (only main container)
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
||||
## @param containerSecurityContext.enabled Enabled Odoo containers' Security Context
|
||||
## @param containerSecurityContext.enabled Enabled containers' Security Context
|
||||
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
|
||||
## @param containerSecurityContext.runAsUser Set Odoo container's Security Context runAsUser
|
||||
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
|
||||
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
|
||||
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
|
||||
## @param containerSecurityContext.privileged Set container's Security Context privileged
|
||||
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
|
||||
## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
|
||||
## @param containerSecurityContext.capabilities.add List of capabilities to be added
|
||||
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
|
||||
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
seLinuxOptions: {}
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
add: ["CHOWN", "FOWNER", "SYS_CHROOT", "SETGID", "SETUID", "DAC_OVERRIDE"]
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
## Configure extra options for Odoo containers' liveness and readiness probes
|
||||
@@ -266,7 +288,7 @@ readinessProbe:
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
failureThreshold: 6
|
||||
failureThreshold: 12
|
||||
successThreshold: 1
|
||||
## @param startupProbe.enabled Enable startupProbe
|
||||
## @param startupProbe.path Path to check for startupProbe
|
||||
@@ -385,13 +407,6 @@ extraVolumes: []
|
||||
## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Odoo container(s)
|
||||
##
|
||||
extraVolumeMounts: []
|
||||
## @param extraContainerPorts Optionally specify extra list of additional ports for Odoo container(s)
|
||||
## e.g:
|
||||
## extraContainerPorts:
|
||||
## - name: longpolling
|
||||
## containerPort: 8072
|
||||
##
|
||||
extraContainerPorts: []
|
||||
## @param sidecars Add additional sidecar containers to the Odoo pod
|
||||
## e.g:
|
||||
## sidecars:
|
||||
@@ -629,7 +644,7 @@ volumePermissions:
|
||||
## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "none"
|
||||
resourcesPreset: "nano"
|
||||
## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
@@ -650,7 +665,7 @@ volumePermissions:
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
seLinuxOptions: {}
|
||||
runAsUser: 0
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
@@ -741,77 +756,58 @@ externalDatabase:
|
||||
## @section NetworkPolicy parameters
|
||||
##
|
||||
|
||||
## Add networkpolicies
|
||||
## Network Policy configuration
|
||||
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
|
||||
##
|
||||
networkPolicy:
|
||||
## @param networkPolicy.enabled Enable network policies
|
||||
## If ingress.enabled or metrics.enabled are true, configure networkPolicy.ingress and networkPolicy.metrics selectors respectively to allow communication
|
||||
## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
|
||||
##
|
||||
enabled: false
|
||||
## @param networkPolicy.ingress.enabled Enable network policy for Ingress Proxies
|
||||
## @param networkPolicy.ingress.namespaceSelector Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace.
|
||||
## @param networkPolicy.ingress.podSelector Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods.
|
||||
enabled: true
|
||||
## @param networkPolicy.allowExternal Don't require server label for connections
|
||||
## The Policy model to apply. When set to false, only pods with the correct
|
||||
## server label will have network access to the ports server is listening
|
||||
## on. When true, server will accept connections from any source
|
||||
## (with the correct destination port).
|
||||
##
|
||||
ingress:
|
||||
enabled: false
|
||||
## e.g:
|
||||
## podSelector:
|
||||
## label: ingress
|
||||
##
|
||||
podSelector: {}
|
||||
## e.g:
|
||||
## namespaceSelector:
|
||||
## label: ingress
|
||||
##
|
||||
namespaceSelector: {}
|
||||
## @param networkPolicy.ingressRules.backendOnlyAccessibleByFrontend Enable ingress rule that makes the backend (mariadb) only accessible by Odoo's pods.
|
||||
## @param networkPolicy.ingressRules.customBackendSelector Backend selector labels. These labels will be used to identify the backend pods.
|
||||
## @param networkPolicy.ingressRules.accessOnlyFrom.enabled Enable ingress rule that makes Odoo only accessible from a particular origin
|
||||
## @param networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector Namespace selector label that is allowed to access Odoo. This label will be used to identified the allowed namespace(s).
|
||||
## @param networkPolicy.ingressRules.accessOnlyFrom.podSelector Pods selector label that is allowed to access Odoo. This label will be used to identified the allowed pod(s).
|
||||
## @param networkPolicy.ingressRules.customRules Custom network policy ingress rule
|
||||
allowExternal: true
|
||||
## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
|
||||
##
|
||||
ingressRules:
|
||||
## mariadb backend only can be accessed from Odoo
|
||||
##
|
||||
backendOnlyAccessibleByFrontend: false
|
||||
customBackendSelector: {}
|
||||
## Allow only from the indicated:
|
||||
##
|
||||
accessOnlyFrom:
|
||||
enabled: false
|
||||
## e.g:
|
||||
## namespaceSelector:
|
||||
## label: ingress
|
||||
##
|
||||
namespaceSelector: {}
|
||||
## e.g:
|
||||
## podSelector:
|
||||
## label: access
|
||||
##
|
||||
podSelector: {}
|
||||
## custom ingress rules
|
||||
## e.g:
|
||||
## customRules:
|
||||
## - from:
|
||||
## - namespaceSelector:
|
||||
## matchLabels:
|
||||
## label: example
|
||||
##
|
||||
customRules: {}
|
||||
## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53).
|
||||
## @param networkPolicy.egressRules.customRules Custom network policy rule
|
||||
allowExternalEgress: true
|
||||
## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
|
||||
## e.g:
|
||||
## extraIngress:
|
||||
## - ports:
|
||||
## - port: 1234
|
||||
## from:
|
||||
## - podSelector:
|
||||
## - matchLabels:
|
||||
## - role: frontend
|
||||
## - podSelector:
|
||||
## - matchExpressions:
|
||||
## - key: role
|
||||
## operator: In
|
||||
## values:
|
||||
## - frontend
|
||||
extraIngress: []
|
||||
## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
|
||||
## e.g:
|
||||
## extraEgress:
|
||||
## - ports:
|
||||
## - port: 1234
|
||||
## to:
|
||||
## - podSelector:
|
||||
## - matchLabels:
|
||||
## - role: frontend
|
||||
## - podSelector:
|
||||
## - matchExpressions:
|
||||
## - key: role
|
||||
## operator: In
|
||||
## values:
|
||||
## - frontend
|
||||
##
|
||||
egressRules:
|
||||
## Deny connections to external. This is not compatible with an external database.
|
||||
##
|
||||
denyConnectionsToExternal: false
|
||||
## Additional custom egress rules
|
||||
## e.g:
|
||||
## customRules:
|
||||
## - to:
|
||||
## - namespaceSelector:
|
||||
## matchLabels:
|
||||
## label: example
|
||||
##
|
||||
customRules: {}
|
||||
extraEgress: []
|
||||
## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
|
||||
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
|
||||
##
|
||||
ingressNSMatchLabels: {}
|
||||
ingressNSPodMatchLabels: {}
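Review bot: The `## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy` line should say `egress`, and the `extraIngress` line above it spells the resource `NetworkPolice`; both descriptions feed the README generated by the commit's readme-generator steps, so the errors propagate to user documentation. The embedded examples under both keys appear to list `matchLabels` and `matchExpressions` as sequence items beneath `- podSelector:`, which is not the object shape a NetworkPolicyPeer accepts, so rewriting them as `podSelector:` with a nested `matchLabels:` map would give users something they can paste. In the containerSecurityContext hunk earlier in this section, the new `add:` list (CHOWN, FOWNER, SYS_CHROOT, SETGID, SETUID, DAC_OVERRIDE) alongside `runAsUser: 0` and `runAsNonRoot: false` carries no comment explaining why each capability is required, which the "Set proper add capabilities" and "Add FOWNER capability" trailers suggest was settled by trial; a `##` line stating what they are needed for (presumably the root-started entrypoint before it drops privileges — worth confirming) would let operators trim the list safely.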
|
||||
|
||||