From 3436bc4e7c2e79c3bc98625b547026928719efd9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?= Date: Mon, 12 Feb 2024 10:49:58 +0100 Subject: [PATCH] [bitnami/harbor] feat: :lock: Enable networkPolicy (#23205) 
Signed-off-by: Javier Salmeron Garcia --- bitnami/harbor/Chart.yaml | 2 +- bitnami/harbor/README.md | 49 +++ .../templates/core/core-cm-envvars.yaml | 2 +- bitnami/harbor/templates/core/core-cm.yaml | 2 +- .../core/core-config-override-secret.yaml | 2 +- bitnami/harbor/templates/core/core-dpl.yaml | 2 +- .../templates/core/core-networkpolicy.yaml | 130 ++++++ .../templates/core/core-secret-envvars.yaml | 2 +- .../harbor/templates/core/core-secret.yaml | 2 +- bitnami/harbor/templates/core/core-svc.yaml | 2 +- .../exporter/exporter-cm-envvars.yaml | 2 +- .../templates/exporter/exporter-dpl.yaml | 4 +- .../exporter/exporter-networkpolicy.yaml | 117 ++++++ .../exporter/exporter-secret-envvars.yaml | 2 +- .../templates/exporter/exporter-svc.yaml | 2 +- .../templates/ingress/core-ingress.yaml | 2 +- .../harbor/templates/ingress/tls-secret.yaml | 2 +- .../internal/internal-crt-secret.yaml | 10 +- .../jobservice/jobservice-cm-envvars.yaml | 2 +- .../jobservice/jobservice-config-secret.yaml | 2 +- .../templates/jobservice/jobservice-dpl.yaml | 2 +- .../jobservice/jobservice-networkpolicy.yaml | 121 ++++++ .../templates/jobservice/jobservice-pvc.yaml | 2 +- .../jobservice/jobservice-secret-envvars.yaml | 2 +- .../jobservice/jobservice-secrets.yaml | 2 +- .../templates/jobservice/jobservice-svc.yaml | 2 +- .../templates/nginx/configmap-http.yaml | 2 +- .../templates/nginx/configmap-https.yaml | 2 +- .../harbor/templates/nginx/deployment.yaml | 2 +- .../harbor/templates/nginx/networkpolicy.yaml | 83 ++++ bitnami/harbor/templates/nginx/service.yaml | 2 +- .../harbor/templates/nginx/tls-secret.yaml | 2 +- .../harbor/templates/portal/portal-cm.yaml | 2 +- .../harbor/templates/portal/portal-dpl.yaml | 2 +- .../portal/portal-networkpolicy.yaml | 75 ++++ .../harbor/templates/portal/portal-svc.yaml | 2 +- .../templates/registry/registry-cm.yaml | 2 +- .../registry/registry-ctl-cm-envvars.yaml | 2 +- .../templates/registry/registry-dpl.yaml | 2 +- 
.../registry/registry-networkpolicy.yaml | 123 ++++++ .../templates/registry/registry-pvc.yaml | 2 +- .../templates/registry/registry-secret.yaml | 2 +- .../templates/registry/registry-svc.yaml | 2 +- .../templates/trivy/trivy-cm-envvars.yaml | 2 +- .../templates/trivy/trivy-networkpolicy.yaml | 121 ++++++ .../templates/trivy/trivy-secret-envvars.yaml | 2 +- bitnami/harbor/templates/trivy/trivy-sts.yaml | 2 +- bitnami/harbor/templates/trivy/trivy-svc.yaml | 2 +- bitnami/harbor/values.yaml | 385 ++++++++++++++++++ 49 files changed, 1249 insertions(+), 45 deletions(-) create mode 100644 bitnami/harbor/templates/core/core-networkpolicy.yaml create mode 100644 bitnami/harbor/templates/exporter/exporter-networkpolicy.yaml create mode 100644 bitnami/harbor/templates/jobservice/jobservice-networkpolicy.yaml create mode 100644 bitnami/harbor/templates/nginx/networkpolicy.yaml create mode 100644 bitnami/harbor/templates/portal/portal-networkpolicy.yaml create mode 100644 bitnami/harbor/templates/registry/registry-networkpolicy.yaml create mode 100644 bitnami/harbor/templates/trivy/trivy-networkpolicy.yaml diff --git a/bitnami/harbor/Chart.yaml b/bitnami/harbor/Chart.yaml index 2b461402ed..230915609b 100644 --- a/bitnami/harbor/Chart.yaml +++ b/bitnami/harbor/Chart.yaml @@ -55,4 +55,4 @@ maintainers: name: harbor sources: - https://github.com/bitnami/charts/tree/main/bitnami/harbor -version: 19.5.0 +version: 19.6.0 diff --git a/bitnami/harbor/README.md b/bitnami/harbor/README.md index 8a0a7f52ab..e594701a27 100644 --- a/bitnami/harbor/README.md +++ b/bitnami/harbor/README.md 
@@ -336,6 +336,13 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `nginx.initContainers` | Add additional init containers to the NGINX pods | `[]` | | `nginx.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the NGINX pods | `[]` | | `nginx.extraVolumes` | Optionally specify extra list of additional volumes for the NGINX pods | `[]` | +| `nginx.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `nginx.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `nginx.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `nginx.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `nginx.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `nginx.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `nginx.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Harbor Portal Parameters 
@@ -417,6 +424,13 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `portal.automountServiceAccountToken` | Automount service account token | `false` | | `portal.service.ports.http` | Harbor Portal HTTP service port | `80` | | `portal.service.ports.https` | Harbor Portal HTTPS service port | `443` | +| `portal.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `portal.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `portal.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `portal.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `portal.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `portal.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `portal.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Harbor Core Parameters 
@@ -512,6 +526,13 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `core.service.ports.http` | Harbor Core HTTP service port | `80` | | `core.service.ports.https` | Harbor Core HTTPS service port | `443` | | `core.service.ports.metrics` | Harbor Core metrics service port | `8001` | +| `core.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `core.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `core.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `core.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `core.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `core.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `core.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Harbor Jobservice Parameters 
@@ -600,6 +621,13 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `jobservice.service.ports.http` | Harbor Jobservice HTTP service port | `80` | | `jobservice.service.ports.https` | Harbor Jobservice HTTPS service port | `443` | | `jobservice.service.ports.metrics` | Harbor Jobservice HTTPS service port | `8001` | +| `jobservice.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `jobservice.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `jobservice.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `jobservice.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `jobservice.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `jobservice.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `jobservice.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Harbor Registry Parameters 
@@ -645,6 +673,13 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `registry.extraVolumes` | Optionally specify extra list of additional volumes for the Harbor Registry pods | `[]` | | `registry.serviceAccountName` | Set the service account name for the Registry pods | `""` | | `registry.automountServiceAccountToken` | Automount service account token | `false` | +| `registry.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `registry.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `registry.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `registry.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `registry.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `registry.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `registry.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | | `registry.server.image.registry` | Harbor Registry image registry | `REGISTRY_NAME` | | `registry.server.image.repository` | Harbor Registry image repository | `REPOSITORY_NAME/harbor-registry` | | `registry.server.image.digest` | Harbor Registry image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | 
@@ -836,6 +871,13 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `trivy.automountServiceAccountToken` | Automount service account token | `false` | | `trivy.service.ports.http` | Trivy HTTP service port | `8080` | | `trivy.service.ports.https` | Trivy HTTPS service port | `8443` | +| `trivy.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `trivy.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `trivy.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `trivy.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `trivy.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `trivy.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `trivy.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Harbor Exporter Parameters 
@@ -914,6 +956,13 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `exporter.sidecars` | Attach additional containers to the pod (evaluated as a template) | `[]` | | `exporter.automountServiceAccountToken` | Automount service account token | `false` | | `exporter.service.ports.metrics` | Exporter HTTP service port | `8001` | +| `exporter.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `exporter.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `exporter.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `exporter.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `exporter.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `exporter.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `exporter.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### PostgreSQL Parameters diff --git a/bitnami/harbor/templates/core/core-cm-envvars.yaml b/bitnami/harbor/templates/core/core-cm-envvars.yaml index 167cf1053e..7d3be7fc72 100644 --- a/bitnami/harbor/templates/core/core-cm-envvars.yaml +++ b/bitnami/harbor/templates/core/core-cm-envvars.yaml 
@@ -9,7 +9,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-envvars" (include "harbor.core" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.core.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/core/core-cm.yaml b/bitnami/harbor/templates/core/core-cm.yaml index 796cc3aa65..4411e41a33 100644 --- a/bitnami/harbor/templates/core/core-cm.yaml +++ b/bitnami/harbor/templates/core/core-cm.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "harbor.core" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.core.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/core/core-config-override-secret.yaml b/bitnami/harbor/templates/core/core-config-override-secret.yaml index bf21ef2453..e1c965cd9c 100644 --- a/bitnami/harbor/templates/core/core-config-override-secret.yaml +++ b/bitnami/harbor/templates/core/core-config-override-secret.yaml 
@@ -8,7 +8,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ printf "%s-config-override" (include "harbor.core" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.core.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/core/core-dpl.yaml b/bitnami/harbor/templates/core/core-dpl.yaml index 8b5e88f7dc..12a1dd7529 100644 --- a/bitnami/harbor/templates/core/core-dpl.yaml +++ b/bitnami/harbor/templates/core/core-dpl.yaml @@ -7,7 +7,7 @@ apiVersion: {{ template "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ include "harbor.core" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.core.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/core/core-networkpolicy.yaml b/bitnami/harbor/templates/core/core-networkpolicy.yaml new file mode 100644 index 0000000000..0f65887ac9 --- /dev/null +++ b/bitnami/harbor/templates/core/core-networkpolicy.yaml 
@@ -0,0 +1,130 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.core.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ include "harbor.core" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: core
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.core.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: core
+ policyTypes:
+ - Ingress
+ - Egress
+ {{- if .Values.core.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ # Allow dns resolution
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ # Allow outbound connections to jobservice
+ - ports:
+ - port: {{ ternary .Values.jobservice.containerPorts.https .Values.jobservice.containerPorts.http .Values.internalTLS.enabled }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: jobservice
+ # Allow outbound connections to core
+ - ports:
+ - port: {{ ternary .Values.core.containerPorts.https .Values.core.containerPorts.http .Values.internalTLS.enabled }}
+ {{- if .Values.metrics.enabled }}
+ - port: {{ .Values.core.containerPorts.metrics }}
+ {{- end }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: core
+ # Allow outbound connections to registry
+ - ports:
+ - port: {{ ternary .Values.registry.server.containerPorts.https .Values.registry.server.containerPorts.http .Values.internalTLS.enabled }}
+ - port: {{ ternary .Values.registry.controller.containerPorts.https .Values.registry.controller.containerPorts.http .Values.internalTLS.enabled }}
+ - port: {{ .Values.registry.server.containerPorts.debug }}
+ {{- if .Values.metrics.enabled }}
+ - port: {{ .Values.registry.server.containerPorts.metrics }}
+ {{- end }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: registry
+ # Allow outbound connections to trivy
+ - ports:
+ - port: {{ ternary .Values.trivy.containerPorts.https .Values.trivy.containerPorts.http .Values.internalTLS.enabled }}
+ {{- if .Values.metrics.enabled }}
+ - port: {{ .Values.trivy.containerPorts.metrics }}
+ {{- end }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: trivy
+ # Allow outbound connections to redis
+ - ports:
+ - port: {{ include "harbor.redis.port" . | trimAll "\"" | int }}
+ {{- if .Values.redis.enabled }}
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: redis
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- end }}
+ # Allow outbound connections to postgresql
+ - ports:
+ - port: {{ include "harbor.database.port" . | trimAll "\"" | int }}
+ {{- if .Values.postgresql.enabled }}
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- end }}
+ {{- if .Values.core.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.core.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: {{ ternary .Values.core.containerPorts.https .Values.core.containerPorts.http .Values.internalTLS.enabled }}
+ {{- if .Values.metrics.enabled }}
+ - port: {{ .Values.core.containerPorts.metrics }}
+ {{- end }}
+ {{- if not .Values.core.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ - podSelector:
+ matchLabels:
+ {{ template "harbor.core" . }}-client: "true"
+ {{- if .Values.core.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.core.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.core.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.core.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.core.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.core.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/harbor/templates/core/core-secret-envvars.yaml b/bitnami/harbor/templates/core/core-secret-envvars.yaml
index ce98a063b8..33b6f73561 100644
--- a/bitnami/harbor/templates/core/core-secret-envvars.yaml
+++ b/bitnami/harbor/templates/core/core-secret-envvars.yaml
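Review bot: The restricted egress branch after `{{- else }}` lists only DNS, the sibling Harbor components, Redis and PostgreSQL, so with `core.networkPolicy.allowExternalEgress: false` every outbound call core makes to an endpoint outside the release — OIDC or LDAP identity providers, replication and proxy-cache upstream registries, webhook receivers — is dropped, and neither the template nor the values description says so (an external Redis or PostgreSQL stays reachable because the `to:` selector is omitted when `redis.enabled` / `postgresql.enabled` are false). I would open that branch with `# Only in-cluster destinations are listed here; identity providers, replication targets and webhook endpoints must be added through core.networkPolicy.extraEgress` and carry the same sentence into the `extraEgress` description in values.yaml (outside this chunk), whose generated README rows currently read "Add extra ingress rules" for `extraEgress` and misspell "NetworkPolice". Separately, the `{{ template "harbor.core" . }}-client: "true"` selector appends `-client` to a name that the `harbor.core` helper (not in this patch) presumably already truncates near the 63-character limit, so for long release names the label key can exceed that limit and the whole NetworkPolicy would be rejected by the API server; worth checking whether the key needs its own `trunc`.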
@@ -8,7 +8,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ printf "%s-envvars" (include "harbor.core" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.core.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/core/core-secret.yaml b/bitnami/harbor/templates/core/core-secret.yaml index a541897ae5..c4d0b0f34d 100644 --- a/bitnami/harbor/templates/core/core-secret.yaml +++ b/bitnami/harbor/templates/core/core-secret.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "harbor.core" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.core.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/core/core-svc.yaml b/bitnami/harbor/templates/core/core-svc.yaml index 32926aeef4..f04e2f4f6d 100644 --- a/bitnami/harbor/templates/core/core-svc.yaml +++ b/bitnami/harbor/templates/core/core-svc.yaml 
@@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: name: {{ include "harbor.core" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.core.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/exporter/exporter-cm-envvars.yaml b/bitnami/harbor/templates/exporter/exporter-cm-envvars.yaml index 9be66ac702..ad13b2bf07 100644 --- a/bitnami/harbor/templates/exporter/exporter-cm-envvars.yaml +++ b/bitnami/harbor/templates/exporter/exporter-cm-envvars.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "harbor.exporter" . }}-envvars - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.exporter.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/exporter/exporter-dpl.yaml b/bitnami/harbor/templates/exporter/exporter-dpl.yaml index 8227f59d30..96dd6ee1d2 100644 --- a/bitnami/harbor/templates/exporter/exporter-dpl.yaml +++ b/bitnami/harbor/templates/exporter/exporter-dpl.yaml 
@@ -3,12 +3,12 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.metrics.enabled}} +{{- if .Values.metrics.enabled }} apiVersion: {{ template "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ include "harbor.exporter" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.exporter.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/exporter/exporter-networkpolicy.yaml b/bitnami/harbor/templates/exporter/exporter-networkpolicy.yaml new file mode 100644 index 0000000000..7749221f8d --- /dev/null +++ b/bitnami/harbor/templates/exporter/exporter-networkpolicy.yaml 
@@ -0,0 +1,117 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.metrics.enabled .Values.exporter.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ include "harbor.exporter" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: core
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.exporter.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: core
+ policyTypes:
+ - Ingress
+ - Egress
+ {{- if .Values.exporter.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ # Allow dns resolution
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ # Allow outbound connections to jobservice
+ - ports:
+ - port: {{ .Values.jobservice.containerPorts.metrics }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: jobservice
+ # Allow outbound connections to core
+ - ports:
+ - port: {{ ternary .Values.core.containerPorts.https .Values.core.containerPorts.http .Values.internalTLS.enabled }}
+ - port: {{ .Values.core.containerPorts.metrics }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: core
+ # Allow outbound connections to registry
+ - ports:
+ - port: {{ .Values.registry.server.containerPorts.metrics }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: registry
+ # Allow outbound connections to trivy
+ - ports:
+ - port: {{ .Values.trivy.containerPorts.metrics }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: trivy
+ # Allow outbound connections to redis
+ - ports:
+ - port: {{ include "harbor.redis.port" . | trimAll "\"" | int }}
+ {{- if .Values.redis.enabled }}
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: redis
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- end }}
+ # Allow outbound connections to postgresql
+ - ports:
+ - port: {{ include "harbor.database.port" . | trimAll "\"" | int }}
+ {{- if .Values.postgresql.enabled }}
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- end }}
+ {{- if .Values.exporter.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.exporter.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: {{ .Values.exporter.containerPorts.metrics }}
+ {{- if not .Values.exporter.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ - podSelector:
+ matchLabels:
+ {{ template "harbor.exporter" . }}-client: "true"
+ {{- if .Values.exporter.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.exporter.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.exporter.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.exporter.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.exporter.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.exporter.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/harbor/templates/exporter/exporter-secret-envvars.yaml b/bitnami/harbor/templates/exporter/exporter-secret-envvars.yaml
index a1970d47e0..99781f659b 100644
--- a/bitnami/harbor/templates/exporter/exporter-secret-envvars.yaml
+++ b/bitnami/harbor/templates/exporter/exporter-secret-envvars.yaml
@@ -8,7 +8,7 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: {{ include "harbor.exporter" . }}-envvars
- namespace: {{ .Release.Namespace | quote }}
+ namespace: {{ include "common.names.namespace" . | quote }}
 {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.exporter.image "chart" .Chart ) ) }}
 {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
 labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
diff --git a/bitnami/harbor/templates/exporter/exporter-svc.yaml b/bitnami/harbor/templates/exporter/exporter-svc.yaml
index 4987139c6c..8a99fc54fb 100644
--- a/bitnami/harbor/templates/exporter/exporter-svc.yaml
+++ b/bitnami/harbor/templates/exporter/exporter-svc.yaml
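Review bot: Both `app.kubernetes.io/component: core` lines in this new file — the one under `metadata.labels` and the one under `spec.podSelector.matchLabels` — look copied from the core template and make this policy select the core pods rather than the exporter pods. NetworkPolicy rules are additive, so the core pods would gain an extra ingress on `exporter.containerPorts.metrics` plus this egress set, while the exporter pods stay unselected and keep whatever the cluster's default allows; the exporter Deployment's label block is not in this patch, but it presumably sets the component to `exporter`. Both lines should read `app.kubernetes.io/component: exporter`; `$podLabels` already merges `exporter.podLabels`, so the rest of the selector is consistent with that.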
@@ -8,7 +8,7 @@ apiVersion: v1 kind: Service metadata: name: "{{ template "harbor.exporter" . }}" - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.exporter.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/ingress/core-ingress.yaml b/bitnami/harbor/templates/ingress/core-ingress.yaml index 276a499974..cf0048f7de 100644 --- a/bitnami/harbor/templates/ingress/core-ingress.yaml +++ b/bitnami/harbor/templates/ingress/core-ingress.yaml @@ -30,7 +30,7 @@ apiVersion: {{ template "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: name: {{ include "harbor.ingress" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} annotations: {{- if .Values.internalTLS.enabled }} diff --git a/bitnami/harbor/templates/ingress/tls-secret.yaml b/bitnami/harbor/templates/ingress/tls-secret.yaml index a96f048c12..6f9409386a 100644 --- a/bitnami/harbor/templates/ingress/tls-secret.yaml +++ b/bitnami/harbor/templates/ingress/tls-secret.yaml 
@@ -28,7 +28,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/internal/internal-crt-secret.yaml b/bitnami/harbor/templates/internal/internal-crt-secret.yaml index 80f68eb2a9..fa6a0bd1e4 100644 --- a/bitnami/harbor/templates/internal/internal-crt-secret.yaml +++ b/bitnami/harbor/templates/internal/internal-crt-secret.yaml @@ -14,7 +14,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: core type: kubernetes.io/tls @@ -32,7 +32,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: jobservice type: kubernetes.io/tls @@ -50,7 +50,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: registry type: kubernetes.io/tls 
@@ -68,7 +68,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: portal type: kubernetes.io/tls @@ -86,7 +86,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: trivy type: kubernetes.io/tls diff --git a/bitnami/harbor/templates/jobservice/jobservice-cm-envvars.yaml b/bitnami/harbor/templates/jobservice/jobservice-cm-envvars.yaml index 36ec296fcf..421ea4228f 100644 --- a/bitnami/harbor/templates/jobservice/jobservice-cm-envvars.yaml +++ b/bitnami/harbor/templates/jobservice/jobservice-cm-envvars.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-envvars" (include "harbor.jobservice" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.jobservice.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/jobservice/jobservice-config-secret.yaml b/bitnami/harbor/templates/jobservice/jobservice-config-secret.yaml index 7b1ef0b9fa..b43f63e6b0 100644 --- a/bitnami/harbor/templates/jobservice/jobservice-config-secret.yaml +++ b/bitnami/harbor/templates/jobservice/jobservice-config-secret.yaml 
@@ -7,7 +7,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "harbor.jobservice" . }}-config - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.jobservice.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/jobservice/jobservice-dpl.yaml b/bitnami/harbor/templates/jobservice/jobservice-dpl.yaml index c79b46a59b..c21c0957b7 100644 --- a/bitnami/harbor/templates/jobservice/jobservice-dpl.yaml +++ b/bitnami/harbor/templates/jobservice/jobservice-dpl.yaml @@ -7,7 +7,7 @@ apiVersion: {{ template "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ include "harbor.jobservice" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.jobservice.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/jobservice/jobservice-networkpolicy.yaml b/bitnami/harbor/templates/jobservice/jobservice-networkpolicy.yaml new file mode 100644 index 0000000000..0c1704e9f8 --- /dev/null +++ b/bitnami/harbor/templates/jobservice/jobservice-networkpolicy.yaml 
@@ -0,0 +1,121 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.jobservice.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ include "harbor.jobservice" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: jobservice
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.jobservice.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: jobservice
+ policyTypes:
+ - Ingress
+ - Egress
+ {{- if .Values.jobservice.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ # Allow dns resolution
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ # Allow outbound connections to jobservice
+ - ports:
+ - port: {{ ternary .Values.jobservice.containerPorts.https .Values.jobservice.containerPorts.http .Values.internalTLS.enabled }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: jobservice
+ # Allow outbound connections to core
+ - ports:
+ - port: {{ ternary .Values.core.containerPorts.https .Values.core.containerPorts.http .Values.internalTLS.enabled }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: core
+ # Allow outbound connections to registry
+ - ports:
+ - port: {{ ternary .Values.registry.server.containerPorts.https .Values.registry.server.containerPorts.http .Values.internalTLS.enabled }}
+ - port: {{ ternary .Values.registry.controller.containerPorts.https .Values.registry.controller.containerPorts.http .Values.internalTLS.enabled }}
+ - port: {{ .Values.registry.server.containerPorts.debug }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: registry
+ # Allow outbound connections to trivy
+ - ports:
+ - port: {{ ternary .Values.trivy.containerPorts.https .Values.trivy.containerPorts.http .Values.internalTLS.enabled }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: trivy
+ # Allow outbound connections to redis
+ - ports:
+ - port: {{ include "harbor.redis.port" . | trimAll "\"" | int }}
+ {{- if .Values.redis.enabled }}
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: redis
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- end }}
+ # Allow outbound connections to postgresql
+ - ports:
+ - port: {{ include "harbor.database.port" . | trimAll "\"" | int }}
+ {{- if .Values.postgresql.enabled }}
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- end }}
+ {{- if .Values.jobservice.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.jobservice.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: {{ ternary .Values.jobservice.containerPorts.https .Values.jobservice.containerPorts.http .Values.internalTLS.enabled }}
+ {{- if .Values.metrics.enabled }}
+ - port: {{ .Values.jobservice.containerPorts.metrics }}
+ {{- end }}
+ {{- if not .Values.jobservice.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ - podSelector:
+ matchLabels:
+ {{ template "harbor.jobservice" . }}-client: "true"
+ {{- if .Values.jobservice.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.jobservice.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.jobservice.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.jobservice.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.jobservice.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.jobservice.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/harbor/templates/jobservice/jobservice-pvc.yaml b/bitnami/harbor/templates/jobservice/jobservice-pvc.yaml
index 05edc6e2d2..6fc21aee69 100644
--- a/bitnami/harbor/templates/jobservice/jobservice-pvc.yaml
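Review bot: The egress rule to registry also opens `{{ .Values.registry.server.containerPorts.debug }}`, and the first egress rule lets jobservice reach jobservice; both look carried over from another component's policy rather than derived from what jobservice actually talks to, so unless a jobservice-to-registry-debug path exists the line `- port: {{ .Values.registry.server.containerPorts.debug }}` should be dropped to keep the policy at least privilege. The registry policy further down carries the same egress list and the same debug-port line. Separately, `app.kubernetes.io/instance: {{ .Release.Name }}` in the redis and postgresql selectors is unquoted; Helm accepts an all-digit release name, which would render as an integer label value and be rejected by the API server, so `app.kubernetes.io/instance: {{ .Release.Name | quote }}` is the safer form.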
+++ b/bitnami/harbor/templates/jobservice/jobservice-pvc.yaml @@ -9,7 +9,7 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: name: {{ include "harbor.jobservice" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.jobservice.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/jobservice/jobservice-secret-envvars.yaml b/bitnami/harbor/templates/jobservice/jobservice-secret-envvars.yaml index 0b7af7846a..1ad5efa4bf 100644 --- a/bitnami/harbor/templates/jobservice/jobservice-secret-envvars.yaml +++ b/bitnami/harbor/templates/jobservice/jobservice-secret-envvars.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ printf "%s-envvars" (include "harbor.jobservice" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.jobservice.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/jobservice/jobservice-secrets.yaml b/bitnami/harbor/templates/jobservice/jobservice-secrets.yaml index 98828d59d8..14012aaba9 100644 --- a/bitnami/harbor/templates/jobservice/jobservice-secrets.yaml +++ b/bitnami/harbor/templates/jobservice/jobservice-secrets.yaml 
@@ -8,7 +8,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "harbor.jobservice" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.jobservice.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/jobservice/jobservice-svc.yaml b/bitnami/harbor/templates/jobservice/jobservice-svc.yaml index c8c996ffa8..2289da24ee 100644 --- a/bitnami/harbor/templates/jobservice/jobservice-svc.yaml +++ b/bitnami/harbor/templates/jobservice/jobservice-svc.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: name: {{ include "harbor.jobservice" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.jobservice.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/nginx/configmap-http.yaml b/bitnami/harbor/templates/nginx/configmap-http.yaml index 7bc01a361a..72d11c6f81 100644 --- a/bitnami/harbor/templates/nginx/configmap-http.yaml +++ b/bitnami/harbor/templates/nginx/configmap-http.yaml 
@@ -9,7 +9,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "harbor.nginx" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.nginx.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/nginx/configmap-https.yaml b/bitnami/harbor/templates/nginx/configmap-https.yaml index af81b63f0a..3ebf8b4e7f 100644 --- a/bitnami/harbor/templates/nginx/configmap-https.yaml +++ b/bitnami/harbor/templates/nginx/configmap-https.yaml @@ -9,7 +9,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "harbor.nginx" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.nginx.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/nginx/deployment.yaml b/bitnami/harbor/templates/nginx/deployment.yaml index 247630dea6..7664d652b1 100644 --- a/bitnami/harbor/templates/nginx/deployment.yaml +++ b/bitnami/harbor/templates/nginx/deployment.yaml 
@@ -8,7 +8,7 @@ apiVersion: {{ template "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ include "harbor.nginx" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.nginx.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/nginx/networkpolicy.yaml b/bitnami/harbor/templates/nginx/networkpolicy.yaml new file mode 100644 index 0000000000..d15d01d0de --- /dev/null +++ b/bitnami/harbor/templates/nginx/networkpolicy.yaml 
@@ -0,0 +1,83 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and (eq .Values.exposureType "proxy") .Values.nginx.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ include "harbor.nginx" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: jobservice
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.nginx.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: jobservice
+ policyTypes:
+ - Ingress
+ - Egress
+ {{- if .Values.nginx.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ # Allow dns resolution
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ # Allow outbound connections to core
+ - ports:
+ - port: {{ ternary .Values.core.containerPorts.https .Values.core.containerPorts.http .Values.internalTLS.enabled }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: core
+ # Allow outbound connections to portal
+ - ports:
+ - port: {{ ternary .Values.portal.containerPorts.https .Values.portal.containerPorts.http .Values.internalTLS.enabled }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: portal
+ {{- if .Values.nginx.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.nginx.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: {{ .Values.nginx.containerPorts.http }}
+ - port: {{ .Values.nginx.containerPorts.https }}
+ {{- if not .Values.nginx.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ - podSelector:
+ matchLabels:
+ {{ template "harbor.nginx" . }}-client: "true"
+ {{- if .Values.nginx.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.nginx.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.nginx.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.nginx.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.nginx.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.nginx.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/harbor/templates/nginx/service.yaml b/bitnami/harbor/templates/nginx/service.yaml
index 4f7457bac2..2c0f3970ea 100644
--- a/bitnami/harbor/templates/nginx/service.yaml
+++ b/bitnami/harbor/templates/nginx/service.yaml
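Review bot: Both `app.kubernetes.io/component:` lines in this policy say `jobservice` — once under `metadata.labels` and, more importantly, once inside `spec.podSelector.matchLabels` — so the rendered policy never selects the nginx pods and instead attaches itself to the jobservice pods. Because NetworkPolicy allow rules are additive, that leaves nginx without any isolation and widens what the jobservice pods may receive (the nginx http/https ports) and send (egress to portal), the opposite of what the commit sets out to do. Both lines should read `app.kubernetes.io/component: nginx`, and a rendered-template check that the selector matches the nginx Deployment's pod labels would catch a repeat of this copy-paste slip.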
@@ -8,7 +8,7 @@ apiVersion: v1 kind: Service metadata: name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.nginx.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/nginx/tls-secret.yaml b/bitnami/harbor/templates/nginx/tls-secret.yaml index ad4521dc86..adea4b507f 100644 --- a/bitnami/harbor/templates/nginx/tls-secret.yaml +++ b/bitnami/harbor/templates/nginx/tls-secret.yaml @@ -11,7 +11,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.nginx.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/portal/portal-cm.yaml b/bitnami/harbor/templates/portal/portal-cm.yaml index f4cfd9244a..008866910c 100644 --- a/bitnami/harbor/templates/portal/portal-cm.yaml +++ b/bitnami/harbor/templates/portal/portal-cm.yaml 
@@ -8,7 +8,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "harbor.portal" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.portal.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/portal/portal-dpl.yaml b/bitnami/harbor/templates/portal/portal-dpl.yaml index 35eb05f7ae..f8b3023901 100644 --- a/bitnami/harbor/templates/portal/portal-dpl.yaml +++ b/bitnami/harbor/templates/portal/portal-dpl.yaml @@ -7,7 +7,7 @@ apiVersion: {{ template "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ include "harbor.portal" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.portal.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/portal/portal-networkpolicy.yaml b/bitnami/harbor/templates/portal/portal-networkpolicy.yaml new file mode 100644 index 0000000000..9212dfe09b --- /dev/null +++ b/bitnami/harbor/templates/portal/portal-networkpolicy.yaml 
@@ -0,0 +1,75 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.portal.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ include "harbor.portal" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: portal
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.portal.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: portal
+ policyTypes:
+ - Ingress
+ - Egress
+ {{- if .Values.portal.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ # Allow dns resolution
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ # Allow outbound connections to core
+ - ports:
+ - port: {{ ternary .Values.core.containerPorts.https .Values.core.containerPorts.http .Values.internalTLS.enabled }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: core
+ {{- if .Values.portal.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.portal.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: {{ ternary .Values.portal.containerPorts.https .Values.portal.containerPorts.http .Values.internalTLS.enabled }}
+ {{- if not .Values.portal.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ - podSelector:
+ matchLabels:
+ {{ template "harbor.portal" . }}-client: "true"
+ {{- if .Values.portal.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.portal.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.portal.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.portal.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.portal.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.portal.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/harbor/templates/portal/portal-svc.yaml b/bitnami/harbor/templates/portal/portal-svc.yaml
index 010015b71b..186b9fb253 100644
--- a/bitnami/harbor/templates/portal/portal-svc.yaml
+++ b/bitnami/harbor/templates/portal/portal-svc.yaml
@@ -7,7 +7,7 @@ apiVersion: v1
 kind: Service
 metadata:
 name: {{ include "harbor.portal" . }}
- namespace: {{ .Release.Namespace | quote }}
+ namespace: {{ include "common.names.namespace" . | quote }}
 {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.portal.image "chart" .Chart ) ) }}
 {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
 labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
diff --git a/bitnami/harbor/templates/registry/registry-cm.yaml b/bitnami/harbor/templates/registry/registry-cm.yaml
index d121e7ac39..76a61f922b 100644
--- a/bitnami/harbor/templates/registry/registry-cm.yaml
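Review bot: The `{{- if not .Values.portal.networkPolicy.allowExternal }}` branch admits only pods carrying the release's common labels or the `{{ template "harbor.portal" . }}-client: "true"` label, and nothing in the template says what that means for the ingress exposure path, where the controller that forwards to the portal Service usually lives in another namespace and will be dropped unless `ingressNSMatchLabels` (and optionally `ingressNSPodMatchLabels`) are set. If the README does not already spell this out, a comment above that line such as `# With allowExternal=false, an ingress controller in another namespace must be admitted via ingressNSMatchLabels/ingressNSPodMatchLabels` would save operators a silent outage when they flip the flag; the same note applies to every other policy in this commit that uses the identical `allowExternal` block.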
+++ b/bitnami/harbor/templates/registry/registry-cm.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "harbor.registry" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.registry.server.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/registry/registry-ctl-cm-envvars.yaml b/bitnami/harbor/templates/registry/registry-ctl-cm-envvars.yaml index d7611f960e..73a4e905cb 100644 --- a/bitnami/harbor/templates/registry/registry-ctl-cm-envvars.yaml +++ b/bitnami/harbor/templates/registry/registry-ctl-cm-envvars.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-ctl-envvars" (include "harbor.registry" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.registry.server.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/registry/registry-dpl.yaml b/bitnami/harbor/templates/registry/registry-dpl.yaml index ae1d21ab8b..859ab1590a 100644 --- a/bitnami/harbor/templates/registry/registry-dpl.yaml +++ b/bitnami/harbor/templates/registry/registry-dpl.yaml 
@@ -7,7 +7,7 @@ apiVersion: {{ template "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ include "harbor.registry" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.registry.server.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/registry/registry-networkpolicy.yaml b/bitnami/harbor/templates/registry/registry-networkpolicy.yaml new file mode 100644 index 0000000000..5f525974b1 --- /dev/null +++ b/bitnami/harbor/templates/registry/registry-networkpolicy.yaml 
@@ -0,0 +1,123 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.registry.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "harbor.registry" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: registry + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.registry.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: registry + policyTypes: + - Ingress + - Egress + {{- if .Values.registry.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to jobservice + - ports: + - port: {{ ternary .Values.jobservice.containerPorts.https .Values.jobservice.containerPorts.http .Values.internalTLS.enabled }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: jobservice + # Allow outbound connections to core + - ports: + - port: {{ ternary .Values.core.containerPorts.https .Values.core.containerPorts.http .Values.internalTLS.enabled }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: core + # Allow 
outbound connections to registry + - ports: + - port: {{ ternary .Values.registry.server.containerPorts.https .Values.registry.server.containerPorts.http .Values.internalTLS.enabled }} + - port: {{ ternary .Values.registry.controller.containerPorts.https .Values.registry.controller.containerPorts.http .Values.internalTLS.enabled }} + - port: {{ .Values.registry.server.containerPorts.debug }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: registry + # Allow outbound connections to trivy + - ports: + - port: {{ ternary .Values.trivy.containerPorts.https .Values.trivy.containerPorts.http .Values.internalTLS.enabled }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: trivy + # Allow outbound connections to redis + - ports: + - port: {{ include "harbor.redis.port" . | trimAll "\"" | int }} + {{- if .Values.redis.enabled }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: redis + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to postgresql + - ports: + - port: {{ include "harbor.database.port" . 
| trimAll "\"" | int }} + {{- if .Values.postgresql.enabled }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + {{- if .Values.registry.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.registry.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ ternary .Values.registry.server.containerPorts.https .Values.registry.server.containerPorts.http .Values.internalTLS.enabled }} + - port: {{ ternary .Values.registry.controller.containerPorts.https .Values.registry.controller.containerPorts.http .Values.internalTLS.enabled }} + - port: {{ .Values.registry.server.containerPorts.debug }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.registry.server.containerPorts.metrics }} + {{- end }} + {{- if not .Values.registry.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "harbor.registry" . }}-client: "true" + {{- if .Values.registry.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.registry.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.registry.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.registry.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.registry.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.registry.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} 
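Review bot: The restricted egress list in the `{{- else }}` branch of `registry.networkPolicy.allowExternalEgress` opens the registry pods to jobservice, core, registry, trivy, redis and postgresql, and the same six stanzas appear verbatim in the trivy template on L46–L48, so this reads as a shared template rather than a per-component allowlist. As far as I can tell from Harbor's data flow, the registry server and registryctl only need core (token service and event webhooks) and redis; the jobservice, trivy and postgresql stanzas could be dropped here so that `allowExternalEgress: false` yields least privilege instead of a release-wide any-to-any between components. When `redis.enabled` or `postgresql.enabled` is false, the corresponding rule keeps only `ports:` with no `to:`, which permits that port to any destination (same in the trivy hunk); a comment such as `# external redis/postgresql: restrict the destination via registry.networkPolicy.extraEgress (ipBlock) if required` would make that trade-off visible to operators. Unlike the metrics port, `registry.server.containerPorts.debug` is admitted in `ingress` unconditionally; if it is only consumed when metrics are scraped, wrapping it in the same `{{- if .Values.metrics.enabled }}` guard would narrow the exposed surface.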
diff --git a/bitnami/harbor/templates/registry/registry-pvc.yaml b/bitnami/harbor/templates/registry/registry-pvc.yaml index 6044812728..ab9165b621 100644 --- a/bitnami/harbor/templates/registry/registry-pvc.yaml +++ b/bitnami/harbor/templates/registry/registry-pvc.yaml @@ -9,7 +9,7 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: name: {{ include "harbor.registry" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.registry.server.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/registry/registry-secret.yaml b/bitnami/harbor/templates/registry/registry-secret.yaml index c3b4ee35de..4b305b8cd8 100644 --- a/bitnami/harbor/templates/registry/registry-secret.yaml +++ b/bitnami/harbor/templates/registry/registry-secret.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "harbor.registry" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.registry.server.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/registry/registry-svc.yaml b/bitnami/harbor/templates/registry/registry-svc.yaml index 3df417cbba..7f84ee5125 100644 --- a/bitnami/harbor/templates/registry/registry-svc.yaml 
+++ b/bitnami/harbor/templates/registry/registry-svc.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: name: {{ include "harbor.registry" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.registry.server.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/trivy/trivy-cm-envvars.yaml b/bitnami/harbor/templates/trivy/trivy-cm-envvars.yaml index 2ce4176f8b..d837c87d51 100644 --- a/bitnami/harbor/templates/trivy/trivy-cm-envvars.yaml +++ b/bitnami/harbor/templates/trivy/trivy-cm-envvars.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-envvars" (include "harbor.trivy" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.trivy.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/trivy/trivy-networkpolicy.yaml b/bitnami/harbor/templates/trivy/trivy-networkpolicy.yaml new file mode 100644 index 0000000000..6bd3722dce --- /dev/null +++ b/bitnami/harbor/templates/trivy/trivy-networkpolicy.yaml 
@@ -0,0 +1,121 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.trivy.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "harbor.trivy" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: trivy + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.trivy.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: trivy + policyTypes: + - Ingress + - Egress + {{- if .Values.trivy.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to jobservice + - ports: + - port: {{ ternary .Values.jobservice.containerPorts.https .Values.jobservice.containerPorts.http .Values.internalTLS.enabled }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: jobservice + # Allow outbound connections to core + - ports: + - port: {{ ternary .Values.core.containerPorts.https .Values.core.containerPorts.http .Values.internalTLS.enabled }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: core + # Allow outbound connections to 
registry + - ports: + - port: {{ ternary .Values.registry.server.containerPorts.https .Values.registry.server.containerPorts.http .Values.internalTLS.enabled }} + - port: {{ ternary .Values.registry.controller.containerPorts.https .Values.registry.controller.containerPorts.http .Values.internalTLS.enabled }} + - port: {{ .Values.registry.server.containerPorts.debug }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: registry + # Allow outbound connections to trivy + - ports: + - port: {{ ternary .Values.trivy.containerPorts.https .Values.trivy.containerPorts.http .Values.internalTLS.enabled }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: trivy + # Allow outbound connections to redis + - ports: + - port: {{ include "harbor.redis.port" . | trimAll "\"" | int }} + {{- if .Values.redis.enabled }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: redis + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to postgresql + - ports: + - port: {{ include "harbor.database.port" . 
| trimAll "\"" | int }} + {{- if .Values.postgresql.enabled }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + {{- if .Values.trivy.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.trivy.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ ternary .Values.trivy.containerPorts.https .Values.trivy.containerPorts.http .Values.internalTLS.enabled }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.trivy.containerPorts.metrics }} + {{- end }} + {{- if not .Values.trivy.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "harbor.trivy" . }}-client: "true" + {{- if .Values.trivy.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.trivy.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.trivy.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.trivy.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.trivy.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.trivy.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/harbor/templates/trivy/trivy-secret-envvars.yaml b/bitnami/harbor/templates/trivy/trivy-secret-envvars.yaml index bda73ee119..0f8eb2a18c 100644 --- a/bitnami/harbor/templates/trivy/trivy-secret-envvars.yaml +++ b/bitnami/harbor/templates/trivy/trivy-secret-envvars.yaml 
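Review bot: With `trivy.networkPolicy.allowExternalEgress: false` the `{{- else }}` branch allows only DNS, the in-release components, redis and postgresql, so a Trivy adapter that fetches its vulnerability database from outside the cluster at runtime would have that download blocked with no hint from the chart. Either the values documentation for this flag should state that an `extraEgress` rule to the database source is needed in that mode, or the template should carry a comment above the egress block such as `# NOTE: DB updates from outside the cluster require trivy.networkPolicy.extraEgress when allowExternalEgress is false`. The adapter also appears to need only redis (job state) plus the core/registry endpoints it pulls images from; the jobservice and postgresql stanzas look copy-pasted from the other component templates and could be removed unless that dependency is confirmed.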
@@ -8,7 +8,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ printf "%s-envvars" (include "harbor.trivy" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.trivy.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/trivy/trivy-sts.yaml b/bitnami/harbor/templates/trivy/trivy-sts.yaml index 4a690153eb..5c315e2ac8 100644 --- a/bitnami/harbor/templates/trivy/trivy-sts.yaml +++ b/bitnami/harbor/templates/trivy/trivy-sts.yaml @@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} kind: StatefulSet metadata: name: {{ include "harbor.trivy" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.trivy.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/templates/trivy/trivy-svc.yaml b/bitnami/harbor/templates/trivy/trivy-svc.yaml index 3522fdd788..ef4c069cba 100644 --- a/bitnami/harbor/templates/trivy/trivy-svc.yaml +++ b/bitnami/harbor/templates/trivy/trivy-svc.yaml 
@@ -8,7 +8,7 @@ apiVersion: v1 kind: Service metadata: name: {{ include "harbor.trivy" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.trivy.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/harbor/values.yaml b/bitnami/harbor/values.yaml index 207be4ddb0..c728314d97 100644 --- a/bitnami/harbor/values.yaml +++ b/bitnami/harbor/values.yaml 
@@ -916,6 +916,61 @@ nginx: ## @param nginx.extraVolumes Optionally specify extra list of additional volumes for the NGINX pods ## extraVolumes: [] + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param nginx.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param nginx.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param nginx.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param nginx.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param nginx.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param nginx.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param nginx.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Harbor Portal Parameters ## 
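Review bot: The added `nginx.networkPolicy` stanza carries two copy-paste documentation errors that recur in the portal, core, jobservice, registry, trivy and exporter hunks (L52–L57): `extraIngress` is described as rules for the "NetworkPolice", and `extraEgress` is described as "Add extra ingress rules" where it should say egress. The `e.g:` examples under both parameters write `matchLabels` and `matchExpressions` as sequence items (`- podSelector: - matchLabels: - role: frontend`), which is not a valid `podSelector` and a copy of it would be rejected by API-server schema validation; it should read `- podSelector:` / `    matchLabels:` / `      role: frontend`, with `matchExpressions` likewise a mapping key under `podSelector`. Because `enabled`, `allowExternal` and `allowExternalEgress` all default to `true`, the rendered policy (see the templates on L41–L48) allows all egress and accepts ingress from any source on the listed ports, so the `enabled` description should say that the component is not isolated until the two `allow*` flags are set to `false`. The `allowExternal` text speaks of a "server label", while the templates actually key on a `<component-name>-client: "true"` pod label; naming that label here would spare users a trip to the template.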
@@ -1199,6 +1254,61 @@ portal: ports: http: 80 https: 443 + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param portal.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param portal.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param portal.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param portal.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param portal.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param portal.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param portal.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Harbor Core Parameters ## 
@@ -1543,6 +1653,61 @@ core: http: 80 https: 443 metrics: 8001 + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param core.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param core.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param core.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param core.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param core.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param core.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param core.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Harbor Jobservice Parameters ## 
@@ -1849,6 +2014,61 @@ jobservice: http: 80 https: 443 metrics: 8001 + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param jobservice.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param jobservice.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param jobservice.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param jobservice.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param jobservice.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param jobservice.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param jobservice.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Harbor Registry Parameters ## 
@@ -2032,6 +2252,61 @@ registry: ## @param registry.automountServiceAccountToken Automount service account token ## automountServiceAccountToken: false + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param registry.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param registry.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param registry.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param registry.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param registry.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param registry.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param registry.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## Harbor Registry main container 
parameters ## server: @@ -2679,6 +2954,61 @@ trivy: ports: http: 8080 https: 8443 + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param trivy.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param trivy.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param trivy.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param trivy.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param trivy.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param trivy.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param trivy.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Harbor Exporter Parameters ## 
@@ -2940,6 +3270,61 @@ exporter: ## ports: metrics: 8001 + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param exporter.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param exporter.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param exporter.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param exporter.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param exporter.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param exporter.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param exporter.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section PostgreSQL Parameters ##