[bitnami/rabbitmq] Network policy review (#25900)

* [bitnami/rabbitmq] Network policy review Apply the same changes made in PR #25519 to the RabbitMQ chart Signed-off-by: Ben Foster <bpfoster@gmail.com> * Update bitnami/rabbitmq/templates/networkpolicy.yaml Co-authored-by: Fran Mulero <francisco-jose.mulero@broadcom.com> Signed-off-by: Ben Foster <bpfoster@gmail.com> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> --------- Signed-off-by: Ben Foster <bpfoster@gmail.com> Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Co-authored-by: Fran Mulero <francisco-jose.mulero@broadcom.com> Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
2026-02-27 06:48:01 +08:00 · 2024-05-22 03:34:35 -04:00
parent 4492bedb72
commit 4e28b72cff
5 changed files with 33 additions and 17 deletions
--- a/bitnami/rabbitmq/CHANGELOG.md
+++ b/bitnami/rabbitmq/CHANGELOG.md
@@ -1,8 +1,13 @@
 # Changelog

+## 14.3.0 (2024-05-21)
+
+* [bitnami/rabbitmq] Network policy review ([#25900](https://github.com/bitnami/charts/pulls/25900))
+
 ## 14.2.0 (2024-05-21)

-* [bitnami/rabbitmq] feat: :sparkles: :lock: Add warning when original images are replaced ([#26269](https://github.com/bitnami/charts/pulls/26269))
+* [bitnami/*] ci: :construction_worker: Add tag and changelog support (#25359) ([91c707c](https://github.com/bitnami/charts/commit/91c707c)), closes [#25359](https://github.com/bitnami/charts/issues/25359)
+* [bitnami/rabbitmq] feat: :sparkles: :lock: Add warning when original images are replaced (#26269) ([17516c1](https://github.com/bitnami/charts/commit/17516c1)), closes [#26269](https://github.com/bitnami/charts/issues/26269)

 ## <small>14.1.5 (2024-05-18)</small>

--- a/bitnami/rabbitmq/Chart.yaml
+++ b/bitnami/rabbitmq/Chart.yaml
@@ -30,4 +30,4 @@ maintainers:
 name: rabbitmq
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq
-version: 14.2.0
+version: 14.3.0
--- a/bitnami/rabbitmq/README.md
+++ b/bitnami/rabbitmq/README.md
@@ -623,10 +623,12 @@ You can enable this `initContainer` by setting `volumePermissions.enabled` to `t
 | `networkPolicy.kubeAPIServerPorts`      | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)                               | `[]`                     |
 | `networkPolicy.allowExternal`           | Don't require server label for connections                                                                                       | `true`                   |
 | `networkPolicy.allowExternalEgress`     | Allow the pod to access any range of port and all destinations.                                                                  | `true`                   |
+| `networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.                        | `true`                   |
 | `networkPolicy.extraIngress`            | Add extra ingress rules to the NetworkPolicy                                                                                     | `[]`                     |
 | `networkPolicy.extraEgress`             | Add extra ingress rules to the NetworkPolicy                                                                                     | `[]`                     |
-| `networkPolicy.ingressNSMatchLabels`    | Labels to match to allow traffic from other namespaces                                                                           | `{}`                     |
-| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces                                                                       | `{}`                     |
+| `networkPolicy.ingressPodMatchLabels`   | Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true.                              | `{}`                     |
+| `networkPolicy.ingressNSMatchLabels`    | Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.                        | `{}`                     |
+| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.                    | `{}`                     |

 ### Metrics Parameters

--- a/bitnami/rabbitmq/templates/networkpolicy.yaml
+++ b/bitnami/rabbitmq/templates/networkpolicy.yaml
@@ -66,23 +66,23 @@ spec:
      from:
        - podSelector:
            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
-        - podSelector:
-            matchLabels:
-              {{ include "common.names.fullname" . }}-client: "true"
        - podSelector:
            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
+        {{- if .Values.networkPolicy.addExternalClientAccess }}
+        - podSelector:
+            matchLabels:
+              {{ template "common.names.fullname" . }}-client: "true"
+        {{- end }}
+        {{- if .Values.networkPolicy.ingressPodMatchLabels }}
+        - podSelector:
+            matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }}
+        {{- end }}
        {{- if .Values.networkPolicy.ingressNSMatchLabels }}
        - namespaceSelector:
-            matchLabels:
-              {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
-              {{ $key | quote }}: {{ $value | quote }}
-              {{- end }}
+            matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressNSMatchLabels "context" $ ) | nindent 14 }}
          {{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
          podSelector:
-            matchLabels:
-              {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
-              {{ $key | quote }}: {{ $value | quote }}
-              {{- end }}
+            matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressNSPodMatchLabels "context" $ ) | nindent 14 }}
          {{- end }}
        {{- end }}
      {{- end }}
--- a/bitnami/rabbitmq/values.yaml
+++ b/bitnami/rabbitmq/values.yaml
@@ -1246,6 +1246,9 @@ networkPolicy:
  ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
  ##
  allowExternalEgress: true
+  ## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.
+  ##
+  addExternalClientAccess: true
  ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
  ## e.g:
  ## extraIngress:
@@ -1279,8 +1282,14 @@ networkPolicy:
  ##                   - frontend
  ##
  extraEgress: []
-  ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
-  ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+  ## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true.
+  ## e.g:
+  ## ingressPodMatchLabels:
+  ##   my-client: "true"
+  #
+  ingressPodMatchLabels: {}
+  ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
+  ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
  ##
  ingressNSMatchLabels: {}
  ingressNSPodMatchLabels: {}