diff --git a/bitnami/kong/Chart.yaml b/bitnami/kong/Chart.yaml
index 79e51ce6d2..a8a1227725 100644
--- a/bitnami/kong/Chart.yaml
+++ b/bitnami/kong/Chart.yaml
@@ -45,4 +45,4 @@ maintainers:
 name: kong
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/kong
-version: 10.4.2
+version: 10.5.0
diff --git a/bitnami/kong/README.md b/bitnami/kong/README.md
index 37fbfaed38..82e30f24d3 100644
--- a/bitnami/kong/README.md
+++ b/bitnami/kong/README.md
@@ -183,41 +183,49 @@ helm delete my-release
 
 ### Traffic Exposure Parameters
 
-| Name | Description | Value |
-| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
-| `service.type` | Kubernetes Service type | `ClusterIP` |
-| `service.exposeAdmin` | Add the Kong Admin ports to the service | `false` |
-| `service.disableHttpPort` | Disable Kong proxy HTTP and Kong admin HTTP ports | `false` |
-| `service.ports.proxyHttp` | Kong proxy service HTTP port | `80` |
-| `service.ports.proxyHttps` | Kong proxy service HTTPS port | `443` |
-| `service.ports.adminHttp` | Kong admin service HTTP port (only if service.exposeAdmin=true) | `8001` |
-| `service.ports.adminHttps` | Kong admin service HTTPS port (only if service.exposeAdmin=true) | `8444` |
-| `service.nodePorts.proxyHttp` | NodePort for the Kong proxy HTTP endpoint | `""` |
-| `service.nodePorts.proxyHttps` | NodePort for the Kong proxy HTTPS endpoint | `""` |
-| `service.nodePorts.adminHttp` | NodePort for the Kong admin HTTP endpoint | `""` |
-| `service.nodePorts.adminHttps` | NodePort for the Kong admin HTTPS endpoint | `""` |
-| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
-| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
-| `service.clusterIP` | Cluster internal IP of the service | `""` |
-| `service.externalTrafficPolicy` | external traffic policy managing client source IP preservation | `""` |
-| `service.loadBalancerIP` | loadBalancerIP if kong service type is `LoadBalancer` | `""` |
-| `service.loadBalancerSourceRanges` | Kong service Load Balancer sources | `[]` |
-| `service.annotations` | Annotations for Kong service | `{}` |
-| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
-| `ingress.enabled` | Enable ingress controller resource | `false` |
-| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
-| `ingress.pathType` | Ingress path type | `ImplementationSpecific` |
-| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
-| `ingress.hostname` | Default host for the ingress resource | `kong.local` |
-| `ingress.path` | Ingress path | `/` |
-| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
-| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` |
-| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
-| `ingress.extraHosts` | The list of additional hostnames to be covered with this ingress record. | `[]` |
-| `ingress.extraPaths` | Additional arbitrary path/backend objects | `[]` |
-| `ingress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` |
-| `ingress.secrets` | If you're providing your own certificates, please use this to add the certificates as secrets | `[]` |
-| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
+| Name | Description | Value |
+| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
+| `service.type` | Kubernetes Service type | `ClusterIP` |
+| `service.exposeAdmin` | Add the Kong Admin ports to the service | `false` |
+| `service.disableHttpPort` | Disable Kong proxy HTTP and Kong admin HTTP ports | `false` |
+| `service.ports.proxyHttp` | Kong proxy service HTTP port | `80` |
+| `service.ports.proxyHttps` | Kong proxy service HTTPS port | `443` |
+| `service.ports.adminHttp` | Kong admin service HTTP port (only if service.exposeAdmin=true) | `8001` |
+| `service.ports.adminHttps` | Kong admin service HTTPS port (only if service.exposeAdmin=true) | `8444` |
+| `service.nodePorts.proxyHttp` | NodePort for the Kong proxy HTTP endpoint | `""` |
+| `service.nodePorts.proxyHttps` | NodePort for the Kong proxy HTTPS endpoint | `""` |
+| `service.nodePorts.adminHttp` | NodePort for the Kong admin HTTP endpoint | `""` |
+| `service.nodePorts.adminHttps` | NodePort for the Kong admin HTTPS endpoint | `""` |
+| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
+| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `service.clusterIP` | Cluster internal IP of the service | `""` |
+| `service.externalTrafficPolicy` | external traffic policy managing client source IP preservation | `""` |
+| `service.loadBalancerIP` | loadBalancerIP if kong service type is `LoadBalancer` | `""` |
+| `service.loadBalancerSourceRanges` | Kong service Load Balancer sources | `[]` |
+| `service.annotations` | Annotations for Kong service | `{}` |
+| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
+| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
+| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
+| `ingress.enabled` | Enable ingress controller resource | `false` |
+| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
+| `ingress.pathType` | Ingress path type | `ImplementationSpecific` |
+| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
+| `ingress.hostname` | Default host for the ingress resource | `kong.local` |
+| `ingress.path` | Ingress path | `/` |
+| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
+| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` |
+| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
+| `ingress.extraHosts` | The list of additional hostnames to be covered with this ingress record. | `[]` |
+| `ingress.extraPaths` | Additional arbitrary path/backend objects | `[]` |
+| `ingress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` |
+| `ingress.secrets` | If you're providing your own certificates, please use this to add the certificates as secrets | `[]` |
+| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
 
 ### Kong Ingress Controller Container Parameters
 
diff --git a/bitnami/kong/templates/migrate-job-networkpolicy.yaml b/bitnami/kong/templates/migrate-job-networkpolicy.yaml
new file mode 100644
index 0000000000..59530c6c24
--- /dev/null
+++ b/bitnami/kong/templates/migrate-job-networkpolicy.yaml
@@ -0,0 +1,68 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.networkPolicy.enabled (or (eq .Values.database "postgresql") (eq .Values.database "cassandra")) }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ template "common.names.fullname" . }}-migrate
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: migration
+ policyTypes:
+ - Ingress
+ - Egress
+ {{- if .Values.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ - ports:
+ # Allow dns resolution
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ {{- if (eq .Values.database "postgresql") }}
+ # Allow connection to PostgreSQL
+ - ports:
+ - port: {{ include "kong.postgresql.port" . | trimAll "\"" | int }}
+ {{- if .Values.postgresql.enabled }}
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- end }}
+ {{- end }}
+ {{- if (eq .Values.database "cassandra") }}
+ # Allow connection to Cassandra
+ - ports:
+ - port: {{ include "kong.cassandra.port" . | trimAll "\"" | int }}
+ {{- if .Values.cassandra.enabled }}
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: cassandra
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ {{- if .Values.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/kong/templates/networkpolicy.yaml b/bitnami/kong/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..68507697d9
--- /dev/null
+++ b/bitnami/kong/templates/networkpolicy.yaml
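Review bot: The policy's own metadata label `app.kubernetes.io/component: server` does not match the pods it selects, whose podSelector carries `app.kubernetes.io/component: migration`; the NetworkPolicy object should be labelled `app.kubernetes.io/component: migration` so label-based tooling attributes it to the migration job rather than to the server. Two egress behaviours deserve a comment because they are easy to misread: the DNS rule, and the database-port rule whenever `postgresql.enabled` / `cassandra.enabled` is false, carry no `to:` selector, so they permit egress to that port on any destination (presumably intended for external databases; confirm), e.g. `# no "to" selector: with an external database the DB port is reachable on any destination`. Likewise `ingress:` renders empty unless `networkPolicy.extraIngress` is set, which together with `policyTypes: Ingress` denies all inbound traffic to the migration pod; a line such as `# empty ingress list: the migration job accepts no inbound connections` would make that intent explicit. The same unscoped database-port egress appears in networkpolicy.yaml.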
@@ -0,0 +1,107 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: server
+ policyTypes:
+ - Ingress
+ - Egress
+ {{- if .Values.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ - ports:
+ # Allow dns resolution
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ {{- if .Values.ingressController.enabled }}
+ # Allow access to kube-apiserver
+ {{- range $port := .Values.networkPolicy.kubeAPIServerPorts }}
+ - port: {{ $port }}
+ {{- end }}
+ {{- end }}
+ {{- if (eq .Values.database "postgresql") }}
+ # Allow connection to PostgreSQL
+ - ports:
+ - port: {{ include "kong.postgresql.port" . | trimAll "\"" | int }}
+ {{- if .Values.postgresql.enabled }}
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- end }}
+ {{- end }}
+ {{- if (eq .Values.database "cassandra") }}
+ # Allow connection to Cassandra
+ - ports:
+ - port: {{ include "kong.cassandra.port" . | trimAll "\"" | int }}
+ {{- if .Values.cassandra.enabled }}
+ to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: cassandra
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: {{ .Values.kong.containerPorts.proxyHttp }}
+ - port: {{ .Values.kong.containerPorts.proxyHttps }}
+ - port: {{ .Values.kong.containerPorts.adminHttp }}
+ - port: {{ .Values.kong.containerPorts.adminHttps }}
+ {{- if .Values.metrics.enabled }}
+ - port: {{ .Values.metrics.containerPorts.http }}
+ {{- end }}
+ {{- if .Values.ingressController.enabled }}
+ - port: {{ .Values.ingressController.containerPorts.health }}
+ {{- end }}
+ {{- if not .Values.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ - podSelector:
+ matchLabels:
+ {{ template "common.names.fullname" . }}-client: "true"
+ {{- if .Values.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/bitnami/kong/values.yaml b/bitnami/kong/values.yaml
index 81a969f49c..9e068d7c74 100644
--- a/bitnami/kong/values.yaml
+++ b/bitnami/kong/values.yaml
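Review bot: The ingress rule opens the admin API container ports `kong.containerPorts.adminHttp` and `kong.containerPorts.adminHttps` to every source whenever `networkPolicy.allowExternal` is true (the default), even though the Service only publishes those ports when `service.exposeAdmin` is true; if the ingress-controller sidecar reaches the admin API over loopback inside the pod, which NetworkPolicy does not govern (inferred, please confirm), those two `- port:` lines could be wrapped in `{{- if .Values.service.exposeAdmin }}` … `{{- end }}` so the admin API is reachable from other pods only when the chart deliberately exposes it. The kube-apiserver block in the egress section appends the `kubeAPIServerPorts` entries to the same rule as DNS without a `to:` selector, so it allows egress to any destination on 443/6443/8443, not only to the API server; a comment like `# ports only, no destination selector: these ports are reachable on any peer` would stop readers assuming it is scoped. The values.yaml and README description for `networkPolicy.extraEgress`, which this template renders, reads "Add extra ingress rules" and should say "egress".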
@@ -477,6 +477,64 @@ service:
 ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
 ##
 extraPorts: []
+## Network Policies
+## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+##
+networkPolicy:
+ ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
+ ##
+ kubeAPIServerPorts: [443, 6443, 8443]
+ ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
 ## Configure the ingress resource that allows you to access the
 ## Kong installation. Set up the URL