Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-03-16 06:47:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/*] Add network policies - first batch (#8088)

Browse Source 
* [bitnami/discourse] Add Network Policies

* [bitnami/discourse] Update networkPolicy.enabled comment

* [bitnami/ejbca] Add Network Policies

* [bitnami/ghost] Add Network Policies

* [bitnami/jasperreports] Add Network Policies

* [bitnami/suitecrm] Add Network Policies

* [bitnami/discourse] Add endline to networkpolicy-backend-ingress-rules.yaml

* [bitnami/*] Cosmetic changes

* [bitnami/discourse] Rename network policy files

* [bitnami/*] Fix comments' format for readme-generator
This commit is contained in:
Pablo Galego
2021-11-17 16:09:17 +01:00
committed by GitHub
parent 5816c03620
commit 81ece48240
30 changed files with 1087 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bitnami/jasperreports/Chart.yaml
View File

@@ -30,4 +30,4 @@ name: jasperreports
sources:
- https://github.com/bitnami/bitnami-docker-jasperreports
- http://community.jaspersoft.com/project/jasperreports-server
version: 11.0.10
version: 11.1.0

18
bitnami/jasperreports/README.md
View File

@@ -194,6 +194,24 @@ The command removes all the Kubernetes components associated with the chart and
| `externalDatabase.database` | Name of the existing database | `bitnami_jasperreports` |
### NetworkPolicy parameters
| Name | Description | Value |
| ------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `networkPolicy.enabled` | Enable network policies | `false` |
| `networkPolicy.ingress.enabled` | Enable network policy for Ingress Proxies | `false` |
| `networkPolicy.ingress.namespaceSelector` | Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace. | `{}` |
| `networkPolicy.ingress.podSelector` | Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods. | `{}` |
| `networkPolicy.ingressRules.backendOnlyAccessibleByFrontend` | Enable ingress rule that makes the backend (mariadb) only accessible by Jasperreports' pods. | `false` |
| `networkPolicy.ingressRules.customBackendSelector` | Backend selector labels. These labels will be used to identify the backend pods. | `{}` |
| `networkPolicy.ingressRules.accessOnlyFrom.enabled` | Enable ingress rule that makes Jasperreports only accessible from a particular origin | `false` |
| `networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access Jasperreports. This label will be used to identified the allowed namespace(s). | `{}` |
| `networkPolicy.ingressRules.accessOnlyFrom.podSelector` | Pods selector label that is allowed to access Jasperreports. This label will be used to identified the allowed pod(s). | `{}` |
| `networkPolicy.ingressRules.customRules` | Custom network policy ingress rule | `{}` |
| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` |
| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` |
The above parameters map to the env variables defined in [bitnami/jasperreports](http://github.com/bitnami/bitnami-docker-jasperreports). For more information please refer to the [bitnami/jasperreports](http://github.com/bitnami/bitnami-docker-jasperreports) image documentation.
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

27
bitnami/jasperreports/templates/networkpolicy-backend-ingress.yaml Normal file
View File

@@ -0,0 +1,27 @@
{{- if and .Values.networkPolicy.enabled .Values.networkPolicy.ingressRules.backendOnlyAccessibleByFrontend }}
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
kind: NetworkPolicy
metadata:
name: {{ printf "%s-backend" (include "common.names.fullname" .) }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels:
{{- if .Values.networkPolicy.ingressRules.customBackendSelector }}
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customBackendSelector "context" $) | nindent 6 }}
{{- else }}
app.kubernetes.io/name: mariadb
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
ingress:
- from:
- podSelector:
matchLabels:
{{- include "common.labels.matchLabels" . | nindent 14 }}
{{- end }}

32
bitnami/jasperreports/templates/networkpolicy-egress.yaml Normal file
View File

@@ -0,0 +1,32 @@
{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }}
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
kind: NetworkPolicy
metadata:
name: {{ printf "%s-egress" (include "common.names.fullname" .) }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/instance: {{ .Release.Name }}
policyTypes:
- Egress
egress:
{{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }}
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
- to:
- namespaceSelector: {}
{{- end }}
{{- if .Values.networkPolicy.egressRules.customRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }}
{{- end }}
{{- end }}

47
bitnami/jasperreports/templates/networkpolicy-ingress.yaml Normal file
View File

@@ -0,0 +1,47 @@
{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.ingress.enabled .Values.networkPolicy.ingressRules.accessOnlyFrom.enabled) }}
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
kind: NetworkPolicy
metadata:
name: {{ printf "%s-ingress" (include "common.names.fullname" .) }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels:
{{- include "common.labels.standard" . | nindent 6 }}
ingress:
{{- if and .Values.ingress.enabled .Values.networkPolicy.ingress.enabled (or .Values.networkPolicy.ingress.namespaceSelector .Values.networkPolicy.ingress.podSelector) }}
- from:
{{- if .Values.networkPolicy.ingress.namespaceSelector }}
- namespaceSelector:
matchLabels:
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingress.namespaceSelector "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.networkPolicy.ingress.podSelector }}
- podSelector:
matchLabels:
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingress.podSelector "context" $) | nindent 14 }}
{{- end}}
{{- end }}
{{- if and .Values.networkPolicy.ingressRules.accessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector) }}
- from:
{{- if .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector }}
- namespaceSelector:
matchLabels:
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector }}
- podSelector:
matchLabels:
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector "context" $) | nindent 14 }}
{{- end }}
{{- end }}
{{- if .Values.networkPolicy.ingressRules.customRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customRules "context" $) | nindent 4 }}
{{- end }}
{{- end }}

77
bitnami/jasperreports/values.yaml
View File

@@ -514,3 +514,80 @@ externalDatabase:
## @param externalDatabase.database Name of the existing database
##
database: bitnami_jasperreports
## @section NetworkPolicy parameters
## Add networkpolicies
##
networkPolicy:
## @param networkPolicy.enabled Enable network policies
## If ingress.enabled or metrics.enabled are true, configure networkPolicy.ingress and networkPolicy.metrics selectors respectively to allow communication
##
enabled: false
## @param networkPolicy.ingress.enabled Enable network policy for Ingress Proxies
## @param networkPolicy.ingress.namespaceSelector Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace.
## @param networkPolicy.ingress.podSelector Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods.
##
ingress:
enabled: false
## e.g:
## podSelector:
## label: ingress
##
podSelector: {}
## e.g:
## namespaceSelector:
## label: ingress
##
namespaceSelector: {}
## @param networkPolicy.ingressRules.backendOnlyAccessibleByFrontend Enable ingress rule that makes the backend (mariadb) only accessible by Jasperreports' pods.
## @param networkPolicy.ingressRules.customBackendSelector Backend selector labels. These labels will be used to identify the backend pods.
## @param networkPolicy.ingressRules.accessOnlyFrom.enabled Enable ingress rule that makes Jasperreports only accessible from a particular origin
## @param networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector Namespace selector label that is allowed to access Jasperreports. This label will be used to identified the allowed namespace(s).
## @param networkPolicy.ingressRules.accessOnlyFrom.podSelector Pods selector label that is allowed to access Jasperreports. This label will be used to identified the allowed pod(s).
## @param networkPolicy.ingressRules.customRules Custom network policy ingress rule
##
ingressRules:
## mariadb backend only can be accessed from Jasperreports
##
backendOnlyAccessibleByFrontend: false
customBackendSelector: {}
## Allow only from the indicated:
##
accessOnlyFrom:
enabled: false
## e.g:
## namespaceSelector:
## label: ingress
##
namespaceSelector: {}
## e.g:
## podSelector:
## label: access
##
podSelector: {}
## custom ingress rules
## e.g:
## customRules:
## - from:
## - namespaceSelector:
## matchLabels:
## label: example
##
customRules: {}
## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53).
## @param networkPolicy.egressRules.customRules Custom network policy rule
##
egressRules:
## Deny connections to external. This is not compatible with an external database.
##
denyConnectionsToExternal: false
## Additional custom egress rules
## e.g:
## customRules:
## - to:
## - namespaceSelector:
## matchLabels:
## label: example
##
customRules: {}