[bitnami/opensearch] feat: 🔒 Enable networkPolicy (#22870)

* [bitnami/opensearch] feat: 🔒 Enable networkPolicy

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* fix: 🐛 Add allowExternalEgress to avoid breaking istio

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* fix: 🐛 Set correct values for networkpolicy

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-02-01 11:31:52 +01:00
committed by GitHub
parent a55b6091f3
commit aa5df1fa93
8 changed files with 75 additions and 21 deletions

View File

@@ -30,4 +30,4 @@ maintainers:
name: opensearch
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/opensearch
version: 0.8.3
version: 0.9.0
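Review bot: a minor bump to `0.9.0` is the right signal for a change that flips `networkPolicy.enabled` to `true` for every component, but a default change of this kind also deserves an upgrade note in the README: users on a CNI that enforces NetworkPolicy will see traffic to non-listed ports blocked after upgrading, while `allowExternalEgress: true` keeps egress open. One or two sentences under the upgrading section would save a support issue.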

View File

@@ -280,8 +280,9 @@ helm delete --purge my-release
| `master.serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` |
| `master.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
| `master.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
| `master.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
| `master.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
| `master.networkPolicy.allowExternal` | The Policy model to apply | `true` |
| `master.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `master.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `master.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `master.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
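Review bot: the `master.networkPolicy.extraEgress` row in this hunk (unchanged context) still reads `Add extra ingress rules to the NetworkPolicy`; since the table is being edited anyway, fix it to `egress`. The two new rows are also vaguer than they need to be: `The Policy model to apply` does not say what `allowExternal` controls (per the values.yaml comment in this same change, it decides whether ingress is restricted to pods carrying the client label), and `Allow the pod to access any range of port and all destinations.` reads better as `Allow egress to any destination and port; set to false to restrict egress to DNS and cluster ports`.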
@@ -389,8 +390,9 @@ helm delete --purge my-release
| `data.serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` |
| `data.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
| `data.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
| `data.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
| `data.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
| `data.networkPolicy.allowExternal` | The Policy model to apply | `true` |
| `data.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `data.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `data.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `data.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
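Review bot: same wording issues as the master table: `data.networkPolicy.extraEgress` is described as adding `ingress` rules, `The Policy model to apply` should say that `allowExternal: false` limits ingress to labelled client pods, and the `allowExternalEgress` description should mention that `false` is the restrictive setting, since `true` is the default and disables the egress allowlist in the template.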
@@ -490,8 +492,9 @@ helm delete --purge my-release
| `coordinating.serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` |
| `coordinating.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
| `coordinating.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
| `coordinating.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
| `coordinating.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
| `coordinating.networkPolicy.allowExternal` | The Policy model to apply | `true` |
| `coordinating.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `coordinating.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `coordinating.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `coordinating.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
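Review bot: `coordinating.networkPolicy.extraEgress` says `Add extra ingress rules`; should be `egress`. Also worth stating in the `extraEgress` row that the rules are only rendered when `allowExternalEgress` is `false`, because in the template the `{{- end }}` of the `allowExternalEgress` conditional sits after the `extraEgress` block.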
@@ -592,8 +595,9 @@ helm delete --purge my-release
| `ingest.serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` |
| `ingest.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
| `ingest.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
| `ingest.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
| `ingest.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
| `ingest.networkPolicy.allowExternal` | The Policy model to apply | `true` |
| `ingest.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `ingest.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `ingest.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `ingest.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
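Review bot: `ingest.networkPolicy.extraEgress` is described as `Add extra ingress rules to the NetworkPolicy`; copy-paste slip, should read `egress`. The `allowExternal` description (`The Policy model to apply`) would be clearer as `Allow ingress from any source; when false only pods with the client label can reach the listed ports`.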
@@ -773,8 +777,9 @@ helm delete --purge my-release
| `dashboards.serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` |
| `dashboards.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
| `dashboards.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
| `dashboards.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
| `dashboards.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
| `dashboards.networkPolicy.allowExternal` | The Policy model to apply | `true` |
| `dashboards.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `dashboards.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `dashboards.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `dashboards.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
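Review bot: `dashboards.networkPolicy.extraEgress` still says `Add extra ingress rules`; should be `egress`. For the dashboards component specifically, the `allowExternal` row is the one users will care about most (it decides whether the UI port accepts traffic from any pod), so `The Policy model to apply` deserves a real description here.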

View File

@@ -23,6 +23,10 @@ spec:
policyTypes:
- Ingress
- Egress
{{- if .Values.coordinating.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
# Allow dns resolution
- ports:
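Review bot: with `allowExternalEgress` defaulting to `true`, the `egress: - {}` branch is what ships by default, so the DNS and cluster-port allowlist under `{{- else }}` becomes opt-in. That is a defensible trade-off given the Istio breakage named in the commit message, but the values comment should say plainly that `false` is the hardened setting. Also worth a `helm template` check that `egress:` renders at the same indentation in both branches, since `{{- if` / `{{- else }}` trim the preceding newline and the key appears twice.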
@@ -34,6 +38,8 @@ spec:
- ports:
- port: {{ .Values.service.ports.restAPI }}
- port: {{ .Values.service.ports.transport }}
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
- port: {{ .Values.dashboards.service.ports.http }}
to:
- podSelector:
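Review bot: adding `containerPorts.restAPI` and `containerPorts.transport` next to the `service.ports.*` entries is the right fix, and a one-line comment explaining why would stop someone from "deduplicating" it later: NetworkPolicy port rules match the destination pod's port, and Service traffic is DNAT'ed to the container port before the policy is evaluated, so the `service.ports.*` entries only matter when service port and container port differ. While here, check whether `.Values.dashboards.service.ports.http` belongs in a coordinating node's egress allowlist at all, and if it does, by the same logic the pod port `dashboards.containerPorts.http` is the one that will actually be matched.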
@@ -41,10 +47,11 @@ spec:
{{- if .Values.coordinating.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.coordinating.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.service.ports.restAPI }}
- port: {{ .Values.service.ports.transport }}
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
{{- if not .Values.coordinating.networkPolicy.allowExternal }}
from:
- podSelector:
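Review bot: the `{{- end }}` that closes the `allowExternalEgress` conditional is placed after the `extraEgress` block, so `extraEgress` is silently dropped whenever `allowExternalEgress` is `true` (the default). Functionally harmless, because `- {}` already allows everything, but the README row for `extraEgress` should say it only applies with `allowExternalEgress: false`, or the template could render `extraEgress` outside the conditional. The ingress side now lists both `service.ports.*` and `containerPorts.*`, consistent with the egress change.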

View File

@@ -23,6 +23,10 @@ spec:
policyTypes:
- Ingress
- Egress
{{- if .Values.dashboards.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
# Allow dns resolution
- ports:
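Review bot: for dashboards the restrictive `{{- else }}` branch is the one that has to carry DNS plus the OpenSearch REST port, since that is all the UI needs to function; since `allowExternalEgress` defaults to `true`, that branch is not exercised by default and should get a CI render with `allowExternalEgress=false` so it does not rot.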
@@ -34,6 +38,8 @@ spec:
- ports:
- port: {{ .Values.service.ports.restAPI }}
- port: {{ .Values.service.ports.transport }}
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
- port: {{ .Values.dashboards.service.ports.http }}
to:
- podSelector:
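Review bot: the dashboards egress allowlist now lists `containerPorts.restAPI` and `containerPorts.transport` alongside the service ports and `dashboards.service.ports.http`. Confirm the transport port is actually required from the dashboards pod (it is the node-to-node port, not the HTTP API), and note that `dashboards.service.ports.http` here is the pod's own service port; if it is meant for self-traffic it should also be expressed as `dashboards.containerPorts.http` to match how the other ports in this hunk were fixed.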
@@ -41,10 +47,10 @@ spec:
{{- if .Values.dashboards.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.dashboards.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.service.ports.restAPI }}
- port: {{ .Values.service.ports.transport }}
- port: {{ .Values.dashboards.containerPorts.http }}
{{- if not .Values.dashboards.networkPolicy.allowExternal }}
from:
- podSelector:
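Review bot: the ingress port list for dashboards is `service.ports.restAPI`, `service.ports.transport` and `dashboards.containerPorts.http`. The first two are the OpenSearch node ports, not something the dashboards container is expected to listen on, so unless that pod exposes them the rule is wider than needed; the container port of the UI is the only dashboards-specific entry. Unlike the node templates in this change, the matching service port (`dashboards.service.ports.http`) is not listed next to the container port, which is fine if they are always equal but worth a comment. The `{{- end }}` placement also means `extraEgress` only takes effect with `allowExternalEgress: false`.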

View File

@@ -23,6 +23,10 @@ spec:
policyTypes:
- Ingress
- Egress
{{- if .Values.data.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
# Allow dns resolution
- ports:
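Review bot: as in the other node templates, `allowExternalEgress: true` by default makes the `- {}` rule the shipped behaviour and the DNS allowlist under `{{- else }}` opt-in; the values comment should make the hardened choice explicit. A render of both branches at the same indentation should be verified, since `egress:` appears twice under `{{- if` / `{{- else }}`.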
@@ -34,6 +38,8 @@ spec:
- ports:
- port: {{ .Values.service.ports.restAPI }}
- port: {{ .Values.service.ports.transport }}
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
- port: {{ .Values.dashboards.service.ports.http }}
to:
- podSelector:
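Review bot: same point as the coordinating template: listing `containerPorts.*` next to `service.ports.*` is correct because the policy matches the pod port after Service DNAT, and a comment saying so would prevent a later cleanup from removing one set. `dashboards.service.ports.http` in a data node's egress allowlist looks like copy-paste from the dashboards template; data nodes do not need to initiate connections to the UI.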
@@ -41,10 +47,11 @@ spec:
{{- if .Values.data.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.data.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.service.ports.restAPI }}
- port: {{ .Values.service.ports.transport }}
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
{{- if not .Values.data.networkPolicy.allowExternal }}
from:
- podSelector:
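Review bot: `extraEgress` is rendered inside the `allowExternalEgress` conditional (the `{{- end }}` follows it), so with the default `true` the extra rules are never emitted. Either document that in the README row or move `extraEgress` outside the conditional. Ingress now lists both service and container ports, consistent with egress.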

View File

@@ -23,6 +23,10 @@ spec:
policyTypes:
- Ingress
- Egress
{{- if .Values.ingest.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
# Allow dns resolution
- ports:
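Review bot: same structure as the other node templates: `allowExternalEgress: true` (default) selects `egress: - {}`, so the DNS and cluster-port allowlist is opt-in. Consider a values comment naming `false` as the restrictive option and a test render of that branch.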
@@ -34,6 +38,8 @@ spec:
- ports:
- port: {{ .Values.service.ports.restAPI }}
- port: {{ .Values.service.ports.transport }}
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
- port: {{ .Values.dashboards.service.ports.http }}
to:
- podSelector:
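Review bot: the `containerPorts.*` additions are correct for the reason already noted on the other templates (policy matches the pod port post-DNAT); the `dashboards.service.ports.http` entry in an ingest node's egress list is the one to question, since ingest nodes have no reason to reach the UI.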
@@ -41,10 +47,11 @@ spec:
{{- if .Values.ingest.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.ingest.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.service.ports.restAPI }}
- port: {{ .Values.service.ports.transport }}
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
{{- if not .Values.ingest.networkPolicy.allowExternal }}
from:
- podSelector:
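Review bot: `{{- end }}` closes the `allowExternalEgress` conditional after the `extraEgress` block, so `extraEgress` only applies when `allowExternalEgress` is `false`; document it or render it unconditionally. Ingress port list matches the egress list, good.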

View File

@@ -23,6 +23,10 @@ spec:
policyTypes:
- Ingress
- Egress
{{- if .Values.master.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
# Allow dns resolution
- ports:
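Review bot: this is the fifth near-identical copy of the `allowExternalEgress` conditional across the templates in this change, and the dashboards copy already diverges in its port lists. A shared named template (something like `opensearch.networkPolicy.egress`, hypothetical name) taking the component values as context would keep the five in step; as it stands, any future fix has to be applied five times.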
@@ -34,6 +38,8 @@ spec:
- ports:
- port: {{ .Values.service.ports.restAPI }}
- port: {{ .Values.service.ports.transport }}
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
- port: {{ .Values.dashboards.service.ports.http }}
to:
- podSelector:
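Review bot: adding `containerPorts.restAPI` and `containerPorts.transport` is correct because NetworkPolicy matches the pod port reached after Service DNAT; keep the `service.ports.*` entries only if the chart allows them to differ from the container ports, and say so in a comment. `dashboards.service.ports.http` in a master node's egress allowlist is most likely copy-paste and can be dropped.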
@@ -41,10 +47,11 @@ spec:
{{- if .Values.master.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.master.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.service.ports.restAPI }}
- port: {{ .Values.service.ports.transport }}
- port: {{ .Values.containerPorts.restAPI }}
- port: {{ .Values.containerPorts.transport }}
{{- if not .Values.master.networkPolicy.allowExternal }}
from:
- podSelector:
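Review bot: as on the other templates, `extraEgress` sits inside the `allowExternalEgress` conditional (the `{{- end }}` comes after it) and is therefore not rendered with the default `true`; the README should state that, or the block should move outside the conditional. The ingress rule now lists both service and container ports, matching egress.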

View File

@@ -840,12 +840,15 @@ master:
networkPolicy:
## @param master.networkPolicy.enabled Enable creation of NetworkPolicy resources
##
enabled: false
enabled: true
## @param master.networkPolicy.allowExternal The Policy model to apply
## When set to false, only pods with the correct client label will have network access to the ports Keycloak is
## listening on. When true, Keycloak will accept connections from any source (with the correct destination port).
##
allowExternal: true
## @param master.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param master.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraIngress:
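Review bot: the new `allowExternal` comment in this hunk (`## When set to false, only pods with the correct client label will have network access to the ports Keycloak is` / `## listening on. When true, Keycloak will accept connections from any source ...`) was copied from another chart and still says Keycloak; it should name the OpenSearch master nodes. Flipping `enabled` from `false` to `true` changes the default posture for existing installs and should be called out in the upgrade notes. The `allowExternalEgress` comment should also tell users that `false` is the setting that activates the DNS-and-cluster-only egress allowlist, since `true` is the default and disables it.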
@@ -1251,12 +1254,15 @@ data:
networkPolicy:
## @param data.networkPolicy.enabled Enable creation of NetworkPolicy resources
##
enabled: false
enabled: true
## @param data.networkPolicy.allowExternal The Policy model to apply
## When set to false, only pods with the correct client label will have network access to the ports Keycloak is
## listening on. When true, Keycloak will accept connections from any source (with the correct destination port).
##
allowExternal: true
## @param data.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param data.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraIngress:
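Review bot: `## ... the ports Keycloak is listening on. When true, Keycloak will accept connections ...` is left over from another chart; replace Keycloak with the OpenSearch data nodes. The `allowExternalEgress` description (`Allow the pod to access any range of port and all destinations.`) would read better as `Allow egress to any destination and port; set to false to restrict egress to DNS and cluster ports`.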
@@ -1624,12 +1630,15 @@ coordinating:
networkPolicy:
## @param coordinating.networkPolicy.enabled Enable creation of NetworkPolicy resources
##
enabled: false
enabled: true
## @param coordinating.networkPolicy.allowExternal The Policy model to apply
## When set to false, only pods with the correct client label will have network access to the ports Keycloak is
## listening on. When true, Keycloak will accept connections from any source (with the correct destination port).
##
allowExternal: true
## @param coordinating.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param coordinating.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraIngress:
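Review bot: Keycloak reference in the `allowExternal` comment again (`the ports Keycloak is listening on`); this block describes the coordinating nodes. Since the README is generated from these `@param` lines, fixing the wording here fixes the table too.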
@@ -1999,12 +2008,15 @@ ingest:
networkPolicy:
## @param ingest.networkPolicy.enabled Enable creation of NetworkPolicy resources
##
enabled: false
enabled: true
## @param ingest.networkPolicy.allowExternal The Policy model to apply
## When set to false, only pods with the correct client label will have network access to the ports Keycloak is
## listening on. When true, Keycloak will accept connections from any source (with the correct destination port).
##
allowExternal: true
## @param ingest.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param ingest.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraIngress:
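Review bot: the `allowExternal` comment still says `Keycloak will accept connections from any source`; should refer to the ingest nodes. The `enabled: true` default change is a behaviour change for existing installs and belongs in the upgrade notes.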
@@ -2825,12 +2837,15 @@ dashboards:
networkPolicy:
## @param dashboards.networkPolicy.enabled Enable creation of NetworkPolicy resources
##
enabled: false
enabled: true
## @param dashboards.networkPolicy.allowExternal The Policy model to apply
## When set to false, only pods with the correct client label will have network access to the ports Keycloak is
## listening on. When true, Keycloak will accept connections from any source (with the correct destination port).
##
allowExternal: true
## @param dashboards.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param dashboards.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraIngress:
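Review bot: last copy of the Keycloak wording (`the ports Keycloak is listening on` / `Keycloak will accept connections from any source`); for dashboards this should say that with `allowExternal: false` only pods carrying the client label can reach the Dashboards HTTP port. The `allowExternalEgress` default of `true` is what keeps the sidecar case working, so the comment should spell out that `false` is the restrictive option users should pick when they are not running a service mesh.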