From cfc94a7d63c5b1b57c0900130806ace401bb9c06 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?= Date: Fri, 26 Jan 2024 13:57:26 +0100 Subject: [PATCH] [bitnami/sonarqube] feat: :lock: Enable networkPolicy (#22722) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * [bitnami/sonarqube] feat: :lock: Enable networkPolicy Signed-off-by: Javier Salmeron Garcia * Update bitnami/sonarqube/templates/externaldb-secret.yaml Co-authored-by: Fran de Paz Galán Signed-off-by: Javier J. Salmerón-García * Update bitnami/sonarqube/values.yaml Co-authored-by: Fran de Paz Galán Signed-off-by: Javier J. Salmerón-García --------- Signed-off-by: Javier Salmeron Garcia Signed-off-by: Javier J. Salmerón-García Co-authored-by: Fran de Paz Galán --- bitnami/sonarqube/Chart.yaml | 2 +- bitnami/sonarqube/README.md | 66 +++++++++------- bitnami/sonarqube/templates/NOTES.txt | 20 ++--- bitnami/sonarqube/templates/deployment.yaml | 2 +- .../templates/externaldb-secret.yaml | 2 +- bitnami/sonarqube/templates/ingress.yaml | 2 +- .../sonarqube/templates/install_plugins.yaml | 2 +- .../sonarqube/templates/jmx-configmap.yaml | 2 +- .../sonarqube/templates/jmx-metrics-svc.yaml | 2 +- .../templates/jmx-servicemonitor.yaml | 2 +- .../sonarqube/templates/networkpolicy.yaml | 79 +++++++++++++++++++ bitnami/sonarqube/templates/pvc.yaml | 2 +- bitnami/sonarqube/templates/secret.yaml | 2 +- .../sonarqube/templates/service-account.yaml | 2 +- bitnami/sonarqube/templates/service.yaml | 2 +- bitnami/sonarqube/templates/tls-secret.yaml | 4 +- bitnami/sonarqube/values.yaml | 53 +++++++++++++ 17 files changed, 192 insertions(+), 54 deletions(-) create mode 100644 bitnami/sonarqube/templates/networkpolicy.yaml diff --git a/bitnami/sonarqube/Chart.yaml b/bitnami/sonarqube/Chart.yaml index 2aa346e6ba..8dd6096252 100644 --- a/bitnami/sonarqube/Chart.yaml +++ b/bitnami/sonarqube/Chart.yaml 
@@ -37,4 +37,4 @@ maintainers: name: sonarqube sources: - https://github.com/bitnami/charts/tree/main/bitnami/sonarqube -version: 4.3.1 +version: 4.4.0 diff --git a/bitnami/sonarqube/README.md b/bitnami/sonarqube/README.md index e26864bc30..971fd61172 100644 --- a/bitnami/sonarqube/README.md +++ b/bitnami/sonarqube/README.md 
@@ -199,36 +199,42 @@ The command removes all the Kubernetes components associated with the chart and ### Traffic Exposure Parameters -| Name | Description | Value | -| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | -| `service.type` | SonarQube™ service type | `LoadBalancer` | -| `service.ports.http` | SonarQube™ service HTTP port | `80` | -| `service.ports.elastic` | SonarQube™ service ElasticSearch port | `9001` | -| `service.nodePorts.http` | Node port for HTTP | `""` | -| `service.nodePorts.elastic` | Node port for ElasticSearch | `""` | -| `service.clusterIP` | SonarQube™ service Cluster IP | `""` | -| `service.loadBalancerIP` | SonarQube™ service Load Balancer IP | `""` | -| `service.loadBalancerSourceRanges` | SonarQube™ service Load Balancer sources | `[]` | -| `service.externalTrafficPolicy` | SonarQube™ service external traffic policy | `Cluster` | -| `service.annotations` | Additional custom annotations for SonarQube™ service | `{}` | -| `service.extraPorts` | Extra ports to expose in SonarQube™ service (normally used with the `sidecars` value) | `[]` | -| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `ingress.enabled` | Enable ingress record generation for SonarQube™ | `false` | -| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | -| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | -| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | -| `ingress.hostname` | Default host for the ingress record | `sonarqube.local` | -| `ingress.path` | Default path for the ingress record | `/` | -| `ingress.annotations` | Additional annotations 
for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | -| `ingress.labels` | Additional labels for the Ingress resource. | `{}` | -| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` | -| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | -| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | -| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | -| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | -| `ingress.secrets` | Custom TLS certificates as secrets | `[]` | -| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| Name | Description | Value | +| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `service.type` | SonarQube™ service type | `LoadBalancer` | +| `service.ports.http` | SonarQube™ service HTTP port | `80` | +| `service.ports.elastic` | SonarQube™ service ElasticSearch port | `9001` | +| `service.nodePorts.http` | Node port for HTTP | `""` | +| `service.nodePorts.elastic` | Node port for ElasticSearch | `""` | +| `service.clusterIP` | SonarQube™ service Cluster IP | `""` | +| `service.loadBalancerIP` | SonarQube™ service Load Balancer IP | `""` | +| `service.loadBalancerSourceRanges` | SonarQube™ service Load Balancer sources | `[]` | +| `service.externalTrafficPolicy` | SonarQube™ service external traffic policy | `Cluster` | +| `service.annotations` | Additional custom annotations for SonarQube™ service | `{}` | +| `service.extraPorts` | Extra ports to expose in SonarQube™ 
service (normally used with the `sidecars` value) | `[]` | +| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `ingress.enabled` | Enable ingress record generation for SonarQube™ | `false` | +| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | +| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `ingress.hostname` | Default host for the ingress record | `sonarqube.local` | +| `ingress.path` | Default path for the ingress record | `/` | +| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | +| `ingress.labels` | Additional labels for the Ingress resource. 
| `{}` | +| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` | +| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `ingress.secrets` | Custom TLS certificates as secrets | `[]` | +| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | ### SonarQube caCerts provisioning parameters diff --git a/bitnami/sonarqube/templates/NOTES.txt b/bitnami/sonarqube/templates/NOTES.txt index 8d79da626c..952170ded9 100644 --- a/bitnami/sonarqube/templates/NOTES.txt +++ b/bitnami/sonarqube/templates/NOTES.txt @@ -9,11 +9,11 @@ The chart has been deployed in diagnostic mode. All probes have been disabled an Get the list of pods by executing: - kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + kubectl get pods --namespace {{ include "common.names.namespace" . }} -l app.kubernetes.io/instance={{ .Release.Name }} Access the pod you want to debug by executing - kubectl exec --namespace {{ .Release.Namespace }} -ti -- bash + kubectl exec --namespace {{ include "common.names.namespace" . }} -ti -- bash In order to replicate the container startup scripts execute this command: 
@@ -24,7 +24,7 @@ In order to replicate the container startup scripts execute this command: Your SonarQube(TM) site can be accessed through the following DNS name from within your cluster: - {{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} (port {{ $port }}) + {{ include "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} (port {{ $port }}) To access your SonarQube(TM) site from outside the cluster follow the steps below: 
@@ -42,21 +42,21 @@ To access your SonarQube(TM) site from outside the cluster follow the steps belo {{- if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") echo "SonarQube(TM) URL: http://$NODE_IP:$NODE_PORT/" {{- else if contains "LoadBalancer" .Values.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' + Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -w {{ template "common.names.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.names.namespace" . }} {{ template "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") echo "SonarQube(TM) URL: http://$SERVICE_IP{{- if ne $port "80" }}:{{ $port }}{{ end }}/" {{- else if contains "ClusterIP" .Values.service.type }} - kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "common.names.fullname" . }} {{ $port }}:{{ $port }} & + kubectl port-forward --namespace {{ include "common.names.namespace" . 
}} svc/{{ template "common.names.fullname" . }} {{ $port }}:{{ $port }} & echo "SonarQube(TM) URL: http://127.0.0.1{{- if ne $port "80" }}:{{ $port }}{{ end }}/" {{- end }} @@ -67,7 +67,7 @@ To access your SonarQube(TM) site from outside the cluster follow the steps belo 3. Login with the following credentials below: echo Username: {{ .Values.sonarqubeUsername }} - echo Password: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} -o jsonpath="{.data.sonarqube-password}" | base64 -d) + echo Password: $(kubectl get secret --namespace {{ include "common.names.namespace" . }} {{ template "common.names.fullname" . }} -o jsonpath="{.data.sonarqube-password}" | base64 -d) {{- if .Values.metrics.jmx.enabled }} @@ -75,7 +75,7 @@ You can access the JMX Prometheus metrics following the steps below: 1. Get the JMX Prometheus metrics URL by running: - kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ printf "%s-jmx-metrics" (include "common.names.fullname" .) }} {{ .Values.metrics.jmx.service.ports.metrics }}:{{ .Values.metrics.jmx.service.ports.metrics }} & + kubectl port-forward --namespace {{ include "common.names.namespace" . }} svc/{{ printf "%s-jmx-metrics" (include "common.names.fullname" .) }} {{ .Values.metrics.jmx.service.ports.metrics }}:{{ .Values.metrics.jmx.service.ports.metrics }} & echo "JMX Prometheus metrics URL: http://127.0.0.1:{{ .Values.metrics.jmx.service.ports.metrics }}/" 2. Open a browser and access JMX Prometheus metrics using the obtained URL. diff --git a/bitnami/sonarqube/templates/deployment.yaml b/bitnami/sonarqube/templates/deployment.yaml index bb320fcacb..c32a60df92 100644 --- a/bitnami/sonarqube/templates/deployment.yaml +++ b/bitnami/sonarqube/templates/deployment.yaml 
@@ -7,7 +7,7 @@ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/bitnami/sonarqube/templates/externaldb-secret.yaml b/bitnami/sonarqube/templates/externaldb-secret.yaml index 1db4648b85..9902540ff6 100644 --- a/bitnami/sonarqube/templates/externaldb-secret.yaml +++ b/bitnami/sonarqube/templates/externaldb-secret.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ printf "%s-externaldb" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/bitnami/sonarqube/templates/ingress.yaml b/bitnami/sonarqube/templates/ingress.yaml index 1f023127db..995b23490a 100644 --- a/bitnami/sonarqube/templates/ingress.yaml +++ b/bitnami/sonarqube/templates/ingress.yaml 
@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.labels .Values.commonLabels ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} {{- if or .Values.ingress.annotations .Values.commonAnnotations }} diff --git a/bitnami/sonarqube/templates/install_plugins.yaml b/bitnami/sonarqube/templates/install_plugins.yaml index de95bae307..9ee5d51c5d 100644 --- a/bitnami/sonarqube/templates/install_plugins.yaml +++ b/bitnami/sonarqube/templates/install_plugins.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-install-plugins-configmap" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: diff --git a/bitnami/sonarqube/templates/jmx-configmap.yaml b/bitnami/sonarqube/templates/jmx-configmap.yaml index 56535e9ef2..30744ae63b 100644 --- a/bitnami/sonarqube/templates/jmx-configmap.yaml +++ b/bitnami/sonarqube/templates/jmx-configmap.yaml 
@@ -8,7 +8,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-jmx-conf" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/bitnami/sonarqube/templates/jmx-metrics-svc.yaml b/bitnami/sonarqube/templates/jmx-metrics-svc.yaml index cad8ebbcec..80691964dc 100644 --- a/bitnami/sonarqube/templates/jmx-metrics-svc.yaml +++ b/bitnami/sonarqube/templates/jmx-metrics-svc.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Service metadata: name: {{ printf "%s-jmx-metrics" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: metrics {{- if or .Values.metrics.jmx.service.annotations .Values.commonAnnotations }} diff --git a/bitnami/sonarqube/templates/jmx-servicemonitor.yaml b/bitnami/sonarqube/templates/jmx-servicemonitor.yaml index 7f83c3f55c..34cf2189fc 100644 --- a/bitnami/sonarqube/templates/jmx-servicemonitor.yaml +++ b/bitnami/sonarqube/templates/jmx-servicemonitor.yaml @@ -38,7 +38,7 @@ spec: {{- end }} namespaceSelector: matchNames: - - {{ .Release.Namespace }} + - {{ include "common.names.namespace" . }} selector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: metrics diff --git a/bitnami/sonarqube/templates/networkpolicy.yaml b/bitnami/sonarqube/templates/networkpolicy.yaml new file mode 100644 index 0000000000..56e7c505f1 --- /dev/null 
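Review bot: In jmx-servicemonitor.yaml the new `matchNames` entry is rendered unquoted, unlike the `namespace:` fields this commit touches in the other templates, which all pipe through `quote`. A namespace made only of digits is a valid name and would be read as a YAML integer in this list, so I would write `- {{ include "common.names.namespace" . | quote }}`. The ServiceMonitor spec starts and ends outside the hunk.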
+++ b/bitnami/sonarqube/templates/networkpolicy.yaml 
@@ -0,0 +1,79 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + policyTypes: + - Ingress + - Egress + egress: + - ports: + # Allow dns resolution + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound http/https connection (plugin installation) + - port: 80 + protocol: TCP + - port: 443 + protocol: TCP + # Allow outbund connection to PostgreSQL + - ports: + - port: {{ include "sonarqube.database.port" . 
}} + {{- if .Values.postgresql.enabled }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.http }} + - port: {{ .Values.service.ports.http }} + - port: {{ .Values.containerPorts.elastic }} + - port: {{ .Values.service.ports.elastic }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/sonarqube/templates/pvc.yaml b/bitnami/sonarqube/templates/pvc.yaml index edc1fe7d77..e7d6c23c64 100644 --- a/bitnami/sonarqube/templates/pvc.yaml +++ b/bitnami/sonarqube/templates/pvc.yaml 
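Review bot: The single ingress rule opens the ElasticSearch port together with the HTTP port, so with `networkPolicy.allowExternal` at its default of `true` no `from` is rendered and the search port accepts any source that can reach the pod. I would give the search port its own rule that always carries a `from` selector, assuming nothing outside the release needs to reach it. NetworkPolicy ports are matched against the pod's destination port, so the two `service.ports.*` entries look unnecessary and only widen the rule. On the egress side the 80/443 rule has no `to`, which in cloud environments also leaves link-local metadata endpoints reachable; a comment saying so, or an `ipBlock` with `except`, would help operators. Minor: `outbund` in the PostgreSQL comment.

```yaml
  ingress:
    - ports:
        - port: {{ .Values.containerPorts.http }}
      {{- if not .Values.networkPolicy.allowExternal }}
      from:
        # … unchanged: podSelector / namespaceSelector entries …
      {{- end }}
    # Search port: not opened by allowExternal, only pods of this release may connect
    - ports:
        - port: {{ .Values.containerPorts.elastic }}
      from:
        - podSelector:
            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
    # … unchanged: extraIngress rendering …
```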
@@ -8,7 +8,7 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.persistence.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.persistence.annotations .Values.commonAnnotations ) "context" . ) }} diff --git a/bitnami/sonarqube/templates/secret.yaml b/bitnami/sonarqube/templates/secret.yaml index 1ef26813ee..836ad5f9dc 100644 --- a/bitnami/sonarqube/templates/secret.yaml +++ b/bitnami/sonarqube/templates/secret.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/bitnami/sonarqube/templates/service-account.yaml b/bitnami/sonarqube/templates/service-account.yaml index 877d34eecf..3fdf7d065d 100644 --- a/bitnami/sonarqube/templates/service-account.yaml +++ b/bitnami/sonarqube/templates/service-account.yaml 
@@ -8,7 +8,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "sonarqube.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} diff --git a/bitnami/sonarqube/templates/service.yaml b/bitnami/sonarqube/templates/service.yaml index 718380d92b..b2d4281744 100644 --- a/bitnami/sonarqube/templates/service.yaml +++ b/bitnami/sonarqube/templates/service.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.service.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} diff --git a/bitnami/sonarqube/templates/tls-secret.yaml b/bitnami/sonarqube/templates/tls-secret.yaml index cb443531bc..18082abe67 100644 --- a/bitnami/sonarqube/templates/tls-secret.yaml +++ b/bitnami/sonarqube/templates/tls-secret.yaml 
@@ -10,7 +10,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ .name }} - namespace: {{ $.Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" $ | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }} {{- if $.Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} @@ -30,7 +30,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/bitnami/sonarqube/values.yaml b/bitnami/sonarqube/values.yaml index e097fec8f0..bf78085059 100644 --- a/bitnami/sonarqube/values.yaml +++ b/bitnami/sonarqube/values.yaml 
@@ -508,6 +508,59 @@ service: ## timeoutSeconds: 300 ## sessionAffinityConfig: {} + +## Network Policies +## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the ports the application is listening + ## on. When true, the app will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## SonarQube™ ingress parameters ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ ##
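Review bot: The commented `extraIngress` and `extraEgress` examples write `- matchLabels:`, `- role: frontend` and `- matchExpressions:` as list items, as far as the collapsed text shows. A pod selector takes `matchLabels` as a map and `matchExpressions` as a key directly under `podSelector`, so a copied example would not validate. The `@param networkPolicy.extraEgress` description also says "ingress" and the `extraIngress` one says "NetworkPolice"; the README table repeats both. Since `enabled: true` is the default introduced here, I would add under `enabled` a comment such as `## When enabled, egress is limited to DNS (53), HTTP/HTTPS (80/443) and the database port; allow other destinations (e.g. LDAP, SMTP) through extraEgress`. A matching line under `allowExternal` could state that `true` leaves the listed ingress ports open to every source.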