mirror of
https://github.com/bitnami/charts.git
synced 2026-03-07 16:17:21 +08:00
[bitnami/kafka] Add networkpolicy support (#8356)
@@ -29,4 +29,4 @@ name: kafka
sources:
- https://github.com/bitnami/bitnami-docker-kafka
- https://kafka.apache.org/
version: 14.6.0
version: 14.7.0

@@ -179,7 +179,7 @@ The command removes all the Kubernetes components associated with the chart and
| `podSecurityContext.enabled` | Enable security context for the pods | `true` |
| `podSecurityContext.fsGroup` | Group ID for the filesystem used by the containers | `1001` |
| `podSecurityContext.runAsUser` | User ID for the service user running the pod | `1001` |
| `containerSecurityContext.enabled` | Enable Kafka containers' Security Context | `false` |
| `containerSecurityContext.enabled` | Enable Kafka containers' Security Context | `false` |
| `resources.limits` | The resources limits for Kafka containers | `{}` |
| `resources.requests` | The requested resources for Kafka containers | `{}` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
@@ -205,34 +205,38 @@ The command removes all the Kubernetes components associated with the chart and

### Exposure parameters

| Name | Description | Value |
| ------------------------------------------------- | --------------------------------------------------------------------------------------------- | ----------------------- |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.port` | Kafka port for client connections | `9092` |
| `service.internalPort` | Kafka port for inter-broker connections | `9093` |
| `service.externalPort` | Kafka port for external connections | `9094` |
| `service.nodePorts` | Specify the nodePort value for the LoadBalancer and NodePort service types. | `{}` |
| `service.loadBalancerIP` | loadBalancerIP for Kafka Service | `""` |
| `service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` |
| `service.annotations` | Service annotations | `{}` |
| `externalAccess.enabled` | Enable Kubernetes external cluster access to Kafka brokers | `false` |
| `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs/ports by querying the K8s API | `false` |
| `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry | `docker.io` |
| `externalAccess.autoDiscovery.image.repository` | Init container auto-discovery image repository | `bitnami/kubectl` |
| `externalAccess.autoDiscovery.image.tag` | Init container auto-discovery image tag (immutable tags are recommended) | `1.19.16-debian-10-r25` |
| `externalAccess.autoDiscovery.image.pullPolicy` | Init container auto-discovery image pull policy | `IfNotPresent` |
| `externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets | `[]` |
| `externalAccess.autoDiscovery.resources.limits` | Init container auto-discovery resource limits | `{}` |
| `externalAccess.autoDiscovery.resources.requests` | Init container auto-discovery resource requests | `{}` |
| `externalAccess.service.type` | Kubernetes Service type for external access. It can be NodePort or LoadBalancer | `LoadBalancer` |
| `externalAccess.service.port` | Kafka port used for external access when service type is LoadBalancer | `9094` |
| `externalAccess.service.loadBalancerIPs` | Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount | `[]` |
| `externalAccess.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` |
| `externalAccess.service.nodePorts` | Array of node ports used for each Kafka broker. Length must be the same as replicaCount | `[]` |
| `externalAccess.service.useHostIPs` | Use service host IPs to configure Kafka external listener when service type is NodePort | `false` |
| `externalAccess.service.domain` | Domain or external ip used to configure Kafka external listener when service type is NodePort | `""` |
| `externalAccess.service.annotations` | Service annotations for external access | `{}` |
| `externalAccess.service.usePodIPs` | using the MY_POD_IP address for external access. | `false` |
| Name | Description | Value |
| ------------------------------------------------- | ---------------------------------------------------------------------------------------------- | ----------------------- |
| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources. | `false` |
| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed | `{}` |
| `networkPolicy.externalAccess.from` | customize the from section for External Access on tcp-external port | `[]` |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.port` | Kafka port for client connections | `9092` |
| `service.internalPort` | Kafka port for inter-broker connections | `9093` |
| `service.externalPort` | Kafka port for external connections | `9094` |
| `service.nodePorts` | Specify the nodePort value for the LoadBalancer and NodePort service types. | `{}` |
| `service.loadBalancerIP` | loadBalancerIP for Kafka Service | `""` |
| `service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` |
| `service.annotations` | Service annotations | `{}` |
| `externalAccess.enabled` | Enable Kubernetes external cluster access to Kafka brokers | `false` |
| `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs/ports by querying the K8s API | `false` |
| `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry | `docker.io` |
| `externalAccess.autoDiscovery.image.repository` | Init container auto-discovery image repository | `bitnami/kubectl` |
| `externalAccess.autoDiscovery.image.tag` | Init container auto-discovery image tag (immutable tags are recommended) | `1.19.16-debian-10-r25` |
| `externalAccess.autoDiscovery.image.pullPolicy` | Init container auto-discovery image pull policy | `IfNotPresent` |
| `externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets | `[]` |
| `externalAccess.autoDiscovery.resources.limits` | Init container auto-discovery resource limits | `{}` |
| `externalAccess.autoDiscovery.resources.requests` | Init container auto-discovery resource requests | `{}` |
| `externalAccess.service.type` | Kubernetes Service type for external access. It can be NodePort or LoadBalancer | `LoadBalancer` |
| `externalAccess.service.port` | Kafka port used for external access when service type is LoadBalancer | `9094` |
| `externalAccess.service.loadBalancerIPs` | Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount | `[]` |
| `externalAccess.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` |
| `externalAccess.service.nodePorts` | Array of node ports used for each Kafka broker. Length must be the same as replicaCount | `[]` |
| `externalAccess.service.useHostIPs` | Use service host IPs to configure Kafka external listener when service type is NodePort | `false` |
| `externalAccess.service.domain` | Domain or external ip used to configure Kafka external listener when service type is NodePort | `""` |
| `externalAccess.service.annotations` | Service annotations for external access | `{}` |
| `externalAccess.service.usePodIPs` | using the MY_POD_IP address for external access. | `false` |


### Persistence parameters
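Review bot: the `networkPolicy.allowExternal` row describes the option by negation ("Don't require client label for connections"), which hides that the default `true` leaves the client port open to any source once `networkPolicy.enabled` is switched on; suggest a description that states the posture, e.g. `When true (default), any source may reach the client port; when false, only pods labelled <fullname>-client: "true" (optionally from namespaces matched by explicitNamespacesSelector)`. The `networkPolicy.externalAccess.from` row should also say what an empty list means, since the template only emits a `from:` block when the value is non-empty, so `[]` leaves the external port rule without any source restriction rather than denying access.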
@@ -304,7 +308,7 @@ The command removes all the Kubernetes components associated with the chart and
| `metrics.kafka.tlsCaCert` | The secret key from the certificatesSecret or tlsCaSecret if 'ca-cert' key different from the default (ca-file) | `ca-file` |
| `metrics.kafka.podLabels` | Kafka exporter pod labels | `{}` |
| `metrics.kafka.podAnnotations` | Kafka exporter pod annotations | `{}` |
| `metrics.kafka.containerSecurityContext.enabled` | Enable Kafka Exporter containers' Security Context | `false` |
| `metrics.kafka.containerSecurityContext.enabled` | Enable Prometheus Kafka Exporter containers' Security Context | `false` |
| `metrics.kafka.resources.limits` | Kafka Exporter container resource limits | `{}` |
| `metrics.kafka.resources.requests` | Kafka Exporter container resource requests | `{}` |
| `metrics.kafka.affinity` | Affinity for Kafka Exporter pod assignment | `{}` |
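Review bot: the description change for `metrics.kafka.containerSecurityContext.enabled` (adding "Prometheus") is unrelated to the NetworkPolicy feature named in the commit title; if it comes from regenerating the README from the values.yaml annotations, say so in the commit message, or keep the regeneration in its own commit so the functional change stays easy to review.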
@@ -324,7 +328,7 @@ The command removes all the Kubernetes components associated with the chart and
| `metrics.jmx.image.tag` | JMX exporter image tag (immutable tags are recommended) | `0.16.1-debian-10-r129` |
| `metrics.jmx.image.pullPolicy` | JMX exporter image pull policy | `IfNotPresent` |
| `metrics.jmx.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `metrics.jmx.containerSecurityContext.enabled` | Enable Prometheus JMX Exporter' Security Context | `false` |
| `metrics.jmx.containerSecurityContext.enabled` | Enable Prometheus JMX Exporter Containers' Security Context | `false` |
| `metrics.jmx.resources.limits` | JMX Exporter container resource limits | `{}` |
| `metrics.jmx.resources.requests` | JMX Exporter container resource requests | `{}` |
| `metrics.jmx.service.type` | Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) for JMX Exporter | `ClusterIP` |

52
bitnami/kafka/templates/networkpolicy.yaml
Normal file
@@ -0,0 +1,52 @@
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "common.names.fullname" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
{{- include "common.labels.matchLabels" . | nindent 6 }}
ingress:
# Allow client connections
- ports:
- port: {{ .Values.service.port }}
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
{{- if .Values.networkPolicy.explicitNamespacesSelector }}
namespaceSelector:
{{ toYaml .Values.networkPolicy.explicitNamespacesSelector | indent 12 }}
{{- end }}
{{- end }}
# Allow communication inter-broker
- ports:
- port: {{ .Values.service.internalPort }}
from:
- podSelector:
matchLabels:
{{- include "common.labels.matchLabels" . | nindent 14 }}
# Allow External connection
{{- if .Values.externalAccess.enabled }}
- ports:
- port: {{ .Values.service.externalPort }}
{{- if .Values.externalAccess.from }}
from: {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.externalAccess.from "context" $ ) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.metrics.kafka.enabled }}
# Allow prometheus scrapes
- ports:
- port: {{ .Values.metrics.kafka.service.port }}
{{- end }}
{{- end }}
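Review bot: the guard `{{- if .Values.externalAccess.from }}` tests a key this change never defines; the value added to values.yaml and documented in the README is `networkPolicy.externalAccess.from`, which is also the key the very next line renders. As written the condition is always false, the `from:` block is never emitted, and whenever `externalAccess.enabled` is true the rule `- port: {{ .Values.service.externalPort }}` admits traffic from every source no matter what the user configures; change the guard to `{{- if .Values.networkPolicy.externalAccess.from }}`. Two smaller points in the same file: the client rule depends on `allowExternal` defaulting to `true`, so enabling the policy without also flipping that value still allows any source on `service.port`, and the `metrics.kafka` rule carries no `from` at all, so the exporter port is reachable from any pod or namespace that can route to the selected pods; if both are intentional, a sentence in the values.yaml comments would save users a surprise.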
@@ -617,6 +617,40 @@ sidecars: []
initContainers: []

## @section Exposure parameters
networkPolicy:
## @param networkPolicy.enabled Enable creation of NetworkPolicy resources.
##
enabled: false
## @param networkPolicy.allowExternal Don't require client label for connections
## The Policy model to apply. When set to false, only pods with the correct
## client label will have network access to Kafka port for client connections (service.port).
## When true, kafka will accept connections from any source
## (with the correct destination port).
##
allowExternal: true
## @param networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed
## If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
## and that match other criteria, the ones that have the good label, can reach the kafka.
## But sometimes, we want the kafka to be accessible to clients from other namespaces, in this case, we can use this
## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
##
## Example:
## explicitNamespacesSelector:
## matchLabels:
## role: frontend
## matchExpressions:
## - {key: role, operator: In, values: [frontend]}
##
explicitNamespacesSelector: {}
## @param networkPolicy.externalAccess.from customize the from section for External Access on tcp-external port
## Example:
## - ipBlock:
## cidr: 172.9.0.0/16
## except:
## - 172.9.1.0/24
##
externalAccess:
from: []

## Service parameters
##

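Review bot: the `explicitNamespacesSelector` comment is hard to parse ("only client Pods that are in the networkPolicy's namespace and that match other criteria, the ones that have the good label, can reach the kafka"); suggest `## If explicitNamespacesSelector is missing or set to {}, only client pods in the NetworkPolicy's own namespace that carry the client label can reach Kafka. To admit clients from other namespaces, set a LabelSelector here and include the chart's own namespace explicitly, since it is no longer matched implicitly.` The `allowExternal` comment should also make clear that it governs only the client port (`service.port`): the inter-broker, external and metrics rules are unaffected by it, which a reader of "kafka will accept connections from any source" would not guess. The `@param` lines feed the README table verbatim, so fixing the wording here fixes both.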